[Rule Tuning] Timeline Templates For Windows and Linux (#1892)

* added comprehensive file timeline to Hosts File Modified rule * added Comprehensive Process Timeline to Interactive Terminal Spawned via Python rule * updated rules to have generic instead of comprehensive * updated several rules with timeline ID and timeline title values * changed updated_date for threat intel fleet integrations * added missing templates to timeline_templates dict in definitions.py * added comprehensive timeline templates to alerts after definitions.py was updated * updated rules with comprehensive timeline templates and added min stack comments and versions * removing timeline template changes which is tracked in #1904 * Update rules/linux/execution_python_tty_shell.toml Co-authored-by: Justin Ibarra <[email protected]> * Delete Pipfile Removing pipfile * Delete Pipfile.lock deleting pipfile.lock * Update rules/windows/execution_command_shell_started_by_svchost.toml updating title Co-authored-by: Justin Ibarra <[email protected]>
elastic · Apr 1, 2022 · 93edc44 · 93edc44
1 parent e72031a
commit 93edc44
Show file tree

Hide file tree

Showing 11 changed files with 57 additions and 12 deletions.
diff --git a/rules/cross-platform/impact_hosts_file_modified.toml b/rules/cross-platform/impact_hosts_file_modified.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/07/07"
 maturity = "production"
-updated_date = "2021/10/27"
+updated_date = "2022/03/31"
+min_stack_comments = "Comprehensive timeline templates only available in 8.2+"
+min_stack_version = "8.2"
 
 [rule]
 author = ["Elastic"]
@@ -24,6 +26,8 @@ risk_score = 47
 rule_id = "9c260313-c811-4ec8-ab89-8f6530e0246c"
 severity = "medium"
 tags = ["Elastic", "Host", "Linux", "Windows", "macOS", "Threat Detection", "Impact"]
+timeline_id = "4d4c0b59-ea83-483f-b8c1-8c360ee53c5c"
+timeline_title = "Comprehensive File Timeline"
 timestamp_override = "event.ingested"
 type = "eql"
 

diff --git a/rules/linux/execution_python_tty_shell.toml b/rules/linux/execution_python_tty_shell.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/04/15"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2022/03/31"
+min_stack_comments = "Comprehensive timeline templates only available in 8.2+"
+min_stack_version = "8.2"
 
 [rule]
 author = ["Elastic"]
@@ -18,11 +20,14 @@ risk_score = 73
 rule_id = "d76b02ef-fc95-4001-9297-01cb7412232f"
 severity = "high"
 tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution"]
+timeline_id = "e70679c2-6cde-4510-9764-4823df18f7db"
+timeline_title = "Comprehensive Process Timeline"
 timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.category:process and event.type:(start or process_started) and process.name:python and
+event.category:process and event.type:(start or process_started) and 
+  process.name:python* and
   process.args:("import pty; pty.spawn(\"/bin/sh\")" or
                 "import pty; pty.spawn(\"/bin/dash\")" or
                 "import pty; pty.spawn(\"/bin/bash\")")

diff --git a/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml b/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/05/26"
+updated_date = "2022/03/31"
+min_stack_comments = "Comprehensive timeline templates only available in 8.2+"
+min_stack_version = "8.2"
 
 [rule]
 author = ["Elastic"]
@@ -31,6 +33,8 @@ risk_score = 47
 rule_id = "8c1bdde8-4204-45c0-9e0c-c85ca3902488"
 severity = "medium"
 tags = ["Elastic", "Host", "Network", "Threat Detection", "Command and Control", "Host"]
+timeline_id = "300afc76-072d-4261-864d-4149714bf3f1"
+timeline_title = "Comprehensive Network Timeline"
 timestamp_override = "event.ingested"
 type = "query"
 

diff --git a/rules/network/command_and_control_telnet_port_activity.toml b/rules/network/command_and_control_telnet_port_activity.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2022/03/31"
+min_stack_comments = "Comprehensive timeline templates only available in 8.2+"
+min_stack_version = "8.2"
 
 [rule]
 author = ["Elastic"]
@@ -29,6 +31,8 @@ risk_score = 47
 rule_id = "34fde489-94b0-4500-a76f-b8a157cf9269"
 severity = "medium"
 tags = ["Elastic", "Host", "Network", "Threat Detection", "Command and Control", "Host"]
+timeline_id = "300afc76-072d-4261-864d-4149714bf3f1"
+timeline_title = "Comprehensive Network Timeline"
 timestamp_override = "event.ingested"
 type = "query"
 

diff --git a/rules/windows/credential_access_lsass_memdump_file_created.toml b/rules/windows/credential_access_lsass_memdump_file_created.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/24"
 maturity = "production"
-updated_date = "2021/04/14"
+updated_date = "2022/03/31"
+min_stack_comments = "Comprehensive timeline templates only available in 8.2+"
+min_stack_version = "8.2"
 
