From d94b6562c04efaf868bb80eab8c2dd856438c7ba Mon Sep 17 00:00:00 2001 From: Tre Date: Tue, 16 Nov 2021 12:58:51 -0500 Subject: [PATCH 01/12] [QA][refactor] Use ui settings - discover histogram (#114997) * [QA][refactor] Use ui settings - discover histogram Use ui settings instead of setting absolute range for timepicker. Stacked on top of: https://github.com/elastic/kibana/pull/114530 * Use TimeStrings interface. --- .../apps/discover/_discover_histogram.ts | 37 ++++++++++--------- 1 file changed, 20 insertions(+), 17 deletions(-) diff --git a/test/functional/apps/discover/_discover_histogram.ts b/test/functional/apps/discover/_discover_histogram.ts index 36abcd81d53a..62d6ede32305 100644 --- a/test/functional/apps/discover/_discover_histogram.ts +++ b/test/functional/apps/discover/_discover_histogram.ts @@ -8,6 +8,7 @@ import expect from '@kbn/expect'; import { FtrProviderContext } from '../../ftr_provider_context'; +import { TimeStrings } from '../../page_objects/common_page'; export default function ({ getService, getPageObjects }: FtrProviderContext) { const esArchiver = getService('esArchiver'); @@ -40,10 +41,12 @@ export default function ({ getService, getPageObjects }: FtrProviderContext) { 'test/functional/fixtures/es_archiver/long_window_logstash_index_pattern' ); await security.testUser.restoreDefaults(); + await PageObjects.common.unsetTime(); }); - async function prepareTest(fromTime: string, toTime: string, interval?: string) { - await PageObjects.timePicker.setAbsoluteRange(fromTime, toTime); + async function prepareTest(time: TimeStrings, interval?: string) { + await PageObjects.common.setTime(time); + await PageObjects.common.navigateToApp('discover'); await PageObjects.discover.waitUntilSearchingHasFinished(); if (interval) { await PageObjects.discover.setChartInterval(interval); @@ -52,32 +55,32 @@ export default function ({ getService, getPageObjects }: FtrProviderContext) { } it('should visualize monthly data with different day intervals', async () => { - const fromTime = 'Nov 1, 2017 @ 00:00:00.000'; - const toTime = 'Mar 21, 2018 @ 00:00:00.000'; - await prepareTest(fromTime, toTime, 'Month'); + const from = 'Nov 1, 2017 @ 00:00:00.000'; + const to = 'Mar 21, 2018 @ 00:00:00.000'; + await prepareTest({ from, to }, 'Month'); const chartCanvasExist = await elasticChart.canvasExists(); expect(chartCanvasExist).to.be(true); }); it('should visualize weekly data with within DST changes', async () => { - const fromTime = 'Mar 1, 2018 @ 00:00:00.000'; - const toTime = 'May 1, 2018 @ 00:00:00.000'; - await prepareTest(fromTime, toTime, 'Week'); + const from = 'Mar 1, 2018 @ 00:00:00.000'; + const to = 'May 1, 2018 @ 00:00:00.000'; + await prepareTest({ from, to }, 'Week'); const chartCanvasExist = await elasticChart.canvasExists(); expect(chartCanvasExist).to.be(true); }); it('should visualize monthly data with different years scaled to 30 days', async () => { - const fromTime = 'Jan 1, 2010 @ 00:00:00.000'; - const toTime = 'Mar 21, 2019 @ 00:00:00.000'; - await prepareTest(fromTime, toTime, 'Day'); + const from = 'Jan 1, 2010 @ 00:00:00.000'; + const to = 'Mar 21, 2019 @ 00:00:00.000'; + await prepareTest({ from, to }, 'Day'); const chartCanvasExist = await elasticChart.canvasExists(); expect(chartCanvasExist).to.be(true); const chartIntervalIconTip = await PageObjects.discover.getChartIntervalWarningIcon(); expect(chartIntervalIconTip).to.be(true); }); it('should allow hide/show histogram, persisted in url state', async () => { - const fromTime = 'Jan 1, 2010 @ 00:00:00.000'; - const toTime = 'Mar 21, 2019 @ 00:00:00.000'; - await prepareTest(fromTime, toTime); + const from = 'Jan 1, 2010 @ 00:00:00.000'; + const to = 'Mar 21, 2019 @ 00:00:00.000'; + await prepareTest({ from, to }); let canvasExists = await elasticChart.canvasExists(); expect(canvasExists).to.be(true); await testSubjects.click('discoverChartOptionsToggle'); @@ -95,10 +98,10 @@ export default function ({ getService, getPageObjects }: FtrProviderContext) { expect(canvasExists).to.be(true); }); it('should allow hiding the histogram, persisted in saved search', async () => { - const fromTime = 'Jan 1, 2010 @ 00:00:00.000'; - const toTime = 'Mar 21, 2019 @ 00:00:00.000'; + const from = 'Jan 1, 2010 @ 00:00:00.000'; + const to = 'Mar 21, 2019 @ 00:00:00.000'; const savedSearch = 'persisted hidden histogram'; - await prepareTest(fromTime, toTime); + await prepareTest({ from, to }); await testSubjects.click('discoverChartOptionsToggle'); await testSubjects.click('discoverChartToggle'); let canvasExists = await elasticChart.canvasExists(); From 8c76499c9e2aa99192a30b2237b99aee68a70591 Mon Sep 17 00:00:00 2001 From: Tim Roes Date: Tue, 16 Nov 2021 19:01:18 +0100 Subject: [PATCH 02/12] Fix flaky KQL suggestion tests (#118670) --- test/functional/services/query_bar.ts | 18 +++++++++++++++++- .../apps/discover/value_suggestions.ts | 19 +++++-------------- .../value_suggestions_non_timebased.ts | 9 +-------- 3 files changed, 23 insertions(+), 23 deletions(-) diff --git a/test/functional/services/query_bar.ts b/test/functional/services/query_bar.ts index f0728f2b022e..55a27f0423ee 100644 --- a/test/functional/services/query_bar.ts +++ b/test/functional/services/query_bar.ts @@ -76,8 +76,24 @@ export class QueryBarService extends FtrService { expect((await queryLanguageButton.getVisibleText()).toLowerCase()).to.eql(lang); } - public async getSuggestions() { + /** + * Returns the currently shown suggestions texts of the query bar. Since there is no loading + * indicator to wait for to validate if suggestion loading is done, this method is private + * and should not be used in tests. Instead {@link #expectSuggestions} should be used, which + * properly waits for the expected suggestions. + */ + private async getSuggestions() { const suggestions = await this.testSubjects.findAll('autoCompleteSuggestionText'); return Promise.all(suggestions.map((suggestion) => suggestion.getVisibleText())); } + + public async expectSuggestions({ count, contains }: { count: number; contains?: string }) { + await this.retry.try(async () => { + const suggestions = await this.getSuggestions(); + expect(suggestions.length).to.be(count); + if (contains) { + expect(suggestions).to.contain(contains); + } + }); + } } diff --git a/x-pack/test/functional/apps/discover/value_suggestions.ts b/x-pack/test/functional/apps/discover/value_suggestions.ts index 9a56ee944deb..6cef27227954 100644 --- a/x-pack/test/functional/apps/discover/value_suggestions.ts +++ b/x-pack/test/functional/apps/discover/value_suggestions.ts @@ -5,7 +5,6 @@ * 2.0. */ -import expect from '@kbn/expect'; import { FtrProviderContext } from '../../ftr_provider_context'; import { UI_SETTINGS } from '../../../../../src/plugins/data/common'; @@ -56,16 +55,13 @@ export default function ({ getService, getPageObjects }: FtrProviderContext) { ); await queryBar.setQuery('extension.raw : '); - const suggestions = await queryBar.getSuggestions(); - expect(suggestions.length).to.be(0); + await queryBar.expectSuggestions({ count: 0 }); }); it('show up if in range', async () => { await PageObjects.timePicker.setDefaultAbsoluteRange(); await queryBar.setQuery('extension.raw : '); - const suggestions = await queryBar.getSuggestions(); - expect(suggestions.length).to.be(5); - expect(suggestions).to.contain('"jpg"'); + await queryBar.expectSuggestions({ count: 5, contains: '"jpg"' }); }); }); @@ -90,8 +86,7 @@ export default function ({ getService, getPageObjects }: FtrProviderContext) { }); }); - // FLAKY: https://github.com/elastic/kibana/issues/116892 - describe.skip('useTimeRange disabled', () => { + describe('useTimeRange disabled', () => { before(async () => { await setAutocompleteUseTimeRange(false); }); @@ -117,17 +112,13 @@ export default function ({ getService, getPageObjects }: FtrProviderContext) { ); await queryBar.setQuery('extension.raw : '); - const suggestions = await queryBar.getSuggestions(); - expect(suggestions.length).to.be(5); - expect(suggestions).to.contain('"jpg"'); + await queryBar.expectSuggestions({ count: 5, contains: '"jpg"' }); }); it('show up', async () => { await PageObjects.timePicker.setDefaultAbsoluteRange(); await queryBar.setQuery('extension.raw : '); - const suggestions = await queryBar.getSuggestions(); - expect(suggestions.length).to.be(5); - expect(suggestions).to.contain('"jpg"'); + await queryBar.expectSuggestions({ count: 5, contains: '"jpg"' }); }); }); }); diff --git a/x-pack/test/functional/apps/discover/value_suggestions_non_timebased.ts b/x-pack/test/functional/apps/discover/value_suggestions_non_timebased.ts index ecf8fd31ce93..b95cbea20cf8 100644 --- a/x-pack/test/functional/apps/discover/value_suggestions_non_timebased.ts +++ b/x-pack/test/functional/apps/discover/value_suggestions_non_timebased.ts @@ -5,13 +5,11 @@ * 2.0. */ -import expect from '@kbn/expect'; import { FtrProviderContext } from '../../ftr_provider_context'; export default function ({ getService, getPageObjects }: FtrProviderContext) { const esArchiver = getService('esArchiver'); const queryBar = getService('queryBar'); - const retry = getService('retry'); const PageObjects = getPageObjects(['common', 'settings', 'context', 'header']); describe('value suggestions non time based', function describeIndexTests() { @@ -30,12 +28,7 @@ export default function ({ getService, getPageObjects }: FtrProviderContext) { it('shows all autosuggest options for a filter in discover context app', async () => { await PageObjects.common.navigateToApp('discover'); await queryBar.setQuery('type.keyword : '); - - await retry.try(async () => { - const suggestions = await queryBar.getSuggestions(); - expect(suggestions.length).to.be(1); - expect(suggestions).to.contain('"apache"'); - }); + await queryBar.expectSuggestions({ count: 1, contains: '"apache"' }); }); }); } From 4f958691e1dbcf2fc063ca954c46460c28cf45bd Mon Sep 17 00:00:00 2001 From: ymao1 Date: Tue, 16 Nov 2021 13:04:59 -0500 Subject: [PATCH 03/12] Removing incorrect deprecation message for task manager max workers (#118615) Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com> --- x-pack/plugins/task_manager/server/index.test.ts | 2 +- x-pack/plugins/task_manager/server/index.ts | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/x-pack/plugins/task_manager/server/index.test.ts b/x-pack/plugins/task_manager/server/index.test.ts index 6fb512bebbd8..2145c01dfe68 100644 --- a/x-pack/plugins/task_manager/server/index.test.ts +++ b/x-pack/plugins/task_manager/server/index.test.ts @@ -41,7 +41,7 @@ describe('deprecations', () => { const { messages } = applyTaskManagerDeprecations({ max_workers: 1000 }); expect(messages).toMatchInlineSnapshot(` Array [ - "setting \\"xpack.task_manager.max_workers\\" (1000) greater than 100 is deprecated. Values greater than 100 will not be supported starting in 8.0.", + "setting \\"xpack.task_manager.max_workers\\" (1000) greater than 100 is deprecated.", ] `); }); diff --git a/x-pack/plugins/task_manager/server/index.ts b/x-pack/plugins/task_manager/server/index.ts index 58fba0b6f68c..0c967e1aa038 100644 --- a/x-pack/plugins/task_manager/server/index.ts +++ b/x-pack/plugins/task_manager/server/index.ts @@ -65,7 +65,7 @@ export const config: PluginConfigDescriptor = { addDeprecation({ level: 'critical', configPath: `${fromPath}.max_workers`, - message: `setting "${fromPath}.max_workers" (${taskManager?.max_workers}) greater than ${MAX_WORKERS_LIMIT} is deprecated. Values greater than ${MAX_WORKERS_LIMIT} will not be supported starting in 8.0.`, + message: `setting "${fromPath}.max_workers" (${taskManager?.max_workers}) greater than ${MAX_WORKERS_LIMIT} is deprecated.`, correctiveActions: { manualSteps: [ `Maximum allowed value of "${fromPath}.max_workers" is ${MAX_WORKERS_LIMIT}.` + From 61ee7a8c19a4c63a3bb2a92a11f6e314aad4e6f8 Mon Sep 17 00:00:00 2001 From: Kaarina Tungseth Date: Tue, 16 Nov 2021 12:07:25 -0600 Subject: [PATCH 04/12] [DOCS] Adds the 7.16 dashboard docs (#117916) * [DOCS] 7.16 docs * Review comments Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com> --- docs/user/dashboard/dashboard.asciidoc | 22 +++++++++++++++---- .../make-dashboards-interactive.asciidoc | 16 +++++++++----- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/docs/user/dashboard/dashboard.asciidoc b/docs/user/dashboard/dashboard.asciidoc index 474b45f4989f..364a7d9e53dd 100644 --- a/docs/user/dashboard/dashboard.asciidoc +++ b/docs/user/dashboard/dashboard.asciidoc @@ -361,17 +361,31 @@ To exit *Edit* mode, click *Switch to view mode*. [float] [[download-csv]] -== Download panel data +== View the panel data and requests -Download panel data in a CSV file. When you download visualization panels with multiple layers, each layer produces a CSV file, and the file names contain the visualization and layer index names. +View the data in visualizations and the requests that collect the data. -. Open the panel menu, then select *Inspect*. +. Open the panel menu, then click *More > Inspect*. -. Click *Download CSV*, then select the format type from the dropdown: +. View and download the panel data. + +.. Open the *View* dropdown, then click *Data*. + +.. Click *Download CSV*, then select the format type from the dropdown: * *Formatted CSV* — Contains human-readable dates and numbers. * *Unformatted* — Best used for computer use. ++ +When you download visualization panels with multiple layers, each layer produces a CSV file, and the file names contain the visualization and layer {data-source} names. + +. View the requests that collect the data. + +.. Open the *View* dropdown, then click *Requests*. + +.. From the dropdown, select the requests you want to view. + +.. To view the requests in *Console*, click *Request*, then click *Open in Console*. [float] [[share-the-dashboard]] diff --git a/docs/user/dashboard/make-dashboards-interactive.asciidoc b/docs/user/dashboard/make-dashboards-interactive.asciidoc index 6e09fd34f508..54a723f63e25 100644 --- a/docs/user/dashboard/make-dashboards-interactive.asciidoc +++ b/docs/user/dashboard/make-dashboards-interactive.asciidoc @@ -94,20 +94,26 @@ To save the panel to the dashboard: [[explore-the-underlying-documents]] === Open panel data in Discover -You can add interactions to panels that allow you to open *Discover* and explore the panel data. To use the *Discover* interactions, the panel must use only one index pattern, and you must enable <> and <> in kibana.yml. +You can add interactions to panels that allow you to open and explore the data in *Discover*. To use the interactions, the panel must use only one {data-view}. -If you are using 7.13.0 and earlier, panel interactions are enabled by default. +There are three types of *Discover* interactions you can add to dashboards: -There are two types of *Discover* interactions that you can add to dashboards: - -* *Panel interactions* — Opens the panel data in *Discover*, including the dashboard-level filters, but not the panel-level filters. +* *Panel interactions* — Opens panel data in *Discover*, including the dashboard-level filters, but not the panel-level filters. ++ +To enable panel interactions, configure <> in kibana.yml. If you are using 7.13.0 and earlier, panel interactions are enabled by default. + To use panel interactions, open the panel menu, then click *Explore underlying data*. * *Series data interactions* — Opens the series data in *Discover*. + +To enable series data interactions, configure <> in kibana.yml. If you are using 7.13.0 and earlier, data series interactions are enabled by default. ++ To use series data interactions, click a data series in the panel. +* *Saved search interactions* — Opens <> data in *Discover*. ++ +To use saved search interactions, open the panel menu, then click *More > View saved search*. + [float] [[create-drilldowns]] === Create drilldowns From 33c1313daf257eea32d686bb0900041f0a38281e Mon Sep 17 00:00:00 2001 From: Kaarina Tungseth Date: Tue, 16 Nov 2021 12:08:10 -0600 Subject: [PATCH 05/12] [DOCS] Adds the 7.16 TSVB docs (#117931) * [DOCS] Adds the 7.16 TSVB docs * Fixes broken link * Update docs/user/dashboard/tsvb.asciidoc Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com> * Update docs/user/dashboard/tsvb.asciidoc Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com> * Review comments Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com> Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com> --- docs/index.asciidoc | 1 + docs/user/dashboard/tsvb.asciidoc | 104 ++++++++++++------------------ 2 files changed, 42 insertions(+), 63 deletions(-) diff --git a/docs/index.asciidoc b/docs/index.asciidoc index f9ed2abc4b8c..ec1a99fa5bff 100644 --- a/docs/index.asciidoc +++ b/docs/index.asciidoc @@ -13,6 +13,7 @@ include::{docs-root}/shared/versions/stack/{source_branch}.asciidoc[] :es-docker-image: {es-docker-repo}:{version} :blob: {kib-repo}blob/{branch}/ :security-ref: https://www.elastic.co/community/security/ +:Data-source: Data view :data-source: data view :data-sources: data views :a-data-source: a data view diff --git a/docs/user/dashboard/tsvb.asciidoc b/docs/user/dashboard/tsvb.asciidoc index c944ec2c9e08..7efd8425e561 100644 --- a/docs/user/dashboard/tsvb.asciidoc +++ b/docs/user/dashboard/tsvb.asciidoc @@ -15,33 +15,11 @@ With *TSVB*, you can: [role="screenshot"] image::images/tsvb-screenshot.png[TSVB overview] -[float] -[[tsvb-required-choices]] -==== Open and set up TSVB - -Open *TSVB*, then configure the required settings. - -. On the dashboard, click *All types*, then select *TSVB*. - -. In *TSVB*, click *Panel options*, then specify the required *Data* settings. - -.. From the *Index pattern* dropdown, select the index pattern you want to visualize. -+ -To visualize the data in an {es} index, open the *Index pattern selection mode* menu, deselect *Use only {kib} index patterns*, then enter the {es} index. - -.. From the *Time field* dropdown, select the field you want to visualize, then enter the field *Interval*. - -.. Select a *Drop last bucket* option. -+ -By default, *TSVB* drops the last bucket because the time filter intersects the time range of the last bucket. To view the partial data, select *No*. - -.. To view a filtered set of documents, enter <> in the *Panel filter* field. - [float] [[tsvb-index-pattern-mode]] -==== Change the {data-source} mode +==== Open and set up TSVB -You can create *TSVB* visualizations with only {data-sources}, or {es} index strings. +Open *TSVB*, then configure the required settings. You can create *TSVB* visualizations with only {data-sources}, or {es} index strings. When you use only {data-sources}, you are able to: @@ -53,28 +31,56 @@ When you use only {data-sources}, you are able to: * Improve performance -IMPORTANT: Creating *TSVB* visualizations with an {es} index string is deprecated. To use an {es} index string, contact your administrator, or go to <> and set `metrics:allowStringIndices` to `true`. Creating *TSVB* visualizations with an {es} index string will be removed in a future release. -Creating visualizations with only {data-sources} is the default one for new visualizations but it can also be switched for the old implementations: +IMPORTANT: Creating *TSVB* visualizations with an {es} index string is deprecated and will be removed in a fytyre release. By default, you create *TSVB* visualizations with only {data-sources}. To use an {es} index string, contact your administrator, or go to <> and set `metrics:allowStringIndices` to `true`. + +. On the dashboard, click *All types*, then select *TSVB*. -. Click *Panel options*, then open the *Index pattern selection mode* options next to the *Index pattern* dropdown. +. In *TSVB*, click *Panel options*, then specify the *Data* settings. -. Select *Use only Kibana index patterns*. +. Open the *Index pattern selection mode* options next to the *Index pattern* dropdown. -. From the *Index pattern* drodpown, select the index pattern, then select the *Time field*. +. Select *Use only {kib} {data-sources}*. + +. From the *Index pattern* drodpown, select the {data-source}, then select the *Time field* and *Interval*. + +. Select a *Drop last bucket* option. + -image::images/tsvb_index_pattern_selection_mode.png[Change index pattern selection mode action] +By default, *TSVB* drops the last bucket because the time filter intersects the time range of the last bucket. To view the partial data, select *No*. + +. To view a filtered set of documents, enter <> in the *Panel filter* field. [float] -[[configure-the-data-series]] +[[tsvb-function-reference]] ==== Configure the series Each *TSVB* visualization shares the same options to create a *Series*. Each series can be thought of as a separate {es} aggregation. -For each series, the *Options* control the styling and {es} options, and are inherited from *Panel options*. +The *Options* control the styling and {es} options, and are inherited from *Panel options*. When you have separate options for each series, you can compare different {es} indices, and view two time ranges from the same index. To configure the value of each series, select the function, then configure the function inputs. Only the last function is displayed. -. From the *Aggregation* dropdown, select the function for the series. +. From the *Aggregation* dropdown, select the function for the series. *TSVB* provides you with shortcuts for some frequently-used functions: ++ +*Filter Ratio*:: + Returns a percent value by calculating a metric on two sets of documents. + For example, calculate the error rate as a percentage of the overall events over time. ++ +*Counter Rate*:: + Used when dealing with monotonically increasing counters. Shortcut for *Max*, *Derivative*, and *Positive Only*. ++ +*Positive Only*:: + Removes any negative values from the results, which can be used as a post-processing step + after a derivative. ++ +*Series Agg*:: + Applies a function to all of the *Group by* series to reduce the values to a single number. + This function must always be the last metric in the series. + For example, if the *Time Series* visualization shows 10 series, the sum *Series Agg* calculates + the sum of all 10 bars and outputs a single Y value per X value. This is often confused + with the overall sum function, which outputs a single Y value per unique series. ++ +*Math*:: + For each series, apply simple and advanced calculations. Only use *Math* for the last function in a series. . To display each group separately, select one of the following options from the *Group by* dropdown: @@ -82,7 +88,7 @@ To configure the value of each series, select the function, then configure the f * *Terms* — Displays the top values of the field. The color is only configurable in the *Time Series* chart. To configure, click *Options*, then select an option from the *Split color theme* dropdown. -. Click *Options*, then configure the inputs for the function. +. Click *Options*, then configure the inputs for the function. For example, to use a different field format, make a selection from the *Data formatter* dropdown. [float] [[configure-the-visualizations]] @@ -124,37 +130,9 @@ To change this behavior, click *Panel options*, then specify a URL in the *Item The *Markdown* visualization supports Markdown with Handlebar (mustache) syntax to insert dynamic data, and supports custom CSS. -[float] -[[tsvb-function-reference]] -==== TSVB function reference - -*TSVB* provides you with shortcuts for some frequently-used functions. - -*Filter Ratio*:: - Returns a percent value by calculating a metric on two sets of documents. - For example, calculate the error rate as a percentage of the overall events over time. - -*Counter Rate*:: - Used when dealing with monotonically increasing counters. Shortcut for *Max*, *Derivative*, and *Positive Only*. - -*Positive Only*:: - Removes any negative values from the results, which can be used as a post-processing step - after a derivative. - -*Series Agg*:: - Applies a function to all of the *Group by* series to reduce the values to a single number. - This function must always be the last metric in the series. - For example, if the *Time Series* visualization shows 10 series, the sum *Series Agg* calculates - the sum of all 10 bars and output a single Y value per X value. This is often confused - with the overall sum function, which outputs a single Y value per unique series. - -*Math*:: - The math context is able to do simple and advanced calculations per series. - This function must always be the last metric in the series. - [float] [[save-the-tsvb-panel]] -===== Save and add the panel +==== Save and add the panel Save the panel to the *Visualize Library* and add it to the dashboard, or add it to the dashboard without saving. From 3e3e9017f850d8f4f39d44fe733073f2120db022 Mon Sep 17 00:00:00 2001 From: Shahzad Date: Tue, 16 Nov 2021 19:17:21 +0100 Subject: [PATCH 06/12] [Exploratory view] Apply fix deep equality check (#118529) --- .../views/view_actions.test.tsx | 54 +++++++++++++++++++ .../exploratory_view/views/view_actions.tsx | 17 +++++- 2 files changed, 70 insertions(+), 1 deletion(-) diff --git a/x-pack/plugins/observability/public/components/shared/exploratory_view/views/view_actions.test.tsx b/x-pack/plugins/observability/public/components/shared/exploratory_view/views/view_actions.test.tsx index 934d8f7fdbfe..8f0180c6be4b 100644 --- a/x-pack/plugins/observability/public/components/shared/exploratory_view/views/view_actions.test.tsx +++ b/x-pack/plugins/observability/public/components/shared/exploratory_view/views/view_actions.test.tsx @@ -85,4 +85,58 @@ describe('ViewActions', () => { await assertApplyIsEnabled(); }); + it('apply button is disabled when no filter changes but different orders', async () => { + const allSeries: AllSeries = [ + { + seriesType: 'area', + breakdown: 'monitor.type', + filters: [ + { + values: ['spa-heartbeat', 'nyc-heartbeat', 'au-heartbeat'], + field: 'observer.geo.name', + }, + ], + time: { from: 'now-15m', to: 'now' }, + dataType: 'synthetics', + reportDefinitions: { 'monitor.name': [], 'url.full': ['ALL_VALUES'] }, + selectedMetricField: 'monitor.duration.us', + name: 'All monitors response duration', + }, + ]; + + const urlSeries: AllSeries = [ + { + seriesType: 'area', + breakdown: 'monitor.type', + filters: [ + { + field: 'observer.geo.name', + values: ['spa-heartbeat', 'nyc-heartbeat', 'au-heartbeat'], + notValues: undefined, + notWildcards: undefined, + }, + ], + time: { from: 'now-15m', to: 'now' }, + reportDefinitions: { 'monitor.name': [], 'url.full': ['ALL_VALUES'] }, + dataType: 'synthetics', + selectedMetricField: 'monitor.duration.us', + name: 'All monitors response duration', + }, + ]; + + mockSeriesStorage(allSeries, urlSeries); + + render(); + const applyBtn = screen.getByText(/Apply changes/i); + + const btnComponent = screen.getByTestId('seriesChangesApplyButton'); + + expect(btnComponent.classList).toContain('euiButton-isDisabled'); + + fireEvent.click(applyBtn); + + await waitFor(() => { + expect(applyChanges).toBeCalledTimes(0); + }); + }); }); diff --git a/x-pack/plugins/observability/public/components/shared/exploratory_view/views/view_actions.tsx b/x-pack/plugins/observability/public/components/shared/exploratory_view/views/view_actions.tsx index e85ce8ff40c6..2b9e8a26b0c2 100644 --- a/x-pack/plugins/observability/public/components/shared/exploratory_view/views/view_actions.tsx +++ b/x-pack/plugins/observability/public/components/shared/exploratory_view/views/view_actions.tsx @@ -10,11 +10,23 @@ import { EuiButton, EuiFlexGroup, EuiFlexItem } from '@elastic/eui'; import { i18n } from '@kbn/i18n'; import { isEqual, pickBy } from 'lodash'; import { allSeriesKey, convertAllShortSeries, useSeriesStorage } from '../hooks/use_series_storage'; +import { SeriesUrl } from '../types'; interface Props { onApply?: () => void; } +export function removeUndefinedEmptyValues(series: SeriesUrl) { + const resultSeries = removeUndefinedProps(series) as SeriesUrl; + Object.entries(resultSeries).forEach(([prop, value]) => { + if (typeof value === 'object') { + // @ts-expect-error + resultSeries[prop] = removeUndefinedEmptyValues(value); + } + }); + return resultSeries; +} + export function removeUndefinedProps(obj: T): Partial { return pickBy(obj, (value) => value !== undefined); } @@ -29,7 +41,10 @@ export function ViewActions({ onApply }: Props) { if (noChanges) { noChanges = !allSeries.some( (series, index) => - !isEqual(removeUndefinedProps(series), removeUndefinedProps(urlAllSeries[index])) + !isEqual( + removeUndefinedEmptyValues(series), + removeUndefinedEmptyValues(urlAllSeries[index]) + ) ); } From 16592f94f6ba453c9a7dd802040a1dc195ac3993 Mon Sep 17 00:00:00 2001 From: Vadim Yakhin Date: Tue, 16 Nov 2021 10:26:46 -0800 Subject: [PATCH 07/12] Remove getaslocaldatetimestring (#118105) * Revert "Fix bug where number rendered as date (#116224)" This reverts commit 8c6ef2054f7b3d8dfe4c042789a63badec269fec. * Remove the usage of getAsLocalDateTimeString * Remove test Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com> --- .../__mocks__/content_sources.mock.ts | 2 +- .../example_result_detail_card.test.tsx | 30 ------------------- .../example_result_detail_card.tsx | 7 +---- .../display_settings/result_detail.test.tsx | 5 +--- 4 files changed, 3 insertions(+), 41 deletions(-) diff --git a/x-pack/plugins/enterprise_search/public/applications/workplace_search/__mocks__/content_sources.mock.ts b/x-pack/plugins/enterprise_search/public/applications/workplace_search/__mocks__/content_sources.mock.ts index 7222edad5682..48cbf4ba00d8 100644 --- a/x-pack/plugins/enterprise_search/public/applications/workplace_search/__mocks__/content_sources.mock.ts +++ b/x-pack/plugins/enterprise_search/public/applications/workplace_search/__mocks__/content_sources.mock.ts @@ -376,7 +376,7 @@ export const exampleResult = { source: 'custom', }, ], - schemaFields: { cats: 'text', dogs: 'text' }, + schemaFields: {}, }; export const mostRecentIndexJob = { diff --git a/x-pack/plugins/enterprise_search/public/applications/workplace_search/views/content_sources/components/display_settings/example_result_detail_card.test.tsx b/x-pack/plugins/enterprise_search/public/applications/workplace_search/views/content_sources/components/display_settings/example_result_detail_card.test.tsx index eeb7f6b54f2c..82a421d85df0 100644 --- a/x-pack/plugins/enterprise_search/public/applications/workplace_search/views/content_sources/components/display_settings/example_result_detail_card.test.tsx +++ b/x-pack/plugins/enterprise_search/public/applications/workplace_search/views/content_sources/components/display_settings/example_result_detail_card.test.tsx @@ -14,8 +14,6 @@ import React from 'react'; import { shallow } from 'enzyme'; -import { EuiText } from '@elastic/eui'; - import { ExampleResultDetailCard } from './example_result_detail_card'; describe('ExampleResultDetailCard', () => { @@ -38,32 +36,4 @@ describe('ExampleResultDetailCard', () => { expect(wrapper.find('[data-test-subj="DefaultUrlLabel"]')).toHaveLength(1); }); - - it('shows formatted value when date can be parsed', () => { - const date = '2021-06-28'; - setMockValues({ - ...exampleResult, - searchResultConfig: { detailFields: [{ fieldName: 'date', label: 'Date' }] }, - exampleDocuments: [{ date }], - schemaFields: { date: 'date' }, - }); - const wrapper = shallow(); - - expect(wrapper.find(EuiText).children().text()).toContain( - new Date(Date.parse(date)).toLocaleString() - ); - }); - - it('shows non-formatted value when not a date field', () => { - const value = '9999'; - setMockValues({ - ...exampleResult, - searchResultConfig: { detailFields: [{ fieldName: 'value', label: 'Value' }] }, - exampleDocuments: [{ value }], - schemaFields: { value: 'text' }, - }); - const wrapper = shallow(); - - expect(wrapper.find(EuiText).children().text()).toContain(value); - }); }); diff --git a/x-pack/plugins/enterprise_search/public/applications/workplace_search/views/content_sources/components/display_settings/example_result_detail_card.tsx b/x-pack/plugins/enterprise_search/public/applications/workplace_search/views/content_sources/components/display_settings/example_result_detail_card.tsx index 734e370e4c53..4abe24c87bfc 100644 --- a/x-pack/plugins/enterprise_search/public/applications/workplace_search/views/content_sources/components/display_settings/example_result_detail_card.tsx +++ b/x-pack/plugins/enterprise_search/public/applications/workplace_search/views/content_sources/components/display_settings/example_result_detail_card.tsx @@ -12,9 +12,7 @@ import { useValues } from 'kea'; import { EuiFlexGroup, EuiFlexItem, EuiSpacer, EuiText, EuiTitle } from '@elastic/eui'; -import { SchemaType } from '../../../../../shared/schema/types'; import { URL_LABEL } from '../../../../constants'; -import { getAsLocalDateTimeString } from '../../../../utils'; import { CustomSourceIcon } from './custom_source_icon'; import { DisplaySettingsLogic } from './display_settings_logic'; @@ -27,7 +25,6 @@ export const ExampleResultDetailCard: React.FC = () => { titleFieldHover, urlFieldHover, exampleDocuments, - schemaFields, } = useValues(DisplaySettingsLogic); const result = exampleDocuments[0]; @@ -65,8 +62,6 @@ export const ExampleResultDetailCard: React.FC = () => { {detailFields.length > 0 ? ( detailFields.map(({ fieldName, label }, index) => { const value = result[fieldName]; - const fieldType = (schemaFields as { [key: string]: SchemaType })[fieldName]; - const dateValue = fieldType === SchemaType.Date && getAsLocalDateTimeString(value); return (
{

{label}

-
{dateValue || value}
+
{value}
); diff --git a/x-pack/plugins/enterprise_search/public/applications/workplace_search/views/content_sources/components/display_settings/result_detail.test.tsx b/x-pack/plugins/enterprise_search/public/applications/workplace_search/views/content_sources/components/display_settings/result_detail.test.tsx index bbc7460ea525..f400527c6c00 100644 --- a/x-pack/plugins/enterprise_search/public/applications/workplace_search/views/content_sources/components/display_settings/result_detail.test.tsx +++ b/x-pack/plugins/enterprise_search/public/applications/workplace_search/views/content_sources/components/display_settings/result_detail.test.tsx @@ -47,7 +47,7 @@ import { ExampleResultDetailCard } from './example_result_detail_card'; import { ResultDetail } from './result_detail'; describe('ResultDetail', () => { - const { searchResultConfig, exampleDocuments, schemaFields } = exampleResult; + const { searchResultConfig, exampleDocuments } = exampleResult; const availableFieldOptions = [ { value: 'foo', @@ -70,7 +70,6 @@ describe('ResultDetail', () => { searchResultConfig, availableFieldOptions, exampleDocuments, - schemaFields, }); }); @@ -95,7 +94,6 @@ describe('ResultDetail', () => { }, availableFieldOptions, exampleDocuments, - schemaFields, }); const wrapper = shallow(); @@ -124,7 +122,6 @@ describe('ResultDetail', () => { }, availableFieldOptions, exampleDocuments, - schemaFields, }); const wrapper = mount(); From 130c604c121b13f4a56fae129ee4d9b61e4258a5 Mon Sep 17 00:00:00 2001 From: Oliver Gupte Date: Tue, 16 Nov 2021 13:33:31 -0500 Subject: [PATCH 08/12] [APM] Fixes tutorial links to correct APM integration version (#118732) (#118733) --- x-pack/plugins/apm/public/tutorial/config_agent/index.tsx | 5 +++-- .../public/tutorial/tutorial_fleet_instructions/index.tsx | 3 ++- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/x-pack/plugins/apm/public/tutorial/config_agent/index.tsx b/x-pack/plugins/apm/public/tutorial/config_agent/index.tsx index bce16ae6ef1f..8e8bf5cf3213 100644 --- a/x-pack/plugins/apm/public/tutorial/config_agent/index.tsx +++ b/x-pack/plugins/apm/public/tutorial/config_agent/index.tsx @@ -9,7 +9,8 @@ import { i18n } from '@kbn/i18n'; import { HttpStart } from 'kibana/public'; import React, { useEffect, useMemo, useState } from 'react'; import styled from 'styled-components'; -import { APIReturnType } from '../..//services/rest/createCallApmApi'; +import { SUPPORTED_APM_PACKAGE_VERSION } from '../../../common/fleet'; +import { APIReturnType } from '../../services/rest/createCallApmApi'; import { getCommands } from './commands/get_commands'; import { getPolicyOptions, PolicyOption } from './get_policy_options'; import { PolicySelector } from './policy_selector'; @@ -65,7 +66,7 @@ function getFleetLink({ } : { label: GET_STARTED_WITH_FLEET_LABEL, - href: `${basePath}/app/integrations#/detail/apm-0.4.0/overview`, + href: `${basePath}/app/integrations#/detail/apm-${SUPPORTED_APM_PACKAGE_VERSION}/overview`, }; } diff --git a/x-pack/plugins/apm/public/tutorial/tutorial_fleet_instructions/index.tsx b/x-pack/plugins/apm/public/tutorial/tutorial_fleet_instructions/index.tsx index 7df52b20376b..099d737affec 100644 --- a/x-pack/plugins/apm/public/tutorial/tutorial_fleet_instructions/index.tsx +++ b/x-pack/plugins/apm/public/tutorial/tutorial_fleet_instructions/index.tsx @@ -19,6 +19,7 @@ import { i18n } from '@kbn/i18n'; import { HttpStart } from 'kibana/public'; import React, { useEffect, useState } from 'react'; import styled from 'styled-components'; +import { SUPPORTED_APM_PACKAGE_VERSION } from '../../../common/fleet'; import { APIReturnType } from '../../services/rest/createCallApmApi'; interface Props { @@ -98,7 +99,7 @@ function TutorialFleetInstructions({ http, basePath, isDarkTheme }: Props) { {i18n.translate( 'xpack.apm.tutorial.apmServer.fleet.apmIntegration.button', From 83917e36c2fb39609cb0cc64e18ad14cb8cd3f18 Mon Sep 17 00:00:00 2001 From: Justin Kambic Date: Tue, 16 Nov 2021 13:36:09 -0500 Subject: [PATCH 09/12] [Exploratory View] Disable form row for super select (#118093) * Disable form row for super select. The super select seems not to receive focus when clicking the form row, even when it's enabled. * Improve report selection accessibility. * Implement style change from PR feedback. * Prepend label instead of expanding header size. Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com> --- .../series_editor/columns/report_type_select.tsx | 8 +++++++- .../series_editor/series_editor.tsx | 15 +++++++++++++-- 2 files changed, 20 insertions(+), 3 deletions(-) diff --git a/x-pack/plugins/observability/public/components/shared/exploratory_view/series_editor/columns/report_type_select.tsx b/x-pack/plugins/observability/public/components/shared/exploratory_view/series_editor/columns/report_type_select.tsx index 31a8c7cb7bfa..ddabdf83323c 100644 --- a/x-pack/plugins/observability/public/components/shared/exploratory_view/series_editor/columns/report_type_select.tsx +++ b/x-pack/plugins/observability/public/components/shared/exploratory_view/series_editor/columns/report_type_select.tsx @@ -35,7 +35,11 @@ export const reportTypesList: Array<{ { reportType: 'device-data-distribution', label: DEVICE_DISTRIBUTION_LABEL }, ]; -export function ReportTypesSelect() { +interface Props { + prepend: string; +} + +export function ReportTypesSelect({ prepend }: Props) { const { setReportType, reportType: selectedReportType, allSeries } = useSeriesStorage(); const onReportTypeChange = (reportType: ReportViewType) => { @@ -52,12 +56,14 @@ export function ReportTypesSelect() { return ( onReportTypeChange(value as ReportViewType)} style={{ minWidth: 200 }} isInvalid={!selectedReportType && allSeries.length > 0} disabled={allSeries.length > 0} + prepend={prepend} /> ); } diff --git a/x-pack/plugins/observability/public/components/shared/exploratory_view/series_editor/series_editor.tsx b/x-pack/plugins/observability/public/components/shared/exploratory_view/series_editor/series_editor.tsx index 4d77c04fc780..0402dcc4d990 100644 --- a/x-pack/plugins/observability/public/components/shared/exploratory_view/series_editor/series_editor.tsx +++ b/x-pack/plugins/observability/public/components/shared/exploratory_view/series_editor/series_editor.tsx @@ -118,8 +118,12 @@ export const SeriesEditor = React.memo(function () {
