[New Rule] Endpoint Security Promotion Rules for Specific Events #3533

terrancedejesus · 2024-03-24T23:31:42Z

Issues

https://github.com/elastic/security-team/issues/6287

Summary

This pull request includes 8 new promotional rules. These promotional rules are for the Elastic Defend integration, more specifically, the Endpoint Security feature and alerts.

Before this pull request, we had a single promotional rule that captured all Elastic Endpoint Security alerts.

Additional notes:

event.code was used to distinguish between each Defend policy feature
Responses.message was used to distinguish between prevention and detection. The Responses. fields are only available in alert docs if prevention measures were taken or assigned to the rule or feature.
Since shellcode_thread is not a specific feature in the Defend policy, it was added to the memory_signature alerts.

Please refer to the issue linked for further information or to continue conversation and considerations for these changes.

Testing Evidence

TBD

rules/integrations/endpoint/elastic_endpoint_security_ransomware_detected.toml

rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.toml

…astic/detection-rules into new-rule-endpoint-security-promotions

botelastic · 2024-05-27T14:46:50Z

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

botelastic · 2024-06-03T14:48:41Z

This has been closed due to inactivity. If you feel this is an error, please re-open and include a justifying comment.

Samirbous

other than severity that need to be bumped, rest looks fine

botelastic · 2024-08-24T17:41:49Z

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.toml

Mikaayenson · 2024-10-18T18:43:47Z

@terrancedejesus re: testing we need to coordinate with @banderror and the RM team to double check on what they expect from the rules side. Moving to blocked in the interim.

…revented.toml Co-authored-by: Terrance DeJesus <[email protected]>

….toml Co-authored-by: Terrance DeJesus <[email protected]>

…d.toml Co-authored-by: Terrance DeJesus <[email protected]>

…eat_detected.toml Co-authored-by: Terrance DeJesus <[email protected]>

…d.toml Co-authored-by: Terrance DeJesus <[email protected]>

…eat_detected.toml Co-authored-by: Terrance DeJesus <[email protected]>

…eat_prevented.toml Co-authored-by: Terrance DeJesus <[email protected]>

…etected.toml Co-authored-by: Terrance DeJesus <[email protected]>

approksiu

The new rules should not be enabled out of the box. + added Natasha's change in the relevant places. The rest looks good to me! Thanks!

rules/integrations/endpoint/execution_elastic_malicious_file_detected.toml

rules/integrations/endpoint/execution_elastic_malicious_file_prevented.toml

rules/integrations/endpoint/impact_elastic_ransomware_detected.toml

rules/integrations/endpoint/impact_elastic_ransomware_prevented.toml

rules/integrations/endpoint/defense_evasion_elastic_memory_threat_detected.toml

rules/integrations/endpoint/elastic_endpoint_security_behavior_prevented.toml

rules/integrations/endpoint/execution_elastic_malicious_file_detected.toml

rules/integrations/endpoint/execution_elastic_malicious_file_prevented.toml

rules/integrations/endpoint/impact_elastic_ransomware_detected.toml

rules/integrations/endpoint/impact_elastic_ransomware_prevented.toml

…b.com/elastic/detection-rules into new-rule-endpoint-security-promotions

Samirbous · 2024-12-19T13:19:16Z

The new rules should not be enabled out of the box. + added Natasha's change in the relevant places. The rest looks good to me! Thanks!

@approksiu thanks for the review, suggested changes applied (enabled= true -> enabled = false and adjusted the setup guide sentence).

QQ - why don't make those new promotion rules by default enabled and switch the existing one to false ? (maybe users won't notice those new promotion rules and don't get the benefit of this change)

approksiu

Thanks team! Looks good!

