[New Rule] Endpoint Security Promotion Rules for Specific Events

rules/integrations/endpoint/elastic_endpoint_security.toml

@@ -4,13 +4,13 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
 promotion = true
+updated_date = "2024/03/24"
 
 [rule]
 author = ["Elastic"]
 description = """
-Generates a detection alert each time an Elastic Endpoint Security alert is received. Enabling this rule allows you to
+Generates a detection alert each time an Elastic Defend alert is received. Enabling this rule allows you to
 immediately begin investigating your Endpoint alerts.
 """
 enabled = true
@@ -19,7 +19,22 @@ index = ["logs-endpoint.alerts-*"]
 language = "kuery"
 license = "Elastic License v2"
 max_signals = 10000
-name = "Endpoint Security"
+name = "Elastic Defend"
+note = """
+If this rule is disabled, you will not receive alerts for Elastic Defend alerts. This rule is designed to capture all alerts generated by Elastic Defend. For more granular alerting, consider using additional prebuilt-rules that capture specific Elastic Defend alerts.
+
+If this rule is enabled, along with the related rules listed below, you will receive duplicate alerts for the same events. To avoid this, it is recommended to disable this generic rule and enable the more specific rules that capture these alerts separately.
+
+Related rules:
+- Behavior - Detected - Elastic Defend (UUID: 0f615fe4-eaa2-11ee-ae33-f661ea17fbce)
+- Behavior - Prevented - Elastic Defend (UUID: eb804972-ea34-11ee-a417-f661ea17fbce)
+- Malicious File - Detected - Elastic Defend (UUID: f2c3caa6-ea34-11ee-a417-f661ea17fbce)
+- Malicious File - Prevented - Elastic Defend (UUID: f87e6122-ea34-11ee-a417-f661ea17fbce)
+- Memory Signature - Detected - Elastic Defend (UUID: 017de1e4-ea35-11ee-a417-f661ea17fbce)
+- Memory Signature - Prevented - Elastic Defend (UUID: 06f3a26c-ea35-11ee-a417-f661ea17fbce)
+- Ransomware - Detected - Elastic Defend (UUID: 0c74cd7e-ea35-11ee-a417-f661ea17fbce)
+- Ransomware - Prevented - Elastic Defend (UUID: 10f3d520-ea35-11ee-a417-f661ea17fbce)
+"""
 risk_score = 47
 rule_id = "9a1a2dae-0b5f-4c3d-8305-a268d404c306"
 rule_name_override = "message"

rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.toml

@@ -0,0 +1,75 @@
+[metadata]
+creation_date = "2024/03/24"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/27"
+promotion = true
+
+[rule]
+author = ["Elastic"]
+description = """
+Generates a detection alert each time an Elastic Defend alert for malicious behavior is received. Enabling this rule allows you to
+immediately begin investigating your Endpoint behavior alerts. This rule identifies Endpoint Defend behavior detections only, and does not include prevention alerts.
+"""
+enabled = true
+from = "now-10m"
+index = ["logs-endpoint.alerts-*"]
+language = "kuery"
+license = "Elastic License v2"
+max_signals = 10000
+name = "Behavior - Detected - Elastic Defend"
+references = [
+    "https://github.com/elastic/protections-artifacts/tree/main/behavior",
+    "https://docs.elastic.co/en/integrations/endpoint"
+]
+risk_score = 47
+rule_id = "0f615fe4-eaa2-11ee-ae33-f661ea17fbce"
+rule_name_override = "message"
+severity = "medium"
+tags = ["Data Source: Elastic Defend"]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.kind:alert and event.module:(endpoint and not endgame) and event.code: behavior and message: *detection*
+'''
+
+
+[[rule.exceptions_list]]
+id = "endpoint_list"
+list_id = "endpoint_list"
+namespace_type = "agnostic"
+type = "endpoint"
+
+[[rule.risk_score_mapping]]
+field = "event.risk_score"
+operator = "equals"
+value = ""
+
+[[rule.severity_mapping]]
+field = "event.severity"
+operator = "equals"
+severity = "low"
+value = "21"
+
+[[rule.severity_mapping]]
+field = "event.severity"
+operator = "equals"
+severity = "medium"
+value = "47"
+
+[[rule.severity_mapping]]
+field = "event.severity"
+operator = "equals"
+severity = "high"
+value = "73"
+
+[[rule.severity_mapping]]
+field = "event.severity"
+operator = "equals"
+severity = "critical"
+value = "99"
+
+

