From 56017b7a94d71e2d3bcb55120ab35fb24fade956 Mon Sep 17 00:00:00 2001 From: Garrett Spong Date: Wed, 8 Jul 2020 19:12:29 -0600 Subject: [PATCH 01/10] Adds the Elastic Endpoint and External Alerts rules and required schema updates --- detection_rules/schema.py | 23 +++++++++ rules/cross-platform/external_alerts.toml | 57 +++++++++++++++++++++ rules/endpoint/elastic_endpoint.toml | 60 +++++++++++++++++++++++ 3 files changed, 140 insertions(+) create mode 100644 rules/cross-platform/external_alerts.toml create mode 100644 rules/endpoint/elastic_endpoint.toml diff --git a/detection_rules/schema.py b/detection_rules/schema.py index d4edeb198a9..bd4b1414eb5 100644 --- a/detection_rules/schema.py +++ b/detection_rules/schema.py @@ -16,6 +16,7 @@ VERSION_PATTERN = r'\d+\.\d+\.\d+' RULE_LEVELS = ['recommended', 'aggressive'] MATURITY_LEVELS = ['development', 'testing', 'staged', 'production', 'deprecated'] +OPERATORS = ['equals'] OS_OPTIONS = ['windows', 'linux', 'macos', 'solaris'] # need to verify with ecs INTERVAL_PATTERN = r'\d+[mshd]' MITRE_URL_PATTERN = r'https://attack.mitre.org/{type}/T[A-Z0-9]+/' @@ -81,6 +82,23 @@ class Filters(jsl.Document): query = jsl.DocumentField(FilterQuery) +class RiskScoreMapping(jsl.Document): + """Risk score mapping""" + + field = jsl.StringField(required=True) + operator = jsl.StringField(required=True, enum=OPERATORS) + value = jsl.StringField(required=True, default="") + + +class SeverityMapping(jsl.Document): + """Severity mapping""" + + field = jsl.StringField(required=True) + operator = jsl.StringField(required=True, enum=OPERATORS) + value = jsl.StringField(required=True) + severity = jsl.StringField(required=True) + + class ThreatTactic(jsl.Document): """Threat tactics.""" 
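Review bot: `SeverityMapping.severity` is declared as a free-form `StringField`, while the top-level `severity` field of `SiemRuleApiSchema` later in this same file restricts itself to `['low', 'medium', 'high', 'critical']`; `severity = jsl.StringField(required=True, enum=['low', 'medium', 'high', 'critical'])` would reject a misspelled mapping target when the rule file is validated rather than when it is uploaded. The later hunk at `@@ -86,17 +86,17 @@` that relaxes the `required` flags on these two classes leaves the field unconstrained as well, so the enum belongs there too. `OPERATORS` referenced by the `enum=` is defined in the preceding hunk of this file.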
@@ -110,6 +128,7 @@ class SiemRuleApiSchema(jsl.Document): actions = jsl.ArrayField(required=False) author = jsl.ArrayField(jsl.StringField(default="Elastic"), required=True, min_items=1) + building_block_type = jsl.StringField(required=False) description = jsl.StringField(required=True) # api defaults to false if blank enabled = jsl.BooleanField(default=False, required=False) @@ -127,13 +146,17 @@ class SiemRuleApiSchema(jsl.Document): # output_index = jsl.StringField(required=False) # this is NOT allowed! references = jsl.ArrayField(jsl.StringField(), required=False) risk_score = jsl.IntField(minimum=0, maximum=100, required=True, default=21) + risk_score_mapping = jsl.ArrayField(jsl.DocumentField(RiskScoreMapping), required=False, min_items=1) rule_id = jsl.StringField(pattern=UUID_PATTERN, required=True) + rule_name_override = jsl.StringField(required=False) severity = jsl.StringField(enum=['low', 'medium', 'high', 'critical'], default='low', required=True) + severity_mapping = jsl.ArrayField(jsl.DocumentField(SeverityMapping), required=False, min_items=1) # saved_id - type must be 'saved_query' to allow this or else it is forbidden tags = jsl.ArrayField(jsl.StringField(), required=False) throttle = jsl.StringField(required=False) timeline_id = jsl.StringField(required=False) timeline_title = jsl.StringField(required=False) + timestamp_override = jsl.StringField(required=False) to = jsl.StringField(required=False, default='now') # require this to be always validated with a role # type = jsl.StringField(enum=[MACHINE_LEARNING, QUERY, SAVED_QUERY], required=True) diff --git a/rules/cross-platform/external_alerts.toml b/rules/cross-platform/external_alerts.toml new file mode 100644 index 00000000000..432d896293c --- /dev/null +++ b/rules/cross-platform/external_alerts.toml 
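Review bot: `rule_name_override` and `timestamp_override` are added as bare `StringField`s without the inline comments the neighbouring fields carry, and nothing records that both hold the name of a field in the source documents rather than a literal value (the new rule files set them to `message` and `event.ingested`). Suggest `# name of a source-document field whose value replaces the rule name on generated alerts` above `rule_name_override` and `# name of a source-document field queried in place of @timestamp` above `timestamp_override`. The `SiemRuleApiSchema` class begins outside this hunk.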
@@ -0,0 +1,57 @@
+[metadata]
+creation_date = "2020/07/08"
+ecs_version = ["1.5.0"]
+maturity = "development"
+updated_date = "2020/07/08"
+
+[rule]
+author = ["Elastic"]
+description = """
+Generates a detection alert each time an external alert is received. Enabling this rule allows you to immediately being
+investigating external alerts in the app.
+"""
+language = "kuery"
+license = "Elastic License"
+name = "External Alerts"
+risk_score = 47
+rule_id = "eb079c62-4481-4d6e-9643-3ca499df7aaa"
+rule_name_override = "message"
+severity = "medium"
+tags = ["Elastic"]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.kind:alert and not event.module:endpoint and not event.module:endgame
+'''
+
+
+[[rule.risk_score_mapping]]
+field = "event.risk_score"
+operator = "equals"
+value = ""
+
+[[rule.severity_mapping]]
+field = "event.severity"
+operator = "equals"
+value = "21"
+severity = "low"
+
+[[rule.severity_mapping]]
+field = "event.severity"
+operator = "equals"
+value = "47"
+severity = "medium"
+
+[[rule.severity_mapping]]
+field = "event.severity"
+operator = "equals"
+value = "73"
+severity = "high"
+
+[[rule.severity_mapping]]
+field = "event.severity"
+operator = "equals"
+value = "99"
+severity = "critical"
+
diff --git a/rules/endpoint/elastic_endpoint.toml b/rules/endpoint/elastic_endpoint.toml
new file mode 100644
index 00000000000..ce93b568595
--- /dev/null
+++ b/rules/endpoint/elastic_endpoint.toml
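Review bot: `rule_name_override = "message"` makes the name shown on every generated alert come from the `message` field of the matching source document, i.e. text produced by the external product rather than by this rule, and the file does not say so; a comment above that line, e.g. `# alert name is taken from the source alert's message field (external, not rule-authored text)`, would make that explicit for anyone keying dashboards or notifications on rule names. The same line appears in the `elastic_endpoint.toml` hunk that follows. The four `[[rule.severity_mapping]]` entries match `event.severity` by exact string equality on `21`, `47`, `73` and `99`, so any other value presumably falls back to the static `severity = "medium"`; if that is intended, the description is the place to say it.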
@@ -0,0 +1,60 @@
+[metadata]
+creation_date = "2020/07/08"
+ecs_version = ["1.5.0"]
+maturity = "development"
+updated_date = "2020/07/08"
+
+[rule]
+author = ["Elastic"]
+description = """
+Generates a detection alert each time an Elastic Endpoint alert is received. Enabling this rule allows you to
+immediately begin investigating your Elastic Endpoint alerts.
+"""
+enabled = true
+from = "now-15m"
+index = ["logs-*"]
+language = "kuery"
+license = "Elastic License"
+name = "Elastic Endpoint"
+risk_score = 47
+rule_id = "9a1a2dae-0b5f-4c3d-8305-a268d404c306"
+rule_name_override = "message"
+severity = "medium"
+tags = ["Elastic", "Endpoint"]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.kind:alert and event.module:endpoint and not event.module:endgame
+'''
+
+
+[[rule.risk_score_mapping]]
+field = "event.risk_score"
+operator = "equals"
+value = ""
+
+[[rule.severity_mapping]]
+field = "event.severity"
+operator = "equals"
+value = "21"
+severity = "low"
+
+[[rule.severity_mapping]]
+field = "event.severity"
+operator = "equals"
+value = "47"
+severity = "medium"
+
+[[rule.severity_mapping]]
+field = "event.severity"
+operator = "equals"
+value = "73"
+severity = "high"
+
+[[rule.severity_mapping]]
+field = "event.severity"
+operator = "equals"
+value = "99"
+severity = "critical"
+
From 16d6608719bb14661cb03161480f2aeb0a0b81a9 Mon Sep 17 00:00:00 2001
From: Garrett Spong
Date: Wed, 8 Jul 2020 22:51:05 -0600
Subject: [PATCH 02/10] Optimizing queries to fix tests
---
 rules/cross-platform/external_alerts.toml | 2 +-
 rules/endpoint/elastic_endpoint.toml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/cross-platform/external_alerts.toml b/rules/cross-platform/external_alerts.toml
index 432d896293c..4231a40fb8c 100644
--- a/rules/cross-platform/external_alerts.toml
+++ b/rules/cross-platform/external_alerts.toml
@@ -22,7 +22,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.kind:alert and not event.module:endpoint and not event.module:endgame +event.kind:alert and not event.module:(endgame or endpoint) ''' diff --git a/rules/endpoint/elastic_endpoint.toml b/rules/endpoint/elastic_endpoint.toml index ce93b568595..3f877adc7d3 100644 --- a/rules/endpoint/elastic_endpoint.toml +++ b/rules/endpoint/elastic_endpoint.toml @@ -25,7 +25,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.kind:alert and event.module:endpoint and not event.module:endgame +event.kind:alert and event.module:(endpoint and not endgame) ''' From 4bc8ae6b15ee4de7f2795871943269e3d5a3764d Mon Sep 17 00:00:00 2001 From: Ross Wolf <31489089+rw-access@users.noreply.github.com> Date: Thu, 9 Jul 2020 08:53:56 -0600 Subject: [PATCH 03/10] Apply PEP257 changes --- detection_rules/schema.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/detection_rules/schema.py b/detection_rules/schema.py index bd4b1414eb5..2a260c3e9be 100644 --- a/detection_rules/schema.py +++ b/detection_rules/schema.py @@ -83,7 +83,7 @@ class Filters(jsl.Document): class RiskScoreMapping(jsl.Document): - """Risk score mapping""" + """Risk score mapping.""" field = jsl.StringField(required=True) operator = jsl.StringField(required=True, enum=OPERATORS) @@ -91,7 +91,7 @@ class RiskScoreMapping(jsl.Document): class SeverityMapping(jsl.Document): - """Severity mapping""" + """Severity mapping.""" field = jsl.StringField(required=True) operator = jsl.StringField(required=True, enum=OPERATORS) From c6077037a1ca411da2f8f22056f38143904a30fc Mon Sep 17 00:00:00 2001 
From: Garrett Spong Date: Thu, 9 Jul 2020 12:59:24 -0600 Subject: [PATCH 04/10] Apply suggestions from code review Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com> --- detection_rules/schema.py | 10 +++++----- rules/cross-platform/external_alerts.toml | 3 +-- rules/endpoint/elastic_endpoint.toml | 3 +-- 3 files changed, 7 insertions(+), 9 deletions(-) diff --git a/detection_rules/schema.py b/detection_rules/schema.py index 2a260c3e9be..80bb33036d2 100644 --- a/detection_rules/schema.py +++ b/detection_rules/schema.py @@ -86,17 +86,17 @@ class RiskScoreMapping(jsl.Document): """Risk score mapping.""" field = jsl.StringField(required=True) - operator = jsl.StringField(required=True, enum=OPERATORS) - value = jsl.StringField(required=True, default="") + operator = jsl.StringField(required=False, enum=OPERATORS) + value = jsl.StringField(required=False) class SeverityMapping(jsl.Document): """Severity mapping.""" field = jsl.StringField(required=True) - operator = jsl.StringField(required=True, enum=OPERATORS) - value = jsl.StringField(required=True) - severity = jsl.StringField(required=True) + operator = jsl.StringField(required=False, enum=OPERATORS) + value = jsl.StringField(required=False) + severity = jsl.StringField(required=False) class ThreatTactic(jsl.Document): diff --git a/rules/cross-platform/external_alerts.toml b/rules/cross-platform/external_alerts.toml index 4231a40fb8c..bb1e2bb096e 100644 --- a/rules/cross-platform/external_alerts.toml +++ b/rules/cross-platform/external_alerts.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/07/08" ecs_version = ["1.5.0"] -maturity = "development" +maturity = "production" updated_date = "2020/07/08" [rule] @@ -54,4 +54,3 @@ field = "event.severity" operator = "equals" value = "99" severity = "critical" - diff --git a/rules/endpoint/elastic_endpoint.toml b/rules/endpoint/elastic_endpoint.toml index 3f877adc7d3..19fa26e2092 100644 --- a/rules/endpoint/elastic_endpoint.toml 
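Review bot: With `operator`, `value` and `severity` all switched to `required=False`, a `[[rule.severity_mapping]]` entry carrying nothing but `field` now passes schema validation even though it cannot map anything, and `RiskScoreMapping` is in the same position. If the relaxation is there to accept what the API returns for existing rules, a comment above the two classes saying so (e.g. `# operator/value/severity are optional because rules read back from the API may omit them`) would stop the next reader from restoring `required=True`; otherwise keeping `severity` required seems right, since a mapping entry without a target severity has no effect. The `OPERATORS` constant the `enum=` refers to is defined outside this hunk.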
+++ b/rules/endpoint/elastic_endpoint.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/07/08" ecs_version = ["1.5.0"] -maturity = "development" +maturity = "production" updated_date = "2020/07/08" [rule] @@ -57,4 +57,3 @@ field = "event.severity" operator = "equals" value = "99" severity = "critical" - From 8da72627941740f536edd245db276621f20a87a4 Mon Sep 17 00:00:00 2001 From: Garrett Spong Date: Thu, 9 Jul 2020 13:01:51 -0600 Subject: [PATCH 05/10] Update rules/cross-platform/external_alerts.toml Co-authored-by: Justin Ibarra --- rules/cross-platform/external_alerts.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cross-platform/external_alerts.toml b/rules/cross-platform/external_alerts.toml index bb1e2bb096e..5ea4e33ebc8 100644 --- a/rules/cross-platform/external_alerts.toml +++ b/rules/cross-platform/external_alerts.toml @@ -7,7 +7,7 @@ updated_date = "2020/07/08" [rule] author = ["Elastic"] description = """ -Generates a detection alert each time an external alert is received. Enabling this rule allows you to immediately being +Generates a detection alert each time an external alert is received. Enabling this rule allows you to immediately begin investigating external alerts in the app. """ language = "kuery" From 316d96bb4bbc13cbaf21d419996e7c4009295697 Mon Sep 17 00:00:00 2001 From: Garrett Spong Date: Thu, 9 Jul 2020 13:07:17 -0600 Subject: [PATCH 06/10] Last fixes from review --- rules/cross-platform/external_alerts.toml | 4 ++-- rules/endpoint/elastic_endpoint.toml | 3 ++- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/rules/cross-platform/external_alerts.toml b/rules/cross-platform/external_alerts.toml index 5ea4e33ebc8..1c5ee60694a 100644 --- a/rules/cross-platform/external_alerts.toml +++ b/rules/cross-platform/external_alerts.toml 
@@ -7,8 +7,8 @@ updated_date = "2020/07/08" [rule] author = ["Elastic"] description = """ -Generates a detection alert each time an external alert is received. Enabling this rule allows you to immediately begin -investigating external alerts in the app. +Generates a detection alert for each external alert written to the configured securitySolution:defaultIndex. Enabling +this rule allows you to immediately begin investigating external alerts in the app. """ language = "kuery" license = "Elastic License" diff --git a/rules/endpoint/elastic_endpoint.toml b/rules/endpoint/elastic_endpoint.toml index 19fa26e2092..d662ede962f 100644 --- a/rules/endpoint/elastic_endpoint.toml +++ b/rules/endpoint/elastic_endpoint.toml @@ -11,8 +11,9 @@ Generates a detection alert each time an Elastic Endpoint alert is received. Ena immediately begin investigating your Elastic Endpoint alerts. """ enabled = true -from = "now-15m" +from = "now-10m" index = ["logs-*"] +interval = "5m" language = "kuery" license = "Elastic License" name = "Elastic Endpoint" From c17ea374f594cea699d3642c75a66af217058d38 Mon Sep 17 00:00:00 2001 From: Garrett Spong Date: Thu, 9 Jul 2020 13:10:12 -0600 Subject: [PATCH 07/10] Fixing test for unrequired default --- rules/endpoint/elastic_endpoint.toml | 1 - 1 file changed, 1 deletion(-) diff --git a/rules/endpoint/elastic_endpoint.toml b/rules/endpoint/elastic_endpoint.toml index d662ede962f..50ffc7b0016 100644 --- a/rules/endpoint/elastic_endpoint.toml +++ b/rules/endpoint/elastic_endpoint.toml @@ -13,7 +13,6 @@ immediately begin investigating your Elastic Endpoint alerts. enabled = true from = "now-10m" index = ["logs-*"] -interval = "5m" language = "kuery" license = "Elastic License" name = "Elastic Endpoint" From fb46bb2ee833798bd92ffdbb55fb059e22ae9a19 Mon Sep 17 00:00:00 2001 
From: Garrett Spong Date: Thu, 9 Jul 2020 13:19:09 -0600 Subject: [PATCH 08/10] Adding increased default max_signals to not interfere with testing --- rules/cross-platform/external_alerts.toml | 1 + rules/endpoint/elastic_endpoint.toml | 1 + 2 files changed, 2 insertions(+) diff --git a/rules/cross-platform/external_alerts.toml b/rules/cross-platform/external_alerts.toml index 1c5ee60694a..c082039db69 100644 --- a/rules/cross-platform/external_alerts.toml +++ b/rules/cross-platform/external_alerts.toml @@ -12,6 +12,7 @@ this rule allows you to immediately begin investigating external alerts in the a """ language = "kuery" license = "Elastic License" +max_signals = 10000 name = "External Alerts" risk_score = 47 rule_id = "eb079c62-4481-4d6e-9643-3ca499df7aaa" diff --git a/rules/endpoint/elastic_endpoint.toml b/rules/endpoint/elastic_endpoint.toml index 50ffc7b0016..a7d8c7720f5 100644 --- a/rules/endpoint/elastic_endpoint.toml +++ b/rules/endpoint/elastic_endpoint.toml @@ -15,6 +15,7 @@ from = "now-10m" index = ["logs-*"] language = "kuery" license = "Elastic License" +max_signals = 10000 name = "Elastic Endpoint" risk_score = 47 rule_id = "9a1a2dae-0b5f-4c3d-8305-a268d404c306" From ccbf03781328105e16ad59b7c2c939a9f1cba001 Mon Sep 17 00:00:00 2001 
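Review bot: `max_signals = 10000` lands in a production-maturity rule with only the commit subject ("to not interfere with testing") as rationale, and the same line is added to `elastic_endpoint.toml` in the next hunk. For a promotion rule a high cap is arguably the right operational setting, since it exists so source alerts are not silently dropped within a run, but that reason belongs in the file rather than the subject line; a comment above it such as `# promotion rules must forward every source alert, so the per-run cap is raised well above the engine default` records it. It is also worth stating somewhere that a burst of upstream alerts can now yield up to 10000 detection alerts per run from each of these rules.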
From: Ross Wolf <31489089+rw-access@users.noreply.github.com> Date: Thu, 9 Jul 2020 13:30:35 -0600 Subject: [PATCH 09/10] Make promotions folder --- rules/README.md | 2 +- rules/{endpoint => promotions}/elastic_endpoint.toml | 0 .../endpoint_adversary_behavior_detected.toml | 0 .../endpoint_cred_dumping_detected.toml | 0 .../endpoint_cred_dumping_prevented.toml | 0 .../endpoint_cred_manipulation_detected.toml | 0 .../endpoint_cred_manipulation_prevented.toml | 0 rules/{endpoint => promotions}/endpoint_exploit_detected.toml | 0 rules/{endpoint => promotions}/endpoint_exploit_prevented.toml | 0 rules/{endpoint => promotions}/endpoint_malware_detected.toml | 0 rules/{endpoint => promotions}/endpoint_malware_prevented.toml | 0 .../endpoint_permission_theft_detected.toml | 0 .../endpoint_permission_theft_prevented.toml | 0 .../endpoint_process_injection_detected.toml | 0 .../endpoint_process_injection_prevented.toml | 0 .../{endpoint => promotions}/endpoint_ransomware_detected.toml | 0 .../{endpoint => promotions}/endpoint_ransomware_prevented.toml | 0 rules/{cross-platform => promotions}/external_alerts.toml | 0 18 files changed, 1 insertion(+), 1 deletion(-) rename rules/{endpoint => promotions}/elastic_endpoint.toml (100%) rename rules/{endpoint => promotions}/endpoint_adversary_behavior_detected.toml (100%) rename rules/{endpoint => promotions}/endpoint_cred_dumping_detected.toml (100%) rename rules/{endpoint => promotions}/endpoint_cred_dumping_prevented.toml (100%) rename rules/{endpoint => promotions}/endpoint_cred_manipulation_detected.toml (100%) rename rules/{endpoint => promotions}/endpoint_cred_manipulation_prevented.toml (100%) rename rules/{endpoint => promotions}/endpoint_exploit_detected.toml (100%) rename rules/{endpoint => promotions}/endpoint_exploit_prevented.toml (100%) rename rules/{endpoint => promotions}/endpoint_malware_detected.toml (100%) rename rules/{endpoint => promotions}/endpoint_malware_prevented.toml (100%) rename rules/{endpoint => 
promotions}/endpoint_permission_theft_detected.toml (100%) rename rules/{endpoint => promotions}/endpoint_permission_theft_prevented.toml (100%) rename rules/{endpoint => promotions}/endpoint_process_injection_detected.toml (100%) rename rules/{endpoint => promotions}/endpoint_process_injection_prevented.toml (100%) rename rules/{endpoint => promotions}/endpoint_ransomware_detected.toml (100%) rename rules/{endpoint => promotions}/endpoint_ransomware_prevented.toml (100%) rename rules/{cross-platform => promotions}/external_alerts.toml (100%) diff --git a/rules/README.md b/rules/README.md index 23d550469e9..361f70bda23 100644 --- a/rules/README.md +++ b/rules/README.md @@ -8,10 +8,10 @@ Rules within this folder are organized by solution or platform. The structure is | [`apm/`](apm) | Rules that use Application Performance Monitoring (APM) data sources | | [`aws/`](aws) | Rules written for the Amazon Web Services (AWS) module of filebeat | | `cross-platform/` | Rules that apply to multiple platforms, such as Windows and Linux | -| [`endpoint/`](endpoint) | Rules specifically for Elastic Endpoint Security solution | | [`linux/`](linux) | Rules for Linux or other Unix based operating systems | | `macos/` | Rules for macOS | | [`ml/`](ml) | Rules that use machine learning jobs (ML) | | [`network/`](network) | Rules that use network data sources | | [`okta/`](okta) | Rules written for the Okta module of filebeat | +| [`promotions/`](promotions) | Rules that promote external alerts into detection engine alerts | | [`windows/`](windows) | Rules for the Microsoft Windows Operating System | diff --git a/rules/endpoint/elastic_endpoint.toml b/rules/promotions/elastic_endpoint.toml similarity index 100% rename from rules/endpoint/elastic_endpoint.toml rename to rules/promotions/elastic_endpoint.toml 
diff --git a/rules/endpoint/endpoint_adversary_behavior_detected.toml b/rules/promotions/endpoint_adversary_behavior_detected.toml similarity index 100% rename from rules/endpoint/endpoint_adversary_behavior_detected.toml rename to rules/promotions/endpoint_adversary_behavior_detected.toml diff --git a/rules/endpoint/endpoint_cred_dumping_detected.toml b/rules/promotions/endpoint_cred_dumping_detected.toml similarity index 100% rename from rules/endpoint/endpoint_cred_dumping_detected.toml rename to rules/promotions/endpoint_cred_dumping_detected.toml diff --git a/rules/endpoint/endpoint_cred_dumping_prevented.toml b/rules/promotions/endpoint_cred_dumping_prevented.toml similarity index 100% rename from rules/endpoint/endpoint_cred_dumping_prevented.toml rename to rules/promotions/endpoint_cred_dumping_prevented.toml diff --git a/rules/endpoint/endpoint_cred_manipulation_detected.toml b/rules/promotions/endpoint_cred_manipulation_detected.toml similarity index 100% rename from rules/endpoint/endpoint_cred_manipulation_detected.toml rename to rules/promotions/endpoint_cred_manipulation_detected.toml diff --git a/rules/endpoint/endpoint_cred_manipulation_prevented.toml b/rules/promotions/endpoint_cred_manipulation_prevented.toml similarity index 100% rename from rules/endpoint/endpoint_cred_manipulation_prevented.toml rename to rules/promotions/endpoint_cred_manipulation_prevented.toml diff --git a/rules/endpoint/endpoint_exploit_detected.toml b/rules/promotions/endpoint_exploit_detected.toml similarity index 100% rename from rules/endpoint/endpoint_exploit_detected.toml rename to rules/promotions/endpoint_exploit_detected.toml diff --git a/rules/endpoint/endpoint_exploit_prevented.toml b/rules/promotions/endpoint_exploit_prevented.toml similarity index 100% rename from rules/endpoint/endpoint_exploit_prevented.toml rename to rules/promotions/endpoint_exploit_prevented.toml 
diff --git a/rules/endpoint/endpoint_malware_detected.toml b/rules/promotions/endpoint_malware_detected.toml similarity index 100% rename from rules/endpoint/endpoint_malware_detected.toml rename to rules/promotions/endpoint_malware_detected.toml diff --git a/rules/endpoint/endpoint_malware_prevented.toml b/rules/promotions/endpoint_malware_prevented.toml similarity index 100% rename from rules/endpoint/endpoint_malware_prevented.toml rename to rules/promotions/endpoint_malware_prevented.toml diff --git a/rules/endpoint/endpoint_permission_theft_detected.toml b/rules/promotions/endpoint_permission_theft_detected.toml similarity index 100% rename from rules/endpoint/endpoint_permission_theft_detected.toml rename to rules/promotions/endpoint_permission_theft_detected.toml diff --git a/rules/endpoint/endpoint_permission_theft_prevented.toml b/rules/promotions/endpoint_permission_theft_prevented.toml similarity index 100% rename from rules/endpoint/endpoint_permission_theft_prevented.toml rename to rules/promotions/endpoint_permission_theft_prevented.toml diff --git a/rules/endpoint/endpoint_process_injection_detected.toml b/rules/promotions/endpoint_process_injection_detected.toml similarity index 100% rename from rules/endpoint/endpoint_process_injection_detected.toml rename to rules/promotions/endpoint_process_injection_detected.toml diff --git a/rules/endpoint/endpoint_process_injection_prevented.toml b/rules/promotions/endpoint_process_injection_prevented.toml similarity index 100% rename from rules/endpoint/endpoint_process_injection_prevented.toml rename to rules/promotions/endpoint_process_injection_prevented.toml diff --git a/rules/endpoint/endpoint_ransomware_detected.toml b/rules/promotions/endpoint_ransomware_detected.toml similarity index 100% rename from rules/endpoint/endpoint_ransomware_detected.toml rename to rules/promotions/endpoint_ransomware_detected.toml 
diff --git a/rules/endpoint/endpoint_ransomware_prevented.toml b/rules/promotions/endpoint_ransomware_prevented.toml similarity index 100% rename from rules/endpoint/endpoint_ransomware_prevented.toml rename to rules/promotions/endpoint_ransomware_prevented.toml diff --git a/rules/cross-platform/external_alerts.toml b/rules/promotions/external_alerts.toml similarity index 100% rename from rules/cross-platform/external_alerts.toml rename to rules/promotions/external_alerts.toml From 564574781b3ee6bb8951abfd4d1d03739f3d281f Mon Sep 17 00:00:00 2001 From: Garrett Spong Date: Thu, 9 Jul 2020 13:57:44 -0600 Subject: [PATCH 10/10] Refining Elastic Endpoint rule index --- rules/promotions/elastic_endpoint.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/promotions/elastic_endpoint.toml b/rules/promotions/elastic_endpoint.toml index a7d8c7720f5..1108443063c 100644 --- a/rules/promotions/elastic_endpoint.toml +++ b/rules/promotions/elastic_endpoint.toml @@ -12,7 +12,7 @@ immediately begin investigating your Elastic Endpoint alerts. """ enabled = true from = "now-10m" -index = ["logs-*"] +index = ["logs-endpoint.alerts-*"] language = "kuery" license = "Elastic License" max_signals = 10000