
Commit 48cf95c

[Rule Tuning] Change Network Rules to Use Network Packet Capture Integration (#2665)
* updated indexes and updated dates * added network_traffic integration tag to rules * reverting changes to resolve conflicts * metadata changes; indexes changed; schemas and manifest updated * updated default telnet port connection rule * updating integration manifests * adjusted rules; updated integrations; deduplicate packages
1 parent 0f6ded4 commit 48cf95c

20 files changed

+53
-50
lines changed
287 Bytes
Binary file not shown.
94.2 KB
Binary file not shown.

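--- a/detection_rules/rule.py
+++ b/detection_rules/rule.py
@@ -1018,6 +1018,9 @@ def _convert_add_related_integrations(self, obj: dict) -> None:
 if package["integration"] not in policy_templates:
 del package["integration"]
 
+# remove duplicate entries
+package_integrations = list({json.dumps(d, sort_keys=True):
+d for d in package_integrations}.values())
 obj.setdefault("related_integrations", package_integrations)
 
 def _convert_add_required_fields(self, obj: dict) -> None: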
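Review bot: The `# remove duplicate entries` comment on the new lines does not explain the non-obvious part, which is why each entry is round-tripped through `json.dumps` instead of being put in a set; `# dedupe: dicts are unhashable, so key on a canonical JSON encoding (sort_keys collapses equal dicts with different key order); dict insertion order keeps first-seen position` would say it. It is also worth noting in that comment that `json.dumps` raises `TypeError` for any non-JSON value in a package entry, so this silently depends on the entries being plain string/number dicts — presumably true here, but stated nowhere. The continuation line breaking after the colon of the dict comprehension is hard to read; putting the whole comprehension on one line, or breaking after `for`, reads better. `_convert_add_related_integrations` begins outside the hunk.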

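--- a/detection_rules/schemas/definitions.py
+++ b/detection_rules/schemas/definitions.py
@@ -27,7 +27,7 @@
 MINOR_SEMVER = r'^\d+\.\d+$'
 BRANCH_PATTERN = f'{VERSION_PATTERN}|^master$'
 
-NON_DATASET_PACKAGES = ['apm', 'endpoint', 'system', 'windows', 'cloud_defend']
+NON_DATASET_PACKAGES = ['apm', 'endpoint', 'system', 'windows', 'cloud_defend', 'network_traffic']
 INTERVAL_PATTERN = r'^\d+[mshd]$'
 TACTIC_URL = r'^https://attack.mitre.org/tactics/TA[0-9]+/$'
 TECHNIQUE_URL = r'^https://attack.mitre.org/techniques/T[0-9]+/$'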
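Review bot: Adding `network_traffic` to `NON_DATASET_PACKAGES` needs a comment, because the rules in this same commit select on `event.dataset: network_traffic.flow` and `network_traffic.tls` — the package visibly ships datasets, so the constant's name and this entry read as contradictory to anyone who does not know what the list actually gates. A trailing comment along the lines of `# packages whose integration name is not derived from an event.dataset stream` (or whatever the real criterion is; the consumer of this list is outside the hunk) would keep the next maintainer from "fixing" it. Since the list is only used for membership, a tuple or `frozenset` would also signal that it is not meant to be mutated at runtime.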

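--- a/rules/network/command_and_control_accepted_default_telnet_port_connection.toml
+++ b/rules/network/command_and_control_accepted_default_telnet_port_connection.toml
@@ -1,6 +1,6 @@
 [metadata]
 creation_date = "2020/02/18"
-integration = ["endpoint"]
+integration = ["network_traffic"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
@@ -24,7 +24,7 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["auditbeat-*", "filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
+index = ["packetbeat-*", "logs-network_traffic.*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Accepted Default Telnet Port Connection"
@@ -45,8 +45,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.category:(network or network_traffic) and destination.port:23
-and network.direction:(inbound or ingress or outbound or egress)
+event.dataset: network_traffic.flow and event.type: connection
 and not event.action:(
 flow_dropped or denied or deny or
 flow_terminated or timeout or Reject or network_flow)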
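Review bot: The rewritten query on new line 48 no longer contains `destination.port:23`: the deleted line that carried the port predicate was replaced together with the `network.direction` clause, and the single replacement line filters only on `event.dataset: network_traffic.flow and event.type: connection`. Unless the port predicate reappears below the hunk's trailing context (the hunk ends inside the `event.action` exclusion list and the diffstat shows no further additions in this file), the rule now alerts on every accepted flow the Network Packet Capture integration records, which is the opposite of what the rule name promises. Change the line to `event.dataset: network_traffic.flow and event.type: connection and destination.port:23`. The `query` string continues past the end of the hunk.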

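--- a/rules/network/command_and_control_cobalt_strike_beacon.toml
+++ b/rules/network/command_and_control_cobalt_strike_beacon.toml
@@ -1,6 +1,6 @@
 [metadata]
 creation_date = "2020/07/06"
-integration = ["endpoint"]
+integration = ["network_traffic"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
@@ -20,7 +20,7 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["auditbeat-*", "filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
+index = ["packetbeat-*", "logs-network_traffic.*"]
 language = "lucene"
 license = "Elastic License v2"
 name = "Cobalt Strike Command and Control Beacon"
@@ -40,7 +40,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.category:(network OR network_traffic) AND type:(tls OR http) AND network.transport:tcp AND destination.domain:/[a-z]{3}.stage.[0-9]{8}\..*/
+event.dataset: (network_traffic.tls or network_traffic.http) AND destination.domain:/[a-z]{3}.stage.[0-9]{8}\..*/
 '''
 
 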
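Review bot: This rule is declared `language = "lucene"`, yet new line 43 mixes a lowercase `or` inside `event.dataset: (network_traffic.tls or network_traffic.http)` with the uppercase `AND` that follows it. Lucene/`query_string` syntax treats boolean operators case-sensitively, so the lowercase `or` is parsed as a literal term (`event.dataset:or`) and the group only behaves as intended because the parser's default operator happens to be OR; under a different `default_operator` it would silently match nothing. Write it as `event.dataset:(network_traffic.tls OR network_traffic.http) AND destination.domain:/[a-z]{3}.stage.[0-9]{8}\..*/` to match the operator case used in the rest of the line. Dropping `network.transport:tcp` looks harmless for the TLS/HTTP datasets, but if it was intentional a sentence in the rule description would make that explicit.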
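--- a/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml
+++ b/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml
@@ -1,6 +1,6 @@
 [metadata]
 creation_date = "2020/10/05"
-integration = ["endpoint"]
+integration = ["network_traffic"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
@@ -16,7 +16,7 @@ SHA256 hashing algorithms (the default is SHA1). See the References section for
 configuration.
 """
 from = "now-9m"
-index = ["auditbeat-*", "filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
+index = ["packetbeat-*", "logs-network_traffic.*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Default Cobalt Strike Team Server Certificate"
@@ -39,7 +39,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.category:(network or network_traffic) and (tls.server.hash.md5:950098276A495286EB2A2556FBAB6D83 or
+event.dataset: network_traffic.tls and (tls.server.hash.md5:950098276A495286EB2A2556FBAB6D83 or
 tls.server.hash.sha1:6ECE5ECE4192683D2D84E25B0BA7E04F9CB7EB7C or
 tls.server.hash.sha256:87F2085C32B6A2CC709B365F55873E207A9CAA10BFFECF2FD16D3CF9D94D390C)
 '''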
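Review bot: The query now requires `event.dataset: network_traffic.tls`, but the index list on new line 19 still includes `packetbeat-*`. As far as I recall, standalone Packetbeat (not running under Agent) names its datasets by protocol only — `event.dataset: tls` — so documents in `packetbeat-*` would never satisfy the new filter and that pattern becomes dead weight; confirm against a real `packetbeat-*` document and either drop the pattern or widen the clause to `event.dataset:(network_traffic.tls or tls)`. A sentence in the rule's `setup`/description stating that only Agent-collected Network Packet Capture TLS events are matched would save operators the same investigation; that text is outside the hunk.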

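--- a/rules/network/command_and_control_download_rar_powershell_from_internet.toml
+++ b/rules/network/command_and_control_download_rar_powershell_from_internet.toml
@@ -1,6 +1,6 @@
 [metadata]
 creation_date = "2020/07/02"
-integration = ["endpoint"]
+integration = ["network_traffic"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
@@ -21,7 +21,7 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["auditbeat-*", "filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
+index = ["packetbeat-*", "logs-network_traffic.*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet"
@@ -41,7 +41,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.category:(network or network_traffic) and network.protocol:http and
+event.dataset: (network_traffic.http or network_traffic.tls) and
 (url.extension:(ps1 or rar) or url.path:(*.ps1 or *.rar)) and
 not destination.ip:(
 10.0.0.0/8 or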
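Review bot: Adding `network_traffic.tls` to the dataset clause on new line 44 buys nothing for this rule: the predicate on the next line needs `url.extension` or `url.path`, and a packet-capture TLS event carries only the handshake (SNI, certificates, ciphers), not the encrypted request path, so the TLS branch cannot match and merely widens the scan. Keep the filter at `event.dataset: network_traffic.http and` unless the TLS dataset is known to populate `url.*`, which is worth checking against a sample document before merging. The old `network.protocol:http` condition was dropped at the same time; that is fine if the HTTP dataset is HTTP by construction, but a note in the rule description would make the narrowing from "any network source" to "Network Packet Capture HTTP" explicit. The `not destination.ip:(` exclusion list continues past the hunk.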

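--- a/rules/network/command_and_control_fin7_c2_behavior.toml
+++ b/rules/network/command_and_control_fin7_c2_behavior.toml
@@ -1,6 +1,6 @@
 [metadata]
 creation_date = "2020/07/06"
-integration = ["endpoint"]
+integration = ["network_traffic"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
@@ -19,7 +19,7 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["auditbeat-*", "filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
+index = ["packetbeat-*", "logs-network_traffic.*"]
 language = "lucene"
 license = "Elastic License v2"
 name = "Possible FIN7 DGA Command and Control Behavior"
@@ -37,8 +37,8 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.category:(network OR network_traffic) AND type:(tls OR http) AND network.transport:tcp
-AND destination.domain:/[a-zA-Z]{4,5}\.(pw|us|club|info|site|top)/ AND NOT destination.domain:zoom.us
+event.dataset: (network_traffic.tls or network_traffic.http) AND
+destination.domain:/[a-zA-Z]{4,5}\.(pw|us|club|info|site|top)/ AND NOT destination.domain:zoom.us
 '''
 
 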
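Review bot: New line 40 uses a lowercase `or` inside `event.dataset: (network_traffic.tls or network_traffic.http)` while the rule is `language = "lucene"` and line 41 uses uppercase `AND` and `NOT`. Lucene's query parser treats operators case-sensitively, so the lowercase `or` is read as a literal term and the group only returns both datasets because the default operator happens to be OR; it would break silently under `default_operator: AND`. Use `event.dataset:(network_traffic.tls OR network_traffic.http) AND` so the operator case is consistent across the query.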
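--- a/rules/network/command_and_control_halfbaked_beacon.toml
+++ b/rules/network/command_and_control_halfbaked_beacon.toml
@@ -1,6 +1,6 @@
 [metadata]
 creation_date = "2020/07/06"
-integration = ["endpoint"]
+integration = ["network_traffic"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
@@ -19,7 +19,7 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["auditbeat-*", "filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
+index = ["packetbeat-*", "logs-network_traffic.*"]
 language = "lucene"
 license = "Elastic License v2"
 name = "Halfbaked Command and Control Beacon"
@@ -38,7 +38,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.category:(network OR network_traffic) AND network.protocol:http AND
+event.dataset: (network_traffic.tls or network_traffic.http) AND
 network.transport:tcp AND url.full:/http:\/\/[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}\/cd/ AND
 destination.port:(53 OR 80 OR 8080 OR 443)
 '''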
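Review bot: New line 41 has two issues: the rule is `language = "lucene"`, so the lowercase `or` in `event.dataset: (network_traffic.tls or network_traffic.http)` is parsed as a literal term rather than an operator (Lucene operators are case-sensitive), and the `network_traffic.tls` alternative cannot produce matches anyway because line 42 requires `url.full:/http:\/\/.../`, a plaintext URL that a TLS packet-capture event does not carry. Replace the line with `event.dataset:network_traffic.http AND`, or with `event.dataset:(network_traffic.tls OR network_traffic.http) AND` if TLS is deliberately kept for some future `url.full` source — in which case a comment in the rule description should say so. The `network.transport:tcp` and `destination.port:(53 OR 80 OR 8080 OR 443)` clauses are unchanged by the commit.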
