From 3e4dde09e67bcf03c8a8f1541bb2bef54b449319 Mon Sep 17 00:00:00 2001 From: Shashank K S Date: Fri, 21 Mar 2025 20:07:16 +0530 Subject: [PATCH 01/10] Modify Unit test and update rules --- ...nse_evasion_elastic_memory_threat_detected.toml | 11 +++-------- ...se_evasion_elastic_memory_threat_prevented.toml | 11 +++-------- .../endpoint/elastic_endpoint_security.toml | 11 +++-------- ...lastic_endpoint_security_behavior_detected.toml | 11 +++-------- ...astic_endpoint_security_behavior_prevented.toml | 11 +++-------- .../execution_elastic_malicious_file_detected.toml | 11 +++-------- ...execution_elastic_malicious_file_prevented.toml | 11 +++-------- .../impact_elastic_ransomware_detected.toml | 11 +++-------- .../impact_elastic_ransomware_prevented.toml | 11 +++-------- ...ntial_access_endgame_cred_dumping_detected.toml | 13 +++++-------- ...tial_access_endgame_cred_dumping_prevented.toml | 13 +++++-------- .../endgame_adversary_behavior_detected.toml | 11 ++++------- rules/promotions/endgame_malware_detected.toml | 13 +++++-------- rules/promotions/endgame_malware_prevented.toml | 13 +++++-------- rules/promotions/endgame_ransomware_detected.toml | 14 +++++--------- rules/promotions/endgame_ransomware_prevented.toml | 13 +++++-------- .../execution_endgame_exploit_detected.toml | 13 +++++-------- .../execution_endgame_exploit_prevented.toml | 13 +++++-------- rules/promotions/external_alerts.toml | 13 +++++-------- ...alation_endgame_cred_manipulation_detected.toml | 13 +++++-------- ...lation_endgame_cred_manipulation_prevented.toml | 13 +++++-------- ...calation_endgame_permission_theft_detected.toml | 13 +++++-------- ...alation_endgame_permission_theft_prevented.toml | 13 +++++-------- ...alation_endgame_process_injection_detected.toml | 13 +++++-------- ...lation_endgame_process_injection_prevented.toml | 13 +++++-------- .../threat_intel_rapid7_threat_command.toml | 14 ++++---------- 26 files changed, 110 insertions(+), 210 deletions(-) diff --git a/rules/integrations/endpoint/defense_evasion_elastic_memory_threat_detected.toml b/rules/integrations/endpoint/defense_evasion_elastic_memory_threat_detected.toml index 8bb3d7440cf..347ae4ec74d 100644 --- a/rules/integrations/endpoint/defense_evasion_elastic_memory_threat_detected.toml +++ b/rules/integrations/endpoint/defense_evasion_elastic_memory_threat_detected.toml @@ -5,7 +5,7 @@ maturity = "production" min_stack_comments = "Defend alerting adjustments patch to distinguish prevention and detection." min_stack_version = "8.16.0" promotion = true -updated_date = "2025/02/06" +updated_date = "2025/03/21" [rule] author = ["Elastic"] @@ -20,7 +20,7 @@ index = ["logs-endpoint.alerts-*"] interval = "1m" language = "kuery" license = "Elastic License v2" -max_signals = 10000 +max_signals = 1000 name = "Memory Threat - Detected - Elastic Defend" note = """## Triage and analysis @@ -102,13 +102,8 @@ Ransomware - Prevented - Elastic Defend (UUID: 10f3d520-ea35-11ee-a417-f661ea17f To avoid generating duplicate alerts, you should enable either all feature-specific protection rules or the Endpoint Security (Elastic Defend) rule (UUID: 9a1a2dae-0b5f-4c3d-8305-a268d404c306). ### Additional notes -This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. -**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. - -To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. - -**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects. +For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). """ severity = "high" tags = ["Data Source: Elastic Defend", "Tactic: Defense Evasion", "Resources: Investigation Guide"] diff --git a/rules/integrations/endpoint/defense_evasion_elastic_memory_threat_prevented.toml b/rules/integrations/endpoint/defense_evasion_elastic_memory_threat_prevented.toml index 89703207083..03627866904 100644 --- a/rules/integrations/endpoint/defense_evasion_elastic_memory_threat_prevented.toml +++ b/rules/integrations/endpoint/defense_evasion_elastic_memory_threat_prevented.toml @@ -5,7 +5,7 @@ maturity = "production" min_stack_comments = "Defend alerting adjustments patch to distinguish prevention and detection." min_stack_version = "8.16.0" promotion = true -updated_date = "2025/02/06" +updated_date = "2025/03/21" [rule] author = ["Elastic"] @@ -20,7 +20,7 @@ index = ["logs-endpoint.alerts-*"] interval = "1m" language = "kuery" license = "Elastic License v2" -max_signals = 10000 +max_signals = 1000 name = "Memory Threat - Prevented- Elastic Defend" note = """## Triage and analysis @@ -101,13 +101,8 @@ Ransomware - Prevented - Elastic Defend (UUID: 10f3d520-ea35-11ee-a417-f661ea17f To avoid generating duplicate alerts, you should enable either all feature-specific protection rules or the Endpoint Security (Elastic Defend) rule (UUID: 9a1a2dae-0b5f-4c3d-8305-a268d404c306). ### Additional notes -This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. -**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. - -To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. - -**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects. +For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). """ severity = "high" tags = ["Data Source: Elastic Defend", "Tactic: Defense Evasion", "Resources: Investigation Guide"] diff --git a/rules/integrations/endpoint/elastic_endpoint_security.toml b/rules/integrations/endpoint/elastic_endpoint_security.toml index 2ccf3d1f1e5..b92b5349886 100644 --- a/rules/integrations/endpoint/elastic_endpoint_security.toml +++ b/rules/integrations/endpoint/elastic_endpoint_security.toml @@ -3,7 +3,7 @@ creation_date = "2020/07/08" integration = ["endpoint"] maturity = "production" promotion = true -updated_date = "2025/03/20" +updated_date = "2025/03/21" [rule] author = ["Elastic"] @@ -17,7 +17,7 @@ index = ["logs-endpoint.alerts-*"] interval = "1m" language = "kuery" license = "Elastic License v2" -max_signals = 10000 +max_signals = 1000 name = "Endpoint Security (Elastic Defend)" note = """## Triage and analysis @@ -75,13 +75,8 @@ Related rules: - Ransomware - Prevented - Elastic Defend (UUID: 10f3d520-ea35-11ee-a417-f661ea17fbce) ### Additional notes -This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. -**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. - -To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. - -**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects. +For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). """ severity = "medium" tags = ["Data Source: Elastic Defend", "Resources: Investigation Guide"] diff --git a/rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.toml b/rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.toml index 2e974c5e182..b4bd8b83308 100644 --- a/rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.toml +++ b/rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.toml @@ -5,7 +5,7 @@ maturity = "production" min_stack_comments = "Defend alerting adjustments patch to distinguish prevention and detection." min_stack_version = "8.16.0" promotion = true -updated_date = "2025/02/06" +updated_date = "2025/03/21" [rule] author = ["Elastic"] @@ -20,7 +20,7 @@ index = ["logs-endpoint.alerts-*"] interval = "1m" language = "kuery" license = "Elastic License v2" -max_signals = 10000 +max_signals = 1000 name = "Behavior - Detected - Elastic Defend" note = """## Triage and analysis @@ -85,13 +85,8 @@ Ransomware - Prevented - Elastic Defend (UUID: 10f3d520-ea35-11ee-a417-f661ea17f To avoid generating duplicate alerts, you should enable either all feature-specific protection rules or the Endpoint Security (Elastic Defend) rule (UUID: 9a1a2dae-0b5f-4c3d-8305-a268d404c306). ### Additional notes -This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. -**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. - -To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. - -**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects. +For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). """ severity = "medium" tags = ["Data Source: Elastic Defend", "Resources: Investigation Guide"] diff --git a/rules/integrations/endpoint/elastic_endpoint_security_behavior_prevented.toml b/rules/integrations/endpoint/elastic_endpoint_security_behavior_prevented.toml index e7cfc0d2077..44ff061f365 100644 --- a/rules/integrations/endpoint/elastic_endpoint_security_behavior_prevented.toml +++ b/rules/integrations/endpoint/elastic_endpoint_security_behavior_prevented.toml @@ -5,7 +5,7 @@ maturity = "production" min_stack_comments = "Defend alerting adjustments patch to distinguish prevention and detection." min_stack_version = "8.16.0" promotion = true -updated_date = "2025/02/06" +updated_date = "2025/03/21" [rule] author = ["Elastic"] @@ -20,7 +20,7 @@ index = ["logs-endpoint.alerts-*"] interval = "1m" language = "kuery" license = "Elastic License v2" -max_signals = 10000 +max_signals = 1000 name = "Behavior - Prevented - Elastic Defend" note = """## Triage and analysis @@ -86,13 +86,8 @@ Ransomware - Prevented - Elastic Defend (UUID: 10f3d520-ea35-11ee-a417-f661ea17f To avoid generating duplicate alerts, you should enable either all feature-specific protection rules or the Endpoint Security (Elastic Defend) rule (UUID: 9a1a2dae-0b5f-4c3d-8305-a268d404c306). ### Additional notes -This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. -**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. - -To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. - -**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects. +For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). """ severity = "low" tags = ["Data Source: Elastic Defend", "Resources: Investigation Guide"] diff --git a/rules/integrations/endpoint/execution_elastic_malicious_file_detected.toml b/rules/integrations/endpoint/execution_elastic_malicious_file_detected.toml index 3db40040cfd..c943822d4a5 100644 --- a/rules/integrations/endpoint/execution_elastic_malicious_file_detected.toml +++ b/rules/integrations/endpoint/execution_elastic_malicious_file_detected.toml @@ -5,7 +5,7 @@ maturity = "production" min_stack_comments = "Defend alerting adjustments patch to distinguish prevention and detection." min_stack_version = "8.16.0" promotion = true -updated_date = "2025/02/06" +updated_date = "2025/03/21" [rule] author = ["Elastic"] @@ -20,7 +20,7 @@ index = ["logs-endpoint.alerts-*"] interval = "1m" language = "kuery" license = "Elastic License v2" -max_signals = 10000 +max_signals = 1000 name = "Malicious File - Detected - Elastic Defend" note = """## Triage and analysis @@ -93,13 +93,8 @@ Ransomware - Prevented - Elastic Defend (UUID: 10f3d520-ea35-11ee-a417-f661ea17f To avoid generating duplicate alerts, you should enable either all feature-specific protection rules or the Endpoint Security (Elastic Defend) rule (UUID: 9a1a2dae-0b5f-4c3d-8305-a268d404c306). ### Additional notes -This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. -**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. - -To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. - -**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects. +For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). """ severity = "medium" tags = ["Data Source: Elastic Defend", "Tactic: Execution", "Resources: Investigation Guide"] diff --git a/rules/integrations/endpoint/execution_elastic_malicious_file_prevented.toml b/rules/integrations/endpoint/execution_elastic_malicious_file_prevented.toml index 39d13c7be2f..c6425746152 100644 --- a/rules/integrations/endpoint/execution_elastic_malicious_file_prevented.toml +++ b/rules/integrations/endpoint/execution_elastic_malicious_file_prevented.toml @@ -5,7 +5,7 @@ maturity = "production" min_stack_comments = "Defend alerting adjustments patch to distinguish prevention and detection." min_stack_version = "8.16.0" promotion = true -updated_date = "2025/02/06" +updated_date = "2025/03/21" [rule] author = ["Elastic"] @@ -20,7 +20,7 @@ index = ["logs-endpoint.alerts-*"] interval = "1m" language = "kuery" license = "Elastic License v2" -max_signals = 10000 +max_signals = 1000 name = "Malicious File - Prevented - Elastic Defend" note = """## Triage and analysis @@ -93,13 +93,8 @@ Ransomware - Prevented - Elastic Defend (UUID: 10f3d520-ea35-11ee-a417-f661ea17f To avoid generating duplicate alerts, you should enable either all feature-specific protection rules or the Endpoint Security (Elastic Defend) rule (UUID: 9a1a2dae-0b5f-4c3d-8305-a268d404c306). ### Additional notes -This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. -**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. - -To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. - -**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects. +For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). """ severity = "low" tags = ["Data Source: Elastic Defend", "Tactic: Execution", "Resources: Investigation Guide"] diff --git a/rules/integrations/endpoint/impact_elastic_ransomware_detected.toml b/rules/integrations/endpoint/impact_elastic_ransomware_detected.toml index 60feb66107a..b8b5fba869a 100644 --- a/rules/integrations/endpoint/impact_elastic_ransomware_detected.toml +++ b/rules/integrations/endpoint/impact_elastic_ransomware_detected.toml @@ -5,7 +5,7 @@ maturity = "production" min_stack_comments = "Defend alerting adjustments patch to distinguish prevention and detection." min_stack_version = "8.16.0" promotion = true -updated_date = "2025/02/06" +updated_date = "2025/03/21" [rule] author = ["Elastic"] @@ -20,7 +20,7 @@ index = ["logs-endpoint.alerts-*"] interval = "1m" language = "kuery" license = "Elastic License v2" -max_signals = 10000 +max_signals = 1000 name = "Ransomware - Detected - Elastic Defend" note = """## Triage and analysis @@ -84,13 +84,8 @@ Ransomware - Prevented - Elastic Defend (UUID: 10f3d520-ea35-11ee-a417-f661ea17f To avoid generating duplicate alerts, you should enable either all feature-specific protection rules or the Endpoint Security (Elastic Defend) rule (UUID: 9a1a2dae-0b5f-4c3d-8305-a268d404c306). ### Additional notes -This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. -**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. - -To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. - -**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects. +For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). """ severity = "high" tags = ["Data Source: Elastic Defend", "Tactic: Impact", "Resources: Investigation Guide"] diff --git a/rules/integrations/endpoint/impact_elastic_ransomware_prevented.toml b/rules/integrations/endpoint/impact_elastic_ransomware_prevented.toml index 2247a29ec10..adb1215f54b 100644 --- a/rules/integrations/endpoint/impact_elastic_ransomware_prevented.toml +++ b/rules/integrations/endpoint/impact_elastic_ransomware_prevented.toml @@ -5,7 +5,7 @@ maturity = "production" min_stack_comments = "Defend alerting adjustments patch to distinguish prevention and detection." min_stack_version = "8.16.0" promotion = true -updated_date = "2025/02/06" +updated_date = "2025/03/21" [rule] author = ["Elastic"] @@ -20,7 +20,7 @@ index = ["logs-endpoint.alerts-*"] interval = "1m" language = "kuery" license = "Elastic License v2" -max_signals = 10000 +max_signals = 1000 name = "Ransomware - Prevented - Elastic Defend" note = """## Triage and analysis @@ -85,13 +85,8 @@ Ransomware - Prevented - Elastic Defend (UUID: 10f3d520-ea35-11ee-a417-f661ea17f To avoid generating duplicate alerts, you should enable either all feature-specific protection rules or the Endpoint Security (Elastic Defend) rule (UUID: 9a1a2dae-0b5f-4c3d-8305-a268d404c306). ### Additional notes -This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. -**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. - -To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. - -**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects. +For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). """ severity = "high" tags = ["Data Source: Elastic Defend", "Tactic: Impact", "Resources: Investigation Guide"] diff --git a/rules/promotions/credential_access_endgame_cred_dumping_detected.toml b/rules/promotions/credential_access_endgame_cred_dumping_detected.toml index 998ef82e8d0..aca343f06c3 100644 --- a/rules/promotions/credential_access_endgame_cred_dumping_detected.toml +++ b/rules/promotions/credential_access_endgame_cred_dumping_detected.