Adds timeline_id to all network rules

- Uses the ID for the 'Generic Network Timeline' from Elastic
elastic · Jul 27, 2020 · 3617781 · 3617781
1 parent d15da0a
commit 3617781
Show file tree

Hide file tree

Showing 21 changed files with 49 additions and 6 deletions.
diff --git a/rules/network/command_and_control_dns_directly_to_the_internet.toml b/rules/network/command_and_control_dns_directly_to_the_internet.toml
@@ -33,10 +33,11 @@ risk_score = 47
 rule_id = "6ea71ff0-9e95-475b-9506-2580d1ce6154"
 severity = "medium"
 tags = ["Elastic", "Network"]
+timeline_id = "5471edb0-c738-11ea-ba51-73504b186a82"
 type = "query"
 
 query = '''
-event.category:(network or network_traffic) and (event.type:connection or type:dns) and (destination.port:53 or event.dataset:zeek.dns) 
+event.category:(network or network_traffic) and (event.type:connection or type:dns) and (destination.port:53 or event.dataset:zeek.dns)
 and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 169.254.169.254/32 or
   172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.251 or 224.0.0.252 or 255.255.255.255 or "::1" or "ff02::fb")
 '''
@@ -54,3 +55,4 @@ reference = "https://attack.mitre.org/techniques/T1043/"
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
+
diff --git a/rules/network/command_and_control_ftp_file_transfer_protocol_activity_to_the_internet.toml b/rules/network/command_and_control_ftp_file_transfer_protocol_activity_to_the_internet.toml
@@ -30,6 +30,7 @@ risk_score = 21
 rule_id = "87ec6396-9ac4-4706-bcf0-2ebb22002f43"
 severity = "low"
 tags = ["Elastic", "Network"]
+timeline_id = "5471edb0-c738-11ea-ba51-73504b186a82"
 type = "query"
 
 query = '''
@@ -63,3 +64,4 @@ reference = "https://attack.mitre.org/techniques/T1048/"
 id = "TA0010"
 name = "Exfiltration"
 reference = "https://attack.mitre.org/tactics/TA0010/"
+
diff --git a/...etwork/command_and_control_irc_internet_relay_chat_protocol_activity_to_the_internet.toml b/...etwork/command_and_control_irc_internet_relay_chat_protocol_activity_to_the_internet.toml
@@ -29,6 +29,7 @@ risk_score = 47
 rule_id = "c6474c34-4953-447a-903e-9fcb7b6661aa"
 severity = "medium"
 tags = ["Elastic", "Network"]
+timeline_id = "5471edb0-c738-11ea-ba51-73504b186a82"
 type = "query"
 
 query = '''
@@ -62,3 +63,4 @@ reference = "https://attack.mitre.org/techniques/T1048/"
 id = "TA0010"
 name = "Exfiltration"
 reference = "https://attack.mitre.org/tactics/TA0011/"
+
diff --git a/rules/network/command_and_control_nat_traversal_port_activity.toml b/rules/network/command_and_control_nat_traversal_port_activity.toml
@@ -28,6 +28,7 @@ risk_score = 21
 rule_id = "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7"
 severity = "low"
 tags = ["Elastic", "Network"]
+timeline_id = "5471edb0-c738-11ea-ba51-73504b186a82"
 type = "query"
 
 query = '''
@@ -47,3 +48,4 @@ reference = "https://attack.mitre.org/techniques/T1043/"
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
+
diff --git a/rules/network/command_and_control_port_26_activity.toml b/rules/network/command_and_control_port_26_activity.toml
@@ -29,6 +29,7 @@ risk_score = 21
 rule_id = "d7e62693-aab9-4f66-a21a-3d79ecdd603d"
 severity = "low"
 tags = ["Elastic", "Network"]
+timeline_id = "5471edb0-c738-11ea-ba51-73504b186a82"
 type = "query"
 
 query = '''
@@ -60,3 +61,4 @@ reference = "https://attack.mitre.org/techniques/T1048/"
 id = "TA0010"
 name = "Exfiltration"
 reference = "https://attack.mitre.org/tactics/TA0011/"
+
diff --git a/rules/network/command_and_control_port_8000_activity_to_the_internet.toml b/rules/network/command_and_control_port_8000_activity_to_the_internet.toml
@@ -28,6 +28,7 @@ risk_score = 21
 rule_id = "08d5d7e2-740f-44d8-aeda-e41f4263efaf"
 severity = "low"
 tags = ["Elastic", "Network"]
+timeline_id = "5471edb0-c738-11ea-ba51-73504b186a82"
 type = "query"
 
 query = '''
@@ -49,3 +50,4 @@ reference = "https://attack.mitre.org/techniques/T1043/"
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
+
diff --git a/rules/network/command_and_control_pptp_point_to_point_tunneling_protocol_activity.toml b/rules/network/command_and_control_pptp_point_to_point_tunneling_protocol_activity.toml
@@ -27,6 +27,7 @@ risk_score = 21
 rule_id = "d2053495-8fe7-4168-b3df-dad844046be3"
 severity = "low"
 tags = ["Elastic", "Network"]
+timeline_id = "5471edb0-c738-11ea-ba51-73504b186a82"
 type = "query"
 
