From c5774265101d77796285bb50bab22771261a0ca4 Mon Sep 17 00:00:00 2001 From: Seth Goodwin <58222969+seth-goodwin@users.noreply.github.com> Date: Wed, 8 Jul 2020 05:56:17 -0700 Subject: [PATCH] Update Lookback Interval for AWS Rules --- rules/aws/collection_cloudtrail_logging_created.toml | 4 ++-- rules/aws/credential_access_iam_user_addition_to_group.toml | 4 ++-- rules/aws/defense_evasion_cloudtrail_logging_deleted.toml | 4 ++-- rules/aws/defense_evasion_cloudtrail_logging_suspended.toml | 4 ++-- rules/aws/defense_evasion_cloudwatch_alarm_deletion.toml | 4 ++-- rules/aws/defense_evasion_configuration_recorder_stopped.toml | 4 ++-- rules/aws/defense_evasion_ec2_flow_log_deletion.toml | 4 ++-- rules/aws/defense_evasion_ec2_network_acl_deletion.toml | 4 ++-- rules/aws/defense_evasion_guardduty_detector_deletion.toml | 4 ++-- .../aws/defense_evasion_s3_bucket_configuration_deletion.toml | 4 ++-- rules/aws/defense_evasion_waf_acl_deletion.toml | 4 ++-- rules/aws/exfiltration_ec2_snapshot_change_activity.toml | 4 ++-- rules/aws/impact_cloudtrail_logging_updated.toml | 4 ++-- rules/aws/impact_cloudwatch_log_group_deletion.toml | 4 ++-- rules/aws/impact_cloudwatch_log_stream_deletion.toml | 4 ++-- rules/aws/impact_ec2_disable_ebs_encryption.toml | 4 ++-- rules/aws/impact_iam_deactivate_mfa_device.toml | 4 ++-- rules/aws/impact_iam_group_deletion.toml | 4 ++-- rules/aws/impact_rds_cluster_deletion.toml | 4 ++-- rules/aws/impact_rds_instance_cluster_stoppage.toml | 4 ++-- rules/aws/initial_access_console_login_root.toml | 4 ++-- rules/aws/initial_access_password_recovery.toml | 4 ++-- rules/aws/persistence_ec2_network_acl_creation.toml | 4 ++-- rules/aws/persistence_iam_group_creation.toml | 4 ++-- rules/aws/persistence_rds_cluster_creation.toml | 4 ++-- rules/aws/privilege_escalation_root_login_without_mfa.toml | 2 +- rules/aws/privilege_escalation_updateassumerolepolicy.toml | 4 ++-- 27 files changed, 53 insertions(+), 53 deletions(-) 
diff --git a/rules/aws/collection_cloudtrail_logging_created.toml b/rules/aws/collection_cloudtrail_logging_created.toml
index 0d5b080701f..f925ec4d504 100644
--- a/rules/aws/collection_cloudtrail_logging_created.toml
+++ b/rules/aws/collection_cloudtrail_logging_created.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/10"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/10"
+updated_date = "2020/07/07"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ false_positives = [
 be investigated. If known behavior is causing false positives, it can be exempted from the rule.
 """,
 ]
-from = "now-20m"
+from = "now-60m"
 index = ["filebeat-*"]
 interval = "10m"
 language = "kuery"
diff --git a/rules/aws/credential_access_iam_user_addition_to_group.toml b/rules/aws/credential_access_iam_user_addition_to_group.toml
index 2f03a2c47b9..bbdedd3186b 100644
--- a/rules/aws/credential_access_iam_user_addition_to_group.toml
+++ b/rules/aws/credential_access_iam_user_addition_to_group.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/04"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/04"
+updated_date = "2020/07/07"
 
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@ false_positives = [
 rule.
 """,
 ]
-from = "now-20m"
+from = "now-60m"
 index = ["filebeat-*"]
 interval = "10m"
 language = "kuery"
diff --git a/rules/aws/defense_evasion_cloudtrail_logging_deleted.toml b/rules/aws/defense_evasion_cloudtrail_logging_deleted.toml
index d43d5752153..f295acd48af 100644
--- a/rules/aws/defense_evasion_cloudtrail_logging_deleted.toml
+++ b/rules/aws/defense_evasion_cloudtrail_logging_deleted.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/26"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/05/26"
+updated_date = "2020/07/07"
 
 [rule]
 author = ["Elastic"]
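Review bot: The new `from = "now-60m"` sits three lines above an unchanged `interval = "10m"`, so every run now re-queries roughly six intervals of data and nothing in the file records why, which invites a later cleanup back to a tight window. A comment above the key would pin the intent, e.g. `# Lookback is deliberately wider than interval: CloudTrail events reach the index minutes after the API call, so a short window silently misses late-arriving events.` The real lag depends on the CloudTrail-to-S3 delivery and the Filebeat polling path in a given deployment, so 60m reads as a conservative bound rather than a measured one, and that is worth stating too. If the detection engine does not deduplicate signals across overlapping runs, the six-fold overlap would also repeat alerts; presumably it does, but confirm before shipping. The same two-line change is repeated in all 27 files of this patch, so whichever comment is chosen belongs in each of them.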
@@ -14,7 +14,7 @@ false_positives = [
 be investigated. If known behavior is causing false positives, it can be exempted from the rule.
 """,
 ]
-from = "now-20m"
+from = "now-60m"
 index = ["filebeat-*"]
 interval = "10m"
 language = "kuery"
diff --git a/rules/aws/defense_evasion_cloudtrail_logging_suspended.toml b/rules/aws/defense_evasion_cloudtrail_logging_suspended.toml
index 41dccb57104..29c7c524a26 100644
--- a/rules/aws/defense_evasion_cloudtrail_logging_suspended.toml
+++ b/rules/aws/defense_evasion_cloudtrail_logging_suspended.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/10"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/10"
+updated_date = "2020/07/07"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
 from the rule.
 """,
 ]
-from = "now-20m"
+from = "now-60m"
 index = ["filebeat-*"]
 interval = "10m"
 language = "kuery"
diff --git a/rules/aws/defense_evasion_cloudwatch_alarm_deletion.toml b/rules/aws/defense_evasion_cloudwatch_alarm_deletion.toml
index 3b207af2598..4a947f07e01 100644
--- a/rules/aws/defense_evasion_cloudwatch_alarm_deletion.toml
+++ b/rules/aws/defense_evasion_cloudwatch_alarm_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/15"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/15"
+updated_date = "2020/07/07"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ false_positives = [
 can be exempted from the rule.
 """,
 ]
-from = "now-20m"
+from = "now-60m"
 index = ["filebeat-*"]
 interval = "10m"
 language = "kuery"
diff --git a/rules/aws/defense_evasion_configuration_recorder_stopped.toml b/rules/aws/defense_evasion_configuration_recorder_stopped.toml
index 55135ed3bde..2f80e52246d 100644
--- a/rules/aws/defense_evasion_configuration_recorder_stopped.toml
+++ b/rules/aws/defense_evasion_configuration_recorder_stopped.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/16"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/16"
+updated_date = "2020/07/07"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ false_positives = [
 positives, it can be exempted from the rule.
 """,
 ]
-from = "now-20m"
+from = "now-60m"
 index = ["filebeat-*"]
 interval = "10m"
 language = "kuery"
diff --git a/rules/aws/defense_evasion_ec2_flow_log_deletion.toml b/rules/aws/defense_evasion_ec2_flow_log_deletion.toml
index 6c367e599af..85339644b4c 100644
--- a/rules/aws/defense_evasion_ec2_flow_log_deletion.toml
+++ b/rules/aws/defense_evasion_ec2_flow_log_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/15"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/15"
+updated_date = "2020/07/07"
 
 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ false_positives = [
 can be exempted from the rule.
 """,
 ]
-from = "now-20m"
+from = "now-60m"
 index = ["filebeat-*"]
 interval = "10m"
 language = "kuery"
diff --git a/rules/aws/defense_evasion_ec2_network_acl_deletion.toml b/rules/aws/defense_evasion_ec2_network_acl_deletion.toml
index 71ecbaca0ef..3599c2c4221 100644
--- a/rules/aws/defense_evasion_ec2_network_acl_deletion.toml
+++ b/rules/aws/defense_evasion_ec2_network_acl_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/26"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/05/26"
+updated_date = "2020/07/07"
 
 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ false_positives = [
 be investigated. If known behavior is causing false positives, it can be exempted from the rule.
 """,
 ]
-from = "now-20m"
+from = "now-60m"
 index = ["filebeat-*"]
 interval = "10m"
 language = "kuery"
diff --git a/rules/aws/defense_evasion_guardduty_detector_deletion.toml b/rules/aws/defense_evasion_guardduty_detector_deletion.toml
index 7540e5a8964..a50b74211aa 100644
--- a/rules/aws/defense_evasion_guardduty_detector_deletion.toml
+++ b/rules/aws/defense_evasion_guardduty_detector_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/28"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/05/28"
+updated_date = "2020/07/07"
 
 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ false_positives = [
 hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
 """,
 ]
-from = "now-20m"
+from = "now-60m"
 index = ["filebeat-*"]
 interval = "10m"
 language = "kuery"
diff --git a/rules/aws/defense_evasion_s3_bucket_configuration_deletion.toml b/rules/aws/defense_evasion_s3_bucket_configuration_deletion.toml
index 97a37cb625e..3080d30f5c2 100644
--- a/rules/aws/defense_evasion_s3_bucket_configuration_deletion.toml
+++ b/rules/aws/defense_evasion_s3_bucket_configuration_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/27"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/05/27"
+updated_date = "2020/07/07"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ false_positives = [
 hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
 """,
 ]
-from = "now-20m"
+from = "now-60m"
 index = ["filebeat-*"]
 interval = "10m"
 language = "kuery"
diff --git a/rules/aws/defense_evasion_waf_acl_deletion.toml b/rules/aws/defense_evasion_waf_acl_deletion.toml
index 4cec5326fd2..09e482097b9 100644
--- a/rules/aws/defense_evasion_waf_acl_deletion.toml
+++ b/rules/aws/defense_evasion_waf_acl_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/21"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/05/21"
+updated_date = "2020/07/07"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ false_positives = [
 should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
 """,
 ]
-from = "now-20m"
+from = "now-60m"
 index = ["filebeat-*"]
 interval = "10m"
 language = "kuery"
diff --git a/rules/aws/exfiltration_ec2_snapshot_change_activity.toml b/rules/aws/exfiltration_ec2_snapshot_change_activity.toml
index 2c3790d3065..224914317ff 100644
--- a/rules/aws/exfiltration_ec2_snapshot_change_activity.toml
+++ b/rules/aws/exfiltration_ec2_snapshot_change_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/24"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/24"
+updated_date = "2020/07/07"
 
 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ false_positives = [
 behavior is causing false positives, it can be exempted from the rule.
 """,
 ]
-from = "now-20m"
+from = "now-60m"
 index = ["filebeat-*"]
 interval = "10m"
 language = "kuery"
diff --git a/rules/aws/impact_cloudtrail_logging_updated.toml b/rules/aws/impact_cloudtrail_logging_updated.toml
index 786cced0d11..171ee2beaa1 100644
--- a/rules/aws/impact_cloudtrail_logging_updated.toml
+++ b/rules/aws/impact_cloudtrail_logging_updated.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/10"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/10"
+updated_date = "2020/07/07"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ false_positives = [
 investigated. If known behavior is causing false positives, it can be exempted from the rule.
 """,
 ]
-from = "now-20m"
+from = "now-60m"
 index = ["filebeat-*"]
 interval = "10m"
 language = "kuery"
diff --git a/rules/aws/impact_cloudwatch_log_group_deletion.toml b/rules/aws/impact_cloudwatch_log_group_deletion.toml
index c4b9a024570..4c665d5dac9 100644
--- a/rules/aws/impact_cloudwatch_log_group_deletion.toml
+++ b/rules/aws/impact_cloudwatch_log_group_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/18"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/05/18"
+updated_date = "2020/07/07"
 
 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ false_positives = [
 it can be exempted from the rule.
 """,
 ]
-from = "now-20m"
+from = "now-60m"
 index = ["filebeat-*"]
 interval = "10m"
 language = "kuery"
diff --git a/rules/aws/impact_cloudwatch_log_stream_deletion.toml b/rules/aws/impact_cloudwatch_log_stream_deletion.toml
index 9173374d1c8..95be708c791 100644
--- a/rules/aws/impact_cloudwatch_log_stream_deletion.toml
+++ b/rules/aws/impact_cloudwatch_log_stream_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/20"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/05/20"
+updated_date = "2020/07/07"
 
 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ false_positives = [
 investigated. If known behavior is causing false positives, it can be exempted from the rule.
 """,
 ]
-from = "now-20m"
+from = "now-60m"
 index = ["filebeat-*"]
 interval = "10m"
 language = "kuery"
diff --git a/rules/aws/impact_ec2_disable_ebs_encryption.toml b/rules/aws/impact_ec2_disable_ebs_encryption.toml
index 22b4f2f85fb..e8bb6427cf2 100644
--- a/rules/aws/impact_ec2_disable_ebs_encryption.toml
+++ b/rules/aws/impact_ec2_disable_ebs_encryption.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/05"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/05"
+updated_date = "2020/07/07"
 
 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ false_positives = [
 should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
 """,
 ]
-from = "now-20m"
+from = "now-60m"
 index = ["filebeat-*"]
 interval = "10m"
 language = "kuery"
diff --git a/rules/aws/impact_iam_deactivate_mfa_device.toml b/rules/aws/impact_iam_deactivate_mfa_device.toml
index 2c7037ca916..6e03a95172f 100644
--- a/rules/aws/impact_iam_deactivate_mfa_device.toml
+++ b/rules/aws/impact_iam_deactivate_mfa_device.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/26"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/05/26"
+updated_date = "2020/07/07"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
 hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
 """,
 ]
-from = "now-20m"
+from = "now-60m"
 index = ["filebeat-*"]
 interval = "10m"
 language = "kuery"
diff --git a/rules/aws/impact_iam_group_deletion.toml b/rules/aws/impact_iam_group_deletion.toml
index 99e4bce69b1..ade99f21327 100644
--- a/rules/aws/impact_iam_group_deletion.toml
+++ b/rules/aws/impact_iam_group_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/21"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/05/21"
+updated_date = "2020/07/07"
 
 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ false_positives = [
 should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
 """,
 ]
-from = "now-20m"
+from = "now-60m"
 index = ["filebeat-*"]
 interval = "10m"
 language = "kuery"
diff --git a/rules/aws/impact_rds_cluster_deletion.toml b/rules/aws/impact_rds_cluster_deletion.toml
index 288644cb380..211fda75694 100644
--- a/rules/aws/impact_rds_cluster_deletion.toml
+++ b/rules/aws/impact_rds_cluster_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/21"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/05/21"
+updated_date = "2020/07/07"
 
 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ false_positives = [
 investigated. If known behavior is causing false positives, it can be exempted from the rule.
 """,
 ]
-from = "now-20m"
+from = "now-60m"
 index = ["filebeat-*"]
 interval = "10m"
 language = "kuery"
diff --git a/rules/aws/impact_rds_instance_cluster_stoppage.toml b/rules/aws/impact_rds_instance_cluster_stoppage.toml
index 63f72fe4624..a73e76f5c97 100644
--- a/rules/aws/impact_rds_instance_cluster_stoppage.toml
+++ b/rules/aws/impact_rds_instance_cluster_stoppage.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/20"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/05/20"
+updated_date = "2020/07/07"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ false_positives = [
 hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
 """,
 ]
-from = "now-20m"
+from = "now-60m"
 index = ["filebeat-*"]
 interval = "10m"
 language = "kuery"
diff --git a/rules/aws/initial_access_console_login_root.toml b/rules/aws/initial_access_console_login_root.toml
index e718e2bc59c..f063a28d6b3 100644
--- a/rules/aws/initial_access_console_login_root.toml
+++ b/rules/aws/initial_access_console_login_root.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/11"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/11"
+updated_date = "2020/07/07"
 
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@ false_positives = [
 exempted from the rule.
 """,
 ]
-from = "now-20m"
+from = "now-60m"
 index = ["filebeat-*"]
 interval = "10m"
 language = "kuery"
diff --git a/rules/aws/initial_access_password_recovery.toml b/rules/aws/initial_access_password_recovery.toml
index 73034fc829b..f3cf8a31ce7 100644
--- a/rules/aws/initial_access_password_recovery.toml
+++ b/rules/aws/initial_access_password_recovery.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/07/02"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/07/02"
+updated_date = "2020/07/07"
 
 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ false_positives = [
 it can be exempted from the rule.
 """,
 ]
-from = "now-20m"
+from = "now-60m"
 index = ["filebeat-*"]
 interval = "10m"
 language = "kuery"
diff --git a/rules/aws/persistence_ec2_network_acl_creation.toml b/rules/aws/persistence_ec2_network_acl_creation.toml
index 172201f7e90..ab268c6d21f 100644
--- a/rules/aws/persistence_ec2_network_acl_creation.toml
+++ b/rules/aws/persistence_ec2_network_acl_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/04"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/04"
+updated_date = "2020/07/07"
 
 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ false_positives = [
 be investigated. If known behavior is causing false positives, it can be exempted from the rule.
 """,
 ]
-from = "now-20m"
+from = "now-60m"
 index = ["filebeat-*"]
 interval = "10m"
 language = "kuery"
diff --git a/rules/aws/persistence_iam_group_creation.toml b/rules/aws/persistence_iam_group_creation.toml
index 16eb726f0af..489919b2355 100644
--- a/rules/aws/persistence_iam_group_creation.toml
+++ b/rules/aws/persistence_iam_group_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/05"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/05"
+updated_date = "2020/07/07"
 
 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ false_positives = [
 investigated. If known behavior is causing false positives, it can be exempted from the rule.
 """,
 ]
-from = "now-20m"
+from = "now-60m"
 index = ["filebeat-*"]
 interval = "10m"
 language = "kuery"
diff --git a/rules/aws/persistence_rds_cluster_creation.toml b/rules/aws/persistence_rds_cluster_creation.toml
index fe8f6e09211..dcf515947a2 100644
--- a/rules/aws/persistence_rds_cluster_creation.toml
+++ b/rules/aws/persistence_rds_cluster_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/20"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/05/20"
+updated_date = "2020/07/07"
 
 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ false_positives = [
 should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
 """,
 ]
-from = "now-20m"
+from = "now-60m"
 index = ["filebeat-*"]
 interval = "10m"
 language = "kuery"
diff --git a/rules/aws/privilege_escalation_root_login_without_mfa.toml b/rules/aws/privilege_escalation_root_login_without_mfa.toml
index 59b3539f5b0..2f3ed2c0fe9 100644
--- a/rules/aws/privilege_escalation_root_login_without_mfa.toml
+++ b/rules/aws/privilege_escalation_root_login_without_mfa.toml
@@ -16,7 +16,7 @@ false_positives = [
 and increases the risk of compromised credentials.
 """,
 ]
-from = "now-20m"
+from = "now-60m"
 index = ["filebeat-*"]
 interval = "10m"
 language = "kuery"
diff --git a/rules/aws/privilege_escalation_updateassumerolepolicy.toml b/rules/aws/privilege_escalation_updateassumerolepolicy.toml
index c458ea89e25..0d997462694 100644
--- a/rules/aws/privilege_escalation_updateassumerolepolicy.toml
+++ b/rules/aws/privilege_escalation_updateassumerolepolicy.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/07/06"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/07/06"
+updated_date = "2020/07/07"
 
 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ false_positives = [
 be exempted from the rule.
 """,
 ]
-from = "now-20m"
+from = "now-60m"
 index = ["filebeat-*"]
 interval = "10m"
 language = "kuery"
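Review bot: This file's `from = "now-60m"` change is the only one in the patch not paired with an `updated_date` bump; the diffstat on the first line shows `privilege_escalation_root_login_without_mfa.toml | 2 +-` against `4 ++--` for the other 26 files, and the diff for this file carries just this one hunk. The `[metadata]` block is outside the hunk, so its current value cannot be seen here, but unless it already reads `updated_date = "2020/07/07"` it should be set to that so the rule's metadata matches the rest of the change. A stale `updated_date` misreports when the rule's query window last changed to anyone auditing rule versions.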