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" maturity = "production" promotion = true -updated_date = "2025/01/15" +updated_date = "2025/03/21" [rule] author = ["Elastic"] @@ -15,19 +15,16 @@ index = ["endgame-*"] interval = "10m" language = "kuery" license = "Elastic License v2" -max_signals = 10000 +max_signals = 1000 name = "Credential Dumping - Detected - Elastic Endgame" risk_score = 73 rule_id = "571afc56-5ed9-465d-a2a9-045f099f6e7e" setup = """## Setup -This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. +### Additional notes -**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. - -To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. - -**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" +For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). +""" severity = "high" tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide"] timestamp_override = "event.ingested" diff --git a/rules/promotions/credential_access_endgame_cred_dumping_prevented.toml b/rules/promotions/credential_access_endgame_cred_dumping_prevented.toml index ed000beca84..71a8606bbae 100644 --- a/rules/promotions/credential_access_endgame_cred_dumping_prevented.toml +++ b/rules/promotions/credential_access_endgame_cred_dumping_prevented.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" maturity = "production" promotion = true -updated_date = "2025/01/15" +updated_date = "2025/03/21" [rule] author = ["Elastic"] @@ -15,19 +15,16 @@ index = ["endgame-*"] interval = "10m" language = "kuery" license = "Elastic License v2" -max_signals = 10000 +max_signals = 1000 name = "Credential Dumping - Prevented - Elastic Endgame" risk_score = 47 rule_id = "db8c33a8-03cd-4988-9e2c-d0a4863adb13" setup = """## Setup -This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. +### Additional notes -**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. - -To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. - -**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" +For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). +""" severity = "medium" tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide"] timestamp_override = "event.ingested" diff --git a/rules/promotions/endgame_adversary_behavior_detected.toml b/rules/promotions/endgame_adversary_behavior_detected.toml index aab9803aab6..f3b7447bce1 100644 --- a/rules/promotions/endgame_adversary_behavior_detected.toml +++ b/rules/promotions/endgame_adversary_behavior_detected.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" maturity = "production" promotion = true -updated_date = "2025/01/15" +updated_date = "2025/03/21" [rule] author = ["Elastic"] @@ -21,13 +21,10 @@ risk_score = 47 rule_id = "77a3c3df-8ec4-4da4-b758-878f551dee69" setup = """## Setup -This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. +### Additional notes -**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. - -To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. - -**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" +For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). +""" severity = "medium" tags = ["Data Source: Elastic Endgame", "Resources: Investigation Guide"] timestamp_override = "event.ingested" diff --git a/rules/promotions/endgame_malware_detected.toml b/rules/promotions/endgame_malware_detected.toml index 31bbc4f7634..8b086d882a7 100644 --- a/rules/promotions/endgame_malware_detected.toml +++ b/rules/promotions/endgame_malware_detected.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" maturity = "production" promotion = true -updated_date = "2025/01/15" +updated_date = "2025/03/21" [rule] author = ["Elastic"] @@ -15,19 +15,16 @@ index = ["endgame-*"] interval = "10m" language = "kuery" license = "Elastic License v2" -max_signals = 10000 +max_signals = 1000 name = "Malware - Detected - Elastic Endgame" risk_score = 99 rule_id = "0a97b20f-4144-49ea-be32-b540ecc445de" setup = """## Setup -This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. +### Additional notes -**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. - -To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. - -**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" +For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). +""" severity = "critical" tags = ["Data Source: Elastic Endgame", "Resources: Investigation Guide"] timestamp_override = "event.ingested" diff --git a/rules/promotions/endgame_malware_prevented.toml b/rules/promotions/endgame_malware_prevented.toml index 467ddcf812c..1b23ca98399 100644 --- a/rules/promotions/endgame_malware_prevented.toml +++ b/rules/promotions/endgame_malware_prevented.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" maturity = "production" promotion = true -updated_date = "2025/01/15" +updated_date = "2025/03/21" [rule] author = ["Elastic"] @@ -15,19 +15,16 @@ index = ["endgame-*"] interval = "10m" language = "kuery" license = "Elastic License v2" -max_signals = 10000 +max_signals = 1000 name = "Malware - Prevented - Elastic Endgame" risk_score = 73 rule_id = "3b382770-efbb-44f4-beed-f5e0a051b895" setup = """## Setup -This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. +### Additional notes -**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. - -To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. - -**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" +For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). +""" severity = "high" tags = ["Data Source: Elastic Endgame", "Resources: Investigation Guide"] timestamp_override = "event.ingested" diff --git a/rules/promotions/endgame_ransomware_detected.toml b/rules/promotions/endgame_ransomware_detected.toml index 9d23dc1b843..1fce3d200e9 100644 --- a/rules/promotions/endgame_ransomware_detected.toml +++ b/rules/promotions/endgame_ransomware_detected.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" maturity = "production" promotion = true -updated_date = "2025/01/15" +updated_date = "2025/03/21" [rule] author = ["Elastic"] @@ -15,19 +15,15 @@ index = ["endgame-*"] interval = "10m" language = "kuery" license = "Elastic License v2" -max_signals = 10000 +max_signals = 1000 name = "Ransomware - Detected - Elastic Endgame" risk_score = 99 rule_id = "8cb4f625-7743-4dfb-ae1b-ad92be9df7bd" setup = """## Setup +### Additional notes -This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. - -**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. - -To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. - -**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" +For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). +""" severity = "critical" tags = ["Data Source: Elastic Endgame", "Resources: Investigation Guide"] timestamp_override = "event.ingested" diff --git a/rules/promotions/endgame_ransomware_prevented.toml b/rules/promotions/endgame_ransomware_prevented.toml index b32b9b36ac8..1b74f59e20a 100644 --- a/rules/promotions/endgame_ransomware_prevented.toml +++ b/rules/promotions/endgame_ransomware_prevented.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" maturity = "production" promotion = true -updated_date = "2025/01/15" +updated_date = "2025/03/21" [rule] author = ["Elastic"] @@ -15,19 +15,16 @@ index = ["endgame-*"] interval = "10m" language = "kuery" license = "Elastic License v2" -max_signals = 10000 +max_signals = 1000 name = "Ransomware - Prevented - Elastic Endgame" risk_score = 73 rule_id = "e3c5d5cb-41d5-4206-805c-f30561eae3ac" setup = """## Setup -This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. +### Additional notes -**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. - -To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. - -**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" +For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). +""" severity = "high" tags = ["Data Source: Elastic Endgame", "Resources: Investigation Guide"] timestamp_override = "event.ingested" diff --git a/rules/promotions/execution_endgame_exploit_detected.toml b/rules/promotions/execution_endgame_exploit_detected.toml index d47aedb63de..407b912e050 100644 --- a/rules/promotions/execution_endgame_exploit_detected.toml +++ b/rules/promotions/execution_endgame_exploit_detected.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" maturity = "production" promotion = true -updated_date = "2025/01/15" +updated_date = "2025/03/21" [rule] author = ["Elastic"] @@ -15,19 +15,16 @@ index = ["endgame-*"] interval = "10m" language = "kuery" license = "Elastic License v2" -max_signals = 10000 +max_signals = 1000 name = "Exploit - Detected - Elastic Endgame" risk_score = 73 rule_id = "2003cdc8-8d83-4aa5-b132-1f9a8eb48514" setup = """## Setup -This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. +### Additional notes -**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. - -To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. - -**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" +For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). +""" severity = "high" tags = [ "Data Source: Elastic Endgame", diff --git a/rules/promotions/execution_endgame_exploit_prevented.toml b/rules/promotions/execution_endgame_exploit_prevented.toml index 9666184c917..ee42d263ab0 100644 --- a/rules/promotions/execution_endgame_exploit_prevented.toml +++ b/rules/promotions/execution_endgame_exploit_prevented.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" maturity = "production" promotion = true -updated_date = "2025/01/15" +updated_date = "2025/03/21" [rule] author = ["Elastic"] @@ -15,19 +15,16 @@ index = ["endgame-*"] interval = "10m" language = "kuery" license = "Elastic License v2" -max_signals = 10000 +max_signals = 1000 name = "Exploit - Prevented - Elastic Endgame" risk_score = 47 rule_id = "2863ffeb-bf77-44dd-b7a5-93ef94b72036" setup = """## Setup -This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. +### Additional notes -**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. - -To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. - -**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" +For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). +""" severity = "medium" tags = [ "Data Source: Elastic Endgame", diff --git a/rules/promotions/external_alerts.toml b/rules/promotions/external_alerts.toml index 98fd75797e7..914f8fdb1e5 100644 --- a/rules/promotions/external_alerts.toml +++ b/rules/promotions/external_alerts.toml @@ -2,7 +2,7 @@ creation_date = "2020/07/08" maturity = "production" promotion = true -updated_date = "2025/01/15" +updated_date = "2025/03/21" [rule] author = ["Elastic"] @@ -21,20 +21,17 @@ index = [ ] language = "kuery" license = "Elastic License v2" -max_signals = 10000 +max_signals = 1000 name = "External Alerts" risk_score = 47 rule_id = "eb079c62-4481-4d6e-9643-3ca499df7aaa" rule_name_override = "message" setup = """## Setup -This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. +### Additional notes -**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. - -To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. - -**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" +For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). +""" severity = "medium" tags = ["OS: Windows", "Data Source: APM", "OS: macOS", "OS: Linux", "Resources: Investigation Guide"] timestamp_override = "event.ingested" diff --git a/rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml b/rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml index f0314e447df..1b99da186e5 100644 --- a/rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml +++ b/rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" maturity = "production" promotion = true -updated_date = "2025/01/15" +updated_date = "2025/03/21" [rule] author = ["Elastic"] @@ -15,19 +15,16 @@ index = ["endgame-*"] interval = "10m" language = "kuery" license = "Elastic License v2" -max_signals = 10000 +max_signals = 1000 name = "Credential Manipulation - Detected - Elastic Endgame" risk_score = 73 rule_id = "c0be5f31-e180-48ed-aa08-96b36899d48f" setup = """## Setup -This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. +### Additional notes -**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. - -To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. - -**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" +For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). +""" severity = "high" tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide"] timestamp_override = "event.ingested" diff --git a/rules/promotions/privilege_escalation_endgame_cred_manipulation_prevented.toml b/rules/promotions/privilege_escalation_endgame_cred_manipulation_prevented.toml index 25e26765377..23dba0db25f 100644 --- a/rules/promotions/privilege_escalation_endgame_cred_manipulation_prevented.toml +++ b/rules/promotions/privilege_escalation_endgame_cred_manipulation_prevented.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" maturity = "production" promotion = true -updated_date = "2025/01/15" +updated_date = "2025/03/21" [rule] author = ["Elastic"] @@ -15,19 +15,16 @@ index = ["endgame-*"] interval = "10m" language = "kuery" license = "Elastic License v2" -max_signals = 10000 +max_signals = 1000 name = "Credential Manipulation - Prevented - Elastic Endgame" risk_score = 47 rule_id = "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa" setup = """## Setup -This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. +### Additional notes -**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. - -To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. - -**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" +For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). +""" severity = "medium" tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide"] timestamp_override = "event.ingested" diff --git a/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml b/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml index 91f88ec9639..605e73da2e4 100644 --- a/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml +++ b/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" maturity = "production" promotion = true -updated_date = "2025/01/15" +updated_date = "2025/03/21" [rule] author = ["Elastic"] @@ -15,19 +15,16 @@ index = ["endgame-*"] interval = "10m" language = "kuery" license = "Elastic License v2" -max_signals = 10000 +max_signals = 1000 name = "Permission Theft - Detected - Elastic Endgame" risk_score = 73 rule_id = "c3167e1b-f73c-41be-b60b-87f4df707fe3" setup = """## Setup -This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. +### Additional notes -**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. - -To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. - -**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" +For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). +""" severity = "high" tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide"] timestamp_override = "event.ingested" diff --git a/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml b/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml index 5e40431547a..1a546d88d02 100644 --- a/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml +++ b/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" maturity = "production" promotion = true -updated_date = "2025/01/15" +updated_date = "2025/03/21" [rule] author = ["Elastic"] @@ -15,19 +15,16 @@ index = ["endgame-*"] interval = "10m" language = "kuery" license = "Elastic License v2" -max_signals = 10000 +max_signals = 1000 name = "Permission Theft - Prevented - Elastic Endgame" risk_score = 47 rule_id = "453f659e-0429-40b1-bfdb-b6957286e04b" setup = """## Setup -This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. +### Additional notes -**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. - -To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. - -**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" +For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). +""" severity = "medium" tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide"] timestamp_override = "event.ingested" diff --git a/rules/promotions/privilege_escalation_endgame_process_injection_detected.toml b/rules/promotions/privilege_escalation_endgame_process_injection_detected.toml index 4294a157d34..c7d161c83e1 100644 --- a/rules/promotions/privilege_escalation_endgame_process_injection_detected.toml +++ b/rules/promotions/privilege_escalation_endgame_process_injection_detected.