 [rule]
 author = ["Elastic"]
@@ -20,6 +22,8 @@ risk_score = 73
 rule_id = "f2f46686-6f3c-4724-bd7d-24e31c70f98f"
 severity = "high"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"]
+timeline_id = "4d4c0b59-ea83-483f-b8c1-8c360ee53c5c"
+timeline_title = "Comprehensive File Timeline"
 timestamp_override = "event.ingested"
 type = "eql"
 

diff --git a/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml b/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/04/14"
+updated_date = "2022/03/31"
+min_stack_comments = "Comprehensive timeline templates only available in 8.2+"
+min_stack_version = "8.2"
 
 [rule]
 author = ["Elastic"]
@@ -15,6 +17,8 @@ risk_score = 21
 rule_id = "4630d948-40d4-4cef-ac69-4002e29bc3db"
 severity = "low"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+timeline_id = "e70679c2-6cde-4510-9764-4823df18f7db"
+timeline_title = "Comprehensive Process Timeline"
 timestamp_override = "event.ingested"
 type = "eql"
 

diff --git a/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml b/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/10/13"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2022/03/31"
+min_stack_comments = "Comprehensive timeline templates only available in 8.2+"
+min_stack_version = "8.2"
 
 [rule]
 author = ["Elastic"]
@@ -19,6 +21,8 @@ risk_score = 47
 rule_id = "edf8ee23-5ea7-4123-ba19-56b41e424ae3"
 severity = "medium"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+timeline_id = "e70679c2-6cde-4510-9764-4823df18f7db"
+timeline_title = "Comprehensive Process Timeline"
 timestamp_override = "event.ingested"
 type = "eql"
 

diff --git a/rules/windows/defense_evasion_suspicious_certutil_commands.toml b/rules/windows/defense_evasion_suspicious_certutil_commands.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/10/15"
+updated_date = "2022/03/31"
+min_stack_comments = "Comprehensive timeline templates only available in 8.2+"
+min_stack_version = "8.2"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -25,6 +27,8 @@ risk_score = 47
 rule_id = "fd70c98a-c410-42dc-a2e3-761c71848acf"
 severity = "medium"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+timeline_id = "e70679c2-6cde-4510-9764-4823df18f7db"
+timeline_title = "Comprehensive Process Timeline"
 timestamp_override = "event.ingested"
 type = "eql"
 

diff --git a/rules/windows/execution_command_shell_started_by_svchost.toml b/rules/windows/execution_command_shell_started_by_svchost.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/03/28"
+updated_date = "2022/03/31"
+min_stack_comments = "Comprehensive timeline templates only available in 8.2+"
+min_stack_version = "8.2"
 
 [rule]
 author = ["Elastic"]
@@ -15,6 +17,8 @@ risk_score = 21
 rule_id = "fd7a6052-58fa-4397-93c3-4795249ccfa2"
 severity = "low"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
+timeline_id = "e70679c2-6cde-4510-9764-4823df18f7db"
+timeline_title = "Comprehensive Process Timeline"
 timestamp_override = "event.ingested"
 type = "eql"
 

diff --git a/rules/windows/persistence_registry_uncommon.toml b/rules/windows/persistence_registry_uncommon.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/18"
 maturity = "production"
-updated_date = "2022/02/28"
+updated_date = "2022/03/31"
+min_stack_comments = "Comprehensive timeline templates only available in 8.2+"
+min_stack_version = "8.2"
 
 [rule]
 author = ["Elastic"]
@@ -19,6 +21,8 @@ risk_score = 47
 rule_id = "54902e45-3467-49a4-8abc-529f2c8cfb80"
 severity = "medium"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence"]
+timeline_id = "3e47ef71-ebfc-4520-975c-cb27fc090799"
+timeline_title = "Comprehensive Registry Timeline"
 timestamp_override = "event.ingested"
 type = "eql"
 

diff --git a/rules/windows/persistence_run_key_and_startup_broad.toml b/rules/windows/persistence_run_key_and_startup_broad.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/18"
 maturity = "production"
-updated_date = "2022/02/14"
+updated_date = "2022/03/31"
+min_stack_comments = "Comprehensive timeline templates only available in 8.2+"
+min_stack_version = "8.2"
 
 
 [rule]
@@ -19,6 +21,8 @@ risk_score = 21
 rule_id = "97fc44d3-8dae-4019-ae83-298c3015600f"
 severity = "low"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence"]
+timeline_id = "3e47ef71-ebfc-4520-975c-cb27fc090799"
+timeline_title = "Comprehensive Registry Timeline"
 timestamp_override = "event.ingested"
 type = "eql"