++
Samirbous committed Dec 18, 2024
1 parent 2d65d08 commit a9be33f
Showing 8 changed files with 8 additions and 8 deletions.
Expand Up @@ -24,7 +24,7 @@ max_signals = 10000
name = "Behavior - Detected - Elastic Defend"
note = """## Triage and analysis
### Investigating Elastic Defend Behavior Alerts
### Investigating Behavior Alerts
Malicious behavior protection is a foundational feature which can be used to protect against all manner of attacks on the endpoint. For example, it provides coverage against phishing such as malicious macros, many malware families based on their activities, privilege escalation attacks such as user account control bypasses (UAC), credential theft, and much more. It works by consuming an unfiltered feed of all events that are captured on the system (process, file, registry, network, dns, etc). These events are processed against a routinely updated set of rules written by Elastic threat experts. From there, malicious behaviors are identified and offending processes are terminated. The protection operates on the event stream asynchronously, but has been designed to be extremely efficient and typically requires just milliseconds (under standard load) to stop malicious activity.
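Review bot: the heading rewrite leaves this rule's naming inconsistent: the `name` line at the top of the hunk still reads "Behavior - Detected - Elastic Defend" while the triage heading drops the product name to "Investigating Behavior Alerts". If removing "Elastic Defend" from triage headings is an intentional convention, the commit message "++" should say so, since it currently gives reviewers no rationale to check the other seven files against; otherwise keep the heading aligned with the rule name.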
Expand Up @@ -24,7 +24,7 @@ max_signals = 10000
name = "Behavior - Prevented - Elastic Defend"
note = """## Triage and analysis
### Investigating Elastic Defend Behavior Alerts
### Investigating Behavior Alerts
Malicious behavior protection is a foundational feature which can be used to protect against all manner of attacks on the endpoint. For example, it provides coverage against phishing such as malicious macros, many malware families based on their activities, privilege escalation attacks such as user account control bypasses (UAC), credential theft, and much more. It works by consuming an unfiltered feed of all events that are captured on the system (process, file, registry, network, dns, etc). These events are processed against a routinely updated set of rules written by Elastic threat experts. From there, malicious behaviors are identified and offending processes are terminated. The protection operates on the event stream asynchronously, but has been designed to be extremely efficient and typically requires just milliseconds (under standard load) to stop malicious activity.
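Review bot: the note body below the renamed heading is duplicated verbatim between this "Prevented" rule and the "Detected" rule in the previous hunk, so the two will keep drifting apart unless every wording change is applied to both; a one-line mention in the commit message that the Detected/Prevented pairs were edited together would let reviewers verify that without diffing the files against each other.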
Expand Up @@ -24,7 +24,7 @@ max_signals = 10000
name = "Malicious File - Detected - Elastic Defend"
note = """## Triage and analysis
### Investigating Elastic Defend Malware Alerts
### Investigating Malware Alerts
Elastic Endpoint malware protection leverages a combination of supervised machine learning (ML) models (PE, MachO) and yara signatures. Our ML models are trained on hundreds of millions of executables and model updates are released approximately monthly. Our yara signatures are created with automated signature creation technologies built in-house along with hand-written rules by our threat researchers.
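Review bot: nit on the unchanged context line under the new heading: "yara signatures" appears twice in lower case, and the tool name is YARA. Since this commit already touches the note text of both malware rules, folding the capitalisation fix into the same change is cheap and keeps the two rules' notes identical.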
Expand Up @@ -24,7 +24,7 @@ max_signals = 10000
name = "Malicious File - Prevented - Elastic Defend"
note = """## Triage and analysis
### Investigating Elastic Defend Malware Alerts
### Investigating Malware Alerts
Elastic Endpoint malware protection leverages a combination of supervised machine learning (ML) models (PE, MachO) and yara signatures. Our ML models are trained on hundreds of millions of executables and model updates are released approximately monthly. Our yara signatures are created with automated signature creation technologies built in-house along with hand-written rules by our threat researchers.
Expand Up @@ -24,7 +24,7 @@ max_signals = 10000
name = "Memory Threat - Detected - Elastic Defend"
note = """## Triage and analysis
### Investigating Elastic Defend Memory Threat Alerts
### Investigating Memory Threat Alerts
Elastic Endpoint’s memory threat protection adds a layer of coverage for advanced attacks which avoid the traditional approach of writing payloads to disk. Instead, the malicious code runs only in-memory, an effective technique for evading legacy security products. There are currently two sub-categories of memory threat protection.
Expand Up @@ -24,7 +24,7 @@ max_signals = 10000
name = "Memory Threat - Prevented- Elastic Defend"
note = """## Triage and analysis
### Investigating Elastic Defend Memory Threat Alerts
### Investigating Memory Threat Alerts
Elastic Endpoint’s memory threat protection adds a layer of coverage for advanced attacks which avoid the traditional approach of writing payloads to disk. Instead, the malicious code runs only in-memory, an effective technique for evading legacy security products. There are currently two sub-categories of memory threat protection.
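Review bot: the `name` field in this hunk's leading context reads "Memory Threat - Prevented- Elastic Defend" with no space before the second hyphen, unlike every other rule in this commit ("Memory Threat - Detected - Elastic Defend", "Ransomware - Prevented - Elastic Defend"). Rule names surface in alert lists and in saved queries keyed on the exact string, so correcting it to "Memory Threat - Prevented - Elastic Defend" in the same commit is worth the extra line.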
Expand Up @@ -24,7 +24,7 @@ max_signals = 10000
name = "Ransomware - Detected - Elastic Defend"
note = """## Triage and analysis
### Investigating Elastic Defend Ransomware Alerts
### Investigating Ransomware Alerts
Ransomware protection adds a dedicated layer of detection and prevention against ransomware attacks. Our Ransomware protection consists of 3 subtypes: `behavioral`, `canary files`, and `MBR`. Our behavioral ransomware protection monitors the low level file system activity of all processes on the system to identify generic file encryption techniques. We include signals such as file header information, entropy calculations, known and suspicious extensions, and more to make verdicts. Canary files serve as a high confidence short-cut to other behavior techniques. Our endpoint places hidden files in select directories on the system and will trigger on any process attempting to tamper with the files. Finally, we protect the Master Boot Record (MBR) with our kernel minifilter driver to prevent this type of ransomware attack.
Expand Up @@ -24,7 +24,7 @@ max_signals = 10000
name = "Ransomware - Prevented - Elastic Defend"
note = """## Triage and analysis
### Investigating Elastic Defend Ransomware Alerts
### Investigating Ransomware Alerts
Ransomware protection adds a dedicated layer of detection and prevention against ransomware attacks. Our Ransomware protection consists of 3 subtypes: `behavioral`, `canary files`, and `MBR`. Our behavioral ransomware protection monitors the low level file system activity of all processes on the system to identify generic file encryption techniques. We include signals such as file header information, entropy calculations, known and suspicious extensions, and more to make verdicts. Canary files serve as a high confidence short-cut to other behavior techniques. Our endpoint places hidden files in select directories on the system and will trigger on any process attempting to tamper with the files. Finally, we protect the Master Boot Record (MBR) with our kernel minifilter driver to prevent this type of ransomware attack.