From 0b627ca327290e3e8d063dafc9c5502c80715da2 Mon Sep 17 00:00:00 2001 From: Ben Skelker Date: Mon, 13 Jul 2020 19:39:02 +0300 Subject: [PATCH 1/2] fixes problematic terminology --- ...ommand_and_control_proxy_port_activity_to_the_internet.toml | 3 +-- ...defense_evasion_misc_lolbin_connecting_to_the_internet.toml | 2 +- ...ion_register_server_program_connecting_to_the_internet.toml | 2 +- 3 files changed, 3 insertions(+), 4 deletions(-) diff --git a/rules/network/command_and_control_proxy_port_activity_to_the_internet.toml b/rules/network/command_and_control_proxy_port_activity_to_the_internet.toml index 5a1adcdad27..03460c0e4d2 100644 --- a/rules/network/command_and_control_proxy_port_activity_to_the_internet.toml +++ b/rules/network/command_and_control_proxy_port_activity_to_the_internet.toml @@ -15,8 +15,7 @@ false_positives = [ """ Some proxied applications may use these ports but this usually occurs in local traffic using private IPs which this rule does not match. Proxies are widely used as a security technology but in enterprise environments this is usually - local traffic which this rule does not match. Internet proxy services using these ports can be white-listed if - desired. Some screen recording applications may use these ports. Proxy port activity involving an unusual source or + local traffic which this rule does not match. If desired, internet proxy services using these ports can be added to allowlists. Some screen recording applications may use these ports. Proxy port activity involving an unusual source or destination may be more suspicious. Some cloud environments may use this port when VPNs or direct connects are not in use and cloud instances are accessed across the Internet. Because these ports are in the ephemeral range, this rule may false under certain conditions such as when a NATed web server replies to a client which has used a port in 
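Review bot: The replacement line in the false_positives entry is roughly twice the width of its neighbours, which are wrapped at about 120 columns, so the entry now reads and diffs worse than before; re-wrap it at the same width (something like `local traffic which this rule does not match. If desired, internet proxy services using these ports can be added to` followed by `allowlists. Some screen recording applications may use these ports. Proxy port activity involving an unusual source` and a re-flowed continuation), which will also shift the following context lines. Since this is a TOML multi-line basic string the line breaks are kept verbatim in the text analysts see, but the wording is unchanged either way. While touching this entry, the context line `this rule may false under certain conditions` looks like a typo for `may fire`; worth confirming with the original author.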
diff --git a/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml b/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
index 36b7b839f84..4acf54fba97 100644
--- a/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
+++ b/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
@@ -9,7 +9,7 @@ author = ["Elastic"]
 description = """
 Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature
 validation. Adversaries may use these binaries to 'live off the land' and execute malicious files that could bypass
-application whitelisting and signature validation.
+application allowlists and signature validation.
 """
 index = ["winlogbeat-*"]
 language = "kuery"
diff --git a/rules/windows/execution_register_server_program_connecting_to_the_internet.toml b/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
index 6948758229d..af12915df09 100644
--- a/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
+++ b/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
@@ -8,7 +8,7 @@ updated_date = "2020/06/24"
 author = ["Elastic"]
 description = """
 Identifies the native Windows tools regsvr32.exe and regsvr64.exe making a network connection. This may be indicative of
-an attacker bypassing whitelisting or running arbitrary scripts via a signed Microsoft binary.
+an attacker bypassing allowlists or running arbitrary scripts via a signed Microsoft binary.
 """
 false_positives = [
 """
From 8c2732aad22de28881519d6920f68a70efe400b1 Mon Sep 17 00:00:00 2001
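Review bot: The regsvr32 hunk rewrites the rule's description but leaves `updated_date = "2020/06/24"`, visible in its hunk header, untouched; if the repository treats updated_date as the marker for any change to rule content, as the key name suggests, it should be bumped to this commit's date in the same change, e.g. `updated_date = "2020/07/13"`. The same question applies to the lolbin hunk above and to the 23 references-only hunks in the second patch, whose updated_date lines fall outside the visible hunks. The query itself is outside both hunks, so the terminology change appears to be description-only.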
From: Ben Skelker
Date: Mon, 13 Jul 2020 19:42:54 +0300
Subject: [PATCH 2/2] fixes ref links to security docs
---
 rules/ml/ml_linux_anomalous_network_activity.toml | 2 +-
 rules/ml/ml_linux_anomalous_network_port_activity.toml | 2 +-
 rules/ml/ml_linux_anomalous_network_service.toml | 2 +-
 rules/ml/ml_linux_anomalous_network_url_activity.toml | 2 +-
 rules/ml/ml_linux_anomalous_process_all_hosts.toml | 2 +-
 rules/ml/ml_linux_anomalous_user_name.toml | 2 +-
 rules/ml/ml_packetbeat_dns_tunneling.toml | 2 +-
 rules/ml/ml_packetbeat_rare_dns_question.toml | 2 +-
 rules/ml/ml_packetbeat_rare_server_domain.toml | 2 +-
 rules/ml/ml_packetbeat_rare_urls.toml | 2 +-
 rules/ml/ml_packetbeat_rare_user_agent.toml | 2 +-
 rules/ml/ml_rare_process_by_host_linux.toml | 2 +-
 rules/ml/ml_rare_process_by_host_windows.toml | 2 +-
 rules/ml/ml_suspicious_login_activity.toml | 2 +-
 rules/ml/ml_windows_anomalous_network_activity.toml | 2 +-
 rules/ml/ml_windows_anomalous_path_activity.toml | 2 +-
 rules/ml/ml_windows_anomalous_process_all_hosts.toml | 2 +-
 rules/ml/ml_windows_anomalous_process_creation.toml | 2 +-
 rules/ml/ml_windows_anomalous_script.toml | 2 +-
 rules/ml/ml_windows_anomalous_service.toml | 2 +-
 rules/ml/ml_windows_anomalous_user_name.toml | 2 +-
 rules/ml/ml_windows_rare_user_runas_event.toml | 2 +-
 rules/ml/ml_windows_rare_user_type10_remote_login.toml | 2 +-
 23 files changed, 23 insertions(+), 23 deletions(-)
diff --git a/rules/ml/ml_linux_anomalous_network_activity.toml b/rules/ml/ml_linux_anomalous_network_activity.toml
index d653ad131d2..b69886d2d9f 100644
--- a/rules/ml/ml_linux_anomalous_network_activity.toml
+++ b/rules/ml/ml_linux_anomalous_network_activity.toml
@@ -27,7 +27,7 @@ Signals from this rule indicate the presence of network activity from a Linux pr
 - Consider the user as identified by the username field. Is this network activity part of an expected workflow for the user who ran the program?
 - Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business or maintenance process.
 - Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing."""
-references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"]
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21
 rule_id = "52afbdc5-db15-485e-bc24-f5707f820c4b"
 severity = "low"
diff --git a/rules/ml/ml_linux_anomalous_network_port_activity.toml b/rules/ml/ml_linux_anomalous_network_port_activity.toml
index eafee5439d2..462dcc46369 100644
--- a/rules/ml/ml_linux_anomalous_network_port_activity.toml
+++ b/rules/ml/ml_linux_anomalous_network_port_activity.toml
@@ -18,7 +18,7 @@ interval = "15m"
 license = "Elastic License"
 machine_learning_job_id = "linux_anomalous_network_port_activity_ecs"
 name = "Unusual Linux Network Port Activity"
-references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"]
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21
 rule_id = "3c7e32e6-6104-46d9-a06e-da0f8b5795a0"
 severity = "low"
diff --git a/rules/ml/ml_linux_anomalous_network_service.toml b/rules/ml/ml_linux_anomalous_network_service.toml
index 3b8e61c9908..3b2ebc8e1df 100644
--- a/rules/ml/ml_linux_anomalous_network_service.toml
+++ b/rules/ml/ml_linux_anomalous_network_service.toml
@@ -17,7 +17,7 @@ interval = "15m"
 license = "Elastic License"
 machine_learning_job_id = "linux_anomalous_network_service"
 name = "Unusual Linux Network Service"
-references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"]
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21
 rule_id = "52afbdc5-db15-596e-bc35-f5707f820c4b"
 severity = "low"
diff --git a/rules/ml/ml_linux_anomalous_network_url_activity.toml b/rules/ml/ml_linux_anomalous_network_url_activity.toml
index 3adfeba4b2e..5316e7a6d03 100644
--- a/rules/ml/ml_linux_anomalous_network_url_activity.toml
+++ b/rules/ml/ml_linux_anomalous_network_url_activity.toml
@@ -25,7 +25,7 @@ interval = "15m"
 license = "Elastic License"
 machine_learning_job_id = "linux_anomalous_network_url_activity_ecs"
 name = "Unusual Linux Web Activity"
-references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"]
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21
 rule_id = "52afbdc5-db15-485e-bc35-f5707f820c4c"
 severity = "low"
diff --git a/rules/ml/ml_linux_anomalous_process_all_hosts.toml b/rules/ml/ml_linux_anomalous_process_all_hosts.toml
index 6b0615a080f..e82034bb83d 100644
--- a/rules/ml/ml_linux_anomalous_process_all_hosts.toml
+++ b/rules/ml/ml_linux_anomalous_process_all_hosts.toml
@@ -28,7 +28,7 @@ Signals from this rule indicate the presence of a Linux process that is rare and
 - Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host?
 - Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.
 - Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing."""
-references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"]
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21
 rule_id = "647fc812-7996-4795-8869-9c4ea595fe88"
 severity = "low"
diff --git a/rules/ml/ml_linux_anomalous_user_name.toml b/rules/ml/ml_linux_anomalous_user_name.toml
index 993fae1ac38..0ea17fc3b92 100644
--- a/rules/ml/ml_linux_anomalous_user_name.toml
+++ b/rules/ml/ml_linux_anomalous_user_name.toml
@@ -33,7 +33,7 @@ Signals from this rule indicate activity for a Linux user name that is rare and
 - Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host? Could this be related to troubleshooting or debugging activity by a developer or site reliability engineer?
 - Examine the history of user activity. If this user manifested only very recently, it might be a service account for a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.
 - Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks that the user is performing."""
-references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"]
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21
 rule_id = "b347b919-665f-4aac-b9e8-68369bf2340c"
 severity = "low"
diff --git a/rules/ml/ml_packetbeat_dns_tunneling.toml b/rules/ml/ml_packetbeat_dns_tunneling.toml
index 84e218f5d4c..d954e9961d1 100644
--- a/rules/ml/ml_packetbeat_dns_tunneling.toml
+++ b/rules/ml/ml_packetbeat_dns_tunneling.toml
@@ -24,7 +24,7 @@ interval = "15m"
 license = "Elastic License"
 machine_learning_job_id = "packetbeat_dns_tunneling"
 name = "DNS Tunneling"
-references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"]
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21
 rule_id = "91f02f01-969f-4167-8f66-07827ac3bdd9"
 severity = "low"
diff --git a/rules/ml/ml_packetbeat_rare_dns_question.toml b/rules/ml/ml_packetbeat_rare_dns_question.toml
index 53c5315f585..cc205b03390 100644
--- a/rules/ml/ml_packetbeat_rare_dns_question.toml
+++ b/rules/ml/ml_packetbeat_rare_dns_question.toml
@@ -27,7 +27,7 @@ interval = "15m"
 license = "Elastic License"
 machine_learning_job_id = "packetbeat_rare_dns_question"
 name = "Unusual DNS Activity"
-references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"]
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21
 rule_id = "746edc4c-c54c-49c6-97a1-651223819448"
 severity = "low"
diff --git a/rules/ml/ml_packetbeat_rare_server_domain.toml b/rules/ml/ml_packetbeat_rare_server_domain.toml
index 8dd1d521732..6c77bc97d00 100644
--- a/rules/ml/ml_packetbeat_rare_server_domain.toml
+++ b/rules/ml/ml_packetbeat_rare_server_domain.toml
@@ -27,7 +27,7 @@ interval = "15m"
 license = "Elastic License"
 machine_learning_job_id = "packetbeat_rare_server_domain"
 name = "Unusual Network Destination Domain Name"
-references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"]
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21
 rule_id = "17e68559-b274-4948-ad0b-f8415bb31126"
 severity = "low"
diff --git a/rules/ml/ml_packetbeat_rare_urls.toml b/rules/ml/ml_packetbeat_rare_urls.toml
index 3af3d007788..7414a22cf6d 100644
--- a/rules/ml/ml_packetbeat_rare_urls.toml
+++ b/rules/ml/ml_packetbeat_rare_urls.toml
@@ -30,7 +30,7 @@ interval = "15m"
 license = "Elastic License"
 machine_learning_job_id = "packetbeat_rare_urls"
 name = "Unusual Web Request"
-references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"]
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21
 rule_id = "91f02f01-969f-4167-8f55-07827ac3acc9"
 severity = "low"
diff --git a/rules/ml/ml_packetbeat_rare_user_agent.toml b/rules/ml/ml_packetbeat_rare_user_agent.toml
index fb06c72ccad..0e67b8ec054 100644
--- a/rules/ml/ml_packetbeat_rare_user_agent.toml
+++ b/rules/ml/ml_packetbeat_rare_user_agent.toml
@@ -28,7 +28,7 @@ interval = "15m"
 license = "Elastic License"
 machine_learning_job_id = "packetbeat_rare_user_agent"
 name = "Unusual Web User Agent"
-references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"]
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21
 rule_id = "91f02f01-969f-4167-8d77-07827ac4cee0"
 severity = "low"
diff --git a/rules/ml/ml_rare_process_by_host_linux.toml b/rules/ml/ml_rare_process_by_host_linux.toml
index 190287daffa..5a6f9bff3a5 100644
--- a/rules/ml/ml_rare_process_by_host_linux.toml
+++ b/rules/ml/ml_rare_process_by_host_linux.toml
@@ -28,7 +28,7 @@ Signals from this rule indicate the presence of a Linux process that is rare and
 - Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host?
 - Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.
 - Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing."""
-references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"]
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21
 rule_id = "46f804f5-b289-43d6-a881-9387cf594f75"
 severity = "low"
diff --git a/rules/ml/ml_rare_process_by_host_windows.toml b/rules/ml/ml_rare_process_by_host_windows.toml
index f9344f61574..b9578a18ba5 100644
--- a/rules/ml/ml_rare_process_by_host_windows.toml
+++ b/rules/ml/ml_rare_process_by_host_windows.toml
@@ -31,7 +31,7 @@ Signals from this rule indicate the presence of a Windows process that is rare a
 - Examine arguments and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.
 - Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.
 - If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools. """
-references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"]
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21
 rule_id = "6d448b96-c922-4adb-b51c-b767f1ea5b76"
 severity = "low"
diff --git a/rules/ml/ml_suspicious_login_activity.toml b/rules/ml/ml_suspicious_login_activity.toml
index 559b427c997..c345827aed2 100644
--- a/rules/ml/ml_suspicious_login_activity.toml
+++ b/rules/ml/ml_suspicious_login_activity.toml
@@ -19,7 +19,7 @@ interval = "15m"
 license = "Elastic License"
 machine_learning_job_id = "suspicious_login_activity_ecs"
 name = "Unusual Login Activity"
-references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"]
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21
 rule_id = "4330272b-9724-4bc6-a3ca-f1532b81e5c2"
 severity = "low"
diff --git a/rules/ml/ml_windows_anomalous_network_activity.toml b/rules/ml/ml_windows_anomalous_network_activity.toml
index fd4a04369bd..1d5841086b0 100644
--- a/rules/ml/ml_windows_anomalous_network_activity.toml
+++ b/rules/ml/ml_windows_anomalous_network_activity.toml
@@ -29,7 +29,7 @@ Signals from this rule indicate the presence of network activity from a Windows
 - Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.
 - Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.
 - If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools."""
-references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"]
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21
 rule_id = "ba342eb2-583c-439f-b04d-1fdd7c1417cc"
 severity = "low"
diff --git a/rules/ml/ml_windows_anomalous_path_activity.toml b/rules/ml/ml_windows_anomalous_path_activity.toml
index edac29c0eaa..a1e877f559d 100644
--- a/rules/ml/ml_windows_anomalous_path_activity.toml
+++ b/rules/ml/ml_windows_anomalous_path_activity.toml
@@ -25,7 +25,7 @@ interval = "15m"
 license = "Elastic License"
 machine_learning_job_id = "windows_anomalous_path_activity_ecs"
 name = "Unusual Windows Path Activity"
-references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"]
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21
 rule_id = "445a342e-03fb-42d0-8656-0367eb2dead5"
 severity = "low"
diff --git a/rules/ml/ml_windows_anomalous_process_all_hosts.toml b/rules/ml/ml_windows_anomalous_process_all_hosts.toml
index 395b9207e4b..e92ed7533f5 100644
--- a/rules/ml/ml_windows_anomalous_process_all_hosts.toml
+++ b/rules/ml/ml_windows_anomalous_process_all_hosts.toml
@@ -31,7 +31,7 @@ Signals from this rule indicate the presence of a Windows process that is rare a
 - Examine arguments and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.
 - Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.
 - If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools. """
-references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"]
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21
 rule_id = "6e40d56f-5c0e-4ac6-aece-bee96645b172"
 severity = "low"
diff --git a/rules/ml/ml_windows_anomalous_process_creation.toml b/rules/ml/ml_windows_anomalous_process_creation.toml
index 4029f330861..be6e92bc235 100644
--- a/rules/ml/ml_windows_anomalous_process_creation.toml
+++ b/rules/ml/ml_windows_anomalous_process_creation.toml
@@ -27,7 +27,7 @@ interval = "15m"
 license = "Elastic License"
 machine_learning_job_id = "windows_anomalous_process_creation"
 name = "Anomalous Windows Process Creation"
-references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"]
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21
 rule_id = "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5"
 severity = "low"
diff --git a/rules/ml/ml_windows_anomalous_script.toml b/rules/ml/ml_windows_anomalous_script.toml
index 66172bf9f66..f2e2366e18f 100644
--- a/rules/ml/ml_windows_anomalous_script.toml
+++ b/rules/ml/ml_windows_anomalous_script.toml
@@ -22,7 +22,7 @@ interval = "15m"
 license = "Elastic License"
 machine_learning_job_id = "windows_anomalous_script"
 name = "Suspicious Powershell Script"
-references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"]
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21
 rule_id = "1781d055-5c66-4adf-9d60-fc0fa58337b6"
 severity = "low"
diff --git a/rules/ml/ml_windows_anomalous_service.toml b/rules/ml/ml_windows_anomalous_service.toml
index 0e8ed05b37c..e968af06577 100644
--- a/rules/ml/ml_windows_anomalous_service.toml
+++ b/rules/ml/ml_windows_anomalous_service.toml
@@ -23,7 +23,7 @@ interval = "15m"
 license = "Elastic License"
 machine_learning_job_id = "windows_anomalous_service"
 name = "Unusual Windows Service"
-references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"]
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21
 rule_id = "1781d055-5c66-4adf-9c71-fc0fa58338c7"
 severity = "low"
diff --git a/rules/ml/ml_windows_anomalous_user_name.toml b/rules/ml/ml_windows_anomalous_user_name.toml
index 095ca04e1a4..abdb12a4e22 100644
--- a/rules/ml/ml_windows_anomalous_user_name.toml
+++ b/rules/ml/ml_windows_anomalous_user_name.toml
@@ -34,7 +34,7 @@ Signals from this rule indicate activity for a Windows user name that is rare an
 - Examine the history of user activity. If this user manifested only very recently, it might be a service account for a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.
 - Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks that the user is performing.
 - Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious."""
-references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"]
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21
 rule_id = "1781d055-5c66-4adf-9c59-fc0fa58336a5"
 severity = "low"
diff --git a/rules/ml/ml_windows_rare_user_runas_event.toml b/rules/ml/ml_windows_rare_user_runas_event.toml
index b14b1b0b7cd..dc112b0bbfa 100644
--- a/rules/ml/ml_windows_rare_user_runas_event.toml
+++ b/rules/ml/ml_windows_rare_user_runas_event.toml
@@ -23,7 +23,7 @@ interval = "15m"
 license = "Elastic License"
 machine_learning_job_id = "windows_rare_user_runas_event"
 name = "Unusual Windows User Privilege Elevation Activity"
-references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"]
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21
 rule_id = "1781d055-5c66-4adf-9d82-fc0fa58449c8"
 severity = "low"
diff --git a/rules/ml/ml_windows_rare_user_type10_remote_login.toml b/rules/ml/ml_windows_rare_user_type10_remote_login.toml
index e9677526c63..85e17ebbe91 100644
--- a/rules/ml/ml_windows_rare_user_type10_remote_login.toml
+++ b/rules/ml/ml_windows_rare_user_type10_remote_login.toml
@@ -27,7 +27,7 @@ note = """### Investigating an Unusual Windows User ###
 Signals from this rule indicate activity for a rare and unusual Windows RDP (remote desktop) user. Here are some possible avenues of investigation:
 - Consider the user as identified by the username field. Is the user part of a group who normally logs into Windows hosts using RDP (remote desktop protocol)? Is this logon activity part of an expected workflow for the user?
 - Consider the source of the login. If the source is remote, could this be related to occasional troubleshooting or support activity by a vendor or an employee working remotely?"""
-references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"]
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21
 rule_id = "1781d055-5c66-4adf-9e93-fc0fa69550c9"
 severity = "low"