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" maturity = "production" promotion = true -updated_date = "2025/01/15" +updated_date = "2025/03/21" [rule] author = ["Elastic"] @@ -15,19 +15,16 @@ index = ["endgame-*"] interval = "10m" language = "kuery" license = "Elastic License v2" -max_signals = 10000 +max_signals = 1000 name = "Process Injection - Detected - Elastic Endgame" risk_score = 73 rule_id = "80c52164-c82a-402c-9964-852533d58be1" setup = """## Setup -This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. +### Additional notes -**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. - -To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. - -**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" +For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). +""" severity = "high" tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide"] timestamp_override = "event.ingested" diff --git a/rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml b/rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml index 296341418d8..4463d21ade7 100644 --- a/rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml +++ b/rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" maturity = "production" promotion = true -updated_date = "2025/01/15" +updated_date = "2025/03/21" [rule] author = ["Elastic"] @@ -15,19 +15,16 @@ index = ["endgame-*"] interval = "10m" language = "kuery" license = "Elastic License v2" -max_signals = 10000 +max_signals = 1000 name = "Process Injection - Prevented - Elastic Endgame" risk_score = 47 rule_id = "990838aa-a953-4f3e-b3cb-6ddf7584de9e" setup = """## Setup -This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. +### Additional notes -**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. - -To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. - -**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" +For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). +""" severity = "medium" tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide"] timestamp_override = "event.ingested" diff --git a/rules/threat_intel/threat_intel_rapid7_threat_command.toml b/rules/threat_intel/threat_intel_rapid7_threat_command.toml index 949b292ceda..7653b8e8d29 100644 --- a/rules/threat_intel/threat_intel_rapid7_threat_command.toml +++ b/rules/threat_intel/threat_intel_rapid7_threat_command.toml @@ -2,7 +2,7 @@ creation_date = "2024/05/29" integration = ["ti_rapid7_threat_command"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2025/03/21" [rule] author = ["Elastic"] @@ -15,7 +15,7 @@ index = ["auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "packetbeat-*", "wi interval = "30m" language = "kuery" license = "Elastic License v2" -max_signals = 10000 +max_signals = 1000 name = "Rapid7 Threat Command CVEs Correlation" note = """## Triage and analysis @@ -53,15 +53,9 @@ or a [custom integration](https://www.elastic.co/guide/en/security/current/es-th More information can be found [here](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html). -## Max Signals +### Additional notes -This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. - -**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. - -To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. - -**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects. +For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). """ severity = "critical" tags = [ From b34df64c521a8533a2384926a8036596d9164d62 Mon Sep 17 00:00:00 2001 From: Shashank K S Date: Mon, 24 Mar 2025 13:07:21 +0530 Subject: [PATCH 02/10] Modify Unit test and update rules --- ...s_cookies_chromium_browsers_debugging.toml | 8 +++- .../defense_evasion_timestomp_touch.toml | 6 ++- .../guided_onboarding_sample_rule.toml | 8 +++- ...ation_setuid_setgid_bit_set_via_chmod.toml | 8 +++- ...tential_linux_ssh_bruteforce_external.toml | 6 ++- ...tential_linux_ssh_bruteforce_internal.toml | 6 ++- ...defense_evasion_chattr_immutable_file.toml | 6 ++- .../defense_evasion_hidden_file_dir_tmp.toml | 6 ++- .../defense_evasion_hidden_shared_object.toml | 6 ++- ...suspicious_file_opened_through_editor.toml | 8 +++- ...very_potential_network_sweep_detected.toml | 8 +++- ...iscovery_potential_port_scan_detected.toml | 8 +++- ...very_potential_syn_port_scan_detected.toml | 8 +++- .../endgame_adversary_behavior_detected.toml | 2 +- ...ess_copy_ntds_sam_volshadowcp_cmdline.toml | 8 +++- ..._access_iis_connectionstrings_dumping.toml | 8 +++- ...ense_evasion_iis_httplogging_disabled.toml | 8 +++- tests/test_all_rules.py | 44 ++++++++++--------- 18 files changed, 124 insertions(+), 38 deletions(-) diff --git a/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml b/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml index e0b4e935489..ece42ef183d 100644 --- a/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml +++ b/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "system"] min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." min_stack_version = "8.14.0" maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/03/24" [rule] author = ["Elastic"] @@ -35,6 +35,12 @@ references = [ ] risk_score = 47 rule_id = "027ff9ea-85e7-42e3-99d2-bbb7069e02eb" +setup = """## Setup + +### Additional notes + +For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). +""" severity = "medium" tags = [ "Domain: Endpoint", diff --git a/rules/cross-platform/defense_evasion_timestomp_touch.toml b/rules/cross-platform/defense_evasion_timestomp_touch.toml index c2e470ee110..769a9e63958 100644 --- a/rules/cross-platform/defense_evasion_timestomp_touch.toml +++ b/rules/cross-platform/defense_evasion_timestomp_touch.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/03" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/03/24" [rule] author = ["Elastic"] @@ -25,6 +25,10 @@ events will not define `event.ingested` and default fallback for EQL rules was n Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate `event.ingested` to @timestamp. For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html + +### Additional notes + +For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). """ severity = "medium" tags = [ diff --git a/rules/cross-platform/guided_onboarding_sample_rule.toml b/rules/cross-platform/guided_onboarding_sample_rule.toml index a7b712595e0..f44ff499c8f 100644 --- a/rules/cross-platform/guided_onboarding_sample_rule.toml +++ b/rules/cross-platform/guided_onboarding_sample_rule.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2022/09/22" maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/03/24" [rule] author = ["Elastic"] @@ -63,6 +63,12 @@ This alert will show once every 24 hours for each host. It is safe to disable th references = ["https://www.elastic.co/guide/en/security/current/prebuilt-rules.html"] risk_score = 21 rule_id = "a198fbbd-9413-45ec-a269-47ae4ccf59ce" +setup = """## Setup + +### Additional notes + +For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). +""" severity = "low" tags = ["Use Case: Guided Onboarding", "Resources: Investigation Guide"] timestamp_override = "event.ingested" diff --git a/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml b/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml index 3b753299f55..88ff8606fab 100644 --- a/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml +++ b/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml @@ -2,7 +2,7 @@ creation_date = "2020/04/23" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/03/24" [rule] author = ["Elastic"] @@ -22,6 +22,12 @@ name = "SUID/SGID Bit Set" references = ["https://www.elastic.co/security-labs/primer-on-persistence-mechanisms"] risk_score = 21 rule_id = "8a1b0278-0f9a-487d-96bd-d4833298e87a" +setup = """## Setup + +### Additional notes + +For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). +""" severity = "low" tags = [ "Domain: Endpoint", diff --git a/rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml b/rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml index 4b29c61c900..29efdc8ce1a 100644 --- a/rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml +++ b/rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml @@ -2,7 +2,7 @@ creation_date = "2022/09/14" integration = ["system"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/03/24" [rule] author = ["Elastic"] @@ -75,6 +75,10 @@ Filebeat is a lightweight shipper for forwarding and centralizing log data. Inst - This rule requires the “Filebeat System Module” to be enabled. - The system module collects and parses logs created by the system logging service of common Unix/Linux based distributions. - To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html). + +### Additional notes + +For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). """ severity = "low" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide"] diff --git a/rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml b/rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml index b11e36ba5ed..168adee95a1 100644 --- a/rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml +++ b/rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml @@ -2,7 +2,7 @@ creation_date = "2023/02/21" integration = ["system"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/03/24" [rule] author = ["Elastic"] @@ -71,6 +71,10 @@ Filebeat is a lightweight shipper for forwarding and centralizing log data. Inst - This rule requires the “Filebeat System Module” to be enabled. - The system module collects and parses logs created by the system logging service of common Unix/Linux based distributions. - To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html). + +### Additional notes + +For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). """ severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide"] diff --git a/rules/linux/defense_evasion_chattr_immutable_file.toml b/rules/linux/defense_evasion_chattr_immutable_file.toml index acae70f730b..617f9495106 100644 --- a/rules/linux/defense_evasion_chattr_immutable_file.toml +++ b/rules/linux/defense_evasion_chattr_immutable_file.toml @@ -2,7 +2,7 @@ creation_date = "2022/07/22" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2025/03/24" [rule] author = ["Elastic"] @@ -93,6 +93,10 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit #### Custom Ingest Pipeline For versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html). + +### Additional notes + +For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). """ severity = "medium" tags = [ diff --git a/rules/linux/defense_evasion_hidden_file_dir_tmp.toml b/rules/linux/defense_evasion_hidden_file_dir_tmp.toml index ab2a7a74da8..21ac49649b4 100644 --- a/rules/linux/defense_evasion_hidden_file_dir_tmp.toml +++ b/rules/linux/defense_evasion_hidden_file_dir_tmp.toml @@ -2,7 +2,7 @@ creation_date = "2020/04/29" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/04" +updated_date = "2025/03/24" [rule] author = ["Elastic"] @@ -64,6 +64,10 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit #### Custom Ingest Pipeline For versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html). + +### Additional notes + +For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). """ severity = "medium" tags = [ diff --git a/rules/linux/defense_evasion_hidden_shared_object.toml b/rules/linux/defense_evasion_hidden_shared_object.toml index 5bcb15995f5..c5df41e2346 100644 --- a/rules/linux/defense_evasion_hidden_shared_object.toml +++ b/rules/linux/defense_evasion_hidden_shared_object.toml @@ -2,7 +2,7 @@ creation_date = "2022/07/20" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2025/03/24" [rule] author = ["Elastic"] @@ -92,6 +92,10 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit #### Custom Ingest Pipeline For versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html). + +### Additional notes + +For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). """ severity = "medium" tags = [ diff --git a/rules/linux/persistence_suspicious_file_opened_through_editor.toml b/rules/linux/persistence_suspicious_file_opened_through_editor.toml index a3db7c8cbe3..60023ecd055 100644 --- a/rules/linux/persistence_suspicious_file_opened_through_editor.toml +++ b/rules/linux/persistence_suspicious_file_opened_through_editor.