- - + + @@ -205,3 +209,10 @@ export const REPORT_TYPE_LABEL = i18n.translate( defaultMessage: 'Report type', } ); + +export const REPORT_TYPE_ARIA_LABEL = i18n.translate( + 'xpack.observability.expView.seriesBuilder.reportType.aria', + { + defaultMessage: 'This select allows you to choose the type of report you wish to create', + } +); From 9aaee3c6de433b5d03ce1f87fe1793beb5d486b3 Mon Sep 17 00:00:00 2001 From: Justin Ibarra Date: Tue, 16 Nov 2021 09:58:55 -0900 Subject: [PATCH 10/12] [Detection Rules] Add 7.16 rules (#118657) --- ...ion_email_powershell_exchange_mailbox.json | 4 +- .../collection_posh_audio_capture.json | 70 ++ ...d_control_remote_file_copy_powershell.json | 4 +- ..._full_network_packet_capture_detected.json | 53 ++ .../credential_access_posh_minidump.json | 81 ++ ...asion_azure_blob_permissions_modified.json | 52 ++ ...e_evasion_clearing_windows_event_logs.json | 4 +- ...ion_defender_exclusion_via_powershell.json | 4 +- ...disabling_windows_defender_powershell.json | 4 +- ...efense_evasion_dns_over_https_enabled.json | 50 ++ ...n_execution_msbuild_started_by_script.json | 4 +- ...nse_evasion_kubernetes_events_deleted.json | 60 ++ ...isc_lolbin_connecting_to_the_internet.json | 4 +- ...picious_process_access_direct_syscall.json | 49 ++ ...evasion_suspicious_zoom_child_process.json | 4 +- ...scovery_posh_suspicious_api_functions.json | 90 ++ .../execution_posh_portable_executable.json | 52 ++ ...tion_scheduled_task_powershell_source.json | 4 +- .../execution_via_compiled_html_file.json | 4 +- .../exfiltration_rds_snapshot_export.json | 4 +- .../exfiltration_rds_snapshot_restored.json | 47 ++ ..._eventbridge_rule_disabled_or_deleted.json | 48 ++ ...mpact_efs_filesystem_or_mount_deleted.json | 55 ++ .../impact_hosts_file_modified.json | 6 +- .../impact_kubernetes_pod_deleted.json | 47 ++ ...mpact_virtual_network_device_modified.json | 47 ++ ...e_shadow_copy_deletion_via_powershell.json | 4 +- .../rules/prepackaged_rules/index.ts | 796 +++++++++--------- ...ious_ms_exchange_worker_child_process.json | 4 +- ...istence_local_scheduled_task_creation.json | 4 +- ...stence_local_scheduled_task_scripting.json | 4 +- ...ll_exch_mailbox_activesync_add_device.json | 4 +- ..._53_hosted_zone_associated_with_a_vpc.json | 54 ++ .../persistence_route_table_created.json | 51 ++ ...ersistence_system_shells_via_services.json | 4 +- .../persistence_webshell_detection.json | 4 +- ...calation_aws_suspicious_saml_activity.json | 76 ++ ...netes_rolebindings_created_or_patched.json | 47 ++ ...ilege_escalation_sts_assumerole_usage.json | 74 ++ .../threat_intel_module_match.json | 6 +- 40 files changed, 1562 insertions(+), 421 deletions(-) create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_posh_audio_capture.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_azure_full_network_packet_capture_detected.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_posh_minidump.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_azure_blob_permissions_modified.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_dns_over_https_enabled.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_kubernetes_events_deleted.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_suspicious_process_access_direct_syscall.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_posh_suspicious_api_functions.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_posh_portable_executable.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/exfiltration_rds_snapshot_restored.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_aws_eventbridge_rule_disabled_or_deleted.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_efs_filesystem_or_mount_deleted.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_kubernetes_pod_deleted.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_virtual_network_device_modified.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_route_53_hosted_zone_associated_with_a_vpc.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_route_table_created.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_aws_suspicious_saml_activity.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_sts_assumerole_usage.json diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_email_powershell_exchange_mailbox.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_email_powershell_exchange_mailbox.json index 6e2073bbb82b..627cbfa77741 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_email_powershell_exchange_mailbox.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_email_powershell_exchange_mailbox.json @@ -15,7 +15,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Exporting Exchange Mailbox via PowerShell", - "query": "process where event.type in (\"start\", \"process_started\") and\n process.name: (\"powershell.exe\", \"pwsh.exe\") and process.args : \"New-MailboxExportRequest*\"\n", + "query": "process where event.type in (\"start\", \"process_started\") and\n process.name: (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and process.args : \"New-MailboxExportRequest*\"\n", "references": [ "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/", "https://docs.microsoft.com/en-us/powershell/module/exchange/new-mailboxexportrequest?view=exchange-ps" @@ -61,5 +61,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 5 + "version": 6 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_posh_audio_capture.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_posh_audio_capture.json new file mode 100644 index 000000000000..9aad786eb459 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_posh_audio_capture.json @@ -0,0 +1,70 @@ +{ + "author": [ + "Elastic" + ], + "description": "Detects PowerShell Scripts that can record audio, a common feature in popular post-exploitation tooling.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "PowerShell Suspicious Script with Audio Capture Capabilities", + "query": "event.code:\"4104\" and \n powershell.file.script_block_text : (\n Get-MicrophoneAudio or (waveInGetNumDevs and mciSendStringA)\n )\n", + "references": [ + "https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-MicrophoneAudio.ps1" + ], + "risk_score": 47, + "rule_id": "2f2f4939-0b34-40c2-a0a3-844eb7889f43", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Collection" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0009", + "name": "Collection", + "reference": "https://attack.mitre.org/tactics/TA0009/" + }, + "technique": [ + { + "id": "T1123", + "name": "Audio Capture", + "reference": "https://attack.mitre.org/techniques/T1123/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_remote_file_copy_powershell.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_remote_file_copy_powershell.json index 45d61878990a..3ffd0391df86 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_remote_file_copy_powershell.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_remote_file_copy_powershell.json @@ -12,7 +12,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Remote File Download via PowerShell", - "query": "sequence by host.id, process.entity_id with maxspan=30s\n [network where process.name : \"powershell.exe\" and network.protocol == \"dns\" and\n not dns.question.name : (\"localhost\", \"*.microsoft.com\", \"*.azureedge.net\", \"*.powershellgallery.com\", \"*.windowsupdate.com\", \"metadata.google.internal\") and \n not user.domain : \"NT AUTHORITY\"]\n [file where process.name : \"powershell.exe\" and event.type == \"creation\" and file.extension : (\"exe\", \"dll\", \"ps1\", \"bat\") and \n not file.name : \"__PSScriptPolicy*.ps1\"]\n", + "query": "sequence by host.id, process.entity_id with maxspan=30s\n [network where process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and network.protocol == \"dns\" and\n not dns.question.name : (\"localhost\", \"*.microsoft.com\", \"*.azureedge.net\", \"*.powershellgallery.com\", \"*.windowsupdate.com\", \"metadata.google.internal\") and \n not user.domain : \"NT AUTHORITY\"]\n [file where process.name : \"powershell.exe\" and event.type == \"creation\" and file.extension : (\"exe\", \"dll\", \"ps1\", \"bat\") and \n not file.name : \"__PSScriptPolicy*.ps1\"]\n", "risk_score": 47, "rule_id": "33f306e8-417c-411b-965c-c2812d6d3f4d", "severity": "medium", @@ -63,5 +63,5 @@ } ], "type": "eql", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_azure_full_network_packet_capture_detected.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_azure_full_network_packet_capture_detected.json new file mode 100644 index 000000000000..110345fd316b --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_azure_full_network_packet_capture_detected.json @@ -0,0 +1,53 @@ +{ + "author": [ + "Austin Songer" + ], + "description": "Identifies potential full network packet capture in Azure. Packet Capture is an Azure Network Watcher feature that can be used to inspect network traffic. This feature can potentially be abused to read sensitive data from unencrypted internal traffic.", + "false_positives": [ + "Full Network Packet Capture may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Full Network Packet Capture from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-azure*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Azure Full Network Packet Capture Detected", + "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\n (\n \"MICROSOFT.NETWORK/*/STARTPACKETCAPTURE/ACTION\" or\n \"MICROSOFT.NETWORK/*/VPNCONNECTIONS/STARTPACKETCAPTURE/ACTION\" or\n \"MICROSOFT.NETWORK/*/PACKETCAPTURES/WRITE\"\n ) and \nevent.outcome:(Success or success)\n", + "references": [ + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations" + ], + "risk_score": 47, + "rule_id": "3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Azure", + "Continuous Monitoring", + "SecOps", + "Monitoring" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1040", + "name": "Network Sniffing", + "reference": "https://attack.mitre.org/techniques/T1040/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_posh_minidump.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_posh_minidump.json new file mode 100644 index 000000000000..f0ef3e493a41 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_posh_minidump.json @@ -0,0 +1,81 @@ +{ + "author": [ + "Elastic" + ], + "description": "This rule detects PowerShell scripts that have capabilities to dump process memory using WindowsErrorReporting or Dbghelp.dll MiniDumpWriteDump. Attackers can use this tooling to dump LSASS and get access to credentials.", + "false_positives": [ + "Powershell Scripts that use this capability for troubleshooting." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "PowerShell MiniDump Script", + "query": "event.code:\"4104\" and powershell.file.script_block_text:(MiniDumpWriteDump or MiniDumpWithFullMemory or pmuDetirWpmuDiniM)\n", + "references": [ + "https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Out-Minidump.ps1", + "https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Get-ProcessMiniDump.ps1" + ], + "risk_score": 73, + "rule_id": "577ec21e-56fe-4065-91d8-45eb8224fe77", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.001", + "name": "LSASS Memory", + "reference": "https://attack.mitre.org/techniques/T1003/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_azure_blob_permissions_modified.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_azure_blob_permissions_modified.json new file mode 100644 index 000000000000..2b299df06266 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_azure_blob_permissions_modified.json @@ -0,0 +1,52 @@ +{ + "author": [ + "Austin Songer" + ], + "description": "Identifies when the Azure role-based access control (Azure RBAC) permissions are modified for an Azure Blob. An adversary may modify the permissions on a blob to weaken their target's security controls or an administrator may inadvertently modify the permissions, which could lead to data exposure or loss.", + "false_positives": [ + "Blob permissions may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "index": [ + "filebeat-*", + "logs-azure*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Azure Blob Permissions Modification", + "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:(\n \"MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/BLOBS/MANAGEOWNERSHIP/ACTION\" or\n \"MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/BLOBS/MODIFYPERMISSIONS/ACTION\") and \n event.outcome:(Success or success)\n", + "references": [ + "https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles" + ], + "risk_score": 47, + "rule_id": "d79c4b2a-6134-4edd-86e6-564a92a933f9", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Azure", + "Continuous Monitoring", + "SecOps", + "Identity and Access" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1222", + "name": "File and Directory Permissions Modification", + "reference": "https://attack.mitre.org/techniques/T1222/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_clearing_windows_event_logs.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_clearing_windows_event_logs.json index 2759055b0fe5..43e4ae918211 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_clearing_windows_event_logs.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_clearing_windows_event_logs.json @@ -12,7 +12,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Clearing Windows Event Logs", - "query": "process where event.type in (\"process_started\", \"start\") and\n (process.name : \"wevtutil.exe\" or process.pe.original_file_name == \"wevtutil.exe\") and\n process.args : (\"/e:false\", \"cl\", \"clear-log\") or\n process.name : \"powershell.exe\" and process.args : \"Clear-EventLog\"\n", + "query": "process where event.type in (\"process_started\", \"start\") and\n (process.name : \"wevtutil.exe\" or process.pe.original_file_name == \"wevtutil.exe\") and\n process.args : (\"/e:false\", \"cl\", \"clear-log\") or\n process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and process.args : \"Clear-EventLog\"\n", "risk_score": 21, "rule_id": "d331bbe2-6db4-4941-80a5-8270db72eb61", "severity": "low", @@ -49,5 +49,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 10 + "version": 11 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_defender_exclusion_via_powershell.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_defender_exclusion_via_powershell.json index 716040d337c1..5e05108d7b85 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_defender_exclusion_via_powershell.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_defender_exclusion_via_powershell.json @@ -13,7 +13,7 @@ "license": "Elastic License v2", "name": "Windows Defender Exclusions Added via PowerShell", "note": "## Triage and analysis\n\n### Investigating Windows Defender Exclusions\n\nMicrosoft Windows Defender is an anti-virus product built-in within Microsoft Windows. Since this software product is\nused to prevent and stop malware, it's important to monitor what specific exclusions are made to the product's configuration\nsettings. These can often be signs of an adversary or malware trying to bypass Windows Defender's capabilities. One of the more\nnotable [examples](https://www.cyberbit.com/blog/endpoint-security/latest-trickbot-variant-has-new-tricks-up-its-sleeve/) was observed in 2018 where Trickbot incorporated mechanisms to disable Windows Defense to avoid detection.\n\n#### Possible investigation steps:\n- With this specific rule, it's completely possible to trigger detections on network administrative activity or benign users\nusing scripting and PowerShell to configure the different exclusions for Windows Defender. Therefore, it's important to\nidentify the source of the activity first and determine if there is any mal-intent behind the events.\n- The actual exclusion such as the process, the file or directory should be reviewed in order to determine the original\nintent behind the exclusion. Is the excluded file or process malicious in nature or is it related to software that needs\nto be legitimately whitelisted from Windows Defender?\n\n### False Positive Analysis\n- This rule has a higher chance to produce false positives based on the nature around configuring exclusions by possibly\na network administrator. In order to validate the activity further, review the specific exclusion made and determine based\non the exclusion of the original intent behind the exclusion. There are often many legitimate reasons why exclusions are made\nwith Windows Defender so it's important to gain context around the exclusion.\n\n### Related Rules\n- Windows Defender Disabled via Registry Modification\n- Disabling Windows Defender Security Settings via PowerShell\n\n### Response and Remediation\n- Since this is related to post-exploitation activity, immediate response should be taken to review, investigate and\npotentially isolate further activity\n- If further analysis showed malicious intent was behind the Defender exclusions, administrators should remove\nthe exclusion and ensure antimalware capability has not been disabled or deleted\n- Exclusion lists for antimalware capabilities should always be routinely monitored for review\n", - "query": "process where event.type == \"start\" and\n (process.name : (\"powershell.exe\", \"pwsh.exe\") or process.pe.original_file_name : (\"powershell.exe\", \"pwsh.exe\")) and\n process.args : (\"*Add-MpPreference*-Exclusion*\", \"*Set-MpPreference*-Exclusion*\")\n", + "query": "process where event.type == \"start\" and\n (process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or process.pe.original_file_name in (\"powershell.exe\", \"pwsh.dll\", \"powershell_ise.exe\")) and\n process.args : (\"*Add-MpPreference*-Exclusion*\", \"*Set-MpPreference*-Exclusion*\")\n", "references": [ "https://www.bitdefender.com/files/News/CaseStudies/study/400/Bitdefender-PR-Whitepaper-MosaicLoader-creat5540-en-EN.pdf" ], @@ -80,5 +80,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 3 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_disabling_windows_defender_powershell.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_disabling_windows_defender_powershell.json index 0222561c624a..b59d6f18370c 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_disabling_windows_defender_powershell.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_disabling_windows_defender_powershell.json @@ -15,7 +15,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Disabling Windows Defender Security Settings via PowerShell", - "query": "process where event.type == \"start\" and\n (process.name : (\"powershell.exe\", \"pwsh.exe\") or process.pe.original_file_name == \"PowerShell.EXE\") and\n process.args : \"Set-MpPreference\" and process.args : (\"-Disable*\", \"Disabled\", \"NeverSend\", \"-Exclusion*\")\n", + "query": "process where event.type == \"start\" and\n (process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or process.pe.original_file_name in (\"powershell.exe\", \"pwsh.dll\", \"powershell_ise.exe\")) and\n process.args : \"Set-MpPreference\" and process.args : (\"-Disable*\", \"Disabled\", \"NeverSend\", \"-Exclusion*\")\n", "references": [ "https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2019-ps" ], @@ -55,5 +55,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 1 + "version": 2 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_dns_over_https_enabled.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_dns_over_https_enabled.json new file mode 100644 index 000000000000..2183daf7dc1f --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_dns_over_https_enabled.json @@ -0,0 +1,50 @@ +{ + "author": [ + "Austin Songer" + ], + "description": "Identifies when a user enables DNS-over-HTTPS. This can be used to hide internet activity or be used to hide the process of exfiltrating data. With this enabled organization will lose visibility into data such as query type, response and originating IP that are used to determine bad actors.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "DNS-over-HTTPS Enabled via Registry", + "query": "registry where event.type in (\"creation\", \"change\") and\n (registry.path : \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Edge\\\\BuiltInDnsClientEnabled\" and\n registry.data.strings : \"1\") or\n (registry.path : \"*\\\\SOFTWARE\\\\Google\\\\Chrome\\\\DnsOverHttpsMode\" and\n registry.data.strings : \"secure\") or\n (registry.path : \"*\\\\SOFTWARE\\\\Policies\\\\Mozilla\\\\Firefox\\\\DNSOverHTTPS\" and\n registry.data.strings : \"1\")\n", + "references": [ + "https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html", + "https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode" + ], + "risk_score": 21, + "rule_id": "a22a09c2-2162-4df0-a356-9aacbeb56a04", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_msbuild_started_by_script.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_msbuild_started_by_script.json index 60b2a8f50c3f..ab74d4a99f6c 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_msbuild_started_by_script.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_msbuild_started_by_script.json @@ -15,7 +15,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Microsoft Build Engine Started by a Script Process", - "query": "process where event.type == \"start\" and\n (process.name : \"MSBuild.exe\" or process.pe.original_file_name == \"MSBuild.exe\") and\n process.parent.name : (\"cmd.exe\", \"powershell.exe\", \"cscript.exe\", \"wscript.exe\", \"mshta.exe\")\n", + "query": "process where event.type == \"start\" and\n (process.name : \"MSBuild.exe\" or process.pe.original_file_name == \"MSBuild.exe\") and\n process.parent.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\", \"cscript.exe\", \"wscript.exe\", \"mshta.exe\")\n", "risk_score": 21, "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2", "severity": "low", @@ -61,5 +61,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 9 + "version": 10 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_kubernetes_events_deleted.