diff --git a/rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.toml b/rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.toml
index 098e75d3dbb..43fa3fa9579 100644
--- a/rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.toml
+++ b/rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.toml
@@ -4,14 +4,15 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.16.0"
-updated_date = "2024/11/26"
 promotion = true
+updated_date = "2024/11/26"
 [rule]
 author = ["Elastic"]
 description = """
-Generates a detection alert each time an Elastic Defend alert for malicious behavior is received. Enabling this rule allows you to
-immediately begin investigating your Endpoint behavior alerts. This rule identifies Endpoint Defend behavior detections only, and does not include prevention alerts.
+Generates a detection alert each time an Elastic Defend alert for malicious behavior is received. Enabling this rule
+allows you to immediately begin investigating your Endpoint behavior alerts. This rule identifies Endpoint Defend
+behavior detections only, and does not include prevention alerts.
 """
 enabled = true
 from = "now-10m"
@@ -22,7 +23,7 @@ max_signals = 10000
 name = "Behavior - Detected - Elastic Defend"
 references = [
 "https://github.com/elastic/protections-artifacts/tree/main/behavior",
- "https://docs.elastic.co/en/integrations/endpoint"
+ "https://docs.elastic.co/en/integrations/endpoint",
 ]
 risk_score = 47
 rule_id = "0f615fe4-eaa2-11ee-ae33-f661ea17fbce"
@@ -33,7 +34,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.kind:alert and event.module:(endpoint and not endgame) and event.code: behavior and message: *detection*
+event.kind : alert and event.code : behavior and (event.type : allowed or (event.type: denied and event.outcome: failure))
 '''
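Review bot: The new query on the last hunk's `+` line also matches `event.type: denied and event.outcome: failure`, i.e. alerts where Elastic Defend attempted a prevention that did not succeed, yet the description rewritten in the first hunk still says the rule "does not include prevention alerts"; I'd make that sentence say `This rule identifies Endpoint Defend behavior detections, including preventions that failed, and does not include successful prevention alerts.` so analysts know why a denied event shows up under a "Detected" rule. The old `event.module:(endpoint and not endgame)` clause is dropped without replacement, which is only safe if the rule's index pattern (not in this diff) already restricts it to Elastic Defend alert indices; worth confirming before merge. Two smaller points: the query mixes `event.type : allowed` with `event.type: denied` spacing, and `updated_date` is moved but left at 2024/11/26 even though the detection logic changed (fine if the repo's tooling rewrites it). The same three points apply to the `*_detected.toml` query hunks for malicious_file, memory_signature and ransomware below.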
diff --git a/rules/integrations/endpoint/elastic_endpoint_security_behavior_prevented.toml b/rules/integrations/endpoint/elastic_endpoint_security_behavior_prevented.toml
index 26e673966a6..10d1e92bec4 100644
--- a/rules/integrations/endpoint/elastic_endpoint_security_behavior_prevented.toml
+++ b/rules/integrations/endpoint/elastic_endpoint_security_behavior_prevented.toml
@@ -4,14 +4,15 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.16.0"
-updated_date = "2024/11/26"
 promotion = true
+updated_date = "2024/11/26"
 [rule]
 author = ["Elastic"]
 description = """
-Generates a detection alert each time an Elastic Defend alert for malicious behavior is received. Enabling this rule allows you to
-immediately begin investigating your Endpoint behavior alerts. This rule identifies Endpoint Defend behavior preventions only, and does not include detection only alerts.
+Generates a detection alert each time an Elastic Defend alert for malicious behavior is received. Enabling this rule
+allows you to immediately begin investigating your Endpoint behavior alerts. This rule identifies Endpoint Defend
+behavior preventions only, and does not include detection only alerts.
 """
 enabled = true
 from = "now-10m"
@@ -22,7 +23,7 @@ max_signals = 10000
 name = "Behavior - Prevented - Endpoint Defend"
 references = [
 "https://github.com/elastic/protections-artifacts/tree/main/behavior",
- "https://docs.elastic.co/en/integrations/endpoint"
+ "https://docs.elastic.co/en/integrations/endpoint",
 ]
 risk_score = 21
 rule_id = "eb804972-ea34-11ee-a417-f661ea17fbce"
@@ -33,7 +34,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.kind:alert and event.module:(endpoint and not endgame) and event.code: behavior and message: *prevention*
+event.kind : alert and event.code : behavior and event.type : denied and event.outcome : success
 '''
diff --git a/rules/integrations/endpoint/elastic_endpoint_security_malicious_file_detected.toml b/rules/integrations/endpoint/elastic_endpoint_security_malicious_file_detected.toml
index 28faf09017c..347592733f9 100644
--- a/rules/integrations/endpoint/elastic_endpoint_security_malicious_file_detected.toml
+++ b/rules/integrations/endpoint/elastic_endpoint_security_malicious_file_detected.toml
@@ -4,14 +4,15 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.16.0"
-updated_date = "2024/11/26"
 promotion = true
+updated_date = "2024/11/26"
 [rule]
 author = ["Elastic"]
 description = """
-Generates a detection alert each time an Elastic Defend alert for malicious files is received. Enabling this rule allows you to
-immediately begin investigating your Endpoint malicious file alerts. This rule identifies Elastic Defend malicious file detections only, and does not include prevention alerts.
+Generates a detection alert each time an Elastic Defend alert for malicious files is received. Enabling this rule allows
+you to immediately begin investigating your Endpoint malicious file alerts. This rule identifies Elastic Defend
+malicious file detections only, and does not include prevention alerts.
 """
 enabled = true
 from = "now-10m"
@@ -22,7 +23,7 @@ max_signals = 10000
 name = "Malicious File - Detected - Elastic Defend"
 references = [
 "https://github.com/elastic/protections-artifacts/tree/main/yara",
- "https://docs.elastic.co/en/integrations/endpoint"
+ "https://docs.elastic.co/en/integrations/endpoint",
 ]
 risk_score = 47
 rule_id = "f2c3caa6-ea34-11ee-a417-f661ea17fbce"
@@ -33,7 +34,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.kind:alert and event.module:(endpoint and not endgame) and event.code: malicious_file and message: *detection*
+event.kind : alert and event.code : malicious_file and (event.type : allowed or (event.type: denied and event.outcome: failure))
 '''
diff --git a/rules/integrations/endpoint/elastic_endpoint_security_malicious_file_prevented.toml b/rules/integrations/endpoint/elastic_endpoint_security_malicious_file_prevented.toml
index 1f6f220f61f..00cf8268593 100644
--- a/rules/integrations/endpoint/elastic_endpoint_security_malicious_file_prevented.toml
+++ b/rules/integrations/endpoint/elastic_endpoint_security_malicious_file_prevented.toml
@@ -4,14 +4,15 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.16.0"
-updated_date = "2024/11/26"
 promotion = true
+updated_date = "2024/11/26"
 [rule]
 author = ["Elastic"]
 description = """
-Generates a detection alert each time an Elastic Defend alert for malicious files is received. Enabling this rule allows you to
-immediately begin investigating your Endpoint malicious file alerts. This rule identifies Elastic Defend malicious file preventions only, and does not include detection only alerts.
+Generates a detection alert each time an Elastic Defend alert for malicious files is received. Enabling this rule allows
+you to immediately begin investigating your Endpoint malicious file alerts. This rule identifies Elastic Defend
+malicious file preventions only, and does not include detection only alerts.
 """
 enabled = true
 from = "now-10m"
@@ -22,7 +23,7 @@ max_signals = 10000
 name = "Malicious File - Prevented - Elastic Defend"
 references = [
 "https://github.com/elastic/protections-artifacts/tree/main/yara",
- "https://docs.elastic.co/en/integrations/endpoint"
+ "https://docs.elastic.co/en/integrations/endpoint",
 ]
 risk_score = 21
 rule_id = "f87e6122-ea34-11ee-a417-f661ea17fbce"
@@ -33,7 +34,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.kind:alert and event.module:(endpoint and not endgame) and event.code: malicious_file and message: *prevention*
+event.kind : alert and event.code : malicious_file and event.type : denied and event.outcome : success
 '''
diff --git a/rules/integrations/endpoint/elastic_endpoint_security_memory_signature_detected.toml b/rules/integrations/endpoint/elastic_endpoint_security_memory_signature_detected.toml
index 55d6ddf972f..31686ebfde5 100644
--- a/rules/integrations/endpoint/elastic_endpoint_security_memory_signature_detected.toml
+++ b/rules/integrations/endpoint/elastic_endpoint_security_memory_signature_detected.toml
@@ -4,14 +4,15 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.16.0"
-updated_date = "2024/11/26"
 promotion = true
+updated_date = "2024/11/26"
 [rule]
 author = ["Elastic"]
 description = """
-Generates a detection alert each time an Elastic Defend alert for memory signatures are received. Enabling this rule allows you to
-immediately begin investigating your Endpoint memory signature alerts. This rule identifies Elastic Defend memory signature detections only, and does not include prevention alerts.
+Generates a detection alert each time an Elastic Defend alert for memory signatures are received. Enabling this rule
+allows you to immediately begin investigating your Endpoint memory signature alerts. This rule identifies Elastic Defend
+memory signature detections only, and does not include prevention alerts.
 """
 enabled = true
 from = "now-10m"
@@ -22,7 +23,7 @@ max_signals = 10000
 name = "Memory Signature - Detected - Elastic Defend"
 references = [
 "https://github.com/elastic/protections-artifacts/tree/main/yara",
- "https://docs.elastic.co/en/integrations/endpoint"
+ "https://docs.elastic.co/en/integrations/endpoint",
 ]
 risk_score = 47
 rule_id = "017de1e4-ea35-11ee-a417-f661ea17fbce"
@@ -33,7 +34,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.kind:alert and event.module:(endpoint and not endgame) and event.code: (memory_signature or shellcode_thread) and message: *detection*
+event.kind : alert and event.code : (memory_signature or shellcode_thread) and (event.type : allowed or (event.type: denied and event.outcome: failure))
 '''
diff --git a/rules/integrations/endpoint/elastic_endpoint_security_memory_signature_prevented.toml b/rules/integrations/endpoint/elastic_endpoint_security_memory_signature_prevented.toml
index ed76ce6ea5e..991beaad57f 100644
--- a/rules/integrations/endpoint/elastic_endpoint_security_memory_signature_prevented.toml
+++ b/rules/integrations/endpoint/elastic_endpoint_security_memory_signature_prevented.toml
@@ -4,14 +4,15 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.16.0"
-updated_date = "2024/11/26"
 promotion = true
+updated_date = "2024/11/26"
 [rule]
 author = ["Elastic"]
 description = """
-Generates a detection alert each time an Elastic Defend alert for memory signatures are received. Enabling this rule allows you to
-immediately begin investigating your Endpoint memory signature alerts. This rule identifies Elastic Defend memory signature preventions only, and does not include detection only alerts.
+Generates a detection alert each time an Elastic Defend alert for memory signatures are received. Enabling this rule
+allows you to immediately begin investigating your Endpoint memory signature alerts. This rule identifies Elastic Defend
+memory signature preventions only, and does not include detection only alerts.
 """
 enabled = true
 from = "now-10m"
@@ -22,7 +23,7 @@ max_signals = 10000
 name = "Memory Signature - Prevented- Elastic Defend"
 references = [
 "https://github.com/elastic/protections-artifacts/tree/main/yara",
- "https://docs.elastic.co/en/integrations/endpoint"
+ "https://docs.elastic.co/en/integrations/endpoint",
 ]
 risk_score = 21
 rule_id = "06f3a26c-ea35-11ee-a417-f661ea17fbce"
@@ -33,7 +34,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.kind:alert and event.module:(endpoint and not endgame) and event.code: (memory_signature or shellcode_thread) and message: *prevention*
+event.kind : alert and event.code : (memory_signature or shellcode_thread) or event.type : denied or event.outcome : success
 '''
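Review bot: The new query on the last hunk's `+` line joins its clauses with `or` instead of `and`, so with KQL precedence it becomes (alert with a memory_signature/shellcode_thread code, regardless of outcome) OR (any document with `event.type : denied`) OR (any document with `event.outcome : success`), which is far broader than the "preventions only" scope the description in the first hunk promises and unlike every other `*_prevented.toml` query in this diff; the rule would raise noise for any denied or successful event in its indices. It should read `event.kind : alert and event.code : (memory_signature or shellcode_thread) and event.type : denied and event.outcome : success`. While here, the context line `name = "Memory Signature - Prevented- Elastic Defend"` in the previous hunk is missing a space before the second hyphen (pre-existing, not introduced by this change, but cheap to fix in the same commit).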
diff --git a/rules/integrations/endpoint/elastic_endpoint_security_ransomware_detected.toml b/rules/integrations/endpoint/elastic_endpoint_security_ransomware_detected.toml
index 3a27e3c1c7b..52e705c9084 100644
--- a/rules/integrations/endpoint/elastic_endpoint_security_ransomware_detected.toml
+++ b/rules/integrations/endpoint/elastic_endpoint_security_ransomware_detected.toml
@@ -4,14 +4,15 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.16.0"
-updated_date = "2024/11/26"
 promotion = true
+updated_date = "2024/11/26"
 [rule]
 author = ["Elastic"]
 description = """
-Generates a detection alert each time an Elastic Defend alert for ransomware are received. Enabling this rule allows you to
-immediately begin investigating your Endpoint ransomware alerts. This rule identifies Elastic Defend ransomware detections only, and does not include prevention alerts.
+Generates a detection alert each time an Elastic Defend alert for ransomware are received. Enabling this rule allows you
+to immediately begin investigating your Endpoint ransomware alerts. This rule identifies Elastic Defend ransomware
+detections only, and does not include prevention alerts.
 """
 enabled = true
 from = "now-10m"
@@ -22,7 +23,7 @@ max_signals = 10000
 name = "Ransomware - Detected - Elastic Defend"
 references = [
 "https://github.com/elastic/protections-artifacts/tree/main/ransomware",
- "https://docs.elastic.co/en/integrations/endpoint"
+ "https://docs.elastic.co/en/integrations/endpoint",
 ]
 risk_score = 47
 rule_id = "0c74cd7e-ea35-11ee-a417-f661ea17fbce"
@@ -33,7 +34,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.kind:alert and event.module:(endpoint and not endgame) and event.code: ransomware and message: *detection*
+event.kind : alert and event.code : ransomware and (event.type : allowed or (event.type: denied and event.outcome: failure))
 '''
diff --git a/rules/integrations/endpoint/elastic_endpoint_security_ransomware_prevented.toml b/rules/integrations/endpoint/elastic_endpoint_security_ransomware_prevented.toml
index 89c96ce9920..64439f39621 100644
--- a/rules/integrations/endpoint/elastic_endpoint_security_ransomware_prevented.toml
+++ b/rules/integrations/endpoint/elastic_endpoint_security_ransomware_prevented.toml
@@ -4,14 +4,15 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.16.0"
-updated_date = "2024/11/26"
 promotion = true
+updated_date = "2024/11/26"
 [rule]
 author = ["Elastic"]
 description = """
-Generates a detection alert each time an Elastic Defend alert for ransomware are received. Enabling this rule allows you to
-immediately begin investigating your Endpoint ransomware alerts. This rule identifies Elastic Defend ransomware preventions only, and does not include detection only alerts.
+Generates a detection alert each time an Elastic Defend alert for ransomware are received. Enabling this rule allows you
+to immediately begin investigating your Endpoint ransomware alerts. This rule identifies Elastic Defend ransomware
+preventions only, and does not include detection only alerts.
 """
 enabled = true
 from = "now-10m"
@@ -22,7 +23,7 @@ max_signals = 10000
 name = "Ransomware - Prevented - Elastic Defend"
 references = [
 "https://github.com/elastic/protections-artifacts/tree/main/ransomware",
- "https://docs.elastic.co/en/integrations/endpoint"
+ "https://docs.elastic.co/en/integrations/endpoint",
 ]
 risk_score = 21
 rule_id = "10f3d520-ea35-11ee-a417-f661ea17fbce"
@@ -33,7 +34,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.kind:alert and event.module:(endpoint and not endgame) and event.code: ransomware and message: *prevention*
+event.kind : alert and event.code : ransomware and event.type : denied and event.outcome : success
 '''