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/25" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2025/03/24" [rule] author = ["Elastic"] @@ -56,6 +56,12 @@ In Linux environments, text editors create temporary swap files (.swp) during fi - Review and update system hardening measures, such as file permissions and access controls, to prevent similar incidents in the future.""" risk_score = 21 rule_id = "3728c08d-9b70-456b-b6b8-007c7d246128" +setup = """## Setup + +### Additional notes + +For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). +""" severity = "low" tags = [ "Domain: Endpoint", diff --git a/rules/network/discovery_potential_network_sweep_detected.toml b/rules/network/discovery_potential_network_sweep_detected.toml index 7520d59e1ef..4e558990d47 100644 --- a/rules/network/discovery_potential_network_sweep_detected.toml +++ b/rules/network/discovery_potential_network_sweep_detected.toml @@ -2,7 +2,7 @@ creation_date = "2023/05/17" integration = ["network_traffic", "panw"] maturity = "production" -updated_date = "2025/02/28" +updated_date = "2025/03/24" [rule] author = ["Elastic"] @@ -21,6 +21,12 @@ max_signals = 5 name = "Potential Network Sweep Detected" risk_score = 21 rule_id = "781f8746-2180-4691-890c-4c96d11ca91d" +setup = """## Setup + +### Additional notes + +For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). +""" severity = "low" tags = [ "Domain: Network", diff --git a/rules/network/discovery_potential_port_scan_detected.toml b/rules/network/discovery_potential_port_scan_detected.toml index 4ca3308aca5..0661ccd41de 100644 --- a/rules/network/discovery_potential_port_scan_detected.toml +++ b/rules/network/discovery_potential_port_scan_detected.toml @@ -2,7 +2,7 @@ creation_date = "2023/05/17" integration = ["network_traffic", "panw"] maturity = "production" -updated_date = "2025/02/28" +updated_date = "2025/03/24" [rule] author = ["Elastic"] @@ -22,6 +22,12 @@ max_signals = 5 name = "Potential Network Scan Detected" risk_score = 21 rule_id = "0171f283-ade7-4f87-9521-ac346c68cc9b" +setup = """## Setup + +### Additional notes + +For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). +""" severity = "low" tags = [ "Domain: Network", diff --git a/rules/network/discovery_potential_syn_port_scan_detected.toml b/rules/network/discovery_potential_syn_port_scan_detected.toml index 4a1cd603b41..17366b1a565 100644 --- a/rules/network/discovery_potential_syn_port_scan_detected.toml +++ b/rules/network/discovery_potential_syn_port_scan_detected.toml @@ -2,7 +2,7 @@ creation_date = "2023/05/17" integration = ["network_traffic", "panw"] maturity = "production" -updated_date = "2025/02/28" +updated_date = "2025/03/24" [rule] author = ["Elastic"] @@ -22,6 +22,12 @@ max_signals = 5 name = "Potential SYN-Based Port Scan Detected" risk_score = 21 rule_id = "bbaa96b9-f36c-4898-ace2-581acb00a409" +setup = """## Setup + +### Additional notes + +For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). +""" severity = "low" tags = [ "Domain: Network", diff --git a/rules/promotions/endgame_adversary_behavior_detected.toml b/rules/promotions/endgame_adversary_behavior_detected.toml index f3b7447bce1..5606647ab8c 100644 --- a/rules/promotions/endgame_adversary_behavior_detected.toml +++ b/rules/promotions/endgame_adversary_behavior_detected.toml @@ -15,7 +15,7 @@ index = ["endgame-*"] interval = "10m" language = "kuery" license = "Elastic License v2" -max_signals = 10000 +max_signals = 1000 name = "Adversary Behavior - Detected - Elastic Endgame" risk_score = 47 rule_id = "77a3c3df-8ec4-4da4-b758-878f551dee69" diff --git a/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml b/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml index 14e2e20d979..26fcbf63caf 100644 --- a/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml +++ b/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/24" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/03/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -118,6 +118,12 @@ references = [ ] risk_score = 73 rule_id = "3bc6deaa-fbd4-433a-ae21-3e892f95624f" +setup = """## Setup + +### Additional notes + +For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). +""" severity = "high" tags = [ "Domain: Endpoint", diff --git a/rules/windows/credential_access_iis_connectionstrings_dumping.toml b/rules/windows/credential_access_iis_connectionstrings_dumping.toml index 3982f2e52c9..58c626c33a1 100644 --- a/rules/windows/credential_access_iis_connectionstrings_dumping.toml +++ b/rules/windows/credential_access_iis_connectionstrings_dumping.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/03/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -35,6 +35,12 @@ references = [ ] risk_score = 73 rule_id = "c25e9c87-95e1-4368-bfab-9fd34cf867ec" +setup = """## Setup + +### Additional notes + +For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). +""" severity = "high" tags = [ "Domain: Endpoint", diff --git a/rules/windows/defense_evasion_iis_httplogging_disabled.toml b/rules/windows/defense_evasion_iis_httplogging_disabled.toml index 0dc79543403..106d2252a54 100644 --- a/rules/windows/defense_evasion_iis_httplogging_disabled.toml +++ b/rules/windows/defense_evasion_iis_httplogging_disabled.toml @@ -2,7 +2,7 @@ creation_date = "2020/04/14" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/03/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -64,6 +64,12 @@ This rule monitors commands that disable IIS logging. """ risk_score = 73 rule_id = "ebf1adea-ccf2-4943-8b96-7ab11ca173a5" +setup = """## Setup + +### Additional notes + +For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). +""" severity = "high" tags = [ "Domain: Endpoint", diff --git a/tests/test_all_rules.py b/tests/test_all_rules.py index 23160f00b98..4b535b4d300 100644 --- a/tests/test_all_rules.py +++ b/tests/test_all_rules.py @@ -132,28 +132,30 @@ def build_rule(query, bbr_type="default", from_field="now-120m", interval="60m") build_rule(query=query, from_field="now-10m", interval="10m") def test_max_signals_note(self): - """Ensure the max_signals note is present when max_signals > 1000.""" - max_signal_standard_setup = 'This rule is configured to generate more **Max alerts per run** than the ' \ - 'default 1000 alerts per run set for all rules. This is to ensure that it ' \ - "captures as many alerts as possible.\n\n**IMPORTANT:** The rule's " \ - '**Max alerts per run** setting can be superseded by the ' \ - '`xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines ' \ - 'the maximum alerts generated by _any_ rule in the Kibana alerting framework. ' \ - 'For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule ' \ - 'will still generate no more than 1000 alerts even if its own **Max alerts per ' \ - 'run** is set higher.\n\nTo make sure this rule can generate as many alerts as ' \ - "it's configured in its own **Max alerts per run** setting, increase the " \ - '`xpack.alerting.rules.run.alerts.max` system setting accordingly.\n\n**NOTE:** ' \ - 'Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless ' \ - 'projects.' + """Ensure the max_signals note is present and max_signals <= 1000.""" + max_signal_standard_setup = 'For information about troubleshooting maximum alerts warning '\ + 'please refer to this [guide]'\ + '(https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).' + failures = [] + for rule in self.all_rules: - if rule.contents.data.max_signals and rule.contents.data.max_signals > 1000: - error_message = f'{self.rule_str(rule)} note required for max_signals > 1000' - self.assertIsNotNone(rule.contents.data.setup, error_message) - if max_signal_standard_setup not in rule.contents.data.setup: - self.fail(f'{self.rule_str(rule)} expected max_signals note missing\n\n' - f'Expected: {max_signal_standard_setup}\n\n' - f'Actual: {rule.contents.data.setup}') + max_signals = rule.contents.data.get('max_signals') + setup_note = rule.contents.data.get('setup') + + # Check if max_signals is defined + if max_signals is not None: + # Fail if max_signals > 1000 + if max_signals > 1000: + failures.append(f'{self.rule_str(rule)} max_signals cannot exceed 1000.') + # Check if the predefined note is present in the setup field + if setup_note is None or max_signal_standard_setup not in setup_note: + failures.append( + f'{self.rule_str(rule)} expected max_signals note missing\n\n' + ) + + if failures: + fail_msg = "The following rules failed the max_signals validation:\n" + self.fail(fail_msg + '\n'.join(failures)) def test_from_filed_value(self): """ Add "from" Field Validation for All Rules""" From 2edae6a6d6a45475e1e85dd51b2112c66d4f67e4 Mon Sep 17 00:00:00 2001 From: Shashank K S Date: Mon, 24 Mar 2025 13:11:21 +0530 Subject: [PATCH 03/10] Fix Lint issues --- tests/test_all_rules.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/test_all_rules.py b/tests/test_all_rules.py index 4b535b4d300..51f7c00d598 100644 --- a/tests/test_all_rules.py +++ b/tests/test_all_rules.py @@ -135,7 +135,7 @@ def test_max_signals_note(self): """Ensure the max_signals note is present and max_signals <= 1000.""" max_signal_standard_setup = 'For information about troubleshooting maximum alerts warning '\ 'please refer to this [guide]'\ - '(https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).' + '(https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).' # noqa: E501 failures = [] for rule in self.all_rules: @@ -151,7 +151,7 @@ def test_max_signals_note(self): if setup_note is None or max_signal_standard_setup not in setup_note: failures.append( f'{self.rule_str(rule)} expected max_signals note missing\n\n' - ) + ) if failures: fail_msg = "The following rules failed the max_signals validation:\n" From fff2995f381406a9dc01b307fa4056ba4058bd86 Mon Sep 17 00:00:00 2001 From: Shashank K S Date: Mon, 24 Mar 2025 13:16:16 +0530 Subject: [PATCH 04/10] Fix Lint issues --- tests/test_all_rules.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/test_all_rules.py b/tests/test_all_rules.py index 51f7c00d598..311e3de755c 100644 --- a/tests/test_all_rules.py +++ b/tests/test_all_rules.py @@ -135,7 +135,7 @@ def test_max_signals_note(self): """Ensure the max_signals note is present and max_signals <= 1000.""" max_signal_standard_setup = 'For information about troubleshooting maximum alerts warning '\ 'please refer to this [guide]'\ - '(https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).' # noqa: E501 + '(https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).' # noqa: E501 failures = [] for rule in self.all_rules: From 0f5a19890f1052bc9e08edea8ba80fd16cb998e6 Mon Sep 17 00:00:00 2001 From: Shashank K S Date: Wed, 26 Mar 2025 21:42:13 +0530 Subject: [PATCH 05/10] Update rules based on review comments --- pyproject.toml | 2 +- ...s_cookies_chromium_browsers_debugging.toml | 80 +++++++++---------- .../defense_evasion_timestomp_touch.toml | 6 +- .../guided_onboarding_sample_rule.toml | 8 +- ...ation_setuid_setgid_bit_set_via_chmod.toml | 8 +- ...tential_linux_ssh_bruteforce_external.toml | 6 +- ...tential_linux_ssh_bruteforce_internal.toml | 6 +- ...defense_evasion_chattr_immutable_file.toml | 6 +- .../defense_evasion_hidden_file_dir_tmp.toml | 6 +- .../defense_evasion_hidden_shared_object.toml | 6 +- ...suspicious_file_opened_through_editor.toml | 8 +- ...very_potential_network_sweep_detected.toml | 8 +- ...iscovery_potential_port_scan_detected.toml | 8 +- ...very_potential_syn_port_scan_detected.toml | 8 +- ...ess_copy_ntds_sam_volshadowcp_cmdline.toml | 10 +-- ..._access_iis_connectionstrings_dumping.toml | 68 ++++++++-------- ...ense_evasion_iis_httplogging_disabled.toml | 10 +-- tests/test_all_rules.py | 31 +++---- 18 files changed, 100 insertions(+), 185 deletions(-) diff --git a/pyproject.toml b/pyproject.toml index 0cf991bb4e7..986cf0df5b7 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -1,6 +1,6 @@ [project] name = "detection_rules" -version = "1.0.2" +version = "1.0.3" description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine." readme = "README.md" requires-python = ">=3.12" diff --git a/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml b/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml index bdb902d6f00..e0b4e935489 100644 --- a/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml +++ b/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml @@ -1,8 +1,10 @@ [metadata] creation_date = "2020/12/21" integration = ["endpoint", "windows", "system"] +min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +min_stack_version = "8.14.0" maturity = "production" -updated_date = "2025/03/24" +updated_date = "2025/02/21" [rule] author = ["Elastic"] @@ -25,41 +27,6 @@ language = "eql" license = "Elastic License v2" max_signals = 33 name = "Potential Cookies Theft via Browser Debugging" -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Potential Cookies Theft via Browser Debugging - -Chromium-based browsers support debugging features that allow developers to inspect and modify web applications. Adversaries can exploit these features to access session cookies, enabling unauthorized access to web services. The detection rule identifies suspicious browser processes using debugging arguments, which may indicate cookie theft attempts, by monitoring specific process names and arguments across different operating systems. - -### Possible investigation steps - -- Review the process details to confirm the presence of suspicious debugging arguments such as "--remote-debugging-port=*", "--remote-debugging-targets=*", or "--remote-debugging-pipe=*". Check if these arguments were used in conjunction with "--user-data-dir=*" and ensure "--remote-debugging-port=0" is not present. -- Identify the user account associated with the suspicious browser process to determine if it aligns with expected behavior or if it might be compromised. -- Investigate the source IP address and network activity associated with the process to identify any unusual or unauthorized access patterns. -- Check for any recent changes or anomalies in the user's account activity, such as unexpected logins or access to sensitive applications. -- Correlate the event with other security alerts or logs to identify if this activity is part of a broader attack pattern or campaign. -- If possible, capture and analyze the network traffic associated with the process to detect any data exfiltration attempts or communication with known malicious IP addresses. - -### False positive analysis - -- Development and testing activities may trigger the rule when developers use debugging features for legitimate purposes. To manage this, create exceptions for known developer machines or user accounts frequently involved in web application development. -- Automated testing frameworks that utilize browser debugging for testing web applications can also cause false positives. Identify and exclude processes initiated by these frameworks by specifying their unique process names or user accounts. -- Browser extensions or tools that rely on debugging ports for functionality might be flagged. Review and whitelist these extensions or tools if they are verified as safe and necessary for business operations. -- Remote support or troubleshooting sessions using debugging features can be mistaken for suspicious activity. Implement a policy to log and review such sessions, allowing exceptions for recognized support tools or personnel. -- Continuous integration/continuous deployment (CI/CD) pipelines that involve browser automation may inadvertently match the rule criteria. Exclude these processes by identifying and filtering based on the CI/CD system's user accounts or process identifiers. - -### Response and remediation - -- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration. -- Terminate any suspicious browser processes identified with debugging arguments to stop potential cookie theft in progress. -- Conduct a thorough review of access logs for the affected web applications or services to identify any unauthorized access attempts using stolen cookies. -- Invalidate all active sessions for the affected user accounts and force a re-authentication to ensure that any stolen session cookies are rendered useless. -- Implement stricter browser security policies, such as disabling remote debugging features in production environments, to prevent similar exploitation in the future. -- Escalate the incident to the security operations team for further investigation and to determine if additional systems or data have been compromised. -- Enhance monitoring and alerting for similar suspicious browser activities by refining detection rules and incorporating additional threat intelligence.""" references = [ "https://github.com/defaultnamehere/cookie_crimes", "https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/", @@ -68,12 +35,6 @@ references = [ ] risk_score = 47 rule_id = "027ff9ea-85e7-42e3-99d2-bbb7069e02eb" -setup = """## Setup - -### Additional notes - -For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). -""" severity = "medium" tags = [ "Domain: Endpoint", @@ -105,6 +66,41 @@ process where event.type in ("start", "process_started", "info") and "--remote-debugging-pipe=*") and process.args : "--user-data-dir=*" and not process.args:"--remote-debugging-port=0" ''' +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Potential Cookies Theft via Browser Debugging + +Chromium-based browsers support debugging features that allow developers to inspect and modify web applications. Adversaries can exploit these features to access session cookies, enabling