

bc5 siem rules merge (elastic#62679)
* bc5 rule merge

version changes
field changes to endpoint rules
removed max_signals from 7 rules

* Fixing monitoring i18n (elastic#62715)

* Updates esarchiver test data with the latest rules (elastic#62723)

* Remove CR, only CRLF for rules

* delete two files

for Garrett

* deletes

delete 2 files (for Garrett)

* Revert "deletes"

This reverts commit cc2ac1e.

* Revert "Fixing monitoring i18n (elastic#62715)"

This reverts commit 0285740.

Co-authored-by: Elastic Machine <[email protected]>
Co-authored-by: Garrett Spong <[email protected]>
Co-authored-by: Ross Wolf <[email protected]>
4 people committed Apr 7, 2020
1 parent 635b0ad commit 3d6a754
Showing 75 changed files with 224 additions and 2,971 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -20,5 +20,5 @@
"Elastic"
],
"type": "query",
"version": 1
"version": 2
}
Original file line number Diff line number Diff line change
Expand Up @@ -20,5 +20,5 @@
"Elastic"
],
"type": "query",
"version": 1
"version": 2
}
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@
"interval": "10m",
"language": "kuery",
"name": "Adversary Behavior - Detected - Elastic Endpoint",
"query": "event.kind:alert and event.module:endgame and event.action:rules_engine_event",
"query": "event.kind:alert and event.module:endgame and (event.action:rules_engine_event or endgame.event_subtype_full:rules_engine_event)",
"risk_score": 47,
"rule_id": "77a3c3df-8ec4-4da4-b758-878f551dee69",
"severity": "medium",
Expand All @@ -16,5 +16,5 @@
"Endpoint"
],
"type": "query",
"version": 1
"version": 2
}
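Review bot: The widened query on the new side matches either `event.action:rules_engine_event` or `endgame.event_subtype_full:rules_engine_event`, but nothing in the rule file records why two fields are needed (presumably older and newer endpoint event shapes carry the subtype in different fields), and rule JSON cannot hold a comment. The rationale belongs in the rule's `description` field so a future maintainer does not "simplify" it back to one field; something like `Matches either event.action or endgame.event_subtype_full so alerts from endpoint agents emitting either field are covered.` The same widening, with the `endgame.metadata.type` clause additionally moved ahead of the parenthesised group, is made in the Credential Dumping, Credential Manipulation, Exploit, Malware, Permission Theft, Process Injection and Ransomware Detected/Prevented sections that follow. Because `and` binds tighter than `or` in KQL, the added parentheses are required and correct, and the change is purely additive (it can only match more events), so leaving `risk_score` and `severity` unchanged is consistent; bumping `version` to 2 in each file is the right companion change.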
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@
"interval": "10m",
"language": "kuery",
"name": "Credential Dumping - Detected - Elastic Endpoint",
"query": "event.kind:alert and event.module:endgame and event.action:cred_theft_event and endgame.metadata.type:detection",
"query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event)",
"risk_score": 73,
"rule_id": "571afc56-5ed9-465d-a2a9-045f099f6e7e",
"severity": "high",
Expand All @@ -16,5 +16,5 @@
"Endpoint"
],
"type": "query",
"version": 1
"version": 2
}
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@
"interval": "10m",
"language": "kuery",
"name": "Credential Dumping - Prevented - Elastic Endpoint",
"query": "event.kind:alert and event.module:endgame and event.action:cred_theft_event and endgame.metadata.type:prevention",
"query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event)",
"risk_score": 47,
"rule_id": "db8c33a8-03cd-4988-9e2c-d0a4863adb13",
"severity": "medium",
Expand All @@ -16,5 +16,5 @@
"Endpoint"
],
"type": "query",
"version": 1
"version": 2
}
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@
"interval": "10m",
"language": "kuery",
"name": "Credential Manipulation - Detected - Elastic Endpoint",
"query": "event.kind:alert and event.module:endgame and event.action:token_manipulation_event and endgame.metadata.type:detection",
"query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event)",
"risk_score": 73,
"rule_id": "c0be5f31-e180-48ed-aa08-96b36899d48f",
"severity": "high",
Expand All @@ -16,5 +16,5 @@
"Endpoint"
],
"type": "query",
"version": 1
"version": 2
}
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@
"interval": "10m",
"language": "kuery",
"name": "Credential Manipulation - Prevented - Elastic Endpoint",
"query": "event.kind:alert and event.module:endgame and event.action:token_manipulation_event and endgame.metadata.type:prevention",
"query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event)",
"risk_score": 47,
"rule_id": "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa",
"severity": "medium",
Expand All @@ -16,5 +16,5 @@
"Endpoint"
],
"type": "query",
"version": 1
"version": 2
}
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@
"interval": "10m",
"language": "kuery",
"name": "Exploit - Detected - Elastic Endpoint",
"query": "event.kind:alert and event.module:endgame and event.action:exploit_event and endgame.metadata.type:detection",
"query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:exploit_event or endgame.event_subtype_full:exploit_event)",
"risk_score": 73,
"rule_id": "2003cdc8-8d83-4aa5-b132-1f9a8eb48514",
"severity": "high",
Expand All @@ -16,5 +16,5 @@
"Endpoint"
],
"type": "query",
"version": 1
"version": 2
}
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@
"interval": "10m",
"language": "kuery",
"name": "Exploit - Prevented - Elastic Endpoint",
"query": "event.kind:alert and event.module:endgame and event.action:exploit_event and endgame.metadata.type:prevention",
"query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:exploit_event or endgame.event_subtype_full:exploit_event)",
"risk_score": 47,
"rule_id": "2863ffeb-bf77-44dd-b7a5-93ef94b72036",
"severity": "medium",
Expand All @@ -16,5 +16,5 @@
"Endpoint"
],
"type": "query",
"version": 1
"version": 2
}
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@
"interval": "10m",
"language": "kuery",
"name": "Malware - Detected - Elastic Endpoint",
"query": "event.kind:alert and event.module:endgame and event.action:file_classification_event and endgame.metadata.type:detection",
"query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event)",
"risk_score": 99,
"rule_id": "0a97b20f-4144-49ea-be32-b540ecc445de",
"severity": "critical",
Expand All @@ -16,5 +16,5 @@
"Endpoint"
],
"type": "query",
"version": 1
"version": 2
}
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@
"interval": "10m",
"language": "kuery",
"name": "Malware - Prevented - Elastic Endpoint",
"query": "event.kind:alert and event.module:endgame and event.action:file_classification_event and endgame.metadata.type:prevention",
"query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event)",
"risk_score": 73,
"rule_id": "3b382770-efbb-44f4-beed-f5e0a051b895",
"severity": "high",
Expand All @@ -16,5 +16,5 @@
"Endpoint"
],
"type": "query",
"version": 1
"version": 2
}
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@
"interval": "10m",
"language": "kuery",
"name": "Permission Theft - Detected - Elastic Endpoint",
"query": "event.kind:alert and event.module:endgame and event.action:token_protection_event and endgame.metadata.type:detection",
"query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event)",
"risk_score": 73,
"rule_id": "c3167e1b-f73c-41be-b60b-87f4df707fe3",
"severity": "high",
Expand All @@ -16,5 +16,5 @@
"Endpoint"
],
"type": "query",
"version": 1
"version": 2
}
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@
"interval": "10m",
"language": "kuery",
"name": "Permission Theft - Prevented - Elastic Endpoint",
"query": "event.kind:alert and event.module:endgame and event.action:token_protection_event and endgame.metadata.type:prevention",
"query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event)",
"risk_score": 47,
"rule_id": "453f659e-0429-40b1-bfdb-b6957286e04b",
"severity": "medium",
Expand All @@ -16,5 +16,5 @@
"Endpoint"
],
"type": "query",
"version": 1
"version": 2
}
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@
"interval": "10m",
"language": "kuery",
"name": "Process Injection - Detected - Elastic Endpoint",
"query": "event.kind:alert and event.module:endgame and event.action:kernel_shellcode_event and endgame.metadata.type:detection",
"query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event)",
"risk_score": 73,
"rule_id": "80c52164-c82a-402c-9964-852533d58be1",
"severity": "high",
Expand All @@ -16,5 +16,5 @@
"Endpoint"
],
"type": "query",
"version": 1
"version": 2
}
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@
"interval": "10m",
"language": "kuery",
"name": "Process Injection - Prevented - Elastic Endpoint",
"query": "event.kind:alert and event.module:endgame and event.action:kernel_shellcode_event and endgame.metadata.type:prevention",
"query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event)",
"risk_score": 47,
"rule_id": "990838aa-a953-4f3e-b3cb-6ddf7584de9e",
"severity": "medium",
Expand All @@ -16,5 +16,5 @@
"Endpoint"
],
"type": "query",
"version": 1
"version": 2
}
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@
"interval": "10m",
"language": "kuery",
"name": "Ransomware - Detected - Elastic Endpoint",
"query": "event.kind:alert and event.module:endgame and event.action:ransomware_event and endgame.metadata.type:detection",
"query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event)",
"risk_score": 99,
"rule_id": "8cb4f625-7743-4dfb-ae1b-ad92be9df7bd",
"severity": "critical",
Expand All @@ -16,5 +16,5 @@
"Endpoint"
],
"type": "query",
"version": 1
"version": 2
}
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@
"interval": "10m",
"language": "kuery",
"name": "Ransomware - Prevented - Elastic Endpoint",
"query": "event.kind:alert and event.module:endgame and event.action:ransomware_event and endgame.metadata.type:prevention",
"query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event)",
"risk_score": 73,
"rule_id": "e3c5d5cb-41d5-4206-805c-f30561eae3ac",
"severity": "high",
Expand All @@ -16,5 +16,5 @@
"Endpoint"
],
"type": "query",
"version": 1
"version": 2
}
Original file line number Diff line number Diff line change
Expand Up @@ -46,5 +46,5 @@
}
],
"type": "query",
"version": 1
"version": 2
}
Original file line number Diff line number Diff line change
Expand Up @@ -31,5 +31,5 @@
}
],
"type": "query",
"version": 1
"version": 2
}
Original file line number Diff line number Diff line change
Expand Up @@ -31,5 +31,5 @@
}
],
"type": "query",
"version": 1
"version": 2
}
Original file line number Diff line number Diff line change
Expand Up @@ -31,5 +31,5 @@
}
],
"type": "query",
"version": 1
"version": 2
}
Original file line number Diff line number Diff line change
Expand Up @@ -31,5 +31,5 @@
}
],
"type": "query",
"version": 1
"version": 2
}
Original file line number Diff line number Diff line change
Expand Up @@ -31,5 +31,5 @@
}
],
"type": "query",
"version": 1
"version": 2
}
Original file line number Diff line number Diff line change
Expand Up @@ -31,5 +31,5 @@
}
],
"type": "query",
"version": 1
"version": 2
}
Original file line number Diff line number Diff line change
Expand Up @@ -34,5 +34,5 @@
}
],
"type": "query",
"version": 1
"version": 2
}
Original file line number Diff line number Diff line change
Expand Up @@ -31,5 +31,5 @@
}
],
"type": "query",
"version": 1
"version": 2
}
Original file line number Diff line number Diff line change
Expand Up @@ -31,5 +31,5 @@
}
],
"type": "query",
"version": 1
"version": 2
}
Original file line number Diff line number Diff line change
Expand Up @@ -34,5 +34,5 @@
}
],
"type": "query",
"version": 1
"version": 2
}
Original file line number Diff line number Diff line change
Expand Up @@ -49,5 +49,5 @@
}
],
"type": "query",
"version": 1
"version": 2
}
Original file line number Diff line number Diff line change
Expand Up @@ -31,5 +31,5 @@
}
],
"type": "query",
"version": 1
"version": 2
}
Original file line number Diff line number Diff line change
Expand Up @@ -31,5 +31,5 @@
}
],
"type": "query",
"version": 1
"version": 2
}
Original file line number Diff line number Diff line change
Expand Up @@ -31,5 +31,5 @@
}
],
"type": "query",
"version": 1
"version": 2
}
Original file line number Diff line number Diff line change
Expand Up @@ -31,5 +31,5 @@
}
],
"type": "query",
"version": 1
"version": 2
}
