[Detection Rules] Add 7.10 rules (#81676)
brokensound77 authored Oct 27, 2020
1 parent 72ff6b8 commit 20cfa16
Showing 325 changed files with 1,337 additions and 666 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -20,9 +20,9 @@
"rule_id": "a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e",
"severity": "medium",
"tags": [
"APM",
"Elastic"
"Elastic",
"APM"
],
"type": "query",
"version": 3
"version": 4
}
Original file line number Diff line number Diff line change
Expand Up @@ -20,9 +20,9 @@
"rule_id": "75ee75d8-c180-481c-ba88-ee50129a6aef",
"severity": "medium",
"tags": [
"APM",
"Elastic"
"Elastic",
"APM"
],
"type": "query",
"version": 3
"version": 4
}
Original file line number Diff line number Diff line change
Expand Up @@ -38,9 +38,9 @@
"rule_id": "43303fd4-4839-4e48-b2b2-803ab060758d",
"severity": "medium",
"tags": [
"APM",
"Elastic"
"Elastic",
"APM"
],
"type": "query",
"version": 3
"version": 4
}
Original file line number Diff line number Diff line change
Expand Up @@ -20,9 +20,9 @@
"rule_id": "d49cc73f-7a16-4def-89ce-9fc7127d7820",
"severity": "medium",
"tags": [
"APM",
"Elastic"
"Elastic",
"APM"
],
"type": "query",
"version": 3
"version": 4
}

This file was deleted.

Original file line number Diff line number Diff line change
Expand Up @@ -25,11 +25,12 @@
"rule_id": "594e0cbf-86cc-45aa-9ff7-ff27db27d3ed",
"severity": "low",
"tags": [
"AWS",
"Elastic",
"Cloud",
"AWS",
"Continuous Monitoring",
"SecOps",
"Logging",
"Continuous Monitoring"
"Log Auditing"
],
"threat": [
{
Original file line number Diff line number Diff line change
Expand Up @@ -22,10 +22,11 @@
"severity": "low",
"tags": [
"Elastic",
"Cloud",
"GCP",
"Continuous Monitoring",
"SecOps",
"Logging"
"Log Auditing"
],
"threat": [
{
Original file line number Diff line number Diff line change
Expand Up @@ -22,10 +22,11 @@
"severity": "low",
"tags": [
"Elastic",
"Cloud",
"GCP",
"Continuous Monitoring",
"SecOps",
"Logging"
"Log Auditing"
],
"threat": [
{
Original file line number Diff line number Diff line change
Expand Up @@ -22,11 +22,12 @@
"rule_id": "b6dce542-2b75-4ffb-b7d6-38787298ba9d",
"severity": "medium",
"tags": [
"Azure",
"Elastic",
"SecOps",
"Cloud",
"Azure",
"Continuous Monitoring",
"Logging"
"SecOps",
"Log Auditing"
],
"threat": [
{
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,10 @@
"severity": "low",
"tags": [
"Elastic",
"Windows"
"Host",
"Windows",
"Threat Detection",
"Command and Control"
],
"threat": [
{
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,9 @@
"severity": "high",
"tags": [
"Elastic",
"Network"
"Network",
"Threat Detection",
"Command and Control"
],
"threat": [
{
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,9 @@
"severity": "medium",
"tags": [
"Elastic",
"Network"
"Network",
"Threat Detection",
"Command and Control"
],
"threat": [
{
Expand All @@ -43,5 +45,5 @@
}
],
"type": "query",
"version": 4
"version": 5
}
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,9 @@
"severity": "medium",
"tags": [
"Elastic",
"Network"
"Network",
"Threat Detection",
"Command and Control"
],
"threat": [
{
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,9 @@
"severity": "high",
"tags": [
"Elastic",
"Network"
"Network",
"Threat Detection",
"Command and Control"
],
"threat": [
{
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,8 @@
],
"index": [
"filebeat-*",
"packetbeat-*"
"packetbeat-*",
"logs-endpoint.events.*"
],
"language": "kuery",
"license": "Elastic License",
Expand All @@ -19,7 +20,10 @@
"severity": "low",
"tags": [
"Elastic",
"Network"
"Host",
"Network",
"Threat Detection",
"Command and Control"
],
"threat": [
{
Expand Down Expand Up @@ -54,5 +58,5 @@
}
],
"type": "query",
"version": 4
"version": 5
}
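Review bot: The `index` list in the first hunk now includes `logs-endpoint.events.*`, so the rule's KQL query (not visible in this hunk) runs against endpoint event documents as well as filebeat/packetbeat, and every field the query references must resolve in that data or those documents will never match and the rule will look healthy while missing them. Please confirm the query uses only ECS fields that endpoint network events populate, rather than packetbeat-specific ones, before the wider scope ships. The bump to `"version": 5` in the last hunk is the right accompaniment to a scope change. The same index addition appears in the sections ending at L277, L307, L331, L361 and L391; for the sections ending at L277 and L331 the version field lies outside the visible hunk, so the corresponding bump could not be confirmed here.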
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,9 @@
"severity": "high",
"tags": [
"Elastic",
"Network"
"Network",
"Threat Detection",
"Command and Control"
],
"threat": [
{
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,8 @@
],
"index": [
"filebeat-*",
"packetbeat-*"
"packetbeat-*",
"logs-endpoint.events.*"
],
"language": "kuery",
"license": "Elastic License",
Expand All @@ -19,7 +20,10 @@
"severity": "medium",
"tags": [
"Elastic",
"Network"
"Host",
"Network",
"Threat Detection",
"Command and Control"
],
"threat": [
{
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,8 @@
],
"index": [
"filebeat-*",
"packetbeat-*"
"packetbeat-*",
"logs-endpoint.events.*"
],
"language": "kuery",
"license": "Elastic License",
Expand All @@ -19,7 +20,10 @@
"severity": "low",
"tags": [
"Elastic",
"Network"
"Host",
"Network",
"Threat Detection",
"Command and Control"
],
"threat": [
{
Expand All @@ -39,5 +43,5 @@
}
],
"type": "query",
"version": 3
"version": 4
}
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,8 @@
],
"index": [
"filebeat-*",
"packetbeat-*"
"packetbeat-*",
"logs-endpoint.events.*"
],
"language": "kuery",
"license": "Elastic License",
Expand All @@ -23,7 +24,10 @@
"severity": "low",
"tags": [
"Elastic",
"Network"
"Host",
"Network",
"Threat Detection",
"Command and Control"
],
"threat": [
{
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,8 @@
],
"index": [
"filebeat-*",
"packetbeat-*"
"packetbeat-*",
"logs-endpoint.events.*"
],
"language": "kuery",
"license": "Elastic License",
Expand All @@ -19,7 +20,10 @@
"severity": "low",
"tags": [
"Elastic",
"Network"
"Host",
"Network",
"Threat Detection",
"Command and Control"
],
"threat": [
{
Expand All @@ -39,5 +43,5 @@
}
],
"type": "query",
"version": 4
"version": 5
}
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,8 @@
],
"index": [
"filebeat-*",
"packetbeat-*"
"packetbeat-*",
"logs-endpoint.events.*"
],
"language": "kuery",
"license": "Elastic License",
Expand All @@ -19,7 +20,10 @@
"severity": "low",
"tags": [
"Elastic",
"Network"
"Host",
"Network",
"Threat Detection",
"Command and Control"
],
"threat": [
{
Expand All @@ -39,5 +43,5 @@
}
],
"type": "query",
"version": 3
"version": 4
}