unauthorized access to web services. The detection rule identifies suspicious browser processes using debugging arguments, which may indicate cookie theft attempts, by monitoring specific process names and arguments across different operating systems. + +### Possible investigation steps + +- Review the process details to confirm the presence of suspicious debugging arguments such as "--remote-debugging-port=*", "--remote-debugging-targets=*", or "--remote-debugging-pipe=*". Check if these arguments were used in conjunction with "--user-data-dir=*" and ensure "--remote-debugging-port=0" is not present. +- Identify the user account associated with the suspicious browser process to determine if it aligns with expected behavior or if it might be compromised. +- Investigate the source IP address and network activity associated with the process to identify any unusual or unauthorized access patterns. +- Check for any recent changes or anomalies in the user's account activity, such as unexpected logins or access to sensitive applications. +- Correlate the event with other security alerts or logs to identify if this activity is part of a broader attack pattern or campaign. +- If possible, capture and analyze the network traffic associated with the process to detect any data exfiltration attempts or communication with known malicious IP addresses. + +### False positive analysis + +- Development and testing activities may trigger the rule when developers use debugging features for legitimate purposes. To manage this, create exceptions for known developer machines or user accounts frequently involved in web application development. +- Automated testing frameworks that utilize browser debugging for testing web applications can also cause false positives. Identify and exclude processes initiated by these frameworks by specifying their unique process names or user accounts. +- Browser extensions or tools that rely on debugging ports for functionality might be flagged. Review and whitelist these extensions or tools if they are verified as safe and necessary for business operations. +- Remote support or troubleshooting sessions using debugging features can be mistaken for suspicious activity. Implement a policy to log and review such sessions, allowing exceptions for recognized support tools or personnel. +- Continuous integration/continuous deployment (CI/CD) pipelines that involve browser automation may inadvertently match the rule criteria. Exclude these processes by identifying and filtering based on the CI/CD system's user accounts or process identifiers. + +### Response and remediation + +- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration. +- Terminate any suspicious browser processes identified with debugging arguments to stop potential cookie theft in progress. +- Conduct a thorough review of access logs for the affected web applications or services to identify any unauthorized access attempts using stolen cookies. +- Invalidate all active sessions for the affected user accounts and force a re-authentication to ensure that any stolen session cookies are rendered useless. +- Implement stricter browser security policies, such as disabling remote debugging features in production environments, to prevent similar exploitation in the future. +- Escalate the incident to the security operations team for further investigation and to determine if additional systems or data have been compromised. +- Enhance monitoring and alerting for similar suspicious browser activities by refining detection rules and incorporating additional threat intelligence.""" [[rule.threat]] diff --git a/rules/cross-platform/defense_evasion_timestomp_touch.toml b/rules/cross-platform/defense_evasion_timestomp_touch.toml index 769a9e63958..c2e470ee110 100644 --- a/rules/cross-platform/defense_evasion_timestomp_touch.toml +++ b/rules/cross-platform/defense_evasion_timestomp_touch.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/03" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/24" +updated_date = "2025/01/15" [rule] author = ["Elastic"] @@ -25,10 +25,6 @@ events will not define `event.ingested` and default fallback for EQL rules was n Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate `event.ingested` to @timestamp. For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html - -### Additional notes - -For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). """ severity = "medium" tags = [ diff --git a/rules/cross-platform/guided_onboarding_sample_rule.toml b/rules/cross-platform/guided_onboarding_sample_rule.toml index f44ff499c8f..a7b712595e0 100644 --- a/rules/cross-platform/guided_onboarding_sample_rule.toml +++ b/rules/cross-platform/guided_onboarding_sample_rule.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2022/09/22" maturity = "production" -updated_date = "2025/03/24" +updated_date = "2025/01/15" [rule] author = ["Elastic"] @@ -63,12 +63,6 @@ This alert will show once every 24 hours for each host. It is safe to disable th references = ["https://www.elastic.co/guide/en/security/current/prebuilt-rules.html"] risk_score = 21 rule_id = "a198fbbd-9413-45ec-a269-47ae4ccf59ce" -setup = """## Setup - -### Additional notes - -For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). -""" severity = "low" tags = ["Use Case: Guided Onboarding", "Resources: Investigation Guide"] timestamp_override = "event.ingested" diff --git a/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml b/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml index 88ff8606fab..3b753299f55 100644 --- a/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml +++ b/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml @@ -2,7 +2,7 @@ creation_date = "2020/04/23" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/24" +updated_date = "2025/01/15" [rule] author = ["Elastic"] @@ -22,12 +22,6 @@ name = "SUID/SGID Bit Set" references = ["https://www.elastic.co/security-labs/primer-on-persistence-mechanisms"] risk_score = 21 rule_id = "8a1b0278-0f9a-487d-96bd-d4833298e87a" -setup = """## Setup - -### Additional notes - -For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). -""" severity = "low" tags = [ "Domain: Endpoint", diff --git a/rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml b/rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml index 29efdc8ce1a..4b29c61c900 100644 --- a/rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml +++ b/rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml @@ -2,7 +2,7 @@ creation_date = "2022/09/14" integration = ["system"] maturity = "production" -updated_date = "2025/03/24" +updated_date = "2025/01/15" [rule] author = ["Elastic"] @@ -75,10 +75,6 @@ Filebeat is a lightweight shipper for forwarding and centralizing log data. Inst - This rule requires the “Filebeat System Module” to be enabled. - The system module collects and parses logs created by the system logging service of common Unix/Linux based distributions. - To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html). - -### Additional notes - -For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). """ severity = "low" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide"] diff --git a/rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml b/rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml index 168adee95a1..b11e36ba5ed 100644 --- a/rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml +++ b/rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml @@ -2,7 +2,7 @@ creation_date = "2023/02/21" integration = ["system"] maturity = "production" -updated_date = "2025/03/24" +updated_date = "2025/01/15" [rule] author = ["Elastic"] @@ -71,10 +71,6 @@ Filebeat is a lightweight shipper for forwarding and centralizing log data. Inst - This rule requires the “Filebeat System Module” to be enabled. - The system module collects and parses logs created by the system logging service of common Unix/Linux based distributions. - To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html). - -### Additional notes - -For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). """ severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide"] diff --git a/rules/linux/defense_evasion_chattr_immutable_file.toml b/rules/linux/defense_evasion_chattr_immutable_file.toml index 617f9495106..acae70f730b 100644 --- a/rules/linux/defense_evasion_chattr_immutable_file.toml +++ b/rules/linux/defense_evasion_chattr_immutable_file.toml @@ -2,7 +2,7 @@ creation_date = "2022/07/22" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/24" +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -93,10 +93,6 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit #### Custom Ingest Pipeline For versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html). - -### Additional notes - -For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). """ severity = "medium" tags = [ diff --git a/rules/linux/defense_evasion_hidden_file_dir_tmp.toml b/rules/linux/defense_evasion_hidden_file_dir_tmp.toml index 21ac49649b4..ab2a7a74da8 100644 --- a/rules/linux/defense_evasion_hidden_file_dir_tmp.toml +++ b/rules/linux/defense_evasion_hidden_file_dir_tmp.toml @@ -2,7 +2,7 @@ creation_date = "2020/04/29" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/24" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -64,10 +64,6 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit #### Custom Ingest Pipeline For versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html). - -### Additional notes - -For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). """ severity = "medium" tags = [ diff --git a/rules/linux/defense_evasion_hidden_shared_object.toml b/rules/linux/defense_evasion_hidden_shared_object.toml index c5df41e2346..5bcb15995f5 100644 --- a/rules/linux/defense_evasion_hidden_shared_object.toml +++ b/rules/linux/defense_evasion_hidden_shared_object.toml @@ -2,7 +2,7 @@ creation_date = "2022/07/20" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/24" +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -92,10 +92,6 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit #### Custom Ingest Pipeline For versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html). - -### Additional notes - -For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). """ severity = "medium" tags = [ diff --git a/rules/linux/persistence_suspicious_file_opened_through_editor.toml b/rules/linux/persistence_suspicious_file_opened_through_editor.toml index 60023ecd055..a3db7c8cbe3 100644 --- a/rules/linux/persistence_suspicious_file_opened_through_editor.toml +++ b/rules/linux/persistence_suspicious_file_opened_through_editor.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/25" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/24" +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -56,12 +56,6 @@ In Linux environments, text editors create temporary swap files (.swp) during fi - Review and update system hardening measures, such as file permissions and access controls, to prevent similar incidents in the future.""" risk_score = 21 rule_id = "3728c08d-9b70-456b-b6b8-007c7d246128" -setup = """## Setup - -### Additional notes - -For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). -""" severity = "low" tags = [ "Domain: Endpoint", diff --git a/rules/network/discovery_potential_network_sweep_detected.toml b/rules/network/discovery_potential_network_sweep_detected.toml index 4e558990d47..7520d59e1ef 100644 --- a/rules/network/discovery_potential_network_sweep_detected.toml +++ b/rules/network/discovery_potential_network_sweep_detected.toml @@ -2,7 +2,7 @@ creation_date = "2023/05/17" integration = ["network_traffic", "panw"] maturity = "production" -updated_date = "2025/03/24" +updated_date = "2025/02/28" [rule] author = ["Elastic"] @@ -21,12 +21,6 @@ max_signals = 5 name = "Potential Network Sweep Detected" risk_score = 21 rule_id = "781f8746-2180-4691-890c-4c96d11ca91d" -setup = """## Setup - -### Additional notes - -For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). -""" severity = "low" tags = [ "Domain: Network", diff --git a/rules/network/discovery_potential_port_scan_detected.toml b/rules/network/discovery_potential_port_scan_detected.toml index 0661ccd41de..4ca3308aca5 100644 --- a/rules/network/discovery_potential_port_scan_detected.toml +++ b/rules/network/discovery_potential_port_scan_detected.toml @@ -2,7 +2,7 @@ creation_date = "2023/05/17" integration = ["network_traffic", "panw"] maturity = "production" -updated_date = "2025/03/24" +updated_date = "2025/02/28" [rule] author = ["Elastic"] @@ -22,12 +22,6 @@ max_signals = 5 name = "Potential Network Scan Detected" risk_score = 21 rule_id = "0171f283-ade7-4f87-9521-ac346c68cc9b" -setup = """## Setup - -### Additional notes - -For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). -""" severity = "low" tags = [ "Domain: Network", diff --git a/rules/network/discovery_potential_syn_port_scan_detected.toml b/rules/network/discovery_potential_syn_port_scan_detected.toml index 17366b1a565..4a1cd603b41 100644 --- a/rules/network/discovery_potential_syn_port_scan_detected.toml +++ b/rules/network/discovery_potential_syn_port_scan_detected.toml @@ -2,7 +2,7 @@ creation_date = "2023/05/17" integration = ["network_traffic", "panw"] maturity = "production" -updated_date = "2025/03/24" +updated_date = "2025/02/28" [rule] author = ["Elastic"] @@ -22,12 +22,6 @@ max_signals = 5 name = "Potential SYN-Based Port Scan Detected" risk_score = 21 rule_id = "bbaa96b9-f36c-4898-ace2-581acb00a409" -setup = """## Setup - -### Additional notes - -For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). -""" severity = "low" tags = [ "Domain: Network", diff --git a/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml b/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml index 34424e7bf60..14e2e20d979 100644 --- a/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml +++ b/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml @@ -2,7 +2,9 @@ creation_date = "2020/11/24" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/24" +updated_date = "2025/02/21" +min_stack_version = "8.14.0" +min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." [transform] [[transform.osquery]] @@ -116,12 +118,6 @@ references = [ ] risk_score = 73 rule_id = "3bc6deaa-fbd4-433a-ae21-3e892f95624f" -setup = """## Setup - -### Additional notes - -For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). -""" severity = "high" tags = [ "Domain: Endpoint", diff --git a/rules/windows/credential_access_iis_connectionstrings_dumping.toml b/rules/windows/credential_access_iis_connectionstrings_dumping.toml index cb148af760b..3982f2e52c9 100644 --- a/rules/windows/credential_access_iis_connectionstrings_dumping.toml +++ b/rules/windows/credential_access_iis_connectionstrings_dumping.toml @@ -2,7 +2,9 @@ creation_date = "2020/08/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/24" +updated_date = "2025/02/21" +min_stack_version = "8.14.0" +min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." [rule] author = ["Elastic"] @@ -27,6 +29,35 @@ language = "eql" license = "Elastic License v2" max_signals = 33 name = "Microsoft IIS Connection Strings Decryption" +references = [ + "https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia", +] +risk_score = 73 +rule_id = "c25e9c87-95e1-4368-bfab-9fd34cf867ec" +severity = "high" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Windows Security Event Logs", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Data Source: Crowdstrike", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +process where host.os.type == "windows" and event.type == "start" and + (process.name : "aspnet_regiis.exe" or ?process.pe.original_file_name == "aspnet_regiis.exe") and + process.args : "connectionStrings" and process.args : "-pdf" +''' note = """## Triage and analysis > **Disclaimer**: @@ -62,41 +93,6 @@ Microsoft IIS often stores sensitive connection strings in encrypted form to sec - Restore the IIS server from a known good backup taken before the compromise, ensuring that any webshells or malicious scripts are removed. - Implement enhanced monitoring and alerting for any future unauthorized use of aspnet_regiis.exe, focusing on the specific arguments used in the detection query. - Escalate the incident to the security operations center (SOC) or relevant incident response team for further investigation and to assess the broader impact on the organization.""" -references = [ - "https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia", -] -risk_score = 73 -rule_id = "c25e9c87-95e1-4368-bfab-9fd34cf867ec" -setup = """## Setup - -### Additional notes - -For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). -""" -severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Windows Security Event Logs", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: Sysmon", - "Data Source: SentinelOne", - "Data Source: Crowdstrike", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -process where host.os.type == "windows" and event.type == "start" and - (process.name : "aspnet_regiis.exe" or ?process.pe.original_file_name == "aspnet_regiis.exe") and - process.args : "connectionStrings" and process.args : "-pdf" -''' [[rule.threat]] diff --git a/rules/windows/defense_evasion_iis_httplogging_disabled.toml b/rules/windows/defense_evasion_iis_httplogging_disabled.toml index 39f8adadadb..0dc79543403 100644 --- a/rules/windows/defense_evasion_iis_httplogging_disabled.toml +++ b/rules/windows/defense_evasion_iis_httplogging_disabled.toml @@ -2,7 +2,9 @@ creation_date = "2020/04/14" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/24" +updated_date = "2025/02/21" +min_stack_version = "8.14.0" +min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." [rule] author = ["Elastic"] @@ -62,12 +64,6 @@ This rule monitors commands that disable IIS logging. """ risk_score = 73 rule_id = "ebf1adea-ccf2-4943-8b96-7ab11ca173a5" -setup = """## Setup - -### Additional notes - -For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). -""" severity = "high" tags = [ "Domain: Endpoint", diff --git a/tests/test_all_rules.py b/tests/test_all_rules.py index 311e3de755c..94d7a078e78 100644 --- a/tests/test_all_rules.py +++ b/tests/test_all_rules.py @@ -132,30 +132,21 @@ def build_rule(query, bbr_type="default", from_field="now-120m", interval="60m") build_rule(query=query, from_field="now-10m", interval="10m") def test_max_signals_note(self): - """Ensure the max_signals note is present and max_signals <= 1000.""" + """Ensure the max_signals note is present when max_signals > 1000.""" max_signal_standard_setup = 'For information about troubleshooting maximum alerts warning '\ 'please refer to this [guide]'\ '(https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).' # noqa: E501 - failures = [] - for rule in self.all_rules: - max_signals = rule.contents.data.get('max_signals') - setup_note = rule.contents.data.get('setup') - - # Check if max_signals is defined - if max_signals is not None: - # Fail if max_signals > 1000 - if max_signals > 1000: - failures.append(f'{self.rule_str(rule)} max_signals cannot exceed 1000.') - # Check if the predefined note is present in the setup field - if setup_note is None or max_signal_standard_setup not in setup_note: - failures.append( - f'{self.rule_str(rule)} expected max_signals note missing\n\n' - ) - - if failures: - fail_msg = "The following rules failed the max_signals validation:\n" - self.fail(fail_msg + '\n'.join(failures)) + if rule.contents.data.max_signals and rule.contents.data.max_signals > 1000: + error_message = f'{self.rule_str(rule)} max_signals cannot exceed 1000.' + self.fail(f'{self.rule_str(rule)} max_signals cannot exceed 1000.') + if rule.contents.data.max_signals and rule.contents.data.max_signals == 1000: + error_message = f'{self.rule_str(rule)} note required for max_signals == 1000' + self.assertIsNotNone(rule.contents.data.setup, error_message) + if max_signal_standard_setup not in rule.contents.data.setup: + self.fail(f'{self.rule_str(rule)} expected max_signals note missing\n\n' + f'Expected: {max_signal_standard_setup}\n\n' + f'Actual: {rule.contents.data.setup}') def test_from_filed_value(self): """ Add "from" Field Validation for All Rules""" From 508097bf2ad0f245d043f998cf66a0f33b737b41 Mon Sep 17 00:00:00 2001 From: Shashank K S Date: Wed, 26 Mar 2025 21:48:08 +0530 Subject: [PATCH 06/10] Update rule intervals based on aggred values --- .../credential_access_endgame_cred_dumping_detected.toml | 4 ++-- .../credential_access_endgame_cred_dumping_prevented.toml | 4 ++-- rules/promotions/endgame_adversary_behavior_detected.toml | 4 ++-- rules/promotions/endgame_malware_detected.toml | 4 ++-- rules/promotions/endgame_malware_prevented.toml | 4 ++-- rules/promotions/endgame_ransomware_detected.toml | 4 ++-- rules/promotions/endgame_ransomware_prevented.toml | 4 ++-- rules/promotions/execution_endgame_exploit_detected.toml | 4 ++-- rules/promotions/execution_endgame_exploit_prevented.toml | 4 ++-- ...ivilege_escalation_endgame_cred_manipulation_detected.toml | 4 ++-- ...vilege_escalation_endgame_cred_manipulation_prevented.toml | 4 ++-- ...rivilege_escalation_endgame_permission_theft_detected.toml | 4 ++-- ...ivilege_escalation_endgame_permission_theft_prevented.toml | 4 ++-- ...ivilege_escalation_endgame_process_injection_detected.toml | 4 ++-- ...vilege_escalation_endgame_process_injection_prevented.toml | 4 ++-- 15 files changed, 30 insertions(+), 30 deletions(-) diff --git a/rules/promotions/credential_access_endgame_cred_dumping_detected.toml b/rules/promotions/credential_access_endgame_cred_dumping_detected.toml index aca343f06c3..5082f2d604b 100644 --- a/rules/promotions/credential_access_endgame_cred_dumping_detected.toml +++ b/rules/promotions/credential_access_endgame_cred_dumping_detected.toml @@ -10,9 +10,9 @@ description = """ Elastic Endgame detected Credential Dumping. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. """ -from = "now-15m" +from = "now-2m" index = ["endgame-*"] -interval = "10m" +interval = "1m" language = "kuery" license = "Elastic License v2" max_signals = 1000 diff --git a/rules/promotions/credential_access_endgame_cred_dumping_prevented.toml b/rules/promotions/credential_access_endgame_cred_dumping_prevented.toml index 71a8606bbae..0b261d4a3ef 100644 --- a/rules/promotions/credential_access_endgame_cred_dumping_prevented.toml +++ b/rules/promotions/credential_access_endgame_cred_dumping_prevented.toml @@ -10,9 +10,9 @@ description = """ Elastic Endgame prevented Credential Dumping. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. """ -from = "now-15m" +from = "now-2m" index = ["endgame-*"] -interval = "10m" +interval = "1m" language = "kuery" license = "Elastic License v2" max_signals = 1000 diff --git a/rules/promotions/endgame_adversary_behavior_detected.toml b/rules/promotions/endgame_adversary_behavior_detected.toml index 5606647ab8c..a0c013ff09d 100644 --- a/rules/promotions/endgame_adversary_behavior_detected.toml +++ b/rules/promotions/endgame_adversary_behavior_detected.toml @@ -10,9 +10,9 @@ description = """ Elastic Endgame detected an Adversary Behavior. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. """ -from = "now-15m" +from = "now-2m" index = ["endgame-*"] -interval = "10m" +interval = "1m" language = "kuery" license = "Elastic License v2" max_signals = 1000 diff --git a/rules/promotions/endgame_malware_detected.toml b/rules/promotions/endgame_malware_detected.toml index 8b086d882a7..3644ccc5d43 100644 --- a/rules/promotions/endgame_malware_detected.toml +++ b/rules/promotions/endgame_malware_detected.toml @@ -10,9 +10,9 @@ description = """ Elastic Endgame detected Malware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. """ -from = "now-15m" +from = "now-2m" index = ["endgame-*"] -interval = "10m" +interval = "1m" language = "kuery" license = "Elastic License v2" max_signals = 1000 diff --git a/rules/promotions/endgame_malware_prevented.toml b/rules/promotions/endgame_malware_prevented.toml index 1b23ca98399..0a6b773f241 100644 --- a/rules/promotions/endgame_malware_prevented.toml +++ b/rules/promotions/endgame_malware_prevented.toml @@ -10,9 +10,9 @@ description = """ Elastic Endgame prevented Malware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. """ -from = "now-15m" +from = "now-2m" index = ["endgame-*"] -interval = "10m" +interval = "1m" language = "kuery" license = "Elastic License v2" max_signals = 1000 diff --git a/rules/promotions/endgame_ransomware_detected.toml b/rules/promotions/endgame_ransomware_detected.toml index 1fce3d200e9..b0171a32958 100644 --- a/rules/promotions/endgame_ransomware_detected.toml +++ b/rules/promotions/endgame_ransomware_detected.toml @@ -10,9 +10,9 @@ description = """ Elastic Endgame detected ransomware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. """ -from = "now-15m" +from = "now-2m" index = ["endgame-*"] -interval = "10m" +interval = "1m" language = "kuery" license = "Elastic License v2" max_signals = 1000 diff --git a/rules/promotions/endgame_ransomware_prevented.toml b/rules/promotions/endgame_ransomware_prevented.toml index 1b74f59e20a..cd945e66b44 100644 --- a/rules/promotions/endgame_ransomware_prevented.toml +++ b/rules/promotions/endgame_ransomware_prevented.toml @@ -10,9 +10,9 @@ description = """ Elastic Endgame prevented ransomware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. """ -from = "now-15m" +from = "now-2m" index = ["endgame-*"] -interval = "10m" +interval = "1m" language = "kuery" license = "Elastic License v2" max_signals = 1000 diff --git a/rules/promotions/execution_endgame_exploit_detected.toml b/rules/promotions/execution_endgame_exploit_detected.toml index 407b912e050..b2e547782eb 100644 --- a/rules/promotions/execution_endgame_exploit_detected.toml +++ b/rules/promotions/execution_endgame_exploit_detected.toml @@ -10,9 +10,9 @@ description = """ Elastic Endgame detected an Exploit. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. """ -from = "now-15m" +from = "now-2m" index = ["endgame-*"] -interval = "10m" +interval = "1m" language = "kuery" license = "Elastic License v2" max_signals = 1000 diff --git a/rules/promotions/execution_endgame_exploit_prevented.toml b/rules/promotions/execution_endgame_exploit_prevented.toml index ee42d263ab0..163aba074f1 100644 --- a/rules/promotions/execution_endgame_exploit_prevented.toml +++ b/rules/promotions/execution_endgame_exploit_prevented.toml @@ -10,9 +10,9 @@ description = """ Elastic Endgame prevented an Exploit. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. """ -from = "now-15m" +from = "now-2m" index = ["endgame-*"] -interval = "10m" +interval = "1m" language = "kuery" license = "Elastic License v2" max_signals = 1000 diff --git a/rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml b/rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml index 1b99da186e5..da991355420 100644 --- a/rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml +++ b/rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml @@ -10,9 +10,9 @@ description = """ Elastic Endgame detected Credential Manipulation. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. """ -from = "now-15m" +from = "now-2m" index = ["endgame-*"] -interval = "10m" +interval = "1m" language = "kuery" license = "Elastic License v2" max_signals = 1000 diff --git a/rules/promotions/privilege_escalation_endgame_cred_manipulation_prevented.toml b/rules/promotions/privilege_escalation_endgame_cred_manipulation_prevented.toml index 23dba0db25f..9aaa937eeb3 100644 --- a/rules/promotions/privilege_escalation_endgame_cred_manipulation_prevented.toml +++ b/rules/promotions/privilege_escalation_endgame_cred_manipulation_prevented.toml @@ -10,9 +10,9 @@ description = """ Elastic Endgame prevented Credential Manipulation. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. """ -from = "now-15m" +from = "now-2m" index = ["endgame-*"] -interval = "10m" +interval = "1m" language = "kuery" license = "Elastic License v2" max_signals = 1000 diff --git a/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml b/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml index 605e73da2e4..322c952590e 100644 --- a/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml +++ b/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml @@ -10,9 +10,9 @@ description = """ Elastic Endgame detected Permission Theft. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. """ -from = "now-15m" +from = "now-2m" index = ["endgame-*"] -interval = "10m" +interval = "1m" language = "kuery" license = "Elastic License v2" max_signals = 1000 diff --git a/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml b/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml index 1a546d88d02..14c309eb893 100644 --- a/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml +++ b/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml @@ -10,9 +10,9 @@ description = """ Elastic Endgame prevented Permission Theft. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. """ -from = "now-15m" +from = "now-2m" index = ["endgame-*"] -interval = "10m" +interval = "1m" language = "kuery" license = "Elastic License v2" max_signals = 1000 diff --git a/rules/promotions/privilege_escalation_endgame_process_injection_detected.toml b/rules/promotions/privilege_escalation_endgame_process_injection_detected.toml index c7d161c83e1..723ab063010 100644 --- a/rules/promotions/privilege_escalation_endgame_process_injection_detected.toml +++ b/rules/promotions/privilege_escalation_endgame_process_injection_detected.toml @@ -10,9 +10,9 @@ description = """ Elastic Endgame detected Process Injection. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. """ -from = "now-15m" +from = "now-2m" index = ["endgame-*"] -interval = "10m" +interval = "1m" language = "kuery" license = "Elastic License v2" max_signals = 1000 diff --git a/rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml b/rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml index 4463d21ade7..8f6cf13a7f4 100644 --- a/rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml +++ b/rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml @@ -10,9 +10,9 @@ description = """ Elastic Endgame prevented Process Injection. