diff --git a/rules/network/command_and_control_dns_directly_to_the_internet.toml b/rules/network/command_and_control_dns_directly_to_the_internet.toml
index ae1a0968aa9..71d17154fdb 100644
--- a/rules/network/command_and_control_dns_directly_to_the_internet.toml
+++ b/rules/network/command_and_control_dns_directly_to_the_internet.toml
@@ -33,10 +33,11 @@ risk_score = 47
 rule_id = "6ea71ff0-9e95-475b-9506-2580d1ce6154"
 severity = "medium"
 tags = ["Elastic", "Network"]
+timeline_id = "5471edb0-c738-11ea-ba51-73504b186a82"
 type = "query"
 query = '''
-event.category:(network or network_traffic) and (event.type:connection or type:dns) and (destination.port:53 or event.dataset:zeek.dns)
+event.category:(network or network_traffic) and (event.type:connection or type:dns) and (destination.port:53 or event.dataset:zeek.dns) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 169.254.169.254/32 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.251 or 224.0.0.252 or 255.255.255.255 or "::1" or "ff02::fb")
 '''
@@ -54,3 +55,4 @@ reference = "https://attack.mitre.org/techniques/T1043/"
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
+
diff --git a/rules/network/command_and_control_ftp_file_transfer_protocol_activity_to_the_internet.toml b/rules/network/command_and_control_ftp_file_transfer_protocol_activity_to_the_internet.toml
index afcbb5416ec..83487ff496a 100644
--- a/rules/network/command_and_control_ftp_file_transfer_protocol_activity_to_the_internet.toml
+++ b/rules/network/command_and_control_ftp_file_transfer_protocol_activity_to_the_internet.toml
@@ -30,6 +30,7 @@ risk_score = 21
 rule_id = "87ec6396-9ac4-4706-bcf0-2ebb22002f43"
 severity = "low"
 tags = ["Elastic", "Network"]
+timeline_id = "5471edb0-c738-11ea-ba51-73504b186a82"
 type = "query"
 query = '''
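Review bot: The two IPv6 entries in the new `not destination.ip:(... "::1" or "ff02::fb")` clause can never match, because the added `source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)` clause admits only IPv4 RFC 1918 sources and a flow has a single address family, so every IPv6 DNS event is dropped before the destination exclusion is evaluated. If IPv6 hosts are in scope the source list needs the ULA range, `source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or fc00::/7)`; otherwise the IPv6 exclusions are dead weight and should be removed so the query says what it does. The destination exclusion also omits RFC 6598 shared address space and all of link-local except the single metadata host, so a resolver on `100.64.0.0/10` or a cloud-provided resolver on `169.254.0.0/16` would be reported as "the internet" — adding `100.64.0.0/10 or 169.254.0.0/16` to the `not destination.ip` list is worth considering. Either way the new source filter makes the rule blind to internal hosts that carry publicly routable addresses, which should be stated in the rule's description or false_positives text (outside this hunk).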
@@ -63,3 +64,4 @@ reference = "https://attack.mitre.org/techniques/T1048/"
 id = "TA0010"
 name = "Exfiltration"
 reference = "https://attack.mitre.org/tactics/TA0010/"
+
diff --git a/rules/network/command_and_control_irc_internet_relay_chat_protocol_activity_to_the_internet.toml b/rules/network/command_and_control_irc_internet_relay_chat_protocol_activity_to_the_internet.toml
index 09ec11d311d..c094ae7654b 100644
--- a/rules/network/command_and_control_irc_internet_relay_chat_protocol_activity_to_the_internet.toml
+++ b/rules/network/command_and_control_irc_internet_relay_chat_protocol_activity_to_the_internet.toml
@@ -29,6 +29,7 @@ risk_score = 47
 rule_id = "c6474c34-4953-447a-903e-9fcb7b6661aa"
 severity = "medium"
 tags = ["Elastic", "Network"]
+timeline_id = "5471edb0-c738-11ea-ba51-73504b186a82"
 type = "query"
 query = '''
@@ -62,3 +63,4 @@ reference = "https://attack.mitre.org/techniques/T1048/"
 id = "TA0010"
 name = "Exfiltration"
 reference = "https://attack.mitre.org/tactics/TA0011/"
+
diff --git a/rules/network/command_and_control_nat_traversal_port_activity.toml b/rules/network/command_and_control_nat_traversal_port_activity.toml
index 1818d2ed8eb..2aa9e93295e 100644
--- a/rules/network/command_and_control_nat_traversal_port_activity.toml
+++ b/rules/network/command_and_control_nat_traversal_port_activity.toml
@@ -28,6 +28,7 @@ risk_score = 21
 rule_id = "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7"
 severity = "low"
 tags = ["Elastic", "Network"]
+timeline_id = "5471edb0-c738-11ea-ba51-73504b186a82"
 type = "query"
 query = '''
@@ -47,3 +48,4 @@ reference = "https://attack.mitre.org/techniques/T1043/"
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
+
diff --git a/rules/network/command_and_control_port_26_activity.toml b/rules/network/command_and_control_port_26_activity.toml
index 41d2fbf0f71..cd434655ada 100644
--- a/rules/network/command_and_control_port_26_activity.toml
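Review bot: The tactic block shown in the IRC rule's last hunk is internally inconsistent: `id = "TA0010"` and `name = "Exfiltration"` are paired with `reference = "https://attack.mitre.org/tactics/TA0011/"`, which is the Command and Control tactic page. The technique above it is T1048 (Exfiltration Over Alternative Protocol), so the id and name look right and the link is the odd one out; it should read `reference = "https://attack.mitre.org/tactics/TA0010/"`, as the FTP rule earlier in this diff already does. The commit only appends a trailing newline here, so the mismatch survives on the new side; the `[[rule.threat]]` table itself begins outside the hunk.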
+++ b/rules/network/command_and_control_port_26_activity.toml
@@ -29,6 +29,7 @@ risk_score = 21
 rule_id = "d7e62693-aab9-4f66-a21a-3d79ecdd603d"
 severity = "low"
 tags = ["Elastic", "Network"]
+timeline_id = "5471edb0-c738-11ea-ba51-73504b186a82"
 type = "query"
 query = '''
@@ -60,3 +61,4 @@ reference = "https://attack.mitre.org/techniques/T1048/"
 id = "TA0010"
 name = "Exfiltration"
 reference = "https://attack.mitre.org/tactics/TA0011/"
+
diff --git a/rules/network/command_and_control_port_8000_activity_to_the_internet.toml b/rules/network/command_and_control_port_8000_activity_to_the_internet.toml
index bbec1485cb8..87515a7906b 100644
--- a/rules/network/command_and_control_port_8000_activity_to_the_internet.toml
+++ b/rules/network/command_and_control_port_8000_activity_to_the_internet.toml
@@ -28,6 +28,7 @@ risk_score = 21
 rule_id = "08d5d7e2-740f-44d8-aeda-e41f4263efaf"
 severity = "low"
 tags = ["Elastic", "Network"]
+timeline_id = "5471edb0-c738-11ea-ba51-73504b186a82"
 type = "query"
 query = '''
@@ -49,3 +50,4 @@ reference = "https://attack.mitre.org/techniques/T1043/"
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
+
diff --git a/rules/network/command_and_control_pptp_point_to_point_tunneling_protocol_activity.toml b/rules/network/command_and_control_pptp_point_to_point_tunneling_protocol_activity.toml
index 81c86311426..fee59e1db74 100644
--- a/rules/network/command_and_control_pptp_point_to_point_tunneling_protocol_activity.toml
+++ b/rules/network/command_and_control_pptp_point_to_point_tunneling_protocol_activity.toml
@@ -27,6 +27,7 @@ risk_score = 21
 rule_id = "d2053495-8fe7-4168-b3df-dad844046be3"
 severity = "low"
 tags = ["Elastic", "Network"]
+timeline_id = "5471edb0-c738-11ea-ba51-73504b186a82"
 type = "query"
 query = '''
@@ -46,3 +47,4 @@ reference = "https://attack.mitre.org/techniques/T1043/"
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
+
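Review bot: In the port 26 rule's second hunk the tactic entry `id = "TA0010"` / `name = "Exfiltration"` points at `reference = "https://attack.mitre.org/tactics/TA0011/"`, the Command and Control page rather than the Exfiltration one. Given the technique in the hunk header is T1048 (Exfiltration Over Alternative Protocol), the fix is the link alone: `reference = "https://attack.mitre.org/tactics/TA0010/"`. This hunk only adds a trailing newline, so the inconsistency is carried forward unchanged, and the enclosing `[[rule.threat]]` table starts outside the hunk.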
diff --git a/rules/network/command_and_control_proxy_port_activity_to_the_internet.toml b/rules/network/command_and_control_proxy_port_activity_to_the_internet.toml
index 03460c0e4d2..272c4aee893 100644
--- a/rules/network/command_and_control_proxy_port_activity_to_the_internet.toml
+++ b/rules/network/command_and_control_proxy_port_activity_to_the_internet.toml
@@ -15,11 +15,12 @@ false_positives = [
 """
 Some proxied applications may use these ports but this usually occurs in local traffic using private IPs which this rule does not match. Proxies are widely used as a security technology but in enterprise environments this is usually
- local traffic which this rule does not match. If desired, internet proxy services using these ports can be added to allowlists. Some screen recording applications may use these ports. Proxy port activity involving an unusual source or
- destination may be more suspicious. Some cloud environments may use this port when VPNs or direct connects are not
- in use and cloud instances are accessed across the Internet. Because these ports are in the ephemeral range, this
- rule may false under certain conditions such as when a NATed web server replies to a client which has used a port in
- the range by coincidence. In this case, such servers can be excluded if desired.
+ local traffic which this rule does not match. If desired, internet proxy services using these ports can be added to
+ allowlists. Some screen recording applications may use these ports. Proxy port activity involving an unusual source
+ or destination may be more suspicious. Some cloud environments may use this port when VPNs or direct connects are
+ not in use and cloud instances are accessed across the Internet. Because these ports are in the ephemeral range,
+ this rule may false under certain conditions such as when a NATed web server replies to a client which has used a
+ port in the range by coincidence. In this case, such servers can be excluded if desired.
 """,
 ]
 index = ["filebeat-*", "packetbeat-*"]
@@ -30,6 +31,7 @@ risk_score = 47
 rule_id = "ad0e5e75-dd89-4875-8d0a-dfdc1828b5f3"
 severity = "medium"
 tags = ["Elastic", "Network"]
+timeline_id = "5471edb0-c738-11ea-ba51-73504b186a82"
 type = "query"
 query = '''
@@ -51,3 +53,4 @@ reference = "https://attack.mitre.org/techniques/T1043/"
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
+
diff --git a/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml b/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml
index aab6c7e029e..5f847f8cfef 100644
--- a/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml
+++ b/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml
@@ -30,6 +30,7 @@ risk_score = 47
 rule_id = "8c1bdde8-4204-45c0-9e0c-c85ca3902488"
 severity = "medium"
 tags = ["Elastic", "Network"]
+timeline_id = "5471edb0-c738-11ea-ba51-73504b186a82"
 type = "query"
 query = '''
@@ -75,3 +76,4 @@ reference = "https://attack.mitre.org/techniques/T1190/"
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
+
diff --git a/rules/network/command_and_control_smtp_to_the_internet.toml b/rules/network/command_and_control_smtp_to_the_internet.toml
index d6a4be6aef0..f2b22f09212 100644
--- a/rules/network/command_and_control_smtp_to_the_internet.toml
+++ b/rules/network/command_and_control_smtp_to_the_internet.toml
@@ -26,6 +26,7 @@ risk_score = 21
 rule_id = "67a9beba-830d-4035-bfe8-40b7e28f8ac4"
 severity = "low"
 tags = ["Elastic", "Network"]
+timeline_id = "5471edb0-c738-11ea-ba51-73504b186a82"
 type = "query"
 query = '''
@@ -59,3 +60,4 @@ reference = "https://attack.mitre.org/techniques/T1048/"
 id = "TA0010"
 name = "Exfiltration"
 reference = "https://attack.mitre.org/tactics/TA0010/"
+
diff --git a/rules/network/command_and_control_sql_server_port_activity_to_the_internet.toml b/rules/network/command_and_control_sql_server_port_activity_to_the_internet.toml
index 9ed68e477b6..546f2deab6b 100644
--- a/rules/network/command_and_control_sql_server_port_activity_to_the_internet.toml
+++ b/rules/network/command_and_control_sql_server_port_activity_to_the_internet.toml
@@ -27,6 +27,7 @@ risk_score = 47
 rule_id = "139c7458-566a-410c-a5cd-f80238d6a5cd"
 severity = "medium"
 tags = ["Elastic", "Network"]
+timeline_id = "5471edb0-c738-11ea-ba51-73504b186a82"
 type = "query"
 query = '''
@@ -48,3 +49,4 @@ reference = "https://attack.mitre.org/techniques/T1043/"
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
+
diff --git a/rules/network/command_and_control_ssh_secure_shell_from_the_internet.toml b/rules/network/command_and_control_ssh_secure_shell_from_the_internet.toml
index 5cd842bba3b..5b215f77792 100644
--- a/rules/network/command_and_control_ssh_secure_shell_from_the_internet.toml
+++ b/rules/network/command_and_control_ssh_secure_shell_from_the_internet.toml
@@ -30,6 +30,7 @@ risk_score = 47
 rule_id = "ea0784f0-a4d7-4fea-ae86-4baaf27a6f17"
 severity = "medium"
 tags = ["Elastic", "Network"]
+timeline_id = "5471edb0-c738-11ea-ba51-73504b186a82"
 type = "query"
 query = '''
@@ -75,3 +76,4 @@ reference = "https://attack.mitre.org/techniques/T1190/"
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
+
diff --git a/rules/network/command_and_control_ssh_secure_shell_to_the_internet.toml b/rules/network/command_and_control_ssh_secure_shell_to_the_internet.toml
index 733a2ea2ac6..14ea9d5d3ec 100644
--- a/rules/network/command_and_control_ssh_secure_shell_to_the_internet.toml
+++ b/rules/network/command_and_control_ssh_secure_shell_to_the_internet.toml
@@ -29,6 +29,7 @@ risk_score = 21
 rule_id = "6f1500bc-62d7-4eb9-8601-7485e87da2f4"
 severity = "low"
 tags = ["Elastic", "Network"]
+timeline_id = "5471edb0-c738-11ea-ba51-73504b186a82"
 type = "query"
 query = '''
@@ -50,3 +51,4 @@ reference = "https://attack.mitre.org/techniques/T1043/"
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
+
diff --git a/rules/network/command_and_control_telnet_port_activity.toml b/rules/network/command_and_control_telnet_port_activity.toml
index cb01228c467..8bc7a0ac243 100644
--- a/rules/network/command_and_control_telnet_port_activity.toml
+++ b/rules/network/command_and_control_telnet_port_activity.toml
@@ -29,6 +29,7 @@ risk_score = 47
 rule_id = "34fde489-94b0-4500-a76f-b8a157cf9269"
 severity = "medium"
 tags = ["Elastic", "Network"]
+timeline_id = "5471edb0-c738-11ea-ba51-73504b186a82"
 type = "query"
 query = '''
@@ -72,3 +73,4 @@ reference = "https://attack.mitre.org/techniques/T1190/"
 id = "TA0011"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0011/"
+
diff --git a/rules/network/command_and_control_tor_activity_to_the_internet.toml b/rules/network/command_and_control_tor_activity_to_the_internet.toml
index c65541dd669..2fd5937305c 100644
--- a/rules/network/command_and_control_tor_activity_to_the_internet.toml
+++ b/rules/network/command_and_control_tor_activity_to_the_internet.toml
@@ -27,6 +27,7 @@ risk_score = 47
 rule_id = "7d2c38d7-ede7-4bdf-b140-445906e6c540"
 severity = "medium"
 tags = ["Elastic", "Network"]
+timeline_id = "5471edb0-c738-11ea-ba51-73504b186a82"
 type = "query"
 query = '''
@@ -60,3 +61,4 @@ reference = "https://attack.mitre.org/techniques/T1188/"
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
+
diff --git a/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml b/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml
index 88a7705e71d..3b5e087b10a 100644
--- a/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml
+++ b/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml
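Review bot: The telnet rule's tactic block is mis-tagged: `id = "TA0011"` and `reference = "https://attack.mitre.org/tactics/TA0011/"` identify Command and Control, but `name = "Initial Access"` and the T1190 technique in the hunk header belong to tactic TA0001. Both values should change, `id = "TA0001"` and `reference = "https://attack.mitre.org/tactics/TA0001/"`, which is exactly what the SSH- and RDP-from-the-internet rules earlier in this diff use for the same technique. Anything that filters or counts alerts by tactic id will file this rule under the wrong tactic until it is fixed; the hunk only adds a trailing newline, and the `[[rule.threat]]` table begins outside it.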
@@ -28,6 +28,7 @@ risk_score = 73
 rule_id = "5700cb81-df44-46aa-a5d7-337798f53eb8"
 severity = "high"
 tags = ["Elastic", "Network"]
+timeline_id = "5471edb0-c738-11ea-ba51-73504b186a82"
 type = "query"
 query = '''
@@ -61,3 +62,4 @@ reference = "https://attack.mitre.org/techniques/T1190/"
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
+
diff --git a/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml b/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml
index bd2fd6ae244..2eb53e0d26f 100644
--- a/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml
+++ b/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml
@@ -28,6 +28,7 @@ risk_score = 47
 rule_id = "3ad49c61-7adc-42c1-b788-732eda2f5abf"
 severity = "medium"
 tags = ["Elastic", "Network"]
+timeline_id = "5471edb0-c738-11ea-ba51-73504b186a82"
 type = "query"
 query = '''
@@ -49,3 +50,4 @@ reference = "https://attack.mitre.org/techniques/T1219/"
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
+
diff --git a/rules/network/initial_access_rdp_remote_desktop_protocol_to_the_internet.toml b/rules/network/initial_access_rdp_remote_desktop_protocol_to_the_internet.toml
index dbb30e282b1..e4dd061f0be 100644
--- a/rules/network/initial_access_rdp_remote_desktop_protocol_to_the_internet.toml
+++ b/rules/network/initial_access_rdp_remote_desktop_protocol_to_the_internet.toml
@@ -29,6 +29,7 @@ risk_score = 21
 rule_id = "e56993d2-759c-4120-984c-9ec9bb940fd5"
 severity = "low"
 tags = ["Elastic", "Network"]
+timeline_id = "5471edb0-c738-11ea-ba51-73504b186a82"
 type = "query"
 query = '''
@@ -62,3 +63,4 @@ reference = "https://attack.mitre.org/techniques/T1048/"
 id = "TA0010"
 name = "Exfiltration"
 reference = "https://attack.mitre.org/tactics/TA0010/"
+
diff --git a/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml b/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml
index a0a6c27e789..9f02aa28443 100644
--- a/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml
+++ b/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml
@@ -20,6 +20,7 @@ risk_score = 73
 rule_id = "143cb236-0956-4f42-a706-814bcaa0cf5a"
 severity = "high"
 tags = ["Elastic", "Network"]
+timeline_id = "5471edb0-c738-11ea-ba51-73504b186a82"
 type = "query"
 query = '''
@@ -41,3 +42,4 @@ reference = "https://attack.mitre.org/techniques/T1190/"
 id = "TA0011"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0011/"
+
diff --git a/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml b/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml
index e17dc9174c4..8237190d717 100644
--- a/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml
+++ b/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml
@@ -20,6 +20,7 @@ risk_score = 73
 rule_id = "32923416-763a-4531-bb35-f33b9232ecdb"
 severity = "high"
 tags = ["Elastic", "Network"]
+timeline_id = "5471edb0-c738-11ea-ba51-73504b186a82"
 type = "query"
 query = '''
@@ -41,3 +42,4 @@ reference = "https://attack.mitre.org/techniques/T1190/"
 id = "TA0011"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0011/"
+
diff --git a/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml b/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml
index 43b30d89fe6..33da021198f 100644
--- a/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml
+++ b/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml
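Review bot: In the RPC-from-the-internet rule's second hunk the tactic is labelled `name = "Initial Access"` but carries `id = "TA0011"` and `reference = "https://attack.mitre.org/tactics/TA0011/"`, which are the Command and Control identifiers; Initial Access is TA0001, consistent with the T1190 technique named in the hunk header and with the `id = "TA0001"` blocks of the SSH, RDP and VNC from-the-internet rules in this same diff. The fix is `id = "TA0001"` and `reference = "https://attack.mitre.org/tactics/TA0001/"`. The commit touches this hunk only to add a trailing newline, so the wrong ids stay on the new side; the `[[rule.threat]]` table opens outside the hunk.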
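Review bot: The RPC-to-the-internet rule repeats the same tactic mislabel as its from-the-internet sibling: `id = "TA0011"` and the TA0011 tactic link are paired with `name = "Initial Access"`, whose MITRE id is TA0001. Change both lines to `id = "TA0001"` and `reference = "https://attack.mitre.org/tactics/TA0001/"` so the id, name, link and the T1190 technique above them agree. Because this hunk only appends a newline, the inconsistency is unchanged on the new side, and the enclosing `[[rule.threat]]` table starts before the hunk.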
@@ -20,6 +20,7 @@ risk_score = 73
 rule_id = "c82b2bd8-d701-420c-ba43-f11a155b681a"
 severity = "high"
 tags = ["Elastic", "Network"]
+timeline_id = "5471edb0-c738-11ea-ba51-73504b186a82"
 type = "query"
 query = '''
@@ -53,3 +54,4 @@ reference = "https://attack.mitre.org/techniques/T1048/"
 id = "TA0010"
 name = "Exfiltration"
 reference = "https://attack.mitre.org/tactics/TA0010/"
+