diff --git a/rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.toml b/rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.toml index a2c6958dfd4..655e09eeb41 100644 --- a/rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.toml +++ b/rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.toml @@ -24,7 +24,7 @@ max_signals = 10000 name = "Behavior - Detected - Elastic Defend" note = """## Triage and analysis -### Investigating Elastic Defend Behavior Alerts +### Investigating Behavior Alerts Malicious behavior protection is a foundational feature which can be used to protect against all manner of attacks on the endpoint. For example, it provides coverage against phishing such as malicious macros, many malware families based on their activities, privilege escalation attacks such as user account control bypasses (UAC), credential theft, and much more. It works by consuming an unfiltered feed of all events that are captured on the system (process, file, registry, network, dns, etc). These events are processed against a routinely updated set of rules written by Elastic threat experts. From there, malicious behaviors are identified and offending processes are terminated. The protection operates on the event stream asynchronously, but has been designed to be extremely efficient and typically requires just milliseconds (under standard load) to stop malicious activity. diff --git a/rules/integrations/endpoint/elastic_endpoint_security_behavior_prevented.toml b/rules/integrations/endpoint/elastic_endpoint_security_behavior_prevented.toml index 1e0722f914b..8af46da9997 100644 --- a/rules/integrations/endpoint/elastic_endpoint_security_behavior_prevented.toml +++ b/rules/integrations/endpoint/elastic_endpoint_security_behavior_prevented.toml 
@@ -24,7 +24,7 @@ max_signals = 10000 name = "Behavior - Prevented - Elastic Defend" note = """## Triage and analysis -### Investigating Elastic Defend Behavior Alerts +### Investigating Behavior Alerts Malicious behavior protection is a foundational feature which can be used to protect against all manner of attacks on the endpoint. For example, it provides coverage against phishing such as malicious macros, many malware families based on their activities, privilege escalation attacks such as user account control bypasses (UAC), credential theft, and much more. It works by consuming an unfiltered feed of all events that are captured on the system (process, file, registry, network, dns, etc). These events are processed against a routinely updated set of rules written by Elastic threat experts. From there, malicious behaviors are identified and offending processes are terminated. The protection operates on the event stream asynchronously, but has been designed to be extremely efficient and typically requires just milliseconds (under standard load) to stop malicious activity. diff --git a/rules/integrations/endpoint/elastic_endpoint_security_malicious_file_detected.toml b/rules/integrations/endpoint/elastic_endpoint_security_malicious_file_detected.toml index 0ec6ae24a5e..449214b199d 100644 --- a/rules/integrations/endpoint/elastic_endpoint_security_malicious_file_detected.toml +++ b/rules/integrations/endpoint/elastic_endpoint_security_malicious_file_detected.toml 
@@ -24,7 +24,7 @@ max_signals = 10000 name = "Malicious File - Detected - Elastic Defend" note = """## Triage and analysis -### Investigating Elastic Defend Malware Alerts +### Investigating Malware Alerts Elastic Endpoint malware protection leverages a combination of supervised machine learning (ML) models (PE, MachO) and yara signatures. Our ML models are trained on hundreds of millions of executables and model updates are released approximately monthly. Our yara signatures are created with automated signature creation technologies built in-house along with hand-written rules by our threat researchers. diff --git a/rules/integrations/endpoint/elastic_endpoint_security_malicious_file_prevented.toml b/rules/integrations/endpoint/elastic_endpoint_security_malicious_file_prevented.toml index 20332c27998..94c813c1e5e 100644 --- a/rules/integrations/endpoint/elastic_endpoint_security_malicious_file_prevented.toml +++ b/rules/integrations/endpoint/elastic_endpoint_security_malicious_file_prevented.toml @@ -24,7 +24,7 @@ max_signals = 10000 name = "Malicious File - Prevented - Elastic Defend" note = """## Triage and analysis -### Investigating Elastic Defend Malware Alerts +### Investigating Malware Alerts Elastic Endpoint malware protection leverages a combination of supervised machine learning (ML) models (PE, MachO) and yara signatures. Our ML models are trained on hundreds of millions of executables and model updates are released approximately monthly. Our yara signatures are created with automated signature creation technologies built in-house along with hand-written rules by our threat researchers. diff --git a/rules/integrations/endpoint/elastic_endpoint_security_memory_signature_detected.toml b/rules/integrations/endpoint/elastic_endpoint_security_memory_signature_detected.toml index b0baf3094d9..9716115e810 100644 --- a/rules/integrations/endpoint/elastic_endpoint_security_memory_signature_detected.toml 
+++ b/rules/integrations/endpoint/elastic_endpoint_security_memory_signature_detected.toml @@ -24,7 +24,7 @@ max_signals = 10000 name = "Memory Threat - Detected - Elastic Defend" note = """## Triage and analysis -### Investigating Elastic Defend Memory Threat Alerts +### Investigating Memory Threat Alerts Elastic Endpoint’s memory threat protection adds a layer of coverage for advanced attacks which avoid the traditional approach of writing payloads to disk. Instead, the malicious code runs only in-memory, an effective technique for evading legacy security products. There are currently two sub-categories of memory threat protection. diff --git a/rules/integrations/endpoint/elastic_endpoint_security_memory_signature_prevented.toml b/rules/integrations/endpoint/elastic_endpoint_security_memory_signature_prevented.toml index 640215afcc8..15b8a013da5 100644 --- a/rules/integrations/endpoint/elastic_endpoint_security_memory_signature_prevented.toml +++ b/rules/integrations/endpoint/elastic_endpoint_security_memory_signature_prevented.toml @@ -24,7 +24,7 @@ max_signals = 10000 name = "Memory Threat - Prevented- Elastic Defend" note = """## Triage and analysis -### Investigating Elastic Defend Memory Threat Alerts +### Investigating Memory Threat Alerts Elastic Endpoint’s memory threat protection adds a layer of coverage for advanced attacks which avoid the traditional approach of writing payloads to disk. Instead, the malicious code runs only in-memory, an effective technique for evading legacy security products. There are currently two sub-categories of memory threat protection. diff --git a/rules/integrations/endpoint/elastic_endpoint_security_ransomware_detected.toml b/rules/integrations/endpoint/elastic_endpoint_security_ransomware_detected.toml index 555321f3295..c1dedd7cc21 100644 --- a/rules/integrations/endpoint/elastic_endpoint_security_ransomware_detected.toml +++ b/rules/integrations/endpoint/elastic_endpoint_security_ransomware_detected.toml 
@@ -24,7 +24,7 @@ max_signals = 10000 name = "Ransomware - Detected - Elastic Defend" note = """## Triage and analysis -### Investigating Elastic Defend Ransomware Alerts +### Investigating Ransomware Alerts Ransomware protection adds a dedicated layer of detection and prevention against ransomware attacks. Our Ransomware protection consists of 3 subtypes: `behavioral`, `canary files`, and `MBR`. Our behavioral ransomware protection monitors the low level file system activity of all processes on the system to identify generic file encryption techniques. We include signals such as file header information, entropy calculations, known and suspicious extensions, and more to make verdicts. Canary files serve as a high confidence short-cut to other behavior techniques. Our endpoint places hidden files in select directories on the system and will trigger on any process attempting to tamper with the files. Finally, we protect the Master Boot Record (MBR) with our kernel minifilter driver to prevent this type of ransomware attack. diff --git a/rules/integrations/endpoint/elastic_endpoint_security_ransomware_prevented.toml b/rules/integrations/endpoint/elastic_endpoint_security_ransomware_prevented.toml index 6edfaed4791..6783527e5bb 100644 --- a/rules/integrations/endpoint/elastic_endpoint_security_ransomware_prevented.toml +++ b/rules/integrations/endpoint/elastic_endpoint_security_ransomware_prevented.toml 
@@ -24,7 +24,7 @@ max_signals = 10000 name = "Ransomware - Prevented - Elastic Defend" note = """## Triage and analysis -### Investigating Elastic Defend Ransomware Alerts +### Investigating Ransomware Alerts Ransomware protection adds a dedicated layer of detection and prevention against ransomware attacks. Our Ransomware protection consists of 3 subtypes: `behavioral`, `canary files`, and `MBR`. Our behavioral ransomware protection monitors the low level file system activity of all processes on the system to identify generic file encryption techniques. We include signals such as file header information, entropy calculations, known and suspicious extensions, and more to make verdicts. Canary files serve as a high confidence short-cut to other behavior techniques. Our endpoint places hidden files in select directories on the system and will trigger on any process attempting to tamper with the files. Finally, we protect the Master Boot Record (MBR) with our kernel minifilter driver to prevent this type of ransomware attack.
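Review bot: in the `elastic_endpoint_security_behavior_detected.toml` hunk the context line keeps "privilege escalation attacks such as user account control bypasses (UAC)", where the acronym is attached to "bypasses" rather than to the term it abbreviates; since the note block is already being edited here, "privilege escalation attacks such as User Account Control (UAC) bypasses" would read correctly, and the lowercase "dns" in the event list could become "DNS" in the same pass.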
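Review bot: the `elastic_endpoint_security_malicious_file_detected.toml` hunk retitles the section to "### Investigating Malware Alerts" but the very next context line still opens with "Elastic Endpoint malware protection leverages ..."; if the goal of dropping "Elastic Defend" from the headings is naming consistency, the body should settle on one product name too (the `name` field on the same hunk uses "Elastic Defend"). The same line also writes "yara signatures" twice; YARA is an acronym and is normally capitalised.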
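Review bot: the hunk for `elastic_endpoint_security_memory_signature_prevented.toml` shows the context line `name = "Memory Threat - Prevented- Elastic Defend"`, which is missing the space before the second dash and is the only one of the eight rule names in this patch with that spacing; a PR that is purely cosmetic retitling is the right place to fix it to `name = "Memory Threat - Prevented - Elastic Defend"`, so the rule name sorts and displays consistently with its "Detected" sibling.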
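Review bot: in the `elastic_endpoint_security_ransomware_detected.toml` and `elastic_endpoint_security_ransomware_prevented.toml` hunks the unchanged description mixes "3 subtypes" (digit) with prose elsewhere spelled out, and uses "low level file system activity" and "short-cut", which would normally be "low-level file system activity" and "shortcut"; since the two notes are kept byte-for-byte identical, any wording fix should be applied to both files in the same change so the detected/prevented pair stay in sync.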