[Detection Engine] Adds 8.2 rules #130338
@@ -12,7 +12,7 @@ | |||
"language": "eql", | |||
"license": "Elastic License v2", | |||
"name": "Remote File Download via MpCmdRun", | |||
"note": "## Triage and analysis\n\n### Investigating Remote File Download via MpCmdRun\nVerify details such as the parent process, URL reputation, and downloaded file details. Additionally, `MpCmdRun` logs this information in the Appdata Temp folder in `MpCmdRun.log`.\n\n## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", | |||
"note": "## Triage and analysis\n\n### Investigating Remote File Download via MpCmdRun\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command\nand control channel. However, they can also abuse signed utilities to drop these files.\n\nThe `MpCmdRun.exe` is a command-line tool part of Windows Defender and is used to manage various Microsoft Windows\nDefender Antivirus settings and perform certain tasks. It can also be abused by attackers to download remote files,\nincluding malware and offensive tooling. This rule looks for the patterns used to perform downloads using the utility.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree).\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check the reputation of the domain or IP address used to host the downloaded file.\n- Retrieve the file and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell Get-FileHash cmdlet to get the SHA-256 hash value of the file.\n - Search for the existence and reputation of this file in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement any temporary network rules, procedures, and segmentation required to contain the malware.\n - Immediately block the IoCs identified.\n- Remove and block malicious artifacts identified on the triage.\n- Disable the involved accounts, or restrict their ability to log on remotely.\n- Reset passwords for the user account and other potentially compromised accounts (email, services, CRMs, etc.).\n- Investigate the initial attack vector.\nVerify details such as the parent process, URL reputation, and downloaded file details. Additionally, `MpCmdRun` logs this information in the Appdata Temp folder in `MpCmdRun.log`.\n\n\n## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", |
No version bump because updates from #129526 were not version locked yet. This is expected for "some" rules.
💚 Build Succeeded
Metrics [docs]
To update your PR or re-run it, just comment with:
LGTM
LGTM. Checks:
LGTM
@@ -56,5 +56,5 @@ | |||
"timeline_title": "Comprehensive File Timeline", | |||
"timestamp_override": "event.ingested", | |||
"type": "eql", | |||
"version": 6 | |||
"version": 7 |
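Review bot: the only change in this hunk is `"version": 6` to `"version": 7`; no rule content changes in the diff. Because `version` is what the docs scripts and the Kibana rules UI use to decide which prebuilt rules to list as updated, a bump without a content change advertises an update that does not exist. Confirm it corresponds to a change elsewhere in this file or to an out-of-band release of the rule, and otherwise leave it at 6.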
This looks to be an unnecessary version bump? Was it missed in the previous batch of 8.2 updates? Sounds like a bug somewhere... 🤔
@@ -61,5 +61,5 @@ | |||
"timeline_title": "Comprehensive Process Timeline", | |||
"timestamp_override": "event.ingested", | |||
"type": "eql", | |||
"version": 10 | |||
"version": 11 |
Another unnecessary version bump? Or was it missed in the previous batch of 8.2 updates, or bug in the Kibana rule generator?
@@ -48,5 +48,5 @@ | |||
"timeline_title": "Comprehensive Process Timeline", | |||
"timestamp_override": "event.ingested", | |||
"type": "eql", | |||
"version": 4 | |||
"version": 5 |
As above -- is this an unnecessary version bump? Or was it missed in the previous batch of 8.2 updates?
@@ -52,5 +52,5 @@ | |||
"timeline_title": "Comprehensive Process Timeline", | |||
"timestamp_override": "event.ingested", | |||
"type": "eql", | |||
"version": 11 | |||
"version": 12 |
As above -- is this an unnecessary version bump? Or was it missed in the previous batch of 8.2 updates?
@@ -40,5 +40,5 @@ | |||
], | |||
"timestamp_override": "event.ingested", | |||
"type": "eql", | |||
"version": 7 | |||
"version": 8 |
As above -- is this an unnecessary version bump? Or was it missed in the previous batch of 8.2 updates?
@@ -45,5 +45,5 @@ | |||
"timeline_title": "Comprehensive Process Timeline", | |||
"timestamp_override": "event.ingested", | |||
"type": "eql", | |||
"version": 9 | |||
"version": 10 |
This version was already incremented from 8 to 9 in 8.2, see: https://github.com/elastic/kibana/pull/129526/files#diff-8b7ec1d27abcbdb4894cf73ea6a91fef47bd29c0fbd8886ed7e9a658035e4200R48
@@ -50,5 +50,5 @@ | |||
], | |||
"timestamp_override": "event.ingested", | |||
"type": "eql", | |||
"version": 4 | |||
"version": 5 |
Version bump occurred in last 8.2 Rules PR: https://github.com/elastic/kibana/pull/129526/files#diff-d5b20e6da8c51ab3d8d52bf3e6006c2e4cf089ac8108c799e9793131cb7da3baR53
@@ -67,5 +67,5 @@ | |||
"timeline_title": "Comprehensive Registry Timeline", | |||
"timestamp_override": "event.ingested", | |||
"type": "eql", | |||
"version": 6 | |||
"version": 7 |
Already bumped 5 to 6 in previous 8.2 Rules PR: https://github.com/elastic/kibana/pull/129526/files#diff-d4ec3ab4ef485491b700e1ecc3ab83d91940ae66f8e8dd81c5fb538f310c3d20R70
@@ -51,5 +51,5 @@ | |||
} | |||
], | |||
"type": "eql", | |||
"version": 11 | |||
"version": 12 |
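Review bot: unlike every other EQL rule hunk in this PR, the trailing context here goes straight from `]` to `"type": "eql"` with no `"timestamp_override": "event.ingested"` between them, which is exactly where it would appear given the alphabetical key order the other hunks show (`timeline_title`, `timestamp_override`, `type`, `version`). If this rule is meant to query on `event.ingested` like its siblings, the override is missing; if the omission is intended, the `"version": 11` to `"version": 12` bump is once more unaccompanied by any visible content change and should be justified or reverted.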
Version already bumped in previous 8.2 Rules PR: https://github.com/elastic/kibana/pull/129526/files#diff-548404a51453422eb3260dd0bfe31d2fbcb4a451d2629a598aea5df3991ccab5R54
@@ -58,5 +58,5 @@ | |||
"timeline_title": "Comprehensive File Timeline", | |||
"timestamp_override": "event.ingested", | |||
"type": "eql", | |||
"version": 7 | |||
"version": 8 |
This was already version bumped in the last 8.2 Rules PR: https://github.com/elastic/kibana/pull/129526/files#diff-ce969c996a1c400debb065fec595e7d3ff5235fc151eeefa853c58963b02e45fR61
Pending resolution/clarification of the version bumps
Looks like we've got a bug in the Kibana PR generator perhaps? Seeing a bunch of unnecessary version bumps (no content change other than version), some that are new to this PR, and other additional version bumps from those made in the previous 8.2 Rules PR.
Also seeing double version bumps with these same cases, so a rule like domain_added_to_google_workspace_trusted_domains.json would be going from version: 6 to version: 10 between 8.1 and 8.2 with no content changes.
Can you please take a look at the PR generation script and see what might be causing this? While unnecessary version bumps don't technically break system functionality, these rules will be picked up by the docs scripts and included as 'updated' for a release when they really aren't. This also means we'll show more updates in the UI than there actually are.
Perhaps this is a byproduct of out-of-band releases and version changes there? Though that doesn't fully make sense as there aren't content changes, so those specific rules wouldn't need to be bumped, no?
Hey @spong thank you for catching these. We will take a look at the code to see if we can find a bug that is causing this.
In discussions with @brokensound77, these no-content version bumps appear to be a combination of the below three scenarios:
- Double bumps: expected - occurs when OOB releases on a rule in between kibana updates. Can even be multiple bumps.
- No version bump: expected - this is because the first push to kibana was pre version locked, so the changes are expected and are only now locked
- As an exception, we did have a few rules that snuck out in a recent release without the correct version bump, but those rules and the code allowing that were rectified. So that explains a few double bumps too
Going to unblock this PR with the above explanation for these version changes, and @brokensound77 and I are going to meet Monday to further discuss rule versioning and compare against the latest package release versions to ensure one final spot-check here.
LGTM (based on manual fixes from 1870 that pushed the versions forward).
@spong we are going to merge these just based on time and because the +1 changes with no actual changes to the rule will not break anything as you stated. We will then investigate this offline as to why it happened and if an actual bug exists, address and fix it. So 10 rules appear to have a version bump of +1 without any changes at the moment for unknown reasons. Worked on this directly with @Mikaayenson and had a conversation with @brokensound77. The double bumps were addressed and found to be the result of elastic/detection-rules#1870.
(cherry picked from commit b01c4bc)
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions? Please refer to the Backport tool documentation
(cherry picked from commit b01c4bc) Co-authored-by: Terrance DeJesus <[email protected]>
Summary
Pull updates to detection rules from https://github.com/elastic/detection-rules/tree/6241b28484838630571592a6291eb545037c5dc5.