
Commit b4c84e8

w0rk3r and Mikaayenson authored
[Security Content] Tags Reform (#2725)
* Update Tags * Bump updated date separately to be easy to revert if needed * Update resource_development_ml_linux_anomalous_compiler_activity.toml * Apply changes from the discussion * Update persistence_init_d_file_creation.toml * Update defense_evasion_timestomp_sysmon.toml * Update defense_evasion_application_removed_from_blocklist_in_google_workspace.toml * Update missing Tactic tags * Update unit tests to match new tags * Add missing IG tags * Delete okta_threat_detected_by_okta_threatinsight.toml * Update command_and_control_google_drive_malicious_file_download.toml * Update persistence_rc_script_creation.toml * Mass bump * Update persistence_shell_activity_by_web_server.toml * . --------- Co-authored-by: Mika Ayenson <[email protected]> Co-authored-by: Mika Ayenson <[email protected]>
1 parent 7d758fd commit b4c84e8

817 files changed

+2148
-2182
lines changed

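--- a/rules/apm/apm_403_response_to_a_post.toml
+++ b/rules/apm/apm_403_response_to_a_post.toml
@@ -4,7 +4,7 @@ integration = ["apm"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -27,7 +27,7 @@ references = ["https://en.wikipedia.org/wiki/HTTP_403"]
 risk_score = 47
 rule_id = "a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e"
 severity = "medium"
-tags = ["Elastic", "APM"]
+tags = ["Data Source: APM"]
 timestamp_override = "event.ingested"
 type = "query"
 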
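--- a/rules/apm/apm_405_response_method_not_allowed.toml
+++ b/rules/apm/apm_405_response_method_not_allowed.toml
@@ -4,7 +4,7 @@ integration = ["apm"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -27,7 +27,7 @@ references = ["https://en.wikipedia.org/wiki/HTTP_405"]
 risk_score = 47
 rule_id = "75ee75d8-c180-481c-ba88-ee50129a6aef"
 severity = "medium"
-tags = ["Elastic", "APM"]
+tags = ["Data Source: APM"]
 timestamp_override = "event.ingested"
 type = "query"
 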
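--- a/rules/apm/apm_sqlmap_user_agent.toml
+++ b/rules/apm/apm_sqlmap_user_agent.toml
@@ -4,7 +4,7 @@ integration = ["apm"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -27,7 +27,7 @@ references = ["http://sqlmap.org/"]
 risk_score = 47
 rule_id = "d49cc73f-7a16-4def-89ce-9fc7127d7820"
 severity = "medium"
-tags = ["Elastic", "APM"]
+tags = ["Data Source: APM"]
 timestamp_override = "event.ingested"
 type = "query"
 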
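--- a/rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml
+++ b/rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml
@@ -26,7 +26,7 @@ references = ["https://intelligence.abnormalsecurity.com/blog/google-drive-matan
 risk_score = 73
 rule_id = "a8afdce2-0ec1-11ee-b843-f661ea17fbcd"
 severity = "high"
-tags = ["Elastic", "Host", "Linux", "Windows", "macOS", "Threat Detection", "Command and Control"]
+tags = ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Command and Control"]
 type = "eql"
 
 query = '''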
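Review bot: This section changes only the tags line; every other rule in the visible part of the commit also bumps `updated_date` to `"2023/06/22"` in its `[metadata]` block, and that block is outside this section so I cannot tell whether it was touched. If it was not, the tag reform should still be reflected by `updated_date = "2023/06/22"`, since consumers that sync rules by modification date will otherwise not pick up the new tag vocabulary for this rule. The `[rule]` table continues outside the hunk.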

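--- a/rules/cross-platform/command_and_control_non_standard_ssh_port.toml
+++ b/rules/cross-platform/command_and_control_non_standard_ssh_port.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -30,7 +30,7 @@ references = ["https://attack.mitre.org/techniques/T1571/"]
 risk_score = 21
 rule_id = "bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9"
 severity = "low"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Command and Control", "macOS"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "OS: macOS"]
 type = "eql"
 
 query = '''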
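Review bot: The new tags line leaves `"OS: macOS"` at the end of the array, after the Tactic tag, while every other endpoint rule in this commit groups its `OS:` tags together ahead of `"Use Case: Threat Detection"` (see the cookies-debugging and web-server-log rules). The reform is a good moment to normalise the order as well, because tag arrays are compared verbatim in the unit tests the commit updates and read top-to-bottom by analysts; I'd write `tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Command and Control"]`. The `[rule]` table continues outside the hunk.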

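--- a/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml
+++ b/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -33,7 +33,7 @@ references = [
 risk_score = 47
 rule_id = "027ff9ea-85e7-42e3-99d2-bbb7069e02eb"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Windows", "macOS", "Threat Detection", "Credential Access"]
+tags = ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access"]
 timestamp_override = "event.ingested"
 type = "eql"
 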
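--- a/rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml
+++ b/rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/07/14"
 maturity = "production"
-updated_date = "2022/08/24"
+updated_date = "2023/06/22"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
@@ -25,7 +25,7 @@ name = "Agent Spoofing - Mismatched Agent ID"
 risk_score = 73
 rule_id = "3115bd2c-0baa-4df0-80ea-45e474b5ef93"
 severity = "high"
-tags = ["Elastic", "Threat Detection", "Defense Evasion"]
+tags = ["Use Case: Threat Detection", "Tactic: Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "query"
 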
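--- a/rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml
+++ b/rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/07/14"
 maturity = "production"
-updated_date = "2022/08/24"
+updated_date = "2023/06/22"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
@@ -25,7 +25,7 @@ name = "Agent Spoofing - Multiple Hosts Using Same Agent"
 risk_score = 73
 rule_id = "493834ca-f861-414c-8602-150d5505b777"
 severity = "high"
-tags = ["Elastic", "Threat Detection", "Defense Evasion"]
+tags = ["Use Case: Threat Detection", "Tactic: Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "threshold"
 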
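--- a/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml
+++ b/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -24,7 +24,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 47
 rule_id = "665e7a4f-c58e-4fc6-bc83-87a7572670ac"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Windows", "macOS", "Threat Detection", "Defense Evasion"]
+tags = ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "eql"
 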
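--- a/rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml
+++ b/rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -24,7 +24,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 47
 rule_id = "7bcbb3ac-e533-41ad-a612-d6c3bf666aba"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "macOS", "Threat Detection", "Defense Evasion"]
+tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "eql"
 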