 query = '''
@@ -46,3 +47,4 @@ reference = "https://attack.mitre.org/techniques/T1043/"
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
+
diff --git a/rules/network/command_and_control_proxy_port_activity_to_the_internet.toml b/rules/network/command_and_control_proxy_port_activity_to_the_internet.toml
@@ -15,11 +15,12 @@ false_positives = [
     """
     Some proxied applications may use these ports but this usually occurs in local traffic using private IPs which this
     rule does not match. Proxies are widely used as a security technology but in enterprise environments this is usually
-    local traffic which this rule does not match. If desired, internet proxy services using these ports can be added to allowlists. Some screen recording applications may use these ports. Proxy port activity involving an unusual source or
-    destination may be more suspicious. Some cloud environments may use this port when VPNs or direct connects are not
-    in use and cloud instances are accessed across the Internet. Because these ports are in the ephemeral range, this
-    rule may false under certain conditions such as when a NATed web server replies to a client which has used a port in
-    the range by coincidence. In this case, such servers can be excluded if desired.
+    local traffic which this rule does not match. If desired, internet proxy services using these ports can be added to
+    allowlists. Some screen recording applications may use these ports. Proxy port activity involving an unusual source
+    or destination may be more suspicious. Some cloud environments may use this port when VPNs or direct connects are
+    not in use and cloud instances are accessed across the Internet. Because these ports are in the ephemeral range,
+    this rule may false under certain conditions such as when a NATed web server replies to a client which has used a
+    port in the range by coincidence. In this case, such servers can be excluded if desired.
     """,
 ]
 index = ["filebeat-*", "packetbeat-*"]
@@ -30,6 +31,7 @@ risk_score = 47
 rule_id = "ad0e5e75-dd89-4875-8d0a-dfdc1828b5f3"
 severity = "medium"
 tags = ["Elastic", "Network"]
+timeline_id = "5471edb0-c738-11ea-ba51-73504b186a82"
 type = "query"
 
 query = '''
@@ -51,3 +53,4 @@ reference = "https://attack.mitre.org/techniques/T1043/"
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
+
diff --git a/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml b/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml
@@ -30,6 +30,7 @@ risk_score = 47
 rule_id = "8c1bdde8-4204-45c0-9e0c-c85ca3902488"
 severity = "medium"
 tags = ["Elastic", "Network"]
+timeline_id = "5471edb0-c738-11ea-ba51-73504b186a82"
 type = "query"
 
 query = '''
@@ -75,3 +76,4 @@ reference = "https://attack.mitre.org/techniques/T1190/"
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
+
diff --git a/rules/network/command_and_control_smtp_to_the_internet.toml b/rules/network/command_and_control_smtp_to_the_internet.toml
@@ -26,6 +26,7 @@ risk_score = 21
 rule_id = "67a9beba-830d-4035-bfe8-40b7e28f8ac4"
 severity = "low"
 tags = ["Elastic", "Network"]
+timeline_id = "5471edb0-c738-11ea-ba51-73504b186a82"
 type = "query"
 
 query = '''
@@ -59,3 +60,4 @@ reference = "https://attack.mitre.org/techniques/T1048/"
 id = "TA0010"
 name = "Exfiltration"
 reference = "https://attack.mitre.org/tactics/TA0010/"
+
diff --git a/rules/network/command_and_control_sql_server_port_activity_to_the_internet.toml b/rules/network/command_and_control_sql_server_port_activity_to_the_internet.toml
@@ -27,6 +27,7 @@ risk_score = 47
 rule_id = "139c7458-566a-410c-a5cd-f80238d6a5cd"
 severity = "medium"
 tags = ["Elastic", "Network"]
+timeline_id = "5471edb0-c738-11ea-ba51-73504b186a82"
 type = "query"
 
 query = '''
@@ -48,3 +49,4 @@ reference = "https://attack.mitre.org/techniques/T1043/"
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
+
diff --git a/rules/network/command_and_control_ssh_secure_shell_from_the_internet.toml b/rules/network/command_and_control_ssh_secure_shell_from_the_internet.toml
@@ -30,6 +30,7 @@ risk_score = 47
 rule_id = "ea0784f0-a4d7-4fea-ae86-4baaf27a6f17"
 severity = "medium"
 tags = ["Elastic", "Network"]
+timeline_id = "5471edb0-c738-11ea-ba51-73504b186a82"
 type = "query"
 
 query = '''
@@ -75,3 +76,4 @@ reference = "https://attack.mitre.org/techniques/T1190/"
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
+
diff --git a/rules/network/command_and_control_ssh_secure_shell_to_the_internet.toml b/rules/network/command_and_control_ssh_secure_shell_to_the_internet.toml
@@ -29,6 +29,7 @@ risk_score = 21
 rule_id = "6f1500bc-62d7-4eb9-8601-7485e87da2f4"
 severity = "low"
 tags = ["Elastic", "Network"]
+timeline_id = "5471edb0-c738-11ea-ba51-73504b186a82"
 type = "query"
 
