Change the security_rule structure to match other Kibana assets

elastic · Mar 30, 2021 · f9f5807 · f9f5807
1 parent 1de305e
commit f9f5807
Show file tree

Hide file tree

Showing 545 changed files with 28,745 additions and 26,565 deletions.
diff --git a/...rity_detection_engine/kibana/security_rule/rule-000047bb-b27a-47ec-8b62-ef1a5d2c9e19.json b/...rity_detection_engine/kibana/security_rule/rule-000047bb-b27a-47ec-8b62-ef1a5d2c9e19.json
@@ -1,37 +1,41 @@
 {
-    "author": [
-        "Elastic"
-    ],
-    "description": "Detects attempts to modify a rule within an Okta policy. An adversary may attempt to modify an Okta policy rule in order to weaken an organization's security controls.",
-    "false_positives": [
-        "Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly modified in your organization."
-    ],
-    "index": [
-        "filebeat-*",
-        "logs-okta*"
-    ],
-    "language": "kuery",
-    "license": "Elastic License v2",
-    "name": "Attempt to Modify an Okta Policy Rule",
-    "note": "The Okta Fleet integration or Filebeat module must be enabled to use this rule.",
-    "query": "event.dataset:okta.system and event.action:policy.rule.update",
-    "references": [
-        "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm",
-        "https://developer.okta.com/docs/reference/api/system-log/",
-        "https://developer.okta.com/docs/reference/api/event-types/"
-    ],
-    "risk_score": 21,
-    "rule_id": "000047bb-b27a-47ec-8b62-ef1a5d2c9e19",
-    "severity": "low",
-    "tags": [
-        "Elastic",
-        "Identity",
-        "Okta",
-        "Continuous Monitoring",
-        "SecOps",
-        "Identity and Access"
-    ],
-    "timestamp_override": "event.ingested",
-    "type": "query",
-    "version": 5
+    "attributes": {
+        "author": [
+            "Elastic"
+        ],
+        "description": "Detects attempts to modify a rule within an Okta policy. An adversary may attempt to modify an Okta policy rule in order to weaken an organization's security controls.",
+        "false_positives": [
+            "Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly modified in your organization."
+        ],
+        "index": [
+            "filebeat-*",
+            "logs-okta*"
+        ],
+        "language": "kuery",
+        "license": "Elastic License v2",
+        "name": "Attempt to Modify an Okta Policy Rule",
+        "note": "The Okta Fleet integration or Filebeat module must be enabled to use this rule.",
+        "query": "event.dataset:okta.system and event.action:policy.rule.update",
+        "references": [
+            "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm",
+            "https://developer.okta.com/docs/reference/api/system-log/",
+            "https://developer.okta.com/docs/reference/api/event-types/"
+        ],
+        "risk_score": 21,
+        "rule_id": "000047bb-b27a-47ec-8b62-ef1a5d2c9e19",
+        "severity": "low",
+        "tags": [
+            "Elastic",
+            "Identity",
+            "Okta",
+            "Continuous Monitoring",
+            "SecOps",
+            "Identity and Access"
+        ],
+        "timestamp_override": "event.ingested",
+        "type": "query",
+        "version": 5
+    },
+    "id": "000047bb-b27a-47ec-8b62-ef1a5d2c9e19",
+    "type": "security_rule"
 }
diff --git a/...rity_detection_engine/kibana/security_rule/rule-00140285-b827-4aee-aa09-8113f58a08f3.json b/...rity_detection_engine/kibana/security_rule/rule-00140285-b827-4aee-aa09-8113f58a08f3.json
@@ -1,49 +1,53 @@
 {
-    "author": [
-        "Elastic"
-    ],
-    "description": "Identifies the execution of known Windows utilities often abused to dump LSASS memory or the Active Directory database (NTDS.dit) in preparation for credential access.",
-    "from": "now-9m",
-    "index": [
-        "winlogbeat-*",
-        "logs-endpoint.events.*",
-        "logs-windows.*"
-    ],
-    "language": "eql",
-    "license": "Elastic License v2",
-    "name": "Potential Credential Access via Windows Utilities",