* new endpoint security rules for specific alerts * updated risk scores * fixed rule names and UUIDs * changed logic to use message field for detection vs prevention * reverting changes * reverting changes * reverting to old commit * reverting to old commit * reverting to old commit * reverting to old commit * changed naming to Elastic Defend * updated rule dates and min-stacks * linted; adjusted queries * updated ransomware, memory sig or shellcode risk * Update rules/integrations/endpoint/elastic_endpoint_security.toml * updated promotion rule * fixed typos in naming * updated setup guides * added intervals * added MITRE * added investigation guide for Memory Threat * ++ * ++ * Update rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.toml Co-authored-by: natasha-moore-elastic <[email protected]> * Update rules/integrations/endpoint/elastic_endpoint_security_memory_signature_prevented.toml Co-authored-by: Samirbous <[email protected]> * Update rules/integrations/endpoint/elastic_endpoint_security_memory_signature_detected.toml Co-authored-by: Samirbous <[email protected]> * Update rules/integrations/endpoint/elastic_endpoint_security_malicious_file_prevented.toml Co-authored-by: Samirbous <[email protected]> * Update rules/integrations/endpoint/elastic_endpoint_security_memory_signature_detected.toml Co-authored-by: Samirbous <[email protected]> * Update rules/integrations/endpoint/elastic_endpoint_security_memory_signature_prevented.toml Co-authored-by: Samirbous <[email protected]> * Update rules/integrations/endpoint/elastic_endpoint_security_ransomware_detected.toml Co-authored-by: Samirbous <[email protected]> * Update rules/integrations/endpoint/elastic_endpoint_security_ransomware_prevented.toml Co-authored-by: Samirbous <[email protected]> * ++ * ++ * ++ * ++ * Update rules/integrations/endpoint/elastic_endpoint_security.toml * Update rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.toml * Update rules/integrations/endpoint/elastic_endpoint_security_behavior_prevented.toml * Update rules/integrations/endpoint/elastic_endpoint_security_malicious_file_detected.toml * Update rules/integrations/endpoint/elastic_endpoint_security_memory_signature_prevented.toml * ++ * ++ * ++ * Update rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.toml Co-authored-by: Terrance DeJesus <[email protected]> * Update rules/integrations/endpoint/execution_elastic_malicious_file_detected.toml Co-authored-by: Terrance DeJesus <[email protected]> * Update rules/integrations/endpoint/impact_elastic_ransomware_detected.toml Co-authored-by: Terrance DeJesus <[email protected]> * Update rules/integrations/endpoint/elastic_endpoint_security_behavior_prevented.toml Co-authored-by: Terrance DeJesus <[email protected]> * Update rules/integrations/endpoint/execution_elastic_malicious_file_prevented.toml Co-authored-by: Terrance DeJesus <[email protected]> * Update rules/integrations/endpoint/impact_elastic_ransomware_prevented.toml Co-authored-by: Terrance DeJesus <[email protected]> * Update rules/integrations/endpoint/defense_evasion_elastic_memory_threat_prevented.toml Co-authored-by: Terrance DeJesus <[email protected]> * Update rules/integrations/endpoint/defense_evasion_elastic_memory_threat_prevented.toml Co-authored-by: Terrance DeJesus <[email protected]> * Update rules/integrations/endpoint/elastic_endpoint_security_behavior_prevented.toml Co-authored-by: Terrance DeJesus <[email protected]> * Update rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.toml Co-authored-by: Terrance DeJesus <[email protected]> * Update rules/integrations/endpoint/elastic_endpoint_security_behavior_prevented.toml Co-authored-by: Terrance DeJesus <[email protected]> * Update rules/integrations/endpoint/execution_elastic_malicious_file_detected.toml Co-authored-by: Terrance DeJesus <[email protected]> * Update rules/integrations/endpoint/execution_elastic_malicious_file_detected.toml Co-authored-by: Terrance DeJesus <[email protected]> * Update rules/integrations/endpoint/execution_elastic_malicious_file_prevented.toml Co-authored-by: Terrance DeJesus <[email protected]> * Update rules/integrations/endpoint/execution_elastic_malicious_file_prevented.toml Co-authored-by: Terrance DeJesus <[email protected]> * Update rules/integrations/endpoint/execution_elastic_malicious_file_prevented.toml Co-authored-by: Terrance DeJesus <[email protected]> * Update rules/integrations/endpoint/impact_elastic_ransomware_detected.toml Co-authored-by: Terrance DeJesus <[email protected]> * Update rules/integrations/endpoint/impact_elastic_ransomware_detected.toml Co-authored-by: Terrance DeJesus <[email protected]> * Update rules/integrations/endpoint/impact_elastic_ransomware_detected.toml Co-authored-by: Terrance DeJesus <[email protected]> * Update rules/integrations/endpoint/impact_elastic_ransomware_prevented.toml Co-authored-by: Terrance DeJesus <[email protected]> * Update rules/integrations/endpoint/impact_elastic_ransomware_prevented.toml Co-authored-by: Terrance DeJesus <[email protected]> * Update rules/integrations/endpoint/defense_evasion_elastic_memory_threat_detected.toml Co-authored-by: Terrance DeJesus <[email protected]> * Update rules/integrations/endpoint/impact_elastic_ransomware_prevented.toml Co-authored-by: Terrance DeJesus <[email protected]> * Update rules/integrations/endpoint/defense_evasion_elastic_memory_threat_detected.toml Co-authored-by: Terrance DeJesus <[email protected]> * Update rules/integrations/endpoint/defense_evasion_elastic_memory_threat_detected.toml Co-authored-by: Terrance DeJesus <[email protected]> * Update rules/integrations/endpoint/defense_evasion_elastic_memory_threat_prevented.toml Co-authored-by: Terrance DeJesus <[email protected]> * Update defense_evasion_elastic_memory_threat_prevented.toml * toml-lint * Update rules/integrations/endpoint/execution_elastic_malicious_file_detected.toml Co-authored-by: Terrance DeJesus <[email protected]> * ++ --------- Co-authored-by: Mika Ayenson <[email protected]> Co-authored-by: Samirbous <[email protected]> Co-authored-by: natasha-moore-elastic <[email protected]> Co-authored-by: Samirbous <[email protected]> (cherry picked from commit 9fb2dea)

