diff --git a/rules/apm/apm_403_response_to_a_post.toml b/rules/apm/apm_403_response_to_a_post.toml
index 085c469575d..4cb1d40419a 100644
--- a/rules/apm/apm_403_response_to_a_post.toml
+++ b/rules/apm/apm_403_response_to_a_post.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/07/13"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/apm/apm_405_response_method_not_allowed.toml b/rules/apm/apm_405_response_method_not_allowed.toml
index 4c4a712262b..1af9fe46801 100644
--- a/rules/apm/apm_405_response_method_not_allowed.toml
+++ b/rules/apm/apm_405_response_method_not_allowed.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/07/13"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/apm/apm_null_user_agent.toml b/rules/apm/apm_null_user_agent.toml
index 0519fedd662..820e21e29b9 100644
--- a/rules/apm/apm_null_user_agent.toml
+++ b/rules/apm/apm_null_user_agent.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/07/13"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/apm/apm_sqlmap_user_agent.toml b/rules/apm/apm_sqlmap_user_agent.toml
index c37e7d68f2e..b580bdcfc81 100644
--- a/rules/apm/apm_sqlmap_user_agent.toml
+++ b/rules/apm/apm_sqlmap_user_agent.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/07/13"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml b/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml
index e990120dfb5..424246a78e2 100644
--- a/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml
+++ b/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/12/21"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml b/rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml
index 7f39cc44522..0b50b84fd3a 100644
--- a/rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml
+++ b/rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml
@@ -1,9 +1,9 @@
 [metadata]
 creation_date = "2021/07/14"
 maturity = "production"
-updated_date = "2022/02/28"
-min_stack_comments = "The field `event.agent_id_status` was not introduced until 7.14"
-min_stack_version = "7.15.0"
+updated_date = "2022/08/24"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml b/rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml
index 0a0955aaa32..f3b5ba6f7f4 100644
--- a/rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml
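Review bot: The rewrite of `min_stack_comments` in the defense_evasion_agent_spoofing_mismatched_id.toml hunk drops the rule-specific reason for the floor — the file previously recorded that the `event.agent_id_status` field did not exist before 7.14, and the new generic text says nothing about it. The constraint is still honoured because 8.3.0 is above 7.15.0, but whoever later considers lowering the minimum no longer sees that a second, independent field dependency exists. Keep both rationales in the one string, e.g. `min_stack_comments = "New fields added: required_fields, related_integrations, setup; the field event.agent_id_status was not introduced until 7.14"`. The same loss of history occurs in defense_evasion_agent_spoofing_multiple_hosts.toml, impact_hosts_file_modified.toml (timeline templates, 8.2+), threat_intel_filebeat8x.toml and threat_intel_fleet_integrations.toml (ECS 1.11 field names). A smaller point of style: these five files keep `updated_date` above the `min_stack_*` keys while every file that gains the keys fresh places them before `updated_date`, so one ordering across the set would make the metadata blocks easier to compare.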
+++ b/rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml
@@ -1,9 +1,9 @@
 [metadata]
 creation_date = "2021/07/14"
 maturity = "production"
-updated_date = "2022/02/16"
-min_stack_comments = "The field `event.agent_id_status` was not introduced until 7.14"
-min_stack_version = "7.15.0"
+updated_date = "2022/08/24"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml b/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml
index 283004af026..9f049370ed8 100644
--- a/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml
+++ b/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/03"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml b/rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml
index 5f332e4cf30..0bb02a8a544 100644
--- a/rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml
+++ b/rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/05/04"
 maturity = "production"
-updated_date = "2022/05/16"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml b/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml
index 7ec822922d2..d53dbd7d3b0 100644
--- a/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml
+++ b/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2022/05/23"
 maturity = "production"
-updated_date = "2022/07/18"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
@@ -37,10 +39,10 @@ process where
 or
 /* service or systemctl used to stop Elastic Agent on Linux */
 (event.type == "end" and
- (process.name : ("systemctl", "service") and
+ (process.name : ("systemctl", "service") and
 process.args : "elastic-agent" and
- process.args : "stop")
- or
+ process.args : "stop")
+ or
 /* Unload Elastic Agent extension on MacOS */
 (process.name : "kextunload" and
 process.args : "com.apple.iokit.EndpointSecurity" and
diff --git a/rules/cross-platform/defense_evasion_timestomp_touch.toml b/rules/cross-platform/defense_evasion_timestomp_touch.toml
index cf14cceb828..1922928eacf 100644
--- a/rules/cross-platform/defense_evasion_timestomp_touch.toml
+++ b/rules/cross-platform/defense_evasion_timestomp_touch.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/03"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/cross-platform/discovery_security_software_grep.toml b/rules/cross-platform/discovery_security_software_grep.toml
index 25f36fbd3e7..36f70ceb90b 100644
--- a/rules/cross-platform/discovery_security_software_grep.toml
+++ b/rules/cross-platform/discovery_security_software_grep.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/12/20"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml b/rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml
index 79ad5390354..b2d70bc98f4 100644
--- a/rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml
+++ b/rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/09/29"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml b/rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml
index 84533a03f4f..efb705d1785 100644
--- a/rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml
+++ b/rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/01/12"
 maturity = "production"
-updated_date = "2022/07/05"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/cross-platform/execution_python_script_in_cmdline.toml b/rules/cross-platform/execution_python_script_in_cmdline.toml
index 525da55ceb0..153f7aebddc 100644
--- a/rules/cross-platform/execution_python_script_in_cmdline.toml
+++ b/rules/cross-platform/execution_python_script_in_cmdline.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/13"
 maturity = "development"
-updated_date = "2022/03/31"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/cross-platform/execution_revershell_via_shell_cmd.toml b/rules/cross-platform/execution_revershell_via_shell_cmd.toml
index 91da6fabb71..fc60a1e278f 100644
--- a/rules/cross-platform/execution_revershell_via_shell_cmd.toml
+++ b/rules/cross-platform/execution_revershell_via_shell_cmd.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/01/07"
 maturity = "production"
-updated_date = "2022/07/06"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/cross-platform/execution_suspicious_jar_child_process.toml b/rules/cross-platform/execution_suspicious_jar_child_process.toml
index 32913f5971e..11963546d99 100644
--- a/rules/cross-platform/execution_suspicious_jar_child_process.toml
+++ b/rules/cross-platform/execution_suspicious_jar_child_process.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/01/19"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/cross-platform/execution_suspicious_java_netcon_childproc.toml b/rules/cross-platform/execution_suspicious_java_netcon_childproc.toml
index b663d70da00..3db4bdf1cbe 100644
--- a/rules/cross-platform/execution_suspicious_java_netcon_childproc.toml
+++ b/rules/cross-platform/execution_suspicious_java_netcon_childproc.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/12/10"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/cross-platform/impact_hosts_file_modified.toml b/rules/cross-platform/impact_hosts_file_modified.toml
index 1f28d573922..b75979ae5b4 100644
--- a/rules/cross-platform/impact_hosts_file_modified.toml
+++ b/rules/cross-platform/impact_hosts_file_modified.toml
@@ -1,9 +1,9 @@
 [metadata]
 creation_date = "2020/07/07"
 maturity = "production"
-updated_date = "2022/03/31"
-min_stack_comments = "Comprehensive timeline templates only available in 8.2+"
-min_stack_version = "8.2"
+updated_date = "2022/08/24"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml b/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml
index dbf0d0fb12f..70ea4c37330 100644
--- a/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml
+++ b/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/09/14"
 maturity = "production"
-updated_date = "2021/05/10"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml b/rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml
index d42f5741319..7f6fd6d01ce 100644
--- a/rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml
+++ b/rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/12/21"
 maturity = "production"
-updated_date = "2021/03/22"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
@@ -31,19 +33,19 @@
 timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.category:file and event.type:change and
- (file.name:pam_*.so or file.path:(/etc/pam.d/* or /private/etc/pam.d/*)) and
+event.category:file and event.type:change and
+ (file.name:pam_*.so or file.path:(/etc/pam.d/* or /private/etc/pam.d/*)) and
 process.executable:
- (* and
- not
+ (* and
+ not
 (
- /bin/yum or
- "/usr/sbin/pam-auth-update" or
- /usr/libexec/packagekitd or
- /usr/bin/dpkg or
- /usr/bin/vim or
- /usr/libexec/xpcproxy or
- /usr/bin/bsdtar or
+ /bin/yum or
+ "/usr/sbin/pam-auth-update" or
+ /usr/libexec/packagekitd or
+ /usr/bin/dpkg or
+ /usr/bin/vim or
+ /usr/libexec/xpcproxy or
+ /usr/bin/bsdtar or
 /usr/local/bin/brew or
 /usr/bin/rsync or
 /usr/bin/yum or
diff --git a/rules/cross-platform/persistence_shell_profile_modification.toml b/rules/cross-platform/persistence_shell_profile_modification.toml
index cec0ff93d98..400716f83ae 100644
--- a/rules/cross-platform/persistence_shell_profile_modification.toml
+++ b/rules/cross-platform/persistence_shell_profile_modification.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/01/19"
 maturity = "production"
-updated_date = "2021/08/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/cross-platform/persistence_ssh_authorized_keys_modification.toml b/rules/cross-platform/persistence_ssh_authorized_keys_modification.toml
index c0df6679998..234ed6bc6f8 100644
--- a/rules/cross-platform/persistence_ssh_authorized_keys_modification.toml
+++ b/rules/cross-platform/persistence_ssh_authorized_keys_modification.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/12/22"
 maturity = "production"
-updated_date = "2022/05/04"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
@@ -22,18 +24,18 @@
 timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.category:file and event.type:(change or creation) and
- file.name:("authorized_keys" or "authorized_keys2") and
+event.category:file and event.type:(change or creation) and
+ file.name:("authorized_keys" or "authorized_keys2") and
 not process.executable:
- (/Library/Developer/CommandLineTools/usr/bin/git or
- /usr/local/Cellar/maven/*/libexec/bin/mvn or
- /Library/Java/JavaVirtualMachines/jdk*.jdk/Contents/Home/bin/java or
- /usr/bin/vim or
- /usr/local/Cellar/coreutils/*/bin/gcat or
+ (/Library/Developer/CommandLineTools/usr/bin/git or
+ /usr/local/Cellar/maven/*/libexec/bin/mvn or
+ /Library/Java/JavaVirtualMachines/jdk*.jdk/Contents/Home/bin/java or
+ /usr/bin/vim or
+ /usr/local/Cellar/coreutils/*/bin/gcat or
 /usr/bin/bsdtar or
- /usr/bin/nautilus or
+ /usr/bin/nautilus or
 /usr/bin/scp or
- /usr/bin/touch or
+ /usr/bin/touch or
 /var/lib/docker/* or
 /usr/bin/google_guest_agent)
 '''
diff --git a/rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml b/rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml
index e0df3d8aa6d..5e4bc234455 100644
--- a/rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml
+++ b/rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/01/26"
 maturity = "production"
-updated_date = "2021/03/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml b/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml
index 428b72f1e3f..a0d341570a8 100644
--- a/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml
+++ b/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/04/23"
 maturity = "production"
-updated_date = "2021/03/10"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/cross-platform/privilege_escalation_sudo_buffer_overflow.toml b/rules/cross-platform/privilege_escalation_sudo_buffer_overflow.toml
index 5a67e5a6872..cdc05735497 100644
--- a/rules/cross-platform/privilege_escalation_sudo_buffer_overflow.toml
+++ b/rules/cross-platform/privilege_escalation_sudo_buffer_overflow.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/02/03"
 maturity = "production"
-updated_date = "2021/03/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/cross-platform/privilege_escalation_sudoers_file_mod.toml b/rules/cross-platform/privilege_escalation_sudoers_file_mod.toml
index ede884934ef..492f3bf90d2 100644
--- a/rules/cross-platform/privilege_escalation_sudoers_file_mod.toml
+++ b/rules/cross-platform/privilege_escalation_sudoers_file_mod.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/04/13"
 maturity = "production"
-updated_date = "2021/03/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/cross-platform/threat_intel_filebeat8x.toml b/rules/cross-platform/threat_intel_filebeat8x.toml
index ed24a7bc3d8..bdb9f68adc0 100644
--- a/rules/cross-platform/threat_intel_filebeat8x.toml
+++ b/rules/cross-platform/threat_intel_filebeat8x.toml
@@ -1,9 +1,9 @@
 [metadata]
 creation_date = "2021/11/24"
 maturity = "production"
-updated_date = "2022/02/16"
-min_stack_comments = "Threat index is ECS 1.11 compliant (8.0)."
-min_stack_version = "8.0"
+updated_date = "2022/08/24"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/cross-platform/threat_intel_fleet_integrations.toml b/rules/cross-platform/threat_intel_fleet_integrations.toml
index 5b88f36a166..62a454fd2f1 100644
--- a/rules/cross-platform/threat_intel_fleet_integrations.toml
+++ b/rules/cross-platform/threat_intel_fleet_integrations.toml
@@ -1,9 +1,9 @@
 [metadata]
 creation_date = "2021/04/21"
 maturity = "production"
-updated_date = "2022/02/16"
-min_stack_comments = "Threat intel module fields were updated from `threatintel.*` to `threat.*` in ECS 1.11 (7.16)."
-min_stack_version = "8.0"
+updated_date = "2022/08/24"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/aws/collection_cloudtrail_logging_created.toml b/rules/integrations/aws/collection_cloudtrail_logging_created.toml
index d59e0a722b2..9d44f4936ce 100644
--- a/rules/integrations/aws/collection_cloudtrail_logging_created.toml
+++ b/rules/integrations/aws/collection_cloudtrail_logging_created.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/06/10"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 
 [rule]
diff --git a/rules/integrations/aws/credential_access_aws_iam_assume_role_brute_force.toml b/rules/integrations/aws/credential_access_aws_iam_assume_role_brute_force.toml
index a65ec7316b9..ab371f7469e 100644
--- a/rules/integrations/aws/credential_access_aws_iam_assume_role_brute_force.toml
+++ b/rules/integrations/aws/credential_access_aws_iam_assume_role_brute_force.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/07/16"
 maturity = "production"
-updated_date = "2022/07/19"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 
 [rule]
diff --git a/rules/integrations/aws/credential_access_iam_user_addition_to_group.toml b/rules/integrations/aws/credential_access_iam_user_addition_to_group.toml
index dca7e8b4977..e21b5aa392c 100644
--- a/rules/integrations/aws/credential_access_iam_user_addition_to_group.toml
+++ b/rules/integrations/aws/credential_access_iam_user_addition_to_group.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/06/04"
 maturity = "production"
-updated_date = "2022/07/19"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 
 [rule]
diff --git a/rules/integrations/aws/credential_access_root_console_failure_brute_force.toml b/rules/integrations/aws/credential_access_root_console_failure_brute_force.toml
index 4110331a4f6..7a124243277 100644
--- a/rules/integrations/aws/credential_access_root_console_failure_brute_force.toml
+++ b/rules/integrations/aws/credential_access_root_console_failure_brute_force.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/07/21"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 
 [rule]
diff --git a/rules/integrations/aws/credential_access_secretsmanager_getsecretvalue.toml b/rules/integrations/aws/credential_access_secretsmanager_getsecretvalue.toml
index 50ad221fdc6..0909584ac3c 100644
--- a/rules/integrations/aws/credential_access_secretsmanager_getsecretvalue.toml
+++ b/rules/integrations/aws/credential_access_secretsmanager_getsecretvalue.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/07/06"
 maturity = "production"
-updated_date = "2022/07/14"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 
 [rule]
diff --git a/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml b/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml
index 41bacd7e4e4..6c46192a53a 100644
--- a/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml
+++ b/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/05/26"
 maturity = "production"
-updated_date = "2022/07/22"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 
 [rule]
diff --git a/rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml b/rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml
index 59bfe53eafc..d5c661d4355 100644
--- a/rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml
+++ b/rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/06/10"
 maturity = "production"
-updated_date = "2022/07/22"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 
 [rule]
diff --git a/rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml b/rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml
index e9bc81ed4ba..bca7a1f2397 100644
--- a/rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/06/15"
 maturity = "production"
-updated_date = "2022/07/22"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 
 [rule]
diff --git a/rules/integrations/aws/defense_evasion_config_service_rule_deletion.toml b/rules/integrations/aws/defense_evasion_config_service_rule_deletion.toml
index 0f38bfd560a..54ca2642e20 100644
--- a/rules/integrations/aws/defense_evasion_config_service_rule_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_config_service_rule_deletion.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/06/26"
 maturity = "production"
-updated_date = "2022/07/14"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 
 [rule]
diff --git a/rules/integrations/aws/defense_evasion_configuration_recorder_stopped.toml b/rules/integrations/aws/defense_evasion_configuration_recorder_stopped.toml
index 39aac78b19b..06c0bdecf11 100644
--- a/rules/integrations/aws/defense_evasion_configuration_recorder_stopped.toml
+++ b/rules/integrations/aws/defense_evasion_configuration_recorder_stopped.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/06/16"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 
 [rule]
diff --git a/rules/integrations/aws/defense_evasion_ec2_flow_log_deletion.toml b/rules/integrations/aws/defense_evasion_ec2_flow_log_deletion.toml
index 56aa312c172..ebec002e412 100644
--- a/rules/integrations/aws/defense_evasion_ec2_flow_log_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_ec2_flow_log_deletion.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/06/15"
 maturity = "production"
-updated_date = "2022/07/22"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 
 [rule]
diff --git a/rules/integrations/aws/defense_evasion_ec2_network_acl_deletion.toml b/rules/integrations/aws/defense_evasion_ec2_network_acl_deletion.toml
index 4d17f64ea25..8c248169a77 100644
--- a/rules/integrations/aws/defense_evasion_ec2_network_acl_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_ec2_network_acl_deletion.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/05/26"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 
 [rule]
diff --git a/rules/integrations/aws/defense_evasion_elasticache_security_group_creation.toml b/rules/integrations/aws/defense_evasion_elasticache_security_group_creation.toml
index 608c8a85007..aeb3c3cbf7c 100644
--- a/rules/integrations/aws/defense_evasion_elasticache_security_group_creation.toml
+++ b/rules/integrations/aws/defense_evasion_elasticache_security_group_creation.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/07/19"
 maturity = "production"
-updated_date = "2021/10/01"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 
 [rule]
diff --git a/rules/integrations/aws/defense_evasion_elasticache_security_group_modified_or_deleted.toml b/rules/integrations/aws/defense_evasion_elasticache_security_group_modified_or_deleted.toml
index 5a7dd4837c6..4feea28b901 100644
--- a/rules/integrations/aws/defense_evasion_elasticache_security_group_modified_or_deleted.toml
+++ b/rules/integrations/aws/defense_evasion_elasticache_security_group_modified_or_deleted.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/07/19"
 maturity = "production"
-updated_date = "2021/10/01"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 
 [rule]
diff --git a/rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml b/rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml
index c025a145543..0fb8a88fea0 100644
--- a/rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/05/28"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 
 [rule]
diff --git a/rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml b/rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml
index 0836f85b61e..c2560f91450 100644
--- a/rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/05/27"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 
 [rule]
diff --git a/rules/integrations/aws/defense_evasion_waf_acl_deletion.toml b/rules/integrations/aws/defense_evasion_waf_acl_deletion.toml
index deac79fe2f6..4021725f111 100644
--- a/rules/integrations/aws/defense_evasion_waf_acl_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_waf_acl_deletion.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 
 [rule]
diff --git a/rules/integrations/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml b/rules/integrations/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml
index e3d58bd4fd6..65a937528b7 100644
--- a/rules/integrations/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/06/09"
 maturity = "production"
-updated_date = "2022/03/11"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 
 [rule]
diff --git a/rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml b/rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml
index 6f40150d528..343d36d629c 100644
--- a/rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml
+++ b/rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/05/05"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 
 [rule]
diff --git a/rules/integrations/aws/exfiltration_ec2_snapshot_change_activity.toml b/rules/integrations/aws/exfiltration_ec2_snapshot_change_activity.toml
index 876ec8bf80e..160a28de560 100644
--- a/rules/integrations/aws/exfiltration_ec2_snapshot_change_activity.toml
+++ b/rules/integrations/aws/exfiltration_ec2_snapshot_change_activity.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/06/24"
 maturity = "production"
-updated_date = "2022/07/14"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 [rule]
diff --git a/rules/integrations/aws/exfiltration_ec2_vm_export_failure.toml b/rules/integrations/aws/exfiltration_ec2_vm_export_failure.toml
index a991c5f57be..eb78385c1ad 100644
--- a/rules/integrations/aws/exfiltration_ec2_vm_export_failure.toml
+++ b/rules/integrations/aws/exfiltration_ec2_vm_export_failure.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/04/22"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 [rule]
diff --git a/rules/integrations/aws/exfiltration_rds_snapshot_export.toml b/rules/integrations/aws/exfiltration_rds_snapshot_export.toml
index 22c78f4bc3a..03d2a63a988 100644
--- a/rules/integrations/aws/exfiltration_rds_snapshot_export.toml
+++ b/rules/integrations/aws/exfiltration_rds_snapshot_export.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/06/06"
 maturity = "production"
-updated_date = "2022/07/05"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 [rule]
diff --git a/rules/integrations/aws/exfiltration_rds_snapshot_restored.toml b/rules/integrations/aws/exfiltration_rds_snapshot_restored.toml
index f55e0e5d9d7..a6d2c03a796 100644
--- a/rules/integrations/aws/exfiltration_rds_snapshot_restored.toml
+++ b/rules/integrations/aws/exfiltration_rds_snapshot_restored.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/06/29"
 maturity = "production"
-updated_date = "2022/07/05"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 [rule]
diff --git a/rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml b/rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml
index c3c174508c0..896202291a5 100644
--- a/rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml
+++ b/rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/10/17"
 maturity = "production"
-updated_date = "2022/07/05"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 [rule]
diff --git a/rules/integrations/aws/impact_cloudtrail_logging_updated.toml b/rules/integrations/aws/impact_cloudtrail_logging_updated.toml
index 8784d426194..a3c0fbab62b 100644
--- a/rules/integrations/aws/impact_cloudtrail_logging_updated.toml
+++ b/rules/integrations/aws/impact_cloudtrail_logging_updated.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/06/10"
 maturity = "production"
-updated_date = "2022/07/22"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 [rule]
diff --git a/rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml b/rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml
index 2af9ef080dd..022869765db 100644
--- a/rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml
+++ b/rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/05/18"
 maturity = "production"
-updated_date = "2022/07/22"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 [rule]
diff --git a/rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml b/rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml
index e5eee33b43a..db266753b23 100644
--- a/rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml
+++ b/rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/05/20"
 maturity = "production"
-updated_date = "2022/07/14"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 [rule]
diff --git a/rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml b/rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml
index 8c5d534e7f2..22fbf2e80b1 100644
--- a/rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml
+++ b/rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/06/05"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 [rule]
diff --git a/rules/integrations/aws/impact_efs_filesystem_or_mount_deleted.toml b/rules/integrations/aws/impact_efs_filesystem_or_mount_deleted.toml
index 9e650a1e7ed..b514727fbf9 100644
--- a/rules/integrations/aws/impact_efs_filesystem_or_mount_deleted.toml
+++ b/rules/integrations/aws/impact_efs_filesystem_or_mount_deleted.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/08/27"
 maturity = "production"
-updated_date = "2022/02/28"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 [rule]
diff --git a/rules/integrations/aws/impact_iam_deactivate_mfa_device.toml b/rules/integrations/aws/impact_iam_deactivate_mfa_device.toml
index 3a74b435459..16bdb004cfa 100644
--- a/rules/integrations/aws/impact_iam_deactivate_mfa_device.toml
+++ b/rules/integrations/aws/impact_iam_deactivate_mfa_device.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/05/26"
 maturity = "production"
-updated_date = "2022/07/19"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 [rule]
diff --git a/rules/integrations/aws/impact_iam_group_deletion.toml b/rules/integrations/aws/impact_iam_group_deletion.toml
index d799a20c7f4..3d48563df39 100644
--- a/rules/integrations/aws/impact_iam_group_deletion.toml
+++ b/rules/integrations/aws/impact_iam_group_deletion.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 [rule]
diff --git a/rules/integrations/aws/impact_rds_group_deletion.toml b/rules/integrations/aws/impact_rds_group_deletion.toml
index 481df4dfd04..9cd43474362 100644
--- a/rules/integrations/aws/impact_rds_group_deletion.toml
+++ b/rules/integrations/aws/impact_rds_group_deletion.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/06/05"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 [rule]
diff --git a/rules/integrations/aws/impact_rds_instance_cluster_deletion.toml b/rules/integrations/aws/impact_rds_instance_cluster_deletion.toml
index 90fd97a3944..ce6ad602da8 100644
--- a/rules/integrations/aws/impact_rds_instance_cluster_deletion.toml
+++ b/rules/integrations/aws/impact_rds_instance_cluster_deletion.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
-updated_date = "2022/04/07"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 [rule]
diff --git a/rules/integrations/aws/impact_rds_instance_cluster_stoppage.toml b/rules/integrations/aws/impact_rds_instance_cluster_stoppage.toml
index 3909047888b..acc28ba1ec5 100644
--- a/rules/integrations/aws/impact_rds_instance_cluster_stoppage.toml
+++ b/rules/integrations/aws/impact_rds_instance_cluster_stoppage.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/05/20"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 [rule]
diff --git a/rules/integrations/aws/initial_access_console_login_root.toml b/rules/integrations/aws/initial_access_console_login_root.toml
index 1c2690d6cc7..5e6b34c58c2 100644
--- a/rules/integrations/aws/initial_access_console_login_root.toml
+++ b/rules/integrations/aws/initial_access_console_login_root.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/06/11"
 maturity = "production"
-updated_date = "2022/07/22"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 [rule]
diff --git a/rules/integrations/aws/initial_access_password_recovery.toml b/rules/integrations/aws/initial_access_password_recovery.toml
index 2b276c1abbe..b6971a8efad 100644
--- a/rules/integrations/aws/initial_access_password_recovery.toml
+++ b/rules/integrations/aws/initial_access_password_recovery.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/07/02"
 maturity = "production"
-updated_date = "2022/04/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 [rule]
diff --git a/rules/integrations/aws/initial_access_via_system_manager.toml b/rules/integrations/aws/initial_access_via_system_manager.toml
index 1ebe340da1f..c6b55a7b57b 100644
--- a/rules/integrations/aws/initial_access_via_system_manager.toml
+++ b/rules/integrations/aws/initial_access_via_system_manager.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/07/06"
 maturity = "production"
-updated_date = "2022/07/14"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 [rule]
diff --git a/rules/integrations/aws/ml_cloudtrail_error_message_spike.toml b/rules/integrations/aws/ml_cloudtrail_error_message_spike.toml
index e4cb8e8eaf7..843f56f3aed 100644
--- a/rules/integrations/aws/ml_cloudtrail_error_message_spike.toml
+++ b/rules/integrations/aws/ml_cloudtrail_error_message_spike.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/07/13"
 maturity = "production"
-updated_date = "2022/07/14"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 [rule]
diff --git a/rules/integrations/aws/ml_cloudtrail_rare_error_code.toml b/rules/integrations/aws/ml_cloudtrail_rare_error_code.toml
index 8e9904cec74..edae35ac634 100644
--- a/rules/integrations/aws/ml_cloudtrail_rare_error_code.toml
+++ b/rules/integrations/aws/ml_cloudtrail_rare_error_code.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/07/13"
 maturity = "production"
-updated_date = "2022/07/14"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 [rule]
diff --git a/rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml b/rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml
index a1a1cff48ef..b14a6c9b887 100644
--- a/rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml
+++ b/rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/07/13"
 maturity = "production"
-updated_date = "2022/07/14"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 [rule]
@@ -42,7 +44,7 @@ of the source IP address.
 #### Possible investigation steps
 - Identify the user account involved and the action performed. Verify whether it should perform this kind of action.
- - Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key ID in the 
+ - Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key ID in the
 `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context.
 - The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.
 - Investigate other alerts associated with the user account during the past 48 hours.
diff --git a/rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml b/rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml
index cf997be4ade..cd6f007feb2 100644
--- a/rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml
+++ b/rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/07/13"
 maturity = "production"
-updated_date = "2022/07/14"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 [rule]
@@ -42,7 +44,7 @@ of the source IP address.
 #### Possible investigation steps
 - Identify the user account involved and the action performed. Verify whether it should perform this kind of action.
- - Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key ID in the 
+ - Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key ID in the
 `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context.
 - The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.
 - Investigate other alerts associated with the user account during the past 48 hours.
diff --git a/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml b/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml
index 35988790abf..2b6e681abfd 100644
--- a/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml
+++ b/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/07/13"
 maturity = "production"
-updated_date = "2022/07/14"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 [rule]
@@ -41,7 +43,7 @@ user.
 #### Possible investigation steps
 - Identify the user account involved and the action performed. Verify whether it should perform this kind of action.
- - Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key ID in the 
+ - Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key ID in the
 `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context.
 - The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.
 - Investigate other alerts associated with the user account during the past 48 hours.
diff --git a/rules/integrations/aws/persistence_ec2_network_acl_creation.toml b/rules/integrations/aws/persistence_ec2_network_acl_creation.toml
index eb988ea160b..51ed2a7bf30 100644
--- a/rules/integrations/aws/persistence_ec2_network_acl_creation.toml
+++ b/rules/integrations/aws/persistence_ec2_network_acl_creation.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/06/04"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 [rule]
diff --git a/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml b/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml
index a16ed0dadf6..5182aae267b 100644
--- a/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml
+++ b/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/05/05"
 maturity = "production"
-updated_date = "2022/04/07"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 [rule]
diff --git a/rules/integrations/aws/persistence_iam_group_creation.toml b/rules/integrations/aws/persistence_iam_group_creation.toml
index d20094ff6c3..98658f842d4 100644
--- a/rules/integrations/aws/persistence_iam_group_creation.toml
+++ b/rules/integrations/aws/persistence_iam_group_creation.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/06/05"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 [rule]
diff --git a/rules/integrations/aws/persistence_rds_cluster_creation.toml b/rules/integrations/aws/persistence_rds_cluster_creation.toml
index 94ae3cfacee..3c8dde9c5f0 100644
--- a/rules/integrations/aws/persistence_rds_cluster_creation.toml
+++ b/rules/integrations/aws/persistence_rds_cluster_creation.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/05/20"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 [rule]
diff --git a/rules/integrations/aws/persistence_rds_group_creation.toml b/rules/integrations/aws/persistence_rds_group_creation.toml
index 374d94fc62b..8000c16a764 100644
--- a/rules/integrations/aws/persistence_rds_group_creation.toml
+++ b/rules/integrations/aws/persistence_rds_group_creation.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/06/05"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 [rule]
diff --git a/rules/integrations/aws/persistence_rds_instance_creation.toml b/rules/integrations/aws/persistence_rds_instance_creation.toml
index 65617ffae45..dcc819da68f 100644
--- a/rules/integrations/aws/persistence_rds_instance_creation.toml
+++ b/rules/integrations/aws/persistence_rds_instance_creation.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/06/06"
 maturity = "production"
-updated_date = "2022/07/05"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 [rule]
diff --git a/rules/integrations/aws/persistence_redshift_instance_creation.toml b/rules/integrations/aws/persistence_redshift_instance_creation.toml
index dc98349791e..817550e621f 100644
--- a/rules/integrations/aws/persistence_redshift_instance_creation.toml
+++ b/rules/integrations/aws/persistence_redshift_instance_creation.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2022/04/12"
 maturity = "production"
-updated_date = "2022/07/05"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 [rule]
diff --git a/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml b/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml
index de34c8b9cb2..072f305a811 100644
--- a/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml
+++ b/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/05/10"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 [rule]
diff --git a/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml b/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml
index 597ea914df2..d0a6ae23640 100644
--- a/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml
+++ b/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/05/10"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 [rule]
diff --git a/rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml b/rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml
index 086300809d7..7ef1506a3d5 100644
--- a/rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml
+++ b/rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/07/19"
 maturity = "production"
-updated_date = "2021/07/19"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 [rule]
diff --git a/rules/integrations/aws/persistence_route_table_created.toml b/rules/integrations/aws/persistence_route_table_created.toml
index c0b70f34a87..d175dac1f5d 100644
--- a/rules/integrations/aws/persistence_route_table_created.toml
+++ b/rules/integrations/aws/persistence_route_table_created.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/06/05"
 maturity = "production"
-updated_date = "2022/07/05"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 [rule]
diff --git a/rules/integrations/aws/persistence_route_table_modified_or_deleted.toml b/rules/integrations/aws/persistence_route_table_modified_or_deleted.toml
index 57ffe282789..41128fdc63a 100644
--- a/rules/integrations/aws/persistence_route_table_modified_or_deleted.toml
+++ b/rules/integrations/aws/persistence_route_table_modified_or_deleted.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/06/05"
 maturity = "production"
-updated_date = "2022/04/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 [rule]
diff --git a/rules/integrations/aws/privilege_escalation_aws_suspicious_saml_activity.toml b/rules/integrations/aws/privilege_escalation_aws_suspicious_saml_activity.toml
index b4baff8da98..78416677b0c 100644
--- a/rules/integrations/aws/privilege_escalation_aws_suspicious_saml_activity.toml
+++ b/rules/integrations/aws/privilege_escalation_aws_suspicious_saml_activity.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/09/22"
 maturity = "production"
-updated_date = "2021/09/22"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 [rule]
diff --git a/rules/integrations/aws/privilege_escalation_root_login_without_mfa.toml b/rules/integrations/aws/privilege_escalation_root_login_without_mfa.toml
index 1d1be7716e8..d5a63bc0e35 100644
--- a/rules/integrations/aws/privilege_escalation_root_login_without_mfa.toml
+++ b/rules/integrations/aws/privilege_escalation_root_login_without_mfa.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/07/06"
 maturity = "production"
-updated_date = "2022/07/22"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 [rule]
@@ -40,7 +42,7 @@ your first IAM user. Then securely lock away the root user credentials and use t
 service management tasks. Amazon provides a [list of the tasks that require root user](https://docs.aws.amazon.com/general/latest/gr/root-vs-iam.html#aws_tasks-that-require-root).
 This rule looks for attempts to log in to AWS as the root user without using multi-factor authentication (MFA), meaning
-the account is not secured properly. 
+the account is not secured properly.
 #### Possible investigation steps
diff --git a/rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml b/rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml
index 360a6f53336..f1a82be81c5 100644
--- a/rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml
+++ b/rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/05/17"
 maturity = "production"
-updated_date = "2021/10/05"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 [rule]
diff --git a/rules/integrations/aws/privilege_escalation_sts_getsessiontoken_abuse.toml b/rules/integrations/aws/privilege_escalation_sts_getsessiontoken_abuse.toml
index afa2cfedd01..991f7e7f9b5 100644
--- a/rules/integrations/aws/privilege_escalation_sts_getsessiontoken_abuse.toml
+++ b/rules/integrations/aws/privilege_escalation_sts_getsessiontoken_abuse.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/05/17"
 maturity = "production"
-updated_date = "2021/10/11"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 [rule]
diff --git a/rules/integrations/aws/privilege_escalation_updateassumerolepolicy.toml b/rules/integrations/aws/privilege_escalation_updateassumerolepolicy.toml
index 82b339e27a2..5af2f69635b 100644
--- a/rules/integrations/aws/privilege_escalation_updateassumerolepolicy.toml
+++ b/rules/integrations/aws/privilege_escalation_updateassumerolepolicy.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/07/06"
 maturity = "production"
-updated_date = "2022/07/19"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 [rule]
diff --git a/rules/integrations/azure/collection_update_event_hub_auth_rule.toml b/rules/integrations/azure/collection_update_event_hub_auth_rule.toml
index 533d7a9aa45..0af85cdf472 100644
--- a/rules/integrations/azure/collection_update_event_hub_auth_rule.toml
+++ b/rules/integrations/azure/collection_update_event_hub_auth_rule.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "azure"
 [rule]
diff --git a/rules/integrations/azure/credential_access_azure_full_network_packet_capture_detected.toml b/rules/integrations/azure/credential_access_azure_full_network_packet_capture_detected.toml
index 39af8aec704..fb721a6aeb6 100644
--- a/rules/integrations/azure/credential_access_azure_full_network_packet_capture_detected.toml
+++ b/rules/integrations/azure/credential_access_azure_full_network_packet_capture_detected.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/08/12"
 maturity = "production"
-updated_date = "2021/10/15"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "azure"
diff --git a/rules/integrations/azure/credential_access_key_vault_modified.toml b/rules/integrations/azure/credential_access_key_vault_modified.toml
index 6b4fb1714a9..1c96a5a39c0 100644
--- a/rules/integrations/azure/credential_access_key_vault_modified.toml
+++ b/rules/integrations/azure/credential_access_key_vault_modified.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/08/31"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "azure"
 [rule]
diff --git a/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml b/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml
index 8c4c4820f8c..3cc97f76eb0 100644
--- a/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml
+++ b/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/08/19"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "azure"
 [rule]
diff --git a/rules/integrations/azure/defense_evasion_azure_application_credential_modification.toml b/rules/integrations/azure/defense_evasion_azure_application_credential_modification.toml
index f6a2068e922..03225e9d265 100644
--- a/rules/integrations/azure/defense_evasion_azure_application_credential_modification.toml
+++ b/rules/integrations/azure/defense_evasion_azure_application_credential_modification.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/12/14"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "azure"
 
 [rule]
diff --git a/rules/integrations/azure/defense_evasion_azure_automation_runbook_deleted.toml b/rules/integrations/azure/defense_evasion_azure_automation_runbook_deleted.toml
index d09c3e51f31..450ac76dbd0 100644
--- a/rules/integrations/azure/defense_evasion_azure_automation_runbook_deleted.toml
+++ b/rules/integrations/azure/defense_evasion_azure_automation_runbook_deleted.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/09/01"
 maturity = "production"
-updated_date = "2022/07/13"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "azure"
 
 [rule]
@@ -33,7 +35,7 @@ type = "query"
 
 query = '''
 event.dataset:azure.activitylogs and
- azure.activitylogs.operation_name:"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DELETE" and
+ azure.activitylogs.operation_name:"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DELETE" and
 event.outcome:(Success or success)
 '''
 
diff --git a/rules/integrations/azure/defense_evasion_azure_blob_permissions_modified.toml b/rules/integrations/azure/defense_evasion_azure_blob_permissions_modified.toml
index 52912a862d4..35aa843c513 100644
--- a/rules/integrations/azure/defense_evasion_azure_blob_permissions_modified.toml
+++ b/rules/integrations/azure/defense_evasion_azure_blob_permissions_modified.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/09/22"
 maturity = "production"
-updated_date = "2021/09/22"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "azure"
 
 [rule]
diff --git a/rules/integrations/azure/defense_evasion_azure_diagnostic_settings_deletion.toml b/rules/integrations/azure/defense_evasion_azure_diagnostic_settings_deletion.toml
index 69f3b560cc9..ec9f32538cd 100644
--- a/rules/integrations/azure/defense_evasion_azure_diagnostic_settings_deletion.toml
+++ b/rules/integrations/azure/defense_evasion_azure_diagnostic_settings_deletion.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/08/17"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "azure"
 
 [rule]
diff --git a/rules/integrations/azure/defense_evasion_azure_service_principal_addition.toml b/rules/integrations/azure/defense_evasion_azure_service_principal_addition.toml
index 4fba20ea451..dc8f526a509 100644
--- a/rules/integrations/azure/defense_evasion_azure_service_principal_addition.toml
+++ b/rules/integrations/azure/defense_evasion_azure_service_principal_addition.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/12/14"
 maturity = "production"
-updated_date = "2022/07/19"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "azure"
 
 [rule]
diff --git a/rules/integrations/azure/defense_evasion_event_hub_deletion.toml b/rules/integrations/azure/defense_evasion_event_hub_deletion.toml
index 763c1d36812..e77f6f12fb9 100644
--- a/rules/integrations/azure/defense_evasion_event_hub_deletion.toml
+++ b/rules/integrations/azure/defense_evasion_event_hub_deletion.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "azure"
 
 [rule]
diff --git a/rules/integrations/azure/defense_evasion_firewall_policy_deletion.toml b/rules/integrations/azure/defense_evasion_firewall_policy_deletion.toml
index fff5ce5157f..fdac3a5ed4c 100644
--- a/rules/integrations/azure/defense_evasion_firewall_policy_deletion.toml
+++ b/rules/integrations/azure/defense_evasion_firewall_policy_deletion.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "azure"
 
 [rule]
diff --git a/rules/integrations/azure/defense_evasion_frontdoor_firewall_policy_deletion.toml b/rules/integrations/azure/defense_evasion_frontdoor_firewall_policy_deletion.toml
index a4711ef0ccc..697745bbc8b 100644
--- a/rules/integrations/azure/defense_evasion_frontdoor_firewall_policy_deletion.toml
+++ b/rules/integrations/azure/defense_evasion_frontdoor_firewall_policy_deletion.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/08/01"
 maturity = "production"
-updated_date = "2021/08/01"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "azure"
 
 [rule]
diff --git a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml b/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml
index b4ead5ba31f..cfb6b36fb22 100644
--- a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml
+++ b/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/06/24"
 maturity = "production"
-updated_date = "2022/02/28"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "azure"
 
 [rule]
diff --git a/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml b/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml
index bbbe2ce8118..722f5c4989f 100644
--- a/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml
+++ b/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/08/31"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "azure"
 
 [rule]
diff --git a/rules/integrations/azure/defense_evasion_suppression_rule_created.toml b/rules/integrations/azure/defense_evasion_suppression_rule_created.toml
index cd5ea237184..6155a4e66c2 100644
--- a/rules/integrations/azure/defense_evasion_suppression_rule_created.toml
+++ b/rules/integrations/azure/defense_evasion_suppression_rule_created.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/08/27"
 maturity = "production"
-updated_date = "2022/02/16"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "azure"
 
 [rule]
diff --git a/rules/integrations/azure/discovery_blob_container_access_mod.toml b/rules/integrations/azure/discovery_blob_container_access_mod.toml
index a38057a25b2..0853719abe9 100644
--- a/rules/integrations/azure/discovery_blob_container_access_mod.toml
+++ b/rules/integrations/azure/discovery_blob_container_access_mod.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/08/20"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "azure"
 
 [rule]
diff --git a/rules/integrations/azure/execution_command_virtual_machine.toml b/rules/integrations/azure/execution_command_virtual_machine.toml
index 1289b596fa8..bc66dce7956 100644
--- a/rules/integrations/azure/execution_command_virtual_machine.toml
+++ b/rules/integrations/azure/execution_command_virtual_machine.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/08/17"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "azure"
 
 [rule]
diff --git a/rules/integrations/azure/impact_azure_service_principal_credentials_added.toml b/rules/integrations/azure/impact_azure_service_principal_credentials_added.toml
index 25fa04cb3e8..62167341600 100644
--- a/rules/integrations/azure/impact_azure_service_principal_credentials_added.toml
+++ b/rules/integrations/azure/impact_azure_service_principal_credentials_added.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/05/05"
 maturity = "production"
-updated_date = "2022/02/28"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "azure"
 
 [rule]
diff --git a/rules/integrations/azure/impact_kubernetes_pod_deleted.toml b/rules/integrations/azure/impact_kubernetes_pod_deleted.toml
index 507e10868a9..54c4bc1061e 100644
--- a/rules/integrations/azure/impact_kubernetes_pod_deleted.toml
+++ b/rules/integrations/azure/impact_kubernetes_pod_deleted.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/06/24"
 maturity = "production"
-updated_date = "2021/06/24"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "azure"
 
 [rule]
diff --git a/rules/integrations/azure/impact_resource_group_deletion.toml b/rules/integrations/azure/impact_resource_group_deletion.toml
index 545b3d503d0..61c0ea0734c 100644
--- a/rules/integrations/azure/impact_resource_group_deletion.toml
+++ b/rules/integrations/azure/impact_resource_group_deletion.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/08/17"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "azure"
 
 [rule]
diff --git a/rules/integrations/azure/impact_virtual_network_device_modified.toml b/rules/integrations/azure/impact_virtual_network_device_modified.toml
index f62a129494b..6aafda577ef 100644
--- a/rules/integrations/azure/impact_virtual_network_device_modified.toml
+++ b/rules/integrations/azure/impact_virtual_network_device_modified.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/08/12"
 maturity = "production"
-updated_date = "2022/07/05"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "azure"
 
 [rule]
diff --git a/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin.toml b/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin.toml
index eec7eee274f..73b0337a5d1 100644
--- a/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin.toml
+++ b/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/01/04"
 maturity = "production"
-updated_date = "2022/07/19"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "azure"
 
 [rule]
@@ -28,7 +30,7 @@ This rule identifies events produced by Microsoft Identity Protection with high
 #### Possible investigation steps
 
 - Identify the Risk Detection that triggered the event. A list with descriptions can be found [here](https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#risk-types-and-detection).
-- Identify the user account involved and validate whether the suspicious activity is normal for that user.
+- Identify the user account involved and validate whether the suspicious activity is normal for that user.
 - Consider the source IP address and geolocation for the involved user account. Do they look normal?
 - Consider the device used to sign in. Is it registered and compliant?
 - Investigate other alerts associated with the user account during the past 48 hours.
diff --git a/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml b/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml
index 350583d23ed..b0c857da23e 100644
--- a/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml
+++ b/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/10/18"
 maturity = "production"
-updated_date = "2022/07/19"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "azure"
 
 [rule]
@@ -27,7 +29,7 @@ or `atRisk`.
 #### Possible investigation steps
 
 - Identify the Risk Detection that triggered the event. A list with descriptions can be found [here](https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#risk-types-and-detection).
-- Identify the user account involved and validate whether the suspicious activity is normal for that user.
+- Identify the user account involved and validate whether the suspicious activity is normal for that user.
 - Consider the source IP address and geolocation for the involved user account. Do they look normal?
 - Consider the device used to sign in. Is it registered and compliant?
 - Investigate other alerts associated with the user account during the past 48 hours.
diff --git a/rules/integrations/azure/initial_access_azure_active_directory_powershell_signin.toml b/rules/integrations/azure/initial_access_azure_active_directory_powershell_signin.toml
index f8a0f17173f..45570d54598 100644
--- a/rules/integrations/azure/initial_access_azure_active_directory_powershell_signin.toml
+++ b/rules/integrations/azure/initial_access_azure_active_directory_powershell_signin.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/12/14"
 maturity = "production"
-updated_date = "2022/07/19"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "azure"
 
 [rule]
diff --git a/rules/integrations/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml b/rules/integrations/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml
index a23b24d8a3b..1dba35f8c6f 100644
--- a/rules/integrations/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml
+++ b/rules/integrations/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/09/01"
 maturity = "production"
-updated_date = "2022/07/19"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "azure"
 
 [rule]
@@ -70,7 +72,7 @@ your IT teams to minimize the impact on business operations during these actions
 
 - Investigate the potential for data compromise from the user's email and file sharing services. Activate your Data Loss incident response playbook.
 - Disable the permission for a user to set consent permission on their behalf.
- - Enable the [Admin consent request](https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-admin-consent-workflow) feature.
+ - Enable the [Admin consent request](https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-admin-consent-workflow) feature.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
 
 
diff --git a/rules/integrations/azure/initial_access_external_guest_user_invite.toml b/rules/integrations/azure/initial_access_external_guest_user_invite.toml
index d90deeca456..ccb6f215cb3 100644
--- a/rules/integrations/azure/initial_access_external_guest_user_invite.toml
+++ b/rules/integrations/azure/initial_access_external_guest_user_invite.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/08/31"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "azure"
 
 [rule]
diff --git a/rules/integrations/azure/persistence_azure_automation_account_created.toml b/rules/integrations/azure/persistence_azure_automation_account_created.toml
index 837197b0d35..6d5432f8bc5 100644
--- a/rules/integrations/azure/persistence_azure_automation_account_created.toml
+++ b/rules/integrations/azure/persistence_azure_automation_account_created.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "azure"
 
 [rule]
diff --git a/rules/integrations/azure/persistence_azure_automation_runbook_created_or_modified.toml b/rules/integrations/azure/persistence_azure_automation_runbook_created_or_modified.toml
index a9c2aa29c7b..ab1b462eceb 100644
--- a/rules/integrations/azure/persistence_azure_automation_runbook_created_or_modified.toml
+++ b/rules/integrations/azure/persistence_azure_automation_runbook_created_or_modified.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "azure"
 
 [rule]
diff --git a/rules/integrations/azure/persistence_azure_automation_webhook_created.toml b/rules/integrations/azure/persistence_azure_automation_webhook_created.toml
index 603ddb25885..d73b74ca7a6 100644
--- a/rules/integrations/azure/persistence_azure_automation_webhook_created.toml
+++ b/rules/integrations/azure/persistence_azure_automation_webhook_created.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "azure"
 
 [rule]
diff --git a/rules/integrations/azure/persistence_azure_conditional_access_policy_modified.toml b/rules/integrations/azure/persistence_azure_conditional_access_policy_modified.toml
index 2a321bae517..44e1b37df6f 100644
--- a/rules/integrations/azure/persistence_azure_conditional_access_policy_modified.toml
+++ b/rules/integrations/azure/persistence_azure_conditional_access_policy_modified.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/09/01"
 maturity = "production"
-updated_date = "2022/02/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "azure"
 
 [rule]
diff --git a/rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml b/rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml
index 868e5ec47de..765d376c071 100644
--- a/rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml
+++ b/rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/01/06"
 integration = "azure"
 maturity = "production"
-updated_date = "2022/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/azure/persistence_azure_pim_user_added_global_admin.toml b/rules/integrations/azure/persistence_azure_pim_user_added_global_admin.toml
index d2ffbe7950b..a8cde43861b 100644
--- a/rules/integrations/azure/persistence_azure_pim_user_added_global_admin.toml
+++ b/rules/integrations/azure/persistence_azure_pim_user_added_global_admin.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/09/24"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "azure"
 
 [rule]
diff --git a/rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml b/rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml
index 3fc79445b51..26a55088087 100644
--- a/rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml
+++ b/rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/09/01"
 maturity = "production"
-updated_date = "2022/07/19"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "azure"
 
 [rule]
@@ -23,10 +25,10 @@ note = """## Triage and analysis
 
 Azure Active Directory (AD) Privileged Identity Management (PIM) is a service that enables you to manage, control, and monitor access to important resources in an organization. PIM can be used to manage the built-in Azure resource roles
-such as Global Administrator and Application Administrator.
+such as Global Administrator and Application Administrator.
 
 This rule identifies the update of PIM role settings, which can indicate that an attacker has already gained enough
-access to modify role assignment settings.
+access to modify role assignment settings.
 
 #### Possible investigation steps
 
diff --git a/rules/integrations/azure/persistence_mfa_disabled_for_azure_user.toml b/rules/integrations/azure/persistence_mfa_disabled_for_azure_user.toml
index aab929854ad..2215b7dc015 100644
--- a/rules/integrations/azure/persistence_mfa_disabled_for_azure_user.toml
+++ b/rules/integrations/azure/persistence_mfa_disabled_for_azure_user.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/08/20"
 maturity = "production"
-updated_date = "2022/07/22"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "azure"
 
 [rule]
diff --git a/rules/integrations/azure/persistence_user_added_as_owner_for_azure_application.toml b/rules/integrations/azure/persistence_user_added_as_owner_for_azure_application.toml
index 0392baddaac..1bc83ba44d1 100644
--- a/rules/integrations/azure/persistence_user_added_as_owner_for_azure_application.toml
+++ b/rules/integrations/azure/persistence_user_added_as_owner_for_azure_application.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/08/20"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "azure"
 
 [rule]
diff --git a/rules/integrations/azure/persistence_user_added_as_owner_for_azure_service_principal.toml b/rules/integrations/azure/persistence_user_added_as_owner_for_azure_service_principal.toml
index 367d4626bcd..a5e48746400 100644
--- a/rules/integrations/azure/persistence_user_added_as_owner_for_azure_service_principal.toml
+++ b/rules/integrations/azure/persistence_user_added_as_owner_for_azure_service_principal.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/08/20"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "azure"
 
 [rule]
diff --git a/rules/integrations/azure/privilege_escalation_azure_kubernetes_rolebinding_created.toml b/rules/integrations/azure/privilege_escalation_azure_kubernetes_rolebinding_created.toml
index 22a288179b4..84ad211f3c6 100644
--- a/rules/integrations/azure/privilege_escalation_azure_kubernetes_rolebinding_created.toml
+++ b/rules/integrations/azure/privilege_escalation_azure_kubernetes_rolebinding_created.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/10/18"
 maturity = "production"
-updated_date = "2021/11/22"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "azure"
 
 [rule]
diff --git a/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml b/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml
index 7d460b4b128..d23b692c39a 100644
--- a/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml
+++ b/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2021/06/23"
 maturity = "production"
-updated_date = "2021/07/20"
+updated_date = "2022/08/24"
 integration = "cyberarkpas"
-min_stack_comments = "The integration was not introduced until 7.14"
-min_stack_version = "7.14.0"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml b/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml
index 81c4a24c9f6..d3a0c3c72b6 100644
--- a/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml
+++ b/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml
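Review bot: The replacement `min_stack_comments` in the cyberarkpas_error_audit_event_promotion hunk discards the only record of why this rule carried a stack floor at all — that the cyberarkpas integration did not exist before 7.14 — and the next hunk (recommended_events_to_monitor_promotion) does the same. The new 8.3.0 floor still satisfies that prerequisite, so nothing breaks today, but whoever later lowers or removes `min_stack_version` once the required_fields/related_integrations/setup note becomes obsolete will have no hint that an integration dependency also exists. Keeping both reasons in the one string costs nothing, e.g. `min_stack_comments = "New fields added: required_fields, related_integrations, setup; cyberarkpas integration requires 7.14+"`. These two files also keep `min_stack_*` after `integration`, while every other hunk in this commit inserts them before `updated_date`; if the metadata block is tool-generated or linted, one ordering should be chosen so future bulk bumps produce uniform diffs.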
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2021/06/23"
 maturity = "production"
-updated_date = "2021/07/20"
+updated_date = "2022/08/24"
 integration = "cyberarkpas"
-min_stack_comments = "The integration was not introduced until 7.14"
-min_stack_version = '7.14.0'
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/endpoint/elastic_endpoint_security.toml b/rules/integrations/endpoint/elastic_endpoint_security.toml
index f4b6bd08fc8..571cd3b064a 100644
--- a/rules/integrations/endpoint/elastic_endpoint_security.toml
+++ b/rules/integrations/endpoint/elastic_endpoint_security.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/07/08"
 maturity = "production"
-updated_date = "2021/10/11"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "endpoint"
 
 [rule]
diff --git a/rules/integrations/gcp/collection_gcp_pub_sub_subscription_creation.toml b/rules/integrations/gcp/collection_gcp_pub_sub_subscription_creation.toml
index f0013f13a10..32844d95e07 100644
--- a/rules/integrations/gcp/collection_gcp_pub_sub_subscription_creation.toml
+++ b/rules/integrations/gcp/collection_gcp_pub_sub_subscription_creation.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/09/23"
 maturity = "production"
-updated_date = "2022/07/15"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "gcp"
 
 [rule]
diff --git a/rules/integrations/gcp/collection_gcp_pub_sub_topic_creation.toml b/rules/integrations/gcp/collection_gcp_pub_sub_topic_creation.toml
index ff837ff852e..b12ea3ed0ae 100644
--- a/rules/integrations/gcp/collection_gcp_pub_sub_topic_creation.toml
+++ b/rules/integrations/gcp/collection_gcp_pub_sub_topic_creation.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/09/23"
 maturity = "production"
-updated_date = "2022/07/15"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "gcp"
 
 [rule]
diff --git a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_created.toml b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_created.toml
index 30f92a924e9..0371330efd5 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_created.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_created.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/09/21"
 integration = "gcp"
 maturity = "production"
-updated_date = "2022/07/15"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_deleted.toml b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_deleted.toml
index bf6db737207..2158316621d 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_deleted.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_deleted.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/09/21"
 integration = "gcp"
 maturity = "production"
-updated_date = "2022/07/15"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_modified.toml b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_modified.toml
index ff725226160..01ae45b1e51 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_modified.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_modified.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/09/21"
 integration = "gcp"
 maturity = "production"
-updated_date = "2022/07/15"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml b/rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml
index a51020e374a..f5bbbc9668e 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/09/21"
 maturity = "production"
-updated_date = "2022/07/15"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "gcp"
 
 [rule]
diff --git a/rules/integrations/gcp/defense_evasion_gcp_logging_sink_deletion.toml b/rules/integrations/gcp/defense_evasion_gcp_logging_sink_deletion.toml
index 70fc658a03c..fe47c683768 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_logging_sink_deletion.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_logging_sink_deletion.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/09/18"
 maturity = "production"
-updated_date = "2022/07/15"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "gcp"
 
 [rule]
diff --git a/rules/integrations/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml b/rules/integrations/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml
index ff35c6f6f8c..dc967d1fb0b 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml
@@ -1,7 +1,9 @@ [metadata] creation_date = "2020/09/23" maturity = "production" -updated_date = "2022/07/15" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2022/08/24" integration = "gcp" [rule] diff --git a/rules/integrations/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml b/rules/integrations/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml index 4c2a2a55c23..a894b06a9bb 100644 --- a/rules/integrations/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml +++ b/rules/integrations/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml @@ -1,7 +1,9 @@ [metadata] creation_date = "2020/09/18" maturity = "production" -updated_date = "2022/07/15" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2022/08/24" integration = "gcp" [rule] diff --git a/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml b/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml index b9a7fbdcf49..ef549345635 100644 --- a/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml +++ b/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml @@ -1,7 +1,9 @@ [metadata] creation_date = "2020/09/22" maturity = "production" -updated_date = "2022/07/15" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2022/08/24" integration = "gcp" [rule] diff --git a/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml b/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml index 89f6be2535b..a5596d1921d 100644 --- a/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml 
+++ b/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml @@ -1,7 +1,9 @@ [metadata] creation_date = "2020/09/21" maturity = "production" -updated_date = "2022/07/15" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2022/08/24" integration = "gcp" [rule] diff --git a/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_network_deleted.toml b/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_network_deleted.toml index 5db8145a749..bad67cccc11 100644 --- a/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_network_deleted.toml +++ b/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_network_deleted.toml @@ -1,7 +1,9 @@ [metadata] creation_date = "2020/09/22" maturity = "production" -updated_date = "2022/07/15" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2022/08/24" integration = "gcp" [rule] diff --git a/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_created.toml b/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_created.toml index 283c1694f18..111707924b9 100644 --- a/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_created.toml +++ b/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_created.toml @@ -1,7 +1,9 @@ [metadata] creation_date = "2020/09/22" maturity = "production" -updated_date = "2022/07/15" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2022/08/24" integration = "gcp" [rule] diff --git a/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_deleted.toml b/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_deleted.toml index 4c37eace740..49dbccff35f 100644 
--- a/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_deleted.toml +++ b/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_deleted.toml @@ -2,7 +2,9 @@ creation_date = "2020/09/22" integration = "gcp" maturity = "production" -updated_date = "2022/07/13" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2022/08/24" [rule] author = ["Elastic"] diff --git a/rules/integrations/gcp/exfiltration_gcp_logging_sink_modification.toml b/rules/integrations/gcp/exfiltration_gcp_logging_sink_modification.toml index 152c0713a03..0c170a6f6ff 100644 --- a/rules/integrations/gcp/exfiltration_gcp_logging_sink_modification.toml +++ b/rules/integrations/gcp/exfiltration_gcp_logging_sink_modification.toml @@ -1,7 +1,9 @@ [metadata] creation_date = "2020/09/22" maturity = "production" -updated_date = "2022/07/15" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2022/08/24" integration = "gcp" [rule] diff --git a/rules/integrations/gcp/impact_gcp_iam_role_deletion.toml b/rules/integrations/gcp/impact_gcp_iam_role_deletion.toml index f98d8bdd687..ba5c68510bb 100644 --- a/rules/integrations/gcp/impact_gcp_iam_role_deletion.toml +++ b/rules/integrations/gcp/impact_gcp_iam_role_deletion.toml @@ -1,7 +1,9 @@ [metadata] creation_date = "2020/09/22" maturity = "production" -updated_date = "2022/07/15" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2022/08/24" integration = "gcp" [rule] diff --git a/rules/integrations/gcp/impact_gcp_service_account_deleted.toml b/rules/integrations/gcp/impact_gcp_service_account_deleted.toml index 9234a204d7d..b921cf62d32 100644 --- a/rules/integrations/gcp/impact_gcp_service_account_deleted.toml +++ b/rules/integrations/gcp/impact_gcp_service_account_deleted.toml 
@@ -1,7 +1,9 @@ [metadata] creation_date = "2020/09/22" maturity = "production" -updated_date = "2022/07/15" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2022/08/24" integration = "gcp" [rule] diff --git a/rules/integrations/gcp/impact_gcp_service_account_disabled.toml b/rules/integrations/gcp/impact_gcp_service_account_disabled.toml index 51a3b4136ef..e1e8303c204 100644 --- a/rules/integrations/gcp/impact_gcp_service_account_disabled.toml +++ b/rules/integrations/gcp/impact_gcp_service_account_disabled.toml @@ -1,7 +1,9 @@ [metadata] creation_date = "2020/09/22" maturity = "production" -updated_date = "2022/07/15" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2022/08/24" integration = "gcp" [rule] diff --git a/rules/integrations/gcp/impact_gcp_storage_bucket_deleted.toml b/rules/integrations/gcp/impact_gcp_storage_bucket_deleted.toml index 92d22e0f539..99a854e2726 100644 --- a/rules/integrations/gcp/impact_gcp_storage_bucket_deleted.toml +++ b/rules/integrations/gcp/impact_gcp_storage_bucket_deleted.toml @@ -1,7 +1,9 @@ [metadata] creation_date = "2020/09/21" maturity = "production" -updated_date = "2022/07/15" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2022/08/24" integration = "gcp" [rule] diff --git a/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml b/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml index 3659d02c7da..9a85cfc2e44 100644 --- a/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml +++ b/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml 
@@ -1,7 +1,9 @@ [metadata] creation_date = "2020/09/21" maturity = "production" -updated_date = "2022/07/15" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2022/08/24" integration = "gcp" [rule] diff --git a/rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml b/rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml index 131af16bd28..6f14289612c 100644 --- a/rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml +++ b/rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml @@ -1,7 +1,9 @@ [metadata] creation_date = "2020/09/21" maturity = "production" -updated_date = "2022/07/15" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2022/08/24" integration = "gcp" [rule] diff --git a/rules/integrations/gcp/persistence_gcp_key_created_for_service_account.toml b/rules/integrations/gcp/persistence_gcp_key_created_for_service_account.toml index 085fa6c50b3..fb9f0292f74 100644 --- a/rules/integrations/gcp/persistence_gcp_key_created_for_service_account.toml +++ b/rules/integrations/gcp/persistence_gcp_key_created_for_service_account.toml @@ -1,7 +1,9 @@ [metadata] creation_date = "2020/09/21" maturity = "production" -updated_date = "2022/07/15" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2022/08/24" integration = "gcp" [rule] diff --git a/rules/integrations/gcp/persistence_gcp_service_account_created.toml b/rules/integrations/gcp/persistence_gcp_service_account_created.toml index 18a6408d6b8..1f97926ba33 100644 --- a/rules/integrations/gcp/persistence_gcp_service_account_created.toml +++ b/rules/integrations/gcp/persistence_gcp_service_account_created.toml 
@@ -1,7 +1,9 @@ [metadata] creation_date = "2020/09/22" maturity = "production" -updated_date = "2022/07/15" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2022/08/24" integration = "gcp" [rule] diff --git a/rules/integrations/gcp/privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.toml b/rules/integrations/gcp/privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.toml index 7a9209e16d2..60a5320b625 100644 --- a/rules/integrations/gcp/privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.toml +++ b/rules/integrations/gcp/privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.toml @@ -1,7 +1,9 @@ [metadata] creation_date = "2021/06/06" maturity = "production" -updated_date = "2022/07/15" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2022/08/24" integration = "gcp" [rule] diff --git a/rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml b/rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml index af832c6a7e7..412c1d6e774 100644 --- a/rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml +++ b/rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2020/11/17" maturity = "production" -updated_date = "2022/07/17" +updated_date = "2022/08/24" integration = "google_workspace" -min_stack_comments = "Google Workspace schema deprecated gsuite fields in 8.0" -min_stack_version = "8.0" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [rule] author = ["Elastic"] 
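Review bot: The rewritten `min_stack_comments` in the google_workspace hunk on this line drops the reason the previous floor existed — the gsuite-to-google_workspace schema change in 8.0 — and keeps only the new-fields rationale, so the 8.3.0 floor now reads as if it could be lowered to whatever `required_fields`/`related_integrations`/`setup` need. 8.3.0 satisfies both constraints today, but if the new-fields requirement is ever relaxed or the rule is backported, nothing records that the query presumably relies on field names that only exist from 8.0, and the rule would load on an older stack and silently never match. Suggest keeping both reasons, e.g. `min_stack_comments = "New fields added: required_fields, related_integrations, setup. Google Workspace schema deprecated gsuite fields in 8.0"`. The same replacement appears in every other google_workspace hunk in this change.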
diff --git a/rules/integrations/google_workspace/impact_google_workspace_admin_role_deletion.toml b/rules/integrations/google_workspace/impact_google_workspace_admin_role_deletion.toml index 68c60e5fc41..debea77a2fc 100644 --- a/rules/integrations/google_workspace/impact_google_workspace_admin_role_deletion.toml +++ b/rules/integrations/google_workspace/impact_google_workspace_admin_role_deletion.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2020/11/17" maturity = "production" -updated_date = "2022/01/13" +updated_date = "2022/08/24" integration = "google_workspace" -min_stack_comments = "Google Workspace schema deprecated gsuite fields in 8.0" -min_stack_version = "8.0" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [rule] author = ["Elastic"] diff --git a/rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml b/rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml index c0b08b820ab..229c3776cc9 100644 --- a/rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml +++ b/rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2020/11/17" maturity = "production" -updated_date = "2022/07/22" +updated_date = "2022/08/24" integration = "google_workspace" -min_stack_comments = "Google Workspace schema deprecated gsuite fields in 8.0" -min_stack_version = "8.0" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [rule] author = ["Elastic"] diff --git a/rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml b/rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml index ccf0924e508..8810645085a 100644 
--- a/rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml +++ b/rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2020/11/17" maturity = "production" -updated_date = "2022/07/17" +updated_date = "2022/08/24" integration = "google_workspace" -min_stack_comments = "Google Workspace schema deprecated gsuite fields in 8.0" -min_stack_version = "8.0" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [rule] author = ["Elastic"] diff --git a/rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml b/rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml index 08ad8a896a5..03e1c2ee005 100644 --- a/rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml +++ b/rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2020/11/17" maturity = "production" -updated_date = "2022/01/13" +updated_date = "2022/08/24" integration = "google_workspace" -min_stack_comments = "Google Workspace schema deprecated gsuite fields in 8.0" -min_stack_version = "8.0" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [rule] author = ["Elastic"] diff --git a/rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.toml b/rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.toml index f67fa93e882..56e081b89e7 100644 --- a/rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.toml 
+++ b/rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2020/11/12" maturity = "production" -updated_date = "2022/01/13" +updated_date = "2022/08/24" integration = "google_workspace" -min_stack_comments = "Google Workspace schema deprecated gsuite fields in 8.0" -min_stack_version = "8.0" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [rule] author = ["Elastic"] diff --git a/rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml b/rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml index d9b207a6426..588ba08abc5 100644 --- a/rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml +++ b/rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2020/11/17" maturity = "production" -updated_date = "2022/01/13" +updated_date = "2022/08/24" integration = "google_workspace" -min_stack_comments = "Google Workspace schema deprecated gsuite fields in 8.0" -min_stack_version = "8.0" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [rule] author = ["Elastic"] diff --git a/rules/integrations/google_workspace/persistence_google_workspace_policy_modified.toml b/rules/integrations/google_workspace/persistence_google_workspace_policy_modified.toml index 724d3e6b1ed..d4117a6faf4 100644 --- a/rules/integrations/google_workspace/persistence_google_workspace_policy_modified.toml +++ b/rules/integrations/google_workspace/persistence_google_workspace_policy_modified.toml 
@@ -1,10 +1,10 @@ [metadata] creation_date = "2020/11/17" maturity = "production" -updated_date = "2022/07/17" +updated_date = "2022/08/24" integration = "google_workspace" -min_stack_comments = "Google Workspace schema deprecated gsuite fields in 8.0" -min_stack_version = "8.0" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [rule] author = ["Elastic"] diff --git a/rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml b/rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml index ea0abb11270..68c591d02a5 100644 --- a/rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml +++ b/rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2020/11/17" maturity = "production" -updated_date = "2022/01/13" +updated_date = "2022/08/24" integration = "google_workspace" -min_stack_comments = "Google Workspace schema deprecated gsuite fields in 8.0" -min_stack_version = "8.0" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [rule] author = ["Elastic"] diff --git a/rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml b/rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml index d512898f0a8..45655935a2d 100644 --- a/rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml +++ b/rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml 
@@ -1,10 +1,10 @@ [metadata] creation_date = "2020/11/17" maturity = "production" -updated_date = "2022/07/17" +updated_date = "2022/08/24" integration = "google_workspace" -min_stack_comments = "Google Workspace schema deprecated gsuite fields in 8.0" -min_stack_version = "8.0" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [rule] author = ["Elastic"] diff --git a/rules/integrations/kubernetes/discovery_suspicious_self_subject_review.toml b/rules/integrations/kubernetes/discovery_suspicious_self_subject_review.toml index 7302029d340..092ef1d83af 100644 --- a/rules/integrations/kubernetes/discovery_suspicious_self_subject_review.toml +++ b/rules/integrations/kubernetes/discovery_suspicious_self_subject_review.toml @@ -2,9 +2,9 @@ creation_date = "2022/06/30" integration = "kubernetes" maturity = "production" -min_stack_comments = "Necessary audit log fields not available prior to 8.2" -min_stack_version = "8.2" -updated_date = "2022/06/30" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2022/08/24" [rule] author = ["Elastic"] @@ -41,8 +41,8 @@ timestamp_override = "event.ingested" type = "query" query = ''' -kubernetes.audit.verb:"create" -and kubernetes.audit.objectRef.resource:("selfsubjectaccessreviews" or "selfsubjectrulesreviews") +kubernetes.audit.verb:"create" +and kubernetes.audit.objectRef.resource:("selfsubjectaccessreviews" or "selfsubjectrulesreviews") and kubernetes.audit.user.username:(system\:serviceaccount\:* or system\:node\:*) or kubernetes.audit.impersonatedUser.username:(system\:serviceaccount\:* or system\:node\:*) ''' diff --git a/rules/integrations/kubernetes/execution_user_exec_to_pod.toml b/rules/integrations/kubernetes/execution_user_exec_to_pod.toml index 0f325829041..31e8714df06 100644 --- a/rules/integrations/kubernetes/execution_user_exec_to_pod.toml 
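Review bot: The query in the `@@ -41,8 +41,8 @@` hunk has an operator-precedence defect that the change, which appears to re-touch only whitespace on the first two lines, leaves in place: KQL binds `and` tighter than `or`, so the trailing `or kubernetes.audit.impersonatedUser.username:(…)` clause is not constrained by `verb:"create"` or the `objectRef.resource` list, and any audit event whose impersonated user is a service account or node fires the rule regardless of what was requested. Wrap the two user alternatives in parentheses: `and (kubernetes.audit.user.username:(system\:serviceaccount\:* or system\:node\:*)` followed by `or kubernetes.audit.impersonatedUser.username:(system\:serviceaccount\:* or system\:node\:*))`. Separately, there is no `kubernetes.audit.stage` filter, so depending on the cluster's audit policy one review request may produce an alert per recorded stage; `and kubernetes.audit.stage:"ResponseComplete"` would deduplicate.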
+++ b/rules/integrations/kubernetes/execution_user_exec_to_pod.toml @@ -2,9 +2,9 @@ creation_date = "2022/05/17" integration = "kubernetes" maturity = "production" -min_stack_comments = "Necessary audit log fields not available prior to 8.2" -min_stack_version = "8.2" -updated_date = "2022/07/11" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2022/08/24" [rule] author = ["Elastic"] @@ -43,7 +43,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -kubernetes.audit.objectRef.resource:"pods" +kubernetes.audit.objectRef.resource:"pods" and kubernetes.audit.objectRef.subresource:"exec" ''' diff --git a/rules/integrations/kubernetes/persistence_exposed_service_created_with_type_nodeport.toml b/rules/integrations/kubernetes/persistence_exposed_service_created_with_type_nodeport.toml index 376166b88e8..e6d6ce886ab 100644 --- a/rules/integrations/kubernetes/persistence_exposed_service_created_with_type_nodeport.toml +++ b/rules/integrations/kubernetes/persistence_exposed_service_created_with_type_nodeport.toml @@ -2,9 +2,9 @@ creation_date = "2022/07/05" integration = "kubernetes" maturity = "production" -min_stack_comments = "Necessary audit log fields not available prior to 8.2" -min_stack_version = "8.2" -updated_date = "2022/07/05" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2022/08/24" [rule] author = ["Elastic"] diff --git a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostipc.toml b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostipc.toml index c75d52ff39d..48645274393 100644 --- a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostipc.toml +++ b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostipc.toml 
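Review bot: The `pods`/`exec` query in the `@@ -43,7 +43,7 @@` hunk has no `kubernetes.audit.verb` or `kubernetes.audit.stage` constraint, so every stage the audit policy records for one exec request matches identically and a single `kubectl exec` is likely to raise several alerts. Pin the stage the deployed audit policy actually records, e.g. `and kubernetes.audit.stage:"ResponseStarted"`, to deduplicate. Adding `and kubernetes.audit.verb:("create" or "get")` also documents which request shapes are intended (current kubectl issues a POST, recorded as `create`; older websocket clients use GET) and excludes anything else that might be logged against the subresource. The `[rule]` table this query belongs to starts outside the hunk.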
@@ -2,9 +2,9 @@ creation_date = "2022/07/05" integration = "kubernetes" maturity = "production" -min_stack_comments = "Necessary audit log fields not available prior to 8.2" -min_stack_version = "8.2" -updated_date = "2022/07/05" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2022/08/24" [rule] author = ["Elastic"] diff --git a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml index 6a524b580b3..3b4443f5271 100644 --- a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml +++ b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml @@ -2,9 +2,9 @@ creation_date = "2022/07/05" integration = "kubernetes" maturity = "production" -min_stack_comments = "Necessary audit log fields not available prior to 8.2" -min_stack_version = "8.2" -updated_date = "2022/07/05" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2022/08/24" [rule] author = ["Elastic"] diff --git a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostpid.toml b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostpid.toml index dfafe09a036..70455db958b 100644 --- a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostpid.toml +++ b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostpid.toml 
@@ -2,9 +2,9 @@ creation_date = "2022/07/05" integration = "kubernetes" maturity = "production" -min_stack_comments = "Necessary audit log fields not available prior to 8.2" -min_stack_version = "8.2" -updated_date = "2022/07/05" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2022/08/24" [rule] author = ["Elastic"] diff --git a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_sensitive_hospath_volume.toml b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_sensitive_hospath_volume.toml index 30c880f5bf3..33fc1c82272 100644 --- a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_sensitive_hospath_volume.toml +++ b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_sensitive_hospath_volume.toml @@ -2,9 +2,9 @@ creation_date = "2022/07/11" integration = "kubernetes" maturity = "production" -min_stack_comments = "Necessary audit log fields not available prior to 8.2" -min_stack_version = "8.2" -updated_date = "2022/07/11" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2022/08/24" [rule] author = ["Elastic"] @@ -42,8 +42,8 @@ timestamp_override = "event.ingested" type = "query" query = ''' -kubernetes.audit.objectRef.resource:"pods" - and kubernetes.audit.verb:("create" or "update" or "patch") +kubernetes.audit.objectRef.resource:"pods" + and kubernetes.audit.verb:("create" or "update" or "patch") and kubernetes.audit.requestObject.spec.volumes.hostPath.path:("/" or "/proc" or "/root" or "/var" or "/var/run/docker.sock" or "/var/run/crio/crio.sock" or "/var/run/cri-dockerd.sock" or "/var/lib/kubelet" or "/var/lib/kubelet/pki" or "/var/lib/docker/overlay2" or "/etc" or "/etc/kubernetes" or "/etc/kubernetes/manifests" or "/home/admin") ''' 
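Review bot: The hostPath list in the `@@ -42,8 +42,8 @@` hunk is an exact-term match, so it is bypassed by any value that is not byte-identical to an entry — `/etc/` with a trailing slash, `/proc/1/root`, `/root/.ssh`, `/var/lib/kubelet/pods`, or a parent not in the list such as `/usr` — and the whitespace-only change to the first two lines does not touch that. If `kubernetes.audit.requestObject.spec.volumes.hostPath.path` is mapped as a keyword field, unquoted wildcard terms cover the subtrees, e.g. `and kubernetes.audit.requestObject.spec.volumes.hostPath.path:(/ or /proc* or /root* or /etc* or /var/run* or /var/lib/kubelet* or /var/lib/docker* or /home/admin*)` (KQL only treats `*` as a wildcard in an unquoted value, and `/` must stay exact or it would match everything). Expect some tuning, since legitimate DaemonSets commonly mount `/var/run` and `/var/lib/docker`.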
diff --git a/rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml b/rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml index 8db4db42af7..8451dd09bdb 100644 --- a/rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml +++ b/rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml @@ -2,9 +2,9 @@ creation_date = "2022/07/05" integration = "kubernetes" maturity = "production" -min_stack_comments = "Necessary audit log fields not available prior to 8.2" -min_stack_version = "8.2" -updated_date = "2022/07/05" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2022/08/24" [rule] author = ["Elastic"] diff --git a/rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml b/rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml index 98a096dd1bf..647d910275d 100644 --- a/rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml +++ b/rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml @@ -1,7 +1,9 @@ [metadata] creation_date = "2021/03/29" maturity = "production" -updated_date = "2022/08/16" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2022/08/24" integration = "o365" [rule] diff --git a/rules/integrations/o365/credential_access_microsoft_365_brute_force_user_account_attempt.toml b/rules/integrations/o365/credential_access_microsoft_365_brute_force_user_account_attempt.toml index e8f9c357dc0..8af7f094a22 100644 --- a/rules/integrations/o365/credential_access_microsoft_365_brute_force_user_account_attempt.toml +++ b/rules/integrations/o365/credential_access_microsoft_365_brute_force_user_account_attempt.toml 
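Review bot: The privileged_pod_created hunk replaces `min_stack_comments` "Necessary audit log fields not available prior to 8.2" with the generic new-fields note, losing the record that the audit-log fields this rule presumably queries did not exist before 8.2. The 8.3.0 floor covers both constraints today, but the comment is the only place a maintainer lowering `min_stack_version` later (for instance once the new-fields requirement stops being the binding one) would learn that the rule silently matches nothing on older stacks. Suggest recording both: `min_stack_comments = "New fields added: required_fields, related_integrations, setup. Necessary audit log fields not available prior to 8.2"`. Every other kubernetes hunk in this change makes the same replacement.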
@@ -1,7 +1,9 @@ [metadata] creation_date = "2020/11/30" maturity = "production" -updated_date = "2022/05/30" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2022/08/24" integration = "o365" [rule] diff --git a/rules/integrations/o365/credential_access_microsoft_365_potential_password_spraying_attack.toml b/rules/integrations/o365/credential_access_microsoft_365_potential_password_spraying_attack.toml index cb87e6635cb..fd6fd1742a2 100644 --- a/rules/integrations/o365/credential_access_microsoft_365_potential_password_spraying_attack.toml +++ b/rules/integrations/o365/credential_access_microsoft_365_potential_password_spraying_attack.toml @@ -1,7 +1,9 @@ [metadata] creation_date = "2020/12/01" maturity = "production" -updated_date = "2022/05/30" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2022/08/24" integration = "o365" [rule] diff --git a/rules/integrations/o365/credential_access_user_excessive_sso_logon_errors.toml b/rules/integrations/o365/credential_access_user_excessive_sso_logon_errors.toml index 61d2041dc90..0fb774db5b7 100644 --- a/rules/integrations/o365/credential_access_user_excessive_sso_logon_errors.toml +++ b/rules/integrations/o365/credential_access_user_excessive_sso_logon_errors.toml @@ -1,7 +1,9 @@ [metadata] creation_date = "2021/05/17" maturity = "production" -updated_date = "2021/12/30" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2022/08/24" integration = "o365" [rule] diff --git a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml index d152bc53a9c..13a91907420 100644 --- a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml 
+++ b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml @@ -1,7 +1,9 @@ [metadata] creation_date = "2020/11/20" maturity = "production" -updated_date = "2021/07/20" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2022/08/24" integration = "o365" [rule] diff --git a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml index 1bd643578a5..45654f7fa43 100644 --- a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml +++ b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml @@ -1,7 +1,9 @@ [metadata] creation_date = "2020/11/19" maturity = "production" -updated_date = "2021/07/20" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2022/08/24" integration = "o365" [rule] diff --git a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml index 1b839998c75..18b0a97dd31 100644 --- a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml +++ b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml @@ -1,7 +1,9 @@ [metadata] creation_date = "2020/11/19" maturity = "production" -updated_date = "2021/07/20" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2022/08/24" integration = "o365" [rule] 
diff --git a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml index c186b8e6f5f..075c900036a 100644 --- a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml +++ b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml @@ -1,7 +1,9 @@ [metadata] creation_date = "2020/11/19" maturity = "production" -updated_date = "2021/07/20" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2022/08/24" integration = "o365" [rule] diff --git a/rules/integrations/o365/defense_evasion_microsoft_365_mailboxauditbypassassociation.toml b/rules/integrations/o365/defense_evasion_microsoft_365_mailboxauditbypassassociation.toml index df9ab143902..adafec01707 100644 --- a/rules/integrations/o365/defense_evasion_microsoft_365_mailboxauditbypassassociation.toml +++ b/rules/integrations/o365/defense_evasion_microsoft_365_mailboxauditbypassassociation.toml @@ -2,7 +2,9 @@ creation_date = "2022/01/13" integration = "o365" maturity = "production" -updated_date = "2022/02/16" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2022/08/24" [rule] author = ["Elastic"] diff --git a/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml b/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml index 2b270b5cafd..97d63de0b2e 100644 --- a/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml +++ b/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml 
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/18"
 maturity = "production"
-updated_date = "2022/02/28"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "o365"
 
 [rule]
diff --git a/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_mod.toml b/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_mod.toml
index e04ff860af0..a15a7b4e76e 100644
--- a/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_mod.toml
+++ b/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_mod.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/19"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "o365"
 
 [rule]
diff --git a/rules/integrations/o365/impact_microsoft_365_mass_download_by_a_single_user.toml b/rules/integrations/o365/impact_microsoft_365_mass_download_by_a_single_user.toml
index c3e5d09d659..4e4ca912fff 100644
--- a/rules/integrations/o365/impact_microsoft_365_mass_download_by_a_single_user.toml
+++ b/rules/integrations/o365/impact_microsoft_365_mass_download_by_a_single_user.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/07/15"
 maturity = "development"
-updated_date = "2021/10/13"
+updated_date = "2022/08/24"
 integration = "o365"
 
 [rule]
diff --git a/rules/integrations/o365/impact_microsoft_365_potential_ransomware_activity.toml b/rules/integrations/o365/impact_microsoft_365_potential_ransomware_activity.toml
index 613963e9364..7daae51559d 100644
--- a/rules/integrations/o365/impact_microsoft_365_potential_ransomware_activity.toml
+++ b/rules/integrations/o365/impact_microsoft_365_potential_ransomware_activity.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/07/15"
 maturity = "production"
-updated_date = "2021/10/05"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "o365"
 
 [rule]
diff --git a/rules/integrations/o365/impact_microsoft_365_unusual_volume_of_file_deletion.toml b/rules/integrations/o365/impact_microsoft_365_unusual_volume_of_file_deletion.toml
index 9c92c20dc56..0e9588b011f 100644
--- a/rules/integrations/o365/impact_microsoft_365_unusual_volume_of_file_deletion.toml
+++ b/rules/integrations/o365/impact_microsoft_365_unusual_volume_of_file_deletion.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/07/15"
 maturity = "production"
-updated_date = "2021/07/15"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "o365"
 
 [rule]
diff --git a/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml b/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml
index 3727a0bb166..6dc020aac1e 100644
--- a/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml
+++ b/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/19"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "o365"
 
 [rule]
diff --git a/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml b/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml
index 669e137cab4..47dc36c97d2 100644
--- a/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml
+++ b/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/19"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "o365"
 
 [rule]
diff --git a/rules/integrations/o365/initial_access_microsoft_365_exchange_safelinks_disabled.toml b/rules/integrations/o365/initial_access_microsoft_365_exchange_safelinks_disabled.toml
index 5d38fb7af71..803497dc7a0 100644
--- a/rules/integrations/o365/initial_access_microsoft_365_exchange_safelinks_disabled.toml
+++ b/rules/integrations/o365/initial_access_microsoft_365_exchange_safelinks_disabled.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/18"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "o365"
 
 [rule]
diff --git a/rules/integrations/o365/initial_access_microsoft_365_impossible_travel_activity.toml b/rules/integrations/o365/initial_access_microsoft_365_impossible_travel_activity.toml
index 7a1d2a093e7..8c65fa57197 100644
--- a/rules/integrations/o365/initial_access_microsoft_365_impossible_travel_activity.toml
+++ b/rules/integrations/o365/initial_access_microsoft_365_impossible_travel_activity.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/07/15"
 maturity = "development"
-updated_date = "2021/10/05"
+updated_date = "2022/08/24"
 integration = "o365"
 
 [rule]
diff --git a/rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml b/rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml
index 9e159134142..7fa3cce75b6 100644
--- a/rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml
+++ b/rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/07/15"
 maturity = "production"
-updated_date = "2021/10/05"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "o365"
 
 [rule]
diff --git a/rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml b/rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml
index 7b739f01cdf..461c24dbd53 100644
--- a/rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml
+++ b/rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/01/12"
 integration = "o365"
 maturity = "production"
-updated_date = "2022/01/12"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/o365/lateral_movement_malware_uploaded_onedrive.toml b/rules/integrations/o365/lateral_movement_malware_uploaded_onedrive.toml
index 4239655f327..ed795805e00 100644
--- a/rules/integrations/o365/lateral_movement_malware_uploaded_onedrive.toml
+++ b/rules/integrations/o365/lateral_movement_malware_uploaded_onedrive.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/01/10"
 integration = "o365"
 maturity = "production"
-updated_date = "2022/01/10"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/o365/lateral_movement_malware_uploaded_sharepoint.toml b/rules/integrations/o365/lateral_movement_malware_uploaded_sharepoint.toml
index 505427744d8..3fe750c4d0a 100644
--- a/rules/integrations/o365/lateral_movement_malware_uploaded_sharepoint.toml
+++ b/rules/integrations/o365/lateral_movement_malware_uploaded_sharepoint.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/01/10"
 integration = "o365"
 maturity = "production"
-updated_date = "2022/02/28"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/o365/persistence_exchange_suspicious_mailbox_right_delegation.toml b/rules/integrations/o365/persistence_exchange_suspicious_mailbox_right_delegation.toml
index 23622c3b97f..edd8dada342 100644
--- a/rules/integrations/o365/persistence_exchange_suspicious_mailbox_right_delegation.toml
+++ b/rules/integrations/o365/persistence_exchange_suspicious_mailbox_right_delegation.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/05/17"
 maturity = "production"
-updated_date = "2022/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "o365"
 
 [rule]
diff --git a/rules/integrations/o365/persistence_microsoft_365_exchange_dkim_signing_config_disabled.toml b/rules/integrations/o365/persistence_microsoft_365_exchange_dkim_signing_config_disabled.toml
index d121404abf5..cf56129ab23 100644
--- a/rules/integrations/o365/persistence_microsoft_365_exchange_dkim_signing_config_disabled.toml
+++ b/rules/integrations/o365/persistence_microsoft_365_exchange_dkim_signing_config_disabled.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/18"
 maturity = "production"
-updated_date = "2022/07/17"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "o365"
 
 [rule]
diff --git a/rules/integrations/o365/persistence_microsoft_365_exchange_management_role_assignment.toml b/rules/integrations/o365/persistence_microsoft_365_exchange_management_role_assignment.toml
index 5619369f8d3..6b757201872 100644
--- a/rules/integrations/o365/persistence_microsoft_365_exchange_management_role_assignment.toml
+++ b/rules/integrations/o365/persistence_microsoft_365_exchange_management_role_assignment.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/20"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "o365"
 
 [rule]
diff --git a/rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml b/rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml
index 1a0fab679de..acc9716ae15 100644
--- a/rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml
+++ b/rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/01/06"
 integration = "o365"
 maturity = "production"
-updated_date = "2022/02/28"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/o365/persistence_microsoft_365_teams_custom_app_interaction_allowed.toml b/rules/integrations/o365/persistence_microsoft_365_teams_custom_app_interaction_allowed.toml
index d32b719d387..836040712fc 100644
--- a/rules/integrations/o365/persistence_microsoft_365_teams_custom_app_interaction_allowed.toml
+++ b/rules/integrations/o365/persistence_microsoft_365_teams_custom_app_interaction_allowed.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/30"
 maturity = "production"
-updated_date = "2022/07/17"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "o365"
 
 [rule]
diff --git a/rules/integrations/o365/persistence_microsoft_365_teams_external_access_enabled.toml b/rules/integrations/o365/persistence_microsoft_365_teams_external_access_enabled.toml
index 67bc2197d82..bba76cffcc6 100644
--- a/rules/integrations/o365/persistence_microsoft_365_teams_external_access_enabled.toml
+++ b/rules/integrations/o365/persistence_microsoft_365_teams_external_access_enabled.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/30"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "o365"
 
 [rule]
diff --git a/rules/integrations/o365/persistence_microsoft_365_teams_guest_access_enabled.toml b/rules/integrations/o365/persistence_microsoft_365_teams_guest_access_enabled.toml
index 10918a90f25..954b92e4f71 100644
--- a/rules/integrations/o365/persistence_microsoft_365_teams_guest_access_enabled.toml
+++ b/rules/integrations/o365/persistence_microsoft_365_teams_guest_access_enabled.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/20"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "o365"
 
 [rule]
diff --git a/rules/integrations/o365/privilege_escalation_new_or_modified_federation_domain.toml b/rules/integrations/o365/privilege_escalation_new_or_modified_federation_domain.toml
index d42815e8a82..884723ebcc0 100644
--- a/rules/integrations/o365/privilege_escalation_new_or_modified_federation_domain.toml
+++ b/rules/integrations/o365/privilege_escalation_new_or_modified_federation_domain.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/05/17"
 maturity = "production"
-updated_date = "2021/10/11"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "o365"
 
 [rule]
diff --git a/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml b/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml
index c03e8a92150..db75e5ba65a 100644
--- a/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml
+++ b/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
-updated_date = "2022/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "okta"
 
 [rule]
diff --git a/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml b/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml
index 8d3669b2fa2..90aa3dc1940 100644
--- a/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml
+++ b/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/08/19"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "okta"
 
 [rule]
diff --git a/rules/integrations/okta/credential_access_mfa_push_brute_force.toml b/rules/integrations/okta/credential_access_mfa_push_brute_force.toml
index bbdb7edf8a3..2c8321700d0 100644
--- a/rules/integrations/okta/credential_access_mfa_push_brute_force.toml
+++ b/rules/integrations/okta/credential_access_mfa_push_brute_force.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2022/01/05"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "okta"
 
 [rule]
diff --git a/rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml b/rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml
index c183eadf53b..a07fcb683bc 100644
--- a/rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml
+++ b/rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/07/16"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "okta"
 
 [rule]
diff --git a/rules/integrations/okta/credential_access_user_impersonation_access.toml b/rules/integrations/okta/credential_access_user_impersonation_access.toml
index 01701df4b83..de88ffbe205 100644
--- a/rules/integrations/okta/credential_access_user_impersonation_access.toml
+++ b/rules/integrations/okta/credential_access_user_impersonation_access.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2022/03/22"
 maturity = "production"
-updated_date = "2022/03/22"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "okta"
 
 [rule]
diff --git a/rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml b/rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml
index 772352d22d5..ddab4460c17 100644
--- a/rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml
+++ b/rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/06"
 maturity = "production"
-updated_date = "2022/07/18"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "okta"
 
 [rule]
diff --git a/rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml b/rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml
index 92f98af6f67..4df86f5402d 100644
--- a/rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml
+++ b/rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/06"
 maturity = "production"
-updated_date = "2022/07/18"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "okta"
 
 [rule]
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml
index bb447116dd7..171bf646b16 100644
--- a/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml
+++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
-updated_date = "2022/07/18"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "okta"
 
 [rule]
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml
index 761968342cf..d2f8fae7f19 100644
--- a/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml
+++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
-updated_date = "2022/07/18"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "okta"
 
 [rule]
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml
index 4d798661300..bc6f8ab4d11 100644
--- a/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml
+++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/05/28"
 maturity = "production"
-updated_date = "2022/07/18"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "okta"
 
 [rule]
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml
index 336df740bfe..8cb518195d8 100644
--- a/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml
+++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/06"
 maturity = "production"
-updated_date = "2022/07/18"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "okta"
 
 [rule]
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml
index 858f566b266..4553719ba76 100644
--- a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml
+++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
-updated_date = "2022/07/18"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "okta"
 
 [rule]
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml
index 445d1cdd235..3fba102b2d4 100644
--- a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml
+++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
-updated_date = "2022/07/18"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "okta"
 
 [rule]
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml
index e4aed3711bb..37e6f828389 100644
--- a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml
+++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
-updated_date = "2022/07/18"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "okta"
 
 [rule]
diff --git a/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml b/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml
index 982e8458a8d..6156e8d087b 100644
--- a/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml
+++ b/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/08/19"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "okta"
 
 [rule]
diff --git a/rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml b/rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml
index d02dcb72401..444e8e42ec5 100644
--- a/rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml
+++ b/rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "okta"
 
 [rule]
diff --git a/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml b/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml
index a3ea6d1df28..35d8d8d823d 100644
--- a/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml
+++ b/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/06"
 maturity = "production"
-updated_date = "2022/07/18"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "okta"
 
 [rule]
diff --git a/rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml b/rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml
index 108afdab4c5..2c316553c84 100644
--- a/rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml
+++ b/rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/06"
 maturity = "production"
-updated_date = "2022/07/18"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "okta"
 
 [rule]
diff --git a/rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml b/rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml
index b2f655ef830..e9ffbb65d1a 100644
--- a/rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml
+++ b/rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/06"
 maturity = "production"
-updated_date = "2022/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "okta"
 
 [rule]
diff --git a/rules/integrations/okta/impact_possible_okta_dos_attack.toml b/rules/integrations/okta/impact_possible_okta_dos_attack.toml
index 4ceb6a98174..950fc727c53 100644
--- a/rules/integrations/okta/impact_possible_okta_dos_attack.toml
+++ b/rules/integrations/okta/impact_possible_okta_dos_attack.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "okta"
 [rule]
diff --git a/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml b/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml
index 3d8a299b12d..03103d0b217 100644
--- a/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml
+++ b/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/05/14"
 maturity = "production"
-updated_date = "2021/10/11"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "okta"
 [rule]
diff --git a/rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml b/rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml
index 1d46e5fee73..0ba6ac9956f 100644
--- a/rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml
+++ b/rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "okta"
 [rule]
diff --git a/rules/integrations/okta/okta_threat_detected_by_okta_threatinsight.toml b/rules/integrations/okta/okta_threat_detected_by_okta_threatinsight.toml
index 4931d2f79af..d941e1b94e2 100644
--- a/rules/integrations/okta/okta_threat_detected_by_okta_threatinsight.toml
+++ b/rules/integrations/okta/okta_threat_detected_by_okta_threatinsight.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "okta"
 [rule]
diff --git a/rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml b/rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml
index 0e074342251..1c259181dd4 100644
--- a/rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml
+++ b/rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "okta"
 [rule]
diff --git a/rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml b/rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml
index 2d04368f2b6..1109d239523 100644
--- a/rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml
+++ b/rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/06"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "okta"
 [rule]
diff --git a/rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml b/rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml
index c24a7c89562..88040f1818e 100644
--- a/rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml
+++ b/rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "okta"
 [rule]
diff --git a/rules/integrations/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml b/rules/integrations/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml
index 4d46e0381a8..b6f58c79486 100644
--- a/rules/integrations/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml
+++ b/rules/integrations/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/05/20"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "okta"
 [rule]
diff --git a/rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml b/rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml
index 82a72dfe775..c908c955a36 100644
--- a/rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml
+++ b/rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "okta"
 [rule]
diff --git a/rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml b/rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml
index 3fb4239a883..e0db1ed9cb4 100644
--- a/rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml
+++ b/rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/07/01"
 maturity = "production"
-updated_date = "2022/07/18"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "okta"
 [rule]
diff --git a/rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml b/rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml
index 9f479d7df86..c5cba244647 100644
--- a/rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml
+++ b/rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2022/05/16"
 maturity = "production"
-updated_date = "2022/08/17"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
@@ -42,7 +44,7 @@ type = "eql"
 query = '''
 sequence by process.entity_id with maxspan=1m
-[network where event.type == "start" and event.action == "connection_attempted" and user.id == "0" and
+[network where event.type == "start" and event.action == "connection_attempted" and user.id == "0" and
 not process.executable : ("/bin/ssh", "/sbin/ssh", "/usr/lib/systemd/systemd", "/usr/sbin/sshd")]
 [process where event.action == "session_id_change" and user.id == "0" and
 not process.executable : ("/bin/ssh", "/sbin/ssh", "/usr/lib/systemd/systemd", "/usr/sbin/sshd")]
diff --git a/rules/linux/command_and_control_linux_iodine_activity.toml b/rules/linux/command_and_control_linux_iodine_activity.toml
index fdfbd697248..41db3e9ffa9 100644
--- a/rules/linux/command_and_control_linux_iodine_activity.toml
+++ b/rules/linux/command_and_control_linux_iodine_activity.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/07/18"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/linux/command_and_control_tunneling_via_earthworm.toml b/rules/linux/command_and_control_tunneling_via_earthworm.toml
index d38d0b83171..fc157d19cb9 100644
--- a/rules/linux/command_and_control_tunneling_via_earthworm.toml
+++ b/rules/linux/command_and_control_tunneling_via_earthworm.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/04/12"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/linux/credential_access_collection_sensitive_files.toml b/rules/linux/credential_access_collection_sensitive_files.toml
index 974b60247cb..87f8ddc933d 100644
--- a/rules/linux/credential_access_collection_sensitive_files.toml
+++ b/rules/linux/credential_access_collection_sensitive_files.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/12/22"
 maturity = "production"
-updated_date = "2021/03/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/linux/credential_access_ssh_backdoor_log.toml b/rules/linux/credential_access_ssh_backdoor_log.toml
index 736afdeec03..0a216aca171 100644
--- a/rules/linux/credential_access_ssh_backdoor_log.toml
+++ b/rules/linux/credential_access_ssh_backdoor_log.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/12/21"
 maturity = "production"
-updated_date = "2022/07/28"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml b/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml
index 6fbe0d37916..2aeed57afdb 100644
--- a/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml
+++ b/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/04/27"
 maturity = "production"
-updated_date = "2021/03/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml b/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml
index b5e5cf34af3..25ab699b9a4 100644
--- a/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml
+++ b/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/04/17"
 maturity = "production"
-updated_date = "2021/03/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/linux/defense_evasion_chattr_immutable_file.toml b/rules/linux/defense_evasion_chattr_immutable_file.toml
index 797dff73148..ccfd5d84a8d 100644
--- a/rules/linux/defense_evasion_chattr_immutable_file.toml
+++ b/rules/linux/defense_evasion_chattr_immutable_file.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2022/07/22"
 maturity = "production"
-updated_date = "2022/07/22"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/linux/defense_evasion_disable_selinux_attempt.toml b/rules/linux/defense_evasion_disable_selinux_attempt.toml
index e712df9eb30..e6a718fb247 100644
--- a/rules/linux/defense_evasion_disable_selinux_attempt.toml
+++ b/rules/linux/defense_evasion_disable_selinux_attempt.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/04/22"
 maturity = "production"
-updated_date = "2021/03/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/linux/defense_evasion_file_deletion_via_shred.toml b/rules/linux/defense_evasion_file_deletion_via_shred.toml
index 13c7192ca38..c8e00083e0f 100644
--- a/rules/linux/defense_evasion_file_deletion_via_shred.toml
+++ b/rules/linux/defense_evasion_file_deletion_via_shred.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/04/27"
 maturity = "production"
-updated_date = "2021/03/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/linux/defense_evasion_file_mod_writable_dir.toml b/rules/linux/defense_evasion_file_mod_writable_dir.toml
index fd9012555a1..2f48d1792d0 100644
--- a/rules/linux/defense_evasion_file_mod_writable_dir.toml
+++ b/rules/linux/defense_evasion_file_mod_writable_dir.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/04/21"
 maturity = "production"
-updated_date = "2021/03/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/linux/defense_evasion_hidden_file_dir_tmp.toml b/rules/linux/defense_evasion_hidden_file_dir_tmp.toml
index ea799dd3e80..5dee1682f49 100644
--- a/rules/linux/defense_evasion_hidden_file_dir_tmp.toml
+++ b/rules/linux/defense_evasion_hidden_file_dir_tmp.toml
@@ -1,9 +1,9 @@
 [metadata]
 creation_date = "2020/04/29"
 maturity = "production"
-min_stack_comments = "EQL regex syntax introduced in 7.12"
-min_stack_version = "7.12.0"
-updated_date = "2022/07/26"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/linux/defense_evasion_hidden_shared_object.toml b/rules/linux/defense_evasion_hidden_shared_object.toml
index e6937f26f67..3598708e4f1 100644
--- a/rules/linux/defense_evasion_hidden_shared_object.toml
+++ b/rules/linux/defense_evasion_hidden_shared_object.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2022/07/20"
 maturity = "production"
-updated_date = "2022/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
@@ -27,7 +29,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-file where event.action : "creation" and file.extension == "so" and file.name : ".*.so"
+file where event.action : "creation" and file.extension == "so" and file.name : ".*.so"
 '''
diff --git a/rules/linux/defense_evasion_kernel_module_removal.toml b/rules/linux/defense_evasion_kernel_module_removal.toml
index da385d91cd2..05d864296a4 100644
--- a/rules/linux/defense_evasion_kernel_module_removal.toml
+++ b/rules/linux/defense_evasion_kernel_module_removal.toml
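Review bot: The replaced `min_stack_comments` in defense_evasion_hidden_file_dir_tmp.toml drops the original rationale ("EQL regex syntax introduced in 7.12") even though that dependency still exists underneath the new 8.3.0 floor; the same happens in execution_python_tty_shell.toml, where the 8.2 timeline-template note is discarded. Behaviour is unchanged because 8.3.0 satisfies both older constraints, but a maintainer who later lowers the floor has no record that the query relies on EQL regex support or the newer timeline templates. Suggest keeping both reasons in the one string, e.g. `min_stack_comments = "EQL regex syntax introduced in 7.12; new fields added: required_fields, related_integrations, setup"`. Minor style: execution_python_tty_shell.toml keeps `updated_date` ahead of the `min_stack_*` keys while every other touched file in this commit places them before it; one order across the rule set would make these headers easier to scan.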
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/04/24"
 maturity = "production"
-updated_date = "2021/03/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/linux/defense_evasion_log_files_deleted.toml b/rules/linux/defense_evasion_log_files_deleted.toml
index a5eef7011fb..0599cdb0be3 100644
--- a/rules/linux/defense_evasion_log_files_deleted.toml
+++ b/rules/linux/defense_evasion_log_files_deleted.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/03"
 maturity = "production"
-updated_date = "2022/07/26"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/linux/discovery_kernel_module_enumeration.toml b/rules/linux/discovery_kernel_module_enumeration.toml
index 732997b8efd..8aa75879f15 100644
--- a/rules/linux/discovery_kernel_module_enumeration.toml
+++ b/rules/linux/discovery_kernel_module_enumeration.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/04/23"
 maturity = "production"
-updated_date = "2021/03/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/linux/discovery_linux_hping_activity.toml b/rules/linux/discovery_linux_hping_activity.toml
index 6e9d79e96b2..747da06d214 100644
--- a/rules/linux/discovery_linux_hping_activity.toml
+++ b/rules/linux/discovery_linux_hping_activity.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/06/02"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/linux/discovery_linux_nping_activity.toml b/rules/linux/discovery_linux_nping_activity.toml
index cf84f45e133..e125a0a56b9 100644
--- a/rules/linux/discovery_linux_nping_activity.toml
+++ b/rules/linux/discovery_linux_nping_activity.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/07/18"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/linux/discovery_virtual_machine_fingerprinting.toml b/rules/linux/discovery_virtual_machine_fingerprinting.toml
index 044841ca27e..f5cc6c5e0b5 100644
--- a/rules/linux/discovery_virtual_machine_fingerprinting.toml
+++ b/rules/linux/discovery_virtual_machine_fingerprinting.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/04/27"
 maturity = "production"
-updated_date = "2021/03/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/linux/execution_abnormal_process_id_file_created.toml b/rules/linux/execution_abnormal_process_id_file_created.toml
index 1d4b67ba48d..39380dca173 100644
--- a/rules/linux/execution_abnormal_process_id_file_created.toml
+++ b/rules/linux/execution_abnormal_process_id_file_created.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2022/05/11"
 maturity = "production"
-updated_date = "2022/08/17"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/linux/execution_linux_netcat_network_connection.toml b/rules/linux/execution_linux_netcat_network_connection.toml
index 65097f9525d..b382175087d 100644
--- a/rules/linux/execution_linux_netcat_network_connection.toml
+++ b/rules/linux/execution_linux_netcat_network_connection.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/07/18"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/linux/execution_perl_tty_shell.toml b/rules/linux/execution_perl_tty_shell.toml
index 9ec608508c8..0206e728f00 100644
--- a/rules/linux/execution_perl_tty_shell.toml
+++ b/rules/linux/execution_perl_tty_shell.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/04/16"
 maturity = "production"
-updated_date = "2021/03/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/linux/execution_process_started_from_process_id_file.toml b/rules/linux/execution_process_started_from_process_id_file.toml
index 91eb38b517f..8a11f126d5b 100644
--- a/rules/linux/execution_process_started_from_process_id_file.toml
+++ b/rules/linux/execution_process_started_from_process_id_file.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2022/05/11"
 maturity = "production"
-updated_date = "2022/05/12"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/linux/execution_process_started_in_shared_memory_directory.toml b/rules/linux/execution_process_started_in_shared_memory_directory.toml
index 0fe504fdff1..916fea94f24 100644
--- a/rules/linux/execution_process_started_in_shared_memory_directory.toml
+++ b/rules/linux/execution_process_started_in_shared_memory_directory.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2022/05/10"
 maturity = "production"
-updated_date = "2022/07/26"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
@@ -34,8 +36,8 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type == "start" and
-  event.action == "exec" and user.name == "root" and
+process where event.type == "start" and
+  event.action == "exec" and user.name == "root" and
 process.executable : (
 "/dev/shm/*",
 "/run/shm/*",
diff --git a/rules/linux/execution_python_tty_shell.toml b/rules/linux/execution_python_tty_shell.toml
index 63d8087ed8b..3ea9831b247 100644
--- a/rules/linux/execution_python_tty_shell.toml
+++ b/rules/linux/execution_python_tty_shell.toml
@@ -1,9 +1,9 @@
 [metadata]
 creation_date = "2020/04/15"
 maturity = "production"
-updated_date = "2022/03/31"
-min_stack_comments = "Comprehensive timeline templates only available in 8.2+"
-min_stack_version = "8.2"
+updated_date = "2022/08/24"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 [rule]
 author = ["Elastic"]
@@ -26,7 +26,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.category:process and event.type:(start or process_started) and
+event.category:process and event.type:(start or process_started) and
 process.name:python* and
 process.args:("import pty; pty.spawn(\"/bin/sh\")" or
 "import pty; pty.spawn(\"/bin/dash\")" or
diff --git a/rules/linux/execution_shell_evasion_linux_binary.toml b/rules/linux/execution_shell_evasion_linux_binary.toml
index e4dc0cf2c51..d3e3c678891 100644
--- a/rules/linux/execution_shell_evasion_linux_binary.toml
+++ b/rules/linux/execution_shell_evasion_linux_binary.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2022/05/06"
 maturity = "production"
-updated_date = "2022/08/01"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/linux/execution_tc_bpf_filter.toml b/rules/linux/execution_tc_bpf_filter.toml
index b7900e82135..0feaaf4ea53 100644
--- a/rules/linux/execution_tc_bpf_filter.toml
+++ b/rules/linux/execution_tc_bpf_filter.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2022/07/11"
 maturity = "production"
-updated_date = "2022/07/11"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/linux/impact_process_kill_threshold.toml b/rules/linux/impact_process_kill_threshold.toml
index b4b8f0a7aa6..68e0e40ed46 100644
--- a/rules/linux/impact_process_kill_threshold.toml
+++ b/rules/linux/impact_process_kill_threshold.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2022/07/27"
 maturity = "production"
-updated_date = "2022/07/27"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/linux/lateral_movement_telnet_network_activity_external.toml b/rules/linux/lateral_movement_telnet_network_activity_external.toml
index d833f362699..6f07b0de72a 100644
--- a/rules/linux/lateral_movement_telnet_network_activity_external.toml
+++ b/rules/linux/lateral_movement_telnet_network_activity_external.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/04/23"
 maturity = "production"
-updated_date = "2021/05/26"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/linux/lateral_movement_telnet_network_activity_internal.toml b/rules/linux/lateral_movement_telnet_network_activity_internal.toml
index e0915c924e5..cb493e9f0be 100644
--- a/rules/linux/lateral_movement_telnet_network_activity_internal.toml
+++ b/rules/linux/lateral_movement_telnet_network_activity_internal.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/04/23"
 maturity = "production"
-updated_date = "2021/05/26"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/linux/persistence_chkconfig_service_add.toml b/rules/linux/persistence_chkconfig_service_add.toml
index 42efdaa3457..09aa6fe7351 100644
--- a/rules/linux/persistence_chkconfig_service_add.toml
+++ b/rules/linux/persistence_chkconfig_service_add.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2022/07/22"
 maturity = "production"
-updated_date = "2022/08/17"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
@@ -24,8 +26,8 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type == "start" and
-  (process.executable : "/usr/sbin/chkconfig" and process.args : "--add") or
+process where event.type == "start" and
+  (process.executable : "/usr/sbin/chkconfig" and process.args : "--add") or
 (process.args : "*chkconfig" and process.args : "--add")
 '''
diff --git a/rules/linux/persistence_credential_access_modify_ssh_binaries.toml b/rules/linux/persistence_credential_access_modify_ssh_binaries.toml
index 15ecd152a8c..02810717410 100644
--- a/rules/linux/persistence_credential_access_modify_ssh_binaries.toml
+++ b/rules/linux/persistence_credential_access_modify_ssh_binaries.toml
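Review bot: On the new side of the persistence_chkconfig_service_add.toml query hunk, the trailing `or` on the `+  (process.executable : "/usr/sbin/chkconfig" and process.args : "--add") or` line leaves the second alternative outside the `event.type == "start"` gate, since EQL binds `and` tighter than `or`: the expression parses as `(event.type == "start" and (executable-and-args)) or (process.args : "*chkconfig" and process.args : "--add")`. If both alternatives are meant to require a process start, the two branches need their own parentheses: `process where event.type == "start" and` / `  ((process.executable : "/usr/sbin/chkconfig" and process.args : "--add") or` / `  (process.args : "*chkconfig" and process.args : "--add"))`. This predates the commit, which only trims trailing whitespace on these lines, but they are the lines being touched, and as written the rule can fire on non-start process events carrying those arguments.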
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/12/21"
 maturity = "production"
-updated_date = "2022/07/26"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/linux/persistence_dynamic_linker_backup.toml b/rules/linux/persistence_dynamic_linker_backup.toml
index fef7f9af4b6..da5c28b53e4 100644
--- a/rules/linux/persistence_dynamic_linker_backup.toml
+++ b/rules/linux/persistence_dynamic_linker_backup.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2022/07/12"
 maturity = "production"
-updated_date = "2022/08/17"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/linux/persistence_etc_file_creation.toml b/rules/linux/persistence_etc_file_creation.toml
index 0dfeb99ed17..230705365af 100644
--- a/rules/linux/persistence_etc_file_creation.toml
+++ b/rules/linux/persistence_etc_file_creation.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2022/07/22"
 maturity = "production"
-updated_date = "2022/08/17"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
@@ -54,7 +56,7 @@ reference = "https://attack.mitre.org/techniques/T1574/"
 [[rule.threat.technique.subtechnique]]
 id = "T1574.006"
 name = "Dynamic Linker Hijacking"
-reference = "https://attack.mitre.org/techniques/T1574/006/"
+reference = "https://attack.mitre.org/techniques/T1574/006/"
 [[rule.threat.technique]]
 id = "T1543"
diff --git a/rules/linux/persistence_insmod_kernel_module_load.toml b/rules/linux/persistence_insmod_kernel_module_load.toml
index ba99631fbfb..149b2ab2c11 100644
--- a/rules/linux/persistence_insmod_kernel_module_load.toml
+++ b/rules/linux/persistence_insmod_kernel_module_load.toml
@@ -1,12 +1,14 @@
 [metadata]
 creation_date = "2022/07/11"
 maturity = "production"
-updated_date = "2022/08/17"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
 description = """
-Detects the use of the insmod binary to load a Linux kernel object file. Threat actors can use this binary, given they have root privileges, to load a rootkit on a system providing them with complete control and the ability to hide from security products. Manually loading a kernel module in this manner should not be at all common and can indicate suspcious or malicious behavior.
+Detects the use of the insmod binary to load a Linux kernel object file. Threat actors can use this binary, given they have root privileges, to load a rootkit on a system providing them with complete control and the ability to hide from security products. Manually loading a kernel module in this manner should not be at all common and can indicate suspcious or malicious behavior.
 """
 from = "now-9m"
 index = ["logs-*"]
diff --git a/rules/linux/persistence_kde_autostart_modification.toml b/rules/linux/persistence_kde_autostart_modification.toml
index 23da8be4399..4dcabef117b 100644
--- a/rules/linux/persistence_kde_autostart_modification.toml
+++ b/rules/linux/persistence_kde_autostart_modification.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/01/06"
 maturity = "production"
-updated_date = "2022/07/26"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/linux/persistence_shell_activity_by_web_server.toml b/rules/linux/persistence_shell_activity_by_web_server.toml
index 6052c4d2de1..fce7628124f 100644
--- a/rules/linux/persistence_shell_activity_by_web_server.toml
+++ b/rules/linux/persistence_shell_activity_by_web_server.toml
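Review bot: The rewritten `description` line in persistence_insmod_kernel_module_load.toml still carries the typo `suspcious`; the commit touches this exact line (the rendering shows only a whitespace difference between the `-` and `+` versions), so correcting it to `suspicious` here avoids another `updated_date` bump for a one-word fix later. Everything else in the multi-line `description` string is unchanged.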
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/07/26"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml b/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml
index 0dfe418b076..bc2877b9b4a 100644
--- a/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml
+++ b/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/01/27"
 maturity = "production"
-updated_date = "2021/08/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/linux/privilege_escalation_pkexec_envar_hijack.toml b/rules/linux/privilege_escalation_pkexec_envar_hijack.toml
index 3c097c6f14f..5de7817defc 100644
--- a/rules/linux/privilege_escalation_pkexec_envar_hijack.toml
+++ b/rules/linux/privilege_escalation_pkexec_envar_hijack.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2022/01/26"
 maturity = "production"
-updated_date = "2022/02/28"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/credential_access_access_to_browser_credentials_procargs.toml b/rules/macos/credential_access_access_to_browser_credentials_procargs.toml
index 393a90ec6b1..66d17e006fe 100644
--- a/rules/macos/credential_access_access_to_browser_credentials_procargs.toml
+++ b/rules/macos/credential_access_access_to_browser_credentials_procargs.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/01/04"
 maturity = "production"
-updated_date = "2022/07/13"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/credential_access_credentials_keychains.toml b/rules/macos/credential_access_credentials_keychains.toml
index c3fc0ce3870..bab45c5cb5d 100644
--- a/rules/macos/credential_access_credentials_keychains.toml
+++ b/rules/macos/credential_access_credentials_keychains.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/08/14"
 maturity = "production"
-updated_date = "2022/07/13"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/credential_access_dumping_hashes_bi_cmds.toml b/rules/macos/credential_access_dumping_hashes_bi_cmds.toml
index a70a2b68d06..92c407862f9 100644
--- a/rules/macos/credential_access_dumping_hashes_bi_cmds.toml
+++ b/rules/macos/credential_access_dumping_hashes_bi_cmds.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/01/25"
 maturity = "production"
-updated_date = "2021/03/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/credential_access_dumping_keychain_security.toml b/rules/macos/credential_access_dumping_keychain_security.toml
index a44761bef50..e7ecc76a4ce 100644
--- a/rules/macos/credential_access_dumping_keychain_security.toml
+++ b/rules/macos/credential_access_dumping_keychain_security.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/01/04"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/credential_access_kerberosdump_kcc.toml b/rules/macos/credential_access_kerberosdump_kcc.toml
index a0795302230..3b8cb920f7c 100644
--- a/rules/macos/credential_access_kerberosdump_kcc.toml
+++ b/rules/macos/credential_access_kerberosdump_kcc.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/08/14"
 maturity = "production"
-updated_date = "2022/07/13"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml b/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml
index 0e5f6b7d045..d43dbdd2b5a 100644
--- a/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml
+++ b/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/01/06"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/credential_access_mitm_localhost_webproxy.toml b/rules/macos/credential_access_mitm_localhost_webproxy.toml
index 1793757b701..8460830c2ad 100644
--- a/rules/macos/credential_access_mitm_localhost_webproxy.toml
+++ b/rules/macos/credential_access_mitm_localhost_webproxy.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/01/05"
 maturity = "production"
-updated_date = "2021/03/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/credential_access_potential_ssh_bruteforce.toml b/rules/macos/credential_access_potential_ssh_bruteforce.toml
index c1dac360025..9878444781c 100644
--- a/rules/macos/credential_access_potential_ssh_bruteforce.toml
+++ b/rules/macos/credential_access_potential_ssh_bruteforce.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/16"
 maturity = "production"
-updated_date = "2021/03/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/credential_access_promt_for_pwd_via_osascript.toml b/rules/macos/credential_access_promt_for_pwd_via_osascript.toml
index bc2ee9eb7b6..fa6adab100b 100644
--- a/rules/macos/credential_access_promt_for_pwd_via_osascript.toml
+++ b/rules/macos/credential_access_promt_for_pwd_via_osascript.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/16"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/credential_access_systemkey_dumping.toml b/rules/macos/credential_access_systemkey_dumping.toml
index 9e54cf24e20..5c88932e63f 100644
--- a/rules/macos/credential_access_systemkey_dumping.toml
+++ b/rules/macos/credential_access_systemkey_dumping.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/01/07"
 maturity = "production"
-updated_date = "2022/03/27"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/defense_evasion_apple_softupdates_modification.toml b/rules/macos/defense_evasion_apple_softupdates_modification.toml
index 9d1d262aa39..ac74b9f849a 100644
--- a/rules/macos/defense_evasion_apple_softupdates_modification.toml
+++ b/rules/macos/defense_evasion_apple_softupdates_modification.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/01/15"
 maturity = "production"
-updated_date = "2021/03/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
@@ -25,7 +27,7 @@
 type = "query"
 query = '''
 event.category:process and event.type:(start or process_started) and
- process.name:defaults and
+ process.name:defaults and
 process.args:(write and "-bool" and (com.apple.SoftwareUpdate or /Library/Preferences/com.apple.SoftwareUpdate.plist) and not (TRUE or true))
 '''
diff --git a/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml b/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml
index 92d1bf9c0d0..e3ae4dd6b02 100644
--- a/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml
+++ b/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/08/14"
 maturity = "production"
-updated_date = "2022/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml b/rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml
index b5de04075bc..24fa9203815 100644
--- a/rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml
+++ b/rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/01/11"
 maturity = "production"
-updated_date = "2022/04/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
@@ -26,7 +28,7 @@
 timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.category:process and event.type:(start or process_started) and
+event.category:process and event.type:(start or process_started) and
 process.args:(spctl and "--master-disable")
 '''
diff --git a/rules/macos/defense_evasion_install_root_certificate.toml b/rules/macos/defense_evasion_install_root_certificate.toml
index 00a38318d1b..569e5615704 100644
--- a/rules/macos/defense_evasion_install_root_certificate.toml
+++ b/rules/macos/defense_evasion_install_root_certificate.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/01/13"
 maturity = "production"
-updated_date = "2022/07/15"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/defense_evasion_modify_environment_launchctl.toml b/rules/macos/defense_evasion_modify_environment_launchctl.toml
index 52ec9d8ba0c..7934ef6c560 100644
--- a/rules/macos/defense_evasion_modify_environment_launchctl.toml
+++ b/rules/macos/defense_evasion_modify_environment_launchctl.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/01/14"
 maturity = "production"
-updated_date = "2022/07/18"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml b/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml
index be7c8941271..1a283b58cc9 100644
--- a/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml
+++ b/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/12/23"
 maturity = "production"
-updated_date = "2022/07/18"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml b/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml
index 6c160808b27..b745b7d49b4 100644
--- a/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml
+++ b/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/01/11"
 maturity = "production"
-updated_date = "2022/04/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/defense_evasion_safari_config_change.toml b/rules/macos/defense_evasion_safari_config_change.toml
index 268fe3771b1..4d208175ca6 100644
--- a/rules/macos/defense_evasion_safari_config_change.toml
+++ b/rules/macos/defense_evasion_safari_config_change.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/01/14"
 maturity = "production"
-updated_date = "2021/03/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml b/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml
index 1bbc4c24e74..27bd40bb7aa 100644
--- a/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml
+++ b/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/01/11"
 maturity = "production"
-updated_date = "2022/07/18"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml b/rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml
index 45a66834f6a..0617a53186d 100644
--- a/rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml
+++ b/rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/01/04"
 maturity = "production"
-updated_date = "2022/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/defense_evasion_unload_endpointsecurity_kext.toml b/rules/macos/defense_evasion_unload_endpointsecurity_kext.toml
index e4ec4127798..64598d3578e 100644
--- a/rules/macos/defense_evasion_unload_endpointsecurity_kext.toml
+++ b/rules/macos/defense_evasion_unload_endpointsecurity_kext.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/01/05"
 maturity = "production"
-updated_date = "2022/21/07"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/discovery_users_domain_built_in_commands.toml b/rules/macos/discovery_users_domain_built_in_commands.toml
index 04002675711..fc629b1d0b2 100644
--- a/rules/macos/discovery_users_domain_built_in_commands.toml
+++ b/rules/macos/discovery_users_domain_built_in_commands.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/01/12"
 maturity = "production"
-updated_date = "2022/07/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml b/rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml
index cbff611403f..0ca015722bc 100644
--- a/rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml
+++ b/rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/01/07"
 maturity = "production"
-updated_date = "2021/03/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/execution_initial_access_suspicious_browser_childproc.toml b/rules/macos/execution_initial_access_suspicious_browser_childproc.toml
index f8e2a26f441..f4ac8cd900f 100644
--- a/rules/macos/execution_initial_access_suspicious_browser_childproc.toml
+++ b/rules/macos/execution_initial_access_suspicious_browser_childproc.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/12/23"
 maturity = "production"
-updated_date = "2022/08/12"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/execution_installer_package_spawned_network_event.toml b/rules/macos/execution_installer_package_spawned_network_event.toml
index 7bf3ccc4a79..5fab7a995ea 100644
--- a/rules/macos/execution_installer_package_spawned_network_event.toml
+++ b/rules/macos/execution_installer_package_spawned_network_event.toml
@@ -1,13 +1,15 @@
 [metadata]
 creation_date = "2021/02/23"
 maturity = "production"
-updated_date = "2022/08/17"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
 description = """
-Detects the execution of a MacOS installer package with an abnormal child process (e.g bash) followed immediately by a network connection via a suspicious process (e.g curl).
-Threat actors will build and distribute malicious MacOS installer packages, which have a .pkg extension, many times imitating valid software in order to persuade and infect their victims often using the package files (e.g pre/post install scripts etc.) to download additional tools or malicious software.
+Detects the execution of a MacOS installer package with an abnormal child process (e.g bash) followed immediately by a network connection via a suspicious process (e.g curl).
+Threat actors will build and distribute malicious MacOS installer packages, which have a .pkg extension, many times imitating valid software in order to persuade and infect their victims often using the package files (e.g pre/post install scripts etc.) to download additional tools or malicious software.
 If this rule fires it should indicate the installation of a malicious or suspicious package.
 """
 false_positives = [
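Review bot: The two description lines rewritten on the new side of this hunk still spell the platform "MacOS" and abbreviate "e.g" without a period, while the rule tags elsewhere in this diff use "macOS" (see the `tags` line in the finder-sync hunk further down). Since these lines are already being touched, the first could read `Detects the execution of a macOS installer package with an abnormal child process (e.g. bash) followed immediately by a network connection via a suspicious process (e.g. curl).` with the same two fixes applied to the second line. The `[rule]` table continues past the end of the hunk, so the rest of the rule is not visible here.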
@@ -34,8 +36,8 @@
 type = "eql"
 query = '''
 sequence by host.id, user.id with maxspan=30s
-[process where event.type == "start" and event.action == "exec" and process.parent.name : ("installer", "package_script_service") and process.name : ("bash", "sh", "zsh", "python", "osascript", "tclsh*")]
-[network where event.type == "start" and process.name : ("curl", "osascript", "wget", "python")]
+[process where event.type == "start" and event.action == "exec" and process.parent.name : ("installer", "package_script_service") and process.name : ("bash", "sh", "zsh", "python", "osascript", "tclsh*")]
+[network where event.type == "start" and process.name : ("curl", "osascript", "wget", "python")]
 '''
 [[rule.threat]]
diff --git a/rules/macos/execution_script_via_automator_workflows.toml b/rules/macos/execution_script_via_automator_workflows.toml
index 4636116f405..8bed1e85a53 100644
--- a/rules/macos/execution_script_via_automator_workflows.toml
+++ b/rules/macos/execution_script_via_automator_workflows.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/12/23"
 maturity = "production"
-updated_date = "2021/03/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml b/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml
index 64d39eea8a4..9d98ed40bff 100644
--- a/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml
+++ b/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/12/07"
 maturity = "production"
-updated_date = "2022/07/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/execution_shell_execution_via_apple_scripting.toml b/rules/macos/execution_shell_execution_via_apple_scripting.toml
index 67675757600..fcf05ceb13e 100644
--- a/rules/macos/execution_shell_execution_via_apple_scripting.toml
+++ b/rules/macos/execution_shell_execution_via_apple_scripting.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/12/07"
 maturity = "production"
-updated_date = "2021/06/22"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml b/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml
index d2fbc37c02d..6a624b12b94 100644
--- a/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml
+++ b/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/01/04"
 maturity = "production"
-updated_date = "2021/03/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
@@ -28,24 +30,24 @@
 process where event.type in ("start", "process_started") and
 process.parent.name:("Microsoft Word", "Microsoft PowerPoint", "Microsoft Excel") and
 process.name: (
- "bash",
- "dash",
- "sh",
- "tcsh",
- "csh",
- "zsh",
- "ksh",
- "fish",
- "python*",
- "perl*",
- "php*",
+ "bash",
+ "dash",
+ "sh",
+ "tcsh",
+ "csh",
+ "zsh",
+ "ksh",
+ "fish",
+ "python*",
+ "perl*",
+ "php*",
 "osascript",
- "pwsh",
- "curl",
- "wget",
- "cp",
- "mv",
- "base64",
+ "pwsh",
+ "curl",
+ "wget",
+ "cp",
+ "mv",
+ "base64",
 "launchctl"
 ) and
 /* noisy false positives related to product version discovery and office errors reporting */
diff --git a/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml b/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml
index dcc836e81ac..503439edcea 100644
--- a/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml
+++ b/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/01/12"
 maturity = "production"
-updated_date = "2021/03/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
@@ -23,7 +25,7 @@
 timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.category:process and event.type:start and
+event.category:process and event.type:start and
 process.args:("-action" and ("-kerberoast" or askhash or asktgs or asktgt or s4u or ("-ticket" and ptt) or (dump and (tickets or keytab))))
 '''
diff --git a/rules/macos/lateral_movement_mounting_smb_share.toml b/rules/macos/lateral_movement_mounting_smb_share.toml
index 34691b1a2cc..6c38458ae9d 100644
--- a/rules/macos/lateral_movement_mounting_smb_share.toml
+++ b/rules/macos/lateral_movement_mounting_smb_share.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/01/25"
 maturity = "production"
-updated_date = "2022/07/22"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/lateral_movement_remote_ssh_login_enabled.toml b/rules/macos/lateral_movement_remote_ssh_login_enabled.toml
index bc970d23102..ab28fd91f81 100644
--- a/rules/macos/lateral_movement_remote_ssh_login_enabled.toml
+++ b/rules/macos/lateral_movement_remote_ssh_login_enabled.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
-updated_date = "2022/07/22"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/lateral_movement_vpn_connection_attempt.toml b/rules/macos/lateral_movement_vpn_connection_attempt.toml
index 69f97ef01c2..df6136f0fa9 100644
--- a/rules/macos/lateral_movement_vpn_connection_attempt.toml
+++ b/rules/macos/lateral_movement_vpn_connection_attempt.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/01/25"
 maturity = "production"
-updated_date = "2022/07/22"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/persistence_account_creation_hide_at_logon.toml b/rules/macos/persistence_account_creation_hide_at_logon.toml
index 31cc60b977c..3a593cb808e 100644
--- a/rules/macos/persistence_account_creation_hide_at_logon.toml
+++ b/rules/macos/persistence_account_creation_hide_at_logon.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/01/05"
 maturity = "production"
-updated_date = "2021/03/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/persistence_creation_change_launch_agents_file.toml b/rules/macos/persistence_creation_change_launch_agents_file.toml
index f67eea22750..8134e47db57 100644
--- a/rules/macos/persistence_creation_change_launch_agents_file.toml
+++ b/rules/macos/persistence_creation_change_launch_agents_file.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/12/07"
 maturity = "production"
-updated_date = "2021/03/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
@@ -26,7 +28,7 @@
 type = "eql"
 query = '''
 sequence by host.id with maxspan=1m
- [file where event.type != "deletion" and
+ [file where event.type != "deletion" and
 file.path : ("/System/Library/LaunchAgents/*", "/Library/LaunchAgents/*", "/Users/*/Library/LaunchAgents/*")
 ]
 [process where event.type in ("start", "process_started") and process.name == "launchctl" and process.args == "load"]
diff --git a/rules/macos/persistence_creation_hidden_login_item_osascript.toml b/rules/macos/persistence_creation_hidden_login_item_osascript.toml
index 01451501a48..497a15c41ec 100644
--- a/rules/macos/persistence_creation_hidden_login_item_osascript.toml
+++ b/rules/macos/persistence_creation_hidden_login_item_osascript.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/01/05"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/persistence_creation_modif_launch_deamon_sequence.toml b/rules/macos/persistence_creation_modif_launch_deamon_sequence.toml
index 41a6f1d5160..9438a63137c 100644
--- a/rules/macos/persistence_creation_modif_launch_deamon_sequence.toml
+++ b/rules/macos/persistence_creation_modif_launch_deamon_sequence.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/12/07"
 maturity = "production"
-updated_date = "2022/07/22"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/persistence_credential_access_authorization_plugin_creation.toml b/rules/macos/persistence_credential_access_authorization_plugin_creation.toml
index 35a10afd866..dd18874a93f 100644
--- a/rules/macos/persistence_credential_access_authorization_plugin_creation.toml
+++ b/rules/macos/persistence_credential_access_authorization_plugin_creation.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/01/13"
 maturity = "production"
-updated_date = "2022/07/22"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/persistence_crontab_creation.toml b/rules/macos/persistence_crontab_creation.toml
index 4387eeb9149..e9bbfc947f7 100644
--- a/rules/macos/persistence_crontab_creation.toml
+++ b/rules/macos/persistence_crontab_creation.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2022/04/25"
 maturity = "production"
-updated_date = "2022/04/25"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
@@ -26,7 +28,7 @@
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-file where event.type != "deletion" and process.name != null and
+file where event.type != "deletion" and process.name != null and
 file.path : "/private/var/at/tabs/*" and not process.executable == "/usr/bin/crontab"
 '''
diff --git a/rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml b/rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml
index fce77f91fae..f534a13971c 100644
--- a/rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml
+++ b/rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/01/07"
 maturity = "production"
-updated_date = "2021/03/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/persistence_directory_services_plugins_modification.toml b/rules/macos/persistence_directory_services_plugins_modification.toml
index 49714ab2cea..75832127aa0 100644
--- a/rules/macos/persistence_directory_services_plugins_modification.toml
+++ b/rules/macos/persistence_directory_services_plugins_modification.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/01/13"
 maturity = "production"
-updated_date = "2022/07/25"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/persistence_docker_shortcuts_plist_modification.toml b/rules/macos/persistence_docker_shortcuts_plist_modification.toml
index e46352a3c60..62a1136e60e 100644
--- a/rules/macos/persistence_docker_shortcuts_plist_modification.toml
+++ b/rules/macos/persistence_docker_shortcuts_plist_modification.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/12/18"
 maturity = "production"
-updated_date = "2021/08/25"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
@@ -27,8 +29,8 @@
 timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.category : file and event.action : modification and
- file.path : /Users/*/Library/Preferences/com.apple.dock.plist and
+event.category : file and event.action : modification and
+ file.path : /Users/*/Library/Preferences/com.apple.dock.plist and
 not process.name : (xpcproxy or cfprefsd or plutil or jamf or PlistBuddy or InstallerRemotePluginService)
 '''
diff --git a/rules/macos/persistence_emond_rules_file_creation.toml b/rules/macos/persistence_emond_rules_file_creation.toml
index 48fcbcafd78..65dc9008dcf 100644
--- a/rules/macos/persistence_emond_rules_file_creation.toml
+++ b/rules/macos/persistence_emond_rules_file_creation.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/01/11"
 maturity = "production"
-updated_date = "2022/05/16"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/persistence_emond_rules_process_execution.toml b/rules/macos/persistence_emond_rules_process_execution.toml
index 1246a62c090..fde1d0b5a55 100644
--- a/rules/macos/persistence_emond_rules_process_execution.toml
+++ b/rules/macos/persistence_emond_rules_process_execution.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/01/11"
 maturity = "production"
-updated_date = "2021/03/08"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/persistence_enable_root_account.toml b/rules/macos/persistence_enable_root_account.toml
index f760c40ac62..48fee93aa6f 100644
--- a/rules/macos/persistence_enable_root_account.toml
+++ b/rules/macos/persistence_enable_root_account.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/01/04"
 maturity = "production"
-updated_date = "2021/03/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml b/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml
index 0de21067d44..9e731724fd4 100644
--- a/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml
+++ b/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/01/05"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/persistence_finder_sync_plugin_pluginkit.toml b/rules/macos/persistence_finder_sync_plugin_pluginkit.toml
index 967ae50d80a..6e9215e789d 100644
--- a/rules/macos/persistence_finder_sync_plugin_pluginkit.toml
+++ b/rules/macos/persistence_finder_sync_plugin_pluginkit.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/12/18"
 maturity = "production"
-updated_date = "2022/08/15"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
@@ -24,6 +26,7 @@
 risk_score = 47
 rule_id = "37f638ea-909d-4f94-9248-edd21e4a9906"
 severity = "medium"
 tags = ["Elastic", "Host", "macOS", "Threat Detection", "Persistence"]
+timestamp_override = "event.ingested"
 type = "eql"
 query = '''
diff --git a/rules/macos/persistence_folder_action_scripts_runtime.toml b/rules/macos/persistence_folder_action_scripts_runtime.toml
index 3e5bfd31f64..3a6f8376082 100644
--- a/rules/macos/persistence_folder_action_scripts_runtime.toml
+++ b/rules/macos/persistence_folder_action_scripts_runtime.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/12/07"
 maturity = "production"
-updated_date = "2022/07/26"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/persistence_login_logout_hooks_defaults.toml b/rules/macos/persistence_login_logout_hooks_defaults.toml
index 38b4b1d168b..791796d5605 100644
--- a/rules/macos/persistence_login_logout_hooks_defaults.toml
+++ b/rules/macos/persistence_login_logout_hooks_defaults.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/12/07"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/persistence_loginwindow_plist_modification.toml b/rules/macos/persistence_loginwindow_plist_modification.toml
index 31e1f9d45f4..ad3afc98310 100644
--- a/rules/macos/persistence_loginwindow_plist_modification.toml
+++ b/rules/macos/persistence_loginwindow_plist_modification.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/01/21"
 maturity = "production"
-updated_date = "2022/07/26"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml b/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml
index 1b1b59ae5cb..4525ed5a680 100644
--- a/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml
+++ b/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/12/23"
 maturity = "production"
-updated_date = "2022/07/26"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/persistence_periodic_tasks_file_mdofiy.toml b/rules/macos/persistence_periodic_tasks_file_mdofiy.toml
index 70f528ef7a7..5fbac202ad2 100644
--- a/rules/macos/persistence_periodic_tasks_file_mdofiy.toml
+++ b/rules/macos/persistence_periodic_tasks_file_mdofiy.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/01/21"
 maturity = "production"
-updated_date = "2021/03/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/persistence_screensaver_engine_unexpected_child_process.toml b/rules/macos/persistence_screensaver_engine_unexpected_child_process.toml
index 99009173a77..7941b93cd37 100644
--- a/rules/macos/persistence_screensaver_engine_unexpected_child_process.toml
+++ b/rules/macos/persistence_screensaver_engine_unexpected_child_process.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/10/05"
 maturity = "production"
-updated_date = "2022/07/27"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/persistence_screensaver_plist_file_modification.toml b/rules/macos/persistence_screensaver_plist_file_modification.toml
index 995245bb50e..edcbaabc121 100644
--- a/rules/macos/persistence_screensaver_plist_file_modification.toml
+++ b/rules/macos/persistence_screensaver_plist_file_modification.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/10/05"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/persistence_suspicious_calendar_modification.toml b/rules/macos/persistence_suspicious_calendar_modification.toml
index eac455d9fbb..64fe1a33c46 100644
--- a/rules/macos/persistence_suspicious_calendar_modification.toml
+++ b/rules/macos/persistence_suspicious_calendar_modification.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/01/19"
 maturity = "production"
-updated_date = "2022/07/27"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/persistence_via_atom_init_file_modification.toml b/rules/macos/persistence_via_atom_init_file_modification.toml
index 75a41d02c3d..4a5f09ff16a 100644
--- a/rules/macos/persistence_via_atom_init_file_modification.toml
+++ b/rules/macos/persistence_via_atom_init_file_modification.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/01/21"
 maturity = "production"
-updated_date = "2022/07/18"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/privilege_escalation_applescript_with_admin_privs.toml b/rules/macos/privilege_escalation_applescript_with_admin_privs.toml
index 537ec8cdc1c..8e2c38d1710 100644
--- a/rules/macos/privilege_escalation_applescript_with_admin_privs.toml
+++ b/rules/macos/privilege_escalation_applescript_with_admin_privs.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/12/27"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/privilege_escalation_explicit_creds_via_scripting.toml b/rules/macos/privilege_escalation_explicit_creds_via_scripting.toml
index 5fe38cdc197..042ba1e17b2 100644
--- a/rules/macos/privilege_escalation_explicit_creds_via_scripting.toml
+++ b/rules/macos/privilege_escalation_explicit_creds_via_scripting.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/12/07"
 maturity = "production"
-updated_date = "2022/07/27"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml b/rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml
index f734d500b9f..d4013e65c0e 100644
--- a/rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml
+++ b/rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/01/19"
 maturity = "production"
-updated_date = "2022/07/27"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/privilege_escalation_local_user_added_to_admin.toml b/rules/macos/privilege_escalation_local_user_added_to_admin.toml
index 0f5514d0b0b..d4d570f6777 100644
--- a/rules/macos/privilege_escalation_local_user_added_to_admin.toml
+++ b/rules/macos/privilege_escalation_local_user_added_to_admin.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/01/05"
 maturity = "production"
-updated_date = "2021/03/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/privilege_escalation_root_crontab_filemod.toml b/rules/macos/privilege_escalation_root_crontab_filemod.toml
index 759156414c7..6e01d7d74b8 100644
--- a/rules/macos/privilege_escalation_root_crontab_filemod.toml
+++ b/rules/macos/privilege_escalation_root_crontab_filemod.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/01/27"
 maturity = "production"
-updated_date = "2021/03/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml b/rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml
index 0def13bb6b1..0ed8ae13027 100644
--- a/rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml
+++ b/rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2022/07/18"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 anomaly_threshold = 50
diff --git a/rules/ml/command_and_control_ml_packetbeat_rare_dns_question.toml b/rules/ml/command_and_control_ml_packetbeat_rare_dns_question.toml
index 1b86ce26e4e..9dc4d369e4a 100644
--- a/rules/ml/command_and_control_ml_packetbeat_rare_dns_question.toml
+++ b/rules/ml/command_and_control_ml_packetbeat_rare_dns_question.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2022/07/18"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 anomaly_threshold = 50
diff --git a/rules/ml/command_and_control_ml_packetbeat_rare_urls.toml b/rules/ml/command_and_control_ml_packetbeat_rare_urls.toml
index 3887f8ce041..1465e49749d 100644
--- a/rules/ml/command_and_control_ml_packetbeat_rare_urls.toml
+++ b/rules/ml/command_and_control_ml_packetbeat_rare_urls.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2022/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 anomaly_threshold = 50
diff --git a/rules/ml/command_and_control_ml_packetbeat_rare_user_agent.toml b/rules/ml/command_and_control_ml_packetbeat_rare_user_agent.toml
index 58f246dd2f7..536118465b1 100644
--- a/rules/ml/command_and_control_ml_packetbeat_rare_user_agent.toml
+++ b/rules/ml/command_and_control_ml_packetbeat_rare_user_agent.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2022/07/18"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 anomaly_threshold = 50
diff --git a/rules/ml/credential_access_ml_auth_spike_in_failed_logon_events.toml b/rules/ml/credential_access_ml_auth_spike_in_failed_logon_events.toml
index 764dfe22640..49e4b61c2f9 100644
--- a/rules/ml/credential_access_ml_auth_spike_in_failed_logon_events.toml
+++ b/rules/ml/credential_access_ml_auth_spike_in_failed_logon_events.toml
@@ -1,9 +1,9 @@
 [metadata]
 creation_date = "2021/06/10"
 maturity = "production"
-updated_date = "2022/07/18"
-min_stack_comments = "ML job introduced in 7.14"
-min_stack_version = "7.14.0"
+updated_date = "2022/08/24"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 
 [rule]
 anomaly_threshold = 75
diff --git a/rules/ml/credential_access_ml_auth_spike_in_logon_events.toml b/rules/ml/credential_access_ml_auth_spike_in_logon_events.toml
index 3faf81a1510..2414cfe0729 100644
--- a/rules/ml/credential_access_ml_auth_spike_in_logon_events.toml
+++ b/rules/ml/credential_access_ml_auth_spike_in_logon_events.toml
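Review bot: The rewritten `min_stack_comments` in credential_access_ml_auth_spike_in_failed_logon_events.toml drops the previous justification (`ML job introduced in 7.14`) instead of extending it, so the comment now records only the schema reason for the version floor and a future reader cannot tell that the ML job imposes a floor of its own. The same replacement happens in the ML rules on lines 124–130, 133 and 138–140, where `Supports latest version of ML job introduced in 8.3` is removed while `min_stack_version` stays at 8.3.0, which is the case where the lost reason still matters: if the schema constraint is ever relaxed, nothing in the file says the floor must remain 8.3.0 for the job. Suggest keeping both reasons in one string, e.g. `min_stack_comments = "New fields added: required_fields, related_integrations, setup; supports latest version of ML job introduced in 8.3"`, and for the 7.14 auth rules a matching note that the job itself needs 7.14.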
@@ -1,9 +1,9 @@
 [metadata]
 creation_date = "2021/06/10"
 maturity = "production"
-updated_date = "2022/07/18"
-min_stack_comments = "ML job introduced in 7.14"
-min_stack_version = "7.14.0"
+updated_date = "2022/08/24"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 
 [rule]
 anomaly_threshold = 75
diff --git a/rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml b/rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml
index 5424191afdc..8fb0d2ea796 100644
--- a/rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml
+++ b/rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml
@@ -1,9 +1,9 @@
 [metadata]
 creation_date = "2021/06/10"
 maturity = "production"
-updated_date = "2022/07/18"
-min_stack_comments = "ML job introduced in 7.14"
-min_stack_version = "7.14.0"
+updated_date = "2022/08/24"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 
 [rule]
 anomaly_threshold = 75
diff --git a/rules/ml/credential_access_ml_linux_anomalous_metadata_process.toml b/rules/ml/credential_access_ml_linux_anomalous_metadata_process.toml
index 216b8c5ec98..9576661e24c 100644
--- a/rules/ml/credential_access_ml_linux_anomalous_metadata_process.toml
+++ b/rules/ml/credential_access_ml_linux_anomalous_metadata_process.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
-updated_date = "2022/07/17"
-min_stack_comments = "Supports latest version of ML job introduced in 8.3"
+updated_date = "2022/08/24"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
 [rule]
diff --git a/rules/ml/credential_access_ml_linux_anomalous_metadata_user.toml b/rules/ml/credential_access_ml_linux_anomalous_metadata_user.toml
index edce166ce68..7f024209c91 100644
--- a/rules/ml/credential_access_ml_linux_anomalous_metadata_user.toml
+++ b/rules/ml/credential_access_ml_linux_anomalous_metadata_user.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
-updated_date = "2022/07/17"
-min_stack_comments = "Supports latest version of ML job introduced in 8.3"
+updated_date = "2022/08/24"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
 [rule]
diff --git a/rules/ml/credential_access_ml_suspicious_login_activity.toml b/rules/ml/credential_access_ml_suspicious_login_activity.toml
index 79e9b9ddb7d..d9e2c5d60ca 100644
--- a/rules/ml/credential_access_ml_suspicious_login_activity.toml
+++ b/rules/ml/credential_access_ml_suspicious_login_activity.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2022/07/18"
-min_stack_comments = "Supports latest version of ML job introduced in 8.3"
+updated_date = "2022/08/24"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
 [rule]
diff --git a/rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml b/rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml
index 620a546d385..2dc000a2b23 100644
--- a/rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml
+++ b/rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
-updated_date = "2022/07/18"
-min_stack_comments = "Supports latest version of ML job introduced in 8.3"
+updated_date = "2022/08/24"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
 [rule]
diff --git a/rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml b/rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml
index 47c7da06ecf..9982d28527b 100644
--- a/rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml
+++ b/rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
-updated_date = "2022/07/18"
-min_stack_comments = "Supports latest version of ML job introduced in 8.3"
+updated_date = "2022/08/24"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
 [rule]
diff --git a/rules/ml/discovery_ml_linux_system_information_discovery.toml b/rules/ml/discovery_ml_linux_system_information_discovery.toml
index eb7bc7b278d..dd92ad04606 100644
--- a/rules/ml/discovery_ml_linux_system_information_discovery.toml
+++ b/rules/ml/discovery_ml_linux_system_information_discovery.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/09/03"
 maturity = "production"
-updated_date = "2022/07/20"
-min_stack_comments = "Supports latest version of ML job introduced in 8.3"
+updated_date = "2022/08/24"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
 [rule]
diff --git a/rules/ml/discovery_ml_linux_system_network_configuration_discovery.toml b/rules/ml/discovery_ml_linux_system_network_configuration_discovery.toml
index db5319f19b2..21021f95fd6 100644
--- a/rules/ml/discovery_ml_linux_system_network_configuration_discovery.toml
+++ b/rules/ml/discovery_ml_linux_system_network_configuration_discovery.toml
@@ -1,9 +1,9 @@
 [metadata]
 creation_date = "2020/09/03"
 maturity = "production"
-min_stack_comments = "Supports latest version of ML job introduced in 8.3"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/20"
+updated_date = "2022/08/24"
 
 [rule]
 anomaly_threshold = 25
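Review bot: Key order inside `[metadata]` is left inconsistent across the sweep: the last hunk on this line (discovery_ml_linux_system_network_configuration_discovery.toml) keeps `min_stack_comments`, `min_stack_version`, `updated_date` in alphabetical order, as do the hunks that add the two keys fresh on lines 117–122, whereas the other two hunks on this line and those on lines 123–125 and 127–130 keep `updated_date` ahead of the `min_stack_*` pair. With the same three keys now present in every file, one fixed order keeps future metadata diffs uniform and easy to scan. Suggest normalising to the alphabetical form by moving `updated_date = "2022/08/24"` below `min_stack_version = "8.3.0"` in the hunks that rewrite existing keys, unless the repository's rule-formatting tooling already dictates an order, which is not visible from this chunk.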
diff --git a/rules/ml/discovery_ml_linux_system_network_connection_discovery.toml b/rules/ml/discovery_ml_linux_system_network_connection_discovery.toml
index a57b9416638..5d518840f84 100644
--- a/rules/ml/discovery_ml_linux_system_network_connection_discovery.toml
+++ b/rules/ml/discovery_ml_linux_system_network_connection_discovery.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/09/03"
 maturity = "production"
-updated_date = "2022/07/20"
-min_stack_comments = "Supports latest version of ML job introduced in 8.3"
+updated_date = "2022/08/24"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
 [rule]
diff --git a/rules/ml/discovery_ml_linux_system_process_discovery.toml b/rules/ml/discovery_ml_linux_system_process_discovery.toml
index add207132de..31efb14ceb9 100644
--- a/rules/ml/discovery_ml_linux_system_process_discovery.toml
+++ b/rules/ml/discovery_ml_linux_system_process_discovery.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/09/03"
 maturity = "production"
-updated_date = "2022/07/20"
-min_stack_comments = "Supports latest version of ML job introduced in 8.3"
+updated_date = "2022/08/24"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
 [rule]
diff --git a/rules/ml/discovery_ml_linux_system_user_discovery.toml b/rules/ml/discovery_ml_linux_system_user_discovery.toml
index 70f1708f484..b6d8ac10b26 100644
--- a/rules/ml/discovery_ml_linux_system_user_discovery.toml
+++ b/rules/ml/discovery_ml_linux_system_user_discovery.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/09/03"
 maturity = "production"
-updated_date = "2022/07/20"
-min_stack_comments = "Supports latest version of ML job introduced in 8.3"
+updated_date = "2022/08/24"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
 [rule]
diff --git a/rules/ml/execution_ml_windows_anomalous_script.toml b/rules/ml/execution_ml_windows_anomalous_script.toml
index b627f8d31e0..589f986e4b4 100644
--- a/rules/ml/execution_ml_windows_anomalous_script.toml
+++ b/rules/ml/execution_ml_windows_anomalous_script.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2022/07/20"
-min_stack_comments = "Supports latest version of ML job introduced in 8.3"
+updated_date = "2022/08/24"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
 [rule]
diff --git a/rules/ml/initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml b/rules/ml/initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml
index 503a63f707f..d7d8cc71c66 100644
--- a/rules/ml/initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml
+++ b/rules/ml/initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml
@@ -1,9 +1,9 @@
 [metadata]
 creation_date = "2021/06/10"
 maturity = "production"
-updated_date = "2022/07/18"
-min_stack_comments = "ML job introduced in 7.14"
-min_stack_version = "7.14.0"
+updated_date = "2022/08/24"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 
 [rule]
 anomaly_threshold = 75
diff --git a/rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml b/rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml
index 1e92cca5dff..bdd5ae20680 100644
--- a/rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml
+++ b/rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml
@@ -1,9 +1,9 @@
 [metadata]
 creation_date = "2021/06/10"
 maturity = "production"
-updated_date = "2022/07/18"
-min_stack_comments = "ML job introduced in 7.14"
-min_stack_version = "7.14.0"
+updated_date = "2022/08/24"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 
 [rule]
 anomaly_threshold = 75
diff --git a/rules/ml/initial_access_ml_auth_rare_user_logon.toml b/rules/ml/initial_access_ml_auth_rare_user_logon.toml
index 557e7771369..102d6bdb5b5 100644
--- a/rules/ml/initial_access_ml_auth_rare_user_logon.toml
+++ b/rules/ml/initial_access_ml_auth_rare_user_logon.toml
@@ -1,9 +1,9 @@
 [metadata]
 creation_date = "2021/06/10"
 maturity = "production"
-updated_date = "2022/07/18"
-min_stack_comments = "ML job introduced in 7.14"
-min_stack_version = "7.14.0"
+updated_date = "2022/08/24"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 
 [rule]
 anomaly_threshold = 75
diff --git a/rules/ml/initial_access_ml_linux_anomalous_user_name.toml b/rules/ml/initial_access_ml_linux_anomalous_user_name.toml
index 8c4fdc43ad8..ccb7eb4490f 100644
--- a/rules/ml/initial_access_ml_linux_anomalous_user_name.toml
+++ b/rules/ml/initial_access_ml_linux_anomalous_user_name.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2022/07/18"
-min_stack_comments = "Supports latest version of ML job introduced in 8.3"
+updated_date = "2022/08/24"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
 [rule]
diff --git a/rules/ml/initial_access_ml_windows_anomalous_user_name.toml b/rules/ml/initial_access_ml_windows_anomalous_user_name.toml
index c24b0177ff0..1af67351a2d 100644
--- a/rules/ml/initial_access_ml_windows_anomalous_user_name.toml
+++ b/rules/ml/initial_access_ml_windows_anomalous_user_name.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2022/07/18"
-min_stack_comments = "Supports latest version of ML job introduced in 8.3"
+updated_date = "2022/08/24"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
 [rule]
diff --git a/rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml b/rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml
index c3dfcec90f2..5d1801beab9 100644
--- a/rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml
+++ b/rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2022/07/18"
-min_stack_comments = "Supports latest version of ML job introduced in 8.3"
+updated_date = "2022/08/24"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
 [rule]
diff --git a/rules/ml/ml_high_count_network_denies.toml b/rules/ml/ml_high_count_network_denies.toml
index ea7f00a4f72..ec4f84ddbeb 100644
--- a/rules/ml/ml_high_count_network_denies.toml
+++ b/rules/ml/ml_high_count_network_denies.toml
@@ -1,18 +1,20 @@ [metadata] creation_date = "2021/04/05" maturity = "production" -updated_date = "2021/06/15" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2022/08/24" [rule] anomaly_threshold = 75 author = ["Elastic"] description = """ -A machine learning job detected an unusually large spike in network traffic that was +A machine learning job detected an unusually large spike in network traffic that was denied by network access control lists (ACLs) or firewall rules. Such a burst of denied traffic is usually caused by -either 1) a mis-configured application or firewall or 2) suspicious or malicious activity. -Unsuccessful attempts at network transit, in order to connect to command-and-control (C2), -or engage in data exfiltration, may produce a burst of failed connections. This could also -be due to unusually large amounts of reconnaissance or enumeration traffic. Denial-of-service +either 1) a mis-configured application or firewall or 2) suspicious or malicious activity. +Unsuccessful attempts at network transit, in order to connect to command-and-control (C2), +or engage in data exfiltration, may produce a burst of failed connections. This could also +be due to unusually large amounts of reconnaissance or enumeration traffic. Denial-of-service attacks or traffic floods may also produce such a surge in traffic. """ false_positives = [ diff --git a/rules/ml/ml_high_count_network_events.toml b/rules/ml/ml_high_count_network_events.toml index 38cb5ab7f8a..39a4fc12e21 100644 --- a/rules/ml/ml_high_count_network_events.toml +++ b/rules/ml/ml_high_count_network_events.toml 
@@ -1,21 +1,23 @@ [metadata] creation_date = "2021/04/05" maturity = "production" -updated_date = "2021/08/14" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2022/08/24" [rule] anomaly_threshold = 75 author = ["Elastic"] description = """ -A machine learning job detected an unusually large spike in network traffic. Such a burst of traffic, -if not caused by a surge in business activity, can be due to suspicious or malicious activity. -Large-scale data exfiltration may produce a burst of network traffic; this could also be due to unusually -large amounts of reconnaissance or enumeration traffic. Denial-of-service attacks or traffic floods may +A machine learning job detected an unusually large spike in network traffic. Such a burst of traffic, +if not caused by a surge in business activity, can be due to suspicious or malicious activity. +Large-scale data exfiltration may produce a burst of network traffic; this could also be due to unusually +large amounts of reconnaissance or enumeration traffic. Denial-of-service attacks or traffic floods may also produce such a surge in traffic. """ false_positives = [ """ - Business workflows that occur very occasionally, and involve an unusual surge in network traffic, + Business workflows that occur very occasionally, and involve an unusual surge in network traffic, can trigger this alert. A new business workflow or a surge in business activity may trigger this alert. A misconfigured network application or firewall may trigger this alert. """, diff --git a/rules/ml/ml_linux_anomalous_network_activity.toml b/rules/ml/ml_linux_anomalous_network_activity.toml index 1718ac48522..1740f13f7d4 100644 --- a/rules/ml/ml_linux_anomalous_network_activity.toml +++ b/rules/ml/ml_linux_anomalous_network_activity.toml 
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2022/05/12"
-min_stack_comments = "Supports latest version of ML job introduced in 8.3"
+updated_date = "2022/08/24"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
 [rule]
diff --git a/rules/ml/ml_linux_anomalous_network_port_activity.toml b/rules/ml/ml_linux_anomalous_network_port_activity.toml
index 13f4ec42de5..216d2f90c2c 100644
--- a/rules/ml/ml_linux_anomalous_network_port_activity.toml
+++ b/rules/ml/ml_linux_anomalous_network_port_activity.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2022/05/12"
-min_stack_comments = "Supports latest version of ML job introduced in 8.3"
+updated_date = "2022/08/24"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
 [rule]
diff --git a/rules/ml/ml_packetbeat_rare_server_domain.toml b/rules/ml/ml_packetbeat_rare_server_domain.toml
index 3ff8f3b6529..27e76f3cef9 100644
--- a/rules/ml/ml_packetbeat_rare_server_domain.toml
+++ b/rules/ml/ml_packetbeat_rare_server_domain.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2021/03/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 anomaly_threshold = 50
diff --git a/rules/ml/ml_rare_destination_country.toml b/rules/ml/ml_rare_destination_country.toml
index 59c7a9ebb41..a6e07c81008 100644
--- a/rules/ml/ml_rare_destination_country.toml
+++ b/rules/ml/ml_rare_destination_country.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/04/05"
 maturity = "production"
-updated_date = "2021/06/15"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 anomaly_threshold = 75
@@ -9,20 +11,20 @@ author = ["Elastic"] description = """ A machine learning job detected a rare destination country name in the network logs. This can be due to initial access, persistence, command-and-control, or exfiltration activity. -For example, when a user clicks on a link in a phishing email or opens a malicious document, -a request may be sent to download and run a payload from a server in a country which does not -normally appear in network traffic or business work-flows. Malware instances and persistence -mechanisms may communicate with command-and-control (C2) infrastructure in their country of origin, -which may be an unusual destination country for the source network. +For example, when a user clicks on a link in a phishing email or opens a malicious document, +a request may be sent to download and run a payload from a server in a country which does not +normally appear in network traffic or business work-flows. Malware instances and persistence +mechanisms may communicate with command-and-control (C2) infrastructure in their country of origin, +which may be an unusual destination country for the source network. """ false_positives = [ """ - Business workflows that occur very occasionally, and involve a business relationship with an + Business workflows that occur very occasionally, and involve a business relationship with an organization in a country that does not routinely appear in network events, can trigger this alert. - A new business workflow with an organization in a country with which no workflows previously - existed may trigger this alert - although the model will learn that the new destination country - is no longer anomalous as the activity becomes ongoing. Business travelers who roam to many - countries for brief periods may trigger this alert. 
+ A new business workflow with an organization in a country with which no workflows previously + existed may trigger this alert - although the model will learn that the new destination country + is no longer anomalous as the activity becomes ongoing. Business travelers who roam to many + countries for brief periods may trigger this alert. """, ] from = "now-30m" diff --git a/rules/ml/ml_spike_in_traffic_to_a_country.toml b/rules/ml/ml_spike_in_traffic_to_a_country.toml index 02b2266bbcb..711353d5bed 100644 --- a/rules/ml/ml_spike_in_traffic_to_a_country.toml +++ b/rules/ml/ml_spike_in_traffic_to_a_country.toml 
@@ -1,25 +1,27 @@ [metadata] creation_date = "2021/04/05" maturity = "production" -updated_date = "2021/06/15" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2022/08/24" [rule] anomaly_threshold = 75 author = ["Elastic"] description = """ -A machine learning job detected an unusually large spike in network activity to one -destination country in the network logs. This could be due to unusually large amounts -of reconnaissance or enumeration traffic. Data exfiltration activity may also produce -such a surge in traffic to a destination country which does not normally appear in network -traffic or business work-flows. Malware instances and persistence mechanisms may communicate -with command-and-control (C2) infrastructure in their country of origin, which may be an +A machine learning job detected an unusually large spike in network activity to one +destination country in the network logs. This could be due to unusually large amounts +of reconnaissance or enumeration traffic. Data exfiltration activity may also produce +such a surge in traffic to a destination country which does not normally appear in network +traffic or business work-flows. Malware instances and persistence mechanisms may communicate +with command-and-control (C2) infrastructure in their country of origin, which may be an unusual destination country for the source network. """ false_positives = [ """ - Business workflows that occur very occasionally, and involve an unusual surge in network traffic - to one destination country, can trigger this alert. A new business workflow or a surge in business - activity in a particular country may trigger this alert. Business travelers who roam to many + Business workflows that occur very occasionally, and involve an unusual surge in network traffic + to one destination country, can trigger this alert. 
A new business workflow or a surge in business + activity in a particular country may trigger this alert. Business travelers who roam to many countries for brief periods may trigger this alert if they engage in volumetric network activity. """, ] diff --git a/rules/ml/ml_windows_anomalous_network_activity.toml b/rules/ml/ml_windows_anomalous_network_activity.toml index 7d25b013dd2..430ebdb0911 100644 --- a/rules/ml/ml_windows_anomalous_network_activity.toml +++ b/rules/ml/ml_windows_anomalous_network_activity.toml @@ -1,8 +1,8 @@ [metadata] creation_date = "2020/03/25" maturity = "production" -updated_date = "2022/05/12" -min_stack_comments = "Supports latest version of ML job introduced in 8.3" +updated_date = "2022/08/24" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" [rule] diff --git a/rules/ml/persistence_ml_linux_anomalous_process_all_hosts.toml b/rules/ml/persistence_ml_linux_anomalous_process_all_hosts.toml index 3d3087f818f..2063a8e5a81 100644 --- a/rules/ml/persistence_ml_linux_anomalous_process_all_hosts.toml +++ b/rules/ml/persistence_ml_linux_anomalous_process_all_hosts.toml @@ -1,8 +1,8 @@ [metadata] creation_date = "2020/03/25" maturity = "production" -updated_date = "2022/07/20" -min_stack_comments = "Supports latest version of ML job introduced in 8.3" +updated_date = "2022/08/24" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" [rule] diff --git a/rules/ml/persistence_ml_rare_process_by_host_linux.toml b/rules/ml/persistence_ml_rare_process_by_host_linux.toml index 752dd900c8c..292ac6cf278 100644 --- a/rules/ml/persistence_ml_rare_process_by_host_linux.toml +++ b/rules/ml/persistence_ml_rare_process_by_host_linux.toml 
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2022/07/20"
-min_stack_comments = "Supports latest version of ML job introduced in 8.3"
+updated_date = "2022/08/24"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
 [rule]
diff --git a/rules/ml/persistence_ml_rare_process_by_host_windows.toml b/rules/ml/persistence_ml_rare_process_by_host_windows.toml
index 7fc189fede7..eb58bda47e2 100644
--- a/rules/ml/persistence_ml_rare_process_by_host_windows.toml
+++ b/rules/ml/persistence_ml_rare_process_by_host_windows.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2022/07/18"
-min_stack_comments = "Supports latest version of ML job introduced in 8.3"
+updated_date = "2022/08/24"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
 [rule]
diff --git a/rules/ml/persistence_ml_windows_anomalous_path_activity.toml b/rules/ml/persistence_ml_windows_anomalous_path_activity.toml
index 202bb085786..43a5dc8cf02 100644
--- a/rules/ml/persistence_ml_windows_anomalous_path_activity.toml
+++ b/rules/ml/persistence_ml_windows_anomalous_path_activity.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2022/07/18"
-min_stack_comments = "Supports latest version of ML job introduced in 8.3"
+updated_date = "2022/08/24"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
 [rule]
diff --git a/rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml b/rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml
index e5cf3ff1647..386a6c5c462 100644
--- a/rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml
+++ b/rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2022/07/18"
-min_stack_comments = "Supports latest version of ML job introduced in 8.3"
+updated_date = "2022/08/24"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
 [rule]
diff --git a/rules/ml/persistence_ml_windows_anomalous_process_creation.toml b/rules/ml/persistence_ml_windows_anomalous_process_creation.toml
index d6604ba291f..ecc75619b24 100644
--- a/rules/ml/persistence_ml_windows_anomalous_process_creation.toml
+++ b/rules/ml/persistence_ml_windows_anomalous_process_creation.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2022/07/18"
-min_stack_comments = "Supports latest version of ML job introduced in 8.3"
+updated_date = "2022/08/24"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
 [rule]
diff --git a/rules/ml/persistence_ml_windows_anomalous_service.toml b/rules/ml/persistence_ml_windows_anomalous_service.toml
index 567ab2817bf..fa5dbfd521d 100644
--- a/rules/ml/persistence_ml_windows_anomalous_service.toml
+++ b/rules/ml/persistence_ml_windows_anomalous_service.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2022/07/18"
-min_stack_comments = "Supports latest version of ML job introduced in 8.3"
+updated_date = "2022/08/24"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
 [rule]
diff --git a/rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml b/rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml
index b46168224e5..374ee419f79 100644
--- a/rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml
+++ b/rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/09/03"
 maturity = "production"
-updated_date = "2022/07/20"
-min_stack_comments = "Supports latest version of ML job introduced in 8.3"
+updated_date = "2022/08/24"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
 [rule]
diff --git a/rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml b/rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml
index dcde9607ea5..a4a7c0f162d 100644
--- a/rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml
+++ b/rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2022/07/18"
-min_stack_comments = "Supports latest version of ML job introduced in 8.3"
+updated_date = "2022/08/24"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
 [rule]
diff --git a/rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml b/rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml
index c3be167eebb..e2344b5c913 100644
--- a/rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml
+++ b/rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/09/03"
 maturity = "production"
-updated_date = "2022/07/18"
-min_stack_comments = "Supports latest version of ML job introduced in 8.3.0"
+updated_date = "2022/08/24"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
 [rule]
diff --git a/rules/network/command_and_control_cobalt_strike_beacon.toml b/rules/network/command_and_control_cobalt_strike_beacon.toml
index 0cf487f03a9..64a54d7563b 100644
--- a/rules/network/command_and_control_cobalt_strike_beacon.toml
+++ b/rules/network/command_and_control_cobalt_strike_beacon.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/07/06"
 maturity = "production"
-updated_date = "2021/05/10"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml b/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml
index 78c58aa67fe..d98a18edde9 100644
--- a/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml
+++ b/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/10/05"
 maturity = "production"
-updated_date = "2021/05/10"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/network/command_and_control_download_rar_powershell_from_internet.toml b/rules/network/command_and_control_download_rar_powershell_from_internet.toml
index bf64d4062a0..416a4a71ecd 100644
--- a/rules/network/command_and_control_download_rar_powershell_from_internet.toml
+++ b/rules/network/command_and_control_download_rar_powershell_from_internet.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/07/02"
 maturity = "production"
-updated_date = "2021/12/06"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/network/command_and_control_fin7_c2_behavior.toml b/rules/network/command_and_control_fin7_c2_behavior.toml
index 21726926b23..1b31af2f29d 100644
--- a/rules/network/command_and_control_fin7_c2_behavior.toml
+++ b/rules/network/command_and_control_fin7_c2_behavior.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/07/06"
 maturity = "production"
-updated_date = "2021/05/10"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/network/command_and_control_halfbaked_beacon.toml b/rules/network/command_and_control_halfbaked_beacon.toml
index 74f56e4838e..e46f22010c0 100644
--- a/rules/network/command_and_control_halfbaked_beacon.toml
+++ b/rules/network/command_and_control_halfbaked_beacon.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/07/06"
 maturity = "production"
-updated_date = "2021/05/10"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/network/command_and_control_nat_traversal_port_activity.toml b/rules/network/command_and_control_nat_traversal_port_activity.toml
index a6e23998f6b..037247becaf 100644
--- a/rules/network/command_and_control_nat_traversal_port_activity.toml
+++ b/rules/network/command_and_control_nat_traversal_port_activity.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/03/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/network/command_and_control_port_26_activity.toml b/rules/network/command_and_control_port_26_activity.toml
index da93ea48180..984bc217138 100644
--- a/rules/network/command_and_control_port_26_activity.toml
+++ b/rules/network/command_and_control_port_26_activity.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/03/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml b/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml
index 7041c79953b..e2efb9f8c27 100644
--- a/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml
+++ b/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml
@@ -1,9 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/03/31"
-min_stack_comments = "Comprehensive timeline templates only available in 8.2+"
-min_stack_version = "8.2"
+updated_date = "2022/08/24"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/network/command_and_control_telnet_port_activity.toml b/rules/network/command_and_control_telnet_port_activity.toml
index 57317c93754..2e080d1e71c 100644
--- a/rules/network/command_and_control_telnet_port_activity.toml
+++ b/rules/network/command_and_control_telnet_port_activity.toml
@@ -1,9 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/03/31"
-min_stack_comments = "Comprehensive timeline templates only available in 8.2+"
-min_stack_version = "8.2"
+updated_date = "2022/08/24"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml b/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml
index 25c22a1f8fc..a0a6679f43a 100644
--- a/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml
+++ b/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/05/26"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml b/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml
index 4e2af0def22..2e3e15c6b10 100644
--- a/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml
+++ b/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/05/26"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml b/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml
index e7404a012b6..9ae1e20edb2 100644
--- a/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml
+++ b/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/05/26"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml b/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml
index b03ebd5c0af..ceeb344961b 100644
--- a/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml
+++ b/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/05/26"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml b/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml
index 9eaceac7e8b..698c01a64f1 100644
--- a/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml
+++ b/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/05/26"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/network/initial_access_unsecure_elasticsearch_node.toml b/rules/network/initial_access_unsecure_elasticsearch_node.toml
index 90ecee9d631..3c28a5b881b 100644
--- a/rules/network/initial_access_unsecure_elasticsearch_node.toml
+++ b/rules/network/initial_access_unsecure_elasticsearch_node.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/08/11"
 maturity = "production"
-updated_date = "2021/05/10"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/promotions/credential_access_endgame_cred_dumping_detected.toml b/rules/promotions/credential_access_endgame_cred_dumping_detected.toml
index 075da944f3b..747224dd4bf 100644
--- a/rules/promotions/credential_access_endgame_cred_dumping_detected.toml
+++ b/rules/promotions/credential_access_endgame_cred_dumping_detected.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/07/13"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/promotions/credential_access_endgame_cred_dumping_prevented.toml b/rules/promotions/credential_access_endgame_cred_dumping_prevented.toml
index 50844f50a05..61eee0e03ec 100644
--- a/rules/promotions/credential_access_endgame_cred_dumping_prevented.toml
+++ b/rules/promotions/credential_access_endgame_cred_dumping_prevented.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/07/13"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/promotions/endgame_adversary_behavior_detected.toml b/rules/promotions/endgame_adversary_behavior_detected.toml
index 5b68b4260fd..e46a2cbed70 100644
--- a/rules/promotions/endgame_adversary_behavior_detected.toml
+++ b/rules/promotions/endgame_adversary_behavior_detected.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/12/13"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/promotions/endgame_malware_detected.toml b/rules/promotions/endgame_malware_detected.toml
index 486f13b6805..7c8cc341b31 100644
--- a/rules/promotions/endgame_malware_detected.toml
+++ b/rules/promotions/endgame_malware_detected.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/12/13"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/promotions/endgame_malware_prevented.toml b/rules/promotions/endgame_malware_prevented.toml
index 2741cf21464..04caa249471 100644
--- a/rules/promotions/endgame_malware_prevented.toml
+++ b/rules/promotions/endgame_malware_prevented.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/12/13"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/promotions/endgame_ransomware_detected.toml b/rules/promotions/endgame_ransomware_detected.toml
index c5f22e24240..bd31657ebf7 100644
--- a/rules/promotions/endgame_ransomware_detected.toml
+++ b/rules/promotions/endgame_ransomware_detected.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/12/13"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/promotions/endgame_ransomware_prevented.toml b/rules/promotions/endgame_ransomware_prevented.toml
index 14052bfaa1a..e5c66a406a1 100644
--- a/rules/promotions/endgame_ransomware_prevented.toml
+++ b/rules/promotions/endgame_ransomware_prevented.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/12/13"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/promotions/execution_endgame_exploit_detected.toml b/rules/promotions/execution_endgame_exploit_detected.toml
index 60996055050..8162f2555c8 100644
--- a/rules/promotions/execution_endgame_exploit_detected.toml
+++ b/rules/promotions/execution_endgame_exploit_detected.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/07/13"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/promotions/execution_endgame_exploit_prevented.toml b/rules/promotions/execution_endgame_exploit_prevented.toml
index 54df4545861..a40897845de 100644
--- a/rules/promotions/execution_endgame_exploit_prevented.toml
+++ b/rules/promotions/execution_endgame_exploit_prevented.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/07/13"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/promotions/external_alerts.toml b/rules/promotions/external_alerts.toml
index 79043d89028..bcdf8db18b2 100644
--- a/rules/promotions/external_alerts.toml
+++ b/rules/promotions/external_alerts.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/07/08"
 maturity = "production"
-updated_date = "2021/07/13"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml b/rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml
index c1373019977..1173027151b 100644
--- a/rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml
+++ b/rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/07/13"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/promotions/privilege_escalation_endgame_cred_manipulation_prevented.toml b/rules/promotions/privilege_escalation_endgame_cred_manipulation_prevented.toml
index 3c3e950eb94..baeb525c230 100644
--- a/rules/promotions/privilege_escalation_endgame_cred_manipulation_prevented.toml
+++ b/rules/promotions/privilege_escalation_endgame_cred_manipulation_prevented.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/07/13"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml b/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml
index b95c7f9b55d..d52db07d9da 100644
--- a/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml
+++ b/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/07/13"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml b/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml
index baf4814adfa..f9f7b9d5bbe 100644
--- a/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml
+++ b/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/07/13"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/promotions/privilege_escalation_endgame_process_injection_detected.toml b/rules/promotions/privilege_escalation_endgame_process_injection_detected.toml
index 6ac709f6377..8714ffa7cad 100644
--- a/rules/promotions/privilege_escalation_endgame_process_injection_detected.toml
+++ b/rules/promotions/privilege_escalation_endgame_process_injection_detected.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/07/13"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml b/rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml
index dee0eb2fff9..d7fe5b42c54 100644
--- a/rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml
+++ b/rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/07/13"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/collection_email_powershell_exchange_mailbox.toml b/rules/windows/collection_email_powershell_exchange_mailbox.toml index 303a206f1a9..a729bc577b8 100644 --- a/rules/windows/collection_email_powershell_exchange_mailbox.toml +++ b/rules/windows/collection_email_powershell_exchange_mailbox.toml @@ -1,7 +1,9 @@ [metadata] creation_date = "2020/12/15" maturity = "production" -updated_date = "2022/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2022/08/24" [rule] author = ["Elastic"] diff --git a/rules/windows/collection_posh_audio_capture.toml b/rules/windows/collection_posh_audio_capture.toml index d97c9cd9ba0..4d55390afe3 100644 --- a/rules/windows/collection_posh_audio_capture.toml +++ b/rules/windows/collection_posh_audio_capture.toml @@ -1,7 +1,9 @@ [metadata] creation_date = "2021/10/19" maturity = "production" -updated_date = "2022/05/09" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2022/08/24" [rule] author = ["Elastic"] diff --git a/rules/windows/collection_posh_keylogger.toml b/rules/windows/collection_posh_keylogger.toml index c61454c4254..b19087a91d0 100644 --- a/rules/windows/collection_posh_keylogger.toml +++ b/rules/windows/collection_posh_keylogger.toml @@ -1,7 +1,9 @@ [metadata] creation_date = "2021/10/15" maturity = "production" -updated_date = "2022/05/09" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2022/08/24" [rule] author = ["Elastic"] diff --git a/rules/windows/collection_posh_screen_grabber.toml b/rules/windows/collection_posh_screen_grabber.toml index ea98f15c135..48dcda0d4ba 100644 --- a/rules/windows/collection_posh_screen_grabber.toml +++ b/rules/windows/collection_posh_screen_grabber.toml 
@@ -1,7 +1,9 @@ [metadata] creation_date = "2021/10/19" maturity = "production" -updated_date = "2022/05/09" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2022/08/24" [rule] author = ["Elastic"] diff --git a/rules/windows/collection_winrar_encryption.toml b/rules/windows/collection_winrar_encryption.toml index 5ca39206e93..332442357bf 100644 --- a/rules/windows/collection_winrar_encryption.toml +++ b/rules/windows/collection_winrar_encryption.toml @@ -1,7 +1,9 @@ [metadata] creation_date = "2020/12/04" maturity = "production" -updated_date = "2022/05/09" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2022/08/24" [rule] author = ["Elastic"] diff --git a/rules/windows/command_and_control_certutil_network_connection.toml b/rules/windows/command_and_control_certutil_network_connection.toml index 88ab60d7670..61cc02e66ad 100644 --- a/rules/windows/command_and_control_certutil_network_connection.toml +++ b/rules/windows/command_and_control_certutil_network_connection.toml @@ -1,7 +1,9 @@ [metadata] creation_date = "2020/03/19" maturity = "production" -updated_date = "2022/05/09" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2022/08/24" [rule] author = ["Elastic"] diff --git a/rules/windows/command_and_control_common_webservices.toml b/rules/windows/command_and_control_common_webservices.toml index c83f8df020b..2a839ec2ac9 100644 --- a/rules/windows/command_and_control_common_webservices.toml +++ b/rules/windows/command_and_control_common_webservices.toml 
@@ -1,7 +1,9 @@ [metadata] creation_date = "2020/11/04" maturity = "production" -updated_date = "2022/05/16" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2022/08/24" [rule] author = ["Elastic"] diff --git a/rules/windows/command_and_control_dns_tunneling_nslookup.toml b/rules/windows/command_and_control_dns_tunneling_nslookup.toml index e7f3516c830..369eed0c16a 100644 --- a/rules/windows/command_and_control_dns_tunneling_nslookup.toml +++ b/rules/windows/command_and_control_dns_tunneling_nslookup.toml @@ -1,7 +1,9 @@ [metadata] creation_date = "2020/11/11" maturity = "production" -updated_date = "2022/05/09" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2022/08/24" [rule] author = ["Elastic"] diff --git a/rules/windows/command_and_control_encrypted_channel_freesslcert.toml b/rules/windows/command_and_control_encrypted_channel_freesslcert.toml index 8979e423b22..92f0fdd4a7b 100644 --- a/rules/windows/command_and_control_encrypted_channel_freesslcert.toml +++ b/rules/windows/command_and_control_encrypted_channel_freesslcert.toml @@ -1,7 +1,9 @@ [metadata] creation_date = "2020/11/04" maturity = "production" -updated_date = "2022/03/31" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2022/08/24" [rule] author = ["Elastic"] diff --git a/rules/windows/command_and_control_iexplore_via_com.toml b/rules/windows/command_and_control_iexplore_via_com.toml index c6af56a5189..1cf2dca8db5 100644 --- a/rules/windows/command_and_control_iexplore_via_com.toml +++ b/rules/windows/command_and_control_iexplore_via_com.toml 
@@ -1,7 +1,9 @@ [metadata] creation_date = "2020/11/28" maturity = "production" -updated_date = "2022/02/14" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2022/08/24" [rule] author = ["Elastic"] diff --git a/rules/windows/command_and_control_port_forwarding_added_registry.toml b/rules/windows/command_and_control_port_forwarding_added_registry.toml index 5550fce14eb..5da8e1bbf2c 100644 --- a/rules/windows/command_and_control_port_forwarding_added_registry.toml +++ b/rules/windows/command_and_control_port_forwarding_added_registry.toml @@ -1,7 +1,9 @@ [metadata] creation_date = "2020/11/25" maturity = "production" -updated_date = "2022/05/09" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2022/08/24" [rule] author = ["Elastic"] diff --git a/rules/windows/command_and_control_rdp_tunnel_plink.toml b/rules/windows/command_and_control_rdp_tunnel_plink.toml index 144464a555a..e591807e23d 100644 --- a/rules/windows/command_and_control_rdp_tunnel_plink.toml +++ b/rules/windows/command_and_control_rdp_tunnel_plink.toml @@ -1,7 +1,9 @@ [metadata] creation_date = "2020/10/14" maturity = "production" -updated_date = "2022/05/09" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2022/08/24" [rule] author = ["Elastic"] diff --git a/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml b/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml index 387e421871f..8b16c283c1c 100644 --- a/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml +++ b/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml 
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/09/03"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml b/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
index bf99ab3ba5d..86189793890 100644
--- a/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
+++ b/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/09/03"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/command_and_control_remote_file_copy_powershell.toml b/rules/windows/command_and_control_remote_file_copy_powershell.toml
index a725d5e9c4c..15ad517a7e3 100644
--- a/rules/windows/command_and_control_remote_file_copy_powershell.toml
+++ b/rules/windows/command_and_control_remote_file_copy_powershell.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/30"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
@@ -75,9 +77,9 @@ type = "eql"
 query = '''
 sequence by host.id, process.entity_id with maxspan=30s
 [network where process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and network.protocol == "dns" and
- not dns.question.name : ("localhost", "*.microsoft.com", "*.azureedge.net", "*.powershellgallery.com", "*.windowsupdate.com", "metadata.google.internal") and 
+ not dns.question.name : ("localhost", "*.microsoft.com", "*.azureedge.net", "*.powershellgallery.com", "*.windowsupdate.com", "metadata.google.internal") and
 not user.domain : "NT AUTHORITY"]
- [file where process.name : "powershell.exe" and event.type == "creation" and file.extension : ("exe", "dll", "ps1", "bat") and 
+ [file where process.name : "powershell.exe" and event.type == "creation" and file.extension : ("exe", "dll", "ps1", "bat") and
 not file.name : "__PSScriptPolicy*.ps1"]
 '''

diff --git a/rules/windows/command_and_control_remote_file_copy_scripts.toml b/rules/windows/command_and_control_remote_file_copy_scripts.toml
index 31a7c0202c1..234ae3a6632 100644
--- a/rules/windows/command_and_control_remote_file_copy_scripts.toml
+++ b/rules/windows/command_and_control_remote_file_copy_scripts.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/29"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/command_and_control_sunburst_c2_activity_detected.toml b/rules/windows/command_and_control_sunburst_c2_activity_detected.toml
index 2f38f261c2e..563ba79bdf8 100644
--- a/rules/windows/command_and_control_sunburst_c2_activity_detected.toml
+++ b/rules/windows/command_and_control_sunburst_c2_activity_detected.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/12/14"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/command_and_control_teamviewer_remote_file_copy.toml b/rules/windows/command_and_control_teamviewer_remote_file_copy.toml
index 92d7cd735b1..1d2b3461985 100644
--- a/rules/windows/command_and_control_teamviewer_remote_file_copy.toml
+++ b/rules/windows/command_and_control_teamviewer_remote_file_copy.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_cmdline_dump_tool.toml b/rules/windows/credential_access_cmdline_dump_tool.toml
index 249e2ddcec6..3c06f200db9 100644
--- a/rules/windows/credential_access_cmdline_dump_tool.toml
+++ b/rules/windows/credential_access_cmdline_dump_tool.toml
@@ -1,9 +1,9 @@
 [metadata]
 creation_date = "2020/11/24"
 maturity = "production"
-min_stack_comments = "EQL regex syntax introduced in 7.12"
-min_stack_version = "7.12.0"
-updated_date = "2022/07/05"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
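Review bot: The new `min_stack_comments` in credential_access_cmdline_dump_tool.toml overwrites the previous rationale ("EQL regex syntax introduced in 7.12") instead of appending to it, so the file no longer records that the query itself has a syntax floor independent of the new schema fields. The 8.3.0 value is still correct because it sits above 7.12.0, but if the stack floor is ever lowered again nothing will warn the editor that 7.12 is a hard minimum for the regex. Suggest keeping both reasons in the one string, e.g. `min_stack_comments = "New fields added: required_fields, related_integrations, setup; EQL regex syntax introduced in 7.12"`. The same loss occurs in the hunks for credential_access_lsass_memdump_file_created.toml, credential_access_moving_registry_hive_via_smb.toml, credential_access_remote_sam_secretsdump.toml, credential_access_suspicious_lsass_access_via_snapshot.toml and defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml, each of which drops its own field- or feature-specific comment.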
@@ -34,7 +34,7 @@ Directory `Ntds.dit` file.

 - Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for
 prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
-- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file 
+- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file
 modifications, and any spawned child processes.
 - Investigate other alerts associated with the user/host during the past 48 hours.
 - Examine the command line to identify what information was targeted.
diff --git a/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml b/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
index 4859ea0c871..7001aa2c8ed 100644
--- a/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
+++ b/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/24"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic", "Austin Songer"]
diff --git a/rules/windows/credential_access_credential_dumping_msbuild.toml b/rules/windows/credential_access_credential_dumping_msbuild.toml
index 35c56fb4b39..e2e39e1bec3 100755
--- a/rules/windows/credential_access_credential_dumping_msbuild.toml
+++ b/rules/windows/credential_access_credential_dumping_msbuild.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2022/08/02"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
@@ -34,7 +36,7 @@ credential access activities.

 - Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for
 prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
-- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file 
+- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file
 modifications, and any spawned child processes.
 - Investigate other alerts associated with the user/host during the past 48 hours.
 - Examine the command line to identify the `.csproj` file location.
diff --git a/rules/windows/credential_access_dcsync_replication_rights.toml b/rules/windows/credential_access_dcsync_replication_rights.toml
index 99628ad60f5..160e380719b 100644
--- a/rules/windows/credential_access_dcsync_replication_rights.toml
+++ b/rules/windows/credential_access_dcsync_replication_rights.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2022/02/08"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_disable_kerberos_preauth.toml b/rules/windows/credential_access_disable_kerberos_preauth.toml
index a3bbfb74235..ef2e662006a 100644
--- a/rules/windows/credential_access_disable_kerberos_preauth.toml
+++ b/rules/windows/credential_access_disable_kerberos_preauth.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2022/01/24"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml b/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
index 4992858da2d..3f1e8cc76c8 100644
--- a/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
+++ b/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/08/13"
 maturity = "production"
-updated_date = "2022/04/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_dump_registry_hives.toml b/rules/windows/credential_access_dump_registry_hives.toml
index 40dd670c344..f9c480186e7 100644
--- a/rules/windows/credential_access_dump_registry_hives.toml
+++ b/rules/windows/credential_access_dump_registry_hives.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/23"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml b/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml
index 224df3d85bc..a6cb9e46202 100644
--- a/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml
+++ b/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_iis_connectionstrings_dumping.toml b/rules/windows/credential_access_iis_connectionstrings_dumping.toml
index eba67d25341..ef75e47a9f9 100644
--- a/rules/windows/credential_access_iis_connectionstrings_dumping.toml
+++ b/rules/windows/credential_access_iis_connectionstrings_dumping.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_kerberoasting_unusual_process.toml b/rules/windows/credential_access_kerberoasting_unusual_process.toml
index 335896d918d..b5cebe2b673 100644
--- a/rules/windows/credential_access_kerberoasting_unusual_process.toml
+++ b/rules/windows/credential_access_kerberoasting_unusual_process.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/02"
 maturity = "production"
-updated_date = "2022/07/29"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_lsass_handle_via_malseclogon.toml b/rules/windows/credential_access_lsass_handle_via_malseclogon.toml
index 15f675f069c..78e3413dad9 100644
--- a/rules/windows/credential_access_lsass_handle_via_malseclogon.toml
+++ b/rules/windows/credential_access_lsass_handle_via_malseclogon.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2022/06/29"
 maturity = "production"
-updated_date = "2022/06/29"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_lsass_memdump_file_created.toml b/rules/windows/credential_access_lsass_memdump_file_created.toml
index d91fdb45bae..9a393f8d02a 100644
--- a/rules/windows/credential_access_lsass_memdump_file_created.toml
+++ b/rules/windows/credential_access_lsass_memdump_file_created.toml
@@ -1,9 +1,9 @@
 [metadata]
 creation_date = "2020/11/24"
 maturity = "production"
-updated_date = "2022/08/02"
-min_stack_comments = "Comprehensive timeline templates only available in 8.2+"
-min_stack_version = "8.2"
+updated_date = "2022/08/24"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_lsass_memdump_handle_access.toml b/rules/windows/credential_access_lsass_memdump_handle_access.toml
index 7d2f763e0f8..a18d56b33c2 100644
--- a/rules/windows/credential_access_lsass_memdump_handle_access.toml
+++ b/rules/windows/credential_access_lsass_memdump_handle_access.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2022/02/16"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_mimikatz_memssp_default_logs.toml b/rules/windows/credential_access_mimikatz_memssp_default_logs.toml
index f4ddafe6687..d690d19c809 100644
--- a/rules/windows/credential_access_mimikatz_memssp_default_logs.toml
+++ b/rules/windows/credential_access_mimikatz_memssp_default_logs.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/08/31"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_mimikatz_powershell_module.toml b/rules/windows/credential_access_mimikatz_powershell_module.toml
index edde3a34773..c09be8af0e6 100644
--- a/rules/windows/credential_access_mimikatz_powershell_module.toml
+++ b/rules/windows/credential_access_mimikatz_powershell_module.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/12/07"
 maturity = "production"
-updated_date = "2022/05/24"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_mod_wdigest_security_provider.toml b/rules/windows/credential_access_mod_wdigest_security_provider.toml
index 0b5fd0bf929..ed0d60b371d 100644
--- a/rules/windows/credential_access_mod_wdigest_security_provider.toml
+++ b/rules/windows/credential_access_mod_wdigest_security_provider.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/01/19"
 maturity = "production"
-updated_date = "2022/07/29"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_moving_registry_hive_via_smb.toml b/rules/windows/credential_access_moving_registry_hive_via_smb.toml
index 4af9eb1e30d..be0652459ba 100644
--- a/rules/windows/credential_access_moving_registry_hive_via_smb.toml
+++ b/rules/windows/credential_access_moving_registry_hive_via_smb.toml
@@ -1,9 +1,9 @@
 [metadata]
 creation_date = "2022/02/16"
 maturity = "production"
-min_stack_comments = "File header bytes field populated until 7.15."
-min_stack_version = "7.15.0"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_persistence_network_logon_provider_modification.toml b/rules/windows/credential_access_persistence_network_logon_provider_modification.toml
index 3536aa91d0f..be6289fe78f 100644
--- a/rules/windows/credential_access_persistence_network_logon_provider_modification.toml
+++ b/rules/windows/credential_access_persistence_network_logon_provider_modification.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/03/18"
 maturity = "production"
-updated_date = "2022/02/28"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_posh_minidump.toml b/rules/windows/credential_access_posh_minidump.toml
index fbc289771bc..57d4cabdeb4 100644
--- a/rules/windows/credential_access_posh_minidump.toml
+++ b/rules/windows/credential_access_posh_minidump.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/10/05"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_posh_request_ticket.toml b/rules/windows/credential_access_posh_request_ticket.toml
index 52aeb5f5718..ff6c3ce5f68 100644
--- a/rules/windows/credential_access_posh_request_ticket.toml
+++ b/rules/windows/credential_access_posh_request_ticket.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2022/01/24"
 maturity = "production"
-updated_date = "2022/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml b/rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml
index 6222ee5885f..db728f7998d 100644
--- a/rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml
+++ b/rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml
@@ -1,7 +1,9 @@ [metadata] creation_date = "2021/09/27" maturity = "production" -updated_date = "2022/03/31" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2022/08/24" [rule] author = ["Elastic"] diff --git a/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml b/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml index d47a34ea9b5..4c8c0e89d8e 100644 --- a/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml +++ b/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml @@ -1,7 +1,9 @@ [metadata] creation_date = "2022/04/30" maturity = "production" -updated_date = "2022/04/30" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2022/08/24" [rule] author = ["Elastic"] @@ -23,15 +25,16 @@ risk_score = 73 rule_id = "4682fd2c-cfae-47ed-a543-9bed37657aa6" severity = "high" tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"] +timestamp_override = "event.ingested" type = "eql" query = ''' process where event.type in ("start", "process_started") and process.name : "rundll32.exe" and - + /* Rundll32 WbeDav Client */ - process.args : ("?:\\Windows\\System32\\davclnt.dll,DavSetCookie", "?:\\Windows\\SysWOW64\\davclnt.dll,DavSetCookie") and - + process.args : ("?:\\Windows\\System32\\davclnt.dll,DavSetCookie", "?:\\Windows\\SysWOW64\\davclnt.dll,DavSetCookie") and + /* Access to named pipe via http */ process.args : ("http*/print/pipe/*", "http*/pipe/spoolss", "http*/pipe/srvsvc") ''' diff --git a/rules/windows/credential_access_remote_sam_secretsdump.toml b/rules/windows/credential_access_remote_sam_secretsdump.toml index 431ad2d7a7f..5c15e0e4e1c 100644 --- a/rules/windows/credential_access_remote_sam_secretsdump.toml +++ b/rules/windows/credential_access_remote_sam_secretsdump.toml 
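Review bot: `timestamp_override = "event.ingested"` is added to credential_access_relay_ntlm_auth_via_http_spoolss.toml with no comment and no mention in `min_stack_comments`, although it changes which field the rule's lookback window is evaluated against: events are now selected by ingest time rather than `@timestamp`. That is the right choice for not missing late-arriving endpoint events, but it only helps when the shipper populates `event.ingested`; for sources that do not, I believe Kibana falls back to `@timestamp`, which is worth confirming for the 8.3.0 floor rather than assuming. The hunks for the other rules in this commit do not show whether they already carry the override, so it is unclear whether this is a deliberate one-off or a stray change that belongs in its own commit. A short note above the key, such as `# Query by ingest time so late-arriving endpoint events are not missed; needs event.ingested populated in the index`, or a line in the commit message would make the intent reviewable. The rest of the query hunk is whitespace-only, and the enclosing [rule] table begins before the hunk.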
@@ -1,9 +1,9 @@
 [metadata]
 creation_date = "2022/03/01"
 maturity = "production"
-min_stack_comments = "The field `file.Ext.header_bytes` was not introduced until 7.15"
-min_stack_version = "7.15.0"
-updated_date = "2022/07/30"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_saved_creds_vaultcmd.toml b/rules/windows/credential_access_saved_creds_vaultcmd.toml
index 1f317a28bad..6a214a8484f 100644
--- a/rules/windows/credential_access_saved_creds_vaultcmd.toml
+++ b/rules/windows/credential_access_saved_creds_vaultcmd.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/01/19"
 maturity = "production"
-updated_date = "2022/04/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml b/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml
index 498a1ca0a92..927a52eb076 100644
--- a/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml
+++ b/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2022/01/27"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_shadow_credentials.toml b/rules/windows/credential_access_shadow_credentials.toml
index eb8ba1019f3..0910b1d49ef 100644
--- a/rules/windows/credential_access_shadow_credentials.toml
+++ b/rules/windows/credential_access_shadow_credentials.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2022/01/26"
 maturity = "production"
-updated_date = "2022/04/13"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_spn_attribute_modified.toml b/rules/windows/credential_access_spn_attribute_modified.toml
index b7294aac8d3..12878bacd05 100644
--- a/rules/windows/credential_access_spn_attribute_modified.toml
+++ b/rules/windows/credential_access_spn_attribute_modified.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2022/02/22"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_suspicious_comsvcs_imageload.toml b/rules/windows/credential_access_suspicious_comsvcs_imageload.toml
index 2d94e68d04c..463542ea009 100644
--- a/rules/windows/credential_access_suspicious_comsvcs_imageload.toml
+++ b/rules/windows/credential_access_suspicious_comsvcs_imageload.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/10/17"
-updated_date = "2022/03/31"
+updated_date = "2022/08/24"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"


 [rule]
diff --git a/rules/windows/credential_access_suspicious_lsass_access_memdump.toml b/rules/windows/credential_access_suspicious_lsass_access_memdump.toml
index bc9c9a1c3a4..ebc49b167e9 100644
--- a/rules/windows/credential_access_suspicious_lsass_access_memdump.toml
+++ b/rules/windows/credential_access_suspicious_lsass_access_memdump.toml
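Review bot: In credential_access_suspicious_comsvcs_imageload.toml the two `min_stack_*` keys are inserted after `maturity` while `updated_date` is left above it, so the [metadata] table now reads creation_date, updated_date, maturity, min_stack_comments, min_stack_version, whereas nearly every other file in this commit ends up with creation_date, maturity, min_stack_comments, min_stack_version, updated_date. The values are the same; the inconsistency only makes this bulk change harder to eyeball, and if the repository regenerates rule files with a formatter the keys will presumably be reordered on the next touch anyway. Moving `updated_date = "2022/08/24"` to the end of the table here, and in credential_access_via_snapshot_lsass_clone_creation.toml which has the same shape, would let all the touched files diff identically.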
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/10/07"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml b/rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml
index e074350015e..50b5f1f2d84 100644
--- a/rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml
+++ b/rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml
@@ -1,9 +1,9 @@
 [metadata]
 creation_date = "2021/10/14"
-updated_date = "2022/02/28"
+updated_date = "2022/08/24"
 maturity = "production"
-min_stack_version = "7.14.0"
-min_stack_comments = "Cardinality field not added to threshold rule type until 7.14."
+min_stack_version = "8.3.0"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"


 [rule]
diff --git a/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml b/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml
index eadb2b47427..5fbd1b85408 100644
--- a/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml
+++ b/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2022/02/16"
 maturity = "production"
-updated_date = "2022/08/02"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
@@ -41,7 +43,7 @@ modifications, and processes created.
 ### False positive analysis

 - If this activity is expected and noisy in your environment, benign true positives (B-TPs) can be added as exceptions
-if necessary. 
+if necessary.

 ### Response and remediation

diff --git a/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml b/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml
index 9d9ec54ccd5..e972bee0a7f 100644
--- a/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml
+++ b/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/12/25"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic", "Austin Songer"]
diff --git a/rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml b/rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml
index 89b1c2be6ca..5fc0013f1ea 100644
--- a/rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml
+++ b/rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/11/27"
-updated_date = "2022/03/31"
+updated_date = "2022/08/24"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"


 [rule]
diff --git a/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml b/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
index 8dffa5da197..53a70ea98c2 100644
--- a/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
+++ b/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
@@ -1,9 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/03/31"
-min_stack_comments = "Comprehensive timeline templates only available in 8.2+"
-min_stack_version = "8.2"
+updated_date = "2022/08/24"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_amsienable_key_mod.toml b/rules/windows/defense_evasion_amsienable_key_mod.toml
index 2cde9436bdd..465568984a1 100644
--- a/rules/windows/defense_evasion_amsienable_key_mod.toml
+++ b/rules/windows/defense_evasion_amsienable_key_mod.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/06/01"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_clearing_windows_console_history.toml b/rules/windows/defense_evasion_clearing_windows_console_history.toml
index e3de73a4dc5..7176301608f 100644
--- a/rules/windows/defense_evasion_clearing_windows_console_history.toml
+++ b/rules/windows/defense_evasion_clearing_windows_console_history.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/11/22"
 maturity = "production"
-updated_date = "2022/05/23"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Austin Songer"]
diff --git a/rules/windows/defense_evasion_clearing_windows_event_logs.toml b/rules/windows/defense_evasion_clearing_windows_event_logs.toml
index f387587232d..dd40f7079f9 100644
--- a/rules/windows/defense_evasion_clearing_windows_event_logs.toml
+++ b/rules/windows/defense_evasion_clearing_windows_event_logs.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/08/08"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_clearing_windows_security_logs.toml b/rules/windows/defense_evasion_clearing_windows_security_logs.toml
index 248c209fd94..6ac4976915e 100644
--- a/rules/windows/defense_evasion_clearing_windows_security_logs.toml
+++ b/rules/windows/defense_evasion_clearing_windows_security_logs.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/12"
 maturity = "production"
-updated_date = "2022/05/23"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic", "Anabella Cristaldi"]
diff --git a/rules/windows/defense_evasion_create_mod_root_certificate.toml b/rules/windows/defense_evasion_create_mod_root_certificate.toml
index 2a022aee2e4..e29aa582a3d 100644
--- a/rules/windows/defense_evasion_create_mod_root_certificate.toml
+++ b/rules/windows/defense_evasion_create_mod_root_certificate.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/02/01"
 maturity = "production"
-updated_date = "2022/08/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_cve_2020_0601.toml b/rules/windows/defense_evasion_cve_2020_0601.toml
index 07d15a1c7cd..4e02f3e13f6 100644
--- a/rules/windows/defense_evasion_cve_2020_0601.toml
+++ b/rules/windows/defense_evasion_cve_2020_0601.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/03/19"
 maturity = "production"
-updated_date = "2021/03/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_defender_disabled_via_registry.toml b/rules/windows/defense_evasion_defender_disabled_via_registry.toml
index 19cfe4d4e05..f70bdb6623a 100644
--- a/rules/windows/defense_evasion_defender_disabled_via_registry.toml
+++ b/rules/windows/defense_evasion_defender_disabled_via_registry.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/12/23"
 maturity = "production"
-updated_date = "2022/08/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml b/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
index e9e6d2edf75..adac067f44b 100644
--- a/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
+++ b/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/07/20"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml b/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
index 1b9d1c54774..f30f1c8e354 100644
--- a/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
+++ b/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml b/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml
index 41011adf8b5..20a402446ed 100644
--- a/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml
+++ b/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2022/01/31"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml b/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
index dc98a8dc7f5..20bb4568fd9 100644
--- a/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
+++ b/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml b/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
index 9dd37de19e2..051dae54b56 100644
--- a/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
+++ b/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/07/07"
 maturity = "production"
-updated_date = "2022/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_disabling_windows_logs.toml b/rules/windows/defense_evasion_disabling_windows_logs.toml
index b23c86bc786..9b16158eb0a 100644
--- a/rules/windows/defense_evasion_disabling_windows_logs.toml
+++ b/rules/windows/defense_evasion_disabling_windows_logs.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/05/06"
 maturity = "production"
-updated_date = "2022/05/23"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic", "Ivan Ninichuck", "Austin Songer"]
diff --git a/rules/windows/defense_evasion_dns_over_https_enabled.toml b/rules/windows/defense_evasion_dns_over_https_enabled.toml
index 560f2d795b9..24a7c41736d 100644
--- a/rules/windows/defense_evasion_dns_over_https_enabled.toml
+++ b/rules/windows/defense_evasion_dns_over_https_enabled.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/07/22"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Austin Songer"]
diff --git a/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml b/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
index 588a7827363..ba879e0357f 100644
--- a/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
+++ b/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/08/21"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml b/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml
index ba0d5224524..d474f8116dd 100644
--- a/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml
+++ b/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/10/13"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml b/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml
index 0592b61ba10..b2c7b958f9d 100644
--- a/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml
+++ b/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/07/07"
 maturity = "production"
-updated_date = "2022/05/23"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml b/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml
index 35df953dc93..01c9f1386a2 100644
--- a/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml
+++ b/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/09/08"
 maturity = "production"
-updated_date = "2022/08/02"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml b/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
index d1d7ec960e7..61535ca7363 100644
--- a/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
+++ b/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
@@ -1,9 +1,9 @@
 [metadata]
 creation_date = "2020/10/13"
 maturity = "production"
-updated_date = "2022/07/20"
-min_stack_comments = "Comprehensive timeline templates only available in 8.2+"
-min_stack_version = "8.2"
+updated_date = "2022/08/24"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
index bac0405d7c6..531eb5b0b22 100755
--- a/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2022/07/05"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
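Review bot: In the `defense_evasion_execution_lolbas_wuauclt.toml` hunk the three metadata keys are written as `updated_date`, `min_stack_comments`, `min_stack_version`, while the hunks around it (for example `defense_evasion_execution_msbuild_started_by_office_app.toml` directly below) write them as `min_stack_comments`, `min_stack_version`, `updated_date`; the `defense_evasion_suspicious_certutil_commands.toml` hunk later in this change has the same reversed order, whereas `defense_evasion_file_creation_mult_extension.toml` keeps the sorted order. One ordering across all rule files keeps these bulk metadata bumps mechanical and easy to diff. Dropping the old "Comprehensive timeline templates only available in 8.2+" reason is fine here because the new floor 8.3.0 is above 8.2, and the same holds for the EQL-regex reason replaced in the file_creation_mult_extension hunk, but that reasoning is worth a sentence in the commit description since it is no longer recorded in the files.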
@@ -40,7 +42,7 @@ execution of malicious documents. - Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. -- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file +- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes. - Investigate other alerts associated with the user/host during the past 48 hours. - Retrieve MS Office documents received and opened by the user that could cause this behavior. Common locations include, @@ -75,7 +77,7 @@ systems, and web services. - Remove and block malicious artifacts identified during triage. - Run a full scan using the antimalware tool in place. This scan can reveal additional artifacts left in the system, persistence mechanisms, and malware components. -- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - If the malicious file was delivered via phishing: - Block the email sender from sending future emails. - Block the malicious web pages. diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml index a62d75041b6..0806d9a0c7d 100755 --- a/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml +++ b/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml 
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
index 8752c8e19c3..f184d0ae9f2 100755
--- a/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml b/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
index b14688c4bfc..9989869bf43 100755
--- a/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml b/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
index b096c92c15c..d5335215480 100755
--- a/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml b/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
index 955a53ea7ac..4a8300d01b3 100644
--- a/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
+++ b/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/09/03"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_execution_windefend_unusual_path.toml b/rules/windows/defense_evasion_execution_windefend_unusual_path.toml
index 387b75639d2..861f269e831 100644
--- a/rules/windows/defense_evasion_execution_windefend_unusual_path.toml
+++ b/rules/windows/defense_evasion_execution_windefend_unusual_path.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/07/07"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic", "Dennis Perto"]
diff --git a/rules/windows/defense_evasion_file_creation_mult_extension.toml b/rules/windows/defense_evasion_file_creation_mult_extension.toml
index 0d0d67ae1d2..61979ad96e0 100644
--- a/rules/windows/defense_evasion_file_creation_mult_extension.toml
+++ b/rules/windows/defense_evasion_file_creation_mult_extension.toml
@@ -1,9 +1,9 @@
 [metadata]
 creation_date = "2021/01/19"
 maturity = "production"
-min_stack_comments = "EQL regex syntax introduced in 7.12"
-min_stack_version = "7.12.0"
-updated_date = "2022/08/02"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_from_unusual_directory.toml b/rules/windows/defense_evasion_from_unusual_directory.toml
index add66ec4c35..e935731ae19 100644
--- a/rules/windows/defense_evasion_from_unusual_directory.toml
+++ b/rules/windows/defense_evasion_from_unusual_directory.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/10/30"
 maturity = "production"
-updated_date = "2022/08/02"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_hide_encoded_executable_registry.toml b/rules/windows/defense_evasion_hide_encoded_executable_registry.toml
index fd85c211975..329ccf66d75 100644
--- a/rules/windows/defense_evasion_hide_encoded_executable_registry.toml
+++ b/rules/windows/defense_evasion_hide_encoded_executable_registry.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/25"
 maturity = "production"
-updated_date = "2022/02/14"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_iis_httplogging_disabled.toml b/rules/windows/defense_evasion_iis_httplogging_disabled.toml
index c31f119af1f..71f1ad1811d 100644
--- a/rules/windows/defense_evasion_iis_httplogging_disabled.toml
+++ b/rules/windows/defense_evasion_iis_httplogging_disabled.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/04/14"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_injection_msbuild.toml b/rules/windows/defense_evasion_injection_msbuild.toml
index f5864bd392e..190bd5a7466 100755
--- a/rules/windows/defense_evasion_injection_msbuild.toml
+++ b/rules/windows/defense_evasion_injection_msbuild.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2021/03/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_installutil_beacon.toml b/rules/windows/defense_evasion_installutil_beacon.toml
index 828cfdc9165..f4dfd3c8ea6 100644
--- a/rules/windows/defense_evasion_installutil_beacon.toml
+++ b/rules/windows/defense_evasion_installutil_beacon.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "production"
-updated_date = "2022/08/17"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
index f62ca5f7451..c9a234b7fbd 100644
--- a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
+++ b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/08/24"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_masquerading_renamed_autoit.toml b/rules/windows/defense_evasion_masquerading_renamed_autoit.toml
index 0828749b9f6..834bc59218a 100644
--- a/rules/windows/defense_evasion_masquerading_renamed_autoit.toml
+++ b/rules/windows/defense_evasion_masquerading_renamed_autoit.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/09/01"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml b/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
index c33ccef3dfd..c918c010e05 100644
--- a/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
+++ b/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/08/24"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_masquerading_trusted_directory.toml b/rules/windows/defense_evasion_masquerading_trusted_directory.toml
index e7161d0890e..04b181254cb 100644
--- a/rules/windows/defense_evasion_masquerading_trusted_directory.toml
+++ b/rules/windows/defense_evasion_masquerading_trusted_directory.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/18"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_masquerading_werfault.toml b/rules/windows/defense_evasion_masquerading_werfault.toml
index 25b898ad3fd..f068cd77626 100644
--- a/rules/windows/defense_evasion_masquerading_werfault.toml
+++ b/rules/windows/defense_evasion_masquerading_werfault.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/08/24"
 maturity = "production"
-updated_date = "2021/10/13"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_microsoft_defender_tampering.toml b/rules/windows/defense_evasion_microsoft_defender_tampering.toml
index 5d7a7ba297a..78b3a369691 100644
--- a/rules/windows/defense_evasion_microsoft_defender_tampering.toml
+++ b/rules/windows/defense_evasion_microsoft_defender_tampering.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/10/18"
 maturity = "production"
-updated_date = "2022/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Austin Songer"]
diff --git a/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml b/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
index e8504e288ee..9a6486dc1ae 100644
--- a/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
+++ b/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml b/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml
index 31ee40955dd..65d4dcbaa95 100644
--- a/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml
+++ b/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2022/01/12"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_msbuild_beacon_sequence.toml b/rules/windows/defense_evasion_msbuild_beacon_sequence.toml
index c10dcf45ad5..6359cd910cb 100644
--- a/rules/windows/defense_evasion_msbuild_beacon_sequence.toml
+++ b/rules/windows/defense_evasion_msbuild_beacon_sequence.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "development"
-updated_date = "2022/08/17"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_msbuild_making_network_connections.toml b/rules/windows/defense_evasion_msbuild_making_network_connections.toml
index 1b6bc53baaa..db78aef29ee 100644
--- a/rules/windows/defense_evasion_msbuild_making_network_connections.toml
+++ b/rules/windows/defense_evasion_msbuild_making_network_connections.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/09/23"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_mshta_beacon.toml b/rules/windows/defense_evasion_mshta_beacon.toml
index fc2a853d30f..56d1aaa2b46 100644
--- a/rules/windows/defense_evasion_mshta_beacon.toml
+++ b/rules/windows/defense_evasion_mshta_beacon.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "production"
-updated_date = "2022/08/17"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_msxsl_beacon.toml b/rules/windows/defense_evasion_msxsl_beacon.toml
index f6109ebb426..26fa968a2fb 100644
--- a/rules/windows/defense_evasion_msxsl_beacon.toml
+++ b/rules/windows/defense_evasion_msxsl_beacon.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "development"
-updated_date = "2022/08/17"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_msxsl_network.toml b/rules/windows/defense_evasion_msxsl_network.toml
index 9e5ecf447e6..a22b0b9d9db 100644
--- a/rules/windows/defense_evasion_msxsl_network.toml
+++ b/rules/windows/defense_evasion_msxsl_network.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/03/18"
 maturity = "production"
-updated_date = "2021/05/26"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_network_connection_from_windows_binary.toml b/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
index f85daba073d..81212aff743 100644
--- a/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
+++ b/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
@@ -1,7 +1,9 @@ [metadata] creation_date = "2020/09/02" maturity = "production" -updated_date = "2022/08/17" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2022/08/24" [rule] author = ["Elastic"] diff --git a/rules/windows/defense_evasion_parent_process_pid_spoofing.toml b/rules/windows/defense_evasion_parent_process_pid_spoofing.toml index 48f5b6e0041..ffeacb3e92b 100644 --- a/rules/windows/defense_evasion_parent_process_pid_spoofing.toml +++ b/rules/windows/defense_evasion_parent_process_pid_spoofing.toml @@ -1,7 +1,9 @@ [metadata] creation_date = "2021/07/14" maturity = "production" -updated_date = "2021/07/14" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2022/08/24" [rule] author = ["Elastic"] @@ -42,7 +44,7 @@ sequence by host.id, user.id with maxspan=5m ] by process.pid [process where event.type == "start" and process.parent.Ext.real.pid > 0 and /* process.parent.Ext.real.pid is only populated if the parent process pid doesn't match */ - + not (process.name : "msedge.exe" and process.parent.name : "sihost.exe") ] by process.parent.Ext.real.pid ''' diff --git a/rules/windows/defense_evasion_posh_assembly_load.toml b/rules/windows/defense_evasion_posh_assembly_load.toml index 238e72e3a69..13858de6941 100644 --- a/rules/windows/defense_evasion_posh_assembly_load.toml +++ b/rules/windows/defense_evasion_posh_assembly_load.toml @@ -1,7 +1,9 @@ [metadata] creation_date = "2021/10/15" maturity = "production" -updated_date = "2022/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2022/08/24" [rule] author = ["Elastic"] diff --git a/rules/windows/defense_evasion_posh_compressed.toml b/rules/windows/defense_evasion_posh_compressed.toml index b486d12cff7..ffb36c8047d 100644 
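Review bot: The exclusion added in the `@@ -42,7 +44,7 @@` hunk of `defense_evasion_parent_process_pid_spoofing.toml` is keyed only on `process.name` and `process.parent.name`, and a file name is a weak identity, so the carve-out is broader than the Edge-under-sihost false positive it is meant to cover. Anchoring the exception to the signer, as `defense_evasion_process_termination_followed_by_deletion.toml` in this same change already does with `process.code_signature.trusted`, limits it to the genuinely signed binary: `not (process.name : "msedge.exe" and process.parent.name : "sihost.exe" and process.code_signature.trusted == true)`. Whether the relevant start events populate the code-signature fields should be confirmed against the data before relying on it. The enclosing `sequence` in `query` begins before this hunk.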
--- a/rules/windows/defense_evasion_posh_compressed.toml
+++ b/rules/windows/defense_evasion_posh_compressed.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/10/19"
 maturity = "production"
-updated_date = "2022/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_posh_process_injection.toml b/rules/windows/defense_evasion_posh_process_injection.toml
index 97779af30a0..0d51841416c 100644
--- a/rules/windows/defense_evasion_posh_process_injection.toml
+++ b/rules/windows/defense_evasion_posh_process_injection.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/10/14"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_potential_processherpaderping.toml b/rules/windows/defense_evasion_potential_processherpaderping.toml
index 28f8d5a5016..40e8e9e85d1 100644
--- a/rules/windows/defense_evasion_potential_processherpaderping.toml
+++ b/rules/windows/defense_evasion_potential_processherpaderping.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/10/27"
 maturity = "production"
-updated_date = "2021/03/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml b/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml
index 481f5dfae27..e18dd020fb1 100644
--- a/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml
+++ b/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml
@@ -1,7 +1,9 @@ [metadata] creation_date = "2021/10/15" maturity = "production" -updated_date = "2022/05/23" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2022/08/24" [rule] author = ["Austin Songer"] diff --git a/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml b/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml index 61688700732..58f8fc80285 100644 --- a/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml +++ b/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml @@ -1,7 +1,9 @@ [metadata] creation_date = "2020/11/04" maturity = "production" -updated_date = "2022/08/01" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2022/08/24" [rule] author = ["Elastic"] @@ -24,7 +26,7 @@ type = "eql" query = ''' sequence by host.id with maxspan=5s - [process where event.type == "end" and + [process where event.type == "end" and process.code_signature.trusted == false and not process.executable : ("C:\\Windows\\SoftwareDistribution\\*.exe", "C:\\Windows\\WinSxS\\*.exe") ] by process.executable diff --git a/rules/windows/defense_evasion_proxy_execution_via_msdt.toml b/rules/windows/defense_evasion_proxy_execution_via_msdt.toml index 2827666da3c..0e49f385f27 100644 --- a/rules/windows/defense_evasion_proxy_execution_via_msdt.toml +++ b/rules/windows/defense_evasion_proxy_execution_via_msdt.toml @@ -1,7 +1,9 @@ [metadata] creation_date = "2022/05/31" maturity = "production" -updated_date = "2022/07/20" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2022/08/24" [rule] author = ["Elastic"] 
@@ -26,6 +28,7 @@
 risk_score = 73
 rule_id = "2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a"
 severity = "high"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+timestamp_override = "event.ingested"
 type = "eql"
 query = '''
diff --git a/rules/windows/defense_evasion_rundll32_no_arguments.toml b/rules/windows/defense_evasion_rundll32_no_arguments.toml
index 24ea0ce458b..78fb8df7128 100644
--- a/rules/windows/defense_evasion_rundll32_no_arguments.toml
+++ b/rules/windows/defense_evasion_rundll32_no_arguments.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "production"
-updated_date = "2022/08/17"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml b/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml
index 8b069e3c1a0..9410f017370 100644
--- a/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml
+++ b/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/23"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_sdelete_like_filename_rename.toml b/rules/windows/defense_evasion_sdelete_like_filename_rename.toml
index 26ba3a77642..f19450462cb 100644
--- a/rules/windows/defense_evasion_sdelete_like_filename_rename.toml
+++ b/rules/windows/defense_evasion_sdelete_like_filename_rename.toml
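Review bot: The `timestamp_override = "event.ingested"` added in the `@@ -26,6 +28,7 @@` hunk of `defense_evasion_proxy_execution_via_msdt.toml` makes the rule evaluate its time window on ingest time instead of `@timestamp`, which is a behavioural change riding inside an otherwise metadata-only bulk update, and nothing in the file records it: the new `min_stack_comments` only mentions the schema fields. Either call it out in the commit description or extend the comment, e.g. `min_stack_comments = "New fields added: required_fields, related_integrations, setup; timestamp_override set to event.ingested"`, so someone diffing rule versions can see why this rule's matching changed on 2022/08/24. The rule's `query` continues outside the hunk.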
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_sip_provider_mod.toml b/rules/windows/defense_evasion_sip_provider_mod.toml
index 74952e3a18f..d438ea117db 100644
--- a/rules/windows/defense_evasion_sip_provider_mod.toml
+++ b/rules/windows/defense_evasion_sip_provider_mod.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/01/20"
 maturity = "production"
-updated_date = "2022/02/14"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml b/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
index 2b4a23fccd7..5c264a22924 100644
--- a/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
+++ b/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/12/14"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_suspicious_certutil_commands.toml b/rules/windows/defense_evasion_suspicious_certutil_commands.toml
index 628e5d7b18b..c0ebb515d1b 100644
--- a/rules/windows/defense_evasion_suspicious_certutil_commands.toml
+++ b/rules/windows/defense_evasion_suspicious_certutil_commands.toml
@@ -1,9 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/03/31"
-min_stack_comments = "Comprehensive timeline templates only available in 8.2+"
-min_stack_version = "8.2"
+updated_date = "2022/08/24"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
diff --git a/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml b/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml
index ea95c5ac1a0..5b5cddc7fd3 100644
--- a/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml
+++ b/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/05/28"
 maturity = "production"
-updated_date = "2022/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml b/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
index c885b93f22c..fc277c2c976 100644
--- a/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
+++ b/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/08/21"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
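Review bot: Overwriting `min_stack_comments` here drops the only record of why this rule was previously gated (comprehensive timeline templates, 8.2+); 8.3.0 satisfies that constraint today, but a later change that lowers `min_stack_version` has nothing to tell it the older floor still applies. Keeping both reasons in the one string preserves that history, e.g. `min_stack_comments = "New fields added: required_fields, related_integrations, setup; comprehensive timeline templates only available in 8.2+"`. The same overwrite happens in discovery_command_system_account.toml and execution_register_server_program_connecting_to_the_internet.toml (EQL optional fields syntax, 7.16), execution_command_shell_started_by_svchost.toml (timeline templates, 8.2) and execution_suspicious_powershell_imgload.toml (EQL regex syntax, 7.12). Separately, this hunk and the svchost one leave `updated_date` above the `min_stack_*` keys while every other file touched by the commit adds the three keys in alphabetical order; reordering them here would keep the metadata tables uniform.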
@@ -23,7 +25,7 @@ type = "eql" query = ''' sequence by process.entity_id with maxspan=5m - [process where event.type == "start" and + [process where event.type == "start" and process.name : ("wscript.exe", "cscript.exe", "mshta.exe", "wmic.exe", "regsvr32.exe", "svchost.exe", "dllhost.exe", "cmstp.exe")] [file where event.type != "deletion" and file.name : ("wscript.exe.log", diff --git a/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml b/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml index b5132a60e5b..3ce9febd757 100644 --- a/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml +++ b/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml @@ -1,7 +1,9 @@ [metadata] creation_date = "2021/10/11" maturity = "production" -updated_date = "2022/07/30" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2022/08/24" [rule] author = ["Elastic"] diff --git a/rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml b/rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml index 11d4b4be012..d7f0ff9e335 100644 --- a/rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml +++ b/rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml @@ -1,7 +1,9 @@ [metadata] creation_date = "2021/10/24" maturity = "production" -updated_date = "2022/08/17" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2022/08/24" [rule] author = ["Elastic"] diff --git a/rules/windows/defense_evasion_suspicious_scrobj_load.toml b/rules/windows/defense_evasion_suspicious_scrobj_load.toml index 4edc902adbd..a9b022ce87e 100644 --- a/rules/windows/defense_evasion_suspicious_scrobj_load.toml +++ b/rules/windows/defense_evasion_suspicious_scrobj_load.toml 
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "production"
-updated_date = "2022/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_suspicious_short_program_name.toml b/rules/windows/defense_evasion_suspicious_short_program_name.toml
index 978d4c730db..925f683e295 100644
--- a/rules/windows/defense_evasion_suspicious_short_program_name.toml
+++ b/rules/windows/defense_evasion_suspicious_short_program_name.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/15"
 maturity = "production"
-updated_date = "2022/07/18"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_suspicious_wmi_script.toml b/rules/windows/defense_evasion_suspicious_wmi_script.toml
index b66064a65d2..fa88e3a5796 100644
--- a/rules/windows/defense_evasion_suspicious_wmi_script.toml
+++ b/rules/windows/defense_evasion_suspicious_wmi_script.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "production"
-updated_date = "2022/08/17"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_suspicious_zoom_child_process.toml b/rules/windows/defense_evasion_suspicious_zoom_child_process.toml
index 347a288c9bd..2e5e03b0bb5 100644
--- a/rules/windows/defense_evasion_suspicious_zoom_child_process.toml
+++ b/rules/windows/defense_evasion_suspicious_zoom_child_process.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/09/03"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml b/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml
index ad708348224..6c9ed67716e 100644
--- a/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml
+++ b/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/08/19"
 maturity = "production"
-updated_date = "2022/07/05"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_unusual_ads_file_creation.toml b/rules/windows/defense_evasion_unusual_ads_file_creation.toml
index 714cab64f8f..004e22e6602 100644
--- a/rules/windows/defense_evasion_unusual_ads_file_creation.toml
+++ b/rules/windows/defense_evasion_unusual_ads_file_creation.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/01/21"
 maturity = "production"
-updated_date = "2022/08/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_unusual_dir_ads.toml b/rules/windows/defense_evasion_unusual_dir_ads.toml
index 89516e87ebb..1aadd0b3786 100644
--- a/rules/windows/defense_evasion_unusual_dir_ads.toml
+++ b/rules/windows/defense_evasion_unusual_dir_ads.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/12/04"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml b/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml
index 5b1a36a5433..c0e02b91e99 100644
--- a/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml
+++ b/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/05/28"
 maturity = "production"
-updated_date = "2022/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml b/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml
index 63ec1b1c9af..9cbfa12f82f 100644
--- a/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml
+++ b/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/07/22"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_unusual_process_network_connection.toml b/rules/windows/defense_evasion_unusual_process_network_connection.toml
index 73cec9c2c32..45d36bda30d 100644
--- a/rules/windows/defense_evasion_unusual_process_network_connection.toml
+++ b/rules/windows/defense_evasion_unusual_process_network_connection.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/07/22"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_unusual_system_vp_child_program.toml b/rules/windows/defense_evasion_unusual_system_vp_child_program.toml
index b61d1ab8b10..e8da6bc58a0 100644
--- a/rules/windows/defense_evasion_unusual_system_vp_child_program.toml
+++ b/rules/windows/defense_evasion_unusual_system_vp_child_program.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/08/19"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_via_filter_manager.toml b/rules/windows/defense_evasion_via_filter_manager.toml
index 840911786f2..1268e86f2da 100644
--- a/rules/windows/defense_evasion_via_filter_manager.toml
+++ b/rules/windows/defense_evasion_via_filter_manager.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_workfolders_control_execution.toml b/rules/windows/defense_evasion_workfolders_control_execution.toml
index 5680002eb5e..3e47ac99fe6 100644
--- a/rules/windows/defense_evasion_workfolders_control_execution.toml
+++ b/rules/windows/defense_evasion_workfolders_control_execution.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2022/03/02"
 maturity = "production"
-updated_date = "2022/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
diff --git a/rules/windows/discovery_adfind_command_activity.toml b/rules/windows/discovery_adfind_command_activity.toml
index 5166b5dadbd..a9a040432c4 100644
--- a/rules/windows/discovery_adfind_command_activity.toml
+++ b/rules/windows/discovery_adfind_command_activity.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/10/19"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/discovery_admin_recon.toml b/rules/windows/discovery_admin_recon.toml
index 9db5ed801ab..efbd0638ae5 100644
--- a/rules/windows/discovery_admin_recon.toml
+++ b/rules/windows/discovery_admin_recon.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/12/04"
 maturity = "production"
-updated_date = "2022/04/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/discovery_command_system_account.toml b/rules/windows/discovery_command_system_account.toml
index f29e17be027..c01dc0af7b3 100644
--- a/rules/windows/discovery_command_system_account.toml
+++ b/rules/windows/discovery_command_system_account.toml
@@ -1,9 +1,9 @@
 [metadata]
 creation_date = "2020/03/18"
 maturity = "production"
-min_stack_comments = "EQL optional fields syntax was not introduced until 7.16"
-min_stack_version = "7.16.0"
-updated_date = "2022/04/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml b/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
index 1cb97983a31..74340e2bf94 100644
--- a/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
+++ b/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2022/05/31"
 maturity = "production"
-updated_date = "2022/08/17"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/discovery_net_view.toml b/rules/windows/discovery_net_view.toml
index 20bc4c12c74..de79b18a151 100644
--- a/rules/windows/discovery_net_view.toml
+++ b/rules/windows/discovery_net_view.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/12/04"
 maturity = "production"
-updated_date = "2022/04/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/discovery_peripheral_device.toml b/rules/windows/discovery_peripheral_device.toml
index 9d82dda6636..aea0e9576b1 100644
--- a/rules/windows/discovery_peripheral_device.toml
+++ b/rules/windows/discovery_peripheral_device.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/02"
 maturity = "production"
-updated_date = "2022/04/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/discovery_posh_suspicious_api_functions.toml b/rules/windows/discovery_posh_suspicious_api_functions.toml
index 4c0feb42301..bf84837c359 100644
--- a/rules/windows/discovery_posh_suspicious_api_functions.toml
+++ b/rules/windows/discovery_posh_suspicious_api_functions.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/10/13"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/discovery_post_exploitation_external_ip_lookup.toml b/rules/windows/discovery_post_exploitation_external_ip_lookup.toml
index 8af6b60bb35..dccba051886 100644
--- a/rules/windows/discovery_post_exploitation_external_ip_lookup.toml
+++ b/rules/windows/discovery_post_exploitation_external_ip_lookup.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/09/04"
 maturity = "production"
-updated_date = "2022/04/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/discovery_privileged_localgroup_membership.toml b/rules/windows/discovery_privileged_localgroup_membership.toml
index fef327af87d..d822c7b5dfb 100644
--- a/rules/windows/discovery_privileged_localgroup_membership.toml
+++ b/rules/windows/discovery_privileged_localgroup_membership.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/10/15"
 maturity = "production"
-updated_date = "2022/08/17"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/discovery_remote_system_discovery_commands_windows.toml b/rules/windows/discovery_remote_system_discovery_commands_windows.toml
index 1030003c6cd..df268f1263a 100644
--- a/rules/windows/discovery_remote_system_discovery_commands_windows.toml
+++ b/rules/windows/discovery_remote_system_discovery_commands_windows.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/12/04"
 maturity = "production"
-updated_date = "2022/06/14"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/discovery_security_software_wmic.toml b/rules/windows/discovery_security_software_wmic.toml
index 3365e23a048..2ddcef7e383 100644
--- a/rules/windows/discovery_security_software_wmic.toml
+++ b/rules/windows/discovery_security_software_wmic.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/10/19"
 maturity = "production"
-updated_date = "2022/04/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/discovery_whoami_command_activity.toml b/rules/windows/discovery_whoami_command_activity.toml
index 1a3ee704624..14b5eb74503 100644
--- a/rules/windows/discovery_whoami_command_activity.toml
+++ b/rules/windows/discovery_whoami_command_activity.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/08/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml b/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
index 02fbad45b1c..73c4486b7ce 100644
--- a/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
+++ b/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/12/14"
 maturity = "production"
-updated_date = "2022/04/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml b/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml
index 842b7e305c8..59fa893d921 100644
--- a/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml
+++ b/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/12/14"
 maturity = "production"
-updated_date = "2022/08/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_com_object_xwizard.toml b/rules/windows/execution_com_object_xwizard.toml
index 5f123a7abf7..f34b52b1d62 100644
--- a/rules/windows/execution_com_object_xwizard.toml
+++ b/rules/windows/execution_com_object_xwizard.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/01/20"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_command_prompt_connecting_to_the_internet.toml b/rules/windows/execution_command_prompt_connecting_to_the_internet.toml
index d521f15c766..e127caf03ba 100644
--- a/rules/windows/execution_command_prompt_connecting_to_the_internet.toml
+++ b/rules/windows/execution_command_prompt_connecting_to_the_internet.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/05/26"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_command_shell_started_by_svchost.toml b/rules/windows/execution_command_shell_started_by_svchost.toml
index 014993e3906..8563addf90c 100644
--- a/rules/windows/execution_command_shell_started_by_svchost.toml
+++ b/rules/windows/execution_command_shell_started_by_svchost.toml
@@ -1,9 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/08/03"
-min_stack_comments = "Comprehensive timeline templates only available in 8.2+"
-min_stack_version = "8.2"
+updated_date = "2022/08/24"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_command_shell_started_by_unusual_process.toml b/rules/windows/execution_command_shell_started_by_unusual_process.toml
index 39e4ec455cc..59849446d3b 100644
--- a/rules/windows/execution_command_shell_started_by_unusual_process.toml
+++ b/rules/windows/execution_command_shell_started_by_unusual_process.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/08/21"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_command_shell_via_rundll32.toml b/rules/windows/execution_command_shell_via_rundll32.toml
index dd406eaeb78..a9db9e87d34 100644
--- a/rules/windows/execution_command_shell_via_rundll32.toml
+++ b/rules/windows/execution_command_shell_via_rundll32.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/10/19"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_downloaded_shortcut_files.toml b/rules/windows/execution_downloaded_shortcut_files.toml
index 819406f15b3..7409b4e053a 100644
--- a/rules/windows/execution_downloaded_shortcut_files.toml
+++ b/rules/windows/execution_downloaded_shortcut_files.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/02"
 maturity = "development"
 query_schema_validation = false
-updated_date = "2021/09/23"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_downloaded_url_file.toml b/rules/windows/execution_downloaded_url_file.toml
index ae04debda00..89ee324fcad 100644
--- a/rules/windows/execution_downloaded_url_file.toml
+++ b/rules/windows/execution_downloaded_url_file.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/02"
 maturity = "development"
 query_schema_validation = false
-updated_date = "2022/08/17"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_enumeration_via_wmiprvse.toml b/rules/windows/execution_enumeration_via_wmiprvse.toml
index a4194430c1d..85d57219d53 100644
--- a/rules/windows/execution_enumeration_via_wmiprvse.toml
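Review bot: In execution_downloaded_shortcut_files.toml and execution_downloaded_url_file.toml the only change is the `updated_date` bump — no other hunk appears for either file, so nothing in the rule itself is updated, and unlike the rest of the commit no `min_stack_version`/`min_stack_comments` pair is added. If these two are deliberately skipped because of `maturity = "development"` (which looks like the likely reason), the date bump is noise and should be reverted so `updated_date` keeps meaning the last substantive change to the rule. If they are meant to receive the new fields as well, the metadata should match the other files with `min_stack_comments = "New fields added: required_fields, related_integrations, setup"` and `min_stack_version = "8.3.0"`.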
+++ b/rules/windows/execution_enumeration_via_wmiprvse.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/01/19"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_from_unusual_path_cmdline.toml b/rules/windows/execution_from_unusual_path_cmdline.toml
index f8370250d40..88fd4fa7ea1 100644
--- a/rules/windows/execution_from_unusual_path_cmdline.toml
+++ b/rules/windows/execution_from_unusual_path_cmdline.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/10/30"
 maturity = "production"
-updated_date = "2022/08/02"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml b/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
index e4cc470138e..b4102eb2339 100644
--- a/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
+++ b/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_ms_office_written_file.toml b/rules/windows/execution_ms_office_written_file.toml
index 12a8bab11d2..cdea617dac5 100644
--- a/rules/windows/execution_ms_office_written_file.toml
+++ b/rules/windows/execution_ms_office_written_file.toml
@@ -1,7 +1,9 @@ [metadata] creation_date = "2020/09/02" maturity = "production" -updated_date = "2022/08/17" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2022/08/24" [rule] author = ["Elastic"] @@ -65,7 +67,7 @@ systems, and web services. - Remove and block malicious artifacts identified during triage. - Run a full scan using the antimalware tool in place. This scan can reveal additional artifacts left in the system, persistence mechanisms, and malware components. -- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - If the malicious file was delivered via phishing: - Block the email sender from sending future emails. - Block the malicious web pages. diff --git a/rules/windows/execution_pdf_written_file.toml b/rules/windows/execution_pdf_written_file.toml index 14e53e6cbc7..75e4a0377dc 100644 --- a/rules/windows/execution_pdf_written_file.toml +++ b/rules/windows/execution_pdf_written_file.toml @@ -1,7 +1,9 @@ [metadata] creation_date = "2020/09/02" maturity = "production" -updated_date = "2022/05/23" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2022/08/24" [rule] author = ["Elastic"] @@ -19,7 +21,7 @@ note = """## Triage and analysis ### Investigating Execution of File Written or Modified by PDF Reader -PDF is a common file type used in corporate environments and most machines have software to +PDF is a common file type used in corporate environments and most machines have software to handle these files. This creates a vector where attackers can exploit the engines and technology behind this class of software for initial access or privilege escalation. 
@@ -64,7 +66,7 @@ systems, and web services. - Remove and block malicious artifacts identified during triage. - Run a full scan using the antimalware tool in place. This scan can reveal additional artifacts left in the system, persistence mechanisms, and malware components. -- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - If the malicious file was delivered via phishing: - Block the email sender from sending future emails. - Block the malicious web pages. diff --git a/rules/windows/execution_posh_portable_executable.toml b/rules/windows/execution_posh_portable_executable.toml index b2018109329..0106950c77f 100644 --- a/rules/windows/execution_posh_portable_executable.toml +++ b/rules/windows/execution_posh_portable_executable.toml @@ -1,7 +1,9 @@ [metadata] creation_date = "2021/10/15" maturity = "production" -updated_date = "2022/05/09" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2022/08/24" [rule] author = ["Elastic"] diff --git a/rules/windows/execution_posh_psreflect.toml b/rules/windows/execution_posh_psreflect.toml index c40773fa259..5ce13c0f8ff 100644 --- a/rules/windows/execution_posh_psreflect.toml +++ b/rules/windows/execution_posh_psreflect.toml @@ -1,7 +1,9 @@ [metadata] creation_date = "2021/10/15" maturity = "production" -updated_date = "2022/05/09" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2022/08/24" [rule] author = ["Elastic"] diff --git a/rules/windows/execution_psexec_lateral_movement_command.toml b/rules/windows/execution_psexec_lateral_movement_command.toml index 7ec0e180886..d697c16895a 100644 --- a/rules/windows/execution_psexec_lateral_movement_command.toml 
+++ b/rules/windows/execution_psexec_lateral_movement_command.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/08/02"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_register_server_program_connecting_to_the_internet.toml b/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
index 1f586ed2bca..47e7f9988f7 100644
--- a/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
+++ b/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
@@ -1,9 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-min_stack_comments = "EQL optional fields syntax was not introduced until 7.16"
-min_stack_version = "7.16.0"
-updated_date = "2022/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_scheduled_task_powershell_source.toml b/rules/windows/execution_scheduled_task_powershell_source.toml
index eea8d7e2db9..5adbd0ecdea 100644
--- a/rules/windows/execution_scheduled_task_powershell_source.toml
+++ b/rules/windows/execution_scheduled_task_powershell_source.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/12/15"
 maturity = "production"
-updated_date = "2022/08/02"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_shared_modules_local_sxs_dll.toml b/rules/windows/execution_shared_modules_local_sxs_dll.toml
index 0e1e196bac5..eb0103d8aac 100644
--- a/rules/windows/execution_shared_modules_local_sxs_dll.toml
+++ b/rules/windows/execution_shared_modules_local_sxs_dll.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/10/28"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_suspicious_cmd_wmi.toml b/rules/windows/execution_suspicious_cmd_wmi.toml
index 1ccfb17e6f3..b884ac56217 100644
--- a/rules/windows/execution_suspicious_cmd_wmi.toml
+++ b/rules/windows/execution_suspicious_cmd_wmi.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/10/19"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml b/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml
index 8f636125939..8f6e3d5c11d 100644
--- a/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml
+++ b/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/17"
 maturity = "production"
-updated_date = "2022/08/02"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_suspicious_pdf_reader.toml b/rules/windows/execution_suspicious_pdf_reader.toml
index 2fb99c696bd..6e844710964 100644
--- a/rules/windows/execution_suspicious_pdf_reader.toml
+++ b/rules/windows/execution_suspicious_pdf_reader.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/03/30"
 maturity = "production"
-updated_date = "2022/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_suspicious_powershell_imgload.toml b/rules/windows/execution_suspicious_powershell_imgload.toml
index c543dd0a12b..2b0da73e860 100644
--- a/rules/windows/execution_suspicious_powershell_imgload.toml
+++ b/rules/windows/execution_suspicious_powershell_imgload.toml
@@ -1,9 +1,9 @@
 [metadata]
 creation_date = "2020/11/17"
 maturity = "production"
-min_stack_comments = "EQL regex syntax introduced in 7.12"
-min_stack_version = "7.12.0"
-updated_date = "2022/08/02"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_suspicious_psexesvc.toml b/rules/windows/execution_suspicious_psexesvc.toml
index 277f4556a53..a5b85e49db8 100644
--- a/rules/windows/execution_suspicious_psexesvc.toml
+++ b/rules/windows/execution_suspicious_psexesvc.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/08/14"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_via_compiled_html_file.toml b/rules/windows/execution_via_compiled_html_file.toml
index 9f5aa58613d..e03e57ce4cb 100644
--- a/rules/windows/execution_via_compiled_html_file.toml
+++ b/rules/windows/execution_via_compiled_html_file.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_via_hidden_shell_conhost.toml b/rules/windows/execution_via_hidden_shell_conhost.toml
index b3b3a3dde93..aaff7b9e9af 100644
--- a/rules/windows/execution_via_hidden_shell_conhost.toml
+++ b/rules/windows/execution_via_hidden_shell_conhost.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/08/17"
 maturity = "production"
-updated_date = "2022/08/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml b/rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml
index c10dc9be6f0..edfb9805121 100644
--- a/rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml
+++ b/rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/08/14"
 maturity = "production"
-updated_date = "2022/08/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/impact_backup_file_deletion.toml b/rules/windows/impact_backup_file_deletion.toml
index 07f355d3640..cc68269a126 100644
--- a/rules/windows/impact_backup_file_deletion.toml
+++ b/rules/windows/impact_backup_file_deletion.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/10/01"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml b/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml
index 78c8dd66cdd..bc4f2dbaedb 100644
--- a/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml
+++ b/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/impact_modification_of_boot_config.toml b/rules/windows/impact_modification_of_boot_config.toml
index 08bd6c26557..d5ec9209458 100644
--- a/rules/windows/impact_modification_of_boot_config.toml
+++ b/rules/windows/impact_modification_of_boot_config.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/03/16"
 maturity = "production"
-updated_date = "2022/07/29"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/impact_stop_process_service_threshold.toml b/rules/windows/impact_stop_process_service_threshold.toml
index 7ed6ca4d442..f4354064921 100644
--- a/rules/windows/impact_stop_process_service_threshold.toml
+++ b/rules/windows/impact_stop_process_service_threshold.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/12/03"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml b/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
index a049d324d0f..bb92b2428a1 100644
--- a/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
+++ b/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml b/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml
index 5aa7db9cf51..7c676d94e22 100644
--- a/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml
+++ b/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/07/19"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic", "Austin Songer"]
diff --git a/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml b/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml
index 9f6e33d6046..88ac96c3cd5 100644
--- a/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml
+++ b/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml b/rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml
index 89d55f8aec3..34fa1477cb1 100644
--- a/rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml
+++ b/rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2022/07/03"
 maturity = "production"
-updated_date = "2022/07/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/initial_access_script_executing_powershell.toml b/rules/windows/initial_access_script_executing_powershell.toml
index 8ad0c47c2ba..ffa8551cc96 100644
--- a/rules/windows/initial_access_script_executing_powershell.toml
+++ b/rules/windows/initial_access_script_executing_powershell.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/initial_access_scripts_process_started_via_wmi.toml b/rules/windows/initial_access_scripts_process_started_via_wmi.toml
index 636783ea43b..6c5c5f28156 100644
--- a/rules/windows/initial_access_scripts_process_started_via_wmi.toml
+++ b/rules/windows/initial_access_scripts_process_started_via_wmi.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/27"
 maturity = "production"
-updated_date = "2022/08/02"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/initial_access_suspicious_ms_exchange_files.toml b/rules/windows/initial_access_suspicious_ms_exchange_files.toml
index b97252ffabf..c100567b4d3 100644
--- a/rules/windows/initial_access_suspicious_ms_exchange_files.toml
+++ b/rules/windows/initial_access_suspicious_ms_exchange_files.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/03/04"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic", "Austin Songer"]
diff --git a/rules/windows/initial_access_suspicious_ms_exchange_process.toml b/rules/windows/initial_access_suspicious_ms_exchange_process.toml
index 170467c5bc6..6068ea9c0b0 100644
--- a/rules/windows/initial_access_suspicious_ms_exchange_process.toml
+++ b/rules/windows/initial_access_suspicious_ms_exchange_process.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/03/04"
 maturity = "production"
-updated_date = "2022/08/02"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic", "Austin Songer"]
diff --git a/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml b/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml
index 1fb11a8ec56..dc6994c27ac 100644
--- a/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml
+++ b/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/03/08"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/initial_access_suspicious_ms_office_child_process.toml b/rules/windows/initial_access_suspicious_ms_office_child_process.toml
index 8af826f0989..917415c9589 100644
--- a/rules/windows/initial_access_suspicious_ms_office_child_process.toml
+++ b/rules/windows/initial_access_suspicious_ms_office_child_process.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/07/05"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
@@ -64,7 +66,7 @@ systems, and web services.
 - Remove and block malicious artifacts identified during triage.
 - Run a full scan using the antimalware tool in place. This scan can reveal additional artifacts left in the system, persistence mechanisms, and malware components.
-- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
+- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - If the malicious file was delivered via phishing:
 - Block the email sender from sending future emails.
 - Block the malicious web pages.
diff --git a/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml b/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
index 397e53e29fd..b5a2b80bafe 100644
--- a/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
+++ b/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/07/05"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
@@ -61,7 +63,7 @@ systems, and web services.
 - Remove and block malicious artifacts identified during triage.
 - Run a full scan using the antimalware tool in place. This scan can reveal additional artifacts left in the system, persistence mechanisms, and malware components.
-- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
+- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - If the malicious file was delivered via phishing:
 - Block the email sender from sending future emails.
 - Block the malicious web pages.
diff --git a/rules/windows/initial_access_unusual_dns_service_children.toml b/rules/windows/initial_access_unusual_dns_service_children.toml
index ad9b101a045..0568e141684 100644
--- a/rules/windows/initial_access_unusual_dns_service_children.toml
+++ b/rules/windows/initial_access_unusual_dns_service_children.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/07/16"
 maturity = "production"
-updated_date = "2022/07/22"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
@@ -30,7 +32,7 @@ versions 2003 to 2019 and can be triggered by a malicious DNS response. Because
 privileges (SYSTEM), an attacker that successfully exploits it is granted Domain Administrator rights. This can effectively compromise the entire corporate infrastructure.

-This rule looks for unusual children of the `dns.exe` process, which can indicate the exploitation of the SIGRed or a
+This rule looks for unusual children of the `dns.exe` process, which can indicate the exploitation of the SIGRed or a
 similar remote code execution vulnerability in the DNS server.

 #### Possible investigation steps
diff --git a/rules/windows/initial_access_unusual_dns_service_file_writes.toml b/rules/windows/initial_access_unusual_dns_service_file_writes.toml
index 634aef78054..02884a3ac61 100644
--- a/rules/windows/initial_access_unusual_dns_service_file_writes.toml
+++ b/rules/windows/initial_access_unusual_dns_service_file_writes.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/07/16"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml b/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
index 9f62938589b..f315225dba3 100644
--- a/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
+++ b/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/10/29"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_cmd_service.toml b/rules/windows/lateral_movement_cmd_service.toml
index 5610adb230d..3b3e05b4a59 100644
--- a/rules/windows/lateral_movement_cmd_service.toml
+++ b/rules/windows/lateral_movement_cmd_service.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "production"
-updated_date = "2021/03/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_dcom_hta.toml b/rules/windows/lateral_movement_dcom_hta.toml
index 8b898b011d1..d8488e1d839 100644
--- a/rules/windows/lateral_movement_dcom_hta.toml
+++ b/rules/windows/lateral_movement_dcom_hta.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/03"
 maturity = "production"
-updated_date = "2022/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_dcom_mmc20.toml b/rules/windows/lateral_movement_dcom_mmc20.toml
index b8c2de134bd..2a3e1cd8fcd 100644
--- a/rules/windows/lateral_movement_dcom_mmc20.toml
+++ b/rules/windows/lateral_movement_dcom_mmc20.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/06"
 maturity = "production"
-updated_date = "2022/01/13"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml b/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml
index 7abcd80c5fa..214a92111e0 100644
--- a/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml
+++ b/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/06"
 maturity = "production"
-updated_date = "2022/01/13"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml b/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml
index cffda358a40..986d05289fd 100644
--- a/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml
+++ b/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/03/22"
 maturity = "production"
-updated_date = "2022/02/14"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_direct_outbound_smb_connection.toml b/rules/windows/lateral_movement_direct_outbound_smb_connection.toml
index 39a9850fe8c..dae96e8015a 100644
--- a/rules/windows/lateral_movement_direct_outbound_smb_connection.toml
+++ b/rules/windows/lateral_movement_direct_outbound_smb_connection.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/08/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_dns_server_overflow.toml b/rules/windows/lateral_movement_dns_server_overflow.toml
index f2b1052df46..162b8f4b1f8 100644
--- a/rules/windows/lateral_movement_dns_server_overflow.toml
+++ b/rules/windows/lateral_movement_dns_server_overflow.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/07/16"
 maturity = "production"
-updated_date = "2022/04/06"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
@@ -34,7 +36,7 @@ also known as [SigRed](https://www.elastic.co/blog/detection-rules-for-sigred-vu
 the source of the incoming traffic and determine if this activity has been observed previously within an environment.
 - Activity can be further investigated and validated by reviewing any associated Intrusion Detection Signatures (IDS) alerts.
 - Further examination can include a review of the `dns.question_type` network fieldset with a protocol analyzer, such as
-Zeek, Packetbeat, or Suricata, for `SIG` or `RRSIG` data.
+Zeek, Packetbeat, or Suricata, for `SIG` or `RRSIG` data.
 - Validate the patch level and OS of the targeted DNS server to validate the observed activity was not large-scale internet vulnerability scanning.
 - Validate that the source of the network activity was not from an authorized vulnerability scan or compromise assessment.
@@ -57,7 +59,7 @@ determine the source of the activity and potentially allowlist the source host.
 - Initiate the incident response process based on the outcome of the triage.
 - Ensure that you have deployed the latest Microsoft [Security Update](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350) (Monthly Rollup or Security Only) and restarted the patched machines. If unable to patch immediately, Microsoft [released](https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability)
-a registry-based workaround that doesn’t require a restart. This can be used as a temporary solution before the patch is applied.
+a registry-based workaround that doesn’t require a restart. This can be used as a temporary solution before the patch is applied.
 - Maintain backups of your critical systems to aid in quick recovery.
 - Perform routine vulnerability scans of your systems, monitor [CISA advisories](https://us-cert.cisa.gov/ncas/current-activity) and patch identified vulnerabilities.
 - If you observe a true positive, implement a remediation plan and monitor host-based artifacts for additional post-exploitation behavior.
diff --git a/rules/windows/lateral_movement_evasion_rdp_shadowing.toml b/rules/windows/lateral_movement_evasion_rdp_shadowing.toml
index e71d29e9436..e8f51e328cf 100644
--- a/rules/windows/lateral_movement_evasion_rdp_shadowing.toml
+++ b/rules/windows/lateral_movement_evasion_rdp_shadowing.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/04/12"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_executable_tool_transfer_smb.toml b/rules/windows/lateral_movement_executable_tool_transfer_smb.toml
index 7f643135fb6..440f51dc013 100644
--- a/rules/windows/lateral_movement_executable_tool_transfer_smb.toml
+++ b/rules/windows/lateral_movement_executable_tool_transfer_smb.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/10"
 maturity = "production"
-updated_date = "2022/05/23"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_execution_from_tsclient_mup.toml b/rules/windows/lateral_movement_execution_from_tsclient_mup.toml
index 275db00083c..c443b7b1f36 100644
--- a/rules/windows/lateral_movement_execution_from_tsclient_mup.toml
+++ b/rules/windows/lateral_movement_execution_from_tsclient_mup.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/11"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml b/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml
index af720899382..d2a93a2f206 100644
--- a/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml
+++ b/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/03"
 maturity = "production"
-updated_date = "2021/03/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml b/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml
index 9a45277bfc8..285d5470251 100644
--- a/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml
+++ b/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/24"
 maturity = "production"
-updated_date = "2022/01/13"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_incoming_wmi.toml b/rules/windows/lateral_movement_incoming_wmi.toml
index 8ec58a7467a..8373b7e8f53 100644
--- a/rules/windows/lateral_movement_incoming_wmi.toml
+++ b/rules/windows/lateral_movement_incoming_wmi.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/15"
 maturity = "production"
-updated_date = "2022/01/13"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
@@ -32,10 +34,10 @@ sequence by host.id with maxspan = 2s
 /* Excluding Common FPs Nessus and SCCM */
 [process where event.type in ("start", "process_started") and process.parent.name : "WmiPrvSE.exe" and
- not process.args : ("C:\\windows\\temp\\nessus_*.txt",
- "C:\\windows\\TEMP\\nessus_*.TMP",
- "C:\\Windows\\CCM\\SystemTemp\\*",
- "C:\\Windows\\CCMCache\\*",
+ not process.args : ("C:\\windows\\temp\\nessus_*.txt",
+ "C:\\windows\\TEMP\\nessus_*.TMP",
+ "C:\\Windows\\CCM\\SystemTemp\\*",
+ "C:\\Windows\\CCMCache\\*",
 "C:\\CCM\\Cache\\*")
 ]
 '''
diff --git a/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml b/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
index 27cb52548e3..8aebea11f5f 100644
--- a/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
+++ b/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/02"
 maturity = "production"
-updated_date = "2022/08/17"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_powershell_remoting_target.toml b/rules/windows/lateral_movement_powershell_remoting_target.toml
index dc983f7440c..7ca58f87238 100644
--- a/rules/windows/lateral_movement_powershell_remoting_target.toml
+++ b/rules/windows/lateral_movement_powershell_remoting_target.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/24"
 maturity = "production"
-updated_date = "2022/02/28"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_rdp_enabled_registry.toml b/rules/windows/lateral_movement_rdp_enabled_registry.toml
index 8aa1a6fe3b6..c98bd25bcf8 100644
--- a/rules/windows/lateral_movement_rdp_enabled_registry.toml
+++ b/rules/windows/lateral_movement_rdp_enabled_registry.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/25"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_rdp_sharprdp_target.toml b/rules/windows/lateral_movement_rdp_sharprdp_target.toml
index 93a7d6ca72c..873f5fdfaff 100644
--- a/rules/windows/lateral_movement_rdp_sharprdp_target.toml
+++ b/rules/windows/lateral_movement_rdp_sharprdp_target.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/11"
 maturity = "production"
-updated_date = "2022/02/14"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
@@ -28,18 +30,18 @@ query = '''
 /* Incoming RDP followed by a new RunMRU string value set to cmd, powershell, taskmgr or tsclient, followed by process execution within 1m */
 sequence by host.id with maxspan=1m
- [network where event.type == "start" and process.name : "svchost.exe" and destination.port == 3389 and
+ [network where event.type == "start" and process.name : "svchost.exe" and destination.port == 3389 and
 network.direction : ("incoming", "ingress") and network.transport == "tcp" and source.ip != "127.0.0.1" and source.ip != "::1"
 ]
- [registry where process.name : "explorer.exe" and
+ [registry where process.name : "explorer.exe" and
 registry.path : ("HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\*") and registry.data.strings : ("cmd.exe*", "powershell.exe*", "taskmgr*", "\\\\tsclient\\*.exe\\*")
 ]
-
+
 [process where event.type in ("start", "process_started") and
- (process.parent.name : ("cmd.exe", "powershell.exe", "taskmgr.exe") or process.args : ("\\\\tsclient\\*.exe")) and
+ (process.parent.name : ("cmd.exe", "powershell.exe", "taskmgr.exe") or process.args : ("\\\\tsclient\\*.exe")) and
 not process.name : "conhost.exe"
 ]
 '''
diff --git a/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml b/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml
index 33ce418dad1..7b3d39f6ad8 100644
--- a/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml
+++ b/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/04"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_remote_services.toml b/rules/windows/lateral_movement_remote_services.toml
index fde56d87dfc..073ea9e064f 100644
--- a/rules/windows/lateral_movement_remote_services.toml
+++ b/rules/windows/lateral_movement_remote_services.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/16"
 maturity = "production"
-updated_date = "2022/08/01"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
@@ -23,12 +25,12 @@ type = "eql" query = ''' sequence with maxspan=1s [network where process.name : "services.exe" and - network.direction : ("incoming", "ingress") and network.transport == "tcp" and + network.direction : ("incoming", "ingress") and network.transport == "tcp" and source.port >= 49152 and destination.port >= 49152 and source.ip != "127.0.0.1" and source.ip != "::1" ] by host.id, process.entity_id - [process where event.type in ("start", "process_started") and process.parent.name : "services.exe" and - not (process.name : "svchost.exe" and process.args : "tiledatamodelsvc") and + [process where event.type in ("start", "process_started") and process.parent.name : "services.exe" and + not (process.name : "svchost.exe" and process.args : "tiledatamodelsvc") and not (process.name : "msiexec.exe" and process.args : "/V") and not process.executable : ("?:\\Windows\\ADCR_Agent\\adcrsvc.exe",
diff --git a/rules/windows/lateral_movement_scheduled_task_target.toml b/rules/windows/lateral_movement_scheduled_task_target.toml
index 24fb688d0d2..7772d0ac9d0 100644
--- a/rules/windows/lateral_movement_scheduled_task_target.toml
+++ b/rules/windows/lateral_movement_scheduled_task_target.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/20"
 maturity = "production"
-updated_date = "2022/04/06"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
@@ -49,7 +51,7 @@ further understand the source of the activity and determine the intent based on - Remove scheduled task and any other related artifacts. - Review privileged account management and user account management settings. Consider implementing group policy object (GPO) policies to further restrict activity, or configuring settings that only allow administrators to create remote scheduled tasks. -""" +""" risk_score = 47 rule_id = "954ee7c8-5437-49ae-b2d6-2960883898e9" severity = "medium"
diff --git a/rules/windows/lateral_movement_service_control_spawned_script_int.toml b/rules/windows/lateral_movement_service_control_spawned_script_int.toml
index 2926e729fd8..1cd9e456311 100644
--- a/rules/windows/lateral_movement_service_control_spawned_script_int.toml
+++ b/rules/windows/lateral_movement_service_control_spawned_script_int.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml b/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml
index c83e5f1c09b..cdec153a09b 100644
--- a/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml
+++ b/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/19"
 maturity = "production"
-updated_date = "2022/08/02"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml b/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml
index 1515fcef4ee..98c55b9c54f 100644
--- a/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml
+++ b/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/10/19"
 maturity = "production"
-updated_date = "2022/08/02"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_ad_adminsdholder.toml b/rules/windows/persistence_ad_adminsdholder.toml
index e69db3deaee..fe2cbf83858 100644
--- a/rules/windows/persistence_ad_adminsdholder.toml
+++ b/rules/windows/persistence_ad_adminsdholder.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2022/01/31"
 maturity = "production"
-updated_date = "2022/04/13"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_adobe_hijack_persistence.toml b/rules/windows/persistence_adobe_hijack_persistence.toml
index afeb0fdc611..8f8ede5f303 100644
--- a/rules/windows/persistence_adobe_hijack_persistence.toml
+++ b/rules/windows/persistence_adobe_hijack_persistence.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_app_compat_shim.toml b/rules/windows/persistence_app_compat_shim.toml
index b2a649d7d53..87e6ea6e8c9 100644
--- a/rules/windows/persistence_app_compat_shim.toml
+++ b/rules/windows/persistence_app_compat_shim.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "production"
-updated_date = "2022/08/17"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_appcertdlls_registry.toml b/rules/windows/persistence_appcertdlls_registry.toml
index 3d848d39949..bd333a6fa49 100644
--- a/rules/windows/persistence_appcertdlls_registry.toml
+++ b/rules/windows/persistence_appcertdlls_registry.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/18"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_appinitdlls_registry.toml b/rules/windows/persistence_appinitdlls_registry.toml
index b2c73e2ac57..10bda16b9fc 100644
--- a/rules/windows/persistence_appinitdlls_registry.toml
+++ b/rules/windows/persistence_appinitdlls_registry.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/18"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_dontexpirepasswd_account.toml b/rules/windows/persistence_dontexpirepasswd_account.toml
index b3b0f594d49..0a552d3a984 100644
--- a/rules/windows/persistence_dontexpirepasswd_account.toml
+++ b/rules/windows/persistence_dontexpirepasswd_account.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2022/02/22"
 maturity = "production"
-updated_date = "2022/05/23"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_evasion_hidden_local_account_creation.toml b/rules/windows/persistence_evasion_hidden_local_account_creation.toml
index 3825fa432a7..8f364e80d7e 100644
--- a/rules/windows/persistence_evasion_hidden_local_account_creation.toml
+++ b/rules/windows/persistence_evasion_hidden_local_account_creation.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/12/18"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_evasion_registry_ifeo_injection.toml b/rules/windows/persistence_evasion_registry_ifeo_injection.toml
index 359ee3b4022..b322eb39119 100644
--- a/rules/windows/persistence_evasion_registry_ifeo_injection.toml
+++ b/rules/windows/persistence_evasion_registry_ifeo_injection.toml
@@ -1,9 +1,9 @@
 [metadata]
 creation_date = "2020/11/17"
 maturity = "production"
-updated_date = "2022/08/17"
-min_stack_comments = "EQL regex syntax introduced in 7.12"
-min_stack_version = "7.12.0"
+updated_date = "2022/08/24"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"

 [rule]
 author = ["Elastic"]
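Review bot: The rewritten `+min_stack_comments` line in persistence_evasion_registry_ifeo_injection.toml throws away the earlier rationale, `EQL regex syntax introduced in 7.12`, even though the rule's query in the next hunk still uses `regex~`; 8.3.0 subsumes 7.12.0 today, but if the 8.3.0 floor is ever lowered or re-derived, nothing in the file records that a second, independent floor exists. Keep both reasons in the one string, e.g. `min_stack_comments = "New fields added: required_fields, related_integrations, setup; EQL regex syntax introduced in 7.12"`. The same overwrite happens in persistence_local_scheduled_task_creation.toml (optional fields syntax, 7.16), persistence_registry_uncommon.toml and persistence_run_key_and_startup_broad.toml (timeline templates, 8.2+), and deserves the same treatment there. As a point of style, files that already had `min_stack_*` keys end up with `updated_date` above them while files that gain the keys write `min_stack_comments`, `min_stack_version`, `updated_date` in alphabetical order; a single key order across the rule set would make the next bulk update diff cleanly.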
@@ -28,9 +28,9 @@ type = "eql" query = ''' registry where length(registry.data.strings) > 0 and - registry.path : ("HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\*.exe\\Debugger", - "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\*\\Debugger", - "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\*\\MonitorProcess", + registry.path : ("HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\*.exe\\Debugger", + "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\*\\Debugger", + "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\*\\MonitorProcess", "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\*\\MonitorProcess") and /* add FPs here */ not registry.data.strings regex~ ("""C:\\Program Files( \(x86\))?\\ThinKiosk\\thinkiosk\.exe""", """.*\\PSAppDeployToolkit\\.*""")
diff --git a/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml b/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml
index 33756adcc8f..72fc0f11824 100644
--- a/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml
+++ b/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/03/15"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_gpo_schtask_service_creation.toml b/rules/windows/persistence_gpo_schtask_service_creation.toml
index 4ec2dfca6de..cb007feefd7 100644
--- a/rules/windows/persistence_gpo_schtask_service_creation.toml
+++ b/rules/windows/persistence_gpo_schtask_service_creation.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/08/13"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_local_scheduled_job_creation.toml b/rules/windows/persistence_local_scheduled_job_creation.toml
index 560c30f21de..44117c47709 100644
--- a/rules/windows/persistence_local_scheduled_job_creation.toml
+++ b/rules/windows/persistence_local_scheduled_job_creation.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/03/15"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_local_scheduled_task_creation.toml b/rules/windows/persistence_local_scheduled_task_creation.toml
index 3abb7cd7c5f..a167b976529 100644
--- a/rules/windows/persistence_local_scheduled_task_creation.toml
+++ b/rules/windows/persistence_local_scheduled_task_creation.toml
@@ -1,9 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-min_stack_comments = "EQL optional fields syntax was not introduced until 7.16"
-min_stack_version = "7.16.0"
-updated_date = "2022/04/04"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_local_scheduled_task_scripting.toml b/rules/windows/persistence_local_scheduled_task_scripting.toml
index c18d24c6fb0..e691e45ab75 100644
--- a/rules/windows/persistence_local_scheduled_task_scripting.toml
+++ b/rules/windows/persistence_local_scheduled_task_scripting.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/29"
 maturity = "production"
-updated_date = "2022/08/02"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_ms_office_addins_file.toml b/rules/windows/persistence_ms_office_addins_file.toml
index 1133fb27ca8..b05a57b6969 100644
--- a/rules/windows/persistence_ms_office_addins_file.toml
+++ b/rules/windows/persistence_ms_office_addins_file.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/10/16"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_ms_outlook_vba_template.toml b/rules/windows/persistence_ms_outlook_vba_template.toml
index 059c908b70f..d8b6f1cbdf2 100644
--- a/rules/windows/persistence_ms_outlook_vba_template.toml
+++ b/rules/windows/persistence_ms_outlook_vba_template.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/23"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml b/rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml
index 7711fd21528..7e53b4f100a 100644
--- a/rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml
+++ b/rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2022/01/27"
 maturity = "production"
-updated_date = "2022/04/13"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml b/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml
index 1db8061ae64..25dcc9f809f 100644
--- a/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml
+++ b/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/12/15"
 maturity = "production"
-updated_date = "2022/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_priv_escalation_via_accessibility_features.toml b/rules/windows/persistence_priv_escalation_via_accessibility_features.toml
index 0a055ef4c41..2d708937b46 100644
--- a/rules/windows/persistence_priv_escalation_via_accessibility_features.toml
+++ b/rules/windows/persistence_priv_escalation_via_accessibility_features.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_registry_uncommon.toml b/rules/windows/persistence_registry_uncommon.toml
index 9dcc445b97f..a88cd84cc6d 100644
--- a/rules/windows/persistence_registry_uncommon.toml
+++ b/rules/windows/persistence_registry_uncommon.toml
@@ -1,9 +1,9 @@
 [metadata]
 creation_date = "2020/11/18"
 maturity = "production"
-updated_date = "2022/03/31"
-min_stack_comments = "Comprehensive timeline templates only available in 8.2+"
-min_stack_version = "8.2"
+updated_date = "2022/08/24"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"

 [rule]
 author = ["Elastic"]
@@ -77,7 +77,7 @@ registry where "HKLM\\SYSTEM\\ControlSet*\\Control\\BootVerificationProgram\\ImagePath", "HKLM\\SYSTEM\\Setup\\CmdLine", "HKEY_USERS\\*\\Environment\\UserInitMprLogonScript") and - + not registry.data.strings : ("C:\\Windows\\system32\\userinit.exe", "cmd.exe", "C:\\Program Files (x86)\\*.exe", "C:\\Program Files\\*.exe") and not (process.name : "rundll32.exe" and registry.path : "*\\Software\\Microsoft\\Internet Explorer\\Extensions\\*\\Script") and
diff --git a/rules/windows/persistence_remote_password_reset.toml b/rules/windows/persistence_remote_password_reset.toml
index f09f1290c9f..bf91a0ed639 100644
--- a/rules/windows/persistence_remote_password_reset.toml
+++ b/rules/windows/persistence_remote_password_reset.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/10/18"
 maturity = "production"
-updated_date = "2022/08/02"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_run_key_and_startup_broad.toml b/rules/windows/persistence_run_key_and_startup_broad.toml
index 28051d02a1d..4b720ed9386 100644
--- a/rules/windows/persistence_run_key_and_startup_broad.toml
+++ b/rules/windows/persistence_run_key_and_startup_broad.toml
@@ -1,9 +1,9 @@
 [metadata]
 creation_date = "2020/11/18"
 maturity = "production"
-updated_date = "2022/03/31"
-min_stack_comments = "Comprehensive timeline templates only available in 8.2+"
-min_stack_version = "8.2"
+updated_date = "2022/08/24"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"

 [rule]
@@ -30,16 +30,16 @@ query = '''
 registry where registry.data.strings != null and
 registry.path : (
 /* Machine Hive */
- "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*",
- "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\*",
+ "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*",
+ "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\*",
 "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\*",
- "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\*",
- "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell\\*",
+ "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\*",
+ "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell\\*",
 /* Users Hive */
- "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*",
- "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\*",
+ "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*",
+ "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\*",
 "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\*",
- "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\*",
+ "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\*",
 "HKEY_USERS\\*\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell\\*"
 ) and
 /* add common legitimate changes without being too restrictive as this is one of the most abused AESPs */
diff --git a/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml b/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml
index 69a428737f6..7f1ef22d7e5 100644
--- a/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml
+++ b/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/19"
 maturity = "production"
-updated_date = "2021/03/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml b/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml
index 3d49f5d7760..fc12dcdcb12 100644
--- a/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml
+++ b/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2022/02/24"
 maturity = "production"
-updated_date = "2022/06/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_services_registry.toml b/rules/windows/persistence_services_registry.toml
index 06ecd712bcf..9a42da61fcb 100644
--- a/rules/windows/persistence_services_registry.toml
+++ b/rules/windows/persistence_services_registry.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/18"
 maturity = "production"
-updated_date = "2022/02/14"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml b/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
index a36c9a58431..e0b15ff8d55 100644
--- a/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
+++ b/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/18"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml b/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml
index 80e81892e4a..b6ebd0323b6 100644
--- a/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml
+++ b/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/29"
 maturity = "production"
-updated_date = "2022/08/17"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
@@ -71,7 +73,7 @@ malware components. - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -""" +""" risk_score = 47 rule_id = "2fba96c0-ade5-4bce-b92f-a5df2509da3f" severity = "medium"
@@ -82,15 +84,15 @@ query = ''' sequence by host.id, process.entity_id with maxspan=5s [process where event.type in ("start", "process_started") and process.code_signature.trusted == false and /* suspicious paths can be added here */ - process.executable : ("C:\\Users\\*.exe", - "C:\\ProgramData\\*.exe", - "C:\\Windows\\Temp\\*.exe", - "C:\\Windows\\Tasks\\*.exe", - "C:\\Intel\\*.exe", + process.executable : ("C:\\Users\\*.exe", + "C:\\ProgramData\\*.exe", + "C:\\Windows\\Temp\\*.exe", + "C:\\Windows\\Tasks\\*.exe", + "C:\\Intel\\*.exe", "C:\\PerfLogs\\*.exe") ] [file where event.type != "deletion" and user.domain != "NT AUTHORITY" and - file.path : ("C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*", + file.path : ("C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*", "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\*") ] '''
diff --git a/rules/windows/persistence_startup_folder_scripts.toml b/rules/windows/persistence_startup_folder_scripts.toml
index 4ca25716ead..93a1c1e758b 100644
--- a/rules/windows/persistence_startup_folder_scripts.toml
+++ b/rules/windows/persistence_startup_folder_scripts.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/18"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_suspicious_com_hijack_registry.toml b/rules/windows/persistence_suspicious_com_hijack_registry.toml
index 53ce2d3d094..c8b7ff074dc 100644
--- a/rules/windows/persistence_suspicious_com_hijack_registry.toml
+++ b/rules/windows/persistence_suspicious_com_hijack_registry.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/18"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml b/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml
index 18f8d8db489..d0f23ab06a7 100644
--- a/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml
+++ b/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/17"
 maturity = "production"
-updated_date = "2022/08/02"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_suspicious_scheduled_task_runtime.toml b/rules/windows/persistence_suspicious_scheduled_task_runtime.toml
index 7571849916d..10e4e202a80 100644
--- a/rules/windows/persistence_suspicious_scheduled_task_runtime.toml
+++ b/rules/windows/persistence_suspicious_scheduled_task_runtime.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/19"
 maturity = "production"
-updated_date = "2022/08/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_suspicious_service_created_registry.toml b/rules/windows/persistence_suspicious_service_created_registry.toml
index 9315c24f122..3867e795159 100644
--- a/rules/windows/persistence_suspicious_service_created_registry.toml
+++ b/rules/windows/persistence_suspicious_service_created_registry.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/23"
 maturity = "production"
-updated_date = "2022/02/14"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_system_shells_via_services.toml b/rules/windows/persistence_system_shells_via_services.toml
index f92ac6ca93a..9f6c2aa4ba6 100644
--- a/rules/windows/persistence_system_shells_via_services.toml
+++ b/rules/windows/persistence_system_shells_via_services.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_time_provider_mod.toml b/rules/windows/persistence_time_provider_mod.toml
index 09aa535f6ca..acf6d33305b 100644
--- a/rules/windows/persistence_time_provider_mod.toml
+++ b/rules/windows/persistence_time_provider_mod.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/01/19"
 maturity = "production"
-updated_date = "2022/02/28"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml b/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml
index a4d154837cd..120788fff66 100644
--- a/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml
+++ b/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/01/09"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic", "Skoetting"]
diff --git a/rules/windows/persistence_user_account_creation.toml b/rules/windows/persistence_user_account_creation.toml
index ea713ca4d0b..fe1d1338579 100644
--- a/rules/windows/persistence_user_account_creation.toml
+++ b/rules/windows/persistence_user_account_creation.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_user_account_creation_event_logs.toml b/rules/windows/persistence_user_account_creation_event_logs.toml
index 96c0218b40b..6dd4099780d 100644
--- a/rules/windows/persistence_user_account_creation_event_logs.toml
+++ b/rules/windows/persistence_user_account_creation_event_logs.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/04"
 maturity = "development"
-updated_date = "2022/04/13"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Skoetting"]
diff --git a/rules/windows/persistence_via_application_shimming.toml b/rules/windows/persistence_via_application_shimming.toml
index 355869f2736..ada05a00f9a 100644
--- a/rules/windows/persistence_via_application_shimming.toml
+++ b/rules/windows/persistence_via_application_shimming.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_via_bits_job_notify_command.toml b/rules/windows/persistence_via_bits_job_notify_command.toml
index 84f48f3f82e..fd414d53df5 100644
--- a/rules/windows/persistence_via_bits_job_notify_command.toml
+++ b/rules/windows/persistence_via_bits_job_notify_command.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/12/04"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_via_hidden_run_key_valuename.toml b/rules/windows/persistence_via_hidden_run_key_valuename.toml
index 60d217ff9d0..fe198357083 100644
--- a/rules/windows/persistence_via_hidden_run_key_valuename.toml
+++ b/rules/windows/persistence_via_hidden_run_key_valuename.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/15"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_via_lsa_security_support_provider_registry.toml b/rules/windows/persistence_via_lsa_security_support_provider_registry.toml
index 6ae20021702..115c37e1ba3 100644
--- a/rules/windows/persistence_via_lsa_security_support_provider_registry.toml
+++ b/rules/windows/persistence_via_lsa_security_support_provider_registry.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/18"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml b/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
index 6fc02c63764..5ac2cdb8a3d 100644
--- a/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
+++ b/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/08/17"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_via_update_orchestrator_service_hijack.toml b/rules/windows/persistence_via_update_orchestrator_service_hijack.toml
index dc0524bd662..e12d5088467 100644
--- a/rules/windows/persistence_via_update_orchestrator_service_hijack.toml
+++ b/rules/windows/persistence_via_update_orchestrator_service_hijack.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/08/17"
 maturity = "production"
-updated_date = "2022/08/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml b/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
index e4549f5bd51..bda788a0d39 100644
--- a/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
+++ b/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/12/04"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_via_wmi_stdregprov_run_services.toml b/rules/windows/persistence_via_wmi_stdregprov_run_services.toml
index 69663f8c90c..e17ef2cd67f 100644
--- a/rules/windows/persistence_via_wmi_stdregprov_run_services.toml
+++ b/rules/windows/persistence_via_wmi_stdregprov_run_services.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/03/15"
 maturity = "production"
-updated_date = "2022/02/14"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
@@ -23,7 +25,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-registry where
+registry where
 registry.data.strings != null and
 process.name : "WmiPrvSe.exe" and
 registry.path : (
 "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*",
@@ -37,18 +39,18 @@ registry where
 "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\*",
 "HKLM\\SYSTEM\\*ControlSet*\\Services\\*\\ServiceDLL",
 "HKLM\\SYSTEM\\*ControlSet*\\Services\\*\\ImagePath",
- "HKEY_USERS\\*\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell\\*",
- "HKEY_USERS\\*\\Environment\\UserInitMprLogonScript",
- "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Load",
- "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell",
- "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Shell",
- "HKEY_USERS\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Logoff\\Script",
- "HKEY_USERS\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Logon\\Script",
- "HKEY_USERS\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Shutdown\\Script",
- "HKEY_USERS\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Startup\\Script",
- "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Ctf\\LangBarAddin\\*\\FilePath",
- "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Internet Explorer\\Extensions\\*\\Exec",
- "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Internet Explorer\\Extensions\\*\\Script",
+ "HKEY_USERS\\*\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell\\*",
+ "HKEY_USERS\\*\\Environment\\UserInitMprLogonScript",
+ "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Load",
+ "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell",
+ "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Shell",
+ "HKEY_USERS\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Logoff\\Script",
+ "HKEY_USERS\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Logon\\Script",
+ "HKEY_USERS\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Shutdown\\Script",
+ "HKEY_USERS\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Startup\\Script",
+ "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Ctf\\LangBarAddin\\*\\FilePath",
+ "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Internet Explorer\\Extensions\\*\\Exec",
+ "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Internet Explorer\\Extensions\\*\\Script",
 "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Command Processor\\Autorun"
 )
 '''
diff --git a/rules/windows/persistence_webshell_detection.toml b/rules/windows/persistence_webshell_detection.toml
index f35db5c3212..77f61da2f3b 100644
--- a/rules/windows/persistence_webshell_detection.toml
+++ b/rules/windows/persistence_webshell_detection.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/08/24"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_disable_uac_registry.toml b/rules/windows/privilege_escalation_disable_uac_registry.toml
index cf600e0a3da..f487637afa9 100644
--- a/rules/windows/privilege_escalation_disable_uac_registry.toml
+++ b/rules/windows/privilege_escalation_disable_uac_registry.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/01/20"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_group_policy_iniscript.toml b/rules/windows/privilege_escalation_group_policy_iniscript.toml
index afbc05d7412..5ae6566bab6 100644
--- a/rules/windows/privilege_escalation_group_policy_iniscript.toml
+++ b/rules/windows/privilege_escalation_group_policy_iniscript.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/11/08"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_group_policy_privileged_groups.toml b/rules/windows/privilege_escalation_group_policy_privileged_groups.toml
index b56a7fcaf22..59d740fa1d9 100644
--- a/rules/windows/privilege_escalation_group_policy_privileged_groups.toml
+++ b/rules/windows/privilege_escalation_group_policy_privileged_groups.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/11/08"
 maturity = "production"
-updated_date = "2022/03/02"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_group_policy_scheduled_task.toml b/rules/windows/privilege_escalation_group_policy_scheduled_task.toml
index 82f314a47d3..3e7651f6d1c 100644
--- a/rules/windows/privilege_escalation_group_policy_scheduled_task.toml
+++ b/rules/windows/privilege_escalation_group_policy_scheduled_task.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/11/08"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_installertakeover.toml b/rules/windows/privilege_escalation_installertakeover.toml
index faeb8989ef6..d4f0f18036b 100644
--- a/rules/windows/privilege_escalation_installertakeover.toml
+++ b/rules/windows/privilege_escalation_installertakeover.toml
@@ -1,9 +1,9 @@
 [metadata]
 creation_date = "2021/11/25"
 maturity = "production"
-min_stack_comments = "EQL optional fields syntax was not introduced until 7.16"
-min_stack_version = "7.16.0"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_krbrelayup_service_creation.toml b/rules/windows/privilege_escalation_krbrelayup_service_creation.toml
index b2fbedc4d24..f944d9ee620 100644
--- a/rules/windows/privilege_escalation_krbrelayup_service_creation.toml
+++ b/rules/windows/privilege_escalation_krbrelayup_service_creation.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2022/04/27"
 maturity = "production"
-updated_date = "2022/04/27"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_lsa_auth_package.toml b/rules/windows/privilege_escalation_lsa_auth_package.toml
index 0d33aa97997..1f98312c78c 100644
--- a/rules/windows/privilege_escalation_lsa_auth_package.toml
+++ b/rules/windows/privilege_escalation_lsa_auth_package.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/01/21"
 maturity = "production"
-updated_date = "2022/02/14"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_named_pipe_impersonation.toml b/rules/windows/privilege_escalation_named_pipe_impersonation.toml
index 8ef1ebecc7c..cf7755f29ba 100644
--- a/rules/windows/privilege_escalation_named_pipe_impersonation.toml
+++ b/rules/windows/privilege_escalation_named_pipe_impersonation.toml
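Review bot: The rewritten `min_stack_comments` in the privilege_escalation_installertakeover.toml hunk discards the earlier constraint ("EQL optional fields syntax was not introduced until 7.16") instead of carrying it forward; the new 8.3.0 floor still satisfies it, but the file no longer records that the query itself has a hard 7.16 dependency, so a later maintainer relaxing the version for the new fields could drop below what the query needs. Keeping both reasons in the comment costs one line, e.g. `min_stack_comments = "New fields added: required_fields, related_integrations, setup; EQL optional fields syntax requires 7.16+"`. The same loss happens in the privilege_escalation_unusual_printspooler_childprocess.toml hunk further down, which replaces the identical 7.16 comment. If the repo's tooling validates the exact comment string, the appended clause may need to follow whatever format that tooling expects.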
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/23"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_persistence_phantom_dll.toml b/rules/windows/privilege_escalation_persistence_phantom_dll.toml
index 1d47d7423ed..bc8be58eeeb 100644
--- a/rules/windows/privilege_escalation_persistence_phantom_dll.toml
+++ b/rules/windows/privilege_escalation_persistence_phantom_dll.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/01/07"
 maturity = "production"
-updated_date = "2022/08/02"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml b/rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml
index bbc327c47e1..9b97e46ab80 100644
--- a/rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml
+++ b/rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/01/21"
 maturity = "production"
-updated_date = "2022/02/14"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml b/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml
index 2a73658996d..3f477aa0f2d 100644
--- a/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml
+++ b/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/26"
 maturity = "production"
-updated_date = "2022/02/14"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml b/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
index b444af272e8..316b360f0cf 100644
--- a/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
+++ b/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/08/14"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml b/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml
index 4952c61bdf0..3e0f3bc2dbe 100644
--- a/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml
+++ b/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/07/06"
 maturity = "production"
-updated_date = "2022/04/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml b/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml
index af56fb238eb..7989ea55e0b 100644
--- a/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml
+++ b/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/08/14"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_rogue_windir_environment_var.toml b/rules/windows/privilege_escalation_rogue_windir_environment_var.toml
index 791707ea03a..383a55656e3 100644
--- a/rules/windows/privilege_escalation_rogue_windir_environment_var.toml
+++ b/rules/windows/privilege_escalation_rogue_windir_environment_var.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/26"
 maturity = "production"
-updated_date = "2022/02/14"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
@@ -23,7 +25,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-registry where registry.path : ("HKEY_USERS\\*\\Environment\\windir", "HKEY_USERS\\*\\Environment\\systemroot") and
+registry where registry.path : ("HKEY_USERS\\*\\Environment\\windir", "HKEY_USERS\\*\\Environment\\systemroot") and
 not registry.data.strings : ("C:\\windows", "%SystemRoot%")
 '''
 
 
diff --git a/rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml b/rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml
index 8d32b434265..d3048f7ece7 100644
--- a/rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml
+++ b/rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/12/12"
 maturity = "production"
-updated_date = "2022/04/13"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_suspicious_dnshostname_update.toml b/rules/windows/privilege_escalation_suspicious_dnshostname_update.toml
index e773941b6f3..84142a0d951 100644
--- a/rules/windows/privilege_escalation_suspicious_dnshostname_update.toml
+++ b/rules/windows/privilege_escalation_suspicious_dnshostname_update.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2022/05/11"
 maturity = "production"
-updated_date = "2022/05/11"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml b/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml
index 70a509e6e30..8e93087784a 100644
--- a/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/10/28"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml b/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
index e02bb7e9625..43f649f51d4 100644
--- a/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/03"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml b/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
index d1dfe81dbeb..6c472be6084 100644
--- a/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/10/19"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml b/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
index ee62820a9f0..90515eff7d1 100644
--- a/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml b/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml
index 3dc01cfe071..5db14e8052a 100644
--- a/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/10/27"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
index e2bec86f947..301fdcbbf08 100644
--- a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/03/17"
 maturity = "production"
-updated_date = "2022/07/22"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
@@ -18,9 +20,9 @@ note = """## Triage and analysis
 
 ### Investigating Bypass UAC via Event Viewer
 
-Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels)
+Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels)
 to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.
-UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the
+UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the
 local administrators group and enter an administrator password when prompted.
 
 For more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).
diff --git a/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml b/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml
index 7ebe8c35ea4..a017669d412 100644
--- a/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/10/26"
 maturity = "production"
-updated_date = "2022/07/22"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
@@ -18,9 +20,9 @@ note = """## Triage and analysis
 
 ### Investigating UAC Bypass Attempt via Windows Directory Masquerading
 
-Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels)
+Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels)
 to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.
-UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the
+UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the
 local administrators group and enter an administrator password when prompted.
 
 For more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).
diff --git a/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml b/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
index 68ea244d1b7..7a1832eac75 100644
--- a/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/10/14"
 maturity = "production"
-updated_date = "2022/07/22"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
@@ -18,9 +20,9 @@ note = """## Triage and analysis
 
 ### Investigating UAC Bypass via Windows Firewall Snap-In Hijack
 
-Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels)
+Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels)
 to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.
-UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the
+UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the
 local administrators group and enter an administrator password when prompted.
 
 For more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).
diff --git a/rules/windows/privilege_escalation_uac_sdclt.toml b/rules/windows/privilege_escalation_uac_sdclt.toml
index bc9b37269fb..a872c120c9f 100644
--- a/rules/windows/privilege_escalation_uac_sdclt.toml
+++ b/rules/windows/privilege_escalation_uac_sdclt.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "development"
-updated_date = "2021/08/03"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
index ee4a4b19fd8..d6c7b8bcfdb 100644
--- a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
+++ b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/07/05"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml b/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml
index 5d80bc7104f..dede169417e 100644
--- a/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml
+++ b/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml
@@ -1,9 +1,9 @@
 [metadata]
 creation_date = "2021/07/06"
 maturity = "production"
-min_stack_comments = "EQL optional fields syntax was not introduced until 7.16"
-min_stack_version = "7.16.0"
-updated_date = "2022/04/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml b/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml
index b2bfcc6f007..5d37f47284c 100644
--- a/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml
+++ b/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/10/13"
 maturity = "production"
-updated_date = "2022/08/01"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_via_rogue_named_pipe.toml b/rules/windows/privilege_escalation_via_rogue_named_pipe.toml
index 03e0c4740a7..8791d7dc9c1 100644
--- a/rules/windows/privilege_escalation_via_rogue_named_pipe.toml
+++ b/rules/windows/privilege_escalation_via_rogue_named_pipe.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/10/13"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml b/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml
index 4f186739ddb..1c06a4cadfb 100644
--- a/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml
+++ b/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2022/02/07"
 maturity = "production"
-updated_date = "2022/02/07"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_wpad_exploitation.toml b/rules/windows/privilege_escalation_wpad_exploitation.toml
index 6d1ee32d2b5..cdbcb473ac7 100644
--- a/rules/windows/privilege_escalation_wpad_exploitation.toml
+++ b/rules/windows/privilege_escalation_wpad_exploitation.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "development"
-updated_date = "2021/10/13"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]