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_kubernetes_events_deleted.json new file mode 100644 index 000000000000..f31648a9bd5c --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_kubernetes_events_deleted.json @@ -0,0 +1,60 @@ +{ + "author": [ + "Austin Songer" + ], + "description": "Identifies when Events are deleted in Azure Kubernetes. Kubernetes events are objects that log any state changes. Example events are a container creation, an image pull, or a pod scheduling on a node. An adversary may delete events in Azure Kubernetes in an attempt to evade detection.", + "false_positives": [ + "Events deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Events deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-azure*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Azure Kubernetes Events Deleted", + "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE\" and \nevent.outcome:(Success or success)\n", + "references": [ + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes" + ], + "risk_score": 47, + "rule_id": "8b64d36a-1307-4b2e-a77b-a0027e4d27c8", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Azure", + "Continuous Monitoring", + "SecOps", + "Log Auditing" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_misc_lolbin_connecting_to_the_internet.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_misc_lolbin_connecting_to_the_internet.json index 5f45aa836ddf..9e8519cb576e 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_misc_lolbin_connecting_to_the_internet.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_misc_lolbin_connecting_to_the_internet.json @@ -12,7 +12,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Network Connection via Signed Binary", - "query": "sequence by process.entity_id\n [process where (process.name : \"expand.exe\" or process.name : \"extrac.exe\" or\n process.name : \"ieexec.exe\" or process.name : \"makecab.exe\") and\n event.type == \"start\"]\n [network where (process.name : \"expand.exe\" or process.name : \"extrac.exe\" or\n process.name : \"ieexec.exe\" or process.name : \"makecab.exe\") and\n not cidrmatch(destination.ip,\n \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\", \"192.0.0.0/29\", \"192.0.0.8/32\",\n \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\",\n \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\", \"FE80::/10\", \"FF00::/8\")]\n", + "query": "sequence by process.entity_id\n [process where (process.name : \"expand.exe\" or process.name : \"extrac32.exe\" or\n process.name : \"ieexec.exe\" or process.name : \"makecab.exe\") and\n event.type == \"start\"]\n [network where (process.name : \"expand.exe\" or process.name : \"extrac32.exe\" or\n process.name : \"ieexec.exe\" or process.name : \"makecab.exe\") and\n not cidrmatch(destination.ip,\n \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\", \"192.0.0.0/29\", \"192.0.0.8/32\",\n \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\",\n \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\", \"FE80::/10\", \"FF00::/8\")]\n", "references": [ "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" ], @@ -53,5 +53,5 @@ } ], "type": "eql", - "version": 8 + "version": 9 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_suspicious_process_access_direct_syscall.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_suspicious_process_access_direct_syscall.json new file mode 100644 index 000000000000..a3da88721574 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_suspicious_process_access_direct_syscall.json @@ -0,0 +1,49 @@ +{ + "author": [ + "Elastic" + ], + "description": "Identifies suspicious process access events from unknown memory region. Endpoint security solutions usually hook userland Windows APIs in order to decide if the code that is being executed is malicious or not. It's possible to bypass hooked functions by writing malicious functions that call syscalls directly.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Process Access via Direct System Call", + "query": "process where event.code == \"10\" and\n length(winlog.event_data.CallTrace) > 0 and\n \n /* Sysmon CallTrace starting with unknown memory module instead of ntdll which host Windows NT Syscalls */\n not winlog.event_data.CallTrace : (\"?:\\\\WINDOWS\\\\SYSTEM32\\\\ntdll.dll*\", \"?:\\\\WINDOWS\\\\SysWOW64\\\\ntdll.dll*\")\n", + "references": [ + "https://twitter.com/SBousseaden/status/1278013896440324096", + "https://www.ired.team/offensive-security/defense-evasion/using-syscalls-directly-from-visual-studio-to-bypass-avs-edrs" + ], + "risk_score": 73, + "rule_id": "2dd480be-1263-4d9c-8672-172928f6789a", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1055", + "name": "Process Injection", + "reference": "https://attack.mitre.org/techniques/T1055/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_suspicious_zoom_child_process.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_suspicious_zoom_child_process.json index 9905feceb681..b1caf3a67765 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_suspicious_zoom_child_process.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_suspicious_zoom_child_process.json @@ -12,7 +12,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Suspicious Zoom Child Process", - "query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n process.parent.name : \"Zoom.exe\" and process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\")\n", + "query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n process.parent.name : \"Zoom.exe\" and process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\")\n", "risk_score": 47, "rule_id": "97aba1ef-6034-4bd3-8c1a-1e0996b27afa", "severity": "medium", @@ -47,5 +47,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 4 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_posh_suspicious_api_functions.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_posh_suspicious_api_functions.json new file mode 100644 index 000000000000..a1a60acd191b --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_posh_suspicious_api_functions.json @@ -0,0 +1,90 @@ +{ + "author": [ + "Elastic" + ], + "description": "This rule detects the use of discovery-related Windows API Functions in Powershell Scripts. Attackers can use these functions to perform various situational awareness related activities, like enumerating users, shares, sessions, domain trusts, groups, etc.,", + "false_positives": [ + "Legitimate Powershell Scripts that make use of these Functions" + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "PowerShell Suspicious Discovery Related Windows API Functions", + "query": "event.code:\"4104\" and \n powershell.file.script_block_text : (\n NetShareEnum or\n NetWkstaUserEnum or\n NetSessionEnum or\n NetLocalGroupEnum or\n NetLocalGroupGetMembers or\n DsGetSiteName or\n DsEnumerateDomainTrusts or\n WTSEnumerateSessionsEx or\n WTSQuerySessionInformation or\n LsaGetLogonSessionData or\n QueryServiceObjectSecurity\n )\n", + "references": [ + "https://github.com/BC-SECURITY/Empire/blob/9259e5106986847d2bb770c4289c0c0f1adf2344/data/module_source/situational_awareness/network/powerview.ps1#L21413" + ], + "risk_score": 47, + "rule_id": "61ac3638-40a3-44b2-855a-985636ca985e", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Discovery" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1135", + "name": "Network Share Discovery", + "reference": "https://attack.mitre.org/techniques/T1135/" + }, + { + "id": "T1069", + "name": "Permission Groups Discovery", + "reference": "https://attack.mitre.org/techniques/T1069/", + "subtechnique": [ + { + "id": "T1069.001", + "name": "Local Groups", + "reference": "https://attack.mitre.org/techniques/T1069/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + }, + { + "id": "T1106", + "name": "Native API", + "reference": "https://attack.mitre.org/techniques/T1106/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_posh_portable_executable.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_posh_portable_executable.json new file mode 100644 index 000000000000..e247f26a8f5a --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_posh_portable_executable.json @@ -0,0 +1,52 @@ +{ + "author": [ + "Elastic" + ], + "description": "This rule detects the presence of Portable Executables in a PowerShell Script by Looking for its encoded header. Attackers embed PEs into PowerShell Scripts for Injecting them into the memory, avoiding defenses by not writing to disk.,", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Suspicious Portable Executable Encoded in Powershell Script", + "query": "event.code:\"4104\" and \n powershell.file.script_block_text : (\n TVqQAAMAAAAEAAAA\n )\n", + "risk_score": 47, + "rule_id": "ad84d445-b1ce-4377-82d9-7c633f28bf9a", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Execution" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_scheduled_task_powershell_source.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_scheduled_task_powershell_source.json index 3814b0032141..84fd67fa7e03 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_scheduled_task_powershell_source.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_scheduled_task_powershell_source.json @@ -15,7 +15,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Outbound Scheduled Task Activity via PowerShell", - "query": "sequence by host.id, process.entity_id with maxspan = 5s\n [library where dll.name : \"taskschd.dll\" and process.name : (\"powershell.exe\", \"pwsh.exe\")]\n [network where process.name : (\"powershell.exe\", \"pwsh.exe\") and destination.port == 135 and not destination.address in (\"127.0.0.1\", \"::1\")]\n", + "query": "sequence by host.id, process.entity_id with maxspan = 5s\n [library where dll.name : \"taskschd.dll\" and process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\")]\n [network where process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and destination.port == 135 and not destination.address in (\"127.0.0.1\", \"::1\")]\n", "references": [ "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/" ], @@ -54,5 +54,5 @@ } ], "type": "eql", - "version": 3 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_via_compiled_html_file.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_via_compiled_html_file.json index 73c796c4e206..a8d42d4a93b7 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_via_compiled_html_file.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_via_compiled_html_file.json @@ -15,7 +15,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Process Activity via Compiled HTML File", - "query": "process where event.type in (\"start\", \"process_started\") and \n process.parent.name : \"hh.exe\" and \n process.name : (\"mshta.exe\", \"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"cscript.exe\", \"wscript.exe\")\n", + "query": "process where event.type in (\"start\", \"process_started\") and \n process.parent.name : \"hh.exe\" and \n process.name : (\"mshta.exe\", \"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\", \"cscript.exe\", \"wscript.exe\")\n", "risk_score": 47, "rule_id": "e3343ab9-4245-4715-b344-e11c56b0a47f", "severity": "medium", @@ -74,5 +74,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 9 + "version": 10 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/exfiltration_rds_snapshot_export.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/exfiltration_rds_snapshot_export.json index b59adc45b423..0048aae78e28 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/exfiltration_rds_snapshot_export.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/exfiltration_rds_snapshot_export.json @@ -22,7 +22,7 @@ "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_StartExportTask.html" ], "risk_score": 21, - "rule_id": "119c8877-8613-416d-a98a-96b6664ee73a5", + "rule_id": "119c8877-8613-416d-a98a-96b6664ee73a", "severity": "low", "tags": [ "Elastic", @@ -45,5 +45,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 2 + "version": 1 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/exfiltration_rds_snapshot_restored.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/exfiltration_rds_snapshot_restored.json new file mode 100644 index 000000000000..860cbe82eb20 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/exfiltration_rds_snapshot_restored.json @@ -0,0 +1,47 @@ +{ + "author": [ + "Austin Songer" + ], + "description": "Identifies when an attempt was made to restored RDS Snapshot. Snapshots are sometimes shared by threat actors in order to exfiltrate bulk data. If the permissions were modified, verify if the snapshot was shared with an unauthorized or unexpected AWS account.", + "false_positives": [ + "Restoring snapshots may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Snapshot restoration from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "index": [ + "filebeat-*", + "logs-aws*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS RDS Snapshot Restored", + "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:RestoreDBInstanceFromDBSnapshot and\nevent.outcome:success\n", + "references": [ + "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_RestoreDBInstanceFromDBSnapshot.html", + "https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/rds__explore_snapshots/main.py" + ], + "risk_score": 47, + "rule_id": "bf1073bf-ce26-4607-b405-ba1ed8e9e204", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "AWS", + "Continuous Monitoring", + "SecOps", + "Asset Visibility" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0010/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_aws_eventbridge_rule_disabled_or_deleted.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_aws_eventbridge_rule_disabled_or_deleted.json new file mode 100644 index 000000000000..b215ed36aba4 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_aws_eventbridge_rule_disabled_or_deleted.json @@ -0,0 +1,48 @@ +{ + "author": [ + "Austin Songer" + ], + "description": "Identifies when a user disabled or deleted an EventBridge rule. This activity can result in an unintended loss of visibility in applications or breaking the flow with other AWS services.", + "false_positives": [ + "EventBridge Rules could be deleted or disabled by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. EventBridge Rules being deleted or disabled from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-20m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS EventBridge Rule Disabled or Deleted", + "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "query": "event.dataset:aws.cloudtrail and event.provider:eventbridge.amazonaws.com and event.action:(DeleteRule or DisableRule) and \nevent.outcome:success\n", + "references": [ + "https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DeleteRule.html", + "https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DisableRule.html" + ], + "risk_score": 21, + "rule_id": "87594192-4539-4bc4-8543-23bc3d5bd2b4", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "AWS", + "Continuous Monitoring", + "SecOps", + "Monitoring" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_efs_filesystem_or_mount_deleted.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_efs_filesystem_or_mount_deleted.json new file mode 100644 index 000000000000..52fadfdf8ee1 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_efs_filesystem_or_mount_deleted.json @@ -0,0 +1,55 @@ +{ + "author": [ + "Austin Songer" + ], + "description": "Detects when a EFS File System or Mount is deleted. An adversary could break any file system using the mount target that is being deleted, which might disrupt instances or applications using those mounts. The mount must be deleted prior to deleting the File System, or the adversary will be unable to delete the File System.", + "false_positives": [ + "File System or Mount being deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. File System Mount deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS EFS File System or Mount Deleted", + "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "query": "event.dataset:aws.cloudtrail and event.provider:elasticfilesystem.amazonaws.com and \nevent.action:(DeleteMountTarget or DeleteFileSystem) and event.outcome:success\n", + "references": [ + "https://docs.aws.amazon.com/efs/latest/ug/API_DeleteFileSystem.html", + "https://docs.aws.amazon.com/efs/latest/ug/API_DeleteMountTarget.html" + ], + "risk_score": 47, + "rule_id": "536997f7-ae73-447d-a12d-bff1e8f5f0a0", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "AWS", + "Continuous Monitoring", + "SecOps", + "Data Protection" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1485", + "name": "Data Destruction", + "reference": "https://attack.mitre.org/techniques/T1485/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_hosts_file_modified.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_hosts_file_modified.json index 56c943c85cb2..18f4f1c2e50e 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_hosts_file_modified.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_hosts_file_modified.json @@ -13,8 +13,8 @@ "language": "eql", "license": "Elastic License v2", "name": "Hosts File Modified", - "note": "## Config\n\nFor Windows systems using Auditbeat, this rule requires adding 'C:/Windows/System32/drivers/etc' as an additional path in the 'file_integrity' module of auditbeat.yml.", - "query": "file where event.type in (\"change\", \"creation\") and\n file.path : (\"/private/etc/hosts\", \"/etc/hosts\", \"?:\\\\Windows\\\\System32\\\\drivers\\\\etc\\\\hosts\") \n", + "note": "## Config\n\nFor Windows systems using Auditbeat, this rule requires adding `C:/Windows/System32/drivers/etc` as an additional path in the 'file_integrity' module of auditbeat.yml.", + "query": "any where\n\n /* file events for creation; file change events are not captured by some of the included sources for linux and so may\n miss this, which is the purpose of the process + command line args logic below */\n (\n event.category == \"file\" and event.type in (\"change\", \"creation\") and\n file.path : (\"/private/etc/hosts\", \"/etc/hosts\", \"?:\\\\Windows\\\\System32\\\\drivers\\\\etc\\\\hosts\")\n )\n or\n\n /* process events for change targeting linux only */\n (\n event.category == \"process\" and event.type in (\"start\") and\n process.name in (\"nano\", \"vim\", \"vi\", \"emacs\", \"echo\", \"sed\") and\n process.args : (\"/etc/hosts\")\n )\n", "references": [ "https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-reference-yml.html" ], @@ -56,5 +56,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 5 + "version": 6 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_kubernetes_pod_deleted.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_kubernetes_pod_deleted.json new file mode 100644 index 000000000000..318904f9029d --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_kubernetes_pod_deleted.json @@ -0,0 +1,47 @@ +{ + "author": [ + "Austin Songer" + ], + "description": "Identifies the deletion of Azure Kubernetes Pods. Adversary may delete a kubernetes pod to disrupt the normal behavior of the environment.", + "false_positives": [ + "Pods may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Pods deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-azure*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Azure Kubernetes Pods Deleted", + "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/PODS/DELETE\" and \nevent.outcome:(Success or success)\n", + "references": [ + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes" + ], + "risk_score": 47, + "rule_id": "83a1931d-8136-46fc-b7b9-2db4f639e014", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Azure", + "Continuous Monitoring", + "SecOps", + "Asset Visibility" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_virtual_network_device_modified.