Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Security Rules] Update security rules package to v8.13.1-beta.1 #9284

Merged
merged 2 commits into from Mar 6, 2024
Merged

[Security Rules] Update security rules package to v8.13.1-beta.1 #9284

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
174e80c
[Security Rules] Update security rules package to v8.13.1-beta.1
protectionsmachine Mar 6, 2024
3d1a58a
Add changelog entry for 8.13.1-beta.1
protectionsmachine Mar 6, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
5 changes: 5 additions & 0 deletions packages/security_detection_engine/changelog.yml
View file
Open in desktop
@@ -1,5 +1,10 @@
# newer versions go on top
# NOTE: please use pre-release versions (e.g. -beta.0) until a package is ready for production
- version: 8.13.1-beta.1
changes:
- description: Release security rules update
type: enhancement
link: https://github.com/elastic/integrations/pull/9284
- version: 8.12.5
changes:
- description: Release security rules update
Expand Down
90 changes: 90 additions & 0 deletions ...urity_detection_engine/kibana/security_rule/0136b315-b566-482f-866c-1d8e2477ba16_103.json
View file
Open in desktop
@@ -0,0 +1,90 @@
{
"attributes": {
"author": [
"Austin Songer"
],
"description": "Identifies when a user has been restricted from sending email due to exceeding sending limits of the service policies per the Security Compliance Center.",
"false_positives": [
"A user sending emails using personal distribution folders may trigger the event."
],
"from": "now-30m",
"index": [
"filebeat-*",
"logs-o365*"
],
"language": "kuery",
"license": "Elastic License v2",
"name": "Microsoft 365 User Restricted from Sending Email",
"note": "",
"query": "event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:\"User restricted from sending email\" and event.outcome:success\n",
"references": [
"https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
"https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference"
],
"related_integrations": [
{
"package": "o365",
"version": "^2.0.0"
}
],
"required_fields": [
{
"ecs": true,
"name": "event.action",
"type": "keyword"
},
{
"ecs": true,
"name": "event.category",
"type": "keyword"
},
{
"ecs": true,
"name": "event.dataset",
"type": "keyword"
},
{
"ecs": true,
"name": "event.outcome",
"type": "keyword"
},
{
"ecs": true,
"name": "event.provider",
"type": "keyword"
}
],
"risk_score": 47,
"rule_id": "0136b315-b566-482f-866c-1d8e2477ba16",
"setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
"severity": "medium",
"tags": [
"Domain: Cloud",
"Data Source: Microsoft 365",
"Use Case: Configuration Audit",
"Tactic: Initial Access"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0001",
"name": "Initial Access",
"reference": "https://attack.mitre.org/tactics/TA0001/"
},
"technique": [
{
"id": "T1078",
"name": "Valid Accounts",
"reference": "https://attack.mitre.org/techniques/T1078/"
}
]
}
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 103
},
"id": "0136b315-b566-482f-866c-1d8e2477ba16_103",
"type": "security-rule"
}
89 changes: 89 additions & 0 deletions ...urity_detection_engine/kibana/security_rule/03024bd9-d23f-4ec1-8674-3cf1a21e130b_103.json
View file
Open in desktop
@@ -0,0 +1,89 @@
{
"attributes": {
"author": [
"Elastic"
],
"description": "Identifies when a safe attachment rule is disabled in Microsoft 365. Safe attachment rules can extend malware protections to include routing all messages and attachments without a known malware signature to a special hypervisor environment. An adversary or insider threat may disable a safe attachment rule to exfiltrate data or evade defenses.",
"false_positives": [
"A safe attachment rule may be disabled by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
],
"from": "now-30m",
"index": [
"filebeat-*",
"logs-o365*"
],
"language": "kuery",
"license": "Elastic License v2",
"name": "Microsoft 365 Exchange Safe Attachment Rule Disabled",
"note": "",
"query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Disable-SafeAttachmentRule\" and event.outcome:success\n",
"references": [
"https://docs.microsoft.com/en-us/powershell/module/exchange/disable-safeattachmentrule?view=exchange-ps"
],
"related_integrations": [
{
"package": "o365",
"version": "^2.0.0"
}
],
"required_fields": [
{
"ecs": true,
"name": "event.action",
"type": "keyword"
},
{
"ecs": true,
"name": "event.category",
"type": "keyword"
},
{
"ecs": true,
"name": "event.dataset",
"type": "keyword"
},
{
"ecs": true,
"name": "event.outcome",
"type": "keyword"
},
{
"ecs": true,
"name": "event.provider",
"type": "keyword"
}
],
"risk_score": 21,
"rule_id": "03024bd9-d23f-4ec1-8674-3cf1a21e130b",
"setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
"severity": "low",
"tags": [
"Domain: Cloud",
"Data Source: Microsoft 365",
"Use Case: Configuration Audit",
"Tactic: Defense Evasion"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0005",
"name": "Defense Evasion",
"reference": "https://attack.mitre.org/tactics/TA0005/"
},
"technique": [
{
"id": "T1562",
"name": "Impair Defenses",
"reference": "https://attack.mitre.org/techniques/T1562/"
}
]
}
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 103
},
"id": "03024bd9-d23f-4ec1-8674-3cf1a21e130b_103",
"type": "security-rule"
}
100 changes: 100 additions & 0 deletions ...ecurity_detection_engine/kibana/security_rule/054db96b-fd34-43b3-9af2-587b3bd33964_3.json
View file
Open in desktop
@@ -0,0 +1,100 @@
{
"attributes": {
"author": [
"Elastic"
],