-    "query": "process where event.type in (\"start\", \"process_started\") and\n/* update here with any new lolbas with dump capability */\n(process.pe.original_file_name == \"procdump\" and process.args : \"-ma\") or\n(process.name : \"ProcessDump.exe\" and not process.parent.executable : \"C:\\\\Program Files*\\\\Cisco Systems\\\\*.exe\") or\n(process.pe.original_file_name == \"WriteMiniDump.exe\" and not process.parent.executable : \"C:\\\\Program Files*\\\\Steam\\\\*.exe\") or\n(process.pe.original_file_name == \"RUNDLL32.EXE\" and (process.args : \"MiniDump*\" or process.command_line : \"*comsvcs.dll*#24*\")) or\n(process.pe.original_file_name == \"RdrLeakDiag.exe\" and process.args : \"/fullmemdmp\") or\n(process.pe.original_file_name == \"SqlDumper.exe\" and process.args : \"0x01100*\") or\n(process.pe.original_file_name == \"TTTracer.exe\" and process.args : \"-dumpFull\" and process.args : \"-attach\") or\n(process.pe.original_file_name == \"ntdsutil.exe\" and process.args : \"create*full*\") or\n(process.pe.original_file_name == \"diskshadow.exe\" and process.args : \"/s\")\n",
-    "references": [
-        "https://lolbas-project.github.io/"
-    ],
-    "risk_score": 73,
-    "rule_id": "00140285-b827-4aee-aa09-8113f58a08f3",
-    "severity": "high",
-    "tags": [
-        "Elastic",
-        "Host",
-        "Windows",
-        "Threat Detection",
-        "Credential Access"
-    ],
-    "threat": [
-        {
-            "framework": "MITRE ATT\u0026CK",
-            "tactic": {
-                "id": "TA0006",
-                "name": "Credential Access",
-                "reference": "https://attack.mitre.org/tactics/TA0006/"
-            },
-            "technique": [
-                {
-                    "id": "T1003",
-                    "name": "OS Credential Dumping",
-                    "reference": "https://attack.mitre.org/techniques/T1003/"
-                }
-            ]
-        }
-    ],
-    "timestamp_override": "event.ingested",
-    "type": "eql",
-    "version": 3
+    "attributes": {
+        "author": [
+            "Elastic"
+        ],
+        "description": "Identifies the execution of known Windows utilities often abused to dump LSASS memory or the Active Directory database (NTDS.dit) in preparation for credential access.",
+        "from": "now-9m",
+        "index": [
+            "winlogbeat-*",
+            "logs-endpoint.events.*",
+            "logs-windows.*"
+        ],
+        "language": "eql",
+        "license": "Elastic License v2",
+        "name": "Potential Credential Access via Windows Utilities",
+        "query": "process where event.type in (\"start\", \"process_started\") and\n/* update here with any new lolbas with dump capability */\n(process.pe.original_file_name == \"procdump\" and process.args : \"-ma\") or\n(process.name : \"ProcessDump.exe\" and not process.parent.executable : \"C:\\\\Program Files*\\\\Cisco Systems\\\\*.exe\") or\n(process.pe.original_file_name == \"WriteMiniDump.exe\" and not process.parent.executable : \"C:\\\\Program Files*\\\\Steam\\\\*.exe\") or\n(process.pe.original_file_name == \"RUNDLL32.EXE\" and (process.args : \"MiniDump*\" or process.command_line : \"*comsvcs.dll*#24*\")) or\n(process.pe.original_file_name == \"RdrLeakDiag.exe\" and process.args : \"/fullmemdmp\") or\n(process.pe.original_file_name == \"SqlDumper.exe\" and process.args : \"0x01100*\") or\n(process.pe.original_file_name == \"TTTracer.exe\" and process.args : \"-dumpFull\" and process.args : \"-attach\") or\n(process.pe.original_file_name == \"ntdsutil.exe\" and process.args : \"create*full*\") or\n(process.pe.original_file_name == \"diskshadow.exe\" and process.args : \"/s\")\n",
+        "references": [
+            "https://lolbas-project.github.io/"
+        ],
+        "risk_score": 73,
+        "rule_id": "00140285-b827-4aee-aa09-8113f58a08f3",
+        "severity": "high",
+        "tags": [
+            "Elastic",
+            "Host",
+            "Windows",
+            "Threat Detection",
+            "Credential Access"
+        ],
+        "threat": [
+            {
+                "framework": "MITRE ATT\u0026CK",
+                "tactic": {
+                    "id": "TA0006",
+                    "name": "Credential Access",
+                    "reference": "https://attack.mitre.org/tactics/TA0006/"
+                },
+                "technique": [
+                    {
+                        "id": "T1003",
+                        "name": "OS Credential Dumping",
+                        "reference": "https://attack.mitre.org/techniques/T1003/"
+                    }
+                ]
+            }
+        ],