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_virtual_network_device_modified.json new file mode 100644 index 000000000000..a378a3d607ab --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_virtual_network_device_modified.json @@ -0,0 +1,47 @@ +{ + "author": [ + "Austin Songer" + ], + "description": "Identifies when a virtual network device is being modified or deleted. This can be a network virtual appliance, virtual hub, or virtual router.", + "false_positives": [ + "Virtual Network Device being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Virtual Network Device modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-azure*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Azure Virtual Network Device Modified or Deleted", + "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:(\"MICROSOFT.NETWORK/NETWORKINTERFACES/TAPCONFIGURATIONS/WRITE\" or\n\"MICROSOFT.NETWORK/NETWORKINTERFACES/TAPCONFIGURATIONS/DELETE\" or \"MICROSOFT.NETWORK/NETWORKINTERFACES/WRITE\" or\n\"MICROSOFT.NETWORK/NETWORKINTERFACES/JOIN/ACTION\" or \"MICROSOFT.NETWORK/NETWORKINTERFACES/DELETE\"or\n\"MICROSOFT.NETWORK/NETWORKVIRTUALAPPLIANCES/DELETE\" or \"MICROSOFT.NETWORK/NETWORKVIRTUALAPPLIANCES/WRITE\" or\n\"MICROSOFT.NETWORK/VIRTUALHUBS/DELETE\" or \"MICROSOFT.NETWORK/VIRTUALHUBS/WRITE\" or\n\"MICROSOFT.NETWORK/VIRTUALROUTERS/WRITE\" or \"MICROSOFT.NETWORK/VIRTUALROUTERS/DELETE\") and \nevent.outcome:(Success or success)\n", + "references": [ + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations" + ], + "risk_score": 21, + "rule_id": "573f6e7a-7acf-4bcd-ad42-c4969124d3c0", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "Azure", + "Continuous Monitoring", + "SecOps", + "Network Security" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_volume_shadow_copy_deletion_via_powershell.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_volume_shadow_copy_deletion_via_powershell.json index 43dce4acf4df..59aceaad39ec 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_volume_shadow_copy_deletion_via_powershell.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_volume_shadow_copy_deletion_via_powershell.json @@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Volume Shadow Copy Deletion via PowerShell", - "query": "process where event.type in (\"start\", \"process_started\") and\n process.name : (\"powershell.exe\", \"pwsh.exe\") and \n process.args : (\"*Get-WmiObject*\", \"*gwmi*\", \"*Get-CimInstance*\", \"*gcim*\") and\n process.args : (\"*Win32_ShadowCopy*\") and\n process.args : (\"*.Delete()*\", \"*Remove-WmiObject*\", \"*rwmi*\", \"*Remove-CimInstance*\", \"*rcim*\")\n", + "query": "process where event.type in (\"start\", \"process_started\") and\n process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and \n process.args : (\"*Get-WmiObject*\", \"*gwmi*\", \"*Get-CimInstance*\", \"*gcim*\") and\n process.args : (\"*Win32_ShadowCopy*\") and\n process.args : (\"*.Delete()*\", \"*Remove-WmiObject*\", \"*rwmi*\", \"*Remove-CimInstance*\", \"*rcim*\")\n", "references": [ "https://docs.microsoft.com/en-us/previous-versions/windows/desktop/vsswmi/win32-shadowcopy", "https://powershell.one/wmi/root/cimv2/win32_shadowcopy", @@ -48,5 +48,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 1 + "version": 2 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/index.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/index.ts index 1c5006f5e6f4..474f7f1181ab 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/index.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/index.ts @@ -220,385 +220,404 @@ import rule207 from './initial_access_unusual_dns_service_file_writes.json'; import rule208 from './lateral_movement_dns_server_overflow.json'; import rule209 from './credential_access_root_console_failure_brute_force.json'; import rule210 from './initial_access_unsecure_elasticsearch_node.json'; -import rule211 from './credential_access_domain_backup_dpapi_private_keys.json'; -import rule212 from './persistence_gpo_schtask_service_creation.json'; -import rule213 from './credential_access_credentials_keychains.json'; -import rule214 from './credential_access_kerberosdump_kcc.json'; -import rule215 from './defense_evasion_attempt_del_quarantine_attrib.json'; -import rule216 from './execution_suspicious_psexesvc.json'; -import rule217 from './execution_via_xp_cmdshell_mssql_stored_procedure.json'; -import rule218 from './privilege_escalation_printspooler_service_suspicious_file.json'; -import rule219 from './privilege_escalation_printspooler_suspicious_spl_file.json'; -import rule220 from './defense_evasion_azure_diagnostic_settings_deletion.json'; -import rule221 from './execution_command_virtual_machine.json'; -import rule222 from './execution_via_hidden_shell_conhost.json'; -import rule223 from './impact_resource_group_deletion.json'; -import rule224 from './persistence_via_telemetrycontroller_scheduledtask_hijack.json'; -import rule225 from './persistence_via_update_orchestrator_service_hijack.json'; -import rule226 from './collection_update_event_hub_auth_rule.json'; -import rule227 from './credential_access_iis_apppoolsa_pwd_appcmd.json'; -import rule228 from './credential_access_iis_connectionstrings_dumping.json'; -import rule229 from './defense_evasion_event_hub_deletion.json'; -import rule230 from './defense_evasion_firewall_policy_deletion.json'; -import rule231 from './defense_evasion_sdelete_like_filename_rename.json'; -import rule232 from './lateral_movement_remote_ssh_login_enabled.json'; -import rule233 from './persistence_azure_automation_account_created.json'; -import rule234 from './persistence_azure_automation_runbook_created_or_modified.json'; -import rule235 from './persistence_azure_automation_webhook_created.json'; -import rule236 from './privilege_escalation_uac_bypass_diskcleanup_hijack.json'; -import rule237 from './credential_access_attempts_to_brute_force_okta_user_account.json'; -import rule238 from './credential_access_storage_account_key_regenerated.json'; -import rule239 from './defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.json'; -import rule240 from './defense_evasion_system_critical_proc_abnormal_file_activity.json'; -import rule241 from './defense_evasion_unusual_system_vp_child_program.json'; -import rule242 from './discovery_blob_container_access_mod.json'; -import rule243 from './persistence_mfa_disabled_for_azure_user.json'; -import rule244 from './persistence_user_added_as_owner_for_azure_application.json'; -import rule245 from './persistence_user_added_as_owner_for_azure_service_principal.json'; -import rule246 from './defense_evasion_dotnet_compiler_parent_process.json'; -import rule247 from './defense_evasion_suspicious_managedcode_host_process.json'; -import rule248 from './execution_command_shell_started_by_unusual_process.json'; -import rule249 from './defense_evasion_masquerading_as_elastic_endpoint_process.json'; -import rule250 from './defense_evasion_masquerading_suspicious_werfault_childproc.json'; -import rule251 from './defense_evasion_masquerading_werfault.json'; -import rule252 from './credential_access_key_vault_modified.json'; -import rule253 from './credential_access_mimikatz_memssp_default_logs.json'; -import rule254 from './defense_evasion_code_injection_conhost.json'; -import rule255 from './defense_evasion_network_watcher_deletion.json'; -import rule256 from './initial_access_external_guest_user_invite.json'; -import rule257 from './defense_evasion_masquerading_renamed_autoit.json'; -import rule258 from './impact_azure_automation_runbook_deleted.json'; -import rule259 from './initial_access_consent_grant_attack_via_azure_registered_application.json'; -import rule260 from './persistence_azure_conditional_access_policy_modified.json'; -import rule261 from './persistence_azure_privileged_identity_management_role_modified.json'; -import rule262 from './command_and_control_teamviewer_remote_file_copy.json'; -import rule263 from './defense_evasion_installutil_beacon.json'; -import rule264 from './defense_evasion_mshta_beacon.json'; -import rule265 from './defense_evasion_network_connection_from_windows_binary.json'; -import rule266 from './defense_evasion_rundll32_no_arguments.json'; -import rule267 from './defense_evasion_suspicious_scrobj_load.json'; -import rule268 from './defense_evasion_suspicious_wmi_script.json'; -import rule269 from './execution_ms_office_written_file.json'; -import rule270 from './execution_pdf_written_file.json'; -import rule271 from './lateral_movement_cmd_service.json'; -import rule272 from './persistence_app_compat_shim.json'; -import rule273 from './command_and_control_remote_file_copy_desktopimgdownldr.json'; -import rule274 from './command_and_control_remote_file_copy_mpcmdrun.json'; -import rule275 from './defense_evasion_execution_suspicious_explorer_winword.json'; -import rule276 from './defense_evasion_suspicious_zoom_child_process.json'; -import rule277 from './ml_linux_anomalous_compiler_activity.json'; -import rule278 from './ml_linux_anomalous_kernel_module_arguments.json'; -import rule279 from './ml_linux_anomalous_sudo_activity.json'; -import rule280 from './ml_linux_system_information_discovery.json'; -import rule281 from './ml_linux_system_network_configuration_discovery.json'; -import rule282 from './ml_linux_system_network_connection_discovery.json'; -import rule283 from './ml_linux_system_process_discovery.json'; -import rule284 from './ml_linux_system_user_discovery.json'; -import rule285 from './discovery_post_exploitation_external_ip_lookup.json'; -import rule286 from './initial_access_zoom_meeting_with_no_passcode.json'; -import rule287 from './defense_evasion_gcp_logging_sink_deletion.json'; -import rule288 from './defense_evasion_gcp_pub_sub_topic_deletion.json'; -import rule289 from './defense_evasion_gcp_firewall_rule_created.json'; -import rule290 from './defense_evasion_gcp_firewall_rule_deleted.json'; -import rule291 from './defense_evasion_gcp_firewall_rule_modified.json'; -import rule292 from './defense_evasion_gcp_logging_bucket_deletion.json'; -import rule293 from './defense_evasion_gcp_storage_bucket_permissions_modified.json'; -import rule294 from './impact_gcp_storage_bucket_deleted.json'; -import rule295 from './initial_access_gcp_iam_custom_role_creation.json'; -import rule296 from './persistence_gcp_iam_service_account_key_deletion.json'; -import rule297 from './persistence_gcp_key_created_for_service_account.json'; -import rule298 from './defense_evasion_gcp_storage_bucket_configuration_modified.json'; -import rule299 from './exfiltration_gcp_logging_sink_modification.json'; -import rule300 from './impact_gcp_iam_role_deletion.json'; -import rule301 from './impact_gcp_service_account_deleted.json'; -import rule302 from './impact_gcp_service_account_disabled.json'; -import rule303 from './impact_gcp_virtual_private_cloud_network_deleted.json'; -import rule304 from './impact_gcp_virtual_private_cloud_route_created.json'; -import rule305 from './impact_gcp_virtual_private_cloud_route_deleted.json'; -import rule306 from './ml_linux_anomalous_metadata_process.json'; -import rule307 from './ml_linux_anomalous_metadata_user.json'; -import rule308 from './ml_windows_anomalous_metadata_process.json'; -import rule309 from './ml_windows_anomalous_metadata_user.json'; -import rule310 from './persistence_gcp_service_account_created.json'; -import rule311 from './collection_gcp_pub_sub_subscription_creation.json'; -import rule312 from './collection_gcp_pub_sub_topic_creation.json'; -import rule313 from './defense_evasion_gcp_pub_sub_subscription_deletion.json'; -import rule314 from './persistence_azure_pim_user_added_global_admin.json'; -import rule315 from './command_and_control_cobalt_strike_default_teamserver_cert.json'; -import rule316 from './defense_evasion_enable_inbound_rdp_with_netsh.json'; -import rule317 from './defense_evasion_execution_lolbas_wuauclt.json'; -import rule318 from './privilege_escalation_unusual_svchost_childproc_childless.json'; -import rule319 from './command_and_control_rdp_tunnel_plink.json'; -import rule320 from './privilege_escalation_uac_bypass_winfw_mmc_hijack.json'; -import rule321 from './persistence_ms_office_addins_file.json'; -import rule322 from './discovery_adfind_command_activity.json'; -import rule323 from './discovery_security_software_wmic.json'; -import rule324 from './execution_command_shell_via_rundll32.json'; -import rule325 from './execution_suspicious_cmd_wmi.json'; -import rule326 from './lateral_movement_via_startup_folder_rdp_smb.json'; -import rule327 from './privilege_escalation_uac_bypass_com_interface_icmluautil.json'; -import rule328 from './privilege_escalation_uac_bypass_mock_windir.json'; -import rule329 from './defense_evasion_potential_processherpaderping.json'; -import rule330 from './privilege_escalation_uac_bypass_dll_sideloading.json'; -import rule331 from './execution_shared_modules_local_sxs_dll.json'; -import rule332 from './privilege_escalation_uac_bypass_com_clipup.json'; -import rule333 from './initial_access_via_explorer_suspicious_child_parent_args.json'; -import rule334 from './execution_from_unusual_directory.json'; -import rule335 from './execution_from_unusual_path_cmdline.json'; -import rule336 from './credential_access_kerberoasting_unusual_process.json'; -import rule337 from './discovery_peripheral_device.json'; -import rule338 from './lateral_movement_mount_hidden_or_webdav_share_net.json'; -import rule339 from './defense_evasion_deleting_websvr_access_logs.json'; -import rule340 from './defense_evasion_log_files_deleted.json'; -import rule341 from './defense_evasion_timestomp_touch.json'; -import rule342 from './lateral_movement_dcom_hta.json'; -import rule343 from './lateral_movement_execution_via_file_shares_sequence.json'; -import rule344 from './privilege_escalation_uac_bypass_com_ieinstal.json'; -import rule345 from './command_and_control_common_webservices.json'; -import rule346 from './command_and_control_encrypted_channel_freesslcert.json'; -import rule347 from './defense_evasion_process_termination_followed_by_deletion.json'; -import rule348 from './lateral_movement_remote_file_copy_hidden_share.json'; -import rule349 from './attempt_to_deactivate_okta_network_zone.json'; -import rule350 from './attempt_to_delete_okta_network_zone.json'; -import rule351 from './lateral_movement_dcom_mmc20.json'; -import rule352 from './lateral_movement_dcom_shellwindow_shellbrowserwindow.json'; -import rule353 from './okta_attempt_to_deactivate_okta_application.json'; -import rule354 from './okta_attempt_to_delete_okta_application.json'; -import rule355 from './okta_attempt_to_delete_okta_policy_rule.json'; -import rule356 from './okta_attempt_to_modify_okta_application.json'; -import rule357 from './persistence_administrator_role_assigned_to_okta_user.json'; -import rule358 from './lateral_movement_executable_tool_transfer_smb.json'; -import rule359 from './command_and_control_dns_tunneling_nslookup.json'; -import rule360 from './lateral_movement_execution_from_tsclient_mup.json'; -import rule361 from './lateral_movement_rdp_sharprdp_target.json'; -import rule362 from './defense_evasion_clearing_windows_security_logs.json'; -import rule363 from './persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.json'; -import rule364 from './execution_suspicious_short_program_name.json'; -import rule365 from './lateral_movement_incoming_wmi.json'; -import rule366 from './persistence_via_hidden_run_key_valuename.json'; -import rule367 from './credential_access_potential_ssh_bruteforce.json'; -import rule368 from './credential_access_promt_for_pwd_via_osascript.json'; -import rule369 from './lateral_movement_remote_services.json'; -import rule370 from './application_added_to_google_workspace_domain.json'; -import rule371 from './domain_added_to_google_workspace_trusted_domains.json'; -import rule372 from './execution_suspicious_image_load_wmi_ms_office.json'; -import rule373 from './execution_suspicious_powershell_imgload.json'; -import rule374 from './google_workspace_admin_role_deletion.json'; -import rule375 from './google_workspace_mfa_enforcement_disabled.json'; -import rule376 from './google_workspace_policy_modified.json'; -import rule377 from './mfa_disabled_for_google_workspace_organization.json'; -import rule378 from './persistence_evasion_registry_ifeo_injection.json'; -import rule379 from './persistence_google_workspace_admin_role_assigned_to_user.json'; -import rule380 from './persistence_google_workspace_custom_admin_role_created.json'; -import rule381 from './persistence_google_workspace_role_modified.json'; -import rule382 from './persistence_suspicious_image_load_scheduled_task_ms_office.json'; -import rule383 from './defense_evasion_masquerading_trusted_directory.json'; -import rule384 from './exfiltration_microsoft_365_exchange_transport_rule_creation.json'; -import rule385 from './initial_access_microsoft_365_exchange_safelinks_disabled.json'; -import rule386 from './microsoft_365_exchange_dkim_signing_config_disabled.json'; -import rule387 from './persistence_appcertdlls_registry.json'; -import rule388 from './persistence_appinitdlls_registry.json'; -import rule389 from './persistence_registry_uncommon.json'; -import rule390 from './persistence_run_key_and_startup_broad.json'; -import rule391 from './persistence_services_registry.json'; -import rule392 from './persistence_startup_folder_file_written_by_suspicious_process.json'; -import rule393 from './persistence_startup_folder_scripts.json'; -import rule394 from './persistence_suspicious_com_hijack_registry.json'; -import rule395 from './persistence_via_lsa_security_support_provider_registry.json'; -import rule396 from './defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.json'; -import rule397 from './defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.json'; -import rule398 from './defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.json'; -import rule399 from './exfiltration_microsoft_365_exchange_transport_rule_mod.json'; -import rule400 from './initial_access_microsoft_365_exchange_anti_phish_policy_deletion.json'; -import rule401 from './initial_access_microsoft_365_exchange_anti_phish_rule_mod.json'; -import rule402 from './lateral_movement_suspicious_rdp_client_imageload.json'; -import rule403 from './persistence_runtime_run_key_startup_susp_procs.json'; -import rule404 from './persistence_suspicious_scheduled_task_runtime.json'; -import rule405 from './defense_evasion_microsoft_365_exchange_dlp_policy_removed.json'; -import rule406 from './lateral_movement_scheduled_task_target.json'; -import rule407 from './persistence_microsoft_365_exchange_management_role_assignment.json'; -import rule408 from './persistence_microsoft_365_teams_guest_access_enabled.json'; -import rule409 from './credential_access_dump_registry_hives.json'; -import rule410 from './defense_evasion_scheduledjobs_at_protocol_enabled.json'; -import rule411 from './persistence_ms_outlook_vba_template.json'; -import rule412 from './persistence_suspicious_service_created_registry.json'; -import rule413 from './privilege_escalation_named_pipe_impersonation.json'; -import rule414 from './credential_access_cmdline_dump_tool.json'; -import rule415 from './credential_access_copy_ntds_sam_volshadowcp_cmdline.json'; -import rule416 from './credential_access_lsass_memdump_file_created.json'; -import rule417 from './lateral_movement_incoming_winrm_shell_execution.json'; -import rule418 from './lateral_movement_powershell_remoting_target.json'; -import rule419 from './command_and_control_port_forwarding_added_registry.json'; -import rule420 from './defense_evasion_hide_encoded_executable_registry.json'; -import rule421 from './lateral_movement_rdp_enabled_registry.json'; -import rule422 from './privilege_escalation_printspooler_registry_copyfiles.json'; -import rule423 from './privilege_escalation_rogue_windir_environment_var.json'; -import rule424 from './initial_access_scripts_process_started_via_wmi.json'; -import rule425 from './command_and_control_iexplore_via_com.json'; -import rule426 from './command_and_control_remote_file_copy_scripts.json'; -import rule427 from './persistence_local_scheduled_task_scripting.json'; -import rule428 from './persistence_startup_folder_file_written_by_unsigned_process.json'; -import rule429 from './command_and_control_remote_file_copy_powershell.json'; -import rule430 from './credential_access_microsoft_365_brute_force_user_account_attempt.json'; -import rule431 from './microsoft_365_teams_custom_app_interaction_allowed.json'; -import rule432 from './persistence_microsoft_365_teams_external_access_enabled.json'; -import rule433 from './credential_access_microsoft_365_potential_password_spraying_attack.json'; -import rule434 from './impact_stop_process_service_threshold.json'; -import rule435 from './collection_winrar_encryption.json'; -import rule436 from './defense_evasion_unusual_dir_ads.json'; -import rule437 from './discovery_admin_recon.json'; -import rule438 from './discovery_file_dir_discovery.json'; -import rule439 from './discovery_net_view.json'; -import rule440 from './discovery_remote_system_discovery_commands_windows.json'; -import rule441 from './persistence_via_windows_management_instrumentation_event_subscription.json'; -import