"description": "Monitors for the creation of rule files that are used by systemd-udevd to manage device nodes and handle kernel device events in the Linux operating system. Systemd-udevd can be exploited for persistence by adversaries by creating malicious udev rules that trigger on specific events, executing arbitrary commands or payloads whenever a certain device is plugged in or recognized by the system.",
"from": "now-9m",
"history_window_start": "now-14d",
"index": [
"logs-endpoint.events.*",
"endgame-*"
],
"language": "kuery",
"license": "Elastic License v2",
"name": "Potential Persistence Through Systemd-udevd",
"new_terms_fields": [
"host.id",
"process.executable",
"file.path"
],
"query": "host.os.type:\"linux\" and event.category:\"file\" and\nevent.type:(\"change\" or \"file_modify_event\" or \"creation\" or \"file_create_event\") and\nfile.path:/lib/udev/* and process.executable:* and not (\n process.name:(\"dockerd\" or \"docker\" or \"dpkg\" or \"dnf\" or \"dnf-automatic\" or \"yum\" or \"rpm\" or \"systemd-hwdb\" or\n \"podman\" or \"buildah\") or file.extension : (\"swp\" or \"swpx\")\n)\n",
"related_integrations": [
{
"package": "endpoint",
"version": "^8.2.0"
}
],
"required_fields": [
{
"ecs": true,
"name": "event.category",
"type": "keyword"
},
{
"ecs": true,
"name": "event.type",
"type": "keyword"
},
{
"ecs": true,
"name": "file.extension",
"type": "keyword"
},
{
"ecs": true,
"name": "file.path",
"type": "keyword"
},
{
"ecs": true,
"name": "host.os.type",
"type": "keyword"
},
{
"ecs": true,
"name": "process.executable",
"type": "keyword"
},
{
"ecs": true,
"name": "process.name",
"type": "keyword"
}
],
"risk_score": 21,
"rule_id": "054db96b-fd34-43b3-9af2-587b3bd33964",
"setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n",
"severity": "low",
"tags": [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Persistence",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0003",
"name": "Persistence",
"reference": "https://attack.mitre.org/tactics/TA0003/"
},
"technique": [
{
"id": "T1037",
"name": "Boot or Logon Initialization Scripts",
"reference": "https://attack.mitre.org/techniques/T1037/"
}
]
}
],
"timestamp_override": "event.ingested",
"type": "new_terms",
"version": 3
},
"id": "054db96b-fd34-43b3-9af2-587b3bd33964_3",
"type": "security-rule"
}
99 changes: 99 additions & 0 deletions ...ecurity_detection_engine/kibana/security_rule/05cad2fb-200c-407f-b472-02ea8c9e5e4a_3.json
View file
Open in desktop
@@ -0,0 +1,99 @@
{
"attributes": {
"author": [
"Elastic"
],
"description": "This rule monitors the syslog log file for messages related to instances of a tainted kernel module load. Rootkits often leverage kernel modules as their main defense evasion technique. Detecting tainted kernel module loads is crucial for ensuring system security and integrity, as malicious or unauthorized modules can compromise the kernel and lead to system vulnerabilities or unauthorized access.",
"from": "now-9m",
"index": [
"logs-system.syslog-*"
],
"language": "kuery",
"license": "Elastic License v2",
"name": "Tainted Kernel Module Load",
"query": "host.os.type:linux and event.dataset:\"system.syslog\" and process.name:kernel and \nmessage:\"module verification failed: signature and/or required key missing - tainting kernel\"\n",
"related_integrations": [
{
"package": "system",
"version": "^1.6.4"
}
],
"required_fields": [
{
"ecs": true,
"name": "event.dataset",
"type": "keyword"
},
{
"ecs": true,
"name": "host.os.type",
"type": "keyword"
},
{
"ecs": true,
"name": "message",
"type": "match_only_text"
},
{
"ecs": true,
"name": "process.name",
"type": "keyword"
}
],
"risk_score": 21,
"rule_id": "05cad2fb-200c-407f-b472-02ea8c9e5e4a",
"setup": "\nThis rule requires data coming in from one of the following integrations:\n- Filebeat\n\n### Filebeat Setup\nFilebeat is a lightweight shipper for forwarding and centralizing log data. Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them either to Elasticsearch or Logstash for indexing.\n\n#### The following steps should be executed in order to add the Filebeat for the Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setup-repositories.html).\n- To run Filebeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html).\n- To run Filebeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-kubernetes.html).\n- For quick start information for Filebeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/8.11/filebeat-installation-configuration.html).\n- For complete Setup and Run Filebeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html).\n\n#### Rule Specific Setup Note\n- This rule requires the Filebeat System Module to be enabled.\n- The system module collects and parses logs created by the system logging service of common Unix/Linux based distributions.\n- To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html).\n\n",
"severity": "low",
"tags": [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Persistence",
"Tactic: Defense Evasion"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0003",
"name": "Persistence",
"reference": "https://attack.mitre.org/tactics/TA0003/"
},
"technique": [
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"reference": "https://attack.mitre.org/techniques/T1547/",
"subtechnique": [
{
"id": "T1547.006",
"name": "Kernel Modules and Extensions",
"reference": "https://attack.mitre.org/techniques/T1547/006/"
}
]
}
]
},
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0005",
"name": "Defense Evasion",
"reference": "https://attack.mitre.org/tactics/TA0005/"
},
"technique": [
{
"id": "T1014",
"name": "Rootkit",
"reference": "https://attack.mitre.org/techniques/T1014/"
}
]
}
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 3
},
"id": "05cad2fb-200c-407f-b472-02ea8c9e5e4a_3",
"type": "security-rule"
}