[Security Solution] Historical rules packages PoC

fleet-packages/detection-rules-composite/LICENSE.txt

@@ -0,0 +1,93 @@
+Elastic License 2.0
+
+URL: https://www.elastic.co/licensing/elastic-license
+
+## Acceptance
+
+By using the software, you agree to all of the terms and conditions below.
+
+## Copyright License
+
+The licensor grants you a non-exclusive, royalty-free, worldwide,
+non-sublicensable, non-transferable license to use, copy, distribute, make
+available, and prepare derivative works of the software, in each case subject to
+the limitations and conditions below.
+
+## Limitations
+
+You may not provide the software to third parties as a hosted or managed
+service, where the service provides users with access to any substantial set of
+the features or functionality of the software.
+
+You may not move, change, disable, or circumvent the license key functionality
+in the software, and you may not remove or obscure any functionality in the
+software that is protected by the license key.
+
+You may not alter, remove, or obscure any licensing, copyright, or other notices
+of the licensor in the software. Any use of the licensor’s trademarks is subject
+to applicable law.
+
+## Patents
+
+The licensor grants you a license, under any patent claims the licensor can
+license, or becomes able to license, to make, have made, use, sell, offer for
+sale, import and have imported the software, in each case subject to the
+limitations and conditions in this license. This license does not cover any
+patent claims that you cause to be infringed by modifications or additions to
+the software. If you or your company make any written claim that the software
+infringes or contributes to infringement of any patent, your patent license for
+the software granted under these terms ends immediately. If your company makes
+such a claim, your patent license ends immediately for work on behalf of your
+company.
+
+## Notices
+
+You must ensure that anyone who gets a copy of any part of the software from you
+also gets a copy of these terms.
+
+If you modify the software, you must include in any modified copies of the
+software prominent notices stating that you have modified the software.
+
+## No Other Rights
+
+These terms do not imply any licenses other than those expressly granted in
+these terms.
+
+## Termination
+
+If you use the software in violation of these terms, such use is not licensed,
+and your licenses will automatically terminate. If the licensor provides you
+with a notice of your violation, and you cease all violation of this license no
+later than 30 days after you receive that notice, your licenses will be
+reinstated retroactively. However, if you violate these terms after such
+reinstatement, any additional violation of these terms will cause your licenses
+to terminate automatically and permanently.
+
+## No Liability
+
+*As far as the law allows, the software comes as is, without any warranty or
+condition, and the licensor will not be liable to you for any damages arising
+out of these terms or the use or nature of the software, under any kind of
+legal claim.*
+
+## Definitions
+
+The **licensor** is the entity offering these terms, and the **software** is the
+software the licensor makes available under these terms, including any portion
+of it.
+
+**you** refers to the individual or entity agreeing to these terms.
+
+**your company** is any legal entity, sole proprietorship, or other kind of
+organization that you work for, plus all organizations that have control over,
+are under the control of, or are under common control with that
+organization. **control** means ownership of substantially all the assets of an
+entity, or the power to direct its management and policies by vote, contract, or
+otherwise. Control can be direct or indirect.
+
+**your licenses** are all the licenses granted to you for the software under
+these terms.
+
+**use** means anything you do with the software requiring one of your licenses.
+
+**trademark** means trademarks, service marks, and similar rights.

fleet-packages/detection-rules-composite/changelog.yml

@@ -0,0 +1,6 @@
+# newer versions go on top
+- version: "0.0.1"
+  changes:
+    - description: Initial draft of the package
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/1 # FIXME Replace with the real PR link