rule442 from './execution_scripting_osascript_exec_followed_by_netcon.json'; -import rule443 from './execution_shell_execution_via_apple_scripting.json'; -import rule444 from './persistence_creation_change_launch_agents_file.json'; -import rule445 from './persistence_creation_modif_launch_deamon_sequence.json'; -import rule446 from './persistence_folder_action_scripts_runtime.json'; -import rule447 from './persistence_login_logout_hooks_defaults.json'; -import rule448 from './privilege_escalation_explicit_creds_via_scripting.json'; -import rule449 from './command_and_control_sunburst_c2_activity_detected.json'; -import rule450 from './defense_evasion_azure_application_credential_modification.json'; -import rule451 from './defense_evasion_azure_service_principal_addition.json'; -import rule452 from './defense_evasion_solarwinds_backdoor_service_disabled_via_registry.json'; -import rule453 from './execution_apt_solarwinds_backdoor_child_cmd_powershell.json'; -import rule454 from './execution_apt_solarwinds_backdoor_unusual_child_processes.json'; -import rule455 from './initial_access_azure_active_directory_powershell_signin.json'; -import rule456 from './collection_email_powershell_exchange_mailbox.json'; -import rule457 from './execution_scheduled_task_powershell_source.json'; -import rule458 from './persistence_powershell_exch_mailbox_activesync_add_device.json'; -import rule459 from './persistence_docker_shortcuts_plist_modification.json'; -import rule460 from './persistence_evasion_hidden_local_account_creation.json'; -import rule461 from './persistence_finder_sync_plugin_pluginkit.json'; -import rule462 from './discovery_security_software_grep.json'; -import rule463 from './credential_access_cookies_chromium_browsers_debugging.json'; -import rule464 from './credential_access_ssh_backdoor_log.json'; -import rule465 from './persistence_credential_access_modify_auth_module_or_config.json'; -import rule466 from './persistence_credential_access_modify_ssh_binaries.json'; -import rule467 from './credential_access_collection_sensitive_files.json'; -import rule468 from './persistence_ssh_authorized_keys_modification.json'; -import rule469 from './defense_evasion_defender_disabled_via_registry.json'; -import rule470 from './defense_evasion_privacy_controls_tcc_database_modification.json'; -import rule471 from './execution_initial_access_suspicious_browser_childproc.json'; -import rule472 from './execution_script_via_automator_workflows.json'; -import rule473 from './persistence_modification_sublime_app_plugin_or_script.json'; -import rule474 from './privilege_escalation_applescript_with_admin_privs.json'; -import rule475 from './credential_access_dumping_keychain_security.json'; -import rule476 from './initial_access_azure_active_directory_high_risk_signin.json'; -import rule477 from './initial_access_suspicious_mac_ms_office_child_process.json'; -import rule478 from './credential_access_mitm_localhost_webproxy.json'; -import rule479 from './persistence_kde_autostart_modification.json'; -import rule480 from './persistence_user_account_added_to_privileged_group_ad.json'; -import rule481 from './defense_evasion_attempt_to_disable_gatekeeper.json'; -import rule482 from './defense_evasion_sandboxed_office_app_suspicious_zip_file.json'; -import rule483 from './persistence_emond_rules_file_creation.json'; -import rule484 from './persistence_emond_rules_process_execution.json'; -import rule485 from './discovery_users_domain_built_in_commands.json'; -import rule486 from './execution_pentest_eggshell_remote_admin_tool.json'; -import rule487 from './defense_evasion_install_root_certificate.json'; -import rule488 from './persistence_credential_access_authorization_plugin_creation.json'; -import rule489 from './persistence_directory_services_plugins_modification.json'; -import rule490 from './defense_evasion_modify_environment_launchctl.json'; -import rule491 from './defense_evasion_safari_config_change.json'; -import rule492 from './defense_evasion_apple_softupdates_modification.json'; -import rule493 from './credential_access_mod_wdigest_security_provider.json'; -import rule494 from './credential_access_saved_creds_vaultcmd.json'; -import rule495 from './defense_evasion_file_creation_mult_extension.json'; -import rule496 from './execution_enumeration_via_wmiprvse.json'; -import rule497 from './execution_suspicious_jar_child_process.json'; -import rule498 from './persistence_shell_profile_modification.json'; -import rule499 from './persistence_suspicious_calendar_modification.json'; -import rule500 from './persistence_time_provider_mod.json'; -import rule501 from './privilege_escalation_exploit_adobe_acrobat_updater.json'; -import rule502 from './defense_evasion_sip_provider_mod.json'; -import rule503 from './execution_com_object_xwizard.json'; -import rule504 from './privilege_escalation_disable_uac_registry.json'; -import rule505 from './defense_evasion_unusual_ads_file_creation.json'; -import rule506 from './persistence_loginwindow_plist_modification.json'; -import rule507 from './persistence_periodic_tasks_file_mdofiy.json'; -import rule508 from './persistence_via_atom_init_file_modification.json'; -import rule509 from './privilege_escalation_lsa_auth_package.json'; -import rule510 from './privilege_escalation_port_monitor_print_pocessor_abuse.json'; -import rule511 from './credential_access_dumping_hashes_bi_cmds.json'; -import rule512 from './lateral_movement_mounting_smb_share.json'; -import rule513 from './privilege_escalation_echo_nopasswd_sudoers.json'; -import rule514 from './privilege_escalation_ld_preload_shared_object_modif.json'; -import rule515 from './privilege_escalation_root_crontab_filemod.json'; -import rule516 from './defense_evasion_create_mod_root_certificate.json'; -import rule517 from './privilege_escalation_sudo_buffer_overflow.json'; -import rule518 from './execution_installer_spawned_network_event.json'; -import rule519 from './initial_access_suspicious_ms_exchange_files.json'; -import rule520 from './initial_access_suspicious_ms_exchange_process.json'; -import rule521 from './initial_access_suspicious_ms_exchange_worker_child_process.json'; -import rule522 from './persistence_evasion_registry_startup_shell_folder_modified.json'; -import rule523 from './persistence_local_scheduled_job_creation.json'; -import rule524 from './persistence_via_wmi_stdregprov_run_services.json'; -import rule525 from './credential_access_persistence_network_logon_provider_modification.json'; -import rule526 from './lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.json'; -import rule527 from './collection_microsoft_365_new_inbox_rule.json'; -import rule528 from './ml_high_count_network_denies.json'; -import rule529 from './ml_high_count_network_events.json'; -import rule530 from './ml_rare_destination_country.json'; -import rule531 from './ml_spike_in_traffic_to_a_country.json'; -import rule532 from './command_and_control_tunneling_via_earthworm.json'; -import rule533 from './lateral_movement_evasion_rdp_shadowing.json'; -import rule534 from './threat_intel_module_match.json'; -import rule535 from './exfiltration_ec2_vm_export_failure.json'; -import rule536 from './exfiltration_ec2_full_network_packet_capture_detected.json'; -import rule537 from './impact_azure_service_principal_credentials_added.json'; -import rule538 from './persistence_ec2_security_group_configuration_change_detection.json'; -import rule539 from './defense_evasion_disabling_windows_logs.json'; -import rule540 from './persistence_route_53_domain_transfer_lock_disabled.json'; -import rule541 from './persistence_route_53_domain_transferred_to_another_account.json'; -import rule542 from './initial_access_okta_user_attempted_unauthorized_access.json'; -import rule543 from './credential_access_user_excessive_sso_logon_errors.json'; -import rule544 from './persistence_exchange_suspicious_mailbox_right_delegation.json'; -import rule545 from './privilege_escalation_new_or_modified_federation_domain.json'; -import rule546 from './privilege_escalation_sts_getsessiontoken_abuse.json'; -import rule547 from './defense_evasion_suspicious_execution_from_mounted_device.json'; -import rule548 from './defense_evasion_unusual_network_connection_via_dllhost.json'; -import rule549 from './defense_evasion_amsienable_key_mod.json'; -import rule550 from './impact_rds_group_deletion.json'; -import rule551 from './persistence_rds_group_creation.json'; -import rule552 from './persistence_route_table_modified_or_deleted.json'; -import rule553 from './exfiltration_rds_snapshot_export.json'; -import rule554 from './persistence_rds_instance_creation.json'; -import rule555 from './ml_auth_rare_hour_for_a_user_to_logon.json'; -import rule556 from './ml_auth_rare_source_ip_for_a_user.json'; -import rule557 from './ml_auth_rare_user_logon.json'; -import rule558 from './ml_auth_spike_in_failed_logon_events.json'; -import rule559 from './ml_auth_spike_in_logon_events.json'; -import rule560 from './ml_auth_spike_in_logon_events_from_a_source_ip.json'; -import rule561 from './privilege_escalation_cyberarkpas_error_audit_event_promotion.json'; -import rule562 from './privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.json'; -import rule563 from './privilege_escalation_printspooler_malicious_driver_file_changes.json'; -import rule564 from './privilege_escalation_printspooler_malicious_registry_modification.json'; -import rule565 from './privilege_escalation_printspooler_suspicious_file_deletion.json'; -import rule566 from './privilege_escalation_unusual_printspooler_childprocess.json'; -import rule567 from './defense_evasion_disabling_windows_defender_powershell.json'; -import rule568 from './defense_evasion_enable_network_discovery_with_netsh.json'; -import rule569 from './defense_evasion_execution_windefend_unusual_path.json'; -import rule570 from './defense_evasion_agent_spoofing_mismatched_id.json'; -import rule571 from './defense_evasion_agent_spoofing_multiple_hosts.json'; -import rule572 from './defense_evasion_parent_process_pid_spoofing.json'; -import rule573 from './impact_microsoft_365_potential_ransomware_activity.json'; -import rule574 from './impact_microsoft_365_unusual_volume_of_file_deletion.json'; -import rule575 from './initial_access_microsoft_365_user_restricted_from_sending_email.json'; -import rule576 from './defense_evasion_elasticache_security_group_creation.json'; -import rule577 from './defense_evasion_elasticache_security_group_modified_or_deleted.json'; -import rule578 from './impact_volume_shadow_copy_deletion_via_powershell.json'; -import rule579 from './defense_evasion_defender_exclusion_via_powershell.json'; -import rule580 from './defense_evasion_whitespace_padding_in_command_line.json'; -import rule581 from './defense_evasion_frontdoor_firewall_policy_deletion.json'; -import rule582 from './persistence_webshell_detection.json'; -import rule583 from './defense_evasion_execution_control_panel_suspicious_args.json'; -import rule584 from './credential_access_potential_lsa_memdump_via_mirrordump.json'; -import rule585 from './discovery_virtual_machine_fingerprinting_grep.json'; -import rule586 from './impact_backup_file_deletion.json'; -import rule587 from './persistence_screensaver_engine_unexpected_child_process.json'; -import rule588 from './persistence_screensaver_plist_file_modification.json'; -import rule589 from './persistence_via_bits_job_notify_command.json'; +import rule211 from './impact_virtual_network_device_modified.json'; +import rule212 from './credential_access_domain_backup_dpapi_private_keys.json'; +import rule213 from './persistence_gpo_schtask_service_creation.json'; +import rule214 from './credential_access_credentials_keychains.json'; +import rule215 from './credential_access_kerberosdump_kcc.json'; +import rule216 from './defense_evasion_attempt_del_quarantine_attrib.json'; +import rule217 from './execution_suspicious_psexesvc.json'; +import rule218 from './execution_via_xp_cmdshell_mssql_stored_procedure.json'; +import rule219 from './privilege_escalation_printspooler_service_suspicious_file.json'; +import rule220 from './privilege_escalation_printspooler_suspicious_spl_file.json'; +import rule221 from './defense_evasion_azure_diagnostic_settings_deletion.json'; +import rule222 from './execution_command_virtual_machine.json'; +import rule223 from './execution_via_hidden_shell_conhost.json'; +import rule224 from './impact_resource_group_deletion.json'; +import rule225 from './persistence_via_telemetrycontroller_scheduledtask_hijack.json'; +import rule226 from './persistence_via_update_orchestrator_service_hijack.json'; +import rule227 from './collection_update_event_hub_auth_rule.json'; +import rule228 from './credential_access_iis_apppoolsa_pwd_appcmd.json'; +import rule229 from './credential_access_iis_connectionstrings_dumping.json'; +import rule230 from './defense_evasion_event_hub_deletion.json'; +import rule231 from './defense_evasion_firewall_policy_deletion.json'; +import rule232 from './defense_evasion_sdelete_like_filename_rename.json'; +import rule233 from './lateral_movement_remote_ssh_login_enabled.json'; +import rule234 from './persistence_azure_automation_account_created.json'; +import rule235 from './persistence_azure_automation_runbook_created_or_modified.json'; +import rule236 from './persistence_azure_automation_webhook_created.json'; +import rule237 from './privilege_escalation_uac_bypass_diskcleanup_hijack.json'; +import rule238 from './credential_access_attempts_to_brute_force_okta_user_account.json'; +import rule239 from './credential_access_storage_account_key_regenerated.json'; +import rule240 from './defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.json'; +import rule241 from './defense_evasion_system_critical_proc_abnormal_file_activity.json'; +import rule242 from './defense_evasion_unusual_system_vp_child_program.json'; +import rule243 from './discovery_blob_container_access_mod.json'; +import rule244 from './persistence_mfa_disabled_for_azure_user.json'; +import rule245 from './persistence_user_added_as_owner_for_azure_application.json'; +import rule246 from './persistence_user_added_as_owner_for_azure_service_principal.json'; +import rule247 from './defense_evasion_dotnet_compiler_parent_process.json'; +import rule248 from './defense_evasion_suspicious_managedcode_host_process.json'; +import rule249 from './execution_command_shell_started_by_unusual_process.json'; +import rule250 from './defense_evasion_masquerading_as_elastic_endpoint_process.json'; +import rule251 from './defense_evasion_masquerading_suspicious_werfault_childproc.json'; +import rule252 from './defense_evasion_masquerading_werfault.json'; +import rule253 from './credential_access_key_vault_modified.json'; +import rule254 from './credential_access_mimikatz_memssp_default_logs.json'; +import rule255 from './defense_evasion_code_injection_conhost.json'; +import rule256 from './defense_evasion_network_watcher_deletion.json'; +import rule257 from './initial_access_external_guest_user_invite.json'; +import rule258 from './defense_evasion_masquerading_renamed_autoit.json'; +import rule259 from './impact_azure_automation_runbook_deleted.json'; +import rule260 from './initial_access_consent_grant_attack_via_azure_registered_application.json'; +import rule261 from './persistence_azure_conditional_access_policy_modified.json'; +import rule262 from './persistence_azure_privileged_identity_management_role_modified.json'; +import rule263 from './command_and_control_teamviewer_remote_file_copy.json'; +import rule264 from './defense_evasion_installutil_beacon.json'; +import rule265 from './defense_evasion_mshta_beacon.json'; +import rule266 from './defense_evasion_network_connection_from_windows_binary.json'; +import rule267 from './defense_evasion_rundll32_no_arguments.json'; +import rule268 from './defense_evasion_suspicious_scrobj_load.json'; +import rule269 from './defense_evasion_suspicious_wmi_script.json'; +import rule270 from './execution_ms_office_written_file.json'; +import rule271 from './execution_pdf_written_file.json'; +import rule272 from './lateral_movement_cmd_service.json'; +import rule273 from './persistence_app_compat_shim.json'; +import rule274 from './command_and_control_remote_file_copy_desktopimgdownldr.json'; +import rule275 from './command_and_control_remote_file_copy_mpcmdrun.json'; +import rule276 from './defense_evasion_execution_suspicious_explorer_winword.json'; +import rule277 from './defense_evasion_suspicious_zoom_child_process.json'; +import rule278 from './ml_linux_anomalous_compiler_activity.json'; +import rule279 from './ml_linux_anomalous_kernel_module_arguments.json'; +import rule280 from './ml_linux_anomalous_sudo_activity.json'; +import rule281 from './ml_linux_system_information_discovery.json'; +import rule282 from './ml_linux_system_network_configuration_discovery.json'; +import rule283 from './ml_linux_system_network_connection_discovery.json'; +import rule284 from './ml_linux_system_process_discovery.json'; +import rule285 from './ml_linux_system_user_discovery.json'; +import rule286 from './discovery_post_exploitation_external_ip_lookup.json'; +import rule287 from './initial_access_zoom_meeting_with_no_passcode.json'; +import rule288 from './defense_evasion_gcp_logging_sink_deletion.json'; +import rule289 from './defense_evasion_gcp_pub_sub_topic_deletion.json'; +import rule290 from './defense_evasion_gcp_firewall_rule_created.json'; +import rule291 from './defense_evasion_gcp_firewall_rule_deleted.json'; +import rule292 from './defense_evasion_gcp_firewall_rule_modified.json'; +import rule293 from './defense_evasion_gcp_logging_bucket_deletion.json'; +import rule294 from './defense_evasion_gcp_storage_bucket_permissions_modified.json'; +import rule295 from './impact_gcp_storage_bucket_deleted.json'; +import rule296 from './initial_access_gcp_iam_custom_role_creation.json'; +import rule297 from './persistence_gcp_iam_service_account_key_deletion.json'; +import rule298 from './persistence_gcp_key_created_for_service_account.json'; +import rule299 from './defense_evasion_gcp_storage_bucket_configuration_modified.json'; +import rule300 from './exfiltration_gcp_logging_sink_modification.json'; +import rule301 from './impact_gcp_iam_role_deletion.json'; +import rule302 from './impact_gcp_service_account_deleted.json'; +import rule303 from './impact_gcp_service_account_disabled.json'; +import rule304 from './impact_gcp_virtual_private_cloud_network_deleted.json'; +import rule305 from './impact_gcp_virtual_private_cloud_route_created.json'; +import rule306 from './impact_gcp_virtual_private_cloud_route_deleted.json'; +import rule307 from './ml_linux_anomalous_metadata_process.json'; +import rule308 from './ml_linux_anomalous_metadata_user.json'; +import rule309 from './ml_windows_anomalous_metadata_process.json'; +import rule310 from './ml_windows_anomalous_metadata_user.json'; +import rule311 from './persistence_gcp_service_account_created.json'; +import rule312 from './collection_gcp_pub_sub_subscription_creation.json'; +import rule313 from './collection_gcp_pub_sub_topic_creation.json'; +import rule314 from './defense_evasion_gcp_pub_sub_subscription_deletion.json'; +import rule315 from './persistence_azure_pim_user_added_global_admin.json'; +import rule316 from './command_and_control_cobalt_strike_default_teamserver_cert.json'; +import rule317 from './defense_evasion_enable_inbound_rdp_with_netsh.json'; +import rule318 from './defense_evasion_execution_lolbas_wuauclt.json'; +import rule319 from './privilege_escalation_unusual_svchost_childproc_childless.json'; +import rule320 from './command_and_control_rdp_tunnel_plink.json'; +import rule321 from './privilege_escalation_uac_bypass_winfw_mmc_hijack.json'; +import rule322 from './persistence_ms_office_addins_file.json'; +import rule323 from './discovery_adfind_command_activity.json'; +import rule324 from './discovery_security_software_wmic.json'; +import rule325 from './execution_command_shell_via_rundll32.json'; +import rule326 from './execution_suspicious_cmd_wmi.json'; +import rule327 from './lateral_movement_via_startup_folder_rdp_smb.json'; +import rule328 from './privilege_escalation_uac_bypass_com_interface_icmluautil.json'; +import rule329 from './privilege_escalation_uac_bypass_mock_windir.json'; +import rule330 from './defense_evasion_potential_processherpaderping.json'; +import rule331 from './privilege_escalation_uac_bypass_dll_sideloading.json'; +import rule332 from './execution_shared_modules_local_sxs_dll.json'; +import rule333 from './privilege_escalation_uac_bypass_com_clipup.json'; +import rule334 from './initial_access_via_explorer_suspicious_child_parent_args.json'; +import rule335 from './execution_from_unusual_directory.json'; +import rule336 from './execution_from_unusual_path_cmdline.json'; +import rule337 from './credential_access_kerberoasting_unusual_process.json'; +import rule338 from './discovery_peripheral_device.json'; +import rule339 from './lateral_movement_mount_hidden_or_webdav_share_net.json'; +import rule340 from './defense_evasion_deleting_websvr_access_logs.json'; +import rule341 from './defense_evasion_log_files_deleted.json'; +import rule342 from './defense_evasion_timestomp_touch.json'; +import rule343 from './lateral_movement_dcom_hta.json'; +import rule344 from './lateral_movement_execution_via_file_shares_sequence.json'; +import rule345 from './privilege_escalation_uac_bypass_com_ieinstal.json'; +import rule346 from './command_and_control_common_webservices.json'; +import rule347 from './command_and_control_encrypted_channel_freesslcert.json'; +import rule348 from './defense_evasion_process_termination_followed_by_deletion.json'; +import rule349 from './lateral_movement_remote_file_copy_hidden_share.json'; +import rule350 from './attempt_to_deactivate_okta_network_zone.json'; +import rule351 from './attempt_to_delete_okta_network_zone.json'; +import rule352 from './lateral_movement_dcom_mmc20.json'; +import rule353 from './lateral_movement_dcom_shellwindow_shellbrowserwindow.json'; +import rule354 from './okta_attempt_to_deactivate_okta_application.json'; +import rule355 from './okta_attempt_to_delete_okta_application.json'; +import rule356 from './okta_attempt_to_delete_okta_policy_rule.json'; +import rule357 from './okta_attempt_to_modify_okta_application.json'; +import rule358 from './persistence_administrator_role_assigned_to_okta_user.json'; +import rule359 from './lateral_movement_executable_tool_transfer_smb.json'; +import rule360 from './command_and_control_dns_tunneling_nslookup.json'; +import rule361 from './lateral_movement_execution_from_tsclient_mup.json'; +import rule362 from './lateral_movement_rdp_sharprdp_target.json'; +import rule363 from './defense_evasion_clearing_windows_security_logs.json'; +import rule364 from './persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.json'; +import rule365 from './execution_suspicious_short_program_name.json'; +import rule366 from './lateral_movement_incoming_wmi.json'; +import rule367 from './persistence_via_hidden_run_key_valuename.json'; +import rule368 from './credential_access_potential_ssh_bruteforce.json'; +import rule369 from './credential_access_promt_for_pwd_via_osascript.json'; +import rule370 from './lateral_movement_remote_services.json'; +import rule371 from './application_added_to_google_workspace_domain.json'; +import rule372 from './domain_added_to_google_workspace_trusted_domains.json'; +import rule373 from './execution_suspicious_image_load_wmi_ms_office.json'; +import rule374 from './execution_suspicious_powershell_imgload.json'; +import rule375 from './google_workspace_admin_role_deletion.json'; +import rule376 from './google_workspace_mfa_enforcement_disabled.json'; +import rule377 from './google_workspace_policy_modified.json'; +import rule378 from './mfa_disabled_for_google_workspace_organization.json'; +import rule379 from './persistence_evasion_registry_ifeo_injection.json'; +import rule380 from './persistence_google_workspace_admin_role_assigned_to_user.json'; +import rule381 from './persistence_google_workspace_custom_admin_role_created.json'; +import rule382 from './persistence_google_workspace_role_modified.json'; +import rule383 from './persistence_suspicious_image_load_scheduled_task_ms_office.json'; +import rule384 from './defense_evasion_masquerading_trusted_directory.json'; +import rule385 from './exfiltration_microsoft_365_exchange_transport_rule_creation.json'; +import rule386 from './initial_access_microsoft_365_exchange_safelinks_disabled.json'; +import rule387 from './microsoft_365_exchange_dkim_signing_config_disabled.json'; +import rule388 from './persistence_appcertdlls_registry.json'; +import rule389 from './persistence_appinitdlls_registry.json'; +import rule390 from './persistence_registry_uncommon.json'; +import rule391 from './persistence_run_key_and_startup_broad.json'; +import rule392 from './persistence_services_registry.json'; +import rule393 from './persistence_startup_folder_file_written_by_suspicious_process.json'; +import rule394 from './persistence_startup_folder_scripts.json'; +import rule395 from './persistence_suspicious_com_hijack_registry.json'; +import rule396 from './persistence_via_lsa_security_support_provider_registry.json'; +import rule397 from './defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.json'; +import rule398 from './defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.json'; +import rule399 from './defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.json'; +import rule400 from './exfiltration_microsoft_365_exchange_transport_rule_mod.json'; +import rule401 from './initial_access_microsoft_365_exchange_anti_phish_policy_deletion.json'; +import rule402 from './initial_access_microsoft_365_exchange_anti_phish_rule_mod.json'; +import rule403 from './lateral_movement_suspicious_rdp_client_imageload.json'; +import rule404 from './persistence_runtime_run_key_startup_susp_procs.json'; +import rule405 from './persistence_suspicious_scheduled_task_runtime.json'; +import rule406 from './defense_evasion_microsoft_365_exchange_dlp_policy_removed.json'; +import rule407 from './lateral_movement_scheduled_task_target.json'; +import rule408 from './persistence_microsoft_365_exchange_management_role_assignment.json'; +import rule409 from './persistence_microsoft_365_teams_guest_access_enabled.json'; +import rule410 from './credential_access_dump_registry_hives.json'; +import rule411 from './defense_evasion_scheduledjobs_at_protocol_enabled.json'; +import rule412 from './persistence_ms_outlook_vba_template.json'; +import rule413 from './persistence_suspicious_service_created_registry.json'; +import rule414 from './privilege_escalation_named_pipe_impersonation.json'; +import rule415 from './credential_access_cmdline_dump_tool.json'; +import rule416 from './credential_access_copy_ntds_sam_volshadowcp_cmdline.json'; +import rule417 from './credential_access_lsass_memdump_file_created.json'; +import rule418 from './lateral_movement_incoming_winrm_shell_execution.json'; +import rule419 from './lateral_movement_powershell_remoting_target.json'; +import rule420 from './command_and_control_port_forwarding_added_registry.json'; +import rule421 from './defense_evasion_hide_encoded_executable_registry.json'; +import rule422 from './lateral_movement_rdp_enabled_registry.json'; +import rule423 from './privilege_escalation_printspooler_registry_copyfiles.json'; +import rule424 from './privilege_escalation_rogue_windir_environment_var.json'; +import rule425 from './initial_access_scripts_process_started_via_wmi.json'; +import rule426 from './command_and_control_iexplore_via_com.json'; +import rule427 from './command_and_control_remote_file_copy_scripts.json'; +import rule428 from './persistence_local_scheduled_task_scripting.json'; +import rule429 from './persistence_startup_folder_file_written_by_unsigned_process.json'; +import rule430 from './command_and_control_remote_file_copy_powershell.json'; +import rule431 from './credential_access_microsoft_365_brute_force_user_account_attempt.json'; +import rule432 from './microsoft_365_teams_custom_app_interaction_allowed.json'; +import rule433 from './persistence_microsoft_365_teams_external_access_enabled.json'; +import rule434 from './credential_access_microsoft_365_potential_password_spraying_attack.json'; +import rule435 from './impact_stop_process_service_threshold.json'; +import rule436 from './collection_winrar_encryption.json'; +import rule437 from './defense_evasion_unusual_dir_ads.json'; +import rule438 from './discovery_admin_recon.json'; +import rule439 from './discovery_file_dir_discovery.json'; +import rule440 from './discovery_net_view.json'; +import rule441 from './discovery_remote_system_discovery_commands_windows.json'; +import rule442 from './persistence_via_windows_management_instrumentation_event_subscription.json'; +import rule443 from './execution_scripting_osascript_exec_followed_by_netcon.json'; +import rule444 from './execution_shell_execution_via_apple_scripting.json'; +import rule445 from './persistence_creation_change_launch_agents_file.json'; +import rule446 from './persistence_creation_modif_launch_deamon_sequence.json'; +import rule447 from './persistence_folder_action_scripts_runtime.json'; +import rule448 from './persistence_login_logout_hooks_defaults.json'; +import rule449 from './privilege_escalation_explicit_creds_via_scripting.json'; +import rule450 from './command_and_control_sunburst_c2_activity_detected.json'; +import rule451 from './defense_evasion_azure_application_credential_modification.json'; +import rule452 from './defense_evasion_azure_service_principal_addition.json'; +import rule453 from './defense_evasion_solarwinds_backdoor_service_disabled_via_registry.json'; +import rule454 from './execution_apt_solarwinds_backdoor_child_cmd_powershell.json'; +import rule455 from './execution_apt_solarwinds_backdoor_unusual_child_processes.json'; +import rule456 from './initial_access_azure_active_directory_powershell_signin.json'; +import rule457 from './collection_email_powershell_exchange_mailbox.json'; +import rule458 from './execution_scheduled_task_powershell_source.json'; +import rule459 from './persistence_powershell_exch_mailbox_activesync_add_device.json'; +import rule460 from './persistence_docker_shortcuts_plist_modification.json'; +import rule461 from './persistence_evasion_hidden_local_account_creation.json'; +import rule462 from './persistence_finder_sync_plugin_pluginkit.json'; +import rule463 from './discovery_security_software_grep.json'; +import rule464 from './credential_access_cookies_chromium_browsers_debugging.json'; +import rule465 from './credential_access_ssh_backdoor_log.json'; +import rule466 from './persistence_credential_access_modify_auth_module_or_config.json'; +import rule467 from './persistence_credential_access_modify_ssh_binaries.json'; +import rule468 from './credential_access_collection_sensitive_files.json'; +import rule469 from './persistence_ssh_authorized_keys_modification.json'; +import rule470 from './defense_evasion_defender_disabled_via_registry.json'; +import rule471 from './defense_evasion_privacy_controls_tcc_database_modification.json'; +import rule472 from './execution_initial_access_suspicious_browser_childproc.json'; +import rule473 from './execution_script_via_automator_workflows.json'; +import rule474 from './persistence_modification_sublime_app_plugin_or_script.json'; +import rule475 from './privilege_escalation_applescript_with_admin_privs.json'; +import rule476 from './credential_access_dumping_keychain_security.json'; +import rule477 from './initial_access_azure_active_directory_high_risk_signin.json'; +import rule478 from './initial_access_suspicious_mac_ms_office_child_process.json'; +import rule479 from './credential_access_mitm_localhost_webproxy.json'; +import rule480 from './persistence_kde_autostart_modification.json'; +import rule481 from './persistence_user_account_added_to_privileged_group_ad.json'; +import rule482 from './defense_evasion_attempt_to_disable_gatekeeper.json'; +import rule483 from './defense_evasion_sandboxed_office_app_suspicious_zip_file.json'; +import rule484 from './persistence_emond_rules_file_creation.json'; +import rule485 from './persistence_emond_rules_process_execution.json'; +import rule486 from './discovery_users_domain_built_in_commands.json'; +import rule487 from './execution_pentest_eggshell_remote_admin_tool.json'; +import rule488 from './defense_evasion_install_root_certificate.json'; +import rule489 from './persistence_credential_access_authorization_plugin_creation.json'; +import rule490 from './persistence_directory_services_plugins_modification.json'; +import rule491 from './defense_evasion_modify_environment_launchctl.json'; +import rule492 from './defense_evasion_safari_config_change.json'; +import rule493 from './defense_evasion_apple_softupdates_modification.json'; +import rule494 from './credential_access_mod_wdigest_security_provider.json'; +import rule495 from './credential_access_saved_creds_vaultcmd.json'; +import rule496 from './defense_evasion_file_creation_mult_extension.json'; +import rule497 from './execution_enumeration_via_wmiprvse.json'; +import rule498 from './execution_suspicious_jar_child_process.json'; +import rule499 from './persistence_shell_profile_modification.json'; +import rule500 from './persistence_suspicious_calendar_modification.json'; +import rule501 from './persistence_time_provider_mod.json'; +import rule502 from './privilege_escalation_exploit_adobe_acrobat_updater.json'; +import rule503 from './defense_evasion_sip_provider_mod.json'; +import rule504 from './execution_com_object_xwizard.json'; +import rule505 from './privilege_escalation_disable_uac_registry.json'; +import rule506 from './defense_evasion_unusual_ads_file_creation.json'; +import rule507 from './persistence_loginwindow_plist_modification.json'; +import rule508 from './persistence_periodic_tasks_file_mdofiy.json'; +import rule509 from './persistence_via_atom_init_file_modification.json'; +import rule510 from './privilege_escalation_lsa_auth_package.json'; +import rule511 from './privilege_escalation_port_monitor_print_pocessor_abuse.json'; +import rule512 from './credential_access_dumping_hashes_bi_cmds.json'; +import rule513 from './lateral_movement_mounting_smb_share.json'; +import rule514 from './privilege_escalation_echo_nopasswd_sudoers.json'; +import rule515 from './privilege_escalation_ld_preload_shared_object_modif.json'; +import rule516 from './privilege_escalation_root_crontab_filemod.json'; +import rule517 from './defense_evasion_create_mod_root_certificate.json'; +import rule518 from './privilege_escalation_sudo_buffer_overflow.json'; +import rule519 from './execution_installer_spawned_network_event.json'; +import rule520 from './initial_access_suspicious_ms_exchange_files.json'; +import rule521 from './initial_access_suspicious_ms_exchange_process.json'; +import rule522 from './initial_access_suspicious_ms_exchange_worker_child_process.json'; +import rule523 from './persistence_evasion_registry_startup_shell_folder_modified.json'; +import rule524 from './persistence_local_scheduled_job_creation.json'; +import rule525 from './persistence_via_wmi_stdregprov_run_services.json'; +import rule526 from './credential_access_persistence_network_logon_provider_modification.json'; +import rule527 from './lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.json'; +import rule528 from './collection_microsoft_365_new_inbox_rule.json'; +import rule529 from './ml_high_count_network_denies.json'; +import rule530 from './ml_high_count_network_events.json'; +import rule531 from './ml_rare_destination_country.json'; +import rule532 from './ml_spike_in_traffic_to_a_country.json'; +import rule533 from './command_and_control_tunneling_via_earthworm.json'; +import rule534 from './lateral_movement_evasion_rdp_shadowing.json'; +import rule535 from './threat_intel_module_match.json'; +import rule536 from './exfiltration_ec2_vm_export_failure.json'; +import rule537 from './exfiltration_ec2_full_network_packet_capture_detected.json'; +import rule538 from './impact_azure_service_principal_credentials_added.json'; +import rule539 from './persistence_ec2_security_group_configuration_change_detection.json'; +import rule540 from './defense_evasion_disabling_windows_logs.json'; +import rule541 from './persistence_route_53_domain_transfer_lock_disabled.json'; +import rule542 from './persistence_route_53_domain_transferred_to_another_account.json'; +import rule543 from './initial_access_okta_user_attempted_unauthorized_access.json'; +import rule544 from './credential_access_user_excessive_sso_logon_errors.json'; +import rule545 from './persistence_exchange_suspicious_mailbox_right_delegation.json'; +import rule546 from './privilege_escalation_new_or_modified_federation_domain.json'; +import rule547 from './privilege_escalation_sts_assumerole_usage.json'; +import rule548 from './privilege_escalation_sts_getsessiontoken_abuse.json'; +import rule549 from './defense_evasion_suspicious_execution_from_mounted_device.json'; +import rule550 from './defense_evasion_unusual_network_connection_via_dllhost.json'; +import rule551 from './defense_evasion_amsienable_key_mod.json'; +import rule552 from './impact_rds_group_deletion.json'; +import rule553 from './persistence_rds_group_creation.json'; +import rule554 from './persistence_route_table_created.json'; +import rule555 from './persistence_route_table_modified_or_deleted.json'; +import rule556 from './exfiltration_rds_snapshot_export.json'; +import rule557 from './persistence_rds_instance_creation.json'; +import rule558 from './privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.json'; +import rule559 from './ml_auth_rare_hour_for_a_user_to_logon.json'; +import rule560 from './ml_auth_rare_source_ip_for_a_user.json'; +import rule561 from './ml_auth_rare_user_logon.json'; +import rule562 from './ml_auth_spike_in_failed_logon_events.json'; +import rule563 from './ml_auth_spike_in_logon_events.json'; +import rule564 from './ml_auth_spike_in_logon_events_from_a_source_ip.json'; +import rule565 from './privilege_escalation_cyberarkpas_error_audit_event_promotion.json'; +import rule566 from './privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.json'; +import rule567 from './defense_evasion_kubernetes_events_deleted.json'; +import rule568 from './impact_kubernetes_pod_deleted.json'; +import rule569 from './exfiltration_rds_snapshot_restored.json'; +import rule570 from './privilege_escalation_printspooler_malicious_driver_file_changes.json'; +import rule571 from './privilege_escalation_printspooler_malicious_registry_modification.json'; +import rule572 from './privilege_escalation_printspooler_suspicious_file_deletion.json'; +import rule573 from './privilege_escalation_unusual_printspooler_childprocess.json'; +import rule574 from './defense_evasion_disabling_windows_defender_powershell.json'; +import rule575 from './defense_evasion_enable_network_discovery_with_netsh.json'; +import rule576 from './defense_evasion_execution_windefend_unusual_path.json'; +import rule577 from './defense_evasion_agent_spoofing_mismatched_id.json'; +import rule578 from './defense_evasion_agent_spoofing_multiple_hosts.json'; +import rule579 from './defense_evasion_parent_process_pid_spoofing.json'; +import rule580 from './impact_microsoft_365_potential_ransomware_activity.json'; +import rule581 from './impact_microsoft_365_unusual_volume_of_file_deletion.json'; +import rule582 from './initial_access_microsoft_365_user_restricted_from_sending_email.json'; +import rule583 from './defense_evasion_elasticache_security_group_creation.json'; +import rule584 from './defense_evasion_elasticache_security_group_modified_or_deleted.json'; +import rule585 from './impact_volume_shadow_copy_deletion_via_powershell.json'; +import rule586 from './persistence_route_53_hosted_zone_associated_with_a_vpc.json'; +import rule587 from './defense_evasion_defender_exclusion_via_powershell.json'; +import rule588 from './defense_evasion_dns_over_https_enabled.json'; +import rule589 from './defense_evasion_whitespace_padding_in_command_line.json'; +import rule590 from './defense_evasion_frontdoor_firewall_policy_deletion.json'; +import rule591 from './credential_access_azure_full_network_packet_capture_detected.json'; +import rule592 from './persistence_webshell_detection.json'; +import rule593 from './impact_efs_filesystem_or_mount_deleted.json'; +import rule594 from './defense_evasion_execution_control_panel_suspicious_args.json'; +import rule595 from './defense_evasion_azure_blob_permissions_modified.json'; +import rule596 from './privilege_escalation_aws_suspicious_saml_activity.json'; +import rule597 from './credential_access_potential_lsa_memdump_via_mirrordump.json'; +import rule598 from './discovery_virtual_machine_fingerprinting_grep.json'; +import rule599 from './impact_backup_file_deletion.json'; +import rule600 from './credential_access_posh_minidump.json'; +import rule601 from './persistence_screensaver_engine_unexpected_child_process.json'; +import rule602 from './persistence_screensaver_plist_file_modification.json'; +import rule603 from './defense_evasion_suspicious_process_access_direct_syscall.json'; +import rule604 from './discovery_posh_suspicious_api_functions.json'; +import rule605 from './execution_posh_portable_executable.json'; +import rule606 from './impact_aws_eventbridge_rule_disabled_or_deleted.json'; +import rule607 from './collection_posh_audio_capture.json'; +import rule608 from './persistence_via_bits_job_notify_command.json'; export const rawRules = [ rule1, @@ -1190,4 +1209,23 @@ export const rawRules = [ rule587, rule588, rule589, + rule590, + rule591, + rule592, + rule593, + rule594, + rule595, + rule596, + rule597, + rule598, + rule599, + rule600, + rule601, + rule602, + rule603, + rule604, + rule605, + rule606, + rule607, + rule608, ]; diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_suspicious_ms_exchange_worker_child_process.