rules/integrations/endpoint/elastic_endpoint_security_behavior_prevented.toml

@@ -0,0 +1,75 @@
+[metadata]
+creation_date = "2024/03/24"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/27"
+promotion = true
+
+[rule]
+author = ["Elastic"]
+description = """
+Generates a detection alert each time an Elastic Defend alert for malicious behavior is received. Enabling this rule allows you to
+immediately begin investigating your Endpoint behavior alerts. This rule identifies Endpoint Defend behavior preventions only, and does not include detection only alerts.
+"""
+enabled = true
+from = "now-10m"
+index = ["logs-endpoint.alerts-*"]
+language = "kuery"
+license = "Elastic License v2"
+max_signals = 10000
+name = "Behavior - Prevented - Endpoint Defend"
+references = [
+    "https://github.com/elastic/protections-artifacts/tree/main/behavior",
+    "https://docs.elastic.co/en/integrations/endpoint"
+]
+risk_score = 21
+rule_id = "eb804972-ea34-11ee-a417-f661ea17fbce"
+rule_name_override = "message"
+severity = "low"
+tags = ["Data Source: Elastic Defend"]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.kind:alert and event.module:(endpoint and not endgame) and event.code: behavior and message: *prevention*
+'''
+
+
+[[rule.exceptions_list]]
+id = "endpoint_list"
+list_id = "endpoint_list"
+namespace_type = "agnostic"
+type = "endpoint"
+
+[[rule.risk_score_mapping]]
+field = "event.risk_score"
+operator = "equals"
+value = ""
+
+[[rule.severity_mapping]]
+field = "event.severity"
+operator = "equals"
+severity = "low"
+value = "21"
+
+[[rule.severity_mapping]]
+field = "event.severity"
+operator = "equals"
+severity = "medium"
+value = "47"
+
+[[rule.severity_mapping]]
+field = "event.severity"
+operator = "equals"
+severity = "high"
+value = "73"
+
+[[rule.severity_mapping]]
+field = "event.severity"
+operator = "equals"
+severity = "critical"
+value = "99"
+
+

rules/integrations/endpoint/elastic_endpoint_security_malicious_file_detected.toml

@@ -0,0 +1,75 @@
+[metadata]
+creation_date = "2024/03/24"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/27"
+promotion = true
+
+[rule]
+author = ["Elastic"]
+description = """
+Generates a detection alert each time an Elastic Defend alert for malicious files is received. Enabling this rule allows you to
+immediately begin investigating your Endpoint malicious file alerts. This rule identifies Elastic Defend malicious file detections only, and does not include prevention alerts.
+"""
+enabled = true
+from = "now-10m"
+index = ["logs-endpoint.alerts-*"]
+language = "kuery"
+license = "Elastic License v2"
+max_signals = 10000
+name = "Malicious File - Detected - Elastic Defend"
+references = [
+    "https://github.com/elastic/protections-artifacts/tree/main/yara",
+    "https://docs.elastic.co/en/integrations/endpoint"
+]
+risk_score = 47
+rule_id = "f2c3caa6-ea34-11ee-a417-f661ea17fbce"
+rule_name_override = "message"
+severity = "medium"
+tags = ["Data Source: Elastic Defend"]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.kind:alert and event.module:(endpoint and not endgame) and event.code: malicious_file and message: *detection*
+'''
+
+
+[[rule.exceptions_list]]
+id = "endpoint_list"
+list_id = "endpoint_list"
+namespace_type = "agnostic"
+type = "endpoint"
+
+[[rule.risk_score_mapping]]
+field = "event.risk_score"
+operator = "equals"
+value = ""
+
+[[rule.severity_mapping]]
+field = "event.severity"
+operator = "equals"
+severity = "low"
+value = "21"
+
+[[rule.severity_mapping]]
+field = "event.severity"
+operator = "equals"
+severity = "medium"
+value = "47"
+
+[[rule.severity_mapping]]
+field = "event.severity"
+operator = "equals"
+severity = "high"
+value = "73"
+
+[[rule.severity_mapping]]
+field = "event.severity"
+operator = "equals"
+severity = "critical"
+value = "99"
+
+

rules/integrations/endpoint/elastic_endpoint_security_malicious_file_prevented.toml

@@ -0,0 +1,75 @@
+[metadata]
+creation_date = "2024/03/24"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/27"
+promotion = true
+
+[rule]
+author = ["Elastic"]
+description = """
+Generates a detection alert each time an Elastic Defend alert for malicious files is received. Enabling this rule allows you to
+immediately begin investigating your Endpoint malicious file alerts. This rule identifies Elastic Defend malicious file preventions only, and does not include detection only alerts.
+"""
+enabled = true
+from = "now-10m"
+index = ["logs-endpoint.alerts-*"]
+language = "kuery"
+license = "Elastic License v2"
+max_signals = 10000
+name = "Malicious File - Prevented - Elastic Defend"
+references = [
+    "https://github.com/elastic/protections-artifacts/tree/main/yara",
+    "https://docs.elastic.co/en/integrations/endpoint"
+]
+risk_score = 21
+rule_id = "f87e6122-ea34-11ee-a417-f661ea17fbce"
+rule_name_override = "message"
+severity = "low"
+tags = ["Data Source: Elastic Defend"]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.kind:alert and event.module:(endpoint and not endgame) and event.code: malicious_file and message: *prevention*
+'''
+
+
+[[rule.exceptions_list]]
+id = "endpoint_list"
+list_id = "endpoint_list"
+namespace_type = "agnostic"
+type = "endpoint"
+
+[[rule.risk_score_mapping]]
+field = "event.risk_score"
+operator = "equals"
+value = ""
+
+[[rule.severity_mapping]]
+field = "event.severity"
+operator = "equals"
+severity = "low"
+value = "21"
+
+[[rule.severity_mapping]]
+field = "event.severity"
+operator = "equals"
+severity = "medium"
+value = "47"
+
+[[rule.severity_mapping]]
+field = "event.severity"
+operator = "equals"
+severity = "high"
+value = "73"
+
+[[rule.severity_mapping]]
+field = "event.severity"
+operator = "equals"
+severity = "critical"
+value = "99"
+
+