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. """ -from = "now-15m" +from = "now-1m" index = ["endgame-*"] -interval = "10m" +interval = "2m" language = "kuery" license = "Elastic License v2" max_signals = 1000 From c836382ef7b4f638677304faf3a70ea7b36b1976 Mon Sep 17 00:00:00 2001 From: Shashank K S Date: Wed, 26 Mar 2025 21:50:20 +0530 Subject: [PATCH 07/10] Update a rule from main --- ...s_cookies_chromium_browsers_debugging.toml | 74 +++++++++---------- 1 file changed, 36 insertions(+), 38 deletions(-) diff --git a/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml b/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml index e0b4e935489..8d556a3e47c 100644 --- a/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml +++ b/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml @@ -1,10 +1,8 @@ [metadata] creation_date = "2020/12/21" integration = ["endpoint", "windows", "system"] -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." -min_stack_version = "8.14.0" maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -27,6 +25,41 @@ language = "eql" license = "Elastic License v2" max_signals = 33 name = "Potential Cookies Theft via Browser Debugging" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Potential Cookies Theft via Browser Debugging + +Chromium-based browsers support debugging features that allow developers to inspect and modify web applications. Adversaries can exploit these features to access session cookies, enabling unauthorized access to web services. The detection rule identifies suspicious browser processes using debugging arguments, which may indicate cookie theft attempts, by monitoring specific process names and arguments across different operating systems. + +### Possible investigation steps + +- Review the process details to confirm the presence of suspicious debugging arguments such as "--remote-debugging-port=*", "--remote-debugging-targets=*", or "--remote-debugging-pipe=*". Check if these arguments were used in conjunction with "--user-data-dir=*" and ensure "--remote-debugging-port=0" is not present. +- Identify the user account associated with the suspicious browser process to determine if it aligns with expected behavior or if it might be compromised. +- Investigate the source IP address and network activity associated with the process to identify any unusual or unauthorized access patterns. +- Check for any recent changes or anomalies in the user's account activity, such as unexpected logins or access to sensitive applications. +- Correlate the event with other security alerts or logs to identify if this activity is part of a broader attack pattern or campaign. +- If possible, capture and analyze the network traffic associated with the process to detect any data exfiltration attempts or communication with known malicious IP addresses. + +### False positive analysis + +- Development and testing activities may trigger the rule when developers use debugging features for legitimate purposes. To manage this, create exceptions for known developer machines or user accounts frequently involved in web application development. +- Automated testing frameworks that utilize browser debugging for testing web applications can also cause false positives. Identify and exclude processes initiated by these frameworks by specifying their unique process names or user accounts. +- Browser extensions or tools that rely on debugging ports for functionality might be flagged. Review and whitelist these extensions or tools if they are verified as safe and necessary for business operations. +- Remote support or troubleshooting sessions using debugging features can be mistaken for suspicious activity. Implement a policy to log and review such sessions, allowing exceptions for recognized support tools or personnel. +- Continuous integration/continuous deployment (CI/CD) pipelines that involve browser automation may inadvertently match the rule criteria. Exclude these processes by identifying and filtering based on the CI/CD system's user accounts or process identifiers. + +### Response and remediation + +- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration. +- Terminate any suspicious browser processes identified with debugging arguments to stop potential cookie theft in progress. +- Conduct a thorough review of access logs for the affected web applications or services to identify any unauthorized access attempts using stolen cookies. +- Invalidate all active sessions for the affected user accounts and force a re-authentication to ensure that any stolen session cookies are rendered useless. +- Implement stricter browser security policies, such as disabling remote debugging features in production environments, to prevent similar exploitation in the future. +- Escalate the incident to the security operations team for further investigation and to determine if additional systems or data have been compromised. +- Enhance monitoring and alerting for similar suspicious browser activities by refining detection rules and incorporating additional threat intelligence.""" references = [ "https://github.com/defaultnamehere/cookie_crimes", "https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/", @@ -66,41 +99,6 @@ process where event.type in ("start", "process_started", "info") and "--remote-debugging-pipe=*") and process.args : "--user-data-dir=*" and not process.args:"--remote-debugging-port=0" ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Potential Cookies Theft via Browser Debugging - -Chromium-based browsers support debugging features that allow developers to inspect and modify web applications. Adversaries can exploit these features to access session cookies, enabling unauthorized access to web services. The detection rule identifies suspicious browser processes using debugging arguments, which may indicate cookie theft attempts, by monitoring specific process names and arguments across different operating systems. - -### Possible investigation steps - -- Review the process details to confirm the presence of suspicious debugging arguments such as "--remote-debugging-port=*", "--remote-debugging-targets=*", or "--remote-debugging-pipe=*". Check if these arguments were used in conjunction with "--user-data-dir=*" and ensure "--remote-debugging-port=0" is not present. -- Identify the user account associated with the suspicious browser process to determine if it aligns with expected behavior or if it might be compromised. -- Investigate the source IP address and network activity associated with the process to identify any unusual or unauthorized access patterns. -- Check for any recent changes or anomalies in the user's account activity, such as unexpected logins or access to sensitive applications. -- Correlate the event with other security alerts or logs to identify if this activity is part of a broader attack pattern or campaign. -- If possible, capture and analyze the network traffic associated with the process to detect any data exfiltration attempts or communication with known malicious IP addresses. - -### False positive analysis - -- Development and testing activities may trigger the rule when developers use debugging features for legitimate purposes. To manage this, create exceptions for known developer machines or user accounts frequently involved in web application development. -- Automated testing frameworks that utilize browser debugging for testing web applications can also cause false positives. Identify and exclude processes initiated by these frameworks by specifying their unique process names or user accounts. -- Browser extensions or tools that rely on debugging ports for functionality might be flagged. Review and whitelist these extensions or tools if they are verified as safe and necessary for business operations. -- Remote support or troubleshooting sessions using debugging features can be mistaken for suspicious activity. Implement a policy to log and review such sessions, allowing exceptions for recognized support tools or personnel. -- Continuous integration/continuous deployment (CI/CD) pipelines that involve browser automation may inadvertently match the rule criteria. Exclude these processes by identifying and filtering based on the CI/CD system's user accounts or process identifiers. - -### Response and remediation - -- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration. -- Terminate any suspicious browser processes identified with debugging arguments to stop potential cookie theft in progress. -- Conduct a thorough review of access logs for the affected web applications or services to identify any unauthorized access attempts using stolen cookies. -- Invalidate all active sessions for the affected user accounts and force a re-authentication to ensure that any stolen session cookies are rendered useless. -- Implement stricter browser security policies, such as disabling remote debugging features in production environments, to prevent similar exploitation in the future. -- Escalate the incident to the security operations team for further investigation and to determine if additional systems or data have been compromised. -- Enhance monitoring and alerting for similar suspicious browser activities by refining detection rules and incorporating additional threat intelligence.""" [[rule.threat]] From 010aa5973f3091b99a564dd56dc4fdfdee7824e3 Mon Sep 17 00:00:00 2001 From: Shashank K S Date: Wed, 26 Mar 2025 21:52:41 +0530 Subject: [PATCH 08/10] Update windows rule from main --- ...ess_copy_ntds_sam_volshadowcp_cmdline.toml | 4 +- ..._access_iis_connectionstrings_dumping.toml | 62 +++++++++---------- ...ense_evasion_iis_httplogging_disabled.toml | 4 +- 3 files changed, 32 insertions(+), 38 deletions(-) diff --git a/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml b/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml index 14e2e20d979..5057638d046 100644 --- a/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml +++ b/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/24" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [transform] [[transform.osquery]] diff --git a/rules/windows/credential_access_iis_connectionstrings_dumping.toml b/rules/windows/credential_access_iis_connectionstrings_dumping.toml index 3982f2e52c9..ad8287b9688 100644 --- a/rules/windows/credential_access_iis_connectionstrings_dumping.toml +++ b/rules/windows/credential_access_iis_connectionstrings_dumping.toml @@ -2,9 +2,7 @@ creation_date = "2020/08/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -29,35 +27,6 @@ language = "eql" license = "Elastic License v2" max_signals = 33 name = "Microsoft IIS Connection Strings Decryption" -references = [ - "https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia", -] -risk_score = 73 -rule_id = "c25e9c87-95e1-4368-bfab-9fd34cf867ec" -severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Windows Security Event Logs", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: Sysmon", - "Data Source: SentinelOne", - "Data Source: Crowdstrike", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -process where host.os.type == "windows" and event.type == "start" and - (process.name : "aspnet_regiis.exe" or ?process.pe.original_file_name == "aspnet_regiis.exe") and - process.args : "connectionStrings" and process.args : "-pdf" -''' note = """## Triage and analysis > **Disclaimer**: @@ -93,6 +62,35 @@ Microsoft IIS often stores sensitive connection strings in encrypted form to sec - Restore the IIS server from a known good backup taken before the compromise, ensuring that any webshells or malicious scripts are removed. - Implement enhanced monitoring and alerting for any future unauthorized use of aspnet_regiis.exe, focusing on the specific arguments used in the detection query. - Escalate the incident to the security operations center (SOC) or relevant incident response team for further investigation and to assess the broader impact on the organization.""" +references = [ + "https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia", +] +risk_score = 73 +rule_id = "c25e9c87-95e1-4368-bfab-9fd34cf867ec" +severity = "high" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Windows Security Event Logs", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Data Source: Crowdstrike", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +process where host.os.type == "windows" and event.type == "start" and + (process.name : "aspnet_regiis.exe" or ?process.pe.original_file_name == "aspnet_regiis.exe") and + process.args : "connectionStrings" and process.args : "-pdf" +''' [[rule.threat]] diff --git a/rules/windows/defense_evasion_iis_httplogging_disabled.toml b/rules/windows/defense_evasion_iis_httplogging_disabled.toml index 0dc79543403..60048de8eac 100644 --- a/rules/windows/defense_evasion_iis_httplogging_disabled.toml +++ b/rules/windows/defense_evasion_iis_httplogging_disabled.toml @@ -2,9 +2,7 @@ creation_date = "2020/04/14" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] From 9a77790b4f77984ef8fc79e153c539e3b6a1e99e Mon Sep 17 00:00:00 2001 From: Shashank K S Date: Wed, 26 Mar 2025 22:33:36 +0530 Subject: [PATCH 09/10] Review Comments --- rules/promotions/external_alerts.toml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/rules/promotions/external_alerts.toml b/rules/promotions/external_alerts.toml index 914f8fdb1e5..fb5226c5111 100644 --- a/rules/promotions/external_alerts.toml +++ b/rules/promotions/external_alerts.toml @@ -10,6 +10,7 @@ description = """ Generates a detection alert for each external alert written to the configured indices. Enabling this rule allows you to immediately begin investigating external alerts in the app. """ +from = "now-2m" index = [ "apm-*-transaction*", "traces-apm*", @@ -19,6 +20,7 @@ index = [ "packetbeat-*", "winlogbeat-*", ] +interval = "1m" language = "kuery" license = "Elastic License v2" max_signals = 1000 From 6f0d2f965b4c7e1563c39db96c94ec18470679c4 Mon Sep 17 00:00:00 2001 From: Shashank K S Date: Thu, 27 Mar 2025 08:51:07 +0530 Subject: [PATCH 10/10] Review Comments --- .../defense_evasion_elastic_memory_threat_detected.toml | 2 +- .../defense_evasion_elastic_memory_threat_prevented.toml | 2 +- rules/integrations/endpoint/elastic_endpoint_security.toml | 2 +- .../endpoint/elastic_endpoint_security_behavior_detected.toml | 2 +- .../endpoint/elastic_endpoint_security_behavior_prevented.toml | 2 +- .../endpoint/execution_elastic_malicious_file_detected.toml | 2 +- .../endpoint/execution_elastic_malicious_file_prevented.toml | 2 +- .../endpoint/impact_elastic_ransomware_detected.toml | 2 +- .../endpoint/impact_elastic_ransomware_prevented.toml | 2 +- .../credential_access_endgame_cred_dumping_detected.toml | 2 +- .../credential_access_endgame_cred_dumping_prevented.toml | 2 +- rules/promotions/endgame_adversary_behavior_detected.toml | 2 +- rules/promotions/endgame_malware_detected.toml | 2 +- rules/promotions/endgame_malware_prevented.toml | 2 +- rules/promotions/endgame_ransomware_detected.toml | 2 +- rules/promotions/endgame_ransomware_prevented.toml | 2 +- rules/promotions/execution_endgame_exploit_detected.toml | 2 +- rules/promotions/execution_endgame_exploit_prevented.toml | 2 +- rules/promotions/external_alerts.toml | 2 +- ...privilege_escalation_endgame_cred_manipulation_detected.toml | 2 +- ...rivilege_escalation_endgame_cred_manipulation_prevented.toml | 2 +- .../privilege_escalation_endgame_permission_theft_detected.toml | 2 +- ...privilege_escalation_endgame_permission_theft_prevented.toml | 2 +- ...privilege_escalation_endgame_process_injection_detected.toml | 2 +- ...rivilege_escalation_endgame_process_injection_prevented.toml | 2 +- rules/threat_intel/threat_intel_rapid7_threat_command.toml | 2 +- tests/test_all_rules.py | 2 +- 27 files changed, 27 insertions(+), 27 deletions(-) diff --git a/rules/integrations/endpoint/defense_evasion_elastic_memory_threat_detected.toml b/rules/integrations/endpoint/defense_evasion_elastic_memory_threat_detected.toml index 347ae4ec74d..6efe866ae2d 100644 --- a/rules/integrations/endpoint/defense_evasion_elastic_memory_threat_detected.toml +++ b/rules/integrations/endpoint/defense_evasion_elastic_memory_threat_detected.toml @@ -103,7 +103,7 @@ To avoid generating duplicate alerts, you should enable either all feature-speci ### Additional notes -For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). +For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). """ severity = "high" tags = ["Data Source: Elastic Defend", "Tactic: Defense Evasion", "Resources: Investigation Guide"] diff --git a/rules/integrations/endpoint/defense_evasion_elastic_memory_threat_prevented.toml