fleet-packages/detection-rules-composite/docs/README.md

@@ -0,0 +1,84 @@
+<!-- Use this template language as a starting point, replacing {placeholder text} with details about the integration. -->
+<!-- Find more detailed documentation guidelines in https://github.com/elastic/integrations/blob/main/docs/documentation_guidelines.md -->
+
+# New Package
+
+<!-- The New Package integration allows you to monitor {name of service}. {name of service} is {describe service}.
+
+Use the New Package integration to {purpose}. Then visualize that data in Kibana, create alerts to notify you if something goes wrong, and reference {data stream type} when troubleshooting an issue.
+
+For example, if you wanted to {sample use case} you could {action}. Then you can {visualize|alert|troubleshoot} by {action}. -->
+
+## Data streams
+
+<!-- The New Package integration collects {one|two} type{s} of data streams: {logs and/or metrics}. -->
+
+<!-- If applicable -->
+<!-- **Logs** help you keep a record of events happening in {service}.
+Log data streams collected by the {name} integration include {sample data stream(s)} and more. See more details in the [Logs](#logs-reference). -->
+
+<!-- If applicable -->
+<!-- **Metrics** give you insight into the state of {service}.
+Metric data streams collected by the {name} integration include {sample data stream(s)} and more. See more details in the [Metrics](#metrics-reference). -->
+
+<!-- Optional: Any additional notes on data streams -->
+
+## Requirements
+
+You need Elasticsearch for storing and searching your data and Kibana for visualizing and managing it.
+You can use our hosted Elasticsearch Service on Elastic Cloud, which is recommended, or self-manage the Elastic Stack on your own hardware.
+
+<!--
+	Optional: Other requirements including:
+	* System compatibility
+	* Supported versions of third-party products
+	* Permissions needed
+	* Anything else that could block a user from successfully using the integration
+-->
+
+## Setup
+
+<!-- Any prerequisite instructions -->
+
+For step-by-step instructions on how to set up an integration, see the
+[Getting started](https://www.elastic.co/guide/en/welcome-to-elastic/current/getting-started-observability.html) guide.
+
+<!-- Additional set up instructions -->
+
+<!-- If applicable -->
+<!-- ## Logs reference -->
+
+<!-- Repeat for each data stream of the current type -->
+<!-- ### {Data stream name}
+
+The `{data stream name}` data stream provides events from {source} of the following types: {list types}. -->
+
+<!-- Optional -->
+<!-- #### Example
+
+An example event for `{data stream name}` looks as following:
+
+{code block with example} -->
+
+<!-- #### Exported fields
+
+{insert table} -->
+
+<!-- If applicable -->
+<!-- ## Metrics reference -->
+
+<!-- Repeat for each data stream of the current type -->
+<!-- ### {Data stream name}
+
+The `{data stream name}` data stream provides events from {source} of the following types: {list types}. -->
+
+<!-- Optional -->
+<!-- #### Example
+
+An example event for `{data stream name}` looks as following:
+
+{code block with example} -->
+
+<!-- #### Exported fields
+
+{insert table} -->

fleet-packages/detection-rules-composite/kibana/security_rule/000047bb-b27a-47ec-8b62-ef1a5d2c9e19.json