new endpoint security rules for specific alerts

5dd7970

terrancedejesus added Rule: New Proposal for new rule Integration: Endpoint Elastic Endpoint Security labels Mar 24, 2024

terrancedejesus self-assigned this Mar 24, 2024

terrancedejesus added 2 commits March 24, 2024 19:36

updated risk scores

d47b135

fixed rule names and UUIDs

bbd3d90

Samirbous reviewed Mar 27, 2024

View reviewed changes

terrancedejesus added 9 commits March 27, 2024 20:36

changed logic to use message field for detection vs prevention

1f9ff5b

reverting changes

2539301

reverting changes

b3c1393

reverting to old commit

fb760f2

Merge branch 'new-rule-endpoint-security-promotions' of github.com:el…

36c1984

…astic/detection-rules into new-rule-endpoint-security-promotions

reverting to old commit

9030c6c

reverting to old commit

552f2b2

reverting to old commit

cb7ec5a

changed naming to Elastic Defend

ecae598

terrancedejesus added the Area: RAD label Mar 28, 2024

botelastic bot added the stale 60 days of inactivity label May 27, 2024

botelastic bot closed this Jun 3, 2024

terrancedejesus reopened this Jun 25, 2024

botelastic bot removed the stale 60 days of inactivity label Jun 25, 2024

Samirbous approved these changes Jun 25, 2024

View reviewed changes

botelastic bot added the stale 60 days of inactivity label Aug 24, 2024

Mikaayenson added backlog and removed stale 60 days of inactivity labels Aug 26, 2024

Mikaayenson reviewed Oct 10, 2024

View reviewed changes

rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.toml Outdated Show resolved Hide resolved