 query = '''
@@ -50,3 +51,4 @@ reference = "https://attack.mitre.org/techniques/T1043/"
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
+
diff --git a/rules/network/command_and_control_telnet_port_activity.toml b/rules/network/command_and_control_telnet_port_activity.toml
@@ -29,6 +29,7 @@ risk_score = 47
 rule_id = "34fde489-94b0-4500-a76f-b8a157cf9269"
 severity = "medium"
 tags = ["Elastic", "Network"]
+timeline_id = "5471edb0-c738-11ea-ba51-73504b186a82"
 type = "query"
 
 query = '''
@@ -72,3 +73,4 @@ reference = "https://attack.mitre.org/techniques/T1190/"
 id = "TA0011"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0011/"
+
diff --git a/rules/network/command_and_control_tor_activity_to_the_internet.toml b/rules/network/command_and_control_tor_activity_to_the_internet.toml
@@ -27,6 +27,7 @@ risk_score = 47
 rule_id = "7d2c38d7-ede7-4bdf-b140-445906e6c540"
 severity = "medium"
 tags = ["Elastic", "Network"]
+timeline_id = "5471edb0-c738-11ea-ba51-73504b186a82"
 type = "query"
 
 query = '''
@@ -60,3 +61,4 @@ reference = "https://attack.mitre.org/techniques/T1188/"
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
+
diff --git a/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml b/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml
@@ -28,6 +28,7 @@ risk_score = 73
 rule_id = "5700cb81-df44-46aa-a5d7-337798f53eb8"
 severity = "high"
 tags = ["Elastic", "Network"]
+timeline_id = "5471edb0-c738-11ea-ba51-73504b186a82"
 type = "query"
 
 query = '''
@@ -61,3 +62,4 @@ reference = "https://attack.mitre.org/techniques/T1190/"
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
+
diff --git a/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml b/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml
@@ -28,6 +28,7 @@ risk_score = 47
 rule_id = "3ad49c61-7adc-42c1-b788-732eda2f5abf"
 severity = "medium"
 tags = ["Elastic", "Network"]
+timeline_id = "5471edb0-c738-11ea-ba51-73504b186a82"
 type = "query"
 
 query = '''
@@ -49,3 +50,4 @@ reference = "https://attack.mitre.org/techniques/T1219/"
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
+
diff --git a/rules/network/initial_access_rdp_remote_desktop_protocol_to_the_internet.toml b/rules/network/initial_access_rdp_remote_desktop_protocol_to_the_internet.toml
@@ -29,6 +29,7 @@ risk_score = 21
 rule_id = "e56993d2-759c-4120-984c-9ec9bb940fd5"
 severity = "low"
 tags = ["Elastic", "Network"]
+timeline_id = "5471edb0-c738-11ea-ba51-73504b186a82"
 type = "query"
 
 query = '''
@@ -62,3 +63,4 @@ reference = "https://attack.mitre.org/techniques/T1048/"
 id = "TA0010"
 name = "Exfiltration"
 reference = "https://attack.mitre.org/tactics/TA0010/"
+
diff --git a/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml b/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml
@@ -20,6 +20,7 @@ risk_score = 73
 rule_id = "143cb236-0956-4f42-a706-814bcaa0cf5a"
 severity = "high"
 tags = ["Elastic", "Network"]
+timeline_id = "5471edb0-c738-11ea-ba51-73504b186a82"
 type = "query"
 
 query = '''
@@ -41,3 +42,4 @@ reference = "https://attack.mitre.org/techniques/T1190/"
 id = "TA0011"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0011/"
+
diff --git a/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml b/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml
@@ -20,6 +20,7 @@ risk_score = 73
 rule_id = "32923416-763a-4531-bb35-f33b9232ecdb"
 severity = "high"
 tags = ["Elastic", "Network"]
+timeline_id = "5471edb0-c738-11ea-ba51-73504b186a82"
 type = "query"
 
 query = '''
@@ -41,3 +42,4 @@ reference = "https://attack.mitre.org/techniques/T1190/"
 id = "TA0011"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0011/"
+
diff --git a/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml b/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml
@@ -20,6 +20,7 @@ risk_score = 73
 rule_id = "c82b2bd8-d701-420c-ba43-f11a155b681a"
 severity = "high"
 tags = ["Elastic", "Network"]
+timeline_id = "5471edb0-c738-11ea-ba51-73504b186a82"
 type = "query"
 
 query = '''
@@ -53,3 +54,4 @@ reference = "https://attack.mitre.org/techniques/T1048/"
 id = "TA0010"
 name = "Exfiltration"
 reference = "https://attack.mitre.org/tactics/TA0010/"
+