+        "timestamp_override": "event.ingested",
+        "type": "eql",
+        "version": 3
+    },
+    "id": "00140285-b827-4aee-aa09-8113f58a08f3",
+    "type": "security_rule"
 }
diff --git a/...rity_detection_engine/kibana/security_rule/rule-0022d47d-39c7-4f69-a232-4fe9dc7a3acd.json b/...rity_detection_engine/kibana/security_rule/rule-0022d47d-39c7-4f69-a232-4fe9dc7a3acd.json
@@ -1,53 +1,57 @@
 {
-    "author": [
-        "Elastic"
-    ],
-    "description": "Windows services typically run as SYSTEM and can be used as a privilege escalation opportunity. Malware or penetration testers may run a shell as a service to gain SYSTEM permissions.",
-    "from": "now-9m",
-    "index": [
-        "winlogbeat-*",
-        "logs-endpoint.events.*",
-        "logs-windows.*"
-    ],
-    "language": "kuery",
-    "license": "Elastic License v2",
-    "name": "System Shells via Services",
-    "query": "event.category:process and event.type:(start or process_started) and process.parent.name:services.exe and process.name:(cmd.exe or powershell.exe)",
-    "risk_score": 47,
-    "rule_id": "0022d47d-39c7-4f69-a232-4fe9dc7a3acd",
-    "severity": "medium",
-    "tags": [
-        "Elastic",
-        "Host",
-        "Windows",
-        "Threat Detection",
-        "Persistence"
-    ],
-    "threat": [
-        {
-            "framework": "MITRE ATT\u0026CK",
-            "tactic": {
-                "id": "TA0003",
-                "name": "Persistence",
-                "reference": "https://attack.mitre.org/tactics/TA0003/"
-            },
-            "technique": [
-                {
-                    "id": "T1543",
-                    "name": "Create or Modify System Process",
-                    "reference": "https://attack.mitre.org/techniques/T1543/",
-                    "subtechnique": [
-                        {
-                            "id": "T1543.003",
-                            "name": "Windows Service",
-                            "reference": "https://attack.mitre.org/techniques/T1543/003/"
-                        }
-                    ]
-                }
-            ]
-        }
-    ],
-    "timestamp_override": "event.ingested",
-    "type": "query",
-    "version": 8
+    "attributes": {
+        "author": [
+            "Elastic"
+        ],
+        "description": "Windows services typically run as SYSTEM and can be used as a privilege escalation opportunity. Malware or penetration testers may run a shell as a service to gain SYSTEM permissions.",
+        "from": "now-9m",
+        "index": [
+            "winlogbeat-*",
+            "logs-endpoint.events.*",
+            "logs-windows.*"
+        ],
+        "language": "kuery",
+        "license": "Elastic License v2",
+        "name": "System Shells via Services",
+        "query": "event.category:process and event.type:(start or process_started) and process.parent.name:services.exe and process.name:(cmd.exe or powershell.exe)",
+        "risk_score": 47,
+        "rule_id": "0022d47d-39c7-4f69-a232-4fe9dc7a3acd",
+        "severity": "medium",
+        "tags": [
+            "Elastic",
+            "Host",
+            "Windows",
+            "Threat Detection",
+            "Persistence"
+        ],
+        "threat": [
+            {
+                "framework": "MITRE ATT\u0026CK",
+                "tactic": {
+                    "id": "TA0003",
+                    "name": "Persistence",
+                    "reference": "https://attack.mitre.org/tactics/TA0003/"
+                },
+                "technique": [
+                    {
+                        "id": "T1543",
+                        "name": "Create or Modify System Process",
+                        "reference": "https://attack.mitre.org/techniques/T1543/",
+                        "subtechnique": [
+                            {
+                                "id": "T1543.003",
+                                "name": "Windows Service",
+                                "reference": "https://attack.mitre.org/techniques/T1543/003/"
+                            }
+                        ]
+                    }
+                ]
+            }
+        ],
+        "timestamp_override": "event.ingested",
+        "type": "query",
+        "version": 8
+    },
+    "id": "0022d47d-39c7-4f69-a232-4fe9dc7a3acd",
+    "type": "security_rule"
 }