version changes field changes to endpoint rules removed max_signals from 7 rules
Craig committed Apr 6, 2020
1 parent 29abe5b
commit 88109b0
Showing 127 changed files with 4,314 additions and 4,321 deletions.
46 changes: 23 additions & 23 deletions
...gins/siem/server/lib/detection_engine/rules/prepackaged_rules/403_response_to_a_post.json
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,24 +1,24 @@ | ||
{ | ||
"description": "A POST request to web application returned a 403 response, which indicates the web application declined to process the request because the action requested was not allowed", | ||
"false_positives": [ | ||
"Security scans and tests may result in these errors. Misconfigured or buggy applications may produce large numbers of these errors. If the source is unexpected, the user unauthorized, or the request unusual, these may indicate suspicious or malicious activity." | ||
], | ||
"index": [ | ||
"apm-*-transaction*" | ||
], | ||
"language": "kuery", | ||
"name": "Web Application Suspicious Activity: POST Request Declined", | ||
"query": "http.response.status_code:403 and http.request.method:post", | ||
"references": [ | ||
"https://en.wikipedia.org/wiki/HTTP_403" | ||
], | ||
"risk_score": 47, | ||
"rule_id": "a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e", | ||
"severity": "medium", | ||
"tags": [ | ||
"APM", | ||
"Elastic" | ||
], | ||
"type": "query", | ||
"version": 1 | ||
{ | ||
"description": "A POST request to web application returned a 403 response, which indicates the web application declined to process the request because the action requested was not allowed", | ||
"false_positives": [ | ||
"Security scans and tests may result in these errors. Misconfigured or buggy applications may produce large numbers of these errors. If the source is unexpected, the user unauthorized, or the request unusual, these may indicate suspicious or malicious activity." | ||
], | ||
"index": [ | ||
"apm-*-transaction*" | ||
], | ||
"language": "kuery", | ||
"name": "Web Application Suspicious Activity: POST Request Declined", | ||
"query": "http.response.status_code:403 and http.request.method:post", | ||
"references": [ | ||
"https://en.wikipedia.org/wiki/HTTP_403" | ||
], | ||
"risk_score": 47, | ||
"rule_id": "a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e", | ||
"severity": "medium", | ||
"tags": [ | ||
"APM", | ||
"Elastic" | ||
], | ||
"type": "query", | ||
"version": 2 | ||
} |
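Review bot: the only change in this hunk is `"version": 1` to `"version": 2`; the query, index pattern and every other field on the right-hand side are identical to the left, so the bump will prompt every user to update a rule whose behaviour has not changed. The commit message says `max_signals` was removed from seven rules, but both sides of this hunk span 24 lines (`-1,24 +1,24`) and neither contains a `max_signals` field, so if the bump is meant to carry that removal the field was not present here to begin with; either drop the version bump or say in the commit what it is for. Separately, `http.request.method:post` is a lowercase literal matched against a keyword field, where matching is exact and case-sensitive; confirm the APM transaction documents actually store the method as lowercase `post`, otherwise this rule never fires.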
46 changes: 23 additions & 23 deletions
.../server/lib/detection_engine/rules/prepackaged_rules/405_response_method_not_allowed.json
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,24 +1,24 @@ | ||
{ | ||
"description": "A request to web application returned a 405 response which indicates the web application declined to process the request because the HTTP method is not allowed for the resource", | ||
"false_positives": [ | ||
"Security scans and tests may result in these errors. Misconfigured or buggy applications may produce large numbers of these errors. If the source is unexpected, the user unauthorized, or the request unusual, these may indicate suspicious or malicious activity." | ||
], | ||
"index": [ | ||
"apm-*-transaction*" | ||
], | ||
"language": "kuery", | ||
"name": "Web Application Suspicious Activity: Unauthorized Method", | ||
"query": "http.response.status_code:405", | ||
"references": [ | ||
"https://en.wikipedia.org/wiki/HTTP_405" | ||
], | ||
"risk_score": 47, | ||
"rule_id": "75ee75d8-c180-481c-ba88-ee50129a6aef", | ||
"severity": "medium", | ||
"tags": [ | ||
"APM", | ||
"Elastic" | ||
], | ||
"type": "query", | ||
"version": 1 | ||
{ | ||
"description": "A request to web application returned a 405 response which indicates the web application declined to process the request because the HTTP method is not allowed for the resource", | ||
"false_positives": [ | ||
"Security scans and tests may result in these errors. Misconfigured or buggy applications may produce large numbers of these errors. If the source is unexpected, the user unauthorized, or the request unusual, these may indicate suspicious or malicious activity." | ||
], | ||
"index": [ | ||
"apm-*-transaction*" | ||
], | ||
"language": "kuery", | ||
"name": "Web Application Suspicious Activity: Unauthorized Method", | ||
"query": "http.response.status_code:405", | ||
"references": [ | ||
"https://en.wikipedia.org/wiki/HTTP_405" | ||
], | ||
"risk_score": 47, | ||
"rule_id": "75ee75d8-c180-481c-ba88-ee50129a6aef", | ||
"severity": "medium", | ||
"tags": [ | ||
"APM", | ||
"Elastic" | ||
], | ||
"type": "query", | ||
"version": 2 | ||
} |
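Review bot: same situation as the 403 rule above: nothing in this hunk changes except `"version"` from 1 to 2 (hunk header `-1,24 +1,24`, no `max_signals` on either side), so users will be prompted to update a rule whose query `http.response.status_code:405` and all other fields are unchanged. If the bump is deliberate, put the reason in the commit message; if not, drop it.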
38 changes: 19 additions & 19 deletions
...engine/rules/prepackaged_rules/elastic_endpoint_security_adversary_behavior_detected.json
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,20 +1,20 @@ | ||
{ | ||
"description": "Elastic Endpoint detected an Adversary Behavior. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.", | ||
"from": "now-660s", | ||
"index": [ | ||
"endgame-*" | ||
], | ||
"interval": "10m", | ||
"language": "kuery", | ||
"name": "Adversary Behavior - Detected - Elastic Endpoint", | ||
"query": "event.kind:alert and event.module:endgame and event.action:rules_engine_event", | ||
"risk_score": 47, | ||
"rule_id": "77a3c3df-8ec4-4da4-b758-878f551dee69", | ||
"severity": "medium", | ||
"tags": [ | ||
"Elastic", | ||
"Endpoint" | ||
], | ||
"type": "query", | ||
"version": 1 | ||
{ | ||
"description": "Elastic Endpoint detected an Adversary Behavior. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.", | ||
"from": "now-660s", | ||
"index": [ | ||
"endgame-*" | ||
], | ||
"interval": "10m", | ||
"language": "kuery", | ||
"name": "Adversary Behavior - Detected - Elastic Endpoint", | ||
"query": "event.kind:alert and event.module:endgame and (event.action:rules_engine_event or endgame.event_subtype_full:rules_engine_event)", | ||
"risk_score": 47, | ||
"rule_id": "77a3c3df-8ec4-4da4-b758-878f551dee69", | ||
"severity": "medium", | ||
"tags": [ | ||
"Elastic", | ||
"Endpoint" | ||
], | ||
"type": "query", | ||
"version": 2 | ||
} |
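Review bot: the widened match is correctly parenthesised: `(event.action:rules_engine_event or endgame.event_subtype_full:rules_engine_event)` keeps the `or` inside the `event.kind:alert and event.module:endgame` scope, which an unparenthesised `... and event.action:X or endgame.event_subtype_full:X` would not have done, since `and` binds tighter than `or` in KQL. Because the query now accepts the same event under two field names, say so in the commit message (it currently mentions only version and `max_signals` changes), so a reader can tell the query edit is intended and not a leftover.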
38 changes: 19 additions & 19 deletions
...ction_engine/rules/prepackaged_rules/elastic_endpoint_security_cred_dumping_detected.json
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,20 +1,20 @@ | ||
{ | ||
"description": "Elastic Endpoint detected Credential Dumping. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.", | ||
"from": "now-660s", | ||
"index": [ | ||
"endgame-*" | ||
], | ||
"interval": "10m", | ||
"language": "kuery", | ||
"name": "Credential Dumping - Detected - Elastic Endpoint", | ||
"query": "event.kind:alert and event.module:endgame and event.action:cred_theft_event and endgame.metadata.type:detection", | ||
"risk_score": 73, | ||
"rule_id": "571afc56-5ed9-465d-a2a9-045f099f6e7e", | ||
"severity": "high", | ||
"tags": [ | ||
"Elastic", | ||
"Endpoint" | ||
], | ||
"type": "query", | ||
"version": 1 | ||
{ | ||
"description": "Elastic Endpoint detected Credential Dumping. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.", | ||
"from": "now-660s", | ||
"index": [ | ||
"endgame-*" | ||
], | ||
"interval": "10m", | ||
"language": "kuery", | ||
"name": "Credential Dumping - Detected - Elastic Endpoint", | ||
"query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event)", | ||
"risk_score": 73, | ||
"rule_id": "571afc56-5ed9-465d-a2a9-045f099f6e7e", | ||
"severity": "high", | ||
"tags": [ | ||
"Elastic", | ||
"Endpoint" | ||
], | ||
"type": "query", | ||
"version": 2 | ||
} |
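Review bot: moving `endgame.metadata.type:detection` ahead of the parenthesised or-group is correct and keeps the detection/prevention discriminator as a top-level `and` term rather than risking it being absorbed into the `or`. One check: the companion `..._cred_dumping_prevented.json` in this commit uses the identical group with `endgame.metadata.type:prevention`, so the pair stays mutually exclusive; keep the two files in lockstep on any future change to the `cred_theft_event` term.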
38 changes: 19 additions & 19 deletions
...tion_engine/rules/prepackaged_rules/elastic_endpoint_security_cred_dumping_prevented.json
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,20 +1,20 @@ | ||
{ | ||
"description": "Elastic Endpoint prevented Credential Dumping. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.", | ||
"from": "now-660s", | ||
"index": [ | ||
"endgame-*" | ||
], | ||
"interval": "10m", | ||
"language": "kuery", | ||
"name": "Credential Dumping - Prevented - Elastic Endpoint", | ||
"query": "event.kind:alert and event.module:endgame and event.action:cred_theft_event and endgame.metadata.type:prevention", | ||
"risk_score": 47, | ||
"rule_id": "db8c33a8-03cd-4988-9e2c-d0a4863adb13", | ||
"severity": "medium", | ||
"tags": [ | ||
"Elastic", | ||
"Endpoint" | ||
], | ||
"type": "query", | ||
"version": 1 | ||
{ | ||
"description": "Elastic Endpoint prevented Credential Dumping. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.", | ||
"from": "now-660s", | ||
"index": [ | ||
"endgame-*" | ||
], | ||
"interval": "10m", | ||
"language": "kuery", | ||
"name": "Credential Dumping - Prevented - Elastic Endpoint", | ||
"query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event)", | ||
"risk_score": 47, | ||
"rule_id": "db8c33a8-03cd-4988-9e2c-d0a4863adb13", | ||
"severity": "medium", | ||
"tags": [ | ||
"Elastic", | ||
"Endpoint" | ||
], | ||
"type": "query", | ||
"version": 2 | ||
} |
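Review bot: style point only: this hunk mirrors the detected variant exactly except for `endgame.metadata.type:prevention`, and the remaining differences between the two files (`risk_score` 47 versus 73, `severity` medium versus high, the `rule_id`) are pre-existing and untouched here. With the query shape now shared across the pair, a single test fixture that flips only the metadata type would cover both rules and catch future drift between them.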
38 changes: 19 additions & 19 deletions
..._engine/rules/prepackaged_rules/elastic_endpoint_security_cred_manipulation_detected.json
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,20 +1,20 @@ | ||
{ | ||
"description": "Elastic Endpoint detected Credential Manipulation. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.", | ||
"from": "now-660s", | ||
"index": [ | ||
"endgame-*" | ||
], | ||
"interval": "10m", | ||
"language": "kuery", | ||
"name": "Credential Manipulation - Detected - Elastic Endpoint", | ||
"query": "event.kind:alert and event.module:endgame and event.action:token_manipulation_event and endgame.metadata.type:detection", | ||
"risk_score": 73, | ||
"rule_id": "c0be5f31-e180-48ed-aa08-96b36899d48f", | ||
"severity": "high", | ||
"tags": [ | ||
"Elastic", | ||
"Endpoint" | ||
], | ||
"type": "query", | ||
"version": 1 | ||
{ | ||
"description": "Elastic Endpoint detected Credential Manipulation. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.", | ||
"from": "now-660s", | ||
"index": [ | ||
"endgame-*" | ||
], | ||
"interval": "10m", | ||
"language": "kuery", | ||
"name": "Credential Manipulation - Detected - Elastic Endpoint", | ||
"query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event)", | ||
"risk_score": 73, | ||
"rule_id": "c0be5f31-e180-48ed-aa08-96b36899d48f", | ||
"severity": "high", | ||
"tags": [ | ||
"Elastic", | ||
"Endpoint" | ||
], | ||
"type": "query", | ||
"version": 2 | ||
} |
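Review bot: `token_manipulation_event` is now matched through both `event.action` and `endgame.event_subtype_full`, and the grouping is correct. Documentation point: the rule name and description say Credential Manipulation while the event term the query spells twice is `token_manipulation_event`; one sentence in the description noting that token manipulation is the endpoint event behind this alert would help an analyst map the alert back to the source event.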
38 changes: 19 additions & 19 deletions
...engine/rules/prepackaged_rules/elastic_endpoint_security_cred_manipulation_prevented.json
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,20 +1,20 @@ | ||
{ | ||
"description": "Elastic Endpoint prevented Credential Manipulation. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.", | ||
"from": "now-660s", | ||
"index": [ | ||
"endgame-*" | ||
], | ||
"interval": "10m", | ||
"language": "kuery", | ||
"name": "Credential Manipulation - Prevented - Elastic Endpoint", | ||
"query": "event.kind:alert and event.module:endgame and event.action:token_manipulation_event and endgame.metadata.type:prevention", | ||
"risk_score": 47, | ||
"rule_id": "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa", | ||
"severity": "medium", | ||
"tags": [ | ||
"Elastic", | ||
"Endpoint" | ||
], | ||
"type": "query", | ||
"version": 1 | ||
{ | ||
"description": "Elastic Endpoint prevented Credential Manipulation. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.", | ||
"from": "now-660s", | ||
"index": [ | ||
"endgame-*" | ||
], | ||
"interval": "10m", | ||
"language": "kuery", | ||
"name": "Credential Manipulation - Prevented - Elastic Endpoint", | ||
"query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event)", | ||
"risk_score": 47, | ||
"rule_id": "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa", | ||
"severity": "medium", | ||
"tags": [ | ||
"Elastic", | ||
"Endpoint" | ||
], | ||
"type": "query", | ||
"version": 2 | ||
} |
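Review bot: consistent with the detected variant (same or-group, `endgame.metadata.type:prevention` as the discriminator), so no logic issue. Minor: the three detected/prevented pairs in this commit now differ only in the event term, the metadata type, `rule_id` and score, so if any of these query strings are ever generated from a template rather than hand-edited, this would be the moment to do it; hand-editing six near-identical strings is how the pairs drift apart.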
38 changes: 19 additions & 19 deletions
.../detection_engine/rules/prepackaged_rules/elastic_endpoint_security_exploit_detected.json
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,20 +1,20 @@ | ||
{ | ||
"description": "Elastic Endpoint detected an Exploit. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.", | ||
"from": "now-660s", | ||
"index": [ | ||
"endgame-*" | ||
], | ||
"interval": "10m", | ||
"language": "kuery", | ||
"name": "Exploit - Detected - Elastic Endpoint", | ||
"query": "event.kind:alert and event.module:endgame and event.action:exploit_event and endgame.metadata.type:detection", | ||
"risk_score": 73, | ||
"rule_id": "2003cdc8-8d83-4aa5-b132-1f9a8eb48514", | ||
"severity": "high", | ||
"tags": [ | ||
"Elastic", | ||
"Endpoint" | ||
], | ||
"type": "query", | ||
"version": 1 | ||
{ | ||
"description": "Elastic Endpoint detected an Exploit. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.", | ||
"from": "now-660s", | ||
"index": [ | ||
"endgame-*" | ||
], | ||
"interval": "10m", | ||
"language": "kuery", | ||
"name": "Exploit - Detected - Elastic Endpoint", | ||
"query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:exploit_event or endgame.event_subtype_full:exploit_event)", | ||
"risk_score": 73, | ||
"rule_id": "2003cdc8-8d83-4aa5-b132-1f9a8eb48514", | ||
"severity": "high", | ||
"tags": [ | ||
"Elastic", | ||
"Endpoint" | ||
], | ||
"type": "query", | ||
"version": 2 | ||
} |
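Review bot: same restructuring as the credential rules and the parentheses are correct. One question before merging: the rule targets `endgame-*`, and the new alternative term relies on `endgame.event_subtype_full` being present in those documents; confirm the field is mapped and populated for exploit alerts, otherwise the added branch of the `or` is dead and only `event.action:exploit_event` ever matches, which is fine functionally but makes the version bump misleading.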
38 changes: 19 additions & 19 deletions
...detection_engine/rules/prepackaged_rules/elastic_endpoint_security_exploit_prevented.json
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,20 +1,20 @@ | ||
{ | ||
"description": "Elastic Endpoint prevented an Exploit. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.", | ||
"from": "now-660s", | ||
"index": [ | ||
"endgame-*" | ||
], | ||
"interval": "10m", | ||
"language": "kuery", | ||
"name": "Exploit - Prevented - Elastic Endpoint", | ||
"query": "event.kind:alert and event.module:endgame and event.action:exploit_event and endgame.metadata.type:prevention", | ||
"risk_score": 47, | ||
"rule_id": "2863ffeb-bf77-44dd-b7a5-93ef94b72036", | ||
"severity": "medium", | ||
"tags": [ | ||
"Elastic", | ||
"Endpoint" | ||
], | ||
"type": "query", | ||
"version": 1 | ||
{ | ||
"description": "Elastic Endpoint prevented an Exploit. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.", | ||
"from": "now-660s", | ||
"index": [ | ||
"endgame-*" | ||
], | ||
"interval": "10m", | ||
"language": "kuery", | ||
"name": "Exploit - Prevented - Elastic Endpoint", | ||
"query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:exploit_event or endgame.event_subtype_full:exploit_event)", | ||
"risk_score": 47, | ||
"rule_id": "2863ffeb-bf77-44dd-b7a5-93ef94b72036", | ||
"severity": "medium", | ||
"tags": [ | ||
"Elastic", | ||
"Endpoint" | ||
], | ||
"type": "query", | ||
"version": 2 | ||
} |
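Review bot: with this hunk all seven endpoint rules shown in the commit share the same query shape (`event.kind:alert and event.module:endgame`, the `endgame.metadata.type` term where applicable, then `(event.action:X or endgame.event_subtype_full:X)`) and all bump to version 2; `from: now-660s` with `interval: 10m` is retained unchanged, keeping the 60 s overlap between runs. No `max_signals` field appears on either side of any of these hunks (all are `-1,20 +1,20`), so the commit message's "removed max_signals from 7 rules" is not visible in the nine files displayed out of the 127 changed; confirm those removals live in the files not shown here.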