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_suspicious_ms_exchange_worker_child_process.json index a095c0ab582d..ea4d8c6eae21 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_suspicious_ms_exchange_worker_child_process.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_suspicious_ms_exchange_worker_child_process.json @@ -12,7 +12,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Microsoft Exchange Worker Spawning Suspicious Processes", - "query": "process where event.type == \"start\" and\n process.parent.name : \"w3wp.exe\" and process.parent.args : \"MSExchange*AppPool\" and\n (process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\") or\n process.pe.original_file_name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\"))\n", + "query": "process where event.type == \"start\" and\n process.parent.name : \"w3wp.exe\" and process.parent.args : \"MSExchange*AppPool\" and\n (process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or\n process.pe.original_file_name in (\"cmd.exe\", \"powershell.exe\", \"pwsh.dll\", \"powershell_ise.exe\"))\n", "references": [ "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers", "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities", @@ -47,5 +47,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 1 + "version": 2 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_local_scheduled_task_creation.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_local_scheduled_task_creation.json index 8b6fa370f4ab..3c9626dcf551 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_local_scheduled_task_creation.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_local_scheduled_task_creation.json @@ -15,7 +15,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Local Scheduled Task Creation", - "query": "sequence with maxspan=1m\n [process where event.type != \"end\" and\n ((process.name : (\"cmd.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\", \"wmic.exe\", \"mshta.exe\",\n \"powershell.exe\", \"pwsh.exe\", \"WmiPrvSe.exe\", \"wsmprovhost.exe\", \"winrshost.exe\") or\n process.pe.original_file_name : (\"cmd.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\", \"wmic.exe\", \"mshta.exe\",\n \"powershell.exe\", \"pwsh.exe\", \"WmiPrvSe.exe\", \"wsmprovhost.exe\",\n \"winrshost.exe\")) or\n process.code_signature.trusted == false)] by process.entity_id\n [process where event.type == \"start\" and\n (process.name : \"schtasks.exe\" or process.pe.original_file_name == \"schtasks.exe\") and\n process.args : (\"/create\", \"-create\") and process.args : (\"/RU\", \"/SC\", \"/TN\", \"/TR\", \"/F\", \"/XML\") and\n /* exclude SYSTEM SIDs - look for task creations by non-SYSTEM user */\n not user.id : (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\")] by process.parent.entity_id\n", + "query": "sequence with maxspan=1m\n [process where event.type != \"end\" and\n ((process.name : (\"cmd.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\", \"wmic.exe\", \"mshta.exe\",\n \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\", \"WmiPrvSe.exe\", \"wsmprovhost.exe\", \"winrshost.exe\") or\n process.pe.original_file_name : (\"cmd.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\", \"wmic.exe\", \"mshta.exe\",\n \"powershell.exe\", \"pwsh.dll\", \"powershell_ise.exe\", \"WmiPrvSe.exe\", \"wsmprovhost.exe\",\n \"winrshost.exe\")) or\n process.code_signature.trusted == false)] by process.entity_id\n [process where event.type == \"start\" and\n (process.name : \"schtasks.exe\" or process.pe.original_file_name == \"schtasks.exe\") and\n process.args : (\"/create\", \"-create\") and process.args : (\"/RU\", \"/SC\", \"/TN\", \"/TR\", \"/F\", \"/XML\") and\n /* exclude SYSTEM SIDs - look for task creations by non-SYSTEM user */\n not user.id : (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\")] by process.parent.entity_id\n", "risk_score": 21, "rule_id": "afcce5ad-65de-4ed2-8516-5e093d3ac99a", "severity": "low", @@ -52,5 +52,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 8 + "version": 9 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_local_scheduled_task_scripting.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_local_scheduled_task_scripting.json index 128fdd9de557..1489cb58d011 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_local_scheduled_task_scripting.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_local_scheduled_task_scripting.json @@ -16,7 +16,7 @@ "license": "Elastic License v2", "name": "Scheduled Task Created by a Windows Script", "note": "## Triage and analysis\n\nDecode the base64 encoded Tasks Actions registry value to investigate the task's configured action.", - "query": "sequence by host.id with maxspan = 30s\n [library where dll.name : \"taskschd.dll\" and process.name : (\"cscript.exe\", \"wscript.exe\", \"powershell.exe\")]\n [registry where registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tasks\\\\*\\\\Actions\"]\n", + "query": "sequence by host.id with maxspan = 30s\n [library where dll.name : \"taskschd.dll\" and process.name : (\"cscript.exe\", \"wscript.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\")]\n [registry where registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tasks\\\\*\\\\Actions\"]\n", "risk_score": 47, "rule_id": "689b9d57-e4d5-4357-ad17-9c334609d79a", "severity": "medium", @@ -52,5 +52,5 @@ } ], "type": "eql", - "version": 4 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_powershell_exch_mailbox_activesync_add_device.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_powershell_exch_mailbox_activesync_add_device.json index 75044e20ca5f..6973f97220bc 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_powershell_exch_mailbox_activesync_add_device.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_powershell_exch_mailbox_activesync_add_device.json @@ -15,7 +15,7 @@ "language": "eql", "license": "Elastic License v2", "name": "New ActiveSyncAllowedDeviceID Added via PowerShell", - "query": "process where event.type in (\"start\", \"process_started\") and\n process.name: (\"powershell.exe\", \"pwsh.exe\") and process.args : \"Set-CASMailbox*ActiveSyncAllowedDeviceIDs*\"\n", + "query": "process where event.type in (\"start\", \"process_started\") and\n process.name: (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and process.args : \"Set-CASMailbox*ActiveSyncAllowedDeviceIDs*\"\n", "references": [ "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/", "https://docs.microsoft.com/en-us/powershell/module/exchange/set-casmailbox?view=exchange-ps" @@ -56,5 +56,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 5 + "version": 6 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_route_53_hosted_zone_associated_with_a_vpc.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_route_53_hosted_zone_associated_with_a_vpc.json new file mode 100644 index 000000000000..93b8da585c9f --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_route_53_hosted_zone_associated_with_a_vpc.json @@ -0,0 +1,54 @@ +{ + "author": [ + "Austin Songer" + ], + "description": "Identifies when a Route53 private hosted zone has been associated with VPC.", + "false_positives": [ + "A private hosted zone may be asssociated with a VPC by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS Route53 private hosted zone associated with a VPC", + "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "query": "event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:AssociateVPCWithHostedZone and \nevent.outcome:success\n", + "references": [ + "https://docs.aws.amazon.com/Route53/latest/APIReference/API_AssociateVPCWithHostedZone.html" + ], + "risk_score": 21, + "rule_id": "e3c27562-709a-42bd-82f2-3ed926cced19", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "AWS", + "Continuous Monitoring", + "SecOps", + "Asset Visibility" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_route_table_created.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_route_table_created.json new file mode 100644 index 000000000000..1784c34feb08 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_route_table_created.json @@ -0,0 +1,51 @@ +{ + "author": [ + "Elastic", + "Austin Songer" + ], + "description": "Identifies when an AWS Route Table has been created.", + "false_positives": [ + "Route Table being created may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Route Table being created from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. Automated processes that uses Terraform may lead to false positives." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS Route Table Created", + "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:(CreateRoute or CreateRouteTable) and \nevent.outcome:success\n", + "references": [ + "https://docs.datadoghq.com/security_platform/default_rules/cloudtrail-aws-route-table-modified/", + "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateRoute.html", + "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateRouteTable" + ], + "risk_score": 21, + "rule_id": "e12c0318-99b1-44f2-830c-3a38a43207ca", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "AWS", + "Continuous Monitoring", + "SecOps", + "Network Security" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_system_shells_via_services.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_system_shells_via_services.json index 709396a5eaf2..4d069dd56132 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_system_shells_via_services.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_system_shells_via_services.json @@ -12,7 +12,7 @@ "language": "eql", "license": "Elastic License v2", "name": "System Shells via Services", - "query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name : \"services.exe\" and\n process.name : (\"cmd.exe\", \"powershell.exe\") and\n \n /* Third party FP's */\n not process.args : \"NVDisplay.ContainerLocalSystem\"\n", + "query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name : \"services.exe\" and\n process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and\n \n /* Third party FP's */\n not process.args : \"NVDisplay.ContainerLocalSystem\"\n", "risk_score": 47, "rule_id": "0022d47d-39c7-4f69-a232-4fe9dc7a3acd", "severity": "medium", @@ -49,5 +49,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 9 + "version": 10 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_webshell_detection.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_webshell_detection.json index 8da3be0b69d9..3d8a9fc545b1 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_webshell_detection.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_webshell_detection.json @@ -16,7 +16,7 @@ "license": "Elastic License v2", "name": "Webshell Detection: Script Process Child of Common Web Processes", "note": "## Triage and analysis\n\nDetections should be investigated to identify if the activity corresponds to legitimate activity. As this rule detects post-exploitation process activity, investigations into this should be prioritized.", - "query": "process where event.type == \"start\" and\n process.parent.name : (\"w3wp.exe\", \"httpd.exe\", \"nginx.exe\", \"php.exe\", \"php-cgi.exe\", \"tomcat.exe\") and \n process.name : (\"cmd.exe\", \"cscript.exe\", \"powershell.exe\", \"pwsh.exe\", \"wmic.exe\", \"wscript.exe\")\n", + "query": "process where event.type == \"start\" and\n process.parent.name : (\"w3wp.exe\", \"httpd.exe\", \"nginx.exe\", \"php.exe\", \"php-cgi.exe\", \"tomcat.exe\") and \n process.name : (\"cmd.exe\", \"cscript.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\", \"wmic.exe\", \"wscript.exe\")\n", "references": [ "https://www.microsoft.com/security/blog/2020/02/04/ghost-in-the-shell-investigating-web-shell-attacks/" ], @@ -71,5 +71,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_aws_suspicious_saml_activity.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_aws_suspicious_saml_activity.json new file mode 100644 index 000000000000..22e3aa6cce8d --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_aws_suspicious_saml_activity.json @@ -0,0 +1,76 @@ +{ + "author": [ + "Austin Songer" + ], + "description": "Identifies when SAML activity has occurred in AWS. An adversary could manipulate SAML to maintain access to the target.", + "false_positives": [ + "SAML Provider could be updated by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. SAML Provider being updated from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS SAML Activity", + "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "query": "event.dataset:aws.cloudtrail and event.provider:(iam.amazonaws.com or sts.amazonaws.com) and event.action:(Assumerolewithsaml or \nUpdateSAMLProvider) and event.outcome:success\n", + "references": [ + "https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html", + "https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html" + ], + "risk_score": 21, + "rule_id": "979729e7-0c52-4c4c-b71e-88103304a79f", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "AWS", + "Continuous Monitoring", + "SecOps", + "Identity and Access" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1550", + "name": "Use Alternate Authentication Material", + "reference": "https://attack.mitre.org/techniques/T1550/", + "subtechnique": [ + { + "id": "T1550.001", + "name": "Application Access Token", + "reference": "https://attack.mitre.org/techniques/T1550/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.json new file mode 100644 index 000000000000..fbba3ff42957 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.json @@ -0,0 +1,47 @@ +{ + "author": [ + "Elastic", + "Austin Songer" + ], + "description": "Identifies the creation or patching of potential malicious rolebinding. You can assign these roles to Kubernetes subjects (users, groups, or service accounts) with role bindings and cluster role bindings.", + "from": "now-20m", + "index": [ + "filebeat-*", + "logs-gcp*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "GCP Kubernetes Rolebindings Created or Patched", + "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:(io.k8s.authorization.rbac.v*.clusterrolebindings.create or \nio.k8s.authorization.rbac.v*.rolebindings.create or io.k8s.authorization.rbac.v*.clusterrolebindings.patch or \nio.k8s.authorization.rbac.v*.rolebindings.patch) and event.outcome:success\n", + "references": [ + "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging", + "https://unofficial-kubernetes.readthedocs.io/en/latest/admin/authorization/rbac/", + "https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control" + ], + "risk_score": 47, + "rule_id": "2f0bae2d-bf20-4465-be86-1311addebaa3", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "GCP", + "Continuous Monitoring", + "SecOps", + "Configuration Audit" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_sts_assumerole_usage.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_sts_assumerole_usage.json new file mode 100644 index 000000000000..37fcef44719a --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_sts_assumerole_usage.json @@ -0,0 +1,74 @@ +{ + "author": [ + "Austin Songer" + ], + "description": "Identifies the use of AssumeRole. AssumeRole returns a set of temporary security credentials that can be used to access AWS resources. An adversary could use those credentials to move laterally and escalate privileges.", + "false_positives": [ + "Automated processes that uses Terraform may lead to false positives." + ], + "index": [ + "filebeat-*", + "logs-aws*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS Security Token Service (STS) AssumeRole Usage", + "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "query": "event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.action:AssumedRole and \naws.cloudtrail.user_identity.session_context.session_issuer.type:Role and event.outcome:success\n", + "references": [ + "https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html" + ], + "risk_score": 21, + "rule_id": "93075852-b0f5-4b8b-89c3-a226efae5726", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "AWS", + "Continuous Monitoring", + "SecOps", + "Identity and Access" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1550", + "name": "Use Alternate Authentication Material", + "reference": "https://attack.mitre.org/techniques/T1550/", + "subtechnique": [ + { + "id": "T1550.001", + "name": "Application Access Token", + "reference": "https://attack.mitre.org/techniques/T1550/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/threat_intel_module_match.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/threat_intel_module_match.json index e4b1309c4264..72cc903ef1ee 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/threat_intel_module_match.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/threat_intel_module_match.json @@ -3,7 +3,7 @@ "Elastic" ], "description": "This rule is triggered when indicators from the Threat Intel Filebeat module has a match against local file or network observations.", - "from": "now-10m", + "from": "now-65m", "index": [ "auditbeat-*", "endgame-*", @@ -12,7 +12,7 @@ "packetbeat-*", "winlogbeat-*" ], - "interval": "9m", + "interval": "1h", "language": "kuery", "license": "Elastic License v2", "name": "Threat Intel Filebeat Module Indicator Match", @@ -194,5 +194,5 @@ "timeline_id": "495ad7a7-316e-4544-8a0f-9c098daee76e", "timeline_title": "Generic Threat Match Timeline", "type": "threat_match", - "version": 2 + "version": 3 } From 2705cc95fa67a9fd9656058620656d7b8e5fd0d8 Mon Sep 17 00:00:00 2001 From: Tyler Smalley Date: Tue, 16 Nov 2021 11:13:23 -0800 Subject: [PATCH 11/12] skip flaky suite (#106631) --- .../apps/discover/feature_controls/discover_security.ts | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/x-pack/test/functional/apps/discover/feature_controls/discover_security.ts b/x-pack/test/functional/apps/discover/feature_controls/discover_security.ts index 0a12de3fb44d..7032f25debb8 100644 --- a/x-pack/test/functional/apps/discover/feature_controls/discover_security.ts +++ b/x-pack/test/functional/apps/discover/feature_controls/discover_security.ts @@ -31,7 +31,8 @@ export default function ({ getPageObjects, getService }: FtrProviderContext) { await PageObjects.timePicker.setDefaultAbsoluteRange(); } - describe('discover feature controls security', () => { + // Failing: See https://github.com/elastic/kibana/issues/106631 + describe.skip('discover feature controls security', () => { before(async () => { await kibanaServer.importExport.load( 'x-pack/test/functional/fixtures/kbn_archiver/discover/feature_controls/security' From 66aca8b486342727de3f5c95821bbeb22fae3d29 Mon Sep 17 00:00:00 2001 From: Tyler Smalley Date: Tue, 16 Nov 2021 11:14:15 -0800 Subject: [PATCH 12/12] skip flaky suite (#118745) --- x-pack/test/functional/apps/maps/sample_data.js | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/x-pack/test/functional/apps/maps/sample_data.js b/x-pack/test/functional/apps/maps/sample_data.js index 483379b2f491..00549d3cb92d 100644 --- a/x-pack/test/functional/apps/maps/sample_data.js +++ b/x-pack/test/functional/apps/maps/sample_data.js @@ -18,7 +18,8 @@ export default function ({ getPageObjects, getService, updateBaselines }) { // Only update the baseline images from Jenkins session images after comparing them // These tests might fail locally because of scaling factors and resolution. - describe('maps loaded from sample data', () => { + // Failing: See https://github.com/elastic/kibana/issues/118745 + describe.skip('maps loaded from sample data', () => { before(async () => { //installing the sample data with test user with super user role and then switching roles with limited privileges await security.testUser.setRoles(['superuser'], false);