@@ -0,0 +1 @@
+{"attributes":{"rule_id":"000047bb-b27a-47ec-8b62-ef1a5d2c9e19","versions":[{"name":"Attempt to Modify an Okta Policy Rule v102.0.0","rule_version":"102.0.0","stack_version_min":"8.5.0","stack_version_max":"8.7.0","description":"Detects attempts to modify a rule within an Okta policy. An adversary may attempt to modify an Okta policy rule in order to weaken an organization's security controls.","risk_score":21,"severity":"low","license":"Elastic License v2","note":"","timestamp_override":"event.ingested","author":["Elastic"],"false_positives":["Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly modified in your organization."],"references":["https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm","https://developer.okta.com/docs/reference/api/system-log/","https://developer.okta.com/docs/reference/api/event-types/","https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"],"tags":["Elastic","Identity","Okta","Continuous Monitoring","SecOps","Identity and Access","Defense Evasion"],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0005","name":"Defense Evasion","reference":"https://attack.mitre.org/tactics/TA0005/"},"technique":[{"id":"T1562","name":"Impair Defenses","reference":"https://attack.mitre.org/techniques/T1562/","subtechnique":[{"id":"T1562.007","name":"Disable or Modify Cloud Firewall","reference":"https://attack.mitre.org/techniques/T1562/007/"}]}]}],"type":"query","index":["filebeat-*","logs-okta*"],"language":"kuery","query":"event.dataset:okta.system and event.action:policy.rule.update\n","related_integrations":[{"package":"okta","version":"^1.3.0"}],"required_fields":[{"ecs":true,"name":"event.action","type":"keyword"},{"ecs":true,"name":"event.dataset","type":"keyword"}],"setup":"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."},{"name":"Attempt to Modify an Okta Policy Rule v102.0.1","rule_version":"102.0.1","stack_version_min":"8.5.0","stack_version_max":"8.7.0","description":"Detects attempts to modify a rule within an Okta policy. An adversary may attempt to modify an Okta policy rule in order to weaken an organization's security controls.","risk_score":21,"severity":"low","license":"Elastic License v2","note":"","timestamp_override":"event.ingested","author":["Elastic"],"false_positives":["Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly modified in your organization."],"references":["https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm","https://developer.okta.com/docs/reference/api/system-log/","https://developer.okta.com/docs/reference/api/event-types/","https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"],"tags":["Elastic","Identity","Okta","Continuous Monitoring","SecOps","Identity and Access","Defense Evasion"],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0005","name":"Defense Evasion","reference":"https://attack.mitre.org/tactics/TA0005/"},"technique":[{"id":"T1562","name":"Impair Defenses","reference":"https://attack.mitre.org/techniques/T1562/","subtechnique":[{"id":"T1562.007","name":"Disable or Modify Cloud Firewall","reference":"https://attack.mitre.org/techniques/T1562/007/"}]}]}],"type":"query","index":["filebeat-*","logs-okta*"],"language":"kuery","query":"event.dataset:okta.system and event.action:policy.rule.update\n","related_integrations":[{"package":"okta","version":"^1.3.0"}],"required_fields":[{"ecs":true,"name":"event.action","type":"keyword"},{"ecs":true,"name":"event.dataset","type":"keyword"}],"setup":"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."},{"name":"Attempt to Modify an Okta Policy Rule v102.0.2","rule_version":"102.0.2","stack_version_min":"8.5.0","stack_version_max":"8.7.0","description":"Detects attempts to modify a rule within an Okta policy. An adversary may attempt to modify an Okta policy rule in order to weaken an organization's security controls.","risk_score":21,"severity":"low","license":"Elastic License v2","note":"","timestamp_override":"event.ingested","author":["Elastic"],"false_positives":["Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly modified in your organization."],"references":["https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm","https://developer.okta.com/docs/reference/api/system-log/","https://developer.okta.com/docs/reference/api/event-types/","https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"],"tags":["Elastic","Identity","Okta","Continuous Monitoring","SecOps","Identity and Access","Defense Evasion"],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0005","name":"Defense Evasion","reference":"https://attack.mitre.org/tactics/TA0005/"},"technique":[{"id":"T1562","name":"Impair Defenses","reference":"https://attack.mitre.org/techniques/T1562/","subtechnique":[{"id":"T1562.007","name":"Disable or Modify Cloud Firewall","reference":"https://attack.mitre.org/techniques/T1562/007/"}]}]}],"type":"query","index":["filebeat-*","logs-okta*"],"language":"kuery","query":"event.dataset:okta.system and event.action:policy.rule.update\n","related_integrations":[{"package":"okta","version":"^1.3.0"}],"required_fields":[{"ecs":true,"name":"event.action","type":"keyword"},{"ecs":true,"name":"event.dataset","type":"keyword"}],"setup":"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."}]},"id":"000047bb-b27a-47ec-8b62-ef1a5d2c9e19","type":"security-rule"}