Samirbous and others added 15 commits December 18, 2024 15:28

Update rules/integrations/endpoint/execution_elastic_malicious_file_p…

a547658

…revented.toml Co-authored-by: Terrance DeJesus <[email protected]>

Update rules/integrations/endpoint/impact_elastic_ransomware_detected…

4114261

….toml Co-authored-by: Terrance DeJesus <[email protected]>

Update rules/integrations/endpoint/impact_elastic_ransomware_detected…

36e5e48

….toml Co-authored-by: Terrance DeJesus <[email protected]>

Update rules/integrations/endpoint/impact_elastic_ransomware_detected…

72443d4

….toml Co-authored-by: Terrance DeJesus <[email protected]>

Update rules/integrations/endpoint/impact_elastic_ransomware_prevente…

0382942

…d.toml Co-authored-by: Terrance DeJesus <[email protected]>

Update rules/integrations/endpoint/impact_elastic_ransomware_prevente…

ddef417

…d.toml Co-authored-by: Terrance DeJesus <[email protected]>

Update rules/integrations/endpoint/defense_evasion_elastic_memory_thr…

c91de4e

…eat_detected.toml Co-authored-by: Terrance DeJesus <[email protected]>

Update rules/integrations/endpoint/impact_elastic_ransomware_prevente…

09098c6

…d.toml Co-authored-by: Terrance DeJesus <[email protected]>

Update rules/integrations/endpoint/defense_evasion_elastic_memory_thr…

30c0d1a

…eat_detected.toml Co-authored-by: Terrance DeJesus <[email protected]>

Update rules/integrations/endpoint/defense_evasion_elastic_memory_thr…

fd86f63

…eat_detected.toml Co-authored-by: Terrance DeJesus <[email protected]>

Update rules/integrations/endpoint/defense_evasion_elastic_memory_thr…

a7be955

…eat_prevented.toml Co-authored-by: Terrance DeJesus <[email protected]>

Update defense_evasion_elastic_memory_threat_prevented.toml

4d45523

toml-lint

d343994

Update rules/integrations/endpoint/execution_elastic_malicious_file_d…

1e7f000

…etected.toml Co-authored-by: Terrance DeJesus <[email protected]>

Merge branch 'main' into new-rule-endpoint-security-promotions

90869e8

approksiu requested changes Dec 19, 2024

View reviewed changes

Samirbous added 2 commits December 19, 2024 13:15

++

e1b565d

Merge branch 'new-rule-endpoint-security-promotions' of https://githu…

9f76999

…b.com/elastic/detection-rules into new-rule-endpoint-security-promotions

Samirbous self-assigned this Dec 19, 2024

approksiu approved these changes Dec 19, 2024

View reviewed changes

Merge branch 'main' into new-rule-endpoint-security-promotions

b78a44f

terrancedejesus merged commit 9fb2dea into main Dec 19, 2024
9 checks passed

terrancedejesus deleted the new-rule-endpoint-security-promotions branch December 19, 2024 18:24

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[New Rule] Endpoint Security Promotion Rules for Specific Events #3533

[New Rule] Endpoint Security Promotion Rules for Specific Events #3533

terrancedejesus commented Mar 24, 2024 •

edited

Loading

botelastic bot commented May 27, 2024

botelastic bot commented Jun 3, 2024

Samirbous left a comment

botelastic bot commented Aug 24, 2024

Mikaayenson commented Oct 18, 2024 •

edited

Loading

approksiu left a comment

Samirbous commented Dec 19, 2024 •

edited

Loading

approksiu left a comment

[New Rule] Endpoint Security Promotion Rules for Specific Events #3533

[New Rule] Endpoint Security Promotion Rules for Specific Events #3533

Conversation

terrancedejesus commented Mar 24, 2024 • edited Loading

Issues

Summary

Testing Evidence

botelastic bot commented May 27, 2024

botelastic bot commented Jun 3, 2024

Samirbous left a comment

Choose a reason for hiding this comment

botelastic bot commented Aug 24, 2024

Mikaayenson commented Oct 18, 2024 • edited Loading

approksiu left a comment

Choose a reason for hiding this comment

Samirbous commented Dec 19, 2024 • edited Loading

approksiu left a comment

Choose a reason for hiding this comment

terrancedejesus commented Mar 24, 2024 •

edited

Loading

Mikaayenson commented Oct 18, 2024 •

edited

Loading

Samirbous commented Dec 19, 2024 •

edited

Loading