b/rules/integrations/endpoint/defense_evasion_elastic_memory_threat_prevented.toml index 03627866904..30c8f39a92d 100644 --- a/rules/integrations/endpoint/defense_evasion_elastic_memory_threat_prevented.toml +++ b/rules/integrations/endpoint/defense_evasion_elastic_memory_threat_prevented.toml @@ -102,7 +102,7 @@ To avoid generating duplicate alerts, you should enable either all feature-speci ### Additional notes -For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). +For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). """ severity = "high" tags = ["Data Source: Elastic Defend", "Tactic: Defense Evasion", "Resources: Investigation Guide"] diff --git a/rules/integrations/endpoint/elastic_endpoint_security.toml b/rules/integrations/endpoint/elastic_endpoint_security.toml index b92b5349886..92653c37c11 100644 --- a/rules/integrations/endpoint/elastic_endpoint_security.toml +++ b/rules/integrations/endpoint/elastic_endpoint_security.toml @@ -76,7 +76,7 @@ Related rules: ### Additional notes -For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). +For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). """ severity = "medium" tags = ["Data Source: Elastic Defend", "Resources: Investigation Guide"] diff --git a/rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.toml b/rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.toml index b4bd8b83308..545b32f35d9 100644 --- a/rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.toml +++ b/rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.toml @@ -86,7 +86,7 @@ To avoid generating duplicate alerts, you should enable either all feature-speci ### Additional notes -For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). +For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). """ severity = "medium" tags = ["Data Source: Elastic Defend", "Resources: Investigation Guide"] diff --git a/rules/integrations/endpoint/elastic_endpoint_security_behavior_prevented.toml b/rules/integrations/endpoint/elastic_endpoint_security_behavior_prevented.toml index 44ff061f365..bb24e18e9c4 100644 --- a/rules/integrations/endpoint/elastic_endpoint_security_behavior_prevented.toml +++ b/rules/integrations/endpoint/elastic_endpoint_security_behavior_prevented.toml @@ -87,7 +87,7 @@ To avoid generating duplicate alerts, you should enable either all feature-speci ### Additional notes -For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). +For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). """ severity = "low" tags = ["Data Source: Elastic Defend", "Resources: Investigation Guide"] diff --git a/rules/integrations/endpoint/execution_elastic_malicious_file_detected.toml b/rules/integrations/endpoint/execution_elastic_malicious_file_detected.toml index c943822d4a5..27540bdadbf 100644 --- a/rules/integrations/endpoint/execution_elastic_malicious_file_detected.toml +++ b/rules/integrations/endpoint/execution_elastic_malicious_file_detected.toml @@ -94,7 +94,7 @@ To avoid generating duplicate alerts, you should enable either all feature-speci ### Additional notes -For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). +For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). """ severity = "medium" tags = ["Data Source: Elastic Defend", "Tactic: Execution", "Resources: Investigation Guide"] diff --git a/rules/integrations/endpoint/execution_elastic_malicious_file_prevented.toml b/rules/integrations/endpoint/execution_elastic_malicious_file_prevented.toml index c6425746152..f456b755cd1 100644 --- a/rules/integrations/endpoint/execution_elastic_malicious_file_prevented.toml +++ b/rules/integrations/endpoint/execution_elastic_malicious_file_prevented.toml @@ -94,7 +94,7 @@ To avoid generating duplicate alerts, you should enable either all feature-speci ### Additional notes -For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). +For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). """ severity = "low" tags = ["Data Source: Elastic Defend", "Tactic: Execution", "Resources: Investigation Guide"] diff --git a/rules/integrations/endpoint/impact_elastic_ransomware_detected.toml b/rules/integrations/endpoint/impact_elastic_ransomware_detected.toml index b8b5fba869a..0690b835f0d 100644 --- a/rules/integrations/endpoint/impact_elastic_ransomware_detected.toml +++ b/rules/integrations/endpoint/impact_elastic_ransomware_detected.toml @@ -85,7 +85,7 @@ To avoid generating duplicate alerts, you should enable either all feature-speci ### Additional notes -For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). +For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). """ severity = "high" tags = ["Data Source: Elastic Defend", "Tactic: Impact", "Resources: Investigation Guide"] diff --git a/rules/integrations/endpoint/impact_elastic_ransomware_prevented.toml b/rules/integrations/endpoint/impact_elastic_ransomware_prevented.toml index adb1215f54b..bb35e257d25 100644 --- a/rules/integrations/endpoint/impact_elastic_ransomware_prevented.toml +++ b/rules/integrations/endpoint/impact_elastic_ransomware_prevented.toml @@ -86,7 +86,7 @@ To avoid generating duplicate alerts, you should enable either all feature-speci ### Additional notes -For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). +For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). """ severity = "high" tags = ["Data Source: Elastic Defend", "Tactic: Impact", "Resources: Investigation Guide"] diff --git a/rules/promotions/credential_access_endgame_cred_dumping_detected.toml b/rules/promotions/credential_access_endgame_cred_dumping_detected.toml index 5082f2d604b..d38cd884d91 100644 --- a/rules/promotions/credential_access_endgame_cred_dumping_detected.toml +++ b/rules/promotions/credential_access_endgame_cred_dumping_detected.toml @@ -23,7 +23,7 @@ setup = """## Setup ### Additional notes -For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). +For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). """ severity = "high" tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide"] diff --git a/rules/promotions/credential_access_endgame_cred_dumping_prevented.toml b/rules/promotions/credential_access_endgame_cred_dumping_prevented.toml index 0b261d4a3ef..f46b90819c7 100644 --- a/rules/promotions/credential_access_endgame_cred_dumping_prevented.toml +++ b/rules/promotions/credential_access_endgame_cred_dumping_prevented.toml @@ -23,7 +23,7 @@ setup = """## Setup ### Additional notes -For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). +For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). """ severity = "medium" tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide"] diff --git a/rules/promotions/endgame_adversary_behavior_detected.toml b/rules/promotions/endgame_adversary_behavior_detected.toml index a0c013ff09d..7dac55b3b2c 100644 --- a/rules/promotions/endgame_adversary_behavior_detected.toml +++ b/rules/promotions/endgame_adversary_behavior_detected.toml @@ -23,7 +23,7 @@ setup = """## Setup ### Additional notes -For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). +For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). """ severity = "medium" tags = ["Data Source: Elastic Endgame", "Resources: Investigation Guide"] diff --git a/rules/promotions/endgame_malware_detected.toml b/rules/promotions/endgame_malware_detected.toml index 3644ccc5d43..4daed0dfdcf 100644 --- a/rules/promotions/endgame_malware_detected.toml +++ b/rules/promotions/endgame_malware_detected.toml @@ -23,7 +23,7 @@ setup = """## Setup ### Additional notes -For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). +For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). """ severity = "critical" tags = ["Data Source: Elastic Endgame", "Resources: Investigation Guide"] diff --git a/rules/promotions/endgame_malware_prevented.toml b/rules/promotions/endgame_malware_prevented.toml index 0a6b773f241..709de30d31d 100644 --- a/rules/promotions/endgame_malware_prevented.toml +++ b/rules/promotions/endgame_malware_prevented.toml @@ -23,7 +23,7 @@ setup = """## Setup ### Additional notes -For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). +For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). """ severity = "high" tags = ["Data Source: Elastic Endgame", "Resources: Investigation Guide"] diff --git a/rules/promotions/endgame_ransomware_detected.toml b/rules/promotions/endgame_ransomware_detected.toml index b0171a32958..9f8c169466d 100644 --- a/rules/promotions/endgame_ransomware_detected.toml +++ b/rules/promotions/endgame_ransomware_detected.toml @@ -22,7 +22,7 @@ rule_id = "8cb4f625-7743-4dfb-ae1b-ad92be9df7bd" setup = """## Setup ### Additional notes -For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). +For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). """ severity = "critical" tags = ["Data Source: Elastic Endgame", "Resources: Investigation Guide"] diff --git a/rules/promotions/endgame_ransomware_prevented.toml b/rules/promotions/endgame_ransomware_prevented.toml index cd945e66b44..28f96352a27 100644 --- a/rules/promotions/endgame_ransomware_prevented.toml +++ b/rules/promotions/endgame_ransomware_prevented.toml @@ -23,7 +23,7 @@ setup = """## Setup ### Additional notes -For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). +For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). """ severity = "high" tags = ["Data Source: Elastic Endgame", "Resources: Investigation Guide"] diff --git a/rules/promotions/execution_endgame_exploit_detected.toml b/rules/promotions/execution_endgame_exploit_detected.toml index b2e547782eb..c74ed775d20 100644 --- a/rules/promotions/execution_endgame_exploit_detected.toml +++ b/rules/promotions/execution_endgame_exploit_detected.toml @@ -23,7 +23,7 @@ setup = """## Setup ### Additional notes -For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). +For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). """ severity = "high" tags = [ diff --git a/rules/promotions/execution_endgame_exploit_prevented.toml b/rules/promotions/execution_endgame_exploit_prevented.toml index 163aba074f1..9882090ac4d 100644 --- a/rules/promotions/execution_endgame_exploit_prevented.toml +++ b/rules/promotions/execution_endgame_exploit_prevented.toml @@ -23,7 +23,7 @@ setup = """## Setup ### Additional notes -For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). +For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). """ severity = "medium" tags = [ diff --git a/rules/promotions/external_alerts.toml b/rules/promotions/external_alerts.toml index fb5226c5111..c94fea89967 100644 --- a/rules/promotions/external_alerts.toml +++ b/rules/promotions/external_alerts.toml @@ -32,7 +32,7 @@ setup = """## Setup ### Additional notes -For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). +For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). """ severity = "medium" tags = ["OS: Windows", "Data Source: APM", "OS: macOS", "OS: Linux", "Resources: Investigation Guide"] diff --git a/rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml b/rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml index da991355420..c828eafd159 100644 --- a/rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml +++ b/rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml @@ -23,7 +23,7 @@ setup = """## Setup ### Additional notes -For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). +For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). """ severity = "high" tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide"] diff --git a/rules/promotions/privilege_escalation_endgame_cred_manipulation_prevented.toml b/rules/promotions/privilege_escalation_endgame_cred_manipulation_prevented.toml index 9aaa937eeb3..654389a20dd 100644 --- a/rules/promotions/privilege_escalation_endgame_cred_manipulation_prevented.toml +++ b/rules/promotions/privilege_escalation_endgame_cred_manipulation_prevented.toml @@ -23,7 +23,7 @@ setup = """## Setup ### Additional notes -For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). +For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). """ severity = "medium" tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide"] diff --git a/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml b/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml index 322c952590e..da56645fb6b 100644 --- a/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml +++ b/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml @@ -23,7 +23,7 @@ setup = """## Setup ### Additional notes -For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). +For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). """ severity = "high" tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide"] diff --git a/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml b/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml index 14c309eb893..9b43b081eca 100644 --- a/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml +++ b/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml @@ -23,7 +23,7 @@ setup = """## Setup ### Additional notes -For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). +For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). """ severity = "medium" tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide"] diff --git a/rules/promotions/privilege_escalation_endgame_process_injection_detected.toml b/rules/promotions/privilege_escalation_endgame_process_injection_detected.toml index 723ab063010..38a36feec06 100644 --- a/rules/promotions/privilege_escalation_endgame_process_injection_detected.toml +++ b/rules/promotions/privilege_escalation_endgame_process_injection_detected.toml @@ -23,7 +23,7 @@ setup = """## Setup ### Additional notes -For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). +For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). """ severity = "high" tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide"] diff --git a/rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml b/rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml index 8f6cf13a7f4..5a5e8b7765d 100644 --- a/rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml +++ b/rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml @@ -23,7 +23,7 @@ setup = """## Setup ### Additional notes -For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). +For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). """ severity = "medium" tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide"] diff --git a/rules/threat_intel/threat_intel_rapid7_threat_command.toml b/rules/threat_intel/threat_intel_rapid7_threat_command.toml index 7653b8e8d29..1d532f38b72 100644 --- a/rules/threat_intel/threat_intel_rapid7_threat_command.toml +++ b/rules/threat_intel/threat_intel_rapid7_threat_command.toml @@ -55,7 +55,7 @@ More information can be found [here](https://www.elastic.co/guide/en/security/cu ### Additional notes -For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). +For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). """ severity = "critical" tags = [ diff --git a/tests/test_all_rules.py b/tests/test_all_rules.py index 94d7a078e78..d93d4df4270 100644 --- a/tests/test_all_rules.py +++ b/tests/test_all_rules.py @@ -133,7 +133,7 @@ def build_rule(query, bbr_type="default", from_field="now-120m", interval="60m") def test_max_signals_note(self): """Ensure the max_signals note is present when max_signals > 1000.""" - max_signal_standard_setup = 'For information about troubleshooting maximum alerts warning '\ + max_signal_standard_setup = 'For information on troubleshooting the maximum alerts warning '\ 'please refer to this [guide]'\ '(https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).' # noqa: E501 for rule in self.all_rules: