From 28fa873d21af1a81273e0465d6839df4434e03d9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Felix=20St=C3=BCrmer?= Date: Thu, 18 Feb 2021 11:52:14 +0100 Subject: [PATCH 01/15] [Logs UI] Wrap log stream embeddable with proper providers (#91725) This declares the correct dependencies for the `LogStreamEmbeddable` and replaces parts of the custom provider hierarchy used therein with the common Logs UI `CoreProviders`. --- .../infra/public/apps/common_providers.tsx | 6 ++-- .../log_stream/log_stream_embeddable.tsx | 34 +++++++++---------- .../log_stream_embeddable_factory.ts | 13 +++---- x-pack/plugins/infra/public/plugin.ts | 4 +-- 4 files changed, 27 insertions(+), 30 deletions(-) diff --git a/x-pack/plugins/infra/public/apps/common_providers.tsx b/x-pack/plugins/infra/public/apps/common_providers.tsx index 972c6f8b14f8c4..64867c5743d0d4 100644 --- a/x-pack/plugins/infra/public/apps/common_providers.tsx +++ b/x-pack/plugins/infra/public/apps/common_providers.tsx @@ -7,18 +7,18 @@ import { AppMountParameters, CoreStart } from 'kibana/public'; import React, { useMemo } from 'react'; +import { EuiThemeProvider } from '../../../../../src/plugins/kibana_react/common'; import { - useUiSetting$, KibanaContextProvider, + useUiSetting$, } from '../../../../../src/plugins/kibana_react/public'; -import { EuiThemeProvider } from '../../../../../src/plugins/kibana_react/common'; +import { Storage } from '../../../../../src/plugins/kibana_utils/public'; import { TriggersAndActionsUIPublicPluginStart } from '../../../triggers_actions_ui/public'; import { createKibanaContextForPlugin } from '../hooks/use_kibana'; import { InfraClientStartDeps } from '../types'; import { HeaderActionMenuProvider } from '../utils/header_action_menu_provider'; import { NavigationWarningPromptProvider } from '../utils/navigation_warning_prompt'; import { TriggersActionsProvider } from '../utils/triggers_actions_context'; -import { Storage } from '../../../../../src/plugins/kibana_utils/public'; export const CommonInfraProviders: React.FC<{ appName: string; diff --git a/x-pack/plugins/infra/public/components/log_stream/log_stream_embeddable.tsx b/x-pack/plugins/infra/public/components/log_stream/log_stream_embeddable.tsx index 766b8076bc93dc..e1427bc96e7e0b 100644 --- a/x-pack/plugins/infra/public/components/log_stream/log_stream_embeddable.tsx +++ b/x-pack/plugins/infra/public/components/log_stream/log_stream_embeddable.tsx @@ -5,19 +5,18 @@ * 2.0. */ +import { CoreStart } from 'kibana/public'; import React from 'react'; import ReactDOM from 'react-dom'; -import { CoreStart } from 'kibana/public'; - -import { I18nProvider } from '@kbn/i18n/react'; -import { KibanaContextProvider } from '../../../../../../src/plugins/kibana_react/public'; -import { EuiThemeProvider } from '../../../../../../src/plugins/kibana_react/common'; import { Query, TimeRange } from '../../../../../../src/plugins/data/public'; import { Embeddable, EmbeddableInput, IContainer, } from '../../../../../../src/plugins/embeddable/public'; +import { EuiThemeProvider } from '../../../../../../src/plugins/kibana_react/common'; +import { CoreProviders } from '../../apps/common_providers'; +import { InfraClientStartDeps } from '../../types'; import { datemathToEpochMillis } from '../../utils/datemath'; import { LazyLogStreamWrapper } from './lazy_log_stream_wrapper'; @@ -33,7 +32,8 @@ export class LogStreamEmbeddable extends Embeddable { private node?: HTMLElement; constructor( - private services: CoreStart, + private core: CoreStart, + private pluginDeps: InfraClientStartDeps, initialInput: LogStreamEmbeddableInput, parent?: IContainer ) { @@ -73,20 +73,18 @@ export class LogStreamEmbeddable extends Embeddable { } ReactDOM.render( - + - -
- -
- +
+ +
- , + , this.node ); } diff --git a/x-pack/plugins/infra/public/components/log_stream/log_stream_embeddable_factory.ts b/x-pack/plugins/infra/public/components/log_stream/log_stream_embeddable_factory.ts index 609a29e5842fe2..d621cae3e628cb 100644 --- a/x-pack/plugins/infra/public/components/log_stream/log_stream_embeddable_factory.ts +++ b/x-pack/plugins/infra/public/components/log_stream/log_stream_embeddable_factory.ts @@ -5,31 +5,32 @@ * 2.0. */ -import { CoreStart } from 'kibana/public'; +import { StartServicesAccessor } from 'kibana/public'; import { EmbeddableFactoryDefinition, IContainer, } from '../../../../../../src/plugins/embeddable/public'; +import { InfraClientStartDeps } from '../../types'; import { LogStreamEmbeddable, - LOG_STREAM_EMBEDDABLE, LogStreamEmbeddableInput, + LOG_STREAM_EMBEDDABLE, } from './log_stream_embeddable'; export class LogStreamEmbeddableFactoryDefinition implements EmbeddableFactoryDefinition { public readonly type = LOG_STREAM_EMBEDDABLE; - constructor(private getCoreServices: () => Promise) {} + constructor(private getStartServices: StartServicesAccessor) {} public async isEditable() { - const { application } = await this.getCoreServices(); + const [{ application }] = await this.getStartServices(); return application.capabilities.logs.save as boolean; } public async create(initialInput: LogStreamEmbeddableInput, parent?: IContainer) { - const services = await this.getCoreServices(); - return new LogStreamEmbeddable(services, initialInput, parent); + const [core, plugins] = await this.getStartServices(); + return new LogStreamEmbeddable(core, plugins, initialInput, parent); } public getDisplayName() { diff --git a/x-pack/plugins/infra/public/plugin.ts b/x-pack/plugins/infra/public/plugin.ts index d4bb83e8668ba5..07afbfdb5d4ed6 100644 --- a/x-pack/plugins/infra/public/plugin.ts +++ b/x-pack/plugins/infra/public/plugin.ts @@ -52,11 +52,9 @@ export class Plugin implements InfraClientPluginClass { }); } - const getCoreServices = async () => (await core.getStartServices())[0]; - pluginsSetup.embeddable.registerEmbeddableFactory( LOG_STREAM_EMBEDDABLE, - new LogStreamEmbeddableFactoryDefinition(getCoreServices) + new LogStreamEmbeddableFactoryDefinition(core.getStartServices) ); core.application.register({ From 1e3b13a55c2799878fa96bde878b8d8ac61cdd98 Mon Sep 17 00:00:00 2001 From: Christos Nasikas Date: Thu, 18 Feb 2021 14:02:43 +0200 Subject: [PATCH 02/15] [Security Solution][Case] Add the ability to mark cases in progress in cases table. (#89341) --- .../integration/cases/creation.spec.ts | 6 +- .../cypress/screens/all_cases.ts | 6 +- .../cases/components/all_cases/actions.tsx | 81 ++++++++++------ .../cases/components/all_cases/index.test.tsx | 43 +++++++++ .../cases/components/bulk_actions/index.tsx | 95 +++++++++++++------ .../components/bulk_actions/translations.ts | 14 --- .../components/property_actions/constants.ts | 8 -- .../cases/components/status/button.test.tsx | 4 +- .../public/cases/components/status/button.tsx | 2 +- .../public/cases/components/status/config.ts | 43 ++++++++- .../cases/components/status/translations.ts | 28 ++++++ .../public/cases/containers/translations.ts | 15 ++- .../cases/containers/use_bulk_update_case.tsx | 30 +++++- .../public/cases/translations.ts | 4 + 14 files changed, 279 insertions(+), 100 deletions(-) delete mode 100644 x-pack/plugins/security_solution/public/cases/components/property_actions/constants.ts diff --git a/x-pack/plugins/security_solution/cypress/integration/cases/creation.spec.ts b/x-pack/plugins/security_solution/cypress/integration/cases/creation.spec.ts index 5a2cf5408b04de..64ce6be9ec457b 100644 --- a/x-pack/plugins/security_solution/cypress/integration/cases/creation.spec.ts +++ b/x-pack/plugins/security_solution/cypress/integration/cases/creation.spec.ts @@ -8,11 +8,10 @@ import { case1 } from '../../objects/case'; import { - ALL_CASES_CLOSE_ACTION, ALL_CASES_CLOSED_CASES_STATS, ALL_CASES_COMMENTS_COUNT, - ALL_CASES_DELETE_ACTION, ALL_CASES_IN_PROGRESS_CASES_STATS, + ALL_CASES_ITEM_ACTIONS_BTN, ALL_CASES_NAME, ALL_CASES_OPEN_CASES_COUNT, ALL_CASES_OPEN_CASES_STATS, @@ -91,8 +90,7 @@ describe('Cases', () => { cy.get(ALL_CASES_COMMENTS_COUNT).should('have.text', '0'); cy.get(ALL_CASES_OPENED_ON).should('include.text', 'ago'); cy.get(ALL_CASES_SERVICE_NOW_INCIDENT).should('have.text', 'Not pushed'); - cy.get(ALL_CASES_DELETE_ACTION).should('exist'); - cy.get(ALL_CASES_CLOSE_ACTION).should('exist'); + cy.get(ALL_CASES_ITEM_ACTIONS_BTN).should('exist'); goToCaseDetails(); diff --git a/x-pack/plugins/security_solution/cypress/screens/all_cases.ts b/x-pack/plugins/security_solution/cypress/screens/all_cases.ts index 06d1a9fca91c67..e9c5ff89dd8c4b 100644 --- a/x-pack/plugins/security_solution/cypress/screens/all_cases.ts +++ b/x-pack/plugins/security_solution/cypress/screens/all_cases.ts @@ -9,8 +9,6 @@ export const ALL_CASES_CASE = (id: string) => { return `[data-test-subj="cases-table-row-${id}"]`; }; -export const ALL_CASES_CLOSE_ACTION = '[data-test-subj="action-close"]'; - export const ALL_CASES_CLOSED_CASES_STATS = '[data-test-subj="closedStatsHeader"]'; export const ALL_CASES_COMMENTS_COUNT = '[data-test-subj="case-table-column-commentCount"]'; @@ -19,10 +17,10 @@ export const ALL_CASES_CREATE_NEW_CASE_BTN = '[data-test-subj="createNewCaseBtn" export const ALL_CASES_CREATE_NEW_CASE_TABLE_BTN = '[data-test-subj="cases-table-add-case"]'; -export const ALL_CASES_DELETE_ACTION = '[data-test-subj="action-delete"]'; - export const ALL_CASES_IN_PROGRESS_CASES_STATS = '[data-test-subj="inProgressStatsHeader"]'; +export const ALL_CASES_ITEM_ACTIONS_BTN = '[data-test-subj="euiCollapsedItemActionsButton"]'; + export const ALL_CASES_NAME = '[data-test-subj="case-details-link"]'; export const ALL_CASES_OPEN_CASES_COUNT = '[data-test-subj="case-status-filter"]'; diff --git a/x-pack/plugins/security_solution/public/cases/components/all_cases/actions.tsx b/x-pack/plugins/security_solution/public/cases/components/all_cases/actions.tsx index 8178e7e9f9e8f8..66563deae54227 100644 --- a/x-pack/plugins/security_solution/public/cases/components/all_cases/actions.tsx +++ b/x-pack/plugins/security_solution/public/cases/components/all_cases/actions.tsx @@ -11,6 +11,7 @@ import { DefaultItemIconButtonAction } from '@elastic/eui/src/components/basic_t import { CaseStatuses } from '../../../../../case/common/api'; import { Case, SubCase } from '../../containers/types'; import { UpdateCase } from '../../containers/use_get_cases'; +import { statuses } from '../status'; import * as i18n from './translations'; interface GetActions { @@ -26,43 +27,67 @@ export const getActions = ({ caseStatus, dispatchUpdate, deleteCaseOnClick, -}: GetActions): Array> => [ - { - description: i18n.DELETE_CASE, - icon: 'trash', - name: i18n.DELETE_CASE, - onClick: deleteCaseOnClick, - type: 'icon', - 'data-test-subj': 'action-delete', - }, - { - available: (item) => caseStatus === CaseStatuses.open && !hasSubCases(item.subCases), - description: i18n.CLOSE_CASE, - icon: 'folderCheck', - name: i18n.CLOSE_CASE, +}: GetActions): Array> => { + const openCaseAction = { + available: (item: Case) => caseStatus !== CaseStatuses.open && !hasSubCases(item.subCases), + description: statuses[CaseStatuses.open].actions.single.title, + icon: statuses[CaseStatuses.open].icon, + name: statuses[CaseStatuses.open].actions.single.title, onClick: (theCase: Case) => dispatchUpdate({ updateKey: 'status', - updateValue: CaseStatuses.closed, + updateValue: CaseStatuses.open, caseId: theCase.id, version: theCase.version, }), - type: 'icon', - 'data-test-subj': 'action-close', - }, - { - available: (item) => caseStatus !== CaseStatuses.open && !hasSubCases(item.subCases), - description: i18n.REOPEN_CASE, - icon: 'folderExclamation', - name: i18n.REOPEN_CASE, + type: 'icon' as const, + 'data-test-subj': 'action-open', + }; + + const makeInProgressAction = { + available: (item: Case) => + caseStatus !== CaseStatuses['in-progress'] && !hasSubCases(item.subCases), + description: statuses[CaseStatuses['in-progress']].actions.single.title, + icon: statuses[CaseStatuses['in-progress']].icon, + name: statuses[CaseStatuses['in-progress']].actions.single.title, onClick: (theCase: Case) => dispatchUpdate({ updateKey: 'status', - updateValue: CaseStatuses.open, + updateValue: CaseStatuses['in-progress'], caseId: theCase.id, version: theCase.version, }), - type: 'icon', - 'data-test-subj': 'action-open', - }, -]; + type: 'icon' as const, + 'data-test-subj': 'action-in-progress', + }; + + const closeCaseAction = { + available: (item: Case) => caseStatus !== CaseStatuses.closed && !hasSubCases(item.subCases), + description: statuses[CaseStatuses.closed].actions.single.title, + icon: statuses[CaseStatuses.closed].icon, + name: statuses[CaseStatuses.closed].actions.single.title, + onClick: (theCase: Case) => + dispatchUpdate({ + updateKey: 'status', + updateValue: CaseStatuses.closed, + caseId: theCase.id, + version: theCase.version, + }), + type: 'icon' as const, + 'data-test-subj': 'action-close', + }; + + return [ + { + description: i18n.DELETE_CASE, + icon: 'trash', + name: i18n.DELETE_CASE, + onClick: deleteCaseOnClick, + type: 'icon', + 'data-test-subj': 'action-delete', + }, + openCaseAction, + makeInProgressAction, + closeCaseAction, + ]; +}; diff --git a/x-pack/plugins/security_solution/public/cases/components/all_cases/index.test.tsx b/x-pack/plugins/security_solution/public/cases/components/all_cases/index.test.tsx index a44ccd2384843c..a145bdf117813e 100644 --- a/x-pack/plugins/security_solution/public/cases/components/all_cases/index.test.tsx +++ b/x-pack/plugins/security_solution/public/cases/components/all_cases/index.test.tsx @@ -281,6 +281,7 @@ describe('AllCases', () => { ); await waitFor(() => { + wrapper.find('[data-test-subj="euiCollapsedItemActionsButton"]').first().simulate('click'); wrapper.find('[data-test-subj="action-close"]').first().simulate('click'); const firstCase = useGetCasesMockState.data.cases[0]; expect(dispatchUpdateCaseProperty).toBeCalledWith({ @@ -305,6 +306,7 @@ describe('AllCases', () => { ); await waitFor(() => { + wrapper.find('[data-test-subj="euiCollapsedItemActionsButton"]').first().simulate('click'); wrapper.find('[data-test-subj="action-open"]').first().simulate('click'); const firstCase = useGetCasesMockState.data.cases[0]; expect(dispatchUpdateCaseProperty).toBeCalledWith({ @@ -317,6 +319,26 @@ describe('AllCases', () => { }); }); + it('put case in progress when row action icon clicked', async () => { + const wrapper = mount( + + + + ); + await waitFor(() => { + wrapper.find('[data-test-subj="euiCollapsedItemActionsButton"]').first().simulate('click'); + wrapper.find('[data-test-subj="action-in-progress"]').first().simulate('click'); + const firstCase = useGetCasesMockState.data.cases[0]; + expect(dispatchUpdateCaseProperty).toBeCalledWith({ + caseId: firstCase.id, + updateKey: 'status', + updateValue: CaseStatuses['in-progress'], + refetchCasesStatus: fetchCasesStatus, + version: firstCase.version, + }); + }); + }); + it('Bulk delete', async () => { useGetCasesMock.mockReturnValue({ ...defaultGetCases, @@ -395,6 +417,27 @@ describe('AllCases', () => { }); }); + it('Bulk in-progress status update', async () => { + useGetCasesMock.mockReturnValue({ + ...defaultGetCases, + selectedCases: useGetCasesMockState.data.cases, + }); + + const wrapper = mount( + + + + ); + await waitFor(() => { + wrapper.find('[data-test-subj="case-table-bulk-actions"] button').first().simulate('click'); + wrapper.find('[data-test-subj="cases-bulk-in-progress-button"]').first().simulate('click'); + expect(updateBulkStatus).toBeCalledWith( + useGetCasesMockState.data.cases, + CaseStatuses['in-progress'] + ); + }); + }); + it('isDeleted is true, refetch', async () => { useDeleteCasesMock.mockReturnValue({ ...defaultDeleteCases, diff --git a/x-pack/plugins/security_solution/public/cases/components/bulk_actions/index.tsx b/x-pack/plugins/security_solution/public/cases/components/bulk_actions/index.tsx index f9722b3903b122..ec3b391cdcbfee 100644 --- a/x-pack/plugins/security_solution/public/cases/components/bulk_actions/index.tsx +++ b/x-pack/plugins/security_solution/public/cases/components/bulk_actions/index.tsx @@ -9,10 +9,11 @@ import React from 'react'; import { EuiContextMenuItem } from '@elastic/eui'; import { CaseStatuses } from '../../../../../case/common/api'; +import { statuses } from '../status'; import * as i18n from './translations'; interface GetBulkItems { - caseStatus: string; + caseStatus: CaseStatuses; closePopover: () => void; deleteCasesAction: (cases: string[]) => void; selectedCaseIds: string[]; @@ -26,34 +27,72 @@ export const getBulkItems = ({ selectedCaseIds, updateCaseStatus, }: GetBulkItems) => { + let statusMenuItems: JSX.Element[] = []; + + const openMenuItem = ( + { + closePopover(); + updateCaseStatus(CaseStatuses.open); + }} + > + {statuses[CaseStatuses.open].actions.bulk.title} + + ); + + const inProgressMenuItem = ( + { + closePopover(); + updateCaseStatus(CaseStatuses['in-progress']); + }} + > + {statuses[CaseStatuses['in-progress']].actions.bulk.title} + + ); + + const closeMenuItem = ( + { + closePopover(); + updateCaseStatus(CaseStatuses.closed); + }} + > + {statuses[CaseStatuses.closed].actions.bulk.title} + + ); + + switch (caseStatus) { + case CaseStatuses.open: + statusMenuItems = [inProgressMenuItem, closeMenuItem]; + break; + + case CaseStatuses['in-progress']: + statusMenuItems = [openMenuItem, closeMenuItem]; + break; + + case CaseStatuses.closed: + statusMenuItems = [openMenuItem, inProgressMenuItem]; + break; + + default: + break; + } + return [ - caseStatus === CaseStatuses.open ? ( - { - closePopover(); - updateCaseStatus(CaseStatuses.closed); - }} - > - {i18n.BULK_ACTION_CLOSE_SELECTED} - - ) : ( - { - closePopover(); - updateCaseStatus(CaseStatuses.open); - }} - > - {i18n.BULK_ACTION_OPEN_SELECTED} - - ), + ...statusMenuItems, { expect( wrapper.find(`[data-test-subj="case-view-status-action-button"]`).first().prop('iconType') - ).toBe('folderCheck'); + ).toBe('folderClosed'); }); it('it renders the correct button icon: status closed', () => { @@ -50,7 +50,7 @@ describe('StatusActionButton', () => { expect( wrapper.find(`[data-test-subj="case-view-status-action-button"]`).first().prop('iconType') - ).toBe('folderCheck'); + ).toBe('folderOpen'); }); }); diff --git a/x-pack/plugins/security_solution/public/cases/components/status/button.tsx b/x-pack/plugins/security_solution/public/cases/components/status/button.tsx index 2ec0ccd245b1ef..4ee69766fe1287 100644 --- a/x-pack/plugins/security_solution/public/cases/components/status/button.tsx +++ b/x-pack/plugins/security_solution/public/cases/components/status/button.tsx @@ -40,7 +40,7 @@ const StatusActionButtonComponent: React.FC = ({ return ( i18n.translate('xpack.securitySolution.containers.case.reopenedCases', { values: { caseTitle, totalCases }, - defaultMessage: 'Reopened {totalCases, plural, =1 {"{caseTitle}"} other {{totalCases} cases}}', + defaultMessage: 'Opened {totalCases, plural, =1 {"{caseTitle}"} other {{totalCases} cases}}', + }); + +export const MARK_IN_PROGRESS_CASES = ({ + totalCases, + caseTitle, +}: { + totalCases: number; + caseTitle?: string; +}) => + i18n.translate('xpack.securitySolution.containers.case.markInProgressCases', { + values: { caseTitle, totalCases }, + defaultMessage: + 'Marked {totalCases, plural, =1 {"{caseTitle}"} other {{totalCases} cases}} as in progress', }); export const SUCCESS_SEND_TO_EXTERNAL_SERVICE = (serviceName: string) => diff --git a/x-pack/plugins/security_solution/public/cases/containers/use_bulk_update_case.tsx b/x-pack/plugins/security_solution/public/cases/containers/use_bulk_update_case.tsx index 5fd181a4bbd414..0fe45aaab799b9 100644 --- a/x-pack/plugins/security_solution/public/cases/containers/use_bulk_update_case.tsx +++ b/x-pack/plugins/security_solution/public/cases/containers/use_bulk_update_case.tsx @@ -62,6 +62,24 @@ export interface UseUpdateCases extends UpdateState { dispatchResetIsUpdated: () => void; } +const getStatusToasterMessage = ( + status: CaseStatuses, + messageArgs: { + totalCases: number; + caseTitle?: string; + } +): string => { + if (status === CaseStatuses.open) { + return i18n.REOPENED_CASES(messageArgs); + } else if (status === CaseStatuses['in-progress']) { + return i18n.MARK_IN_PROGRESS_CASES(messageArgs); + } else if (status === CaseStatuses.closed) { + return i18n.CLOSED_CASES(messageArgs); + } + + return ''; +}; + export const useUpdateCases = (): UseUpdateCases => { const [state, dispatch] = useReducer(dataFetchReducer, { isLoading: false, @@ -70,7 +88,7 @@ export const useUpdateCases = (): UseUpdateCases => { }); const [, dispatchToaster] = useStateToaster(); - const dispatchUpdateCases = useCallback((cases: BulkUpdateStatus[]) => { + const dispatchUpdateCases = useCallback((cases: BulkUpdateStatus[], action: string) => { let cancel = false; const abortCtrl = new AbortController(); @@ -83,14 +101,16 @@ export const useUpdateCases = (): UseUpdateCases => { const firstTitle = patchResponse[0].title; dispatch({ type: 'FETCH_SUCCESS', payload: true }); + const messageArgs = { totalCases: resultCount, caseTitle: resultCount === 1 ? firstTitle : '', }; + const message = - resultCount && patchResponse[0].status === CaseStatuses.open - ? i18n.REOPENED_CASES(messageArgs) - : i18n.CLOSED_CASES(messageArgs); + action === 'status' + ? getStatusToasterMessage(patchResponse[0].status, messageArgs) + : ''; displaySuccessToast(message, dispatchToaster); } @@ -123,7 +143,7 @@ export const useUpdateCases = (): UseUpdateCases => { id: theCase.id, version: theCase.version, })); - dispatchUpdateCases(updateCasesStatus); + dispatchUpdateCases(updateCasesStatus, 'status'); // eslint-disable-next-line react-hooks/exhaustive-deps }, []); return { ...state, updateBulkStatus, dispatchResetIsUpdated }; diff --git a/x-pack/plugins/security_solution/public/cases/translations.ts b/x-pack/plugins/security_solution/public/cases/translations.ts index 156cb91994468e..caaa1f6e248ea6 100644 --- a/x-pack/plugins/security_solution/public/cases/translations.ts +++ b/x-pack/plugins/security_solution/public/cases/translations.ts @@ -131,6 +131,10 @@ export const REOPEN_CASE = i18n.translate('xpack.securitySolution.case.caseView. defaultMessage: 'Reopen case', }); +export const OPEN_CASE = i18n.translate('xpack.securitySolution.case.caseView.openCase', { + defaultMessage: 'Open case', +}); + export const CASE_NAME = i18n.translate('xpack.securitySolution.case.caseView.caseName', { defaultMessage: 'Case name', }); From 2aaeea7ce83a5acaf452d79c9ec4218808b033d2 Mon Sep 17 00:00:00 2001 From: Bhavya RM Date: Thu, 18 Feb 2021 07:56:18 -0500 Subject: [PATCH 03/15] Unskip import saved objects test --- test/functional/apps/management/_import_objects.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/functional/apps/management/_import_objects.ts b/test/functional/apps/management/_import_objects.ts index e2a056359b48e2..ca8d8c392ce49b 100644 --- a/test/functional/apps/management/_import_objects.ts +++ b/test/functional/apps/management/_import_objects.ts @@ -24,7 +24,7 @@ export default function ({ getService, getPageObjects }: FtrProviderContext) { const log = getService('log'); // FLAKY: https://github.com/elastic/kibana/issues/89478 - describe.skip('import objects', function describeIndexTests() { + describe('import objects', function describeIndexTests() { describe('.ndjson file', () => { beforeEach(async function () { await esArchiver.load('management'); From 8c9eaa2fbaf649d5d215b2ac86b8a636c4ff8bb9 Mon Sep 17 00:00:00 2001 From: Jason Stoltzfus Date: Thu, 18 Feb 2021 08:07:14 -0500 Subject: [PATCH 04/15] [App Search] First cut of the Relevance Tuning UI (#90621) --- .../relevance_tuning/boost_icon.test.tsx | 26 ++++ .../relevance_tuning/boost_icon.tsx | 28 ++++ .../components/relevance_tuning/constants.ts | 41 ++++- .../relevance_tuning.test.tsx | 20 ++- .../relevance_tuning/relevance_tuning.tsx | 44 +++++- .../relevance_tuning_form/index.ts | 8 + .../relevance_tuning_form.scss | 20 +++ .../relevance_tuning_form.test.tsx | 140 ++++++++++++++++++ .../relevance_tuning_form.tsx | 106 +++++++++++++ .../relevance_tuning_item.test.tsx | 126 ++++++++++++++++ .../relevance_tuning_item.tsx | 60 ++++++++ .../boosts/boost_item.tsx | 53 +++++++ .../boosts/boosts.scss | 28 ++++ .../boosts/boosts.test.tsx | 71 +++++++++ .../boosts/boosts.tsx | 118 +++++++++++++++ .../boosts/get_boost_summary.test.ts | 73 +++++++++ .../boosts/get_boost_summary.ts | 18 +++ .../boosts/index.ts | 8 + .../relevance_tuning_item_content/index.ts | 8 + .../relevance_tuning_item_content.scss | 6 + .../relevance_tuning_item_content.test.tsx | 65 ++++++++ .../relevance_tuning_item_content.tsx | 39 +++++ .../text_search_toggle.test.tsx | 122 +++++++++++++++ .../text_search_toggle.tsx | 62 ++++++++ .../weight_slider.test.tsx | 50 +++++++ .../weight_slider.tsx | 53 +++++++ .../relevance_tuning_form/value_badge.scss | 23 +++ .../relevance_tuning_form/value_badge.tsx | 22 +++ .../relevance_tuning_logic.test.ts | 122 +++++++++------ .../relevance_tuning_logic.ts | 21 ++- .../components/relevance_tuning/types.ts | 33 +++-- .../components/relevance_tuning/utils.test.ts | 45 +++--- 32 files changed, 1564 insertions(+), 95 deletions(-) create mode 100644 x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/boost_icon.test.tsx create mode 100644 x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/boost_icon.tsx create mode 100644 x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_form/index.ts create mode 100644 x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_form/relevance_tuning_form.scss create mode 100644 x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_form/relevance_tuning_form.test.tsx create mode 100644 x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_form/relevance_tuning_form.tsx create mode 100644 x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_form/relevance_tuning_item.test.tsx create mode 100644 x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_form/relevance_tuning_item.tsx create mode 100644 x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_form/relevance_tuning_item_content/boosts/boost_item.tsx create mode 100644 x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_form/relevance_tuning_item_content/boosts/boosts.scss create mode 100644 x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_form/relevance_tuning_item_content/boosts/boosts.test.tsx create mode 100644 x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_form/relevance_tuning_item_content/boosts/boosts.tsx create mode 100644 x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_form/relevance_tuning_item_content/boosts/get_boost_summary.test.ts create mode 100644 x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_form/relevance_tuning_item_content/boosts/get_boost_summary.ts create mode 100644 x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_form/relevance_tuning_item_content/boosts/index.ts create mode 100644 x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_form/relevance_tuning_item_content/index.ts create mode 100644 x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_form/relevance_tuning_item_content/relevance_tuning_item_content.scss create mode 100644 x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_form/relevance_tuning_item_content/relevance_tuning_item_content.test.tsx create mode 100644 x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_form/relevance_tuning_item_content/relevance_tuning_item_content.tsx create mode 100644 x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_form/relevance_tuning_item_content/text_search_toggle.test.tsx create mode 100644 x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_form/relevance_tuning_item_content/text_search_toggle.tsx create mode 100644 x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_form/relevance_tuning_item_content/weight_slider.test.tsx create mode 100644 x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_form/relevance_tuning_item_content/weight_slider.tsx create mode 100644 x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_form/value_badge.scss create mode 100644 x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_form/value_badge.tsx diff --git a/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/boost_icon.test.tsx b/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/boost_icon.test.tsx new file mode 100644 index 00000000000000..fd567f52ada249 --- /dev/null +++ b/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/boost_icon.test.tsx @@ -0,0 +1,26 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import React from 'react'; + +import { shallow } from 'enzyme'; + +import { EuiToken } from '@elastic/eui'; + +import { BoostIcon } from './boost_icon'; +import { BoostType } from './types'; + +describe('BoostIcon', () => { + beforeEach(() => { + jest.clearAllMocks(); + }); + + it('renders a token according to the provided type', () => { + const wrapper = shallow(); + expect(wrapper.find(EuiToken).prop('iconType')).toBe('tokenNumber'); + }); +}); diff --git a/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/boost_icon.tsx b/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/boost_icon.tsx new file mode 100644 index 00000000000000..2570a29274d069 --- /dev/null +++ b/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/boost_icon.tsx @@ -0,0 +1,28 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import React from 'react'; + +import { EuiToken } from '@elastic/eui'; + +import { BOOST_TYPE_TO_ICON_MAP } from './constants'; +import { BoostType } from './types'; + +interface Props { + type: BoostType; +} + +export const BoostIcon: React.FC = ({ type }) => { + return ( + + ); +}; diff --git a/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/constants.ts b/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/constants.ts index 211995b2a7d188..9fdbb8e979b316 100644 --- a/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/constants.ts +++ b/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/constants.ts @@ -7,33 +7,66 @@ import { i18n } from '@kbn/i18n'; +import { BoostType } from './types'; + +export const FIELD_FILTER_CUTOFF = 10; + export const RELEVANCE_TUNING_TITLE = i18n.translate( 'xpack.enterpriseSearch.appSearch.engine.relevanceTuning.title', { defaultMessage: 'Relevance Tuning' } ); export const UPDATE_SUCCESS_MESSAGE = i18n.translate( - 'xpack.enterpriseSearch.appSearch.relevanceTuning.messages.updateSuccess', + 'xpack.enterpriseSearch.appSearch.engine.relevanceTuning.messages.updateSuccess', { defaultMessage: 'Relevance successfully tuned. The changes will impact your results shortly.', } ); export const DELETE_SUCCESS_MESSAGE = i18n.translate( - 'xpack.enterpriseSearch.appSearch.relevanceTuning.messages.deleteSuccess', + 'xpack.enterpriseSearch.appSearch.engine.relevanceTuning.messages.deleteSuccess', { defaultMessage: 'Relevance has been reset to default values. The change will impact your results shortly.', } ); export const RESET_CONFIRMATION_MESSAGE = i18n.translate( - 'xpack.enterpriseSearch.appSearch.relevanceTuning.messages.resetConfirmation', + 'xpack.enterpriseSearch.appSearch.engine.relevanceTuning.messages.resetConfirmation', { defaultMessage: 'Are you sure you want to restore relevance defaults?', } ); export const DELETE_CONFIRMATION_MESSAGE = i18n.translate( - 'xpack.enterpriseSearch.appSearch.relevanceTuning.messages.deleteConfirmation', + 'xpack.enterpriseSearch.appSearch.engine.relevanceTuning.messages.deleteConfirmation', { defaultMessage: 'Are you sure you want to delete this boost?', } ); +export const PROXIMITY_DISPLAY = i18n.translate( + 'xpack.enterpriseSearch.appSearch.engine.relevanceTuning.boosts.proximityDropDownOptionLabel', + { + defaultMessage: 'Proximity', + } +); +export const FUNCTIONAL_DISPLAY = i18n.translate( + 'xpack.enterpriseSearch.appSearch.engine.relevanceTuning.boosts.functionalDropDownOptionLabel', + { + defaultMessage: 'Functional', + } +); +export const VALUE_DISPLAY = i18n.translate( + 'xpack.enterpriseSearch.appSearch.engine.relevanceTuning.boosts.valueDropDownOptionLabel', + { + defaultMessage: 'Value', + } +); +export const BOOST_TYPE_TO_DISPLAY_MAP = { + [BoostType.Proximity]: PROXIMITY_DISPLAY, + [BoostType.Functional]: FUNCTIONAL_DISPLAY, + [BoostType.Value]: VALUE_DISPLAY, +}; + +export const BOOST_TYPE_TO_ICON_MAP = { + [BoostType.Value]: 'tokenNumber', + [BoostType.Functional]: 'tokenFunction', + [BoostType.Proximity]: 'tokenGeo', +}; diff --git a/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning.test.tsx b/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning.test.tsx index ea8d43d183ef0f..85cf3dd8a68c97 100644 --- a/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning.test.tsx +++ b/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning.test.tsx @@ -4,20 +4,34 @@ * 2.0; you may not use this file except in compliance with the Elastic License * 2.0. */ +import '../../../__mocks__/shallow_useeffect.mock'; +import { setMockActions } from '../../../__mocks__/kea.mock'; import React from 'react'; -import { shallow } from 'enzyme'; +import { shallow, ShallowWrapper } from 'enzyme'; import { RelevanceTuning } from './relevance_tuning'; +import { RelevanceTuningForm } from './relevance_tuning_form'; describe('RelevanceTuning', () => { + let wrapper: ShallowWrapper; + + const actions = { + initializeRelevanceTuning: jest.fn(), + }; + beforeEach(() => { jest.clearAllMocks(); + setMockActions(actions); + wrapper = shallow(); }); it('renders', () => { - const wrapper = shallow(); - expect(wrapper.isEmptyRender()).toBe(false); + expect(wrapper.find(RelevanceTuningForm).exists()).toBe(true); + }); + + it('initializes relevance tuning data', () => { + expect(actions.initializeRelevanceTuning).toHaveBeenCalled(); }); }); diff --git a/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning.tsx b/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning.tsx index 83e83c0f9ea43e..f65a86b1e02f0a 100644 --- a/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning.tsx +++ b/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning.tsx @@ -5,26 +5,41 @@ * 2.0. */ -import React from 'react'; +import React, { useEffect } from 'react'; + +import { useActions } from 'kea'; import { EuiPageHeader, EuiPageHeaderSection, EuiTitle, - EuiPageContentBody, - EuiPageContent, + EuiText, + EuiSpacer, + EuiFlexGroup, + EuiFlexItem, + EuiTextColor, } from '@elastic/eui'; +import { i18n } from '@kbn/i18n'; + import { FlashMessages } from '../../../shared/flash_messages'; import { SetAppSearchChrome as SetPageChrome } from '../../../shared/kibana_chrome'; import { RELEVANCE_TUNING_TITLE } from './constants'; +import { RelevanceTuningForm } from './relevance_tuning_form'; +import { RelevanceTuningLogic } from './relevance_tuning_logic'; interface Props { engineBreadcrumb: string[]; } export const RelevanceTuning: React.FC = ({ engineBreadcrumb }) => { + const { initializeRelevanceTuning } = useActions(RelevanceTuningLogic); + + useEffect(() => { + initializeRelevanceTuning(); + }, []); + return ( <> @@ -33,13 +48,26 @@ export const RelevanceTuning: React.FC = ({ engineBreadcrumb }) => {

{RELEVANCE_TUNING_TITLE}

 + + + {i18n.translate( + 'xpack.enterpriseSearch.appSearch.engine.relevanceTuning.description', + { + defaultMessage: 'Set field weights and boosts', + } + )} + + - - - - - + + + + + + + + ); }; diff --git a/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_form/index.ts b/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_form/index.ts new file mode 100644 index 00000000000000..89e344860b2eb8 --- /dev/null +++ b/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_form/index.ts @@ -0,0 +1,8 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +export { RelevanceTuningForm } from './relevance_tuning_form'; diff --git a/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_form/relevance_tuning_form.scss b/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_form/relevance_tuning_form.scss new file mode 100644 index 00000000000000..749fca6f798110 --- /dev/null +++ b/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_form/relevance_tuning_form.scss @@ -0,0 +1,20 @@ +.relevanceTuningForm { + &__item { + width: 100%; + margin-left: $euiSizeS; + } + + &__panel + &__panel { + margin-top: $euiSizeM; + } + + &__panel .euiAccordion__button { + &:hover, + &:focus { + text-decoration: none; + h3 { + text-decoration: underline; + } + } + } +} diff --git a/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_form/relevance_tuning_form.test.tsx b/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_form/relevance_tuning_form.test.tsx new file mode 100644 index 00000000000000..3965e9e81d1ba3 --- /dev/null +++ b/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_form/relevance_tuning_form.test.tsx @@ -0,0 +1,140 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { setMockValues, setMockActions } from '../../../../__mocks__/kea.mock'; + +import React from 'react'; + +import { shallow, mount, ReactWrapper, ShallowWrapper } from 'enzyme'; + +import { EuiFieldSearch } from '@elastic/eui'; + +import { BoostType } from '../types'; + +import { RelevanceTuningForm } from './relevance_tuning_form'; +import { RelevanceTuningItem } from './relevance_tuning_item'; + +describe('RelevanceTuningForm', () => { + const values = { + filterInputValue: '', + schemaFields: ['foo', 'bar', 'baz'], + filteredSchemaFields: ['foo', 'bar'], + schema: { + foo: 'text', + bar: 'number', + }, + searchSettings: { + boosts: { + foo: [ + { + factor: 2, + type: BoostType.Value, + }, + ], + }, + search_fields: { + bar: { + weight: 1, + }, + }, + }, + }; + const actions = { + setFilterValue: jest.fn(), + }; + + beforeEach(() => { + jest.clearAllMocks(); + setMockActions(actions); + }); + + describe('fields', () => { + let wrapper: ReactWrapper; + let relevantTuningItems: any; + + beforeAll(() => { + setMockValues(values); + + wrapper = mount(); + relevantTuningItems = wrapper.find(RelevanceTuningItem); + }); + + it('renders a list of fields that may or may not have been filterd by user input', () => { + // The length is 2 because we're only pulling values from `filteredSchemaFields`, which + // is the list of schema fields that has been filtered by user input down to 2 + expect(relevantTuningItems.length).toBe(2); + }); + + it('will pass the schema field name in the "name" prop of each list item', () => { + expect(relevantTuningItems.at(0).prop('name')).toBe('foo'); + expect(relevantTuningItems.at(1).prop('name')).toBe('bar'); + }); + + it('will pass the schema type of the field in the "type" prop of each list item', () => { + expect(relevantTuningItems.at(0).prop('type')).toBe('text'); + expect(relevantTuningItems.at(1).prop('type')).toBe('number'); + }); + + it('will pass a list of boosts in the "boosts" field of each list item, or undefined if none exist', () => { + expect(relevantTuningItems.at(0).prop('boosts')).toEqual([ + { + factor: 2, + type: BoostType.Value, + }, + ]); + expect(relevantTuningItems.at(1).prop('boosts')).toBeUndefined(); + }); + + it('will pass the search_field configuration for the field in the "field" prop of each list item, or undefined if none exists', () => { + expect(relevantTuningItems.at(0).prop('field')).toBeUndefined(); + expect(relevantTuningItems.at(1).prop('field')).toEqual({ + weight: 1, + }); + }); + }); + + describe('field filtering', () => { + let searchField: ShallowWrapper; + + beforeEach(() => { + setMockValues({ + ...values, + filterInputValue: 'test', + schemaFields: ['1', '2', '3', '4', '5', '6', '7', '8', '9', '10', '11'], + }); + const wrapper = shallow(); + searchField = wrapper.find(EuiFieldSearch); + }); + + it('renders an input box for filtering the field list in case there is a large quantity of fields', () => { + expect(searchField.exists()).toBe(true); + }); + + it('initializes the input box with the user input value stored in state', () => { + expect(searchField.prop('value')).toBe('test'); + }); + + it('updates the user input value stored in state whenever the input box value changes', () => { + searchField.simulate('change', { + target: { + value: 'new value', + }, + }); + + expect(actions.setFilterValue).toHaveBeenCalledWith('new value'); + }); + + it('will not render a field filter if there are 10 or less fields', () => { + setMockValues({ + ...values, + schemaFields: ['1', '2', '3', '4', '5', '6', '7', '8', '9', '10'], + }); + const wrapper = shallow(); + expect(wrapper.find(EuiFieldSearch).exists()).toBe(false); + }); + }); +}); diff --git a/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_form/relevance_tuning_form.tsx b/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_form/relevance_tuning_form.tsx new file mode 100644 index 00000000000000..e39c93fd5de3cb --- /dev/null +++ b/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_form/relevance_tuning_form.tsx @@ -0,0 +1,106 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import React from 'react'; + +import { useActions, useValues } from 'kea'; + +import { + EuiPageHeader, + EuiPageHeaderSection, + EuiTitle, + EuiFieldSearch, + EuiSpacer, + EuiAccordion, + EuiPanel, +} from '@elastic/eui'; + +import { i18n } from '@kbn/i18n'; + +import { FIELD_FILTER_CUTOFF } from '../constants'; +import { RelevanceTuningLogic } from '../relevance_tuning_logic'; + +import { RelevanceTuningItem } from './relevance_tuning_item'; +import { RelevanceTuningItemContent } from './relevance_tuning_item_content'; + +import './relevance_tuning_form.scss'; + +export const RelevanceTuningForm: React.FC = () => { + const { + filterInputValue, + schemaFields, + filteredSchemaFields, + schema, + searchSettings, + } = useValues(RelevanceTuningLogic); + const { setFilterValue } = useActions(RelevanceTuningLogic); + + return ( +
+
+ {/* TODO SchemaConflictCallout */} + + + + +

+ {i18n.translate( + 'xpack.enterpriseSearch.appSearch.engine.relevanceTuning.manageFields.title', + { + defaultMessage: 'Manage fields', + } + )} +

+ + + + {schemaFields.length > FIELD_FILTER_CUTOFF && ( + setFilterValue(e.target.value)} + placeholder={i18n.translate( + 'xpack.enterpriseSearch.appSearch.engine.relevanceTuning.manageFields.filterPlaceholder', + { + defaultMessage: 'Filter {schemaFieldsLength} fields...', + values: { + schemaFieldsLength: schemaFields.length, + }, + } + )} + fullWidth + /> + )} + + {filteredSchemaFields.map((fieldName) => ( + + + } + paddingSize="s" + > + + + + ))} + +
+ ); +}; diff --git a/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_form/relevance_tuning_item.test.tsx b/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_form/relevance_tuning_item.test.tsx new file mode 100644 index 00000000000000..6043e7ae65b268 --- /dev/null +++ b/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_form/relevance_tuning_item.test.tsx @@ -0,0 +1,126 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import React from 'react'; + +import { shallow } from 'enzyme'; + +import { SchemaTypes } from '../../../../shared/types'; + +import { BoostIcon } from '../boost_icon'; +import { Boost, BoostType, SearchField } from '../types'; + +import { RelevanceTuningItem } from './relevance_tuning_item'; +import { ValueBadge } from './value_badge'; + +describe('RelevanceTuningItem', () => { + const props = { + name: 'foo', + type: 'text' as SchemaTypes, + boosts: [ + { + factor: 2, + type: BoostType.Value, + }, + ], + field: { + weight: 1, + }, + }; + + beforeEach(() => { + jest.clearAllMocks(); + }); + + describe('boosts prop', () => { + const renderComponentWithBoostsConfig = (boosts?: Boost[]) => { + return shallow( + + ); + }; + + describe('when there are boosts for this field', () => { + it('renders an icon for each boost that is applied', () => { + const wrapper = renderComponentWithBoostsConfig([ + { + factor: 2, + type: BoostType.Value, + }, + { + factor: 3, + type: BoostType.Proximity, + }, + ]); + expect(wrapper.find(BoostIcon).length).toBe(2); + expect(wrapper.find(BoostIcon).map((euiToken) => euiToken.prop('type'))).toEqual([ + BoostType.Value, + BoostType.Proximity, + ]); + }); + }); + + describe('when there are no boosts for this field', () => { + const wrapper = renderComponentWithBoostsConfig(); + + it('renders an icon for each boost that is applied', () => { + expect(wrapper.find(BoostIcon).length).toBe(0); + }); + }); + }); + + describe('field prop', () => { + const renderComponentWithFieldConfig = (field?: SearchField) => { + return shallow( + + ); + }; + + describe('when weight is set to any positive number', () => { + const wrapper = renderComponentWithFieldConfig({ + weight: 1, + }); + + it('will show the weight with an "enabled" style', () => { + const valueBadge = wrapper.find(ValueBadge); + expect(valueBadge.dive().text()).toContain('1'); + expect(valueBadge.prop('disabled')).toBe(false); + }); + }); + + describe('when weight set to "0", which means this field will not be searched', () => { + const wrapper = renderComponentWithFieldConfig({ + weight: 0, + }); + + it('will show 0 with a "disabled" style', () => { + const valueBadge = wrapper.find(ValueBadge); + expect(valueBadge.dive().text()).toContain('0'); + expect(valueBadge.prop('disabled')).toBe(true); + }); + }); + + describe('when there is no weight set, which means this field will not be searched', () => { + const wrapper = renderComponentWithFieldConfig(); + + it('will show "0" with a "disabled" style', () => { + const valueBadge = wrapper.find(ValueBadge); + expect(valueBadge.dive().text()).toContain('0'); + expect(valueBadge.prop('disabled')).toBe(true); + }); + }); + }); +}); diff --git a/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_form/relevance_tuning_item.tsx b/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_form/relevance_tuning_item.tsx new file mode 100644 index 00000000000000..38cec4825cfe7f --- /dev/null +++ b/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_form/relevance_tuning_item.tsx @@ -0,0 +1,60 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import React from 'react'; + +import { EuiText, EuiFlexGroup, EuiFlexItem, EuiTitle, EuiTextColor, EuiIcon } from '@elastic/eui'; + +import { SchemaTypes } from '../../../../shared/types'; + +import { BoostIcon } from '../boost_icon'; +import { Boost, SearchField } from '../types'; + +import { ValueBadge } from './value_badge'; + +interface Props { + name: string; + type: SchemaTypes; + boosts?: Boost[]; + field?: SearchField; +} + +export const RelevanceTuningItem: React.FC = ({ name, type, boosts = [], field }) => { + return ( + + + +

{name}

+ + + {type} + + + + + {boosts.map((boost, index) => ( + + + + ))} + + + + {!!field ? field.weight : 0} + + + + + + ); +}; diff --git a/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_form/relevance_tuning_item_content/boosts/boost_item.tsx b/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_form/relevance_tuning_item_content/boosts/boost_item.tsx new file mode 100644 index 00000000000000..e5a76bc586b80c --- /dev/null +++ b/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_form/relevance_tuning_item_content/boosts/boost_item.tsx @@ -0,0 +1,53 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import React, { useMemo } from 'react'; + +import { EuiFlexItem, EuiAccordion, EuiFlexGroup, EuiHideFor } from '@elastic/eui'; + +import { BoostIcon } from '../../../boost_icon'; +import { BOOST_TYPE_TO_DISPLAY_MAP } from '../../../constants'; +import { Boost } from '../../../types'; +import { ValueBadge } from '../../value_badge'; + +import { getBoostSummary } from './get_boost_summary'; + +interface Props { + boost: Boost; + id: string; +} + +export const BoostItem: React.FC = ({ id, boost }) => { + const summary = useMemo(() => getBoostSummary(boost), [boost]); + + return ( + + + + + + + {BOOST_TYPE_TO_DISPLAY_MAP[boost.type]} + + {summary} + + + + + {boost.factor} + + + } + paddingSize="s" + /> + ); +}; diff --git a/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_form/relevance_tuning_item_content/boosts/boosts.scss b/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_form/relevance_tuning_item_content/boosts/boosts.scss new file mode 100644 index 00000000000000..53b3c233301b08 --- /dev/null +++ b/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_form/relevance_tuning_item_content/boosts/boosts.scss @@ -0,0 +1,28 @@ +.boosts { + &__select { + min-width: $euiSizeXXL * 4; + } + + &__itemContent { + width: 100%; + } + + &__item { + margin-top: $euiSize; + + & + & { + margin-top: $euiSizeS; + } + } +} + +.boostSelectOption { + .euiContextMenuItem__text { + display: flex; + align-items: center; + + .euiToken { + margin-right: $euiSizeS; + } + } +} diff --git a/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_form/relevance_tuning_item_content/boosts/boosts.test.tsx b/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_form/relevance_tuning_item_content/boosts/boosts.test.tsx new file mode 100644 index 00000000000000..b313e16c0bda11 --- /dev/null +++ b/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_form/relevance_tuning_item_content/boosts/boosts.test.tsx @@ -0,0 +1,71 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { setMockActions } from '../../../../../../__mocks__/kea.mock'; + +import React from 'react'; + +import { shallow } from 'enzyme'; + +import { EuiSuperSelect } from '@elastic/eui'; + +import { SchemaTypes } from '../../../../../../shared/types'; + +import { Boosts } from './boosts'; + +describe('Boosts', () => { + const actions = { + addBoost: jest.fn(), + }; + + beforeAll(() => { + setMockActions(actions); + }); + + beforeEach(() => { + jest.clearAllMocks(); + }); + + const props = { + name: 'foo', + type: 'number' as SchemaTypes, + }; + + it('renders a select box that allows users to create boosts of various types', () => { + const wrapper = shallow(); + + const select = wrapper.find(EuiSuperSelect); + expect(select.prop('options').map((o: any) => o.value)).toEqual([ + 'add-boost', + 'functional', + 'proximity', + 'value', + ]); + }); + + it('will not render functional or proximity options if "type" prop is "text"', () => { + const wrapper = shallow( + + ); + + const select = wrapper.find(EuiSuperSelect); + expect(select.prop('options').map((o: any) => o.value)).toEqual(['add-boost', 'value']); + }); + + it('will add a boost of the selected type when a selection is made', () => { + const wrapper = shallow(); + + wrapper.find(EuiSuperSelect).simulate('change', 'functional'); + + expect(actions.addBoost).toHaveBeenCalledWith('foo', 'functional'); + }); +}); diff --git a/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_form/relevance_tuning_item_content/boosts/boosts.tsx b/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_form/relevance_tuning_item_content/boosts/boosts.tsx new file mode 100644 index 00000000000000..1ad27346d2630e --- /dev/null +++ b/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_form/relevance_tuning_item_content/boosts/boosts.tsx @@ -0,0 +1,118 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import React, { useMemo } from 'react'; + +import { useActions } from 'kea'; + +import { EuiFlexGroup, EuiFlexItem, EuiPanel, EuiTitle, EuiSuperSelect } from '@elastic/eui'; + +import { i18n } from '@kbn/i18n'; + +import { TEXT } from '../../../../../../shared/constants/field_types'; +import { SchemaTypes } from '../../../../../../shared/types'; + +import { BoostIcon } from '../../../boost_icon'; +import { FUNCTIONAL_DISPLAY, PROXIMITY_DISPLAY, VALUE_DISPLAY } from '../../../constants'; +import { RelevanceTuningLogic } from '../../../relevance_tuning_logic'; +import { Boost, BoostType } from '../../../types'; + +import { BoostItem } from './boost_item'; + +import './boosts.scss'; + +const BASE_OPTIONS = [ + { + value: 'add-boost', + inputDisplay: i18n.translate( + 'xpack.enterpriseSearch.appSearch.engine.relevanceTuning.boosts.addBoostDropDownOptionLabel', + { + defaultMessage: 'Add boost', + } + ), + disabled: true, + }, + { + value: BoostType.Functional, + inputDisplay: ( + <> + + {FUNCTIONAL_DISPLAY} + + ), + }, + { + value: BoostType.Proximity, + inputDisplay: ( + <> + + {PROXIMITY_DISPLAY} + + ), + }, + { + value: BoostType.Value, + inputDisplay: ( + <> + + {VALUE_DISPLAY} + + ), + }, +]; + +const filterInvalidOptions = (value: BoostType, type: SchemaTypes) => { + // Proximity and Functional boost types are not valid for text fields + if (type === TEXT && [BoostType.Proximity, BoostType.Functional].includes(value)) return false; + return true; +}; + +interface Props { + name: string; + type: SchemaTypes; + boosts?: Boost[]; +} + +export const Boosts: React.FC = ({ name, type, boosts = [] }) => { + const { addBoost } = useActions(RelevanceTuningLogic); + + const selectOptions = useMemo( + () => BASE_OPTIONS.filter((option) => filterInvalidOptions(option.value as BoostType, type)), + [type] + ); + + return ( + + + + +

+ {i18n.translate( + 'xpack.enterpriseSearch.appSearch.engine.relevanceTuning.boosts.title', + { + defaultMessage: 'Boosts', + } + )} +

+ + + + addBoost(name, value as BoostType)} + /> + + + {boosts.map((boost, index) => ( + + ))} + + ); +}; diff --git a/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_form/relevance_tuning_item_content/boosts/get_boost_summary.test.ts b/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_form/relevance_tuning_item_content/boosts/get_boost_summary.test.ts new file mode 100644 index 00000000000000..f6852569213a68 --- /dev/null +++ b/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_form/relevance_tuning_item_content/boosts/get_boost_summary.test.ts @@ -0,0 +1,73 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { Boost, BoostFunction, BoostType, BoostOperation } from '../../../types'; + +import { getBoostSummary } from './get_boost_summary'; + +describe('getBoostSummary', () => { + describe('when the boost type is "value"', () => { + const boost: Boost = { + type: BoostType.Value, + value: ['1', '2'], + factor: 5, + }; + + it('creates a summary that is the joined values', () => { + expect(getBoostSummary(boost)).toEqual('1,2'); + }); + + it('creates an empty summary if there is no value', () => { + expect( + getBoostSummary({ + ...boost, + value: undefined, + }) + ).toEqual(''); + }); + }); + + describe('when the boost type is "proximity"', () => { + const boost: Boost = { + type: BoostType.Proximity, + function: 'gaussian' as BoostFunction, + factor: 5, + }; + + it('creates a summary that is just the name of the function', () => { + expect(getBoostSummary(boost)).toEqual('gaussian'); + }); + + it('creates an empty summary if there is no function', () => { + expect( + getBoostSummary({ + ...boost, + function: undefined, + }) + ).toEqual(''); + }); + }); + + describe('when the boost type is "functional"', () => { + const boost: Boost = { + type: BoostType.Functional, + function: BoostFunction.Gaussian, + operation: BoostOperation.Add, + factor: 5, + }; + + it('creates a summary that is name of the function and operation', () => { + expect(getBoostSummary(boost)).toEqual('gaussian add'); + }); + + it('prints empty if function or operation is missing', () => { + expect(getBoostSummary({ ...boost, function: undefined })).toEqual(BoostOperation.Add); + expect(getBoostSummary({ ...boost, operation: undefined })).toEqual(BoostFunction.Gaussian); + expect(getBoostSummary({ ...boost, function: undefined, operation: undefined })).toEqual(''); + }); + }); +}); diff --git a/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_form/relevance_tuning_item_content/boosts/get_boost_summary.ts b/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_form/relevance_tuning_item_content/boosts/get_boost_summary.ts new file mode 100644 index 00000000000000..f3922ebb0fffe9 --- /dev/null +++ b/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_form/relevance_tuning_item_content/boosts/get_boost_summary.ts @@ -0,0 +1,18 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { Boost, BoostType } from '../../../types'; + +export const getBoostSummary = (boost: Boost): string => { + if (boost.type === BoostType.Value) { + return !boost.value ? '' : boost.value.join(','); + } else if (boost.type === BoostType.Proximity) { + return boost.function || ''; + } else { + return [boost.function || '', boost.operation || ''].join(' ').trim(); + } +}; diff --git a/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_form/relevance_tuning_item_content/boosts/index.ts b/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_form/relevance_tuning_item_content/boosts/index.ts new file mode 100644 index 00000000000000..dc269132769b81 --- /dev/null +++ b/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_form/relevance_tuning_item_content/boosts/index.ts @@ -0,0 +1,8 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +export { Boosts } from './boosts'; diff --git a/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_form/relevance_tuning_item_content/index.ts b/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_form/relevance_tuning_item_content/index.ts new file mode 100644 index 00000000000000..dc5b95320d4db6 --- /dev/null +++ b/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_form/relevance_tuning_item_content/index.ts @@ -0,0 +1,8 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +export { RelevanceTuningItemContent } from './relevance_tuning_item_content'; diff --git a/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_form/relevance_tuning_item_content/relevance_tuning_item_content.scss b/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_form/relevance_tuning_item_content/relevance_tuning_item_content.scss new file mode 100644 index 00000000000000..63718a95551fa5 --- /dev/null +++ b/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_form/relevance_tuning_item_content/relevance_tuning_item_content.scss @@ -0,0 +1,6 @@ +.relevanceTuningForm { + &__itemContent { + border: none; + border-top: $euiBorderThin; + } +} diff --git a/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_form/relevance_tuning_item_content/relevance_tuning_item_content.test.tsx b/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_form/relevance_tuning_item_content/relevance_tuning_item_content.test.tsx new file mode 100644 index 00000000000000..18a75766cd67be --- /dev/null +++ b/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_form/relevance_tuning_item_content/relevance_tuning_item_content.test.tsx @@ -0,0 +1,65 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import React from 'react'; + +import { shallow } from 'enzyme'; + +import { SchemaTypes } from '../../../../../shared/types'; +import { BoostType } from '../../types'; + +import { RelevanceTuningItemContent } from './relevance_tuning_item_content'; +import { TextSearchToggle } from './text_search_toggle'; +import { WeightSlider } from './weight_slider'; + +describe('RelevanceTuningItemContent', () => { + const props = { + name: 'foo', + type: 'text' as SchemaTypes, + boosts: [ + { + factor: 2, + type: BoostType.Value, + }, + ], + field: { + weight: 1, + }, + }; + + beforeEach(() => { + jest.clearAllMocks(); + }); + + it('renders', () => { + const wrapper = shallow(); + + const textSearchToggle = wrapper.find(TextSearchToggle); + expect(textSearchToggle.exists()).toBe(true); + expect(textSearchToggle.prop('name')).toBe(props.name); + expect(textSearchToggle.prop('type')).toBe(props.type); + expect(textSearchToggle.prop('field')).toBe(props.field); + + const weightSlider = wrapper.find(WeightSlider); + expect(weightSlider.exists()).toBe(true); + expect(weightSlider.prop('name')).toBe(props.name); + expect(weightSlider.prop('field')).toBe(props.field); + }); + + it('will not render a WeightSlider if the field prop is empty', () => { + const wrapper = shallow( + + ); + + expect(wrapper.find(WeightSlider).exists()).toBe(false); + }); +}); diff --git a/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_form/relevance_tuning_item_content/relevance_tuning_item_content.tsx b/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_form/relevance_tuning_item_content/relevance_tuning_item_content.tsx new file mode 100644 index 00000000000000..29ab559485d776 --- /dev/null +++ b/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_form/relevance_tuning_item_content/relevance_tuning_item_content.tsx @@ -0,0 +1,39 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import React from 'react'; + +import { EuiPanel } from '@elastic/eui'; + +import { SchemaTypes } from '../../../../../shared/types'; + +import { Boost, SearchField } from '../../types'; + +import { Boosts } from './boosts'; +import { TextSearchToggle } from './text_search_toggle'; +import { WeightSlider } from './weight_slider'; + +import './relevance_tuning_item_content.scss'; + +interface Props { + name: string; + type: SchemaTypes; + boosts?: Boost[]; + field?: SearchField; +} + +export const RelevanceTuningItemContent: React.FC = ({ name, type, boosts, field }) => { + return ( + <> + + + {field && } + + + + ); +}; diff --git a/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_form/relevance_tuning_item_content/text_search_toggle.test.tsx b/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_form/relevance_tuning_item_content/text_search_toggle.test.tsx new file mode 100644 index 00000000000000..7225fce5daa611 --- /dev/null +++ b/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_form/relevance_tuning_item_content/text_search_toggle.test.tsx @@ -0,0 +1,122 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { setMockActions } from '../../../../../__mocks__/kea.mock'; + +import React from 'react'; + +import { shallow, ShallowWrapper } from 'enzyme'; + +import { EuiSwitch } from '@elastic/eui'; + +import { SchemaTypes } from '../../../../../shared/types'; + +import { TextSearchToggle } from './text_search_toggle'; + +describe('TextSearchToggle', () => { + const actions = { + toggleSearchField: jest.fn(), + }; + + beforeAll(() => { + setMockActions(actions); + }); + + beforeEach(() => { + jest.clearAllMocks(); + }); + + describe('typical render', () => { + let wrapper: ShallowWrapper; + + const props = { + name: 'foo', + type: 'text' as SchemaTypes, + field: { + weight: 1, + }, + }; + + beforeAll(() => { + wrapper = shallow(); + }); + + it('renders a toggle button', () => { + expect(wrapper.find(EuiSwitch).exists()).toBe(true); + }); + + it('shows the toggle button as checked if any value was passed in the "field" prop', () => { + expect(wrapper.find(EuiSwitch).prop('checked')).toBe(true); + }); + + it('shows the toggle as enabled if "text" was passed in the "type" prop', () => { + expect(wrapper.find(EuiSwitch).prop('disabled')).toBe(false); + }); + + it('shows a relevant label if "text" was passed in the "type" prop', () => { + expect(wrapper.find(EuiSwitch).prop('label')).toBe('Search this field'); + }); + + it('will update toggled state when clicked', () => { + wrapper.find(EuiSwitch).simulate('change'); + expect(actions.toggleSearchField).toHaveBeenCalledWith('foo', true); + }); + }); + + describe('when a non-"text" type is passed in the "type" prop', () => { + let wrapper: ShallowWrapper; + + const props = { + name: 'foo', + type: 'number' as SchemaTypes, + field: { + weight: 1, + }, + }; + + beforeAll(() => { + wrapper = shallow(); + }); + + it('shows the toggle button as disabled', () => { + expect(wrapper.find(EuiSwitch).prop('checked')).toBe(true); + }); + + it('shows a relevant label', () => { + expect(wrapper.find(EuiSwitch).prop('label')).toBe( + 'Search can only be enabled on text fields' + ); + }); + + it('will not update state when the clicked', () => { + wrapper.find(EuiSwitch).simulate('change'); + expect(actions.toggleSearchField).not.toHaveBeenCalled(); + }); + }); + + describe('when no field prop is passed', () => { + let wrapper: ShallowWrapper; + + const props = { + name: 'foo', + type: 'text' as SchemaTypes, + }; + + beforeAll(() => { + wrapper = shallow(); + }); + + it('shows the toggle button as unchecked', () => { + expect(wrapper.find(EuiSwitch).prop('checked')).toBe(false); + }); + + it('will update toggled state when clicked', () => { + wrapper.find(EuiSwitch).simulate('change'); + expect(actions.toggleSearchField).toHaveBeenCalledWith('foo', false); + }); + }); +}); diff --git a/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_form/relevance_tuning_item_content/text_search_toggle.tsx b/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_form/relevance_tuning_item_content/text_search_toggle.tsx new file mode 100644 index 00000000000000..607ddd9c6b0782 --- /dev/null +++ b/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_form/relevance_tuning_item_content/text_search_toggle.tsx @@ -0,0 +1,62 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import React from 'react'; + +import { useActions } from 'kea'; + +import { EuiFormRow, EuiSwitch } from '@elastic/eui'; + +import { i18n } from '@kbn/i18n'; + +import { TEXT } from '../../../../../shared/constants/field_types'; +import { SchemaTypes } from '../../../../../shared/types'; + +import { RelevanceTuningLogic } from '../../relevance_tuning_logic'; +import { SearchField } from '../../types'; + +interface Props { + name: string; + type: SchemaTypes; + field?: SearchField; +} + +export const TextSearchToggle: React.FC = ({ name, type, field }) => { + const { toggleSearchField } = useActions(RelevanceTuningLogic); + + return ( + + type === TEXT && toggleSearchField(name, !!field)} + checked={!!field} + disabled={type !== TEXT} + /> + + ); +}; diff --git a/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_form/relevance_tuning_item_content/weight_slider.test.tsx b/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_form/relevance_tuning_item_content/weight_slider.test.tsx new file mode 100644 index 00000000000000..21a112a4ea9889 --- /dev/null +++ b/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_form/relevance_tuning_item_content/weight_slider.test.tsx @@ -0,0 +1,50 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { setMockActions } from '../../../../../__mocks__/kea.mock'; + +import React from 'react'; + +import { shallow, ShallowWrapper } from 'enzyme'; + +import { EuiRange } from '@elastic/eui'; + +import { WeightSlider } from './weight_slider'; + +describe('WeightSlider', () => { + let wrapper: ShallowWrapper; + + const actions = { + updateFieldWeight: jest.fn(), + }; + + beforeAll(() => { + setMockActions(actions); + wrapper = shallow( + + ); + }); + + it('renders with an initial value set', () => { + expect(wrapper.find(EuiRange).exists()).toBe(true); + expect(wrapper.find(EuiRange).prop('value')).toBe(2.2); + }); + + it('updates field weight in state when the value changes', () => { + wrapper.find(EuiRange).simulate('change', { + target: { + value: '1.3', + }, + }); + expect(actions.updateFieldWeight).toHaveBeenCalledWith('foo', 1.3); + }); +}); diff --git a/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_form/relevance_tuning_item_content/weight_slider.tsx b/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_form/relevance_tuning_item_content/weight_slider.tsx new file mode 100644 index 00000000000000..02e83b81b2cb13 --- /dev/null +++ b/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_form/relevance_tuning_item_content/weight_slider.tsx @@ -0,0 +1,53 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import React from 'react'; + +import { useActions } from 'kea'; + +import { EuiFormRow, EuiRange } from '@elastic/eui'; + +import { i18n } from '@kbn/i18n'; + +import { RelevanceTuningLogic } from '../../relevance_tuning_logic'; +import { SearchField } from '../../types'; + +interface Props { + name: string; + field: SearchField; +} + +export const WeightSlider: React.FC = ({ name, field }) => { + const { updateFieldWeight } = useActions(RelevanceTuningLogic); + + return ( + + + updateFieldWeight( + name, + parseFloat((e as React.ChangeEvent).target.value) + ) + } + showInput + compressed + fullWidth + /> + + ); +}; diff --git a/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_form/value_badge.scss b/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_form/value_badge.scss new file mode 100644 index 00000000000000..853edd3fed0a38 --- /dev/null +++ b/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_form/value_badge.scss @@ -0,0 +1,23 @@ +.relevanceTuningForm { + .valueBadge { + display: inline-flex; + align-items: center; + height: $euiSizeL; + border: 1px solid $euiColorLightShade; + border-radius: $euiSizeXS; + // To match the background of EuiToken, for which there is no direct variable to + // reference + background: tintOrShade($euiColorVis1, 90%, 70%); + color: $euiColorVis1; + padding: 0 $euiSizeS; + + .euiIcon { + margin-right: $euiSizeXS; + } + } + + .valueBadge--disabled { + background: transparent; + color: $euiColorMediumShade; + } +} diff --git a/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_form/value_badge.tsx b/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_form/value_badge.tsx new file mode 100644 index 00000000000000..8397087ca69b46 --- /dev/null +++ b/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_form/value_badge.tsx @@ -0,0 +1,22 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import React from 'react'; + +import classNames from 'classnames'; + +import './value_badge.scss'; + +export const ValueBadge: React.FC<{ children: React.ReactNode; disabled?: boolean }> = ({ + children, + disabled = false, +}) => { + const className = classNames('valueBadge', { + 'valueBadge--disabled': disabled, + }); + return {children}; +}; diff --git a/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_logic.test.ts b/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_logic.test.ts index 194848bcfc86c0..a7ee6f9755fc4a 100644 --- a/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_logic.test.ts +++ b/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_logic.test.ts @@ -9,7 +9,7 @@ import { LogicMounter, mockFlashMessageHelpers, mockHttpValues } from '../../../ import { nextTick } from '@kbn/test/jest'; -import { Boost, BoostType } from './types'; +import { Boost, BoostFunction, BoostOperation, BoostType } from './types'; import { RelevanceTuningLogic } from './'; @@ -24,7 +24,7 @@ describe('RelevanceTuningLogic', () => { boosts: { foo: [ { - type: 'value' as BoostType, + type: BoostType.Value, factor: 5, }, ], @@ -97,6 +97,18 @@ describe('RelevanceTuningLogic', () => { schemaConflicts, }); }); + + it('should default schemaConflicts if it is not passed', () => { + mount({ + dataLoading: true, + }); + RelevanceTuningLogic.actions.onInitializeRelevanceTuning({ + searchSettings, + schema, + }); + + expect(RelevanceTuningLogic.values.schemaConflicts).toEqual({}); + }); }); describe('setSearchSettings', () => { @@ -237,7 +249,7 @@ describe('RelevanceTuningLogic', () => { foo: [ { factor: 1, - type: 'functional', + type: BoostType.Functional, }, boost, ], @@ -265,7 +277,7 @@ describe('RelevanceTuningLogic', () => { boosts: { foo: [ { - type: 'value' as BoostType, + type: BoostType.Value, factor: 5, value: 5, }, @@ -289,7 +301,7 @@ describe('RelevanceTuningLogic', () => { boosts: { foo: [ { - type: 'value' as BoostType, + type: BoostType.Value, factor: 5, value: ['5'], }, @@ -324,19 +336,25 @@ describe('RelevanceTuningLogic', () => { boosts: { foo: [ { - type: 'value' as BoostType, + type: BoostType.Value, factor: 5, newBoost: true, // This should be deleted before sent to the server }, ], }, + search_fields: { + bar: { + weight: 1, + }, + }, }; const searchSettingsWithoutNewBoostProp = { + ...searchSettingsWithNewBoostProp, boosts: { foo: [ { - type: 'value' as BoostType, + type: BoostType.Value, factor: 5, }, ], @@ -475,7 +493,7 @@ describe('RelevanceTuningLogic', () => { boosts: { foo: [ { - type: 'value' as BoostType, + type: BoostType.Value, factor: 5, newBoost: true, // This should be deleted before sent to the server }, @@ -487,7 +505,7 @@ describe('RelevanceTuningLogic', () => { boosts: { foo: [ { - type: 'value' as BoostType, + type: BoostType.Value, factor: 5, }, ], @@ -672,7 +690,7 @@ describe('RelevanceTuningLogic', () => { foo: [ { factor: 2, - type: 'value', + type: BoostType.Value, }, ], }, @@ -680,7 +698,7 @@ describe('RelevanceTuningLogic', () => { }); jest.spyOn(RelevanceTuningLogic.actions, 'setSearchSettings'); - RelevanceTuningLogic.actions.addBoost('foo', 'functional'); + RelevanceTuningLogic.actions.addBoost('foo', BoostType.Functional); expect(RelevanceTuningLogic.actions.setSearchSettings).toHaveBeenCalledWith({ ...searchSettings, @@ -688,12 +706,12 @@ describe('RelevanceTuningLogic', () => { foo: [ { factor: 2, - type: 'value', + type: BoostType.Value, }, { factor: 1, newBoost: true, - type: 'functional', + type: BoostType.Functional, }, ], }, @@ -709,7 +727,7 @@ describe('RelevanceTuningLogic', () => { }); jest.spyOn(RelevanceTuningLogic.actions, 'setSearchSettings'); - RelevanceTuningLogic.actions.addBoost('foo', 'functional'); + RelevanceTuningLogic.actions.addBoost('foo', BoostType.Functional); expect(RelevanceTuningLogic.actions.setSearchSettings).toHaveBeenCalledWith({ ...searchSettings, @@ -718,7 +736,7 @@ describe('RelevanceTuningLogic', () => { { factor: 1, newBoost: true, - type: 'functional', + type: BoostType.Functional, }, ], }, @@ -735,11 +753,11 @@ describe('RelevanceTuningLogic', () => { foo: [ { factor: 1, - type: 'functional', + type: BoostType.Functional, }, { factor: 2, - type: 'value', + type: BoostType.Value, }, ], }, @@ -756,7 +774,7 @@ describe('RelevanceTuningLogic', () => { foo: [ { factor: 1, - type: 'functional', + type: BoostType.Functional, }, ], }, @@ -771,7 +789,7 @@ describe('RelevanceTuningLogic', () => { foo: [ { factor: 1, - type: 'functional', + type: BoostType.Functional, }, ], }, @@ -796,7 +814,7 @@ describe('RelevanceTuningLogic', () => { foo: [ { factor: 1, - type: 'functional', + type: BoostType.Functional, }, ], }, @@ -816,7 +834,7 @@ describe('RelevanceTuningLogic', () => { mount({ searchSettings: searchSettingsWithBoost({ factor: 1, - type: 'functional', + type: BoostType.Functional, }), }); jest.spyOn(RelevanceTuningLogic.actions, 'setSearchSettings'); @@ -826,7 +844,7 @@ describe('RelevanceTuningLogic', () => { expect(RelevanceTuningLogic.actions.setSearchSettings).toHaveBeenCalledWith( searchSettingsWithBoost({ factor: 5, - type: 'functional', + type: BoostType.Functional, }) ); }); @@ -835,7 +853,7 @@ describe('RelevanceTuningLogic', () => { mount({ searchSettings: searchSettingsWithBoost({ factor: 1, - type: 'functional', + type: BoostType.Functional, }), }); jest.spyOn(RelevanceTuningLogic.actions, 'setSearchSettings'); @@ -845,7 +863,7 @@ describe('RelevanceTuningLogic', () => { expect(RelevanceTuningLogic.actions.setSearchSettings).toHaveBeenCalledWith( searchSettingsWithBoost({ factor: 5.3, - type: 'functional', + type: BoostType.Functional, }) ); }); @@ -856,7 +874,7 @@ describe('RelevanceTuningLogic', () => { mount({ searchSettings: searchSettingsWithBoost({ factor: 1, - type: 'functional', + type: BoostType.Functional, value: ['a', 'b', 'c'], }), }); @@ -867,7 +885,7 @@ describe('RelevanceTuningLogic', () => { expect(RelevanceTuningLogic.actions.setSearchSettings).toHaveBeenCalledWith( searchSettingsWithBoost({ factor: 1, - type: 'functional', + type: BoostType.Functional, value: ['a', 'a', 'c'], }) ); @@ -877,7 +895,7 @@ describe('RelevanceTuningLogic', () => { mount({ searchSettings: searchSettingsWithBoost({ factor: 1, - type: 'functional', + type: BoostType.Functional, }), }); jest.spyOn(RelevanceTuningLogic.actions, 'setSearchSettings'); @@ -887,7 +905,7 @@ describe('RelevanceTuningLogic', () => { expect(RelevanceTuningLogic.actions.setSearchSettings).toHaveBeenCalledWith( searchSettingsWithBoost({ factor: 1, - type: 'functional', + type: BoostType.Functional, value: ['a'], }) ); @@ -902,7 +920,7 @@ describe('RelevanceTuningLogic', () => { }, searchSettings: searchSettingsWithBoost({ factor: 1, - type: 'proximity', + type: BoostType.Proximity, center: 1, }), }); @@ -913,7 +931,7 @@ describe('RelevanceTuningLogic', () => { expect(RelevanceTuningLogic.actions.setSearchSettings).toHaveBeenCalledWith( searchSettingsWithBoost({ factor: 1, - type: 'proximity', + type: BoostType.Proximity, center: 4, }) ); @@ -925,7 +943,7 @@ describe('RelevanceTuningLogic', () => { mount({ searchSettings: searchSettingsWithBoost({ factor: 1, - type: 'functional', + type: BoostType.Functional, value: ['a'], }), }); @@ -936,7 +954,7 @@ describe('RelevanceTuningLogic', () => { expect(RelevanceTuningLogic.actions.setSearchSettings).toHaveBeenCalledWith( searchSettingsWithBoost({ factor: 1, - type: 'functional', + type: BoostType.Functional, value: ['a', ''], }) ); @@ -946,7 +964,7 @@ describe('RelevanceTuningLogic', () => { mount({ searchSettings: searchSettingsWithBoost({ factor: 1, - type: 'functional', + type: BoostType.Functional, }), }); jest.spyOn(RelevanceTuningLogic.actions, 'setSearchSettings'); @@ -956,7 +974,7 @@ describe('RelevanceTuningLogic', () => { expect(RelevanceTuningLogic.actions.setSearchSettings).toHaveBeenCalledWith( searchSettingsWithBoost({ factor: 1, - type: 'functional', + type: BoostType.Functional, value: ['', ''], }) ); @@ -966,7 +984,7 @@ describe('RelevanceTuningLogic', () => { mount({ searchSettings: searchSettingsWithBoost({ factor: 1, - type: 'functional', + type: BoostType.Functional, value: ['a', ''], }), }); @@ -977,7 +995,7 @@ describe('RelevanceTuningLogic', () => { expect(RelevanceTuningLogic.actions.setSearchSettings).toHaveBeenCalledWith( searchSettingsWithBoost({ factor: 1, - type: 'functional', + type: BoostType.Functional, value: ['a', ''], }) ); @@ -989,7 +1007,7 @@ describe('RelevanceTuningLogic', () => { mount({ searchSettings: searchSettingsWithBoost({ factor: 1, - type: 'functional', + type: BoostType.Functional, value: ['a', 'b', 'c'], }), }); @@ -1000,7 +1018,7 @@ describe('RelevanceTuningLogic', () => { expect(RelevanceTuningLogic.actions.setSearchSettings).toHaveBeenCalledWith( searchSettingsWithBoost({ factor: 1, - type: 'functional', + type: BoostType.Functional, value: ['a', 'c'], }) ); @@ -1010,7 +1028,7 @@ describe('RelevanceTuningLogic', () => { mount({ searchSettings: searchSettingsWithBoost({ factor: 1, - type: 'functional', + type: BoostType.Functional, }), }); jest.spyOn(RelevanceTuningLogic.actions, 'setSearchSettings'); @@ -1026,18 +1044,23 @@ describe('RelevanceTuningLogic', () => { mount({ searchSettings: searchSettingsWithBoost({ factor: 1, - type: 'functional', + type: BoostType.Functional, }), }); jest.spyOn(RelevanceTuningLogic.actions, 'setSearchSettings'); - RelevanceTuningLogic.actions.updateBoostSelectOption('foo', 1, 'function', 'exponential'); + RelevanceTuningLogic.actions.updateBoostSelectOption( + 'foo', + 1, + 'function', + BoostFunction.Exponential + ); expect(RelevanceTuningLogic.actions.setSearchSettings).toHaveBeenCalledWith( searchSettingsWithBoost({ factor: 1, - type: 'functional', - function: 'exponential', + type: BoostType.Functional, + function: BoostFunction.Exponential, }) ); }); @@ -1046,18 +1069,23 @@ describe('RelevanceTuningLogic', () => { mount({ searchSettings: searchSettingsWithBoost({ factor: 1, - type: 'functional', + type: BoostType.Functional, }), }); jest.spyOn(RelevanceTuningLogic.actions, 'setSearchSettings'); - RelevanceTuningLogic.actions.updateBoostSelectOption('foo', 1, 'operation', 'add'); + RelevanceTuningLogic.actions.updateBoostSelectOption( + 'foo', + 1, + 'operation', + BoostOperation.Add + ); expect(RelevanceTuningLogic.actions.setSearchSettings).toHaveBeenCalledWith( searchSettingsWithBoost({ factor: 1, - type: 'functional', - operation: 'add', + type: BoostType.Functional, + operation: BoostOperation.Add, }) ); }); diff --git a/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_logic.ts b/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_logic.ts index cd3d8b5686cc05..d567afee9d0627 100644 --- a/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_logic.ts +++ b/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/relevance_tuning_logic.ts @@ -21,7 +21,14 @@ import { DELETE_SUCCESS_MESSAGE, DELETE_CONFIRMATION_MESSAGE, } from './constants'; -import { BaseBoost, Boost, BoostType, SearchSettings } from './types'; +import { + BaseBoost, + Boost, + BoostFunction, + BoostOperation, + BoostType, + SearchSettings, +} from './types'; import { filterIfTerm, parseBoostCenter, @@ -32,7 +39,7 @@ import { interface RelevanceTuningProps { searchSettings: SearchSettings; schema: Schema; - schemaConflicts: SchemaConflicts; + schemaConflicts?: SchemaConflicts; } interface RelevanceTuningActions { @@ -82,7 +89,7 @@ interface RelevanceTuningActions { name: string, boostIndex: number, optionType: keyof BaseBoost, - value: string + value: BoostOperation | BoostFunction ): { name: string; boostIndex: number; @@ -176,7 +183,7 @@ export const RelevanceTuningLogic = kea< schemaConflicts: [ {}, { - onInitializeRelevanceTuning: (_, { schemaConflicts }) => schemaConflicts, + onInitializeRelevanceTuning: (_, { schemaConflicts }) => schemaConflicts || {}, }, ], showSchemaConflictCallout: [ @@ -497,7 +504,11 @@ export const RelevanceTuningLogic = kea< const { searchSettings } = values; const { boosts } = searchSettings; const updatedBoosts = cloneDeep(boosts[name]); - updatedBoosts[boostIndex][optionType] = value; + if (optionType === 'operation') { + updatedBoosts[boostIndex][optionType] = value as BoostOperation; + } else { + updatedBoosts[boostIndex][optionType] = value as BoostFunction; + } actions.setSearchSettings({ ...searchSettings, diff --git a/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/types.ts b/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/types.ts index a1ed9797b9f5a5..95bd33aac5b9ff 100644 --- a/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/types.ts +++ b/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/types.ts @@ -5,11 +5,26 @@ * 2.0. */ -export type BoostType = 'value' | 'functional' | 'proximity'; +export enum BoostType { + Value = 'value', + Functional = 'functional', + Proximity = 'proximity', +} + +export enum BoostFunction { + Gaussian = 'gaussian', + Exponential = 'exponential', + Linear = 'linear', +} + +export enum BoostOperation { + Add = 'add', + Multiple = 'multiply', +} export interface BaseBoost { - operation?: string; - function?: string; + operation?: BoostOperation; + function?: BoostFunction; } // A boost that comes from the server, before we normalize it has a much looser schema @@ -25,13 +40,13 @@ export interface RawBoost extends BaseBoost { export interface Boost extends RawBoost { value?: string[]; } + +export interface SearchField { + weight: number; +} + export interface SearchSettings { boosts: Record; - search_fields: Record< - string, - { - weight: number; - } - >; + search_fields: Record; result_fields?: object; } diff --git a/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/utils.test.ts b/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/utils.test.ts index a6598bf991c13e..1694015ed68615 100644 --- a/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/utils.test.ts +++ b/x-pack/plugins/enterprise_search/public/applications/app_search/components/relevance_tuning/utils.test.ts @@ -39,7 +39,7 @@ describe('removeBoostStateProps', () => { boosts: { foo: [ { - type: 'value' as BoostType, + type: BoostType.Value, factor: 5, newBoost: true, }, @@ -56,7 +56,7 @@ describe('removeBoostStateProps', () => { boosts: { foo: [ { - type: 'value' as BoostType, + type: BoostType.Value, factor: 5, }, ], @@ -66,39 +66,46 @@ describe('removeBoostStateProps', () => { }); describe('parseBoostCenter', () => { - it('should parse a boost center', () => { - expect(parseBoostCenter('text', 5)).toEqual(5); - expect(parseBoostCenter('text', '4')).toEqual('4'); + it('should parse the value to a number when the type is number', () => { expect(parseBoostCenter('number', 5)).toEqual(5); expect(parseBoostCenter('number', '5')).toEqual(5); }); + + it('should not try to parse the value when the type is text', () => { + expect(parseBoostCenter('text', 5)).toEqual(5); + expect(parseBoostCenter('text', '4')).toEqual('4'); + }); + + it('should leave text invalid numbers alone', () => { + expect(parseBoostCenter('number', 'foo')).toEqual('foo'); + }); }); describe('normalizeBoostValues', () => { const boosts = { foo: [ { - type: 'value' as BoostType, + type: BoostType.Value, factor: 9.5, value: 1, }, { - type: 'value' as BoostType, + type: BoostType.Value, factor: 9.5, value: '1', }, { - type: 'value' as BoostType, + type: BoostType.Value, factor: 9.5, value: [1], }, { - type: 'value' as BoostType, + type: BoostType.Value, factor: 9.5, value: ['1'], }, { - type: 'value' as BoostType, + type: BoostType.Value, factor: 9.5, value: [ '1', @@ -115,13 +122,13 @@ describe('normalizeBoostValues', () => { ], bar: [ { - type: 'proximity' as BoostType, + type: BoostType.Proximity, factor: 9.5, }, ], sp_def: [ { - type: 'functional' as BoostType, + type: BoostType.Functional, factor: 5, }, ], @@ -129,19 +136,19 @@ describe('normalizeBoostValues', () => { it('converts all value types to string for consistency', () => { expect(normalizeBoostValues(boosts)).toEqual({ - bar: [{ factor: 9.5, type: 'proximity' }], + bar: [{ factor: 9.5, type: BoostType.Proximity }], foo: [ - { factor: 9.5, type: 'value', value: ['1'] }, - { factor: 9.5, type: 'value', value: ['1'] }, - { factor: 9.5, type: 'value', value: ['1'] }, - { factor: 9.5, type: 'value', value: ['1'] }, + { factor: 9.5, type: BoostType.Value, value: ['1'] }, + { factor: 9.5, type: BoostType.Value, value: ['1'] }, + { factor: 9.5, type: BoostType.Value, value: ['1'] }, + { factor: 9.5, type: BoostType.Value, value: ['1'] }, { factor: 9.5, - type: 'value', + type: BoostType.Value, value: ['1', '1', '2', '2', 'true', '[object Object]', '[object Object]'], }, ], - sp_def: [{ type: 'functional', factor: 5 }], + sp_def: [{ type: BoostType.Functional, factor: 5 }], }); }); }); From a558920176abdf5e41208a0b6f728b46c09efe19 Mon Sep 17 00:00:00 2001 From: Chris Roberson Date: Thu, 18 Feb 2021 08:47:03 -0500 Subject: [PATCH 05/15] [Monitoring] Fetch status once and change fetchStatus to support an array of clusters (#91749) * Fetch status once and change fetchStatus to support an array of clusters * Update test --- .../server/lib/alerts/fetch_status.test.ts | 49 +++++++------------ .../server/lib/alerts/fetch_status.ts | 4 +- .../lib/cluster/get_clusters_from_request.js | 27 +++++++--- .../server/routes/api/v1/alerts/status.ts | 2 +- 4 files changed, 41 insertions(+), 41 deletions(-) diff --git a/x-pack/plugins/monitoring/server/lib/alerts/fetch_status.test.ts b/x-pack/plugins/monitoring/server/lib/alerts/fetch_status.test.ts index e30d2ba1044fb3..0d2d9fdbed6358 100644 --- a/x-pack/plugins/monitoring/server/lib/alerts/fetch_status.test.ts +++ b/x-pack/plugins/monitoring/server/lib/alerts/fetch_status.test.ts @@ -74,12 +74,9 @@ describe('fetchStatus', () => { }); it('should fetch from the alerts client', async () => { - const status = await fetchStatus( - alertsClient as any, - licenseService as any, - alertTypes, - defaultClusterState.clusterUuid - ); + const status = await fetchStatus(alertsClient as any, licenseService as any, alertTypes, [ + defaultClusterState.clusterUuid, + ]); expect(status).toEqual({ monitoring_alert_cpu_usage: { rawAlert: { id: 1 }, @@ -99,24 +96,18 @@ describe('fetchStatus', () => { }, ]; - const status = await fetchStatus( - alertsClient as any, - licenseService as any, - alertTypes, - defaultClusterState.clusterUuid - ); + const status = await fetchStatus(alertsClient as any, licenseService as any, alertTypes, [ + defaultClusterState.clusterUuid, + ]); expect(Object.values(status).length).toBe(1); expect(Object.keys(status)).toEqual(alertTypes); expect(status[alertType].states[0].state.ui.isFiring).toBe(true); }); it('should pass in the right filter to the alerts client', async () => { - await fetchStatus( - alertsClient as any, - licenseService as any, - alertTypes, - defaultClusterState.clusterUuid - ); + await fetchStatus(alertsClient as any, licenseService as any, alertTypes, [ + defaultClusterState.clusterUuid, + ]); expect((alertsClient.find as jest.Mock).mock.calls[0][0].options.filter).toBe( `alert.attributes.alertTypeId:${alertType}` ); @@ -127,12 +118,9 @@ describe('fetchStatus', () => { alertTypeState: null, })) as any; - const status = await fetchStatus( - alertsClient as any, - licenseService as any, - alertTypes, - defaultClusterState.clusterUuid - ); + const status = await fetchStatus(alertsClient as any, licenseService as any, alertTypes, [ + defaultClusterState.clusterUuid, + ]); expect(status[alertType].states.length).toEqual(0); }); @@ -142,12 +130,9 @@ describe('fetchStatus', () => { data: [], })) as any; - const status = await fetchStatus( - alertsClient as any, - licenseService as any, - alertTypes, - defaultClusterState.clusterUuid - ); + const status = await fetchStatus(alertsClient as any, licenseService as any, alertTypes, [ + defaultClusterState.clusterUuid, + ]); expect(status).toEqual({}); }); @@ -163,7 +148,7 @@ describe('fetchStatus', () => { alertsClient as any, customLicenseService as any, [ALERT_CLUSTER_HEALTH], - defaultClusterState.clusterUuid + [defaultClusterState.clusterUuid] ); expect(customLicenseService.getWatcherFeature).toHaveBeenCalled(); }); @@ -200,7 +185,7 @@ describe('fetchStatus', () => { customAlertsClient as any, licenseService as any, [ALERT_CPU_USAGE, ALERT_DISK_USAGE, ALERT_MISSING_MONITORING_DATA], - defaultClusterState.clusterUuid + [defaultClusterState.clusterUuid] ); expect(Object.keys(status)).toEqual([ ALERT_CPU_USAGE, diff --git a/x-pack/plugins/monitoring/server/lib/alerts/fetch_status.ts b/x-pack/plugins/monitoring/server/lib/alerts/fetch_status.ts index 399b26a6c5c314..3ccb4d3a9c4d5d 100644 --- a/x-pack/plugins/monitoring/server/lib/alerts/fetch_status.ts +++ b/x-pack/plugins/monitoring/server/lib/alerts/fetch_status.ts @@ -20,7 +20,7 @@ export async function fetchStatus( alertsClient: AlertsClient, licenseService: MonitoringLicenseService, alertTypes: string[] | undefined, - clusterUuid: string, + clusterUuids: string[], filters: CommonAlertFilter[] = [] ): Promise<{ [type: string]: CommonAlertStatus }> { const types: Array<{ type: string; result: CommonAlertStatus }> = []; @@ -57,7 +57,7 @@ export async function fetchStatus( } for (const state of alertInstanceState.alertStates) { const meta = instance.meta; - if (clusterUuid && state.cluster.clusterUuid !== clusterUuid) { + if (clusterUuids && !clusterUuids.includes(state.cluster.clusterUuid)) { return accum; } diff --git a/x-pack/plugins/monitoring/server/lib/cluster/get_clusters_from_request.js b/x-pack/plugins/monitoring/server/lib/cluster/get_clusters_from_request.js index 47e3cef0674110..0bed25a70d0480 100644 --- a/x-pack/plugins/monitoring/server/lib/cluster/get_clusters_from_request.js +++ b/x-pack/plugins/monitoring/server/lib/cluster/get_clusters_from_request.js @@ -120,6 +120,13 @@ export async function getClustersFromRequest( // add alerts data if (isInCodePath(codePaths, [CODE_PATH_ALERTS])) { const alertsClient = req.getAlertsClient(); + const alertStatus = await fetchStatus( + alertsClient, + req.server.plugins.monitoring.info, + undefined, + clusters.map((cluster) => cluster.cluster_uuid) + ); + for (const cluster of clusters) { const verification = verifyMonitoringLicense(req.server); if (!verification.enabled) { @@ -154,12 +161,20 @@ export async function getClustersFromRequest( if (prodLicenseInfo.clusterAlerts.enabled) { try { cluster.alerts = { - list: await fetchStatus( - alertsClient, - req.server.plugins.monitoring.info, - undefined, - cluster.cluster_uuid - ), + list: Object.keys(alertStatus).reduce((accum, alertName) => { + const value = alertStatus[alertName]; + if (value.states && value.states.length) { + accum[alertName] = { + ...value, + states: value.states.filter( + (state) => state.state.cluster.clusterUuid === cluster.cluster_uuid + ), + }; + } else { + accum[alertName] = value; + } + return accum; + }, {}), alertsMeta: { enabled: true, }, diff --git a/x-pack/plugins/monitoring/server/routes/api/v1/alerts/status.ts b/x-pack/plugins/monitoring/server/routes/api/v1/alerts/status.ts index d0a4de7b5b3783..95e2cb63bec86d 100644 --- a/x-pack/plugins/monitoring/server/routes/api/v1/alerts/status.ts +++ b/x-pack/plugins/monitoring/server/routes/api/v1/alerts/status.ts @@ -43,7 +43,7 @@ export function alertStatusRoute(server: any, npRoute: RouteDependencies) { alertsClient, npRoute.licenseService, alertTypeIds, - clusterUuid, + [clusterUuid], filters as CommonAlertFilter[] ); return response.ok({ body: status }); From 7a7f071236fb1884dab9cfa861cbfecd2894fecc Mon Sep 17 00:00:00 2001 From: Jean-Louis Leysens Date: Thu, 18 Feb 2021 14:51:14 +0100 Subject: [PATCH 06/15] [ILM] Update Delete phase default days (#91811) * update delete phase default * added test for delete phase serialization --- .../edit_policy/edit_policy.test.ts | 23 +++++++++++++++++++ .../sections/edit_policy/form/schema.ts | 2 +- 2 files changed, 24 insertions(+), 1 deletion(-) diff --git a/x-pack/plugins/index_lifecycle_management/__jest__/client_integration/edit_policy/edit_policy.test.ts b/x-pack/plugins/index_lifecycle_management/__jest__/client_integration/edit_policy/edit_policy.test.ts index f1a15d805faf8a..859b4adce50285 100644 --- a/x-pack/plugins/index_lifecycle_management/__jest__/client_integration/edit_policy/edit_policy.test.ts +++ b/x-pack/plugins/index_lifecycle_management/__jest__/client_integration/edit_policy/edit_policy.test.ts @@ -479,6 +479,29 @@ describe('', () => { component.update(); }); + test('serialization', async () => { + httpRequestsMockHelpers.setLoadPolicies([DEFAULT_POLICY]); + await act(async () => { + testBed = await setup(); + }); + const { component, actions } = testBed; + component.update(); + await actions.delete.enablePhase(); + await actions.setWaitForSnapshotPolicy('test'); + await actions.savePolicy(); + const latestRequest = server.requests[server.requests.length - 1]; + const entirePolicy = JSON.parse(JSON.parse(latestRequest.requestBody).body); + expect(entirePolicy.phases.delete).toEqual({ + min_age: '365d', + actions: { + delete: {}, + wait_for_snapshot: { + policy: 'test', + }, + }, + }); + }); + test('wait for snapshot policy field should correctly display snapshot policy name', () => { expect(testBed.find('snapshotPolicyCombobox').prop('data-currentvalue')).toEqual([ { diff --git a/x-pack/plugins/index_lifecycle_management/public/application/sections/edit_policy/form/schema.ts b/x-pack/plugins/index_lifecycle_management/public/application/sections/edit_policy/form/schema.ts index 600a660657863c..65fc82b7ccc685 100644 --- a/x-pack/plugins/index_lifecycle_management/public/application/sections/edit_policy/form/schema.ts +++ b/x-pack/plugins/index_lifecycle_management/public/application/sections/edit_policy/form/schema.ts @@ -354,7 +354,7 @@ export const schema: FormSchema = { }, delete: { min_age: { - defaultValue: '0', + defaultValue: '365', validations: [ { validator: minAgeValidator, From dadf0e65649db6310a85e8911532f3241fb22b4e Mon Sep 17 00:00:00 2001 From: Nathan L Smith Date: Thu, 18 Feb 2021 07:57:19 -0600 Subject: [PATCH 07/15] Pass service node name in query for instance table links (#91796) For a non-Java service, the previous link was like: ``` http://localhost:5601/kbn/app/apm/services/opbeans-python/metrics?rangeFrom=now-15m&rangeTo=now ``` which did not filter by the `service.node.name`. It now is: ``` http://localhost:5601/kbn/app/apm/services/opbeans-python/metrics?kuery=service.node.name:%226a7f116fe344aee7e92fceeb426cbfdf6a534a8e3ba6345c16a47793eba6daf5%22&rangeFrom=now-15m&rangeTo=now ```` Which links to the metrics page with the filter applied. The component is using a `MetricOverviewLink` which was using a `EuiLink` and passing throught the props, including `mergeQuery`, which includes the `kuery` parameter. Replace the `EuiLink` with an `APMLink` which does use the `mergeQuery` prop and does pass the parameters through correctly. Looks like this was changed to an `EuiLink` by a refactor in #86986. Since we'll be making some further changes to how `kuery` is handled in #84526, I'm just making the minimal change to fix this bug at this time. --- .../components/shared/Links/apm/MetricOverviewLink.tsx | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/x-pack/plugins/apm/public/components/shared/Links/apm/MetricOverviewLink.tsx b/x-pack/plugins/apm/public/components/shared/Links/apm/MetricOverviewLink.tsx index 3bfdb5df61c2ee..c3d418b63426b5 100644 --- a/x-pack/plugins/apm/public/components/shared/Links/apm/MetricOverviewLink.tsx +++ b/x-pack/plugins/apm/public/components/shared/Links/apm/MetricOverviewLink.tsx @@ -5,10 +5,9 @@ * 2.0. */ -import { EuiLink } from '@elastic/eui'; import React from 'react'; import { APMQueryParams } from '../url_helpers'; -import { APMLinkExtendProps, useAPMHref } from './APMLink'; +import { APMLink, APMLinkExtendProps, useAPMHref } from './APMLink'; const persistedFilters: Array = [ 'host', @@ -29,6 +28,5 @@ interface Props extends APMLinkExtendProps { } export function MetricOverviewLink({ serviceName, ...rest }: Props) { - const href = useMetricOverviewHref(serviceName); - return ; + return ; } From 7503fd256a1726c85bd75b228045707ee5a3bbf2 Mon Sep 17 00:00:00 2001 From: Peter Pisljar Date: Thu, 18 Feb 2021 15:12:41 +0100 Subject: [PATCH 08/15] support serializing nested searchsource (#91525) --- ...gins-data-public.searchsource.getfields.md | 9 +- ...plugin-plugins-data-public.searchsource.md | 2 +- ...-plugins-data-public.searchsourcefields.md | 1 + ...s-data-public.searchsourcefields.parent.md | 11 + .../search_source/search_source.test.ts | 228 ++++++------------ .../search/search_source/search_source.ts | 60 +---- .../data/common/search/search_source/types.ts | 2 + src/plugins/data/public/public.api.md | 4 +- 8 files changed, 101 insertions(+), 216 deletions(-) create mode 100644 docs/development/plugins/data/public/kibana-plugin-plugins-data-public.searchsourcefields.parent.md diff --git a/docs/development/plugins/data/public/kibana-plugin-plugins-data-public.searchsource.getfields.md b/docs/development/plugins/data/public/kibana-plugin-plugins-data-public.searchsource.getfields.md index b0ccedb819c95d..856e43588ffb78 100644 --- a/docs/development/plugins/data/public/kibana-plugin-plugins-data-public.searchsource.getfields.md +++ b/docs/development/plugins/data/public/kibana-plugin-plugins-data-public.searchsource.getfields.md @@ -9,15 +9,8 @@ returns all search source fields Signature: ```typescript -getFields(recurse?: boolean): SearchSourceFields; +getFields(): SearchSourceFields; ``` - -## Parameters - -| Parameter | Type | Description | -| --- | --- | --- | -| recurse | boolean | | - Returns: `SearchSourceFields` diff --git a/docs/development/plugins/data/public/kibana-plugin-plugins-data-public.searchsource.md b/docs/development/plugins/data/public/kibana-plugin-plugins-data-public.searchsource.md index 3250561c8b82e9..b2382d35f7d768 100644 --- a/docs/development/plugins/data/public/kibana-plugin-plugins-data-public.searchsource.md +++ b/docs/development/plugins/data/public/kibana-plugin-plugins-data-public.searchsource.md @@ -35,7 +35,7 @@ export declare class SearchSource | [fetch(options)](./kibana-plugin-plugins-data-public.searchsource.fetch.md) | | Fetch this source and reject the returned Promise on error | | [fetch$(options)](./kibana-plugin-plugins-data-public.searchsource.fetch_.md) | | Fetch this source from Elasticsearch, returning an observable over the response(s) | | [getField(field, recurse)](./kibana-plugin-plugins-data-public.searchsource.getfield.md) | | Gets a single field from the fields | -| [getFields(recurse)](./kibana-plugin-plugins-data-public.searchsource.getfields.md) | | returns all search source fields | +| [getFields()](./kibana-plugin-plugins-data-public.searchsource.getfields.md) | | returns all search source fields | | [getId()](./kibana-plugin-plugins-data-public.searchsource.getid.md) | | returns search source id | | [getOwnField(field)](./kibana-plugin-plugins-data-public.searchsource.getownfield.md) | | Get the field from our own fields, don't traverse up the chain | | [getParent()](./kibana-plugin-plugins-data-public.searchsource.getparent.md) | | Get the parent of this SearchSource {undefined\|searchSource} | diff --git a/docs/development/plugins/data/public/kibana-plugin-plugins-data-public.searchsourcefields.md b/docs/development/plugins/data/public/kibana-plugin-plugins-data-public.searchsourcefields.md index 683a35fabf5710..1d4547bb21d103 100644 --- a/docs/development/plugins/data/public/kibana-plugin-plugins-data-public.searchsourcefields.md +++ b/docs/development/plugins/data/public/kibana-plugin-plugins-data-public.searchsourcefields.md @@ -24,6 +24,7 @@ export interface SearchSourceFields | [highlight](./kibana-plugin-plugins-data-public.searchsourcefields.highlight.md) | any | | | [highlightAll](./kibana-plugin-plugins-data-public.searchsourcefields.highlightall.md) | boolean | | | [index](./kibana-plugin-plugins-data-public.searchsourcefields.index.md) | IndexPattern | | +| [parent](./kibana-plugin-plugins-data-public.searchsourcefields.parent.md) | SearchSourceFields | | | [query](./kibana-plugin-plugins-data-public.searchsourcefields.query.md) | Query | [Query](./kibana-plugin-plugins-data-public.query.md) | | [searchAfter](./kibana-plugin-plugins-data-public.searchsourcefields.searchafter.md) | EsQuerySearchAfter | | | [size](./kibana-plugin-plugins-data-public.searchsourcefields.size.md) | number | | diff --git a/docs/development/plugins/data/public/kibana-plugin-plugins-data-public.searchsourcefields.parent.md b/docs/development/plugins/data/public/kibana-plugin-plugins-data-public.searchsourcefields.parent.md new file mode 100644 index 00000000000000..3adb34a50ff9eb --- /dev/null +++ b/docs/development/plugins/data/public/kibana-plugin-plugins-data-public.searchsourcefields.parent.md @@ -0,0 +1,11 @@ + + +[Home](./index.md) > [kibana-plugin-plugins-data-public](./kibana-plugin-plugins-data-public.md) > [SearchSourceFields](./kibana-plugin-plugins-data-public.searchsourcefields.md) > [parent](./kibana-plugin-plugins-data-public.searchsourcefields.parent.md) + +## SearchSourceFields.parent property + +Signature: + +```typescript +parent?: SearchSourceFields; +``` diff --git a/src/plugins/data/common/search/search_source/search_source.test.ts b/src/plugins/data/common/search/search_source/search_source.test.ts index 23ad7af14b093f..030e620bea34b4 100644 --- a/src/plugins/data/common/search/search_source/search_source.test.ts +++ b/src/plugins/data/common/search/search_source/search_source.test.ts @@ -95,164 +95,6 @@ describe('SearchSource', () => { } `); }); - - test('recurses parents to get the entire filters: plain object filter', () => { - const RECURSE = true; - - const parent = new SearchSource({}, searchSourceDependencies); - parent.setField('filter', [ - { - meta: { - index: 'd180cae0-60c3-11eb-8569-bd1f5ed24bc9', - params: {}, - alias: null, - disabled: false, - negate: false, - }, - query: { - range: { - '@date': { - gte: '2016-01-27T18:11:05.010Z', - lte: '2021-01-27T18:11:05.010Z', - format: 'strict_date_optional_time', - }, - }, - }, - }, - ]); - searchSource.setParent(parent); - searchSource.setField('aggs', 5); - expect(searchSource.getFields(RECURSE)).toMatchInlineSnapshot(` - Object { - "aggs": 5, - "filter": Array [ - Object { - "meta": Object { - "alias": null, - "disabled": false, - "index": "d180cae0-60c3-11eb-8569-bd1f5ed24bc9", - "negate": false, - "params": Object {}, - }, - "query": Object { - "range": Object { - "@date": Object { - "format": "strict_date_optional_time", - "gte": "2016-01-27T18:11:05.010Z", - "lte": "2021-01-27T18:11:05.010Z", - }, - }, - }, - }, - ], - } - `); - - // calling twice gives the same result: no searchSources in the hierarchy were modified - expect(searchSource.getFields(RECURSE)).toMatchInlineSnapshot(` - Object { - "aggs": 5, - "filter": Array [ - Object { - "meta": Object { - "alias": null, - "disabled": false, - "index": "d180cae0-60c3-11eb-8569-bd1f5ed24bc9", - "negate": false, - "params": Object {}, - }, - "query": Object { - "range": Object { - "@date": Object { - "format": "strict_date_optional_time", - "gte": "2016-01-27T18:11:05.010Z", - "lte": "2021-01-27T18:11:05.010Z", - }, - }, - }, - }, - ], - } - `); - }); - - test('recurses parents to get the entire filters: function filter', () => { - const RECURSE = true; - - const parent = new SearchSource({}, searchSourceDependencies); - parent.setField('filter', () => ({ - meta: { - index: 'd180cae0-60c3-11eb-8569-bd1f5ed24bc9', - params: {}, - alias: null, - disabled: false, - negate: false, - }, - query: { - range: { - '@date': { - gte: '2016-01-27T18:11:05.010Z', - lte: '2021-01-27T18:11:05.010Z', - format: 'strict_date_optional_time', - }, - }, - }, - })); - searchSource.setParent(parent); - searchSource.setField('aggs', 5); - expect(searchSource.getFields(RECURSE)).toMatchInlineSnapshot(` - Object { - "aggs": 5, - "filter": Array [ - Object { - "meta": Object { - "alias": null, - "disabled": false, - "index": "d180cae0-60c3-11eb-8569-bd1f5ed24bc9", - "negate": false, - "params": Object {}, - }, - "query": Object { - "range": Object { - "@date": Object { - "format": "strict_date_optional_time", - "gte": "2016-01-27T18:11:05.010Z", - "lte": "2021-01-27T18:11:05.010Z", - }, - }, - }, - }, - ], - } - `); - - // calling twice gives the same result: no double-added filters - expect(searchSource.getFields(RECURSE)).toMatchInlineSnapshot(` - Object { - "aggs": 5, - "filter": Array [ - Object { - "meta": Object { - "alias": null, - "disabled": false, - "index": "d180cae0-60c3-11eb-8569-bd1f5ed24bc9", - "negate": false, - "params": Object {}, - }, - "query": Object { - "range": Object { - "@date": Object { - "format": "strict_date_optional_time", - "gte": "2016-01-27T18:11:05.010Z", - "lte": "2021-01-27T18:11:05.010Z", - }, - }, - }, - }, - ], - } - `); - }); }); describe('#removeField()', () => { @@ -975,4 +817,74 @@ describe('SearchSource', () => { expect(request._source).toEqual(['geometry']); }); }); + + describe('getSerializedFields', () => { + const filter = [ + { + query: 'query', + meta: { + alias: 'alias', + disabled: false, + negate: false, + index: '456', + }, + }, + ]; + + test('should return serialized fields', () => { + const indexPattern123 = { id: '123' } as IndexPattern; + searchSource.setField('index', indexPattern123); + searchSource.setField('filter', () => { + return filter; + }); + const serializedFields = searchSource.getSerializedFields(); + expect(serializedFields).toMatchInlineSnapshot( + { index: '123', filter }, + ` + Object { + "filter": Array [ + Object { + "meta": Object { + "alias": "alias", + "disabled": false, + "index": "456", + "negate": false, + }, + "query": "query", + }, + ], + "index": "123", + } + ` + ); + }); + + test('should support nested search sources', () => { + const indexPattern123 = { id: '123' } as IndexPattern; + searchSource.setField('index', indexPattern123); + searchSource.setField('from', 123); + const childSearchSource = searchSource.createChild(); + childSearchSource.setField('timeout', '100'); + const serializedFields = childSearchSource.getSerializedFields(true); + expect(serializedFields).toMatchInlineSnapshot( + { + timeout: '100', + parent: { + index: '123', + from: 123, + }, + }, + ` + Object { + "index": undefined, + "parent": Object { + "from": 123, + "index": "123", + }, + "timeout": "100", + } + ` + ); + }); + }); }); diff --git a/src/plugins/data/common/search/search_source/search_source.ts b/src/plugins/data/common/search/search_source/search_source.ts index 8406c4900bef74..118bb04c1742b4 100644 --- a/src/plugins/data/common/search/search_source/search_source.ts +++ b/src/plugins/data/common/search/search_source/search_source.ts @@ -59,7 +59,7 @@ */ import { setWith } from '@elastic/safer-lodash-set'; -import { uniqueId, keyBy, pick, difference, omit, isFunction, isEqual, uniqWith } from 'lodash'; +import { uniqueId, keyBy, pick, difference, isFunction, isEqual, uniqWith } from 'lodash'; import { map, switchMap, tap } from 'rxjs/operators'; import { defer, from } from 'rxjs'; import { isObject } from 'rxjs/internal-compatibility'; @@ -114,8 +114,13 @@ export class SearchSource { private readonly dependencies: SearchSourceDependencies; constructor(fields: SearchSourceFields = {}, dependencies: SearchSourceDependencies) { - this.fields = fields; + const { parent, ...currentFields } = fields; + this.fields = currentFields; this.dependencies = dependencies; + + if (parent) { + this.setParent(new SearchSource(parent, dependencies)); + } } /** *** @@ -173,49 +178,7 @@ export class SearchSource { /** * returns all search source fields */ - getFields(recurse = false): SearchSourceFields { - let thisFilter = this.fields.filter; // type is single value, array, or function - if (thisFilter) { - if (typeof thisFilter === 'function') { - thisFilter = thisFilter() || []; // type is single value or array - } - - if (Array.isArray(thisFilter)) { - thisFilter = [...thisFilter]; - } else { - thisFilter = [thisFilter]; - } - } else { - thisFilter = []; - } - - if (recurse) { - const parent = this.getParent(); - if (parent) { - const parentFields = parent.getFields(recurse); - - let parentFilter = parentFields.filter; // type is single value, array, or function - if (parentFilter) { - if (typeof parentFilter === 'function') { - parentFilter = parentFilter() || []; // type is single value or array - } - - if (Array.isArray(parentFilter)) { - thisFilter.push(...parentFilter); - } else { - thisFilter.push(parentFilter); - } - } - - // add combined filters to the fields - const thisFields = { - ...this.fields, - filter: thisFilter, - }; - - return { ...parentFields, ...thisFields }; - } - } + getFields(): SearchSourceFields { return { ...this.fields }; } @@ -727,9 +690,7 @@ export class SearchSource { * serializes search source fields (which can later be passed to {@link ISearchStartSearchSource}) */ public getSerializedFields(recurse = false) { - const { filter: originalFilters, ...searchSourceFields } = omit(this.getFields(recurse), [ - 'size', - ]); + const { filter: originalFilters, size: omit, ...searchSourceFields } = this.getFields(); let serializedSearchSourceFields: SearchSourceFields = { ...searchSourceFields, index: (searchSourceFields.index ? searchSourceFields.index.id : undefined) as any, @@ -741,6 +702,9 @@ export class SearchSource { filter: filters, }; } + if (recurse && this.getParent()) { + serializedSearchSourceFields.parent = this.getParent()!.getSerializedFields(recurse); + } return serializedSearchSourceFields; } diff --git a/src/plugins/data/common/search/search_source/types.ts b/src/plugins/data/common/search/search_source/types.ts index 61d7165393b099..d06f521640da04 100644 --- a/src/plugins/data/common/search/search_source/types.ts +++ b/src/plugins/data/common/search/search_source/types.ts @@ -99,6 +99,8 @@ export interface SearchSourceFields { searchAfter?: EsQuerySearchAfter; timeout?: string; terminate_after?: number; + + parent?: SearchSourceFields; } export interface SearchSourceOptions { diff --git a/src/plugins/data/public/public.api.md b/src/plugins/data/public/public.api.md index 745f4a7d29d224..67423295dfe5e3 100644 --- a/src/plugins/data/public/public.api.md +++ b/src/plugins/data/public/public.api.md @@ -2382,7 +2382,7 @@ export class SearchSource { // @deprecated fetch(options?: ISearchOptions): Promise>; getField(field: K, recurse?: boolean): SearchSourceFields[K]; - getFields(recurse?: boolean): SearchSourceFields; + getFields(): SearchSourceFields; getId(): string; getOwnField(field: K): SearchSourceFields[K]; getParent(): SearchSource | undefined; @@ -2428,6 +2428,8 @@ export interface SearchSourceFields { // (undocumented) index?: IndexPattern; // (undocumented) + parent?: SearchSourceFields; + // (undocumented) query?: Query; // Warning: (ae-forgotten-export) The symbol "EsQuerySearchAfter" needs to be exported by the entry point index.d.ts // From 3c0d73af8ba1b779125ff9512458a7e5094af38a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alejandro=20Fern=C3=A1ndez=20Haro?= Date: Thu, 18 Feb 2021 14:35:27 +0000 Subject: [PATCH 09/15] [DOCS] Accept core changes (#91826) --- ...plugin-core-server.savedobjectsfindresult.sort.md | 2 +- ....savedobjectsrepository.openpointintimefortype.md | 12 ++++-------- 2 files changed, 5 insertions(+), 9 deletions(-) diff --git a/docs/development/core/server/kibana-plugin-core-server.savedobjectsfindresult.sort.md b/docs/development/core/server/kibana-plugin-core-server.savedobjectsfindresult.sort.md index 3cc02c404c8d71..17f52687243321 100644 --- a/docs/development/core/server/kibana-plugin-core-server.savedobjectsfindresult.sort.md +++ b/docs/development/core/server/kibana-plugin-core-server.savedobjectsfindresult.sort.md @@ -25,7 +25,7 @@ const page1 = await savedObjectsClient.find({ type: 'visualization', sortField: 'updated_at', sortOrder: 'asc', - pit, + pit: { id }, }); const lastHit = page1.saved_objects[page1.saved_objects.length - 1]; const page2 = await savedObjectsClient.find({ diff --git a/docs/development/core/server/kibana-plugin-core-server.savedobjectsrepository.openpointintimefortype.md b/docs/development/core/server/kibana-plugin-core-server.savedobjectsrepository.openpointintimefortype.md index 63956ebee68f7b..6b668824845202 100644 --- a/docs/development/core/server/kibana-plugin-core-server.savedobjectsrepository.openpointintimefortype.md +++ b/docs/development/core/server/kibana-plugin-core-server.savedobjectsrepository.openpointintimefortype.md @@ -29,19 +29,16 @@ openPointInTimeForType(type: string | string[], { keepAlive, preference }?: Save ```ts -const repository = coreStart.savedObjects.createInternalRepository(); - -const { id } = await repository.openPointInTimeForType( - type: 'index-pattern', - { keepAlive: '2m' }, +const { id } = await savedObjectsClient.openPointInTimeForType( + type: 'visualization', + { keepAlive: '5m' }, ); const page1 = await savedObjectsClient.find({ type: 'visualization', sortField: 'updated_at', sortOrder: 'asc', - pit, + pit: { id, keepAlive: '2m' }, }); - const lastHit = page1.saved_objects[page1.saved_objects.length - 1]; const page2 = await savedObjectsClient.find({ type: 'visualization', @@ -50,7 +47,6 @@ const page2 = await savedObjectsClient.find({ pit: { id: page1.pit_id }, searchAfter: lastHit.sort, }); - await savedObjectsClient.closePointInTime(page2.pit_id); ``` From 1498000213ec53522ce099b044b90fa3db33b07d Mon Sep 17 00:00:00 2001 From: Justin Ibarra Date: Thu, 18 Feb 2021 05:59:46 -0900 Subject: [PATCH 10/15] [Detection Rules] Add 7.12 rules (#91082) ## Summary Pull updates to detection rules from https://github.com/elastic/detection-rules/tree/7.12 This should not merge until after #91553 is merged and backported ### Checklist Delete any items that are not applicable to this PR. - [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md) --- ...ion_email_powershell_exchange_mailbox.json | 6 +- ...ll_exch_mailbox_activesync_add_device.json | 6 +- .../collection_winrar_encryption.json | 6 +- ...d_control_certutil_network_connection.json | 5 +- ...cobalt_strike_default_teamserver_cert.json | 4 +- ...ommand_and_control_common_webservices.json | 7 +- ...nd_and_control_dns_tunneling_nslookup.json | 5 +- ...control_encrypted_channel_freesslcert.json | 5 +- ...fer_protocol_activity_to_the_internet.json | 3 +- .../command_and_control_iexplore_via_com.json | 9 +- ...hat_protocol_activity_to_the_internet.json | 3 +- ...d_control_nat_traversal_port_activity.json | 3 +- .../command_and_control_port_26_activity.json | 3 +- ...ol_port_8000_activity_to_the_internet.json | 3 +- ..._to_point_tunneling_protocol_activity.json | 3 +- ...l_proxy_port_activity_to_the_internet.json | 3 +- ...te_desktop_protocol_from_the_internet.json | 3 +- ...ol_remote_file_copy_desktopimgdownldr.json | 5 +- ...and_control_remote_file_copy_mpcmdrun.json | 5 +- ...d_control_remote_file_copy_powershell.json | 5 +- ..._and_control_remote_file_copy_scripts.json | 7 +- ...mand_and_control_smtp_to_the_internet.json | 3 +- ..._server_port_activity_to_the_internet.json | 3 +- ...ol_ssh_secure_shell_from_the_internet.json | 3 +- ...trol_ssh_secure_shell_to_the_internet.json | 3 +- ...d_control_teamviewer_remote_file_copy.json | 5 +- ...mand_and_control_telnet_port_activity.json | 3 +- ..._control_tor_activity_to_the_internet.json | 3 +- ...l_network_computing_from_the_internet.json | 3 +- ...ual_network_computing_to_the_internet.json | 3 +- ...ccess_to_browser_credentials_procargs.json | 55 + .../credential_access_cmdline_dump_tool.json | 5 +- ...ial_access_collection_sensitive_files.json | 78 ++ ...s_cookies_chromium_browsers_debugging.json | 59 + ...ess_copy_ntds_sam_volshadowcp_cmdline.json | 5 +- ...ial_access_credential_dumping_msbuild.json | 5 +- ...dential_access_credentials_keychains.json} | 15 +- ...cess_domain_backup_dpapi_private_keys.json | 5 +- ...credential_access_dump_registry_hives.json | 7 +- ...dential_access_dumping_hashes_bi_cmds.json | 49 + ...tial_access_dumping_keychain_security.json | 55 + ...ntial_access_iis_apppoolsa_pwd_appcmd.json | 5 +- ..._access_iis_connectionstrings_dumping.json | 5 +- ..._access_kerberoasting_unusual_process.json | 7 +- ...s_keychain_pwd_retrieval_security_cmd.json | 61 + ...ial_access_lsass_memdump_file_created.json | 5 +- ...l_access_mimikatz_memssp_default_logs.json | 5 +- ...ential_access_mitm_localhost_webproxy.json | 52 + ..._access_mod_wdigest_security_provider.json | 57 + ...al_access_promt_for_pwd_via_osascript.json | 13 +- ...redential_access_saved_creds_vaultcmd.json | 50 + .../credential_access_ssh_backdoor_log.json | 68 ++ .../credential_access_systemkey_dumping.json | 55 + ...den_file_attribute_with_via_attribexe.json | 5 +- ...vasion_apple_softupdates_modification.json | 58 + ...evasion_attempt_del_quarantine_attrib.json | 9 +- ...evasion_attempt_to_disable_gatekeeper.json | 49 + ...e_evasion_clearing_windows_event_logs.json | 5 +- ...vasion_clearing_windows_security_logs.json | 46 + ...efense_evasion_code_injection_conhost.json | 7 +- ...e_evasion_create_mod_root_certificate.json | 60 + .../defense_evasion_cve_2020_0601.json | 5 +- ...vasion_defender_disabled_via_registry.json | 62 + ...delete_volume_usn_journal_with_fsutil.json | 5 +- ...deleting_backup_catalogs_with_wbadmin.json | 5 +- ...e_evasion_deleting_websvr_access_logs.json | 5 +- ...deletion_of_bash_command_line_history.json | 12 +- ...ble_windows_firewall_rules_with_netsh.json | 5 +- ...vasion_dotnet_compiler_parent_process.json | 5 +- ...evasion_enable_inbound_rdp_with_netsh.json | 5 +- ...coding_or_decoding_files_via_certutil.json | 5 +- ...ense_evasion_execution_lolbas_wuauclt.json | 5 +- ...ecution_msbuild_started_by_office_app.json | 5 +- ...n_execution_msbuild_started_by_script.json | 5 +- ...ion_msbuild_started_by_system_process.json | 5 +- ...ion_execution_msbuild_started_renamed.json | 5 +- ...cution_msbuild_started_unusal_process.json | 5 +- ...execution_suspicious_explorer_winword.json | 5 +- ...ution_via_trusted_developer_utilities.json | 6 +- ..._evasion_file_creation_mult_extension.json | 53 + ...sion_hide_encoded_executable_registry.json | 5 +- ...ense_evasion_iis_httplogging_disabled.json | 5 +- .../defense_evasion_injection_msbuild.json | 5 +- ...ense_evasion_install_root_certificate.json | 58 + .../defense_evasion_installutil_beacon.json | 5 +- ...querading_as_elastic_endpoint_process.json | 5 +- ...e_evasion_masquerading_renamed_autoit.json | 5 +- ...erading_suspicious_werfault_childproc.json | 8 +- ...vasion_masquerading_trusted_directory.json | 7 +- ...defense_evasion_masquerading_werfault.json | 5 +- ...isc_lolbin_connecting_to_the_internet.json | 5 +- ...e_evasion_modification_of_boot_config.json | 5 +- ..._evasion_modify_environment_launchctl.json | 55 + ...on_msbuild_making_network_connections.json | 5 +- .../defense_evasion_mshta_beacon.json | 5 +- .../defense_evasion_msxsl_network.json | 5 +- ...etwork_connection_from_windows_binary.json | 5 +- ...vasion_port_forwarding_added_registry.json | 5 +- ...evasion_potential_processherpaderping.json | 5 +- ...cy_controls_tcc_database_modification.json | 57 + ...tion_privacy_pref_sshd_fulldiskaccess.json | 64 + ...defense_evasion_rundll32_no_arguments.json | 5 +- .../defense_evasion_safari_config_change.json | 55 + ...dboxed_office_app_suspicious_zip_file.json | 33 + ...ion_scheduledjobs_at_protocol_enabled.json | 5 +- ..._evasion_sdelete_like_filename_rename.json | 7 +- .../defense_evasion_sip_provider_mod.json | 56 + ...ackdoor_service_disabled_via_registry.json | 5 +- ...vasion_stop_process_service_threshold.json | 5 +- ...n_suspicious_managedcode_host_process.json | 5 +- ...efense_evasion_suspicious_scrobj_load.json | 7 +- ...defense_evasion_suspicious_wmi_script.json | 8 +- ...evasion_suspicious_zoom_child_process.json | 5 +- ..._critical_proc_abnormal_file_activity.json | 5 +- ...vasion_tcc_bypass_mounted_apfs_access.json | 48 + .../defense_evasion_timestomp_touch.json | 4 +- ..._evasion_unload_endpointsecurity_kext.json | 52 + ...nse_evasion_unusual_ads_file_creation.json | 53 + .../defense_evasion_unusual_dir_ads.json | 6 +- ...usual_network_connection_via_rundll32.json | 5 +- ...on_unusual_process_network_connection.json | 5 +- ...asion_unusual_system_vp_child_program.json | 5 +- .../defense_evasion_via_filter_manager.json | 6 +- ..._volume_shadow_copy_deletion_via_wmic.json | 5 +- .../discovery_adfind_command_activity.json | 5 +- .../discovery_admin_recon.json | 6 +- .../discovery_file_dir_discovery.json | 11 +- .../discovery_net_command_system_account.json | 5 +- .../prepackaged_rules/discovery_net_view.json | 6 +- .../discovery_peripheral_device.json | 6 +- ...rocess_discovery_via_tasklist_command.json | 6 +- .../discovery_query_registry_via_reg.json | 6 +- ...ote_system_discovery_commands_windows.json | 6 +- .../discovery_security_software_grep.json | 46 + .../discovery_security_software_wmic.json | 5 +- ...covery_users_domain_built_in_commands.json | 50 + .../discovery_whoami_command_activity.json | 6 +- ...arwinds_backdoor_child_cmd_powershell.json | 5 +- ...inds_backdoor_unusual_child_processes.json | 5 +- .../execution_com_object_xwizard.json | 57 + ...and_prompt_connecting_to_the_internet.json | 5 +- ...n_command_shell_started_by_powershell.json | 5 +- ...tion_command_shell_started_by_svchost.json | 5 +- ...mand_shell_started_by_unusual_process.json | 5 +- .../execution_command_shell_via_rundll32.json | 5 +- ...vasion_electron_app_childproc_node_js.json | 66 + .../execution_enumeration_via_wmiprvse.json | 46 + .../execution_from_unusual_directory.json | 5 +- .../execution_from_unusual_path_cmdline.json | 7 +- ...le_program_connecting_to_the_internet.json | 5 +- ...l_access_suspicious_browser_childproc.json | 64 + .../execution_ms_office_written_file.json | 5 +- .../execution_pdf_written_file.json | 5 +- ...on_pentest_eggshell_remote_admin_tool.json | 32 + ...ution_psexec_lateral_movement_command.json | 5 +- ...er_program_connecting_to_the_internet.json | 5 +- .../execution_revershell_via_shell_cmd.json | 51 + ...tion_scheduled_task_powershell_source.json | 7 +- ...cution_script_via_automator_workflows.json | 47 + ...xecution_shared_modules_local_sxs_dll.json | 7 +- .../execution_suspicious_cmd_wmi.json | 7 +- ...n_suspicious_image_load_wmi_ms_office.json | 8 +- ...xecution_suspicious_jar_child_process.json | 53 + .../execution_suspicious_pdf_reader.json | 5 +- ...ecution_suspicious_powershell_imgload.json | 7 +- .../execution_suspicious_psexesvc.json | 5 +- ...ecution_suspicious_short_program_name.json | 5 +- .../execution_via_compiled_html_file.json | 6 +- .../execution_via_hidden_shell_conhost.json | 5 +- .../execution_via_net_com_assemblies.json | 5 +- ...ia_xp_cmdshell_mssql_stored_procedure.json | 5 +- .../impact_hosts_file_modified.json | 5 +- ...ume_shadow_copy_deletion_via_vssadmin.json | 5 +- .../rules/prepackaged_rules/index.ts | 1084 ++++++++++------- ...ure_active_directory_high_risk_signin.json | 53 + .../initial_access_login_failures.json | 61 + .../initial_access_login_location.json | 61 + .../initial_access_login_sessions.json | 61 + .../initial_access_login_time.json | 61 + ...mote_desktop_protocol_to_the_internet.json | 3 +- ...mote_procedure_call_from_the_internet.json | 3 +- ...remote_procedure_call_to_the_internet.json | 3 +- ...al_access_script_executing_powershell.json | 5 +- ...ccess_scripts_process_started_via_wmi.json | 7 +- ...file_sharing_activity_to_the_internet.json | 3 +- ...uspicious_mac_ms_office_child_process.json | 54 + ...ss_suspicious_ms_office_child_process.json | 5 +- ...s_suspicious_ms_outlook_child_process.json | 5 +- ...l_access_unusual_dns_service_children.json | 6 +- ...ccess_unusual_dns_service_file_writes.json | 6 +- ...explorer_suspicious_child_parent_args.json | 7 +- .../lateral_movement_cmd_service.json | 7 +- ...ential_access_kerberos_bifrostconsole.json | 71 ++ .../lateral_movement_dcom_hta.json | 5 +- .../lateral_movement_dcom_mmc20.json | 5 +- ...t_dcom_shellwindow_shellbrowserwindow.json | 5 +- ...vement_direct_outbound_smb_connection.json | 5 +- ...movement_executable_tool_transfer_smb.json | 5 +- ..._movement_execution_from_tsclient_mup.json | 5 +- ...nt_execution_via_file_shares_sequence.json | 5 +- ...vement_incoming_winrm_shell_execution.json | 5 +- .../lateral_movement_incoming_wmi.json | 5 +- ...teral_movement_local_service_commands.json | 5 +- ...ment_mount_hidden_or_webdav_share_net.json | 5 +- .../lateral_movement_mounting_smb_share.json | 56 + ...l_movement_powershell_remoting_target.json | 7 +- ...lateral_movement_rdp_enabled_registry.json | 7 +- .../lateral_movement_rdp_sharprdp_target.json | 5 +- .../lateral_movement_rdp_tunnel_plink.json | 7 +- ...ovement_remote_file_copy_hidden_share.json | 5 +- .../lateral_movement_remote_services.json | 5 +- ...ral_movement_remote_ssh_login_enabled.json | 7 +- ...ateral_movement_scheduled_task_target.json | 5 +- ...ement_suspicious_rdp_client_imageload.json | 7 +- ...l_movement_via_startup_folder_rdp_smb.json | 5 +- ...teral_movement_vpn_connection_attempt.json | 50 + ...stence_account_creation_hide_at_logon.json | 55 + .../persistence_adobe_hijack_persistence.json | 5 +- .../persistence_app_compat_shim.json | 7 +- .../persistence_appcertdlls_registry.json | 6 +- .../persistence_appinitdlls_registry.json | 6 +- ..._creation_hidden_login_item_osascript.json | 75 ++ ..._access_authorization_plugin_creation.json | 57 + ...l_access_modify_auth_module_or_config.json | 71 ++ ...credential_access_modify_ssh_binaries.json | 67 + ...stence_cron_jobs_creation_and_runtime.json | 60 + ...launch_agent_deamon_logonitem_process.json | 80 ++ ...rectory_services_plugins_modification.json | 48 + ...e_docker_shortcuts_plist_modification.json | 48 + ...persistence_emond_rules_file_creation.json | 55 + ...istence_emond_rules_process_execution.json | 55 + .../persistence_enable_root_account.json | 55 + ...n_hidden_launch_agent_deamon_creation.json | 78 ++ ...evasion_hidden_local_account_creation.json | 51 + ...tence_evasion_registry_ifeo_injection.json | 6 +- ...sistence_finder_sync_plugin_pluginkit.json | 50 + ...sistence_gpo_schtask_service_creation.json | 5 +- ...ersistence_kde_autostart_modification.json | 50 + ...istence_local_scheduled_task_commands.json | 5 +- ...stence_local_scheduled_task_scripting.json | 9 +- ...stence_loginwindow_plist_modification.json | 56 + ...fication_sublime_app_plugin_or_script.json | 48 + .../persistence_ms_office_addins_file.json | 9 +- .../persistence_ms_outlook_vba_template.json | 9 +- ...ersistence_periodic_tasks_file_mdofiy.json | 57 + ...escalation_via_accessibility_features.json | 6 +- .../persistence_registry_uncommon.json | 6 +- ...persistence_run_key_and_startup_broad.json | 6 +- ...ce_runtime_run_key_startup_susp_procs.json | 6 +- .../persistence_services_registry.json | 6 +- ...ersistence_shell_profile_modification.json | 60 + ...ence_ssh_authorized_keys_modification.json | 53 + ...er_file_written_by_suspicious_process.json | 6 +- ...lder_file_written_by_unsigned_process.json | 3 +- .../persistence_startup_folder_scripts.json | 6 +- ...ence_suspicious_calendar_modification.json | 53 + ...stence_suspicious_com_hijack_registry.json | 6 +- ...s_image_load_scheduled_task_ms_office.json | 8 +- ...nce_suspicious_scheduled_task_runtime.json | 7 +- ...e_suspicious_service_created_registry.json | 6 +- ...ersistence_system_shells_via_services.json | 5 +- .../persistence_time_provider_mod.json | 56 + ..._account_added_to_privileged_group_ad.json | 57 + .../persistence_user_account_creation.json | 5 +- .../persistence_via_application_shimming.json | 6 +- ...tence_via_atom_init_file_modification.json | 32 + ...sistence_via_hidden_run_key_valuename.json | 5 +- ...sa_security_support_provider_registry.json | 6 +- ...emetrycontroller_scheduledtask_hijack.json | 5 +- ...ia_update_orchestrator_service_hijack.json | 11 +- ...nt_instrumentation_event_subscription.json | 6 +- ...calation_applescript_with_admin_privs.json | 64 + ...ilege_escalation_disable_uac_registry.json | 80 ++ ...lege_escalation_echo_nopasswd_sudoers.json | 53 + ...alation_explicit_creds_via_scripting.json} | 13 +- ...alation_exploit_adobe_acrobat_updater.json | 51 + ...lation_ld_preload_shared_object_modif.json | 56 + ..._escalation_local_user_added_to_admin.json | 55 + ...privilege_escalation_lsa_auth_package.json | 75 ++ ...e_escalation_named_pipe_impersonation.json | 6 +- ...ge_escalation_persistence_phantom_dll.json | 84 ++ ...ion_port_monitor_print_pocessor_abuse.json | 78 ++ ...ation_printspooler_registry_copyfiles.json | 7 +- ..._printspooler_service_suspicious_file.json | 7 +- ...tion_printspooler_suspicious_spl_file.json | 7 +- ...calation_rogue_windir_environment_var.json | 8 +- ...ilege_escalation_root_crontab_filemod.json | 56 + ...e_escalation_setgid_bit_set_via_chmod.json | 62 - ...tion_setuid_setgid_bit_set_via_chmod.json} | 9 +- ...ilege_escalation_sudo_buffer_overflow.json | 58 + ...privilege_escalation_sudoers_file_mod.json | 9 +- ...lege_escalation_uac_bypass_com_clipup.json | 9 +- ...ge_escalation_uac_bypass_com_ieinstal.json | 7 +- ...n_uac_bypass_com_interface_icmluautil.json | 5 +- ...alation_uac_bypass_diskcleanup_hijack.json | 5 +- ...escalation_uac_bypass_dll_sideloading.json | 5 +- ...ge_escalation_uac_bypass_event_viewer.json | 5 +- ...ege_escalation_uac_bypass_mock_windir.json | 7 +- ...scalation_uac_bypass_winfw_mmc_hijack.json | 5 +- ...tion_unusual_parentchild_relationship.json | 5 +- ...n_unusual_svchost_childproc_childless.json | 5 +- 301 files changed, 6039 insertions(+), 1003 deletions(-) create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_access_to_browser_credentials_procargs.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_collection_sensitive_files.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_cookies_chromium_browsers_debugging.json rename x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/{credential_access_compress_credentials_keychains.json => credential_access_credentials_keychains.json} (69%) create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_dumping_hashes_bi_cmds.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_dumping_keychain_security.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_keychain_pwd_retrieval_security_cmd.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_mitm_localhost_webproxy.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_mod_wdigest_security_provider.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_saved_creds_vaultcmd.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_ssh_backdoor_log.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_systemkey_dumping.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_apple_softupdates_modification.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_attempt_to_disable_gatekeeper.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_clearing_windows_security_logs.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_create_mod_root_certificate.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_defender_disabled_via_registry.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_file_creation_mult_extension.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_install_root_certificate.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_modify_environment_launchctl.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_privacy_controls_tcc_database_modification.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_safari_config_change.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_sandboxed_office_app_suspicious_zip_file.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_sip_provider_mod.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_tcc_bypass_mounted_apfs_access.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_unload_endpointsecurity_kext.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_unusual_ads_file_creation.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_security_software_grep.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_users_domain_built_in_commands.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_com_object_xwizard.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_defense_evasion_electron_app_childproc_node_js.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_enumeration_via_wmiprvse.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_initial_access_suspicious_browser_childproc.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_pentest_eggshell_remote_admin_tool.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_revershell_via_shell_cmd.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_script_via_automator_workflows.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_suspicious_jar_child_process.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_azure_active_directory_high_risk_signin.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_login_failures.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_login_location.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_login_sessions.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_login_time.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_suspicious_mac_ms_office_child_process.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_credential_access_kerberos_bifrostconsole.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_mounting_smb_share.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_vpn_connection_attempt.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_account_creation_hide_at_logon.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_creation_hidden_login_item_osascript.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_credential_access_authorization_plugin_creation.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_credential_access_modify_auth_module_or_config.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_credential_access_modify_ssh_binaries.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_cron_jobs_creation_and_runtime.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_directory_services_plugins_modification.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_docker_shortcuts_plist_modification.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_emond_rules_file_creation.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_emond_rules_process_execution.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_enable_root_account.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_evasion_hidden_launch_agent_deamon_creation.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_evasion_hidden_local_account_creation.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_finder_sync_plugin_pluginkit.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_kde_autostart_modification.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_loginwindow_plist_modification.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_modification_sublime_app_plugin_or_script.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_periodic_tasks_file_mdofiy.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_shell_profile_modification.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_ssh_authorized_keys_modification.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_suspicious_calendar_modification.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_time_provider_mod.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_user_account_added_to_privileged_group_ad.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_via_atom_init_file_modification.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_applescript_with_admin_privs.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_disable_uac_registry.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_echo_nopasswd_sudoers.json rename x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/{privilege_escalation_explicit_creds_via_apple_scripting.json => privilege_escalation_explicit_creds_via_scripting.json} (65%) create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_exploit_adobe_acrobat_updater.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_ld_preload_shared_object_modif.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_local_user_added_to_admin.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_lsa_auth_package.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_persistence_phantom_dll.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_port_monitor_print_pocessor_abuse.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_root_crontab_filemod.json delete mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_setgid_bit_set_via_chmod.json rename x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/{privilege_escalation_setuid_bit_set_via_chmod.json => privilege_escalation_setuid_setgid_bit_set_via_chmod.json} (63%) create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_sudo_buffer_overflow.json diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_email_powershell_exchange_mailbox.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_email_powershell_exchange_mailbox.json index 5bd96c3442736b..e8b7fc59af6501 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_email_powershell_exchange_mailbox.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_email_powershell_exchange_mailbox.json @@ -6,9 +6,11 @@ "false_positives": [ "Legitimate exchange system administration activity." ], + "from": "now-9m", "index": [ "logs-endpoint.events.*", - "winlogbeat-*" + "winlogbeat-*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", @@ -47,5 +49,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_persistence_powershell_exch_mailbox_activesync_add_device.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_persistence_powershell_exch_mailbox_activesync_add_device.json index 501e30a38704c5..3080a2c8c934e1 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_persistence_powershell_exch_mailbox_activesync_add_device.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_persistence_powershell_exch_mailbox_activesync_add_device.json @@ -6,9 +6,11 @@ "false_positives": [ "Legitimate exchange system administration activity." ], + "from": "now-9m", "index": [ "logs-endpoint.events.*", - "winlogbeat-*" + "winlogbeat-*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", @@ -47,5 +49,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_winrar_encryption.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_winrar_encryption.json index f7ff34fed2eeb2..9bc8912c1a3137 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_winrar_encryption.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_winrar_encryption.json @@ -3,9 +3,11 @@ "Elastic" ], "description": "Identifies use of WinRar or 7z to create an encrypted files. Adversaries will often compress and encrypt data in preparation for exfiltration.", + "from": "now-9m", "index": [ "logs-endpoint.events.*", - "winlogbeat-*" + "winlogbeat-*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", @@ -43,5 +45,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_certutil_network_connection.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_certutil_network_connection.json index 8f81d675a43250..aff488c9a5410c 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_certutil_network_connection.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_certutil_network_connection.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", @@ -40,5 +41,5 @@ } ], "type": "eql", - "version": 4 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_cobalt_strike_default_teamserver_cert.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_cobalt_strike_default_teamserver_cert.json index b3cc7bce51d725..6f3f7ca3803f35 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_cobalt_strike_default_teamserver_cert.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_cobalt_strike_default_teamserver_cert.json @@ -19,7 +19,7 @@ "https://www.elastic.co/guide/en/beats/filebeat/7.9/filebeat-module-suricata.html", "https://www.elastic.co/guide/en/beats/filebeat/7.9/filebeat-module-zeek.html" ], - "risk_score": 100, + "risk_score": 99, "rule_id": "e7075e8d-a966-458e-a183-85cd331af255", "severity": "critical", "tags": [ @@ -55,5 +55,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_common_webservices.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_common_webservices.json index ebead5ab5e5194..b74da3bbd4d38d 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_common_webservices.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_common_webservices.json @@ -6,12 +6,13 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", "name": "Connection to Commonly Abused Web Services", - "query": "network where network.protocol == \"dns\" and\n /* Add new WebSvc domains here */\n wildcard(dns.question.name, \"*.githubusercontent.*\",\n \"*.pastebin.*\",\n \"*drive.google.*\",\n \"*docs.live.*\",\n \"*api.dropboxapi.*\",\n \"*dropboxusercontent.*\",\n \"*onedrive.*\",\n \"*4shared.*\",\n \"*.file.io\",\n \"*filebin.net\",\n \"*slack-files.com\",\n \"*ghostbin.*\",\n \"*ngrok.*\",\n \"*portmap.*\",\n \"*serveo.net\",\n \"*localtunnel.me\",\n \"*pagekite.me\",\n \"*localxpose.io\",\n \"*notabug.org\"\n ) and\n /* Insert noisy false positives here */\n not process.name in (\"MicrosoftEdgeCP.exe\",\n \"MicrosoftEdge.exe\",\n \"iexplore.exe\",\n \"chrome.exe\",\n \"msedge.exe\",\n \"opera.exe\",\n \"firefox.exe\",\n \"Dropbox.exe\",\n \"slack.exe\",\n \"svchost.exe\",\n \"thunderbird.exe\",\n \"outlook.exe\",\n \"OneDrive.exe\")\n", + "query": "network where network.protocol == \"dns\" and\n /* Add new WebSvc domains here */\n dns.question.name :\n (\n \"*.githubusercontent.*\",\n \"*.pastebin.*\",\n \"*drive.google.*\",\n \"*docs.live.*\",\n \"*api.dropboxapi.*\",\n \"*dropboxusercontent.*\",\n \"*onedrive.*\",\n \"*4shared.*\",\n \"*.file.io\",\n \"*filebin.net\",\n \"*slack-files.com\",\n \"*ghostbin.*\",\n \"*ngrok.*\",\n \"*portmap.*\",\n \"*serveo.net\",\n \"*localtunnel.me\",\n \"*pagekite.me\",\n \"*localxpose.io\",\n \"*notabug.org\"\n ) and\n /* Insert noisy false positives here */\n not process.name :\n (\n \"MicrosoftEdgeCP.exe\",\n \"MicrosoftEdge.exe\",\n \"iexplore.exe\",\n \"chrome.exe\",\n \"msedge.exe\",\n \"opera.exe\",\n \"firefox.exe\",\n \"Dropbox.exe\",\n \"slack.exe\",\n \"svchost.exe\",\n \"thunderbird.exe\",\n \"outlook.exe\",\n \"OneDrive.exe\"\n )\n", "risk_score": 21, "rule_id": "66883649-f908-4a5b-a1e0-54090a1d3a32", "severity": "low", @@ -41,5 +42,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_dns_tunneling_nslookup.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_dns_tunneling_nslookup.json index 8e9822cc610a7b..d4321263059d7f 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_dns_tunneling_nslookup.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_dns_tunneling_nslookup.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "kuery", "license": "Elastic License", @@ -47,5 +48,5 @@ "value": 15 }, "type": "threshold", - "version": 1 + "version": 2 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_encrypted_channel_freesslcert.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_encrypted_channel_freesslcert.json index 40f5e928b9c5fe..809242615d9941 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_encrypted_channel_freesslcert.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_encrypted_channel_freesslcert.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", @@ -41,5 +42,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_ftp_file_transfer_protocol_activity_to_the_internet.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_ftp_file_transfer_protocol_activity_to_the_internet.json index 4aabfe552f0fd4..a7c657eae5aa86 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_ftp_file_transfer_protocol_activity_to_the_internet.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_ftp_file_transfer_protocol_activity_to_the_internet.json @@ -6,6 +6,7 @@ "false_positives": [ "FTP servers should be excluded from this rule as this is expected behavior. Some business workflows may use FTP for data exchange. These workflows often have expected characteristics such as users, sources, and destinations. FTP activity involving an unusual source or destination may be more suspicious. FTP activity involving a production server that has no known associated FTP workflow or business requirement is often suspicious." ], + "from": "now-9m", "index": [ "filebeat-*", "packetbeat-*", @@ -53,5 +54,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 7 + "version": 8 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_iexplore_via_com.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_iexplore_via_com.json index b0718fc2418be8..de1b3da964a8c1 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_iexplore_via_com.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_iexplore_via_com.json @@ -6,13 +6,14 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", "name": "Potential Command and Control via Internet Explorer", - "query": "sequence by host.id, process.entity_id with maxspan = 1s\n [process where event.type:\"start\" and process.parent.name:\"iexplore.exe\" and process.parent.args:\"-Embedding\"]\n /* IE started via COM in normal conditions makes few connections, mainly to Microsoft and OCSP related domains, add FPs here */\n [network where network.protocol : \"dns\" and process.name:\"iexplore.exe\" and\n not wildcard(dns.question.name, \"*.microsoft.com\", \n \"*.digicert.com\", \n \"*.msocsp.com\", \n \"*.windowsupdate.com\", \n \"*.bing.com\",\n \"*.identrust.com\")\n ]\n", - "risk_score": 43, + "query": "sequence by host.id, process.entity_id with maxspan = 1s\n [process where event.type == \"start\" and process.parent.name : \"iexplore.exe\" and process.parent.args : \"-Embedding\"]\n /* IE started via COM in normal conditions makes few connections, mainly to Microsoft and OCSP related domains, add FPs here */\n [network where network.protocol == \"dns\" and process.name : \"iexplore.exe\" and\n not dns.question.name :\n (\n \"*.microsoft.com\",\n \"*.digicert.com\",\n \"*.msocsp.com\",\n \"*.windowsupdate.com\",\n \"*.bing.com\",\n \"*.identrust.com\"\n )\n ]\n", + "risk_score": 47, "rule_id": "acd611f3-2b93-47b3-a0a3-7723bcc46f6d", "severity": "medium", "tags": [ @@ -40,5 +41,5 @@ } ], "type": "eql", - "version": 1 + "version": 2 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_irc_internet_relay_chat_protocol_activity_to_the_internet.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_irc_internet_relay_chat_protocol_activity_to_the_internet.json index 2ad30a3d376a12..80a02e38877200 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_irc_internet_relay_chat_protocol_activity_to_the_internet.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_irc_internet_relay_chat_protocol_activity_to_the_internet.json @@ -6,6 +6,7 @@ "false_positives": [ "IRC activity may be normal behavior for developers and engineers but is unusual for non-engineering end users. IRC activity involving an unusual source or destination may be more suspicious. IRC activity involving a production server is often suspicious. Because these ports are in the ephemeral range, this rule may false under certain conditions, such as when a NAT-ed web server replies to a client which has used a port in the range by coincidence. In this case, these servers can be excluded. Some legacy applications may use these ports, but this is very uncommon and usually only appears in local traffic using private IPs, which does not match this rule's conditions." ], + "from": "now-9m", "index": [ "filebeat-*", "packetbeat-*", @@ -53,5 +54,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 7 + "version": 8 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_nat_traversal_port_activity.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_nat_traversal_port_activity.json index 7553dfefca68fb..777829a0076970 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_nat_traversal_port_activity.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_nat_traversal_port_activity.json @@ -6,6 +6,7 @@ "false_positives": [ "Some networks may utilize these protocols but usage that is unfamiliar to local network administrators can be unexpected and suspicious. Because this port is in the ephemeral range, this rule may false under certain conditions, such as when an application server with a public IP address replies to a client which has used a UDP port in the range by coincidence. This is uncommon but such servers can be excluded." ], + "from": "now-9m", "index": [ "filebeat-*", "packetbeat-*", @@ -38,5 +39,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 6 + "version": 7 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_port_26_activity.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_port_26_activity.json index 6dae38320e19a9..2f33f7d3f43a8b 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_port_26_activity.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_port_26_activity.json @@ -6,6 +6,7 @@ "false_positives": [ "Servers that process email traffic may cause false positives and should be excluded from this rule as this is expected behavior." ], + "from": "now-9m", "index": [ "filebeat-*", "packetbeat-*", @@ -57,5 +58,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 6 + "version": 7 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_port_8000_activity_to_the_internet.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_port_8000_activity_to_the_internet.json index fcdd23f84c8896..b90fb4a0d389c3 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_port_8000_activity_to_the_internet.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_port_8000_activity_to_the_internet.json @@ -6,6 +6,7 @@ "false_positives": [ "Because this port is in the ephemeral range, this rule may false under certain conditions, such as when a NATed web server replies to a client which has used a port in the range by coincidence. In this case, such servers can be excluded. Some applications may use this port but this is very uncommon and usually appears in local traffic using private IPs, which this rule does not match. Some cloud environments, particularly development environments, may use this port when VPNs or direct connects are not in use and cloud instances are accessed across the Internet." ], + "from": "now-9m", "index": [ "filebeat-*", "packetbeat-*", @@ -38,5 +39,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 7 + "version": 8 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_pptp_point_to_point_tunneling_protocol_activity.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_pptp_point_to_point_tunneling_protocol_activity.json index 572be2fad80fe7..15d042b7fe00c9 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_pptp_point_to_point_tunneling_protocol_activity.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_pptp_point_to_point_tunneling_protocol_activity.json @@ -6,6 +6,7 @@ "false_positives": [ "Some networks may utilize PPTP protocols but this is uncommon as more modern VPN technologies are available. Usage that is unfamiliar to local network administrators can be unexpected and suspicious. Torrenting applications may use this port. Because this port is in the ephemeral range, this rule may false under certain conditions, such as when an application server replies to a client that used this port by coincidence. This is uncommon but such servers can be excluded." ], + "from": "now-9m", "index": [ "filebeat-*", "packetbeat-*", @@ -38,5 +39,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 6 + "version": 7 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_proxy_port_activity_to_the_internet.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_proxy_port_activity_to_the_internet.json index 51fc3c17f7e5e9..533edfb6f74412 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_proxy_port_activity_to_the_internet.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_proxy_port_activity_to_the_internet.json @@ -6,6 +6,7 @@ "false_positives": [ "Some proxied applications may use these ports but this usually occurs in local traffic using private IPs which this rule does not match. Proxies are widely used as a security technology but in enterprise environments this is usually local traffic which this rule does not match. If desired, internet proxy services using these ports can be added to allowlists. Some screen recording applications may use these ports. Proxy port activity involving an unusual source or destination may be more suspicious. Some cloud environments may use this port when VPNs or direct connects are not in use and cloud instances are accessed across the Internet. Because these ports are in the ephemeral range, this rule may false under certain conditions such as when a NATed web server replies to a client which has used a port in the range by coincidence. In this case, such servers can be excluded if desired." ], + "from": "now-9m", "index": [ "filebeat-*", "packetbeat-*", @@ -38,5 +39,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 7 + "version": 8 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_rdp_remote_desktop_protocol_from_the_internet.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_rdp_remote_desktop_protocol_from_the_internet.json index 9443a7d264562f..f8918c0420963e 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_rdp_remote_desktop_protocol_from_the_internet.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_rdp_remote_desktop_protocol_from_the_internet.json @@ -6,6 +6,7 @@ "false_positives": [ "Some network security policies allow RDP directly from the Internet but usage that is unfamiliar to server or network owners can be unexpected and suspicious. RDP services may be exposed directly to the Internet in some networks such as cloud environments. In such cases, only RDP gateways, bastions or jump servers may be expected expose RDP directly to the Internet and can be exempted from this rule. RDP may be required by some work-flows such as remote access and support for specialized software products and servers. Such work-flows are usually known and not unexpected." ], + "from": "now-9m", "index": [ "filebeat-*", "packetbeat-*", @@ -68,5 +69,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 7 + "version": 8 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_remote_file_copy_desktopimgdownldr.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_remote_file_copy_desktopimgdownldr.json index 1e6dc210127c06..e4e1c4dee0b16f 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_remote_file_copy_desktopimgdownldr.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_remote_file_copy_desktopimgdownldr.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "kuery", "license": "Elastic License", @@ -44,5 +45,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 3 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_remote_file_copy_mpcmdrun.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_remote_file_copy_mpcmdrun.json index 23842591116161..dd3003e346ab4e 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_remote_file_copy_mpcmdrun.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_remote_file_copy_mpcmdrun.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "kuery", "license": "Elastic License", @@ -46,5 +47,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 3 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_remote_file_copy_powershell.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_remote_file_copy_powershell.json index 5e0a6f8e3e25e1..c5f5b8cca1eede 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_remote_file_copy_powershell.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_remote_file_copy_powershell.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", @@ -62,5 +63,5 @@ } ], "type": "eql", - "version": 1 + "version": 2 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_remote_file_copy_scripts.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_remote_file_copy_scripts.json index 37f1364c5f61fe..a1cbec37c591ba 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_remote_file_copy_scripts.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_remote_file_copy_scripts.json @@ -6,13 +6,14 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", "name": "Remote File Download via Script Interpreter", "query": "sequence by host.id, process.entity_id\n [network where process.name : (\"wscript.exe\", \"cscript.exe\") and network.protocol != \"dns\" and\n network.direction == \"outgoing\" and network.type == \"ipv4\" and destination.ip != \"127.0.0.1\"\n ]\n [file where event.type == \"creation\" and file.extension : (\"exe\", \"dll\")]\n", - "risk_score": 43, + "risk_score": 47, "rule_id": "1d276579-3380-4095-ad38-e596a01bc64f", "severity": "medium", "tags": [ @@ -40,5 +41,5 @@ } ], "type": "eql", - "version": 1 + "version": 2 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_smtp_to_the_internet.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_smtp_to_the_internet.json index 95b07dab428271..5d6efd0802351b 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_smtp_to_the_internet.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_smtp_to_the_internet.json @@ -6,6 +6,7 @@ "false_positives": [ "NATed servers that process email traffic may false and should be excluded from this rule as this is expected behavior for them. Consumer and personal devices may send email traffic to remote Internet destinations. In this case, such devices or networks can be excluded from this rule if this is expected behavior." ], + "from": "now-9m", "index": [ "filebeat-*", "packetbeat-*", @@ -53,5 +54,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 7 + "version": 8 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_sql_server_port_activity_to_the_internet.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_sql_server_port_activity_to_the_internet.json index 4bd7559e3878f6..e7a5e4c386fce0 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_sql_server_port_activity_to_the_internet.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_sql_server_port_activity_to_the_internet.json @@ -6,6 +6,7 @@ "false_positives": [ "Because these ports are in the ephemeral range, this rule may false under certain conditions such as when a NATed web server replies to a client which has used a port in the range by coincidence. In this case, such servers can be excluded if desired. Some cloud environments may use this port when VPNs or direct connects are not in use and database instances are accessed directly across the Internet." ], + "from": "now-9m", "index": [ "filebeat-*", "packetbeat-*", @@ -38,5 +39,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 7 + "version": 8 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_ssh_secure_shell_from_the_internet.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_ssh_secure_shell_from_the_internet.json index f081fba9c1babe..ff97c392ccbe64 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_ssh_secure_shell_from_the_internet.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_ssh_secure_shell_from_the_internet.json @@ -6,6 +6,7 @@ "false_positives": [ "Some network security policies allow SSH directly from the Internet but usage that is unfamiliar to server or network owners can be unexpected and suspicious. SSH services may be exposed directly to the Internet in some networks such as cloud environments. In such cases, only SSH gateways, bastions or jump servers may be expected expose SSH directly to the Internet and can be exempted from this rule. SSH may be required by some work-flows such as remote access and support for specialized software products and servers. Such work-flows are usually known and not unexpected." ], + "from": "now-9m", "index": [ "filebeat-*", "packetbeat-*", @@ -68,5 +69,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 7 + "version": 8 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_ssh_secure_shell_to_the_internet.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_ssh_secure_shell_to_the_internet.json index b92bf9065693aa..fdf4dfe0e8a7e0 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_ssh_secure_shell_to_the_internet.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_ssh_secure_shell_to_the_internet.json @@ -6,6 +6,7 @@ "false_positives": [ "SSH connections may be made directly to Internet destinations in order to access Linux cloud server instances but such connections are usually made only by engineers. In such cases, only SSH gateways, bastions or jump servers may be expected Internet destinations and can be exempted from this rule. SSH may be required by some work-flows such as remote access and support for specialized software products and servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious." ], + "from": "now-9m", "index": [ "filebeat-*", "packetbeat-*", @@ -38,5 +39,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 7 + "version": 8 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_teamviewer_remote_file_copy.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_teamviewer_remote_file_copy.json index e83fbcc58f4cda..0bf7ac92fdaf69 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_teamviewer_remote_file_copy.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_teamviewer_remote_file_copy.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "kuery", "license": "Elastic License", @@ -44,5 +45,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_telnet_port_activity.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_telnet_port_activity.json index 747e3b87d4e49c..5c570a2471eaea 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_telnet_port_activity.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_telnet_port_activity.json @@ -6,6 +6,7 @@ "false_positives": [ "IoT (Internet of Things) devices and networks may use telnet and can be excluded if desired. Some business work-flows may use Telnet for administration of older devices. These often have a predictable behavior. Telnet activity involving an unusual source or destination may be more suspicious. Telnet activity involving a production server that has no known associated Telnet work-flow or business requirement is often suspicious." ], + "from": "now-9m", "index": [ "filebeat-*", "packetbeat-*", @@ -68,5 +69,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 6 + "version": 7 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_tor_activity_to_the_internet.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_tor_activity_to_the_internet.json index 38666db032c579..7d302ba4062a51 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_tor_activity_to_the_internet.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_tor_activity_to_the_internet.json @@ -6,6 +6,7 @@ "false_positives": [ "Tor client activity is uncommon in managed enterprise networks but may be common in unmanaged or public networks where few security policies apply. Because these ports are in the ephemeral range, this rule may false under certain conditions such as when a NATed web server replies to a client which has used one of these ports by coincidence. In this case, such servers can be excluded if desired." ], + "from": "now-9m", "index": [ "filebeat-*", "packetbeat-*", @@ -51,5 +52,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 7 + "version": 8 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_vnc_virtual_network_computing_from_the_internet.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_vnc_virtual_network_computing_from_the_internet.json index 53572c125f4e77..81789b415378cc 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_vnc_virtual_network_computing_from_the_internet.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_vnc_virtual_network_computing_from_the_internet.json @@ -6,6 +6,7 @@ "false_positives": [ "VNC connections may be received directly to Linux cloud server instances but such connections are usually made only by engineers. VNC is less common than SSH or RDP but may be required by some work-flows such as remote access and support for specialized software products or servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious." ], + "from": "now-9m", "index": [ "filebeat-*", "packetbeat-*", @@ -59,5 +60,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 7 + "version": 8 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_vnc_virtual_network_computing_to_the_internet.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_vnc_virtual_network_computing_to_the_internet.json index 06b55dc499d052..9ceae3f436a7f6 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_vnc_virtual_network_computing_to_the_internet.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_vnc_virtual_network_computing_to_the_internet.json @@ -6,6 +6,7 @@ "false_positives": [ "VNC connections may be made directly to Linux cloud server instances but such connections are usually made only by engineers. VNC is less common than SSH or RDP but may be required by some work flows such as remote access and support for specialized software products or servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious." ], + "from": "now-9m", "index": [ "filebeat-*", "packetbeat-*", @@ -44,5 +45,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 7 + "version": 8 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_access_to_browser_credentials_procargs.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_access_to_browser_credentials_procargs.json new file mode 100644 index 00000000000000..4473933bf8521b --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_access_to_browser_credentials_procargs.json @@ -0,0 +1,55 @@ +{ + "author": [ + "Elastic" + ], + "description": "Identifies the execution of a process with arguments pointing to known browser files that store passwords and cookies. Adversaries may acquire credentials from web browsers by reading files specific to the target browser.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License", + "name": "Access of Stored Browser Credentials", + "query": "process where event.type in (\"start\", \"process_started\") and\n process.args :\n (\n \"/Users/*/Library/Application Support/Google/Chrome/Default/Login Data\", \n \"/Users/*/Library/Application Support/Google/Chrome/Default/Cookies\", \n \"/Users/*/Library/Cookies*\", \n \"/Users/*/Library/Application Support/Firefox/Profiles/*.default/cookies.sqlite\", \n \"/Users/*/Library/Application Support/Firefox/Profiles/*.default/key*.db\", \n \"/Users/*/Library/Application Support/Firefox/Profiles/*.default/logins.json\", \n \"Login Data\",\n \"Cookies.binarycookies\", \n \"key4.db\", \n \"key3.db\", \n \"logins.json\", \n \"cookies.sqlite\"\n )\n", + "references": [ + "https://securelist.com/calisto-trojan-for-macos/86543/" + ], + "risk_score": 73, + "rule_id": "20457e4f-d1de-4b92-ae69-142e27a4342a", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1555", + "name": "Credentials from Password Stores", + "reference": "https://attack.mitre.org/techniques/T1555/", + "subtechnique": [ + { + "id": "T1555.003", + "name": "Credentials from Web Browsers", + "reference": "https://attack.mitre.org/techniques/T1555/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_cmdline_dump_tool.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_cmdline_dump_tool.json index dbb9c1af14d846..a411ccecc1fc9b 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_cmdline_dump_tool.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_cmdline_dump_tool.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", @@ -44,5 +45,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_collection_sensitive_files.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_collection_sensitive_files.json new file mode 100644 index 00000000000000..d7dbb660b7d612 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_collection_sensitive_files.json @@ -0,0 +1,78 @@ +{ + "author": [ + "Elastic" + ], + "description": "Identifies the use of a compression utility to collect known files containing sensitive information, such as credentials and system configurations.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License", + "name": "Sensitive Files Compression", + "query": "event.category:process and event.type:start and process.name:(zip or tar or gzip or hdiutil or 7z) and process.args: ( /root/.ssh/id_rsa or /root/.ssh/id_rsa.pub or /root/.ssh/id_ed25519 or /root/.ssh/id_ed25519.pub or /root/.ssh/authorized_keys or /root/.ssh/authorized_keys2 or /root/.ssh/known_hosts or /root/.bash_history or /etc/hosts or /home/*/.ssh/id_rsa or /home/*/.ssh/id_rsa.pub or /home/*/.ssh/id_ed25519 or /home/*/.ssh/id_ed25519.pub or /home/*/.ssh/authorized_keys or /home/*/.ssh/authorized_keys2 or /home/*/.ssh/known_hosts or /home/*/.bash_history or /root/.aws/credentials or /root/.aws/config or /home/*/.aws/credentials or /home/*/.aws/config or /root/.docker/config.json or /home/*/.docker/config.json or /etc/group or /etc/passwd or /etc/shadow or /etc/gshadow )", + "references": [ + "https://www.trendmicro.com/en_ca/research/20/l/teamtnt-now-deploying-ddos-capable-irc-bot-tntbotinger.html" + ], + "risk_score": 47, + "rule_id": "6b84d470-9036-4cc0-a27c-6d90bbfe81ab", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Collection", + "Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1552", + "name": "Unsecured Credentials", + "reference": "https://attack.mitre.org/techniques/T1552/", + "subtechnique": [ + { + "id": "T1552.001", + "name": "Credentials In Files", + "reference": "https://attack.mitre.org/techniques/T1552/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0009", + "name": "Collection", + "reference": "https://attack.mitre.org/tactics/TA0009/" + }, + "technique": [ + { + "id": "T1560", + "name": "Archive Collected Data", + "reference": "https://attack.mitre.org/techniques/T1560/", + "subtechnique": [ + { + "id": "T1560.001", + "name": "Archive via Utility", + "reference": "https://attack.mitre.org/techniques/T1560/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_cookies_chromium_browsers_debugging.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_cookies_chromium_browsers_debugging.json new file mode 100644 index 00000000000000..eb798dcc2cb285 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_cookies_chromium_browsers_debugging.json @@ -0,0 +1,59 @@ +{ + "author": [ + "Elastic" + ], + "description": "Identifies the execution of a Chromium based browser with the debugging process argument, which may indicate an attempt to steal authentication cookies. An adversary may steal web application or service session cookies and use them to gain access web applications or Internet services as an authenticated user without needing credentials.", + "false_positives": [ + "Developers performing browsers plugin or extension debugging." + ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License", + "max_signals": 33, + "name": "Potential Cookies Theft via Browser Debugging", + "query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n process.name in (\n \"Microsoft Edge\",\n \"chrome.exe\",\n \"Google Chrome\",\n \"google-chrome-stable\",\n \"google-chrome-beta\",\n \"google-chrome\",\n \"msedge.exe\") and\n process.args : (\"--remote-debugging-port=*\", \n \"--remote-debugging-targets=*\", \n \"--remote-debugging-pipe=*\") and\n process.args : \"--user-data-dir=*\" and not process.args:\"--remote-debugging-port=0\"\n", + "references": [ + "https://github.com/defaultnamehere/cookie_crimes", + "https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/", + "https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/post/multi/gather/chrome_cookies.md", + "https://posts.specterops.io/hands-in-the-cookie-jar-dumping-cookies-with-chromiums-remote-debugger-port-34c4f468844e" + ], + "risk_score": 47, + "rule_id": "027ff9ea-85e7-42e3-99d2-bbb7069e02eb", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Linux", + "Windows", + "macOS", + "Threat Detection", + "Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1539", + "name": "Steal Web Session Cookie", + "reference": "https://attack.mitre.org/techniques/T1539/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_copy_ntds_sam_volshadowcp_cmdline.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_copy_ntds_sam_volshadowcp_cmdline.json index 1750bd180b6af3..8df6a9c7199571 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_copy_ntds_sam_volshadowcp_cmdline.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_copy_ntds_sam_volshadowcp_cmdline.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", @@ -45,5 +46,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_credential_dumping_msbuild.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_credential_dumping_msbuild.json index b3f83e24655eb3..289b959ece15ef 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_credential_dumping_msbuild.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_credential_dumping_msbuild.json @@ -9,7 +9,8 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "kuery", "license": "Elastic License", @@ -44,5 +45,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 6 + "version": 7 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_compress_credentials_keychains.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_credentials_keychains.json similarity index 69% rename from x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_compress_credentials_keychains.json rename to x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_credentials_keychains.json index 51e008c848b495..a70ff26c3c0c70 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_compress_credentials_keychains.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_credentials_keychains.json @@ -2,18 +2,19 @@ "author": [ "Elastic" ], - "description": "Adversaries may collect the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features such as WiFi passwords, websites, secure notes, certificates, and Kerberos.", + "description": "Adversaries may collect the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features such as WiFi passwords, websites, secure notes and certificates.", "from": "now-9m", "index": [ "auditbeat-*", "logs-endpoint.events.*" ], - "language": "kuery", + "language": "eql", "license": "Elastic License", - "name": "Compression of Keychain Credentials Directories", - "query": "event.category:process and event.type:(start or process_started) and process.name:(zip or tar or gzip or 7za or hdiutil) and process.args:(\"/Library/Keychains/\" or \"/Network/Library/Keychains/\" or \"~/Library/Keychains/\")", + "name": "Access to Keychain Credentials Directories", + "query": "process where event.type in (\"start\", \"process_started\") and\n process.args :\n (\n \"/Users/*/Library/Keychains/*\",\n \"/Library/Keychains/*\",\n \"/Network/Library/Keychains/*\",\n \"System.keychain\",\n \"login.keychain-db\",\n \"login.keychain\"\n )\n", "references": [ - "https://objective-see.com/blog/blog_0x25.html" + "https://objective-see.com/blog/blog_0x25.html", + "https://securelist.com/calisto-trojan-for-macos/86543/" ], "risk_score": 73, "rule_id": "96e90768-c3b7-4df6-b5d9-6237f8bc36a8", @@ -50,6 +51,6 @@ } ], "timestamp_override": "event.ingested", - "type": "query", - "version": 3 + "type": "eql", + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_domain_backup_dpapi_private_keys.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_domain_backup_dpapi_private_keys.json index f3c6b1c785fe57..6188dbe9fc0c02 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_domain_backup_dpapi_private_keys.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_domain_backup_dpapi_private_keys.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "kuery", "license": "Elastic License", @@ -53,5 +54,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 3 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_dump_registry_hives.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_dump_registry_hives.json index 474f4f0f7c617c..5cb84bb2a2ef22 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_dump_registry_hives.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_dump_registry_hives.json @@ -6,12 +6,13 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", "name": "Credential Acquisition via Registry Hive Dumping", - "query": "process where event.type in (\"start\", \"process_started\") and\n process.pe.original_file_name == \"reg.exe\" and\n process.args : (\"save\", \"export\") and\n process.args : (\"hklm\\\\sam\", \"hklm\\\\security\") and\n not process.parent.executable : \"C:\\\\Program Files*\\\\Rapid7\\\\Insight Agent\\\\components\\\\insight_agent\\\\*\\\\ir_agent.exe\"\n", + "query": "process where event.type in (\"start\", \"process_started\") and\n process.pe.original_file_name == \"reg.exe\" and\n process.args : (\"save\", \"export\") and\n process.args : (\"hklm\\\\sam\", \"hklm\\\\security\")\n", "references": [ "https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-the-registry-7512674487f8" ], @@ -44,5 +45,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_dumping_hashes_bi_cmds.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_dumping_hashes_bi_cmds.json new file mode 100644 index 00000000000000..f27e8c4272c09a --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_dumping_hashes_bi_cmds.json @@ -0,0 +1,49 @@ +{ + "author": [ + "Elastic" + ], + "description": "Identifies the execution of macOS built-in commands used to dump user account hashes. Adversaries may attempt to dump credentials to obtain account login information in the form of a hash. These hashes can be cracked or leveraged for lateral movement.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License", + "name": "Dumping Account Hashes via Built-In Commands", + "query": "event.category:process and event.type:start and process.name:(defaults or mkpassdb) and process.args:(ShadowHashData or \"-dump\")", + "references": [ + "https://apple.stackexchange.com/questions/186893/os-x-10-9-where-are-password-hashes-stored", + "https://www.unix.com/man-page/osx/8/mkpassdb/" + ], + "risk_score": 73, + "rule_id": "02ea4563-ec10-4974-b7de-12e65aa4f9b3", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_dumping_keychain_security.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_dumping_keychain_security.json new file mode 100644 index 00000000000000..f8524c589ea0f4 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_dumping_keychain_security.json @@ -0,0 +1,55 @@ +{ + "author": [ + "Elastic" + ], + "description": "Adversaries may dump the content of the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License", + "name": "Dumping of Keychain Content via Security Command", + "query": "process where event.type in (\"start\", \"process_started\") and process.args : \"dump-keychain\" and process.args : \"-d\"\n", + "references": [ + "https://ss64.com/osx/security.html" + ], + "risk_score": 73, + "rule_id": "565d6ca5-75ba-4c82-9b13-add25353471c", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1555", + "name": "Credentials from Password Stores", + "reference": "https://attack.mitre.org/techniques/T1555/", + "subtechnique": [ + { + "id": "T1555.001", + "name": "Keychain", + "reference": "https://attack.mitre.org/techniques/T1555/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_iis_apppoolsa_pwd_appcmd.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_iis_apppoolsa_pwd_appcmd.json index 428272d6447cbd..830721ef464542 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_iis_apppoolsa_pwd_appcmd.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_iis_apppoolsa_pwd_appcmd.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", @@ -45,5 +46,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 3 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_iis_connectionstrings_dumping.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_iis_connectionstrings_dumping.json index f810ba740738db..2dab1711f9009c 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_iis_connectionstrings_dumping.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_iis_connectionstrings_dumping.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", @@ -46,5 +47,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 3 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_kerberoasting_unusual_process.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_kerberoasting_unusual_process.json index d6a6aa14cba260..d4251313f75dea 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_kerberoasting_unusual_process.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_kerberoasting_unusual_process.json @@ -9,13 +9,14 @@ "from": "now-9m", "index": [ "logs-endpoint.events.*", - "winlogbeat-*" + "winlogbeat-*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", "name": "Kerberos Traffic from Unusual Process", "query": "network where event.type == \"start\" and network.direction == \"outgoing\" and\n destination.port == 88 and source.port >= 49152 and\n process.executable != \"C:\\\\Windows\\\\System32\\\\lsass.exe\" and destination.address !=\"127.0.0.1\" and destination.address !=\"::1\" and\n /* insert False Positives here */\n not process.name in (\"swi_fc.exe\", \"fsIPcam.exe\", \"IPCamera.exe\", \"MicrosoftEdgeCP.exe\", \"MicrosoftEdge.exe\", \"iexplore.exe\", \"chrome.exe\", \"msedge.exe\", \"opera.exe\", \"firefox.exe\")\n", - "risk_score": 43, + "risk_score": 47, "rule_id": "897dc6b5-b39f-432a-8d75-d3730d50c782", "severity": "medium", "tags": [ @@ -44,5 +45,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_keychain_pwd_retrieval_security_cmd.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_keychain_pwd_retrieval_security_cmd.json new file mode 100644 index 00000000000000..74cfa19caf1ea3 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_keychain_pwd_retrieval_security_cmd.json @@ -0,0 +1,61 @@ +{ + "author": [ + "Elastic" + ], + "description": "Adversaries may collect keychain storage data from a system to in order to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos.", + "false_positives": [ + "Trusted parent processes accessing their respective application passwords." + ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License", + "name": "Keychain Password Retrieval via Command Line", + "query": "event.category:process and event.type:(start or process_started) and process.name:security and process.args:(\"find-generic-password\" or \"find-internet-password\")", + "references": [ + "https://www.netmeister.org/blog/keychain-passwords.html", + "https://github.com/priyankchheda/chrome_password_grabber/blob/master/chrome.py", + "https://ss64.com/osx/security.html", + "https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/" + ], + "risk_score": 73, + "rule_id": "9092cd6c-650f-4fa3-8a8a-28256c7489c9", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1555", + "name": "Credentials from Password Stores", + "reference": "https://attack.mitre.org/techniques/T1555/", + "subtechnique": [ + { + "id": "T1555.001", + "name": "Keychain", + "reference": "https://attack.mitre.org/techniques/T1555/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_lsass_memdump_file_created.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_lsass_memdump_file_created.json index ef1d14add5b218..c1e0f9f7e7a638 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_lsass_memdump_file_created.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_lsass_memdump_file_created.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "kuery", "license": "Elastic License", @@ -45,5 +46,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_mimikatz_memssp_default_logs.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_mimikatz_memssp_default_logs.json index 3a037985b61485..8f1090f99414e7 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_mimikatz_memssp_default_logs.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_mimikatz_memssp_default_logs.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "kuery", "license": "Elastic License", @@ -41,5 +42,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_mitm_localhost_webproxy.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_mitm_localhost_webproxy.json new file mode 100644 index 00000000000000..311723651cb3e1 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_mitm_localhost_webproxy.json @@ -0,0 +1,52 @@ +{ + "author": [ + "Elastic" + ], + "description": "Identifies the use of the built-in networksetup command to configure webproxy settings. This may indicate an attempt to hijack web browser traffic for credential access via traffic sniffing or redirection.", + "false_positives": [ + "Legitimate WebProxy Settings Modification" + ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License", + "name": "WebProxy Settings Modification", + "query": "event.category:process and event.type:start and process.name:networksetup and process.args:(\"-setwebproxy\" or \"-setsecurewebproxy\" or \"-setautoproxyurl\")", + "references": [ + "https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/", + "https://objectivebythesea.com/v2/talks/OBTS_v2_Zohar.pdf" + ], + "risk_score": 47, + "rule_id": "10a500bb-a28f-418e-ba29-ca4c8d1a9f2f", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1539", + "name": "Steal Web Session Cookie", + "reference": "https://attack.mitre.org/techniques/T1539/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_mod_wdigest_security_provider.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_mod_wdigest_security_provider.json new file mode 100644 index 00000000000000..84f1315472d7a1 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_mod_wdigest_security_provider.json @@ -0,0 +1,57 @@ +{ + "author": [ + "Elastic" + ], + "description": "Identifies attempts to modify the WDigest security provider in the registry to force the user's password to be stored in clear text in memory. This behavior can be indicative of an adversary attempting to weaken the security configuration of an endpoint. Once the UseLogonCredential value is modified, the adversary may attempt to dump clear text passwords from memory.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License", + "name": "Modification of WDigest Security Provider", + "query": "registry where event.type in (\"creation\", \"change\") and\n registry.path:\"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\SecurityProviders\\\\WDigest\\\\UseLogonCredential\" and\n registry.data.strings:\"1\"\n", + "references": [ + "https://www.csoonline.com/article/3438824/how-to-detect-and-halt-credential-theft-via-windows-wdigest.html", + "https://www.praetorian.com/blog/mitigating-mimikatz-wdigest-cleartext-credential-theft?edition=2019" + ], + "risk_score": 73, + "rule_id": "d703a5af-d5b0-43bd-8ddb-7a5d500b7da5", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.001", + "name": "LSASS Memory", + "reference": "https://attack.mitre.org/techniques/T1003/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_promt_for_pwd_via_osascript.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_promt_for_pwd_via_osascript.json index f8bb27bf1d822c..e369c6e87d3e02 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_promt_for_pwd_via_osascript.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_promt_for_pwd_via_osascript.json @@ -11,7 +11,7 @@ "language": "eql", "license": "Elastic License", "name": "Prompt for Credentials with OSASCRIPT", - "query": "process where event.type in (\"start\", \"process_started\") and process.name:\"osascript\" and process.args:\"-e\" and process.args:\"password\"\n", + "query": "process where event.type in (\"start\", \"process_started\") and process.name : \"osascript\" and\n process.command_line : \"osascript*display dialog*password*\"\n", "references": [ "https://github.com/EmpireProject/EmPyre/blob/master/lib/modules/collection/osx/prompt.py", "https://ss64.com/osx/osascript.html" @@ -38,12 +38,19 @@ { "id": "T1056", "name": "Input Capture", - "reference": "https://attack.mitre.org/techniques/T1056/" + "reference": "https://attack.mitre.org/techniques/T1056/", + "subtechnique": [ + { + "id": "T1056.002", + "name": "GUI Input Capture", + "reference": "https://attack.mitre.org/techniques/T1056/002/" + } + ] } ] } ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_saved_creds_vaultcmd.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_saved_creds_vaultcmd.json new file mode 100644 index 00000000000000..f9efa7f47b9961 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_saved_creds_vaultcmd.json @@ -0,0 +1,50 @@ +{ + "author": [ + "Elastic" + ], + "description": "Windows Credential Manager allows you to create, view, or delete saved credentials for signing into websites, connected applications, and networks. An adversary may abuse this to list or dump credentials stored in the Credential Manager for saved usernames and passwords. This may also be performed in preparation of lateral movement.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License", + "name": "Searching for Saved Credentials via VaultCmd", + "query": "process where event.type in (\"start\", \"process_started\") and\n (process.pe.original_file_name:\"vaultcmd.exe\" or process.name:\"vaultcmd.exe\") and\n process.args:\"/list*\"\n", + "references": [ + "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", + "https://rastamouse.me/blog/rdp-jump-boxes/" + ], + "risk_score": 47, + "rule_id": "be8afaed-4bcd-4e0a-b5f9-5562003dde81", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_ssh_backdoor_log.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_ssh_backdoor_log.json new file mode 100644 index 00000000000000..873763ce3048c6 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_ssh_backdoor_log.json @@ -0,0 +1,68 @@ +{ + "author": [ + "Elastic" + ], + "description": "Identifies a Secure Shell (SSH) client or server process creating or writing to a known SSH backdoor log file. Adversaries may modify SSH related binaries for persistence or credential access via patching sensitive functions to enable unauthorized access or to log SSH credentials for exfiltration.", + "false_positives": [ + "Updates to approved and trusted SSH executables can trigger this rule." + ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License", + "name": "Potential OpenSSH Backdoor Logging Activity", + "query": "file where event.type == \"change\" and process.executable : (\"/usr/sbin/sshd\", \"/usr/bin/ssh\") and\n (\n file.name : (\".*\", \"~*\") or\n file.extension : (\"in\", \"out\", \"ini\", \"h\", \"gz\", \"so\", \"sock\", \"sync\", \"0\", \"1\", \"2\", \"3\", \"4\", \"5\", \"6\", \"7\", \"8\", \"9\") or\n file.path : \n (\n \"/private/etc/*--\", \n \"/usr/share/*\", \n \"/usr/include/*\", \n \"/usr/local/include/*\", \n \"/private/tmp/*\", \n \"/private/var/tmp/*\",\n \"/usr/tmp/*\", \n \"/usr/share/man/*\", \n \"/usr/local/share/*\", \n \"/usr/lib/*.so.*\", \n \"/private/etc/ssh/.sshd_auth\",\n \"/usr/bin/ssd\", \n \"/private/var/opt/power\", \n \"/private/etc/ssh/ssh_known_hosts\", \n \"/private/var/html/lol\", \n \"/private/var/log/utmp\", \n \"/private/var/lib\",\n \"/var/run/sshd/sshd.pid\",\n \"/var/run/nscd/ns.pid\",\n \"/var/run/udev/ud.pid\",\n \"/var/run/udevd.pid\"\n )\n )\n", + "references": [ + "https://github.com/eset/malware-ioc/tree/master/sshdoor", + "https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf" + ], + "risk_score": 73, + "rule_id": "f28e2be4-6eca-4349-bdd9-381573730c22", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Persistence", + "Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1556", + "name": "Modify Authentication Process", + "reference": "https://attack.mitre.org/techniques/T1556/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1554", + "name": "Compromise Client Software Binary", + "reference": "https://attack.mitre.org/techniques/T1554/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_systemkey_dumping.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_systemkey_dumping.json new file mode 100644 index 00000000000000..e6ca43ead126ce --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_systemkey_dumping.json @@ -0,0 +1,55 @@ +{ + "author": [ + "Elastic" + ], + "description": "Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos. Adversaries may collect the keychain storage data from a system to acquire credentials.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License", + "name": "SystemKey Access via Command Line", + "query": "event.category:process and event.type:(start or process_started) and process.args:\"/private/var/db/SystemKey\"", + "references": [ + "https://github.com/AlessandroZ/LaZagne/blob/master/Mac/lazagne/softwares/system/chainbreaker.py" + ], + "risk_score": 73, + "rule_id": "d75991f2-b989-419d-b797-ac1e54ec2d61", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1555", + "name": "Credentials from Password Stores", + "reference": "https://attack.mitre.org/techniques/T1555/", + "subtechnique": [ + { + "id": "T1555.001", + "name": "Keychain", + "reference": "https://attack.mitre.org/techniques/T1555/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.json index 878f2532cf1c51..ea97da66d52cf0 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "kuery", "license": "Elastic License", @@ -57,5 +58,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 7 + "version": 8 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_apple_softupdates_modification.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_apple_softupdates_modification.json new file mode 100644 index 00000000000000..5c577a494b1794 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_apple_softupdates_modification.json @@ -0,0 +1,58 @@ +{ + "author": [ + "Elastic" + ], + "description": "Identifies changes to the SoftwareUpdate preferences using the built-in defaults command. Adversaries may abuse this in an attempt to disable security updates.", + "false_positives": [ + "Authorized SoftwareUpdate Settings Changes" + ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License", + "name": "SoftwareUpdate Preferences Modification", + "query": "event.category:process and event.type:(start or process_started) and process.name:defaults and process.args:(write and \"-bool\" and (com.apple.SoftwareUpdate or /Library/Preferences/com.apple.SoftwareUpdate.plist) and not (TRUE or true))", + "references": [ + "https://blog.checkpoint.com/2017/07/13/osxdok-refuses-go-away-money/" + ], + "risk_score": 47, + "rule_id": "f683dcdf-a018-4801-b066-193d4ae6c8e5", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_attempt_del_quarantine_attrib.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_attempt_del_quarantine_attrib.json index bfa8c19d8ea779..4ecb25a2d6de1c 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_attempt_del_quarantine_attrib.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_attempt_del_quarantine_attrib.json @@ -11,11 +11,12 @@ "language": "eql", "license": "Elastic License", "name": "Attempt to Remove File Quarantine Attribute", - "query": "process where event.type in (\"start\", \"process_started\") and\n process.name == \"xattr\" and process.args == \"com.apple.quarantine\" and process.args == \"-d\"\n", + "query": "process where event.type in (\"start\", \"process_started\") and\n process.args : \"xattr\" and\n (\n (process.args : \"com.apple.quarantine\" and process.args : (\"-d\", \"-w\")) or\n (process.args : \"-c\" and process.command_line :\n (\n \"/bin/bash -c xattr -c *\",\n \"/bin/zsh -c xattr -c *\",\n \"/bin/sh -c xattr -c *\"\n )\n )\n )\n", "references": [ - "https://www.trendmicro.com/en_us/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html" + "https://www.trendmicro.com/en_us/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html", + "https://ss64.com/osx/xattr.html" ], - "risk_score": 43, + "risk_score": 47, "rule_id": "f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7", "severity": "medium", "tags": [ @@ -51,5 +52,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_attempt_to_disable_gatekeeper.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_attempt_to_disable_gatekeeper.json new file mode 100644 index 00000000000000..e351a48e2b1eb6 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_attempt_to_disable_gatekeeper.json @@ -0,0 +1,49 @@ +{ + "author": [ + "Elastic" + ], + "description": "Detects attempts to disable Gatekeeper on macOS. Gatekeeper is a security feature that's designed to ensure that only trusted software is run. Adversaries may attempt to disable Gatekeeper before executing malicious code.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License", + "name": "Attempt to Disable Gatekeeper", + "query": "event.category:process and event.type:(start or process_started) and process.args:(spctl and \"--master-disable\")", + "references": [ + "https://support.apple.com/en-us/HT202491", + "https://www.carbonblack.com/blog/tau-threat-intelligence-notification-new-macos-malware-variant-of-shlayer-osx-discovered/" + ], + "risk_score": 47, + "rule_id": "4da13d6e-904f-4636-81d8-6ab14b4e6ae9", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1553", + "name": "Subvert Trust Controls", + "reference": "https://attack.mitre.org/techniques/T1553/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_clearing_windows_event_logs.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_clearing_windows_event_logs.json index d99f2f90e130a1..cc5b948fbf20f2 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_clearing_windows_event_logs.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_clearing_windows_event_logs.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "kuery", "license": "Elastic License", @@ -41,5 +42,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 7 + "version": 8 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_clearing_windows_security_logs.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_clearing_windows_security_logs.json new file mode 100644 index 00000000000000..0a19ea075926bb --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_clearing_windows_security_logs.json @@ -0,0 +1,46 @@ +{ + "author": [ + "Elastic", + "Anabella Cristaldi" + ], + "description": "Identifies attempts to clear Windows event log stores. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License", + "name": "Windows Event Logs Cleared", + "query": "event.action:(\"audit-log-cleared\" or \"Log clear\")", + "risk_score": 21, + "rule_id": "45ac4800-840f-414c-b221-53dd36a5aaf7", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1070", + "name": "Indicator Removal on Host", + "reference": "https://attack.mitre.org/techniques/T1070/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_code_injection_conhost.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_code_injection_conhost.json index 00c7a5fce40528..c5a9c7e315920b 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_code_injection_conhost.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_code_injection_conhost.json @@ -6,12 +6,13 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "kuery", "license": "Elastic License", "name": "Suspicious Process from Conhost", - "query": "event.category:process and event.type:(start or process_started) and process.parent.name:conhost.exe", + "query": "event.category:process and event.type:(start or process_started) and process.parent.name:conhost.exe and not process.executable:(\"C:\\Windows\\splwow64.exe\" or \"C:\\Windows\\System32\\WerFault.exe\" or \"C:\\\\Windows\\System32\\conhost.exe\")", "references": [ "https://modexp.wordpress.com/2018/09/12/process-injection-user-data/", "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Defense%20Evasion/evasion_codeinj_odzhan_conhost_sysmon_10_1.evtx" @@ -45,5 +46,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_create_mod_root_certificate.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_create_mod_root_certificate.json new file mode 100644 index 00000000000000..9ec4e7a9a0ab8a --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_create_mod_root_certificate.json @@ -0,0 +1,60 @@ +{ + "author": [ + "Elastic" + ], + "description": "Identifies the creation or modification of a local trusted root certificate in Windows. The install of a malicious root certificate would allow an attacker the ability to masquerade malicious files as valid signed components from any entity (e.g. Microsoft). It could also allow an attacker to decrypt SSL traffic.", + "false_positives": [ + "Certain applications may install root certificates for the purpose of inspecting SSL traffic." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License", + "name": "Creation or Modification of Root Certificate", + "query": "registry where event.type in (\"creation\", \"change\") and\n registry.path :\n (\n \"HKLM\\\\Software\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\*\\\\Blob\",\n \"HKLM\\\\Software\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\*\\\\Blob\",\n \"HKLM\\\\Software\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\*\\\\Blob\",\n \"HKLM\\\\Software\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\*\\\\Blob\"\n )\n", + "references": [ + "https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec", + "https://www.ired.team/offensive-security/persistence/t1130-install-root-certificate" + ], + "risk_score": 21, + "rule_id": "203ab79b-239b-4aa5-8e54-fc50623ee8e4", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1553", + "name": "Subvert Trust Controls", + "reference": "https://attack.mitre.org/techniques/T1553/", + "subtechnique": [ + { + "id": "T1553.004", + "name": "Install Root Certificate", + "reference": "https://attack.mitre.org/techniques/T1553/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_cve_2020_0601.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_cve_2020_0601.json index f97901404fdc76..ddd3e20ac1c7cd 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_cve_2020_0601.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_cve_2020_0601.json @@ -4,7 +4,8 @@ ], "description": "A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source.", "index": [ - "winlogbeat-*" + "winlogbeat-*", + "logs-windows.*" ], "language": "kuery", "license": "Elastic License", @@ -46,5 +47,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 5 + "version": 6 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_defender_disabled_via_registry.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_defender_disabled_via_registry.json new file mode 100644 index 00000000000000..30f4b9883624b0 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_defender_disabled_via_registry.json @@ -0,0 +1,62 @@ +{ + "author": [ + "Elastic" + ], + "description": "Identifies modifications to the Windows Defender registry settings to disable the service or set the service to be started manually.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License", + "name": "Windows Defender Disabled via Registry Modification", + "note": "Detections should be investigated to identify if the hosts and users are authorized to use this tool. As this rule detects post-exploitation process activity, investigations into this should be prioritized", + "query": "registry where event.type in (\"creation\", \"change\") and\n ((registry.path:\"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\DisableAntiSpyware\" and\n registry.data.strings:\"1\") or\n (registry.path:\"HKLM\\\\System\\\\ControlSet*\\\\Services\\\\WinDefend\\\\Start\" and\n registry.data.strings in (\"3\", \"4\")))\n", + "references": [ + "https://thedfirreport.com/2020/12/13/defender-control/" + ], + "risk_score": 21, + "rule_id": "2ffa1f1e-b6db-47fa-994b-1512743847eb", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.006", + "name": "Indicator Blocking", + "reference": "https://attack.mitre.org/techniques/T1562/006/" + }, + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_delete_volume_usn_journal_with_fsutil.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_delete_volume_usn_journal_with_fsutil.json index cee43c94d97fd2..5630e20e0e65f3 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_delete_volume_usn_journal_with_fsutil.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_delete_volume_usn_journal_with_fsutil.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "kuery", "license": "Elastic License", @@ -48,5 +49,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 7 + "version": 8 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_deleting_backup_catalogs_with_wbadmin.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_deleting_backup_catalogs_with_wbadmin.json index 9d61ae658f182e..39c2dc65e6ef7e 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_deleting_backup_catalogs_with_wbadmin.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_deleting_backup_catalogs_with_wbadmin.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "kuery", "license": "Elastic License", @@ -48,5 +49,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 7 + "version": 8 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_deleting_websvr_access_logs.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_deleting_websvr_access_logs.json index 86820f7203bfa6..d00a4df394e5c6 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_deleting_websvr_access_logs.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_deleting_websvr_access_logs.json @@ -7,7 +7,8 @@ "index": [ "auditbeat-*", "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", @@ -44,5 +45,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_deletion_of_bash_command_line_history.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_deletion_of_bash_command_line_history.json index d4b84879bcf7d6..efd7d43c90c858 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_deletion_of_bash_command_line_history.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_deletion_of_bash_command_line_history.json @@ -2,16 +2,16 @@ "author": [ "Elastic" ], - "description": "Adversaries may attempt to clear the bash command line history in an attempt to evade detection or forensic investigations.", + "description": "Adversaries may attempt to clear or disable the Bash command-line history in an attempt to evade detection or forensic investigations.", "from": "now-9m", "index": [ "auditbeat-*", "logs-endpoint.events.*" ], - "language": "lucene", + "language": "eql", "license": "Elastic License", - "name": "Deletion of Bash Command Line History", - "query": "event.category:process AND event.type:(start or process_started) AND process.name:rm AND process.args:/\\/(home\\/.{1,255}|root)\\/\\.bash_history/", + "name": "Tampering of Bash Command-Line History", + "query": "process where event.type in (\"start\", \"process_started\") and\n (\n (process.args : (\"rm\", \"echo\") and process.args : (\".bash_history\", \"/root/.bash_history\", \"/home/*/.bash_history\")) or\n (process.name : \"history\" and process.args : \"-c\") or\n (process.args : \"export\" and process.args : (\"HISTFILE=/dev/null\", \"HISTFILESIZE=0\")) or\n (process.args : \"unset\" and process.args : \"HISTFILE\") or\n (process.args : \"set\" and process.args : \"history\" and process.args : \"+o\")\n )\n", "risk_score": 47, "rule_id": "7bcbb3ac-e533-41ad-a612-d6c3bf666aba", "severity": "medium", @@ -47,6 +47,6 @@ } ], "timestamp_override": "event.ingested", - "type": "query", - "version": 5 + "type": "eql", + "version": 6 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_disable_windows_firewall_rules_with_netsh.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_disable_windows_firewall_rules_with_netsh.json index 965b1592f32887..62e785b091915b 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_disable_windows_firewall_rules_with_netsh.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_disable_windows_firewall_rules_with_netsh.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "kuery", "license": "Elastic License", @@ -48,5 +49,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 7 + "version": 8 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_dotnet_compiler_parent_process.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_dotnet_compiler_parent_process.json index ed2ee27a2f9e70..49c69d0a83862f 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_dotnet_compiler_parent_process.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_dotnet_compiler_parent_process.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", @@ -41,5 +42,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 3 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_enable_inbound_rdp_with_netsh.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_enable_inbound_rdp_with_netsh.json index 14b92c0eb8f602..fdbb0f0e35a09d 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_enable_inbound_rdp_with_netsh.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_enable_inbound_rdp_with_netsh.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", @@ -48,5 +49,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_encoding_or_decoding_files_via_certutil.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_encoding_or_decoding_files_via_certutil.json index cdae07b5e93bb9..fefa5963866a86 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_encoding_or_decoding_files_via_certutil.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_encoding_or_decoding_files_via_certutil.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "kuery", "license": "Elastic License", @@ -41,5 +42,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 6 + "version": 7 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_lolbas_wuauclt.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_lolbas_wuauclt.json index 21568e4531ec86..b8b0201cb5db7b 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_lolbas_wuauclt.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_lolbas_wuauclt.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "logs-endpoint.events.*", - "winlogbeat-*" + "winlogbeat-*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", @@ -44,5 +45,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_msbuild_started_by_office_app.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_msbuild_started_by_office_app.json index b0c98c13f5331a..14436f937b4187 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_msbuild_started_by_office_app.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_msbuild_started_by_office_app.json @@ -9,7 +9,8 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "kuery", "license": "Elastic License", @@ -56,5 +57,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 6 + "version": 7 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_msbuild_started_by_script.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_msbuild_started_by_script.json index 9df293e6cbf3f6..d6976f0c287da9 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_msbuild_started_by_script.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_msbuild_started_by_script.json @@ -9,7 +9,8 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "kuery", "license": "Elastic License", @@ -53,5 +54,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 6 + "version": 7 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_msbuild_started_by_system_process.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_msbuild_started_by_system_process.json index 61f17c8d593df1..f02a8543689b14 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_msbuild_started_by_system_process.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_msbuild_started_by_system_process.json @@ -9,7 +9,8 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "kuery", "license": "Elastic License", @@ -53,5 +54,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 6 + "version": 7 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_msbuild_started_renamed.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_msbuild_started_renamed.json index 763c17e2792aed..ab2b1ee09c0c14 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_msbuild_started_renamed.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_msbuild_started_renamed.json @@ -9,7 +9,8 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "kuery", "license": "Elastic License", @@ -44,5 +45,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 6 + "version": 7 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_msbuild_started_unusal_process.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_msbuild_started_unusal_process.json index 6bd60eb4520930..98af8429f28271 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_msbuild_started_unusal_process.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_msbuild_started_unusal_process.json @@ -9,7 +9,8 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "kuery", "license": "Elastic License", @@ -54,5 +55,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 6 + "version": 7 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_suspicious_explorer_winword.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_suspicious_explorer_winword.json index c1679e4ce1c63f..07c13af09d8d38 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_suspicious_explorer_winword.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_suspicious_explorer_winword.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "kuery", "license": "Elastic License", @@ -41,5 +42,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 3 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_via_trusted_developer_utilities.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_via_trusted_developer_utilities.json index 10424863f0290b..d7ea84de18ec87 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_via_trusted_developer_utilities.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_via_trusted_developer_utilities.json @@ -6,9 +6,11 @@ "false_positives": [ "These programs may be used by Windows developers but use by non-engineers is unusual." ], + "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "kuery", "license": "Elastic License", @@ -52,5 +54,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 6 + "version": 7 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_file_creation_mult_extension.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_file_creation_mult_extension.json new file mode 100644 index 00000000000000..55ebb2e428e1e9 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_file_creation_mult_extension.json @@ -0,0 +1,53 @@ +{ + "author": [ + "Elastic" + ], + "description": "Masquerading can allow an adversary to evade defenses and better blend in with the environment. One way it occurs is when the name or location of a file is manipulated as a means of tricking a user into executing what they think is a benign file type but is actually executable code.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License", + "name": "Executable File Creation with Multiple Extensions", + "query": "file where event.type == \"creation\" and file.extension:\"exe\" and\n file.name:\n (\n \"*.vbs.exe\",\n \"*.vbe.exe\",\n \"*.bat.exe\",\n \"*.js.exe\",\n \"*.cmd.exe\",\n \"*.wsh.exe\",\n \"*.ps1.exe\",\n \"*.pdf.exe\",\n \"*.docx.exe\",\n \"*.doc.exe\",\n \"*.xlsx.exe\",\n \"*.xls.exe\",\n \"*.pptx.exe\",\n \"*.ppt.exe\",\n \"*.txt.exe\",\n \"*.rtf.exe\",\n \"*.gif.exe\",\n \"*.jpg.exe\",\n \"*.png.exe\",\n \"*.bmp.exe\",\n \"*.hta.exe\",\n \"*.txt.exe\",\n \"*.img.exe\",\n \"*.iso.exe\"\n )\n", + "risk_score": 47, + "rule_id": "8b2b3a62-a598-4293-bc14-3d5fa22bb98f", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/", + "subtechnique": [ + { + "id": "T1036.004", + "name": "Masquerade Task or Service", + "reference": "https://attack.mitre.org/techniques/T1036/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_hide_encoded_executable_registry.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_hide_encoded_executable_registry.json index e294c84db2d080..3b03c150476135 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_hide_encoded_executable_registry.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_hide_encoded_executable_registry.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "logs-endpoint.events.*", - "winlogbeat-*" + "winlogbeat-*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", @@ -41,5 +42,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_iis_httplogging_disabled.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_iis_httplogging_disabled.json index c2e82ca10a99c4..7e64762ea7cad4 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_iis_httplogging_disabled.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_iis_httplogging_disabled.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "kuery", "license": "Elastic License", @@ -42,5 +43,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 3 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_injection_msbuild.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_injection_msbuild.json index 6c416b0a4e0c5f..c85e457823b066 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_injection_msbuild.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_injection_msbuild.json @@ -7,7 +7,8 @@ "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual." ], "index": [ - "winlogbeat-*" + "winlogbeat-*", + "logs-windows.*" ], "language": "kuery", "license": "Elastic License", @@ -57,5 +58,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 4 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_install_root_certificate.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_install_root_certificate.json new file mode 100644 index 00000000000000..1548566df04943 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_install_root_certificate.json @@ -0,0 +1,58 @@ +{ + "author": [ + "Elastic" + ], + "description": "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to their command and control servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.", + "false_positives": [ + "Certain applications may install root certificates for the purpose of inspecting SSL traffic." + ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License", + "name": "Attempt to Install Root Certificate", + "query": "event.category:process and event.type:(start or process_started) and process.name:security and process.args:\"add-trusted-cert\"", + "references": [ + "https://ss64.com/osx/security-cert.html" + ], + "risk_score": 47, + "rule_id": "bc1eeacf-2972-434f-b782-3a532b100d67", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1553", + "name": "Subvert Trust Controls", + "reference": "https://attack.mitre.org/techniques/T1553/", + "subtechnique": [ + { + "id": "T1553.004", + "name": "Install Root Certificate", + "reference": "https://attack.mitre.org/techniques/T1553/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_installutil_beacon.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_installutil_beacon.json index 0dd2e51995c9be..b71e627fba8130 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_installutil_beacon.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_installutil_beacon.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "logs-endpoint.events.*", - "winlogbeat-*" + "winlogbeat-*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", @@ -47,5 +48,5 @@ } ], "type": "eql", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_masquerading_as_elastic_endpoint_process.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_masquerading_as_elastic_endpoint_process.json index 95042ffeebd0fc..eb9798a8c5c5f7 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_masquerading_as_elastic_endpoint_process.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_masquerading_as_elastic_endpoint_process.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", @@ -41,5 +42,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 3 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_masquerading_renamed_autoit.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_masquerading_renamed_autoit.json index f9b6c3082ef9cc..eb267f2a91b46c 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_masquerading_renamed_autoit.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_masquerading_renamed_autoit.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", @@ -41,5 +42,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 3 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_masquerading_suspicious_werfault_childproc.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_masquerading_suspicious_werfault_childproc.json index 559d81f963abb0..5d344cfaeab606 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_masquerading_suspicious_werfault_childproc.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_masquerading_suspicious_werfault_childproc.json @@ -9,7 +9,8 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "kuery", "license": "Elastic License", @@ -17,7 +18,8 @@ "query": "event.category:process and event.type:(start or process_started) and process.parent.name:WerFault.exe and not process.name:(cofire.exe or psr.exe or VsJITDebugger.exe or TTTracer.exe or rundll32.exe)", "references": [ "https://www.hexacorn.com/blog/2019/09/19/silentprocessexit-quick-look-under-the-hood/", - "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx" + "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx", + "https://blog.menasec.net/2021/01/" ], "risk_score": 47, "rule_id": "ac5012b8-8da8-440b-aaaf-aedafdea2dff", @@ -48,5 +50,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_masquerading_trusted_directory.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_masquerading_trusted_directory.json index 4bea1f2f2e6681..c575d2755251be 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_masquerading_trusted_directory.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_masquerading_trusted_directory.json @@ -6,13 +6,14 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", "name": "Program Files Directory Masquerading", "query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n /* capture both fake program files directory in process executable as well as if passed in process args as a dll*/\n process.args : (\"C:\\\\*Program*Files*\\\\*\", \"C:\\\\*Program*Files*\\\\*\") and\n not process.args : (\"C:\\\\Program Files\\\\*\", \"C:\\\\Program Files (x86)\\\\*\")\n", - "risk_score": 43, + "risk_score": 47, "rule_id": "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14", "severity": "medium", "tags": [ @@ -41,5 +42,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_masquerading_werfault.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_masquerading_werfault.json index 39cf9860dadcdf..0fb020c2bf3742 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_masquerading_werfault.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_masquerading_werfault.json @@ -9,7 +9,8 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", @@ -48,5 +49,5 @@ } ], "type": "eql", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_misc_lolbin_connecting_to_the_internet.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_misc_lolbin_connecting_to_the_internet.json index 686e9a1d4fa492..47b7c3d26f040a 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_misc_lolbin_connecting_to_the_internet.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_misc_lolbin_connecting_to_the_internet.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", @@ -49,5 +50,5 @@ } ], "type": "eql", - "version": 6 + "version": 7 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_modification_of_boot_config.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_modification_of_boot_config.json index 78a22ce98675aa..28b11dc5168b5b 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_modification_of_boot_config.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_modification_of_boot_config.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "kuery", "license": "Elastic License", @@ -48,5 +49,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 6 + "version": 7 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_modify_environment_launchctl.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_modify_environment_launchctl.json new file mode 100644 index 00000000000000..a1ed10fc7dbe91 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_modify_environment_launchctl.json @@ -0,0 +1,55 @@ +{ + "author": [ + "Elastic" + ], + "description": "Identifies modifications to an environment variable using the built-in launchctl command. Adversaries may execute their own malicious payloads by hijacking certain environment variables to load arbitrary libraries or bypass certain restrictions.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License", + "name": "Modification of Environment Variable via Launchctl", + "query": "event.category:process and event.type:start and process.name:launchctl and process.args:(setenv and not (JAVA*_HOME or RUNTIME_JAVA_HOME or DBUS_LAUNCHD_SESSION_BUS_SOCKET or ANT_HOME))", + "references": [ + "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/osx/escalate/tccbypass.rb" + ], + "risk_score": 47, + "rule_id": "7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/", + "subtechnique": [ + { + "id": "T1574.007", + "name": "Path Interception by PATH Environment Variable", + "reference": "https://attack.mitre.org/techniques/T1574/007/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_msbuild_making_network_connections.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_msbuild_making_network_connections.json index b157c7f16f9ac2..361796104a9a7d 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_msbuild_making_network_connections.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_msbuild_making_network_connections.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", @@ -40,5 +41,5 @@ } ], "type": "eql", - "version": 6 + "version": 7 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_mshta_beacon.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_mshta_beacon.json index f3da8be382f469..9947b261c6ef3e 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_mshta_beacon.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_mshta_beacon.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "logs-endpoint.events.*", - "winlogbeat-*" + "winlogbeat-*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", @@ -47,5 +48,5 @@ } ], "type": "eql", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_msxsl_network.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_msxsl_network.json index b20766548cb3e6..bed35a87235922 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_msxsl_network.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_msxsl_network.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", @@ -40,5 +41,5 @@ } ], "type": "eql", - "version": 5 + "version": 6 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_network_connection_from_windows_binary.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_network_connection_from_windows_binary.json index 88fd8a2054ee84..75cf701de1e461 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_network_connection_from_windows_binary.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_network_connection_from_windows_binary.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "logs-endpoint.events.*", - "winlogbeat-*" + "winlogbeat-*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", @@ -40,5 +41,5 @@ } ], "type": "eql", - "version": 1 + "version": 2 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_port_forwarding_added_registry.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_port_forwarding_added_registry.json index 29e24822e36964..547630e0fa84b2 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_port_forwarding_added_registry.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_port_forwarding_added_registry.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", @@ -51,5 +52,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_potential_processherpaderping.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_potential_processherpaderping.json index 5f8975c41cf183..6ff8025ac0cd52 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_potential_processherpaderping.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_potential_processherpaderping.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "logs-endpoint.events.*", - "winlogbeat-*" + "winlogbeat-*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", @@ -43,5 +44,5 @@ } ], "type": "eql", - "version": 1 + "version": 2 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_privacy_controls_tcc_database_modification.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_privacy_controls_tcc_database_modification.json new file mode 100644 index 00000000000000..5f003354393197 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_privacy_controls_tcc_database_modification.json @@ -0,0 +1,57 @@ +{ + "author": [ + "Elastic" + ], + "description": "Identifies the use of sqlite3 to directly modify the Transparency, Consent, and Control (TCC) SQLite database. This may indicate an attempt to bypass macOS privacy controls, including access to sensitive resources like the system camera, microphone, address book, and calendar.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License", + "name": "Potential Privacy Control Bypass via TCCDB Modification", + "query": "process where event.type in (\"start\", \"process_started\") and process.name : \"sqlite*\" and \n process.args : \"/*/Application Support/com.apple.TCC/TCC.db\"\n", + "references": [ + "https://applehelpwriter.com/2016/08/29/discovering-how-dropbox-hacks-your-mac/", + "https://github.com/bp88/JSS-Scripts/blob/master/TCC.db Modifier.sh", + "https://medium.com/@mattshockl/cve-2020-9934-bypassing-the-os-x-transparency-consent-and-control-tcc-framework-for-4e14806f1de8" + ], + "risk_score": 47, + "rule_id": "eea82229-b002-470e-a9e1-00be38b14d32", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.json new file mode 100644 index 00000000000000..fad033bd417573 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.json @@ -0,0 +1,64 @@ +{ + "author": [ + "Elastic" + ], + "description": "Identifies use of the Secure Copy Protocol (SCP) to copy files locally by abusing the auto addition of the Secure Shell Daemon (sshd) to the authorized application list for Full Disk Access. This may indicate attempts to bypass macOS privacy controls to access sensitive files.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License", + "name": "Potential Privacy Control Bypass via Localhost Secure Copy", + "query": "process where event.type in (\"start\", \"process_started\") and \n process.name:\"scp\" and\n process.args:\"StrictHostKeyChecking=no\" and \n process.command_line:(\"scp *localhost:/*\", \"scp *127.0.0.1:/*\") and\n not process.args:\"vagrant@*127.0.0.1*\"\n", + "references": [ + "https://blog.trendmicro.com/trendlabs-security-intelligence/xcsset-mac-malware-infects-xcode-projects-performs-uxss-attack-on-safari-other-browsers-leverages-zero-day-exploits/" + ], + "risk_score": 73, + "rule_id": "c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Privilege Escalation", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_rundll32_no_arguments.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_rundll32_no_arguments.json index 8dbc0e5ef76fef..54938bc2d1d6f5 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_rundll32_no_arguments.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_rundll32_no_arguments.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "logs-endpoint.events.*", - "winlogbeat-*" + "winlogbeat-*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", @@ -47,5 +48,5 @@ } ], "type": "eql", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_safari_config_change.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_safari_config_change.json new file mode 100644 index 00000000000000..5a08f3bd90855b --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_safari_config_change.json @@ -0,0 +1,55 @@ +{ + "author": [ + "Elastic" + ], + "description": "Identifies changes to the Safari configuration using the built-in defaults command. Adversaries may attempt to enable or disable certain Safari settings, such as enabling JavaScript from Apple Events to ease in the hijacking of the users browser.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License", + "name": "Modification of Safari Settings via Defaults Command", + "query": "event.category:process and event.type:start and process.name:defaults and process.args: (com.apple.Safari and write and not ( UniversalSearchEnabled or SuppressSearchSuggestions or WebKitTabToLinksPreferenceKey or ShowFullURLInSmartSearchField or com.apple.Safari.ContentPageGroupIdentifier.WebKit2TabsToLinks ) )", + "references": [ + "https://objectivebythesea.com/v2/talks/OBTS_v2_Zohar.pdf" + ], + "risk_score": 47, + "rule_id": "6482255d-f468-45ea-a5b3-d3a7de1331ae", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_sandboxed_office_app_suspicious_zip_file.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_sandboxed_office_app_suspicious_zip_file.json new file mode 100644 index 00000000000000..9542eed5a6060b --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_sandboxed_office_app_suspicious_zip_file.json @@ -0,0 +1,33 @@ +{ + "author": [ + "Elastic" + ], + "description": "Identifies the creation of a suspicious zip file prepended with special characters. Sandboxed Microsoft Office applications on macOS are allowed to write files that start with special characters, which can be combined with an AutoStart location to achieve sandbox evasion.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License", + "name": "Potential Microsoft Office Sandbox Evasion", + "query": "event.category:file and not event.type:deletion and file.name:~$*.zip", + "references": [ + "https://i.blackhat.com/USA-20/Wednesday/us-20-Wardle-Office-Drama-On-macOS.pdf", + "https://www.mdsec.co.uk/2018/08/escaping-the-sandbox-microsoft-office-on-macos/", + "https://desi-jarvis.medium.com/office365-macos-sandbox-escape-fcce4fa4123c" + ], + "risk_score": 73, + "rule_id": "d22a85c6-d2ad-4cc4-bf7b-54787473669a", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Defense Evasion" + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_scheduledjobs_at_protocol_enabled.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_scheduledjobs_at_protocol_enabled.json index 0176016d89f4de..e6cb50ab79f4b7 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_scheduledjobs_at_protocol_enabled.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_scheduledjobs_at_protocol_enabled.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", @@ -51,5 +52,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_sdelete_like_filename_rename.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_sdelete_like_filename_rename.json index eb01d608e54b75..a67e09916b783c 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_sdelete_like_filename_rename.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_sdelete_like_filename_rename.json @@ -6,13 +6,14 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", "name": "Potential Secure File Deletion via SDelete Utility", "note": "Verify process details such as command line and hash to confirm this activity legitimacy.", - "query": "file where event.type == \"change\" and wildcard(file.name,\"*AAA.AAA\")\n", + "query": "file where event.type == \"change\" and file.name : \"*AAA.AAA\"\n", "risk_score": 21, "rule_id": "5aee924b-6ceb-4633-980e-1bde8cdb40c5", "severity": "low", @@ -49,5 +50,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 3 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_sip_provider_mod.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_sip_provider_mod.json new file mode 100644 index 00000000000000..4eea43aada3a8c --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_sip_provider_mod.json @@ -0,0 +1,56 @@ +{ + "author": [ + "Elastic" + ], + "description": "Identifies modifications to the registered Subject Interface Package (SIP) providers. SIP providers are used by the Windows cryptographic system to validate file signatures on the system. This may be an attempt to bypass signature validation checks or inject code into critical processes.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License", + "name": "SIP Provider Modification", + "query": "registry where event.type:\"change\" and\n registry.path: (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Cryptography\\\\OID\\\\EncodingType 0\\\\CryptSIPDllPutSignedDataMsg\\\\{*}\\\\Dll\",\n \"HKLM\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Cryptography\\\\OID\\\\EncodingType 0\\\\CryptSIPDllPutSignedDataMsg\\\\{*}\\\\Dll\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Cryptography\\\\Providers\\\\Trust\\\\FinalPolicy\\\\{*}\\\\$Dll\",\n \"HKLM\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Cryptography\\\\Providers\\\\Trust\\\\FinalPolicy\\\\{*}\\\\$Dll\"\n ) and\n registry.data.strings:\"*.dll\"\n", + "references": [ + "https://github.com/mattifestation/PoCSubjectInterfacePackage" + ], + "risk_score": 47, + "rule_id": "f2c7b914-eda3-40c2-96ac-d23ef91776ca", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1553", + "name": "Subvert Trust Controls", + "reference": "https://attack.mitre.org/techniques/T1553/", + "subtechnique": [ + { + "id": "T1553.003", + "name": "SIP and Trust Provider Hijacking", + "reference": "https://attack.mitre.org/techniques/T1553/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.json index 0b5ca834c9c8f9..f9a94e85f5a470 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", @@ -73,5 +74,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_stop_process_service_threshold.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_stop_process_service_threshold.json index 4ee3172fea7ebc..d5df975cfbd871 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_stop_process_service_threshold.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_stop_process_service_threshold.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "kuery", "license": "Elastic License", @@ -51,5 +52,5 @@ "value": 10 }, "type": "threshold", - "version": 1 + "version": 2 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_suspicious_managedcode_host_process.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_suspicious_managedcode_host_process.json index f6722e13eaf056..fbd006936253ef 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_suspicious_managedcode_host_process.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_suspicious_managedcode_host_process.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "kuery", "license": "Elastic License", @@ -44,5 +45,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_suspicious_scrobj_load.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_suspicious_scrobj_load.json index 2f0f762031faa5..4f464327706609 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_suspicious_scrobj_load.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_suspicious_scrobj_load.json @@ -6,12 +6,13 @@ "from": "now-9m", "index": [ "logs-endpoint.events.*", - "winlogbeat-*" + "winlogbeat-*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", "name": "Windows Suspicious Script Object Execution", - "query": "/* add winlogbeat-* when process.code_signature.* fields are populated */\n\nsequence by process.entity_id with maxspan=2m\n [process where event.type in (\"start\", \"process_started\") and\n /* uncomment once in winlogbeat */\n /* process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true and */\n not (process.name : \"cscript.exe\" or\n process.name : \"iexplore.exe\" or\n process.name : \"MicrosoftEdge.exe\" or\n process.name : \"msiexec.exe\" or\n process.name : \"smartscreen.exe\" or\n process.name : \"taskhostw.exe\" or\n process.name : \"w3wp.exe\" or\n process.name : \"wscript.exe\")]\n [library where event.type == \"start\" and file.name : \"scrobj.dll\"]\n", + "query": "/* add winlogbeat-* when process.code_signature.* fields are populated */\n\nsequence by process.entity_id with maxspan = 2m\n [process where event.type in (\"start\", \"process_started\") and\n /* uncomment once in winlogbeat */\n /* process.code_signature.subject_name : \"Microsoft Corporation\" and process.code_signature.trusted : true and */\n not process.name : (\n \"cscript.exe\",\n \"iexplore.exe\",\n \"MicrosoftEdge.exe\",\n \"msiexec.exe\",\n \"smartscreen.exe\",\n \"taskhostw.exe\",\n \"w3wp.exe\",\n \"wscript.exe\")]\n [library where event.type == \"start\" and dll.name : \"scrobj.dll\"]\n", "risk_score": 21, "rule_id": "4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff", "severity": "medium", @@ -34,5 +35,5 @@ } ], "type": "eql", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_suspicious_wmi_script.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_suspicious_wmi_script.json index e9224162643595..7c6998f929e090 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_suspicious_wmi_script.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_suspicious_wmi_script.json @@ -5,12 +5,14 @@ "description": "Identifies WMIC whitelisting bypass techniques by alerting on suspicious execution of scripts. When WMIC loads scripting libraries it may be indicative of a whitelist bypass.", "from": "now-9m", "index": [ - "logs-endpoint.events.*" + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", "name": "Suspicious WMIC XSL Script Execution", - "query": "sequence by process.entity_id with maxspan=2m\n[process where event.type in (\"start\", \"process_started\") and\n (process.name : \"WMIC.exe\" or process.pe.original_file_name == \"wmic.exe\") and\n wildcard(process.args, \"format*:*\", \"/format*:*\", \"*-format*:*\") and\n not wildcard(process.command_line, \"* /format:table *\")]\n[library where event.type == \"start\" and file.name in (\"jscript.dll\", \"vbscript.dll\")]\n", + "query": "sequence by process.entity_id with maxspan = 2m\n[process where event.type in (\"start\", \"process_started\") and\n (process.name : \"WMIC.exe\" or process.pe.original_file_name : \"wmic.exe\") and\n process.args : (\"format*:*\", \"/format*:*\", \"*-format*:*\") and\n not process.command_line : \"* /format:table *\"]\n[library where event.type == \"start\" and dll.name : (\"jscript.dll\", \"vbscript.dll\")]\n", "risk_score": 21, "rule_id": "7f370d54-c0eb-4270-ac5a-9a6020585dc6", "severity": "medium", @@ -39,5 +41,5 @@ } ], "type": "eql", - "version": 1 + "version": 2 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_suspicious_zoom_child_process.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_suspicious_zoom_child_process.json index 6abe5b5ee4c400..571f42cf0e942a 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_suspicious_zoom_child_process.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_suspicious_zoom_child_process.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", @@ -46,5 +47,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 3 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_system_critical_proc_abnormal_file_activity.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_system_critical_proc_abnormal_file_activity.json index 265f648c7959dc..811dae6b7ce534 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_system_critical_proc_abnormal_file_activity.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_system_critical_proc_abnormal_file_activity.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "kuery", "license": "Elastic License", @@ -41,5 +42,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_tcc_bypass_mounted_apfs_access.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_tcc_bypass_mounted_apfs_access.json new file mode 100644 index 00000000000000..d79c90e703ef73 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_tcc_bypass_mounted_apfs_access.json @@ -0,0 +1,48 @@ +{ + "author": [ + "Elastic" + ], + "description": "Identifies the use of the mount_apfs command to mount the entire file system through Apple File System (APFS) snapshots as read-only and with the noowners flag set. This action enables the adversary to access almost any file in the file system, including all user data and files protected by Apple\u2019s privacy framework (TCC).", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License", + "name": "TCC Bypass via Mounted APFS Snapshot Access", + "query": "event.category : process and event.type : (start or process_started) and process.name : mount_apfs and process.args : (/System/Volumes/Data and noowners)", + "references": [ + "https://theevilbit.github.io/posts/cve_2020_9771/" + ], + "risk_score": 73, + "rule_id": "b00bcd89-000c-4425-b94c-716ef67762f6", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1006", + "name": "Direct Volume Access", + "reference": "https://attack.mitre.org/techniques/T1006/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_timestomp_touch.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_timestomp_touch.json index fe8268d11cc2d7..e6275668be487c 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_timestomp_touch.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_timestomp_touch.json @@ -12,7 +12,7 @@ "license": "Elastic License", "max_signals": 33, "name": "Timestomping using Touch Command", - "query": "process where event.type in (\"start\", \"process_started\") and\n process.name == \"touch\" and wildcard(process.args, \"-r\", \"-t\", \"-a*\",\"-m*\")\n", + "query": "process where event.type in (\"start\", \"process_started\") and\n process.name : \"touch\" and process.args : (\"-r\", \"-t\", \"-a*\",\"-m*\")\n", "risk_score": 47, "rule_id": "b0046934-486e-462f-9487-0d4cf9e429c6", "severity": "medium", @@ -50,5 +50,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_unload_endpointsecurity_kext.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_unload_endpointsecurity_kext.json new file mode 100644 index 00000000000000..9725619d5b3996 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_unload_endpointsecurity_kext.json @@ -0,0 +1,52 @@ +{ + "author": [ + "Elastic" + ], + "description": "Identifies attempts to unload the Elastic Endpoint Security kernel extension via the kextunload command.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License", + "name": "Attempt to Unload Elastic Endpoint Security Kernel Extension", + "query": "event.category:process and event.type:(start or process_started) and process.name:kextunload and process.args:(\"/System/Library/Extensions/EndpointSecurity.kext\" or \"EndpointSecurity.kext\")", + "risk_score": 73, + "rule_id": "70fa1af4-27fd-4f26-bd03-50b6af6b9e24", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_unusual_ads_file_creation.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_unusual_ads_file_creation.json new file mode 100644 index 00000000000000..4afbf0472f0258 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_unusual_ads_file_creation.json @@ -0,0 +1,53 @@ +{ + "author": [ + "Elastic" + ], + "description": "Identifies suspicious creation of Alternate Data Streams on highly targeted files. This is uncommon for legitimate files and sometimes done by adversaries to hide malware.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License", + "name": "Unusual File Creation - Alternate Data Stream", + "query": "file where event.type == \"creation\" and\n file.path : \"C:\\\\*:*\" and\n not file.path : \"C:\\\\*:zone.identifier*\" and\n file.extension :\n (\n \"pdf\",\n \"dll\",\n \"png\",\n \"exe\",\n \"dat\",\n \"com\",\n \"bat\",\n \"cmd\",\n \"sys\",\n \"vbs\",\n \"ps1\",\n \"hta\",\n \"txt\",\n \"vbe\",\n \"js\",\n \"wsh\",\n \"docx\",\n \"doc\",\n \"xlsx\",\n \"xls\",\n \"pptx\",\n \"ppt\",\n \"rtf\",\n \"gif\",\n \"jpg\",\n \"png\",\n \"bmp\",\n \"img\",\n \"iso\"\n )\n", + "risk_score": 47, + "rule_id": "71bccb61-e19b-452f-b104-79a60e546a95", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1564", + "name": "Hide Artifacts", + "reference": "https://attack.mitre.org/techniques/T1564/", + "subtechnique": [ + { + "id": "T1564.004", + "name": "NTFS File Attributes", + "reference": "https://attack.mitre.org/techniques/T1564/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_unusual_dir_ads.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_unusual_dir_ads.json index 3327afd89f541e..ed10ddf4a4fb7e 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_unusual_dir_ads.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_unusual_dir_ads.json @@ -3,9 +3,11 @@ "Elastic" ], "description": "Identifies processes running from an Alternate Data Stream. This is uncommon for legitimate processes and sometimes done by adversaries to hide malware.", + "from": "now-9m", "index": [ "logs-endpoint.events.*", - "winlogbeat-*" + "winlogbeat-*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", @@ -40,5 +42,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_unusual_network_connection_via_rundll32.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_unusual_network_connection_via_rundll32.json index 8c885aa52be593..19665527ccabb6 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_unusual_network_connection_via_rundll32.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_unusual_network_connection_via_rundll32.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", @@ -47,5 +48,5 @@ } ], "type": "eql", - "version": 7 + "version": 8 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_unusual_process_network_connection.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_unusual_process_network_connection.json index bd8ac27521a439..77b932b97c88f5 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_unusual_process_network_connection.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_unusual_process_network_connection.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", @@ -40,5 +41,5 @@ } ], "type": "eql", - "version": 6 + "version": 7 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_unusual_system_vp_child_program.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_unusual_system_vp_child_program.json index 819c85a1ade628..f20998dea964ba 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_unusual_system_vp_child_program.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_unusual_system_vp_child_program.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "kuery", "license": "Elastic License", @@ -41,5 +42,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_via_filter_manager.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_via_filter_manager.json index fc7a66be016ef4..797a2bad31c4c1 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_via_filter_manager.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_via_filter_manager.json @@ -3,9 +3,11 @@ "Elastic" ], "description": "The Filter Manager Control Program (fltMC.exe) binary may be abused by adversaries to unload a filter driver and evade defenses.", + "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "kuery", "license": "Elastic License", @@ -40,5 +42,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 5 + "version": 6 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_volume_shadow_copy_deletion_via_wmic.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_volume_shadow_copy_deletion_via_wmic.json index b41ad15ca3e17d..11623d61fa6972 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_volume_shadow_copy_deletion_via_wmic.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_volume_shadow_copy_deletion_via_wmic.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "kuery", "license": "Elastic License", @@ -48,5 +49,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 7 + "version": 8 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_adfind_command_activity.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_adfind_command_activity.json index 6bdc8a65154e31..64483156611776 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_adfind_command_activity.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_adfind_command_activity.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "logs-endpoint.events.*", - "winlogbeat-*" + "winlogbeat-*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", @@ -74,5 +75,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_admin_recon.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_admin_recon.json index 57c9ba77385c11..355b5df097a13f 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_admin_recon.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_admin_recon.json @@ -3,9 +3,11 @@ "Elastic" ], "description": "Identifies instances of lower privilege accounts enumerating Administrator accounts or groups using built-in Windows tools.", + "from": "now-9m", "index": [ "logs-endpoint.events.*", - "winlogbeat-*" + "winlogbeat-*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", @@ -45,5 +47,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_file_dir_discovery.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_file_dir_discovery.json index c6ed7328701953..a4e76120504cc7 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_file_dir_discovery.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_file_dir_discovery.json @@ -3,14 +3,19 @@ "Elastic" ], "description": "Enumeration of files and directories using built-in tools. Adversaries may use the information discovered to plan follow-on activity.", + "false_positives": [ + "Enumeration of files and directories may not be inherently malicious and noise may come from scripts, automation tools, or normal command line usage. It's important to baseline your environment to determine the amount of expected noise and exclude any known FP's from the rule." + ], + "from": "now-9m", "index": [ "logs-endpoint.events.*", - "winlogbeat-*" + "winlogbeat-*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", "name": "File and Directory Discovery", - "query": "process where event.type in (\"start\", \"process_started\") and\n (process.name : \"cmd.exe\" or process.pe.original_file_name == \"Cmd.Exe\") and\n process.args : (\"dir\", \"tree\")\n", + "query": "sequence by agent.id, user.name with maxspan=1m\n[process where event.type in (\"start\", \"process_started\") and\n ((process.name : \"cmd.exe\" or process.pe.original_file_name == \"Cmd.Exe\") and process.args : \"dir\") or\n process.name : \"tree.com\"]\n[process where event.type in (\"start\", \"process_started\") and\n ((process.name : \"cmd.exe\" or process.pe.original_file_name == \"Cmd.Exe\") and process.args : \"dir\") or\n process.name : \"tree.com\"]\n[process where event.type in (\"start\", \"process_started\") and\n ((process.name : \"cmd.exe\" or process.pe.original_file_name == \"Cmd.Exe\") and process.args : \"dir\") or\n process.name : \"tree.com\"]\n", "risk_score": 21, "rule_id": "7b08314d-47a0-4b71-ae4e-16544176924f", "severity": "low", @@ -40,5 +45,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_net_command_system_account.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_net_command_system_account.json index 5572178361a09d..25cdc2bd1c44ef 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_net_command_system_account.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_net_command_system_account.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "kuery", "license": "Elastic License", @@ -41,5 +42,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 5 + "version": 6 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_net_view.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_net_view.json index 0f4be41389cbca..1cb6364a323f57 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_net_view.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_net_view.json @@ -3,9 +3,11 @@ "Elastic" ], "description": "Identifies attempts to enumerate hosts in a network using the built-in Windows net.exe tool.", + "from": "now-9m", "index": [ "logs-endpoint.events.*", - "winlogbeat-*" + "winlogbeat-*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", @@ -45,5 +47,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_peripheral_device.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_peripheral_device.json index 005a7d34ba7183..467ce488252a1e 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_peripheral_device.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_peripheral_device.json @@ -3,9 +3,11 @@ "Elastic" ], "description": "Identifies use of the Windows file system utility (fsutil.exe ) to gather information about attached peripheral devices and components connected to a computer system.", + "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", @@ -40,5 +42,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_process_discovery_via_tasklist_command.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_process_discovery_via_tasklist_command.json index af28fe75f525f6..32a434c1a9a062 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_process_discovery_via_tasklist_command.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_process_discovery_via_tasklist_command.json @@ -6,9 +6,11 @@ "false_positives": [ "Administrators may use the tasklist command to display a list of currently running processes. By itself, it does not indicate malicious activity. After obtaining a foothold, it's possible adversaries may use discovery commands like tasklist to get information about running processes." ], + "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "kuery", "license": "Elastic License", @@ -43,5 +45,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 5 + "version": 6 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_query_registry_via_reg.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_query_registry_via_reg.json index a04e97e2fa9f6f..1933ec66c866f5 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_query_registry_via_reg.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_query_registry_via_reg.json @@ -3,9 +3,11 @@ "Elastic" ], "description": "Enumeration or discovery of the Windows registry using reg.exe. This information can be used to perform follow-on activities.", + "from": "now-9m", "index": [ "logs-endpoint.events.*", - "winlogbeat-*" + "winlogbeat-*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", @@ -40,5 +42,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_remote_system_discovery_commands_windows.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_remote_system_discovery_commands_windows.json index 24e3bd87c526dd..8f8ccf5943061f 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_remote_system_discovery_commands_windows.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_remote_system_discovery_commands_windows.json @@ -3,9 +3,11 @@ "Elastic" ], "description": "Discovery of remote system information using built-in commands, which may be used to mover laterally.", + "from": "now-9m", "index": [ "logs-endpoint.events.*", - "winlogbeat-*" + "winlogbeat-*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", @@ -40,5 +42,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_security_software_grep.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_security_software_grep.json new file mode 100644 index 00000000000000..d211fad332da67 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_security_software_grep.json @@ -0,0 +1,46 @@ +{ + "author": [ + "Elastic" + ], + "description": "Identifies the use of the grep command to discover known third-party macOS and Linux security tools, such as Antivirus or Host Firewall details.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "auditbeat-*" + ], + "language": "kuery", + "license": "Elastic License", + "name": "Security Software Discovery via Grep", + "query": "event.category : process and event.type : (start or process_started) and process.name : grep and process.args : (\"Little Snitch\" or Avast* or Avira* or ESET* or esets_* or BlockBlock or 360* or LuLu or KnockKnock* or kav or KIS or RTProtectionDaemon or Malware* or VShieldScanner or WebProtection or webinspectord or McAfee* or isecespd* or macmnsvc* or masvc or kesl or avscan or guard or rtvscand or symcfgd or scmdaemon or symantec or elastic-endpoint )", + "risk_score": 47, + "rule_id": "870aecc0-cea4-4110-af3f-e02e9b373655", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "macOS", + "Linux", + "Threat Detection", + "Discovery" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1518", + "name": "Software Discovery", + "reference": "https://attack.mitre.org/techniques/T1518/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_security_software_wmic.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_security_software_wmic.json index 51d4425f7d5382..89c6390856e926 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_security_software_wmic.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_security_software_wmic.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "logs-endpoint.events.*", - "winlogbeat-*" + "winlogbeat-*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", @@ -41,5 +42,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_users_domain_built_in_commands.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_users_domain_built_in_commands.json new file mode 100644 index 00000000000000..928585fb59968d --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_users_domain_built_in_commands.json @@ -0,0 +1,50 @@ +{ + "author": [ + "Elastic" + ], + "description": "Identifies the execution of macOS built-in commands related to account or group enumeration.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License", + "name": "Enumeration of Users or Groups via Built-in Commands", + "query": "process where event.type in (\"start\", \"process_started\") and\n not process.parent.executable : (\"/Applications/NoMAD.app/Contents/MacOS/NoMAD\", \n \"/Applications/ZoomPresence.app/Contents/MacOS/ZoomPresence\") and \n process.name : (\"ldapsearch\", \"dsmemberutil\") or\n (process.name : \"dscl\" and \n process.args : (\"read\", \"-read\", \"list\", \"-list\", \"ls\", \"search\", \"-search\") and \n process.args : (\"/Active Directory/*\", \"/Users*\", \"/Groups*\"))\n", + "risk_score": 21, + "rule_id": "6e9b351e-a531-4bdc-b73e-7034d6eed7ff", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Discovery" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1069", + "name": "Permission Groups Discovery", + "reference": "https://attack.mitre.org/techniques/T1069/" + }, + { + "id": "T1087", + "name": "Account Discovery", + "reference": "https://attack.mitre.org/techniques/T1087/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_whoami_command_activity.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_whoami_command_activity.json index bb6810f5437d32..2ed21b39f8246e 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_whoami_command_activity.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_whoami_command_activity.json @@ -6,9 +6,11 @@ "false_positives": [ "Some normal use of this program, at varying levels of frequency, may originate from scripts, automation tools and frameworks. Usage by non-engineers and ordinary users is unusual." ], + "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "kuery", "license": "Elastic License", @@ -43,5 +45,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 5 + "version": 6 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_apt_solarwinds_backdoor_child_cmd_powershell.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_apt_solarwinds_backdoor_child_cmd_powershell.json index 8786510ee5cb79..a60122ef6c1a29 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_apt_solarwinds_backdoor_child_cmd_powershell.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_apt_solarwinds_backdoor_child_cmd_powershell.json @@ -9,7 +9,8 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", @@ -70,5 +71,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_apt_solarwinds_backdoor_unusual_child_processes.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_apt_solarwinds_backdoor_unusual_child_processes.json index fc12a48e3f5a16..04f204a4596b35 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_apt_solarwinds_backdoor_unusual_child_processes.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_apt_solarwinds_backdoor_unusual_child_processes.json @@ -9,7 +9,8 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", @@ -70,5 +71,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_com_object_xwizard.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_com_object_xwizard.json new file mode 100644 index 00000000000000..182704d149e48e --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_com_object_xwizard.json @@ -0,0 +1,57 @@ +{ + "author": [ + "Elastic" + ], + "description": "Windows Component Object Model (COM) is an inter-process communication (IPC) component of the native Windows application programming interface (API) that enables interaction between software objects or executable code. Xwizard can be used to run a COM object created in registry to evade defensive counter measures.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License", + "name": "Execution of COM object via Xwizard", + "query": "process where event.type in (\"start\", \"process_started\") and\n process.pe.original_file_name : \"xwizard.exe\" and\n (\n (process.args : \"RunWizard\" and process.args : \"{*}\") or\n (process.executable != null and\n not process.executable : (\"C:\\\\Windows\\\\SysWOW64\\\\xwizard.exe\", \"C:\\\\Windows\\\\System32\\\\xwizard.exe\")\n )\n )\n", + "references": [ + "https://lolbas-project.github.io/lolbas/Binaries/Xwizard/", + "http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/" + ], + "risk_score": 47, + "rule_id": "1a6075b0-7479-450e-8fe7-b8b8438ac570", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Execution" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1559", + "name": "Inter-Process Communication", + "reference": "https://attack.mitre.org/techniques/T1559/", + "subtechnique": [ + { + "id": "T1559.001", + "name": "Component Object Model", + "reference": "https://attack.mitre.org/techniques/T1559/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_command_prompt_connecting_to_the_internet.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_command_prompt_connecting_to_the_internet.json index 12d2a94afc823a..e038ed56ec1759 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_command_prompt_connecting_to_the_internet.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_command_prompt_connecting_to_the_internet.json @@ -9,7 +9,8 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", @@ -58,5 +59,5 @@ } ], "type": "eql", - "version": 5 + "version": 6 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_command_shell_started_by_powershell.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_command_shell_started_by_powershell.json index aa0632c5614f6e..16b964b6e95888 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_command_shell_started_by_powershell.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_command_shell_started_by_powershell.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "kuery", "license": "Elastic License", @@ -48,5 +49,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 7 + "version": 8 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_command_shell_started_by_svchost.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_command_shell_started_by_svchost.json index d5042ee5d64fd3..cde62236effe03 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_command_shell_started_by_svchost.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_command_shell_started_by_svchost.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "kuery", "license": "Elastic License", @@ -41,5 +42,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 6 + "version": 7 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_command_shell_started_by_unusual_process.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_command_shell_started_by_unusual_process.json index 90b3759d93de9f..981fdb5a4f7f20 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_command_shell_started_by_unusual_process.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_command_shell_started_by_unusual_process.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "kuery", "license": "Elastic License", @@ -41,5 +42,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_command_shell_via_rundll32.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_command_shell_via_rundll32.json index 45ee672c1d635c..641abc92b1204f 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_command_shell_via_rundll32.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_command_shell_via_rundll32.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", @@ -48,5 +49,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_defense_evasion_electron_app_childproc_node_js.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_defense_evasion_electron_app_childproc_node_js.json new file mode 100644 index 00000000000000..eb80782fe2495b --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_defense_evasion_electron_app_childproc_node_js.json @@ -0,0 +1,66 @@ +{ + "author": [ + "Elastic" + ], + "description": "Identifies attempts to execute a child process from within the context of an Electron application using the child_process Node.js module. Adversaries may abuse this technique to inherit permissions from parent processes.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License", + "name": "Execution via Electron Child Process Node.js Module", + "query": "event.category:process and event.type:(start or process_started) and process.args:(\"-e\" and const*require*child_process*)", + "references": [ + "https://www.matthewslipper.com/2019/09/22/everything-you-wanted-electron-child-process.html", + "https://www.trustedsec.com/blog/macos-injection-via-third-party-frameworks/", + "https://nodejs.org/api/child_process.html" + ], + "risk_score": 47, + "rule_id": "35330ba2-c859-4c98-8b7f-c19159ea0e58", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Defense Evasion", + "Execution" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_enumeration_via_wmiprvse.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_enumeration_via_wmiprvse.json new file mode 100644 index 00000000000000..0fe7321ebe4b36 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_enumeration_via_wmiprvse.json @@ -0,0 +1,46 @@ +{ + "author": [ + "Elastic" + ], + "description": "Identifies native Windows host and network enumeration commands spawned by the Windows Management Instrumentation Provider Service (WMIPrvSE).", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License", + "name": "Enumeration Command Spawned via WMIPrvSE", + "query": "process where event.type in (\"start\", \"process_started\") and\n process.name:\n (\n \"arp.exe\",\n \"dsquery.exe\",\n \"dsget.exe\",\n \"gpresult.exe\",\n \"hostname.exe\",\n \"ipconfig.exe\",\n \"nbtstat.exe\",\n \"net.exe\",\n \"net1.exe\",\n \"netsh.exe\",\n \"netstat.exe\",\n \"nltest.exe\",\n \"ping.exe\",\n \"qprocess.exe\",\n \"quser.exe\",\n \"qwinsta.exe\",\n \"reg.exe\",\n \"sc.exe\",\n \"systeminfo.exe\",\n \"tasklist.exe\",\n \"tracert.exe\",\n \"whoami.exe\"\n ) and\n process.parent.name:\"wmiprvse.exe\"\n", + "risk_score": 21, + "rule_id": "770e0c4d-b998-41e5-a62e-c7901fd7f470", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Execution" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1047", + "name": "Windows Management Instrumentation", + "reference": "https://attack.mitre.org/techniques/T1047/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_from_unusual_directory.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_from_unusual_directory.json index 43166722e6fc06..a6bc33e4b2e735 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_from_unusual_directory.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_from_unusual_directory.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", @@ -24,5 +25,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_from_unusual_path_cmdline.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_from_unusual_path_cmdline.json index 2663b97bd91514..63adf0a602e2c4 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_from_unusual_path_cmdline.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_from_unusual_path_cmdline.json @@ -6,13 +6,14 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", "name": "Execution from Unusual Directory - Command Line", "note": "This is related to the Process Execution from an Unusual Directory rule", - "query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n process.name : (\"wscript.exe\",\"cscript.exe\",\"rundll32.exe\",\"regsvr32.exe\",\"cmstp.exe\",\"RegAsm.exe\",\"installutil.exe\",\"mshta.exe\",\"RegSvcs.exe\") and\n /* add suspicious execution paths here */\nprocess.args : (\"C:\\\\PerfLogs\\\\*\",\"C:\\\\Users\\\\Public\\\\*\",\"C:\\\\Users\\\\Default\\\\*\",\"C:\\\\Windows\\\\Tasks\\\\*\",\"C:\\\\Intel\\\\*\", \"C:\\\\AMD\\\\Temp\\\\*\", \n \"C:\\\\Windows\\\\AppReadiness\\\\*\", \"C:\\\\Windows\\\\ServiceState\\\\*\",\"C:\\\\Windows\\\\security\\\\*\",\"C:\\\\Windows\\\\IdentityCRL\\\\*\",\"C:\\\\Windows\\\\Branding\\\\*\",\"C:\\\\Windows\\\\csc\\\\*\",\n \"C:\\\\Windows\\\\DigitalLocker\\\\*\",\"C:\\\\Windows\\\\en-US\\\\*\",\"C:\\\\Windows\\\\wlansvc\\\\*\",\"C:\\\\Windows\\\\Prefetch\\\\*\",\"C:\\\\Windows\\\\Fonts\\\\*\",\n \"C:\\\\Windows\\\\diagnostics\\\\*\",\"C:\\\\Windows\\\\TAPI\\\\*\",\"C:\\\\Windows\\\\INF\\\\*\",\"C:\\\\Windows\\\\System32\\\\Speech\\\\*\",\"C:\\\\windows\\\\tracing\\\\*\",\n \"c:\\\\windows\\\\IME\\\\*\",\"c:\\\\Windows\\\\Performance\\\\*\",\"c:\\\\windows\\\\intel\\\\*\",\"c:\\\\windows\\\\ms\\\\*\",\"C:\\\\Windows\\\\dot3svc\\\\*\",\"C:\\\\Windows\\\\ServiceProfiles\\\\*\",\n \"C:\\\\Windows\\\\panther\\\\*\",\"C:\\\\Windows\\\\RemotePackages\\\\*\",\"C:\\\\Windows\\\\OCR\\\\*\",\"C:\\\\Windows\\\\appcompat\\\\*\",\"C:\\\\Windows\\\\apppatch\\\\*\",\"C:\\\\Windows\\\\addins\\\\*\",\n \"C:\\\\Windows\\\\Setup\\\\*\",\"C:\\\\Windows\\\\Help\\\\*\",\"C:\\\\Windows\\\\SKB\\\\*\",\"C:\\\\Windows\\\\Vss\\\\*\",\"C:\\\\Windows\\\\Web\\\\*\",\"C:\\\\Windows\\\\servicing\\\\*\",\"C:\\\\Windows\\\\CbsTemp\\\\*\",\n \"C:\\\\Windows\\\\Logs\\\\*\",\"C:\\\\Windows\\\\WaaS\\\\*\",\"C:\\\\Windows\\\\twain_32\\\\*\",\"C:\\\\Windows\\\\ShellExperiences\\\\*\",\"C:\\\\Windows\\\\ShellComponents\\\\*\",\"C:\\\\Windows\\\\PLA\\\\*\",\n \"C:\\\\Windows\\\\Migration\\\\*\",\"C:\\\\Windows\\\\debug\\\\*\",\"C:\\\\Windows\\\\Cursors\\\\*\",\"C:\\\\Windows\\\\Containers\\\\*\",\"C:\\\\Windows\\\\Boot\\\\*\",\"C:\\\\Windows\\\\bcastdvr\\\\*\",\n \"C:\\\\Windows\\\\assembly\\\\*\",\"C:\\\\Windows\\\\TextInput\\\\*\",\"C:\\\\Windows\\\\security\\\\*\",\"C:\\\\Windows\\\\schemas\\\\*\",\"C:\\\\Windows\\\\SchCache\\\\*\",\"C:\\\\Windows\\\\Resources\\\\*\",\n \"C:\\\\Windows\\\\rescache\\\\*\",\"C:\\\\Windows\\\\Provisioning\\\\*\",\"C:\\\\Windows\\\\PrintDialog\\\\*\",\"C:\\\\Windows\\\\PolicyDefinitions\\\\*\",\"C:\\\\Windows\\\\media\\\\*\",\n \"C:\\\\Windows\\\\Globalization\\\\*\",\"C:\\\\Windows\\\\L2Schemas\\\\*\",\"C:\\\\Windows\\\\LiveKernelReports\\\\*\",\"C:\\\\Windows\\\\ModemLogs\\\\*\",\"C:\\\\Windows\\\\ImmersiveControlPanel\\\\*\")\n", + "query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n process.name : (\"wscript.exe\",\"cscript.exe\",\"rundll32.exe\",\"regsvr32.exe\",\"cmstp.exe\",\"RegAsm.exe\",\"installutil.exe\",\"mshta.exe\",\"RegSvcs.exe\", \"powershell.exe\", \"pwsh.exe\", \"cmd.exe\") and\n /* add suspicious execution paths here */\nprocess.args : (\"C:\\\\PerfLogs\\\\*\",\"C:\\\\Users\\\\Public\\\\*\",\"C:\\\\Users\\\\Default\\\\*\",\"C:\\\\Windows\\\\Tasks\\\\*\",\"C:\\\\Intel\\\\*\", \"C:\\\\AMD\\\\Temp\\\\*\", \n \"C:\\\\Windows\\\\AppReadiness\\\\*\", \"C:\\\\Windows\\\\ServiceState\\\\*\",\"C:\\\\Windows\\\\security\\\\*\",\"C:\\\\Windows\\\\IdentityCRL\\\\*\",\"C:\\\\Windows\\\\Branding\\\\*\",\"C:\\\\Windows\\\\csc\\\\*\",\n \"C:\\\\Windows\\\\DigitalLocker\\\\*\",\"C:\\\\Windows\\\\en-US\\\\*\",\"C:\\\\Windows\\\\wlansvc\\\\*\",\"C:\\\\Windows\\\\Prefetch\\\\*\",\"C:\\\\Windows\\\\Fonts\\\\*\",\n \"C:\\\\Windows\\\\diagnostics\\\\*\",\"C:\\\\Windows\\\\TAPI\\\\*\",\"C:\\\\Windows\\\\INF\\\\*\",\"C:\\\\Windows\\\\System32\\\\Speech\\\\*\",\"C:\\\\windows\\\\tracing\\\\*\",\n \"c:\\\\windows\\\\IME\\\\*\",\"c:\\\\Windows\\\\Performance\\\\*\",\"c:\\\\windows\\\\intel\\\\*\",\"c:\\\\windows\\\\ms\\\\*\",\"C:\\\\Windows\\\\dot3svc\\\\*\",\"C:\\\\Windows\\\\ServiceProfiles\\\\*\",\n \"C:\\\\Windows\\\\panther\\\\*\",\"C:\\\\Windows\\\\RemotePackages\\\\*\",\"C:\\\\Windows\\\\OCR\\\\*\",\"C:\\\\Windows\\\\appcompat\\\\*\",\"C:\\\\Windows\\\\apppatch\\\\*\",\"C:\\\\Windows\\\\addins\\\\*\",\n \"C:\\\\Windows\\\\Setup\\\\*\",\"C:\\\\Windows\\\\Help\\\\*\",\"C:\\\\Windows\\\\SKB\\\\*\",\"C:\\\\Windows\\\\Vss\\\\*\",\"C:\\\\Windows\\\\Web\\\\*\",\"C:\\\\Windows\\\\servicing\\\\*\",\"C:\\\\Windows\\\\CbsTemp\\\\*\",\n \"C:\\\\Windows\\\\Logs\\\\*\",\"C:\\\\Windows\\\\WaaS\\\\*\",\"C:\\\\Windows\\\\twain_32\\\\*\",\"C:\\\\Windows\\\\ShellExperiences\\\\*\",\"C:\\\\Windows\\\\ShellComponents\\\\*\",\"C:\\\\Windows\\\\PLA\\\\*\",\n \"C:\\\\Windows\\\\Migration\\\\*\",\"C:\\\\Windows\\\\debug\\\\*\",\"C:\\\\Windows\\\\Cursors\\\\*\",\"C:\\\\Windows\\\\Containers\\\\*\",\"C:\\\\Windows\\\\Boot\\\\*\",\"C:\\\\Windows\\\\bcastdvr\\\\*\",\n \"C:\\\\Windows\\\\assembly\\\\*\",\"C:\\\\Windows\\\\TextInput\\\\*\",\"C:\\\\Windows\\\\security\\\\*\",\"C:\\\\Windows\\\\schemas\\\\*\",\"C:\\\\Windows\\\\SchCache\\\\*\",\"C:\\\\Windows\\\\Resources\\\\*\",\n \"C:\\\\Windows\\\\rescache\\\\*\",\"C:\\\\Windows\\\\Provisioning\\\\*\",\"C:\\\\Windows\\\\PrintDialog\\\\*\",\"C:\\\\Windows\\\\PolicyDefinitions\\\\*\",\"C:\\\\Windows\\\\media\\\\*\",\n \"C:\\\\Windows\\\\Globalization\\\\*\",\"C:\\\\Windows\\\\L2Schemas\\\\*\",\"C:\\\\Windows\\\\LiveKernelReports\\\\*\",\"C:\\\\Windows\\\\ModemLogs\\\\*\",\"C:\\\\Windows\\\\ImmersiveControlPanel\\\\*\",\n \"C:\\\\$Recycle.Bin\\\\*\")\n", "risk_score": 47, "rule_id": "cff92c41-2225-4763-b4ce-6f71e5bda5e6", "severity": "medium", @@ -25,5 +26,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_html_help_executable_program_connecting_to_the_internet.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_html_help_executable_program_connecting_to_the_internet.json index b85e74c8546368..9cf6ee67a06ccc 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_html_help_executable_program_connecting_to_the_internet.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_html_help_executable_program_connecting_to_the_internet.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", @@ -56,5 +57,5 @@ } ], "type": "eql", - "version": 6 + "version": 7 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_initial_access_suspicious_browser_childproc.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_initial_access_suspicious_browser_childproc.json new file mode 100644 index 00000000000000..61e770b25290d0 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_initial_access_suspicious_browser_childproc.json @@ -0,0 +1,64 @@ +{ + "author": [ + "Elastic" + ], + "description": "Identifies the execution of a suspicious browser child process. Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License", + "name": "Suspicious Browser Child Process", + "query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name : (\"Google Chrome\", \"Google Chrome Helper*\", \"firefox\", \"Opera\", \"Safari\", \"com.apple.WebKit.WebContent\", \"Microsoft Edge\") and\n process.name : (\"sh\", \"bash\", \"dash\", \"ksh\", \"tcsh\", \"zsh\", \"curl\", \"wget\", \"python*\", \"perl*\", \"php*\", \"osascript\", \"pwsh\") and \n process.command_line != null and \n not process.args : \n ( \n \"/Library/Application Support/Microsoft/MAU*/Microsoft AutoUpdate.app/Contents/MacOS/msupdate\", \n \"hw.model\", \n \"IOPlatformExpertDevice\", \n \"/Volumes/Google Chrome/Google Chrome.app/Contents/Frameworks/*/Resources/install.sh\",\n \"--defaults-torrc\", \n \"Chrome.app\", \n \"Framework.framework/Versions/*/Resources/keystone_promote_preflight.sh\", \n \"/Users/*/Library/Application Support/Google/Chrome/recovery/*/ChromeRecovery\", \n \"$DISPLAY\", \n \"GIO_LAUNCHED_DESKTOP_FILE_PID=$$\"\n )\n", + "references": [ + "https://objective-see.com/blog/blog_0x43.html", + "https://fr.slideshare.net/codeblue_jp/cb19-recent-apt-attack-on-crypto-exchange-employees-by-heungsoo-kang" + ], + "risk_score": 73, + "rule_id": "080bc66a-5d56-4d1f-8071-817671716db9", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Initial Access", + "Execution" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1203", + "name": "Exploitation for Client Execution", + "reference": "https://attack.mitre.org/techniques/T1203/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1189", + "name": "Drive-by Compromise", + "reference": "https://attack.mitre.org/techniques/T1189/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_ms_office_written_file.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_ms_office_written_file.json index cf1fbc4ba0ba2a..dee13e29dfebcb 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_ms_office_written_file.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_ms_office_written_file.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "logs-endpoint.events.*", - "winlogbeat-*" + "winlogbeat-*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", @@ -61,5 +62,5 @@ } ], "type": "eql", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_pdf_written_file.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_pdf_written_file.json index f0d32cf8882bba..a49e225777ca77 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_pdf_written_file.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_pdf_written_file.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "logs-endpoint.events.*", - "winlogbeat-*" + "winlogbeat-*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", @@ -61,5 +62,5 @@ } ], "type": "eql", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_pentest_eggshell_remote_admin_tool.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_pentest_eggshell_remote_admin_tool.json new file mode 100644 index 00000000000000..b86a5c1d25bdd2 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_pentest_eggshell_remote_admin_tool.json @@ -0,0 +1,32 @@ +{ + "author": [ + "Elastic" + ], + "description": "Identifies the execution of and EggShell Backdoor. EggShell is a known post exploitation tool for macOS and Linux.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License", + "name": "EggShell Backdoor Execution", + "query": "event.category:process and event.type:(start or process_started) and process.name:espl and process.args:eyJkZWJ1ZyI6*", + "references": [ + "https://github.com/neoneggplant/EggShell" + ], + "risk_score": 73, + "rule_id": "41824afb-d68c-4d0e-bfee-474dac1fa56e", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Linux", + "macOS", + "Threat Detection", + "Execution" + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_psexec_lateral_movement_command.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_psexec_lateral_movement_command.json index 00a63dded94c6a..ef219d1aa6c75a 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_psexec_lateral_movement_command.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_psexec_lateral_movement_command.json @@ -9,7 +9,8 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", @@ -59,5 +60,5 @@ } ], "type": "eql", - "version": 6 + "version": 7 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_register_server_program_connecting_to_the_internet.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_register_server_program_connecting_to_the_internet.json index 4a5defb4f42a41..21672969ccf8fb 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_register_server_program_connecting_to_the_internet.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_register_server_program_connecting_to_the_internet.json @@ -9,7 +9,8 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", @@ -59,5 +60,5 @@ } ], "type": "eql", - "version": 6 + "version": 7 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_revershell_via_shell_cmd.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_revershell_via_shell_cmd.json new file mode 100644 index 00000000000000..12a8a27bb65d5f --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_revershell_via_shell_cmd.json @@ -0,0 +1,51 @@ +{ + "author": [ + "Elastic" + ], + "description": "Identifies the execution of a shell process with suspicious arguments which may be indicative of reverse shell activity.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License", + "name": "Potential Reverse Shell Activity via Terminal", + "query": "process where event.type in (\"start\", \"process_started\") and\n process.name in (\"sh\", \"bash\", \"zsh\", \"dash\", \"zmodload\") and\n process.args:(\"*/dev/tcp/*\", \"*/dev/udp/*\", \"zsh/net/tcp\", \"zsh/net/udp\")\n", + "references": [ + "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md", + "https://github.com/WangYihang/Reverse-Shell-Manager", + "https://www.netsparker.com/blog/web-security/understanding-reverse-shells/" + ], + "risk_score": 73, + "rule_id": "a1a0375f-22c2-48c0-81a4-7c2d11cc6856", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Linux", + "macOS", + "Threat Detection", + "Execution" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_scheduled_task_powershell_source.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_scheduled_task_powershell_source.json index 3c7e0d00be9078..9ace0fe4e2f8e5 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_scheduled_task_powershell_source.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_scheduled_task_powershell_source.json @@ -9,12 +9,13 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", "name": "Outbound Scheduled Task Activity via PowerShell", - "query": "sequence by host.id, process.entity_id with maxspan = 5s\n [library where file.name: \"taskschd.dll\" and process.name: (\"powershell.exe\", \"pwsh.exe\")]\n [network where process.name : (\"powershell.exe\", \"pwsh.exe\") and destination.port == 135 and not destination.address in (\"127.0.0.1\", \"::1\")]\n", + "query": "sequence by host.id, process.entity_id with maxspan = 5s\n [library where dll.name : \"taskschd.dll\" and process.name : (\"powershell.exe\", \"pwsh.exe\")]\n [network where process.name : (\"powershell.exe\", \"pwsh.exe\") and destination.port == 135 and not destination.address in (\"127.0.0.1\", \"::1\")]\n", "references": [ "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/" ], @@ -47,5 +48,5 @@ } ], "type": "eql", - "version": 1 + "version": 2 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_script_via_automator_workflows.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_script_via_automator_workflows.json new file mode 100644 index 00000000000000..8796a3edcc3459 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_script_via_automator_workflows.json @@ -0,0 +1,47 @@ +{ + "author": [ + "Elastic" + ], + "description": "Identifies the execution of the Automator Workflows process followed by a network connection from it's XPC service. Adversaries may drop a custom workflow template that hosts malicious JavaScript for Automation (JXA) code as an alternative to using osascript.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License", + "name": "Suspicious Automator Workflows Execution", + "query": "sequence by host.id with maxspan=30s\n [process where event.type in (\"start\", \"process_started\") and process.name == \"automator\"]\n [network where process.name:\"com.apple.automator.runner\"]\n", + "references": [ + "https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5" + ], + "risk_score": 47, + "rule_id": "5d9f8cfc-0d03-443e-a167-2b0597ce0965", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Execution" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/" + } + ] + } + ], + "type": "eql", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_shared_modules_local_sxs_dll.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_shared_modules_local_sxs_dll.json index 98a11faa076d4f..d3d8715d29be09 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_shared_modules_local_sxs_dll.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_shared_modules_local_sxs_dll.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", @@ -16,7 +17,7 @@ "references": [ "https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-redirection" ], - "risk_score": 43, + "risk_score": 47, "rule_id": "a3ea12f3-0d4e-4667-8b44-4230c63f3c75", "severity": "medium", "tags": [ @@ -45,5 +46,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_suspicious_cmd_wmi.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_suspicious_cmd_wmi.json index 7c4480b5e9c574..8f6e2d6eca71b8 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_suspicious_cmd_wmi.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_suspicious_cmd_wmi.json @@ -6,12 +6,13 @@ "from": "now-9m", "index": [ "logs-endpoint.events.*", - "winlogbeat-*" + "winlogbeat-*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", "name": "Suspicious Cmd Execution via WMI", - "query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name == \"WmiPrvSE.exe\" and process.name == \"cmd.exe\" and\n wildcard(process.args, \"\\\\\\\\127.0.0.1\\\\*\") and process.args in (\"2>&1\", \"1>\")\n", + "query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name : \"WmiPrvSE.exe\" and process.name : \"cmd.exe\" and\n process.args : \"\\\\\\\\127.0.0.1\\\\*\" and process.args : (\"2>&1\", \"1>\")\n", "risk_score": 47, "rule_id": "12f07955-1674-44f7-86b5-c35da0a6f41a", "severity": "medium", @@ -41,5 +42,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_suspicious_image_load_wmi_ms_office.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_suspicious_image_load_wmi_ms_office.json index aabeb4fb75ab59..79ecde48e5bda1 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_suspicious_image_load_wmi_ms_office.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_suspicious_image_load_wmi_ms_office.json @@ -3,14 +3,16 @@ "Elastic" ], "description": "Identifies a suspicious image load (wmiutils.dll) from Microsoft Office processes. This behavior may indicate adversarial activity where child processes are spawned via Windows Management Instrumentation (WMI). This technique can be used to execute code and evade traditional parent/child processes spawned from MS Office products.", + "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", "name": "Suspicious WMI Image Load from MS Office", - "query": "library where process.name in (\"WINWORD.EXE\", \"EXCEL.EXE\", \"POWERPNT.EXE\", \"MSPUB.EXE\", \"MSACCESS.EXE\") and\n event.action == \"load\" and\n event.category == \"library\" and\n file.name == \"wmiutils.dll\"\n", + "query": "library where process.name : (\"WINWORD.EXE\", \"EXCEL.EXE\", \"POWERPNT.EXE\", \"MSPUB.EXE\", \"MSACCESS.EXE\") and\n event.action : \"load\" and\n event.category : \"library\" and\n dll.name : \"wmiutils.dll\"\n", "references": [ "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16" ], @@ -43,5 +45,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_suspicious_jar_child_process.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_suspicious_jar_child_process.json new file mode 100644 index 00000000000000..b32c66bbc1dbf0 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_suspicious_jar_child_process.json @@ -0,0 +1,53 @@ +{ + "author": [ + "Elastic" + ], + "description": "Identifies suspicious child processes of a Java Archive (JAR) file. JAR files may be used to deliver malware in order to evade detection.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License", + "name": "Suspicious JAR Child Process", + "query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name : \"java\" and\n process.name : (\"sh\", \"bash\", \"dash\", \"ksh\", \"tcsh\", \"zsh\", \"curl\", \"wget\") and\n process.args : \"-jar\" and process.args : \"*.jar\" and\n /* Add any FP's here */\n not process.executable : (\"/Users/*/.sdkman/*\", \"/Library/Java/JavaVirtualMachines/*\") and\n not process.args : (\"/usr/local/*\", \"/Users/*/github.com/*\", \"/Users/*/src/*\")\n", + "risk_score": 47, + "rule_id": "8acb7614-1d92-4359-bfcf-478b6d9de150", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Linux", + "macOS", + "Threat Detection", + "Execution" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.007", + "name": "JavaScript/JScript", + "reference": "https://attack.mitre.org/techniques/T1059/007/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_suspicious_pdf_reader.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_suspicious_pdf_reader.json index 01096ce781eb1f..5a6d440d7e081c 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_suspicious_pdf_reader.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_suspicious_pdf_reader.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "kuery", "license": "Elastic License", @@ -41,5 +42,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 5 + "version": 6 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_suspicious_powershell_imgload.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_suspicious_powershell_imgload.json index bd25919944e1f8..c21848f01080a0 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_suspicious_powershell_imgload.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_suspicious_powershell_imgload.json @@ -6,12 +6,13 @@ "from": "now-9m", "index": [ "logs-endpoint.events.*", - "winlogbeat-*" + "winlogbeat-*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", "name": "Suspicious PowerShell Engine ImageLoad", - "query": "library where file.name : (\"System.Management.Automation.ni.dll\", \"System.Management.Automation.dll\") and\n/* add false positives relevant to your environment here */\nnot process.executable : (\"C:\\\\Windows\\\\System32\\\\RemoteFXvGPUDisablement.exe\", \"C:\\\\Windows\\\\System32\\\\sdiagnhost.exe\", \"C:\\\\Program Files*\\\\*.exe\") and\n not process.name : (\n \"Altaro.SubAgent.exe\",\n \"AppV_Manage.exe\",\n \"azureadconnect.exe\",\n \"CcmExec.exe\",\n \"configsyncrun.exe\",\n \"choco.exe\",\n \"ctxappvservice.exe\",\n \"DVLS.Console.exe\",\n \"edgetransport.exe\",\n \"exsetup.exe\",\n \"forefrontactivedirectoryconnector.exe\",\n \"InstallUtil.exe\",\n \"JenkinsOnDesktop.exe\",\n \"Microsoft.EnterpriseManagement.ServiceManager.UI.Console.exe\",\n \"mmc.exe\",\n \"mscorsvw.exe\",\n \"msexchangedelivery.exe\",\n \"msexchangefrontendtransport.exe\",\n \"msexchangehmworker.exe\",\n \"msexchangesubmission.exe\",\n \"msiexec.exe\",\n \"MsiExec.exe\",\n \"noderunner.exe\",\n \"NServiceBus.Host.exe\",\n \"NServiceBus.Host32.exe\",\n \"NServiceBus.Hosting.Azure.HostProcess.exe\",\n \"OuiGui.WPF.exe\",\n \"powershell.exe\",\n \"powershell_ise.exe\",\n \"pwsh.exe\",\n \"SCCMCliCtrWPF.exe\",\n \"ScriptEditor.exe\",\n \"ScriptRunner.exe\",\n \"sdiagnhost.exe\",\n \"servermanager.exe\",\n \"setup100.exe\",\n \"ServiceHub.VSDetouredHost.exe\",\n \"SPCAF.Client.exe\",\n \"SPCAF.SettingsEditor.exe\",\n \"SQLPS.exe\",\n \"telemetryservice.exe\",\n \"UMWorkerProcess.exe\",\n \"w3wp.exe\",\n \"wsmprovhost.exe\"\n )\n", + "query": "library where dll.name : (\"System.Management.Automation.ni.dll\", \"System.Management.Automation.dll\") and\n/* add false positives relevant to your environment here */\nnot process.executable : (\"C:\\\\Windows\\\\System32\\\\RemoteFXvGPUDisablement.exe\", \"C:\\\\Windows\\\\System32\\\\sdiagnhost.exe\", \"C:\\\\Program Files*\\\\*.exe\") and\n not process.name :\n (\n \"Altaro.SubAgent.exe\",\n \"AppV_Manage.exe\",\n \"azureadconnect.exe\",\n \"CcmExec.exe\",\n \"configsyncrun.exe\",\n \"choco.exe\",\n \"ctxappvservice.exe\",\n \"DVLS.Console.exe\",\n \"edgetransport.exe\",\n \"exsetup.exe\",\n \"forefrontactivedirectoryconnector.exe\",\n \"InstallUtil.exe\",\n \"JenkinsOnDesktop.exe\",\n \"Microsoft.EnterpriseManagement.ServiceManager.UI.Console.exe\",\n \"mmc.exe\",\n \"mscorsvw.exe\",\n \"msexchangedelivery.exe\",\n \"msexchangefrontendtransport.exe\",\n \"msexchangehmworker.exe\",\n \"msexchangesubmission.exe\",\n \"msiexec.exe\",\n \"MsiExec.exe\",\n \"noderunner.exe\",\n \"NServiceBus.Host.exe\",\n \"NServiceBus.Host32.exe\",\n \"NServiceBus.Hosting.Azure.HostProcess.exe\",\n \"OuiGui.WPF.exe\",\n \"powershell.exe\",\n \"powershell_ise.exe\",\n \"pwsh.exe\",\n \"SCCMCliCtrWPF.exe\",\n \"ScriptEditor.exe\",\n \"ScriptRunner.exe\",\n \"sdiagnhost.exe\",\n \"servermanager.exe\",\n \"setup100.exe\",\n \"ServiceHub.VSDetouredHost.exe\",\n \"SPCAF.Client.exe\",\n \"SPCAF.SettingsEditor.exe\",\n \"SQLPS.exe\",\n \"telemetryservice.exe\",\n \"UMWorkerProcess.exe\",\n \"w3wp.exe\",\n \"wsmprovhost.exe\"\n )\n", "risk_score": 47, "rule_id": "852c1f19-68e8-43a6-9dce-340771fe1be3", "severity": "medium", @@ -48,5 +49,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_suspicious_psexesvc.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_suspicious_psexesvc.json index 25ac9815ebbb89..1889310e10df8d 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_suspicious_psexesvc.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_suspicious_psexesvc.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", @@ -48,5 +49,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 3 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_suspicious_short_program_name.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_suspicious_short_program_name.json index 58236ba2023415..00ca1613f1c9bd 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_suspicious_short_program_name.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_suspicious_short_program_name.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", @@ -24,5 +25,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_via_compiled_html_file.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_via_compiled_html_file.json index 28fedc8e7bc3a1..98ffa167166d4e 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_via_compiled_html_file.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_via_compiled_html_file.json @@ -6,9 +6,11 @@ "false_positives": [ "The HTML Help executable program (hh.exe) runs whenever a user clicks a compiled help (.chm) file or menu item that opens the help file inside the Help Viewer. This is not always malicious, but adversaries may abuse this technology to conceal malicious code." ], + "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "kuery", "license": "Elastic License", @@ -59,5 +61,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 6 + "version": 7 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_via_hidden_shell_conhost.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_via_hidden_shell_conhost.json index 289513bdaf562b..edf29080bf08e8 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_via_hidden_shell_conhost.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_via_hidden_shell_conhost.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "kuery", "license": "Elastic License", @@ -44,5 +45,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_via_net_com_assemblies.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_via_net_com_assemblies.json index 5209c30dc33e69..98b6d40d233726 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_via_net_com_assemblies.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_via_net_com_assemblies.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "kuery", "license": "Elastic License", @@ -57,5 +58,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 6 + "version": 7 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_via_xp_cmdshell_mssql_stored_procedure.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_via_xp_cmdshell_mssql_stored_procedure.json index e64ee320373ada..5e7ac017e1c912 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_via_xp_cmdshell_mssql_stored_procedure.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_via_xp_cmdshell_mssql_stored_procedure.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "kuery", "license": "Elastic License", @@ -41,5 +42,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_hosts_file_modified.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_hosts_file_modified.json index 475c4f4937a54b..6d3a7bf9592fa8 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_hosts_file_modified.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_hosts_file_modified.json @@ -7,7 +7,8 @@ "index": [ "auditbeat-*", "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "kuery", "license": "Elastic License", @@ -55,5 +56,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 3 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_volume_shadow_copy_deletion_via_vssadmin.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_volume_shadow_copy_deletion_via_vssadmin.json index 3f772a80e680b4..ec69bd9ceab25d 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_volume_shadow_copy_deletion_via_vssadmin.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_volume_shadow_copy_deletion_via_vssadmin.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "kuery", "license": "Elastic License", @@ -41,5 +42,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 7 + "version": 8 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/index.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/index.ts index c59b2942a8d636..87e5378aaf315f 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/index.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/index.ts @@ -10,467 +10,548 @@ // - detection-rules repo using CLI command build-release // Do not hand edit. Run script/command to regenerate package information instead -import rule1 from './apm_403_response_to_a_post.json'; -import rule2 from './apm_405_response_method_not_allowed.json'; -import rule3 from './apm_null_user_agent.json'; -import rule4 from './apm_sqlmap_user_agent.json'; -import rule5 from './command_and_control_dns_directly_to_the_internet.json'; -import rule6 from './command_and_control_ftp_file_transfer_protocol_activity_to_the_internet.json'; -import rule7 from './command_and_control_irc_internet_relay_chat_protocol_activity_to_the_internet.json'; -import rule8 from './command_and_control_nat_traversal_port_activity.json'; -import rule9 from './command_and_control_port_26_activity.json'; -import rule10 from './command_and_control_port_8000_activity_to_the_internet.json'; -import rule11 from './command_and_control_pptp_point_to_point_tunneling_protocol_activity.json'; -import rule12 from './command_and_control_proxy_port_activity_to_the_internet.json'; -import rule13 from './command_and_control_rdp_remote_desktop_protocol_from_the_internet.json'; -import rule14 from './command_and_control_smtp_to_the_internet.json'; -import rule15 from './command_and_control_sql_server_port_activity_to_the_internet.json'; -import rule16 from './command_and_control_ssh_secure_shell_from_the_internet.json'; -import rule17 from './command_and_control_ssh_secure_shell_to_the_internet.json'; -import rule18 from './command_and_control_telnet_port_activity.json'; -import rule19 from './command_and_control_tor_activity_to_the_internet.json'; -import rule20 from './command_and_control_vnc_virtual_network_computing_from_the_internet.json'; -import rule21 from './command_and_control_vnc_virtual_network_computing_to_the_internet.json'; -import rule22 from './credential_access_tcpdump_activity.json'; -import rule23 from './defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.json'; -import rule24 from './defense_evasion_clearing_windows_event_logs.json'; -import rule25 from './defense_evasion_delete_volume_usn_journal_with_fsutil.json'; -import rule26 from './defense_evasion_deleting_backup_catalogs_with_wbadmin.json'; -import rule27 from './defense_evasion_disable_windows_firewall_rules_with_netsh.json'; -import rule28 from './defense_evasion_encoding_or_decoding_files_via_certutil.json'; -import rule29 from './defense_evasion_execution_via_trusted_developer_utilities.json'; -import rule30 from './defense_evasion_misc_lolbin_connecting_to_the_internet.json'; -import rule31 from './defense_evasion_msbuild_making_network_connections.json'; -import rule32 from './defense_evasion_unusual_network_connection_via_rundll32.json'; -import rule33 from './defense_evasion_unusual_process_network_connection.json'; -import rule34 from './defense_evasion_via_filter_manager.json'; -import rule35 from './defense_evasion_volume_shadow_copy_deletion_via_wmic.json'; -import rule36 from './discovery_process_discovery_via_tasklist_command.json'; -import rule37 from './discovery_whoami_command_activity.json'; -import rule38 from './discovery_whoami_commmand.json'; -import rule39 from './endpoint_adversary_behavior_detected.json'; -import rule40 from './endpoint_cred_dumping_detected.json'; -import rule41 from './endpoint_cred_dumping_prevented.json'; -import rule42 from './endpoint_cred_manipulation_detected.json'; -import rule43 from './endpoint_cred_manipulation_prevented.json'; -import rule44 from './endpoint_exploit_detected.json'; -import rule45 from './endpoint_exploit_prevented.json'; -import rule46 from './endpoint_malware_detected.json'; -import rule47 from './endpoint_malware_prevented.json'; -import rule48 from './endpoint_permission_theft_detected.json'; -import rule49 from './endpoint_permission_theft_prevented.json'; -import rule50 from './endpoint_process_injection_detected.json'; -import rule51 from './endpoint_process_injection_prevented.json'; -import rule52 from './endpoint_ransomware_detected.json'; -import rule53 from './endpoint_ransomware_prevented.json'; -import rule54 from './execution_command_prompt_connecting_to_the_internet.json'; -import rule55 from './execution_command_shell_started_by_powershell.json'; -import rule56 from './execution_command_shell_started_by_svchost.json'; -import rule57 from './execution_html_help_executable_program_connecting_to_the_internet.json'; -import rule58 from './execution_psexec_lateral_movement_command.json'; -import rule59 from './execution_register_server_program_connecting_to_the_internet.json'; -import rule60 from './execution_via_compiled_html_file.json'; -import rule61 from './impact_volume_shadow_copy_deletion_via_vssadmin.json'; -import rule62 from './initial_access_rdp_remote_desktop_protocol_to_the_internet.json'; -import rule63 from './initial_access_rpc_remote_procedure_call_from_the_internet.json'; -import rule64 from './initial_access_rpc_remote_procedure_call_to_the_internet.json'; -import rule65 from './initial_access_script_executing_powershell.json'; -import rule66 from './initial_access_smb_windows_file_sharing_activity_to_the_internet.json'; -import rule67 from './initial_access_suspicious_ms_office_child_process.json'; -import rule68 from './initial_access_suspicious_ms_outlook_child_process.json'; -import rule69 from './lateral_movement_direct_outbound_smb_connection.json'; -import rule70 from './lateral_movement_local_service_commands.json'; -import rule71 from './linux_hping_activity.json'; -import rule72 from './linux_iodine_activity.json'; -import rule73 from './linux_mknod_activity.json'; -import rule74 from './linux_netcat_network_connection.json'; -import rule75 from './linux_nmap_activity.json'; -import rule76 from './linux_nping_activity.json'; -import rule77 from './linux_process_started_in_temp_directory.json'; -import rule78 from './linux_socat_activity.json'; -import rule79 from './linux_strace_activity.json'; -import rule80 from './persistence_adobe_hijack_persistence.json'; -import rule81 from './persistence_kernel_module_activity.json'; -import rule82 from './persistence_local_scheduled_task_commands.json'; -import rule83 from './persistence_priv_escalation_via_accessibility_features.json'; -import rule84 from './persistence_shell_activity_by_web_server.json'; -import rule85 from './persistence_system_shells_via_services.json'; -import rule86 from './persistence_user_account_creation.json'; -import rule87 from './persistence_via_application_shimming.json'; -import rule88 from './privilege_escalation_unusual_parentchild_relationship.json'; -import rule89 from './defense_evasion_modification_of_boot_config.json'; -import rule90 from './privilege_escalation_uac_bypass_event_viewer.json'; -import rule91 from './defense_evasion_msxsl_network.json'; -import rule92 from './discovery_net_command_system_account.json'; -import rule93 from './command_and_control_certutil_network_connection.json'; -import rule94 from './defense_evasion_cve_2020_0601.json'; -import rule95 from './credential_access_credential_dumping_msbuild.json'; -import rule96 from './defense_evasion_execution_msbuild_started_by_office_app.json'; -import rule97 from './defense_evasion_execution_msbuild_started_by_script.json'; -import rule98 from './defense_evasion_execution_msbuild_started_by_system_process.json'; -import rule99 from './defense_evasion_execution_msbuild_started_renamed.json'; -import rule100 from './defense_evasion_execution_msbuild_started_unusal_process.json'; -import rule101 from './defense_evasion_injection_msbuild.json'; -import rule102 from './execution_via_net_com_assemblies.json'; -import rule103 from './ml_linux_anomalous_network_activity.json'; -import rule104 from './ml_linux_anomalous_network_port_activity.json'; -import rule105 from './ml_linux_anomalous_network_service.json'; -import rule106 from './ml_linux_anomalous_network_url_activity.json'; -import rule107 from './ml_linux_anomalous_process_all_hosts.json'; -import rule108 from './ml_linux_anomalous_user_name.json'; -import rule109 from './ml_packetbeat_dns_tunneling.json'; -import rule110 from './ml_packetbeat_rare_dns_question.json'; -import rule111 from './ml_packetbeat_rare_server_domain.json'; -import rule112 from './ml_packetbeat_rare_urls.json'; -import rule113 from './ml_packetbeat_rare_user_agent.json'; -import rule114 from './ml_rare_process_by_host_linux.json'; -import rule115 from './ml_rare_process_by_host_windows.json'; -import rule116 from './ml_suspicious_login_activity.json'; -import rule117 from './ml_windows_anomalous_network_activity.json'; -import rule118 from './ml_windows_anomalous_path_activity.json'; -import rule119 from './ml_windows_anomalous_process_all_hosts.json'; -import rule120 from './ml_windows_anomalous_process_creation.json'; -import rule121 from './ml_windows_anomalous_script.json'; -import rule122 from './ml_windows_anomalous_service.json'; -import rule123 from './ml_windows_anomalous_user_name.json'; -import rule124 from './ml_windows_rare_user_runas_event.json'; -import rule125 from './ml_windows_rare_user_type10_remote_login.json'; -import rule126 from './execution_suspicious_pdf_reader.json'; -import rule127 from './privilege_escalation_sudoers_file_mod.json'; -import rule128 from './defense_evasion_iis_httplogging_disabled.json'; -import rule129 from './execution_python_tty_shell.json'; -import rule130 from './execution_perl_tty_shell.json'; -import rule131 from './defense_evasion_base16_or_base32_encoding_or_decoding_activity.json'; -import rule132 from './defense_evasion_base64_encoding_or_decoding_activity.json'; -import rule133 from './defense_evasion_hex_encoding_or_decoding_activity.json'; -import rule134 from './defense_evasion_file_mod_writable_dir.json'; -import rule135 from './defense_evasion_disable_selinux_attempt.json'; -import rule136 from './discovery_kernel_module_enumeration.json'; -import rule137 from './lateral_movement_telnet_network_activity_external.json'; -import rule138 from './lateral_movement_telnet_network_activity_internal.json'; -import rule139 from './privilege_escalation_setgid_bit_set_via_chmod.json'; -import rule140 from './privilege_escalation_setuid_bit_set_via_chmod.json'; -import rule141 from './defense_evasion_attempt_to_disable_iptables_or_firewall.json'; -import rule142 from './defense_evasion_kernel_module_removal.json'; -import rule143 from './defense_evasion_attempt_to_disable_syslog_service.json'; -import rule144 from './defense_evasion_file_deletion_via_shred.json'; -import rule145 from './discovery_virtual_machine_fingerprinting.json'; -import rule146 from './defense_evasion_hidden_file_dir_tmp.json'; -import rule147 from './defense_evasion_deletion_of_bash_command_line_history.json'; -import rule148 from './impact_cloudwatch_log_group_deletion.json'; -import rule149 from './impact_cloudwatch_log_stream_deletion.json'; -import rule150 from './impact_rds_instance_cluster_stoppage.json'; -import rule151 from './persistence_attempt_to_deactivate_mfa_for_okta_user_account.json'; -import rule152 from './persistence_rds_cluster_creation.json'; -import rule153 from './credential_access_attempted_bypass_of_okta_mfa.json'; -import rule154 from './defense_evasion_waf_acl_deletion.json'; -import rule155 from './impact_attempt_to_revoke_okta_api_token.json'; -import rule156 from './impact_iam_group_deletion.json'; -import rule157 from './impact_possible_okta_dos_attack.json'; -import rule158 from './impact_rds_cluster_deletion.json'; -import rule159 from './initial_access_suspicious_activity_reported_by_okta_user.json'; -import rule160 from './okta_attempt_to_deactivate_okta_policy.json'; -import rule161 from './okta_attempt_to_deactivate_okta_policy_rule.json'; -import rule162 from './okta_attempt_to_modify_okta_network_zone.json'; -import rule163 from './okta_attempt_to_modify_okta_policy.json'; -import rule164 from './okta_attempt_to_modify_okta_policy_rule.json'; -import rule165 from './okta_threat_detected_by_okta_threatinsight.json'; -import rule166 from './persistence_administrator_privileges_assigned_to_okta_group.json'; -import rule167 from './persistence_attempt_to_create_okta_api_token.json'; -import rule168 from './persistence_attempt_to_reset_mfa_factors_for_okta_user_account.json'; -import rule169 from './defense_evasion_cloudtrail_logging_deleted.json'; -import rule170 from './defense_evasion_ec2_network_acl_deletion.json'; -import rule171 from './impact_iam_deactivate_mfa_device.json'; -import rule172 from './defense_evasion_s3_bucket_configuration_deletion.json'; -import rule173 from './defense_evasion_guardduty_detector_deletion.json'; -import rule174 from './okta_attempt_to_delete_okta_policy.json'; -import rule175 from './credential_access_iam_user_addition_to_group.json'; -import rule176 from './persistence_ec2_network_acl_creation.json'; -import rule177 from './impact_ec2_disable_ebs_encryption.json'; -import rule178 from './persistence_iam_group_creation.json'; -import rule179 from './defense_evasion_waf_rule_or_rule_group_deletion.json'; -import rule180 from './collection_cloudtrail_logging_created.json'; -import rule181 from './defense_evasion_cloudtrail_logging_suspended.json'; -import rule182 from './impact_cloudtrail_logging_updated.json'; -import rule183 from './initial_access_console_login_root.json'; -import rule184 from './defense_evasion_cloudwatch_alarm_deletion.json'; -import rule185 from './defense_evasion_ec2_flow_log_deletion.json'; -import rule186 from './defense_evasion_configuration_recorder_stopped.json'; -import rule187 from './exfiltration_ec2_snapshot_change_activity.json'; -import rule188 from './defense_evasion_config_service_rule_deletion.json'; -import rule189 from './okta_attempt_to_modify_or_delete_application_sign_on_policy.json'; -import rule190 from './command_and_control_download_rar_powershell_from_internet.json'; -import rule191 from './initial_access_password_recovery.json'; -import rule192 from './command_and_control_cobalt_strike_beacon.json'; -import rule193 from './command_and_control_fin7_c2_behavior.json'; -import rule194 from './command_and_control_halfbaked_beacon.json'; -import rule195 from './credential_access_secretsmanager_getsecretvalue.json'; -import rule196 from './initial_access_via_system_manager.json'; -import rule197 from './privilege_escalation_root_login_without_mfa.json'; -import rule198 from './privilege_escalation_updateassumerolepolicy.json'; -import rule199 from './impact_hosts_file_modified.json'; -import rule200 from './elastic_endpoint.json'; -import rule201 from './external_alerts.json'; -import rule202 from './ml_cloudtrail_error_message_spike.json'; -import rule203 from './ml_cloudtrail_rare_error_code.json'; -import rule204 from './ml_cloudtrail_rare_method_by_city.json'; -import rule205 from './ml_cloudtrail_rare_method_by_country.json'; -import rule206 from './ml_cloudtrail_rare_method_by_user.json'; -import rule207 from './credential_access_aws_iam_assume_role_brute_force.json'; -import rule208 from './credential_access_okta_brute_force_or_password_spraying.json'; -import rule209 from './initial_access_unusual_dns_service_children.json'; -import rule210 from './initial_access_unusual_dns_service_file_writes.json'; -import rule211 from './lateral_movement_dns_server_overflow.json'; -import rule212 from './credential_access_root_console_failure_brute_force.json'; -import rule213 from './initial_access_unsecure_elasticsearch_node.json'; -import rule214 from './credential_access_domain_backup_dpapi_private_keys.json'; -import rule215 from './persistence_gpo_schtask_service_creation.json'; -import rule216 from './credential_access_compress_credentials_keychains.json'; -import rule217 from './credential_access_kerberosdump_kcc.json'; -import rule218 from './defense_evasion_attempt_del_quarantine_attrib.json'; -import rule219 from './execution_suspicious_psexesvc.json'; -import rule220 from './execution_via_xp_cmdshell_mssql_stored_procedure.json'; -import rule221 from './privilege_escalation_printspooler_service_suspicious_file.json'; -import rule222 from './privilege_escalation_printspooler_suspicious_spl_file.json'; -import rule223 from './defense_evasion_azure_diagnostic_settings_deletion.json'; -import rule224 from './execution_command_virtual_machine.json'; -import rule225 from './execution_via_hidden_shell_conhost.json'; -import rule226 from './impact_resource_group_deletion.json'; -import rule227 from './persistence_via_telemetrycontroller_scheduledtask_hijack.json'; -import rule228 from './persistence_via_update_orchestrator_service_hijack.json'; -import rule229 from './collection_update_event_hub_auth_rule.json'; -import rule230 from './credential_access_iis_apppoolsa_pwd_appcmd.json'; -import rule231 from './credential_access_iis_connectionstrings_dumping.json'; -import rule232 from './defense_evasion_event_hub_deletion.json'; -import rule233 from './defense_evasion_firewall_policy_deletion.json'; -import rule234 from './defense_evasion_sdelete_like_filename_rename.json'; -import rule235 from './lateral_movement_remote_ssh_login_enabled.json'; -import rule236 from './persistence_azure_automation_account_created.json'; -import rule237 from './persistence_azure_automation_runbook_created_or_modified.json'; -import rule238 from './persistence_azure_automation_webhook_created.json'; -import rule239 from './privilege_escalation_uac_bypass_diskcleanup_hijack.json'; -import rule240 from './credential_access_attempts_to_brute_force_okta_user_account.json'; -import rule241 from './credential_access_storage_account_key_regenerated.json'; -import rule242 from './defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.json'; -import rule243 from './defense_evasion_system_critical_proc_abnormal_file_activity.json'; -import rule244 from './defense_evasion_unusual_system_vp_child_program.json'; -import rule245 from './discovery_blob_container_access_mod.json'; -import rule246 from './persistence_mfa_disabled_for_azure_user.json'; -import rule247 from './persistence_user_added_as_owner_for_azure_application.json'; -import rule248 from './persistence_user_added_as_owner_for_azure_service_principal.json'; -import rule249 from './defense_evasion_dotnet_compiler_parent_process.json'; -import rule250 from './defense_evasion_suspicious_managedcode_host_process.json'; -import rule251 from './execution_command_shell_started_by_unusual_process.json'; -import rule252 from './defense_evasion_masquerading_as_elastic_endpoint_process.json'; -import rule253 from './defense_evasion_masquerading_suspicious_werfault_childproc.json'; -import rule254 from './defense_evasion_masquerading_werfault.json'; -import rule255 from './credential_access_key_vault_modified.json'; -import rule256 from './credential_access_mimikatz_memssp_default_logs.json'; -import rule257 from './defense_evasion_code_injection_conhost.json'; -import rule258 from './defense_evasion_network_watcher_deletion.json'; -import rule259 from './initial_access_external_guest_user_invite.json'; -import rule260 from './defense_evasion_masquerading_renamed_autoit.json'; -import rule261 from './impact_azure_automation_runbook_deleted.json'; -import rule262 from './initial_access_consent_grant_attack_via_azure_registered_application.json'; -import rule263 from './persistence_azure_conditional_access_policy_modified.json'; -import rule264 from './persistence_azure_privileged_identity_management_role_modified.json'; -import rule265 from './command_and_control_teamviewer_remote_file_copy.json'; -import rule266 from './defense_evasion_installutil_beacon.json'; -import rule267 from './defense_evasion_mshta_beacon.json'; -import rule268 from './defense_evasion_network_connection_from_windows_binary.json'; -import rule269 from './defense_evasion_rundll32_no_arguments.json'; -import rule270 from './defense_evasion_suspicious_scrobj_load.json'; -import rule271 from './defense_evasion_suspicious_wmi_script.json'; -import rule272 from './execution_ms_office_written_file.json'; -import rule273 from './execution_pdf_written_file.json'; -import rule274 from './lateral_movement_cmd_service.json'; -import rule275 from './persistence_app_compat_shim.json'; -import rule276 from './command_and_control_remote_file_copy_desktopimgdownldr.json'; -import rule277 from './command_and_control_remote_file_copy_mpcmdrun.json'; -import rule278 from './defense_evasion_execution_suspicious_explorer_winword.json'; -import rule279 from './defense_evasion_suspicious_zoom_child_process.json'; -import rule280 from './ml_linux_anomalous_compiler_activity.json'; -import rule281 from './ml_linux_anomalous_kernel_module_arguments.json'; -import rule282 from './ml_linux_anomalous_sudo_activity.json'; -import rule283 from './ml_linux_system_information_discovery.json'; -import rule284 from './ml_linux_system_network_configuration_discovery.json'; -import rule285 from './ml_linux_system_network_connection_discovery.json'; -import rule286 from './ml_linux_system_process_discovery.json'; -import rule287 from './ml_linux_system_user_discovery.json'; -import rule288 from './discovery_post_exploitation_public_ip_reconnaissance.json'; -import rule289 from './initial_access_zoom_meeting_with_no_passcode.json'; -import rule290 from './defense_evasion_gcp_logging_sink_deletion.json'; -import rule291 from './defense_evasion_gcp_pub_sub_topic_deletion.json'; -import rule292 from './defense_evasion_gcp_firewall_rule_created.json'; -import rule293 from './defense_evasion_gcp_firewall_rule_deleted.json'; -import rule294 from './defense_evasion_gcp_firewall_rule_modified.json'; -import rule295 from './defense_evasion_gcp_logging_bucket_deletion.json'; -import rule296 from './defense_evasion_gcp_storage_bucket_permissions_modified.json'; -import rule297 from './impact_gcp_storage_bucket_deleted.json'; -import rule298 from './initial_access_gcp_iam_custom_role_creation.json'; -import rule299 from './persistence_gcp_iam_service_account_key_deletion.json'; -import rule300 from './persistence_gcp_key_created_for_service_account.json'; -import rule301 from './defense_evasion_gcp_storage_bucket_configuration_modified.json'; -import rule302 from './exfiltration_gcp_logging_sink_modification.json'; -import rule303 from './impact_gcp_iam_role_deletion.json'; -import rule304 from './impact_gcp_service_account_deleted.json'; -import rule305 from './impact_gcp_service_account_disabled.json'; -import rule306 from './impact_gcp_virtual_private_cloud_network_deleted.json'; -import rule307 from './impact_gcp_virtual_private_cloud_route_created.json'; -import rule308 from './impact_gcp_virtual_private_cloud_route_deleted.json'; -import rule309 from './ml_linux_anomalous_metadata_process.json'; -import rule310 from './ml_linux_anomalous_metadata_user.json'; -import rule311 from './ml_windows_anomalous_metadata_process.json'; -import rule312 from './ml_windows_anomalous_metadata_user.json'; -import rule313 from './persistence_gcp_service_account_created.json'; -import rule314 from './collection_gcp_pub_sub_subscription_creation.json'; -import rule315 from './collection_gcp_pub_sub_topic_creation.json'; -import rule316 from './defense_evasion_gcp_pub_sub_subscription_deletion.json'; -import rule317 from './persistence_azure_pim_user_added_global_admin.json'; -import rule318 from './command_and_control_cobalt_strike_default_teamserver_cert.json'; -import rule319 from './defense_evasion_enable_inbound_rdp_with_netsh.json'; -import rule320 from './defense_evasion_execution_lolbas_wuauclt.json'; -import rule321 from './privilege_escalation_unusual_svchost_childproc_childless.json'; -import rule322 from './lateral_movement_rdp_tunnel_plink.json'; -import rule323 from './privilege_escalation_uac_bypass_winfw_mmc_hijack.json'; -import rule324 from './persistence_ms_office_addins_file.json'; -import rule325 from './discovery_adfind_command_activity.json'; -import rule326 from './discovery_security_software_wmic.json'; -import rule327 from './execution_command_shell_via_rundll32.json'; -import rule328 from './execution_suspicious_cmd_wmi.json'; -import rule329 from './lateral_movement_via_startup_folder_rdp_smb.json'; -import rule330 from './privilege_escalation_uac_bypass_com_interface_icmluautil.json'; -import rule331 from './privilege_escalation_uac_bypass_mock_windir.json'; -import rule332 from './defense_evasion_potential_processherpaderping.json'; -import rule333 from './privilege_escalation_uac_bypass_dll_sideloading.json'; -import rule334 from './execution_shared_modules_local_sxs_dll.json'; -import rule335 from './privilege_escalation_uac_bypass_com_clipup.json'; -import rule336 from './initial_access_via_explorer_suspicious_child_parent_args.json'; -import rule337 from './execution_from_unusual_directory.json'; -import rule338 from './execution_from_unusual_path_cmdline.json'; -import rule339 from './credential_access_kerberoasting_unusual_process.json'; -import rule340 from './discovery_peripheral_device.json'; -import rule341 from './lateral_movement_mount_hidden_or_webdav_share_net.json'; -import rule342 from './defense_evasion_deleting_websvr_access_logs.json'; -import rule343 from './defense_evasion_log_files_deleted.json'; -import rule344 from './defense_evasion_timestomp_touch.json'; -import rule345 from './lateral_movement_dcom_hta.json'; -import rule346 from './lateral_movement_execution_via_file_shares_sequence.json'; -import rule347 from './privilege_escalation_uac_bypass_com_ieinstal.json'; -import rule348 from './command_and_control_common_webservices.json'; -import rule349 from './command_and_control_encrypted_channel_freesslcert.json'; -import rule350 from './defense_evasion_process_termination_followed_by_deletion.json'; -import rule351 from './lateral_movement_remote_file_copy_hidden_share.json'; -import rule352 from './attempt_to_deactivate_okta_network_zone.json'; -import rule353 from './attempt_to_delete_okta_network_zone.json'; -import rule354 from './lateral_movement_dcom_mmc20.json'; -import rule355 from './lateral_movement_dcom_shellwindow_shellbrowserwindow.json'; -import rule356 from './okta_attempt_to_deactivate_okta_application.json'; -import rule357 from './okta_attempt_to_delete_okta_application.json'; -import rule358 from './okta_attempt_to_delete_okta_policy_rule.json'; -import rule359 from './okta_attempt_to_modify_okta_application.json'; -import rule360 from './persistence_administrator_role_assigned_to_okta_user.json'; -import rule361 from './lateral_movement_executable_tool_transfer_smb.json'; -import rule362 from './command_and_control_dns_tunneling_nslookup.json'; -import rule363 from './lateral_movement_execution_from_tsclient_mup.json'; -import rule364 from './lateral_movement_rdp_sharprdp_target.json'; -import rule365 from './persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.json'; -import rule366 from './execution_suspicious_short_program_name.json'; -import rule367 from './lateral_movement_incoming_wmi.json'; -import rule368 from './persistence_via_hidden_run_key_valuename.json'; -import rule369 from './credential_access_potential_ssh_bruteforce.json'; -import rule370 from './credential_access_promt_for_pwd_via_osascript.json'; -import rule371 from './lateral_movement_remote_services.json'; -import rule372 from './application_added_to_google_workspace_domain.json'; -import rule373 from './domain_added_to_google_workspace_trusted_domains.json'; -import rule374 from './execution_suspicious_image_load_wmi_ms_office.json'; -import rule375 from './execution_suspicious_powershell_imgload.json'; -import rule376 from './google_workspace_admin_role_deletion.json'; -import rule377 from './google_workspace_mfa_enforcement_disabled.json'; -import rule378 from './google_workspace_policy_modified.json'; -import rule379 from './mfa_disabled_for_google_workspace_organization.json'; -import rule380 from './persistence_evasion_registry_ifeo_injection.json'; -import rule381 from './persistence_google_workspace_admin_role_assigned_to_user.json'; -import rule382 from './persistence_google_workspace_custom_admin_role_created.json'; -import rule383 from './persistence_google_workspace_role_modified.json'; -import rule384 from './persistence_suspicious_image_load_scheduled_task_ms_office.json'; -import rule385 from './defense_evasion_masquerading_trusted_directory.json'; -import rule386 from './exfiltration_microsoft_365_exchange_transport_rule_creation.json'; -import rule387 from './initial_access_microsoft_365_exchange_safelinks_disabled.json'; -import rule388 from './microsoft_365_exchange_dkim_signing_config_disabled.json'; -import rule389 from './persistence_appcertdlls_registry.json'; -import rule390 from './persistence_appinitdlls_registry.json'; -import rule391 from './persistence_registry_uncommon.json'; -import rule392 from './persistence_run_key_and_startup_broad.json'; -import rule393 from './persistence_services_registry.json'; -import rule394 from './persistence_startup_folder_file_written_by_suspicious_process.json'; -import rule395 from './persistence_startup_folder_scripts.json'; -import rule396 from './persistence_suspicious_com_hijack_registry.json'; -import rule397 from './persistence_via_lsa_security_support_provider_registry.json'; -import rule398 from './defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.json'; -import rule399 from './defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.json'; -import rule400 from './defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.json'; -import rule401 from './exfiltration_microsoft_365_exchange_transport_rule_mod.json'; -import rule402 from './initial_access_microsoft_365_exchange_anti_phish_policy_deletion.json'; -import rule403 from './initial_access_microsoft_365_exchange_anti_phish_rule_mod.json'; -import rule404 from './lateral_movement_suspicious_rdp_client_imageload.json'; -import rule405 from './persistence_runtime_run_key_startup_susp_procs.json'; -import rule406 from './persistence_suspicious_scheduled_task_runtime.json'; -import rule407 from './defense_evasion_microsoft_365_exchange_dlp_policy_removed.json'; -import rule408 from './lateral_movement_scheduled_task_target.json'; -import rule409 from './persistence_microsoft_365_exchange_management_role_assignment.json'; -import rule410 from './persistence_microsoft_365_teams_guest_access_enabled.json'; -import rule411 from './credential_access_dump_registry_hives.json'; -import rule412 from './defense_evasion_scheduledjobs_at_protocol_enabled.json'; -import rule413 from './persistence_ms_outlook_vba_template.json'; -import rule414 from './persistence_suspicious_service_created_registry.json'; -import rule415 from './privilege_escalation_named_pipe_impersonation.json'; -import rule416 from './credential_access_cmdline_dump_tool.json'; -import rule417 from './credential_access_copy_ntds_sam_volshadowcp_cmdline.json'; -import rule418 from './credential_access_lsass_memdump_file_created.json'; -import rule419 from './lateral_movement_incoming_winrm_shell_execution.json'; -import rule420 from './lateral_movement_powershell_remoting_target.json'; -import rule421 from './defense_evasion_hide_encoded_executable_registry.json'; -import rule422 from './defense_evasion_port_forwarding_added_registry.json'; -import rule423 from './lateral_movement_rdp_enabled_registry.json'; -import rule424 from './privilege_escalation_printspooler_registry_copyfiles.json'; -import rule425 from './privilege_escalation_rogue_windir_environment_var.json'; -import rule426 from './initial_access_scripts_process_started_via_wmi.json'; -import rule427 from './command_and_control_iexplore_via_com.json'; -import rule428 from './command_and_control_remote_file_copy_scripts.json'; -import rule429 from './persistence_local_scheduled_task_scripting.json'; -import rule430 from './persistence_startup_folder_file_written_by_unsigned_process.json'; -import rule431 from './command_and_control_remote_file_copy_powershell.json'; -import rule432 from './credential_access_microsoft_365_brute_force_user_account_attempt.json'; -import rule433 from './microsoft_365_teams_custom_app_interaction_allowed.json'; -import rule434 from './persistence_microsoft_365_teams_external_access_enabled.json'; -import rule435 from './credential_access_microsoft_365_potential_password_spraying_attack.json'; -import rule436 from './defense_evasion_stop_process_service_threshold.json'; -import rule437 from './collection_winrar_encryption.json'; -import rule438 from './defense_evasion_unusual_dir_ads.json'; -import rule439 from './discovery_admin_recon.json'; -import rule440 from './discovery_file_dir_discovery.json'; -import rule441 from './discovery_net_view.json'; -import rule442 from './discovery_query_registry_via_reg.json'; -import rule443 from './discovery_remote_system_discovery_commands_windows.json'; -import rule444 from './persistence_via_windows_management_instrumentation_event_subscription.json'; -import rule445 from './execution_scripting_osascript_exec_followed_by_netcon.json'; -import rule446 from './execution_shell_execution_via_apple_scripting.json'; -import rule447 from './persistence_creation_change_launch_agents_file.json'; -import rule448 from './persistence_creation_modif_launch_deamon_sequence.json'; -import rule449 from './persistence_folder_action_scripts_runtime.json'; -import rule450 from './persistence_login_logout_hooks_defaults.json'; -import rule451 from './privilege_escalation_explicit_creds_via_apple_scripting.json'; -import rule452 from './command_and_control_sunburst_c2_activity_detected.json'; -import rule453 from './defense_evasion_azure_application_credential_modification.json'; -import rule454 from './defense_evasion_azure_service_principal_addition.json'; -import rule455 from './defense_evasion_solarwinds_backdoor_service_disabled_via_registry.json'; -import rule456 from './execution_apt_solarwinds_backdoor_child_cmd_powershell.json'; -import rule457 from './execution_apt_solarwinds_backdoor_unusual_child_processes.json'; -import rule458 from './initial_access_azure_active_directory_powershell_signin.json'; -import rule459 from './collection_email_powershell_exchange_mailbox.json'; -import rule460 from './collection_persistence_powershell_exch_mailbox_activesync_add_device.json'; -import rule461 from './execution_scheduled_task_powershell_source.json'; +import rule1 from './credential_access_access_to_browser_credentials_procargs.json'; +import rule2 from './defense_evasion_tcc_bypass_mounted_apfs_access.json'; +import rule3 from './persistence_enable_root_account.json'; +import rule4 from './defense_evasion_unload_endpointsecurity_kext.json'; +import rule5 from './persistence_account_creation_hide_at_logon.json'; +import rule6 from './persistence_creation_hidden_login_item_osascript.json'; +import rule7 from './persistence_evasion_hidden_launch_agent_deamon_creation.json'; +import rule8 from './privilege_escalation_local_user_added_to_admin.json'; +import rule9 from './credential_access_keychain_pwd_retrieval_security_cmd.json'; +import rule10 from './credential_access_systemkey_dumping.json'; +import rule11 from './execution_defense_evasion_electron_app_childproc_node_js.json'; +import rule12 from './execution_revershell_via_shell_cmd.json'; +import rule13 from './persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.json'; +import rule14 from './privilege_escalation_persistence_phantom_dll.json'; +import rule15 from './defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.json'; +import rule16 from './lateral_movement_credential_access_kerberos_bifrostconsole.json'; +import rule17 from './lateral_movement_vpn_connection_attempt.json'; +import rule18 from './apm_403_response_to_a_post.json'; +import rule19 from './apm_405_response_method_not_allowed.json'; +import rule20 from './apm_null_user_agent.json'; +import rule21 from './apm_sqlmap_user_agent.json'; +import rule22 from './command_and_control_dns_directly_to_the_internet.json'; +import rule23 from './command_and_control_ftp_file_transfer_protocol_activity_to_the_internet.json'; +import rule24 from './command_and_control_irc_internet_relay_chat_protocol_activity_to_the_internet.json'; +import rule25 from './command_and_control_nat_traversal_port_activity.json'; +import rule26 from './command_and_control_port_26_activity.json'; +import rule27 from './command_and_control_port_8000_activity_to_the_internet.json'; +import rule28 from './command_and_control_pptp_point_to_point_tunneling_protocol_activity.json'; +import rule29 from './command_and_control_proxy_port_activity_to_the_internet.json'; +import rule30 from './command_and_control_rdp_remote_desktop_protocol_from_the_internet.json'; +import rule31 from './command_and_control_smtp_to_the_internet.json'; +import rule32 from './command_and_control_sql_server_port_activity_to_the_internet.json'; +import rule33 from './command_and_control_ssh_secure_shell_from_the_internet.json'; +import rule34 from './command_and_control_ssh_secure_shell_to_the_internet.json'; +import rule35 from './command_and_control_telnet_port_activity.json'; +import rule36 from './command_and_control_tor_activity_to_the_internet.json'; +import rule37 from './command_and_control_vnc_virtual_network_computing_from_the_internet.json'; +import rule38 from './command_and_control_vnc_virtual_network_computing_to_the_internet.json'; +import rule39 from './credential_access_tcpdump_activity.json'; +import rule40 from './defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.json'; +import rule41 from './defense_evasion_clearing_windows_event_logs.json'; +import rule42 from './defense_evasion_delete_volume_usn_journal_with_fsutil.json'; +import rule43 from './defense_evasion_deleting_backup_catalogs_with_wbadmin.json'; +import rule44 from './defense_evasion_disable_windows_firewall_rules_with_netsh.json'; +import rule45 from './defense_evasion_encoding_or_decoding_files_via_certutil.json'; +import rule46 from './defense_evasion_execution_via_trusted_developer_utilities.json'; +import rule47 from './defense_evasion_misc_lolbin_connecting_to_the_internet.json'; +import rule48 from './defense_evasion_msbuild_making_network_connections.json'; +import rule49 from './defense_evasion_unusual_network_connection_via_rundll32.json'; +import rule50 from './defense_evasion_unusual_process_network_connection.json'; +import rule51 from './defense_evasion_via_filter_manager.json'; +import rule52 from './defense_evasion_volume_shadow_copy_deletion_via_wmic.json'; +import rule53 from './discovery_process_discovery_via_tasklist_command.json'; +import rule54 from './discovery_whoami_command_activity.json'; +import rule55 from './discovery_whoami_commmand.json'; +import rule56 from './endpoint_adversary_behavior_detected.json'; +import rule57 from './endpoint_cred_dumping_detected.json'; +import rule58 from './endpoint_cred_dumping_prevented.json'; +import rule59 from './endpoint_cred_manipulation_detected.json'; +import rule60 from './endpoint_cred_manipulation_prevented.json'; +import rule61 from './endpoint_exploit_detected.json'; +import rule62 from './endpoint_exploit_prevented.json'; +import rule63 from './endpoint_malware_detected.json'; +import rule64 from './endpoint_malware_prevented.json'; +import rule65 from './endpoint_permission_theft_detected.json'; +import rule66 from './endpoint_permission_theft_prevented.json'; +import rule67 from './endpoint_process_injection_detected.json'; +import rule68 from './endpoint_process_injection_prevented.json'; +import rule69 from './endpoint_ransomware_detected.json'; +import rule70 from './endpoint_ransomware_prevented.json'; +import rule71 from './execution_command_prompt_connecting_to_the_internet.json'; +import rule72 from './execution_command_shell_started_by_powershell.json'; +import rule73 from './execution_command_shell_started_by_svchost.json'; +import rule74 from './execution_html_help_executable_program_connecting_to_the_internet.json'; +import rule75 from './execution_psexec_lateral_movement_command.json'; +import rule76 from './execution_register_server_program_connecting_to_the_internet.json'; +import rule77 from './execution_via_compiled_html_file.json'; +import rule78 from './impact_volume_shadow_copy_deletion_via_vssadmin.json'; +import rule79 from './initial_access_rdp_remote_desktop_protocol_to_the_internet.json'; +import rule80 from './initial_access_rpc_remote_procedure_call_from_the_internet.json'; +import rule81 from './initial_access_rpc_remote_procedure_call_to_the_internet.json'; +import rule82 from './initial_access_script_executing_powershell.json'; +import rule83 from './initial_access_smb_windows_file_sharing_activity_to_the_internet.json'; +import rule84 from './initial_access_suspicious_ms_office_child_process.json'; +import rule85 from './initial_access_suspicious_ms_outlook_child_process.json'; +import rule86 from './lateral_movement_direct_outbound_smb_connection.json'; +import rule87 from './lateral_movement_local_service_commands.json'; +import rule88 from './linux_hping_activity.json'; +import rule89 from './linux_iodine_activity.json'; +import rule90 from './linux_mknod_activity.json'; +import rule91 from './linux_netcat_network_connection.json'; +import rule92 from './linux_nmap_activity.json'; +import rule93 from './linux_nping_activity.json'; +import rule94 from './linux_process_started_in_temp_directory.json'; +import rule95 from './linux_socat_activity.json'; +import rule96 from './linux_strace_activity.json'; +import rule97 from './persistence_adobe_hijack_persistence.json'; +import rule98 from './persistence_kernel_module_activity.json'; +import rule99 from './persistence_local_scheduled_task_commands.json'; +import rule100 from './persistence_priv_escalation_via_accessibility_features.json'; +import rule101 from './persistence_shell_activity_by_web_server.json'; +import rule102 from './persistence_system_shells_via_services.json'; +import rule103 from './persistence_user_account_creation.json'; +import rule104 from './persistence_via_application_shimming.json'; +import rule105 from './privilege_escalation_unusual_parentchild_relationship.json'; +import rule106 from './defense_evasion_modification_of_boot_config.json'; +import rule107 from './privilege_escalation_uac_bypass_event_viewer.json'; +import rule108 from './defense_evasion_msxsl_network.json'; +import rule109 from './discovery_net_command_system_account.json'; +import rule110 from './command_and_control_certutil_network_connection.json'; +import rule111 from './defense_evasion_cve_2020_0601.json'; +import rule112 from './credential_access_credential_dumping_msbuild.json'; +import rule113 from './defense_evasion_execution_msbuild_started_by_office_app.json'; +import rule114 from './defense_evasion_execution_msbuild_started_by_script.json'; +import rule115 from './defense_evasion_execution_msbuild_started_by_system_process.json'; +import rule116 from './defense_evasion_execution_msbuild_started_renamed.json'; +import rule117 from './defense_evasion_execution_msbuild_started_unusal_process.json'; +import rule118 from './defense_evasion_injection_msbuild.json'; +import rule119 from './execution_via_net_com_assemblies.json'; +import rule120 from './ml_linux_anomalous_network_activity.json'; +import rule121 from './ml_linux_anomalous_network_port_activity.json'; +import rule122 from './ml_linux_anomalous_network_service.json'; +import rule123 from './ml_linux_anomalous_network_url_activity.json'; +import rule124 from './ml_linux_anomalous_process_all_hosts.json'; +import rule125 from './ml_linux_anomalous_user_name.json'; +import rule126 from './ml_packetbeat_dns_tunneling.json'; +import rule127 from './ml_packetbeat_rare_dns_question.json'; +import rule128 from './ml_packetbeat_rare_server_domain.json'; +import rule129 from './ml_packetbeat_rare_urls.json'; +import rule130 from './ml_packetbeat_rare_user_agent.json'; +import rule131 from './ml_rare_process_by_host_linux.json'; +import rule132 from './ml_rare_process_by_host_windows.json'; +import rule133 from './ml_suspicious_login_activity.json'; +import rule134 from './ml_windows_anomalous_network_activity.json'; +import rule135 from './ml_windows_anomalous_path_activity.json'; +import rule136 from './ml_windows_anomalous_process_all_hosts.json'; +import rule137 from './ml_windows_anomalous_process_creation.json'; +import rule138 from './ml_windows_anomalous_script.json'; +import rule139 from './ml_windows_anomalous_service.json'; +import rule140 from './ml_windows_anomalous_user_name.json'; +import rule141 from './ml_windows_rare_user_runas_event.json'; +import rule142 from './ml_windows_rare_user_type10_remote_login.json'; +import rule143 from './execution_suspicious_pdf_reader.json'; +import rule144 from './privilege_escalation_sudoers_file_mod.json'; +import rule145 from './defense_evasion_iis_httplogging_disabled.json'; +import rule146 from './execution_python_tty_shell.json'; +import rule147 from './execution_perl_tty_shell.json'; +import rule148 from './defense_evasion_base16_or_base32_encoding_or_decoding_activity.json'; +import rule149 from './defense_evasion_base64_encoding_or_decoding_activity.json'; +import rule150 from './defense_evasion_hex_encoding_or_decoding_activity.json'; +import rule151 from './defense_evasion_file_mod_writable_dir.json'; +import rule152 from './defense_evasion_disable_selinux_attempt.json'; +import rule153 from './discovery_kernel_module_enumeration.json'; +import rule154 from './lateral_movement_telnet_network_activity_external.json'; +import rule155 from './lateral_movement_telnet_network_activity_internal.json'; +import rule156 from './privilege_escalation_setuid_setgid_bit_set_via_chmod.json'; +import rule157 from './defense_evasion_attempt_to_disable_iptables_or_firewall.json'; +import rule158 from './defense_evasion_kernel_module_removal.json'; +import rule159 from './defense_evasion_attempt_to_disable_syslog_service.json'; +import rule160 from './defense_evasion_file_deletion_via_shred.json'; +import rule161 from './discovery_virtual_machine_fingerprinting.json'; +import rule162 from './defense_evasion_hidden_file_dir_tmp.json'; +import rule163 from './defense_evasion_deletion_of_bash_command_line_history.json'; +import rule164 from './impact_cloudwatch_log_group_deletion.json'; +import rule165 from './impact_cloudwatch_log_stream_deletion.json'; +import rule166 from './impact_rds_instance_cluster_stoppage.json'; +import rule167 from './persistence_attempt_to_deactivate_mfa_for_okta_user_account.json'; +import rule168 from './persistence_rds_cluster_creation.json'; +import rule169 from './credential_access_attempted_bypass_of_okta_mfa.json'; +import rule170 from './defense_evasion_waf_acl_deletion.json'; +import rule171 from './impact_attempt_to_revoke_okta_api_token.json'; +import rule172 from './impact_iam_group_deletion.json'; +import rule173 from './impact_possible_okta_dos_attack.json'; +import rule174 from './impact_rds_cluster_deletion.json'; +import rule175 from './initial_access_suspicious_activity_reported_by_okta_user.json'; +import rule176 from './okta_attempt_to_deactivate_okta_policy.json'; +import rule177 from './okta_attempt_to_deactivate_okta_policy_rule.json'; +import rule178 from './okta_attempt_to_modify_okta_network_zone.json'; +import rule179 from './okta_attempt_to_modify_okta_policy.json'; +import rule180 from './okta_attempt_to_modify_okta_policy_rule.json'; +import rule181 from './okta_threat_detected_by_okta_threatinsight.json'; +import rule182 from './persistence_administrator_privileges_assigned_to_okta_group.json'; +import rule183 from './persistence_attempt_to_create_okta_api_token.json'; +import rule184 from './persistence_attempt_to_reset_mfa_factors_for_okta_user_account.json'; +import rule185 from './defense_evasion_cloudtrail_logging_deleted.json'; +import rule186 from './defense_evasion_ec2_network_acl_deletion.json'; +import rule187 from './impact_iam_deactivate_mfa_device.json'; +import rule188 from './defense_evasion_s3_bucket_configuration_deletion.json'; +import rule189 from './defense_evasion_guardduty_detector_deletion.json'; +import rule190 from './okta_attempt_to_delete_okta_policy.json'; +import rule191 from './credential_access_iam_user_addition_to_group.json'; +import rule192 from './persistence_ec2_network_acl_creation.json'; +import rule193 from './impact_ec2_disable_ebs_encryption.json'; +import rule194 from './persistence_iam_group_creation.json'; +import rule195 from './defense_evasion_waf_rule_or_rule_group_deletion.json'; +import rule196 from './collection_cloudtrail_logging_created.json'; +import rule197 from './defense_evasion_cloudtrail_logging_suspended.json'; +import rule198 from './impact_cloudtrail_logging_updated.json'; +import rule199 from './initial_access_console_login_root.json'; +import rule200 from './defense_evasion_cloudwatch_alarm_deletion.json'; +import rule201 from './defense_evasion_ec2_flow_log_deletion.json'; +import rule202 from './defense_evasion_configuration_recorder_stopped.json'; +import rule203 from './exfiltration_ec2_snapshot_change_activity.json'; +import rule204 from './defense_evasion_config_service_rule_deletion.json'; +import rule205 from './okta_attempt_to_modify_or_delete_application_sign_on_policy.json'; +import rule206 from './command_and_control_download_rar_powershell_from_internet.json'; +import rule207 from './initial_access_password_recovery.json'; +import rule208 from './command_and_control_cobalt_strike_beacon.json'; +import rule209 from './command_and_control_fin7_c2_behavior.json'; +import rule210 from './command_and_control_halfbaked_beacon.json'; +import rule211 from './credential_access_secretsmanager_getsecretvalue.json'; +import rule212 from './initial_access_via_system_manager.json'; +import rule213 from './privilege_escalation_root_login_without_mfa.json'; +import rule214 from './privilege_escalation_updateassumerolepolicy.json'; +import rule215 from './impact_hosts_file_modified.json'; +import rule216 from './elastic_endpoint.json'; +import rule217 from './external_alerts.json'; +import rule218 from './initial_access_login_failures.json'; +import rule219 from './initial_access_login_location.json'; +import rule220 from './initial_access_login_sessions.json'; +import rule221 from './initial_access_login_time.json'; +import rule222 from './ml_cloudtrail_error_message_spike.json'; +import rule223 from './ml_cloudtrail_rare_error_code.json'; +import rule224 from './ml_cloudtrail_rare_method_by_city.json'; +import rule225 from './ml_cloudtrail_rare_method_by_country.json'; +import rule226 from './ml_cloudtrail_rare_method_by_user.json'; +import rule227 from './credential_access_aws_iam_assume_role_brute_force.json'; +import rule228 from './credential_access_okta_brute_force_or_password_spraying.json'; +import rule229 from './initial_access_unusual_dns_service_children.json'; +import rule230 from './initial_access_unusual_dns_service_file_writes.json'; +import rule231 from './lateral_movement_dns_server_overflow.json'; +import rule232 from './credential_access_root_console_failure_brute_force.json'; +import rule233 from './initial_access_unsecure_elasticsearch_node.json'; +import rule234 from './credential_access_domain_backup_dpapi_private_keys.json'; +import rule235 from './persistence_gpo_schtask_service_creation.json'; +import rule236 from './credential_access_credentials_keychains.json'; +import rule237 from './credential_access_kerberosdump_kcc.json'; +import rule238 from './defense_evasion_attempt_del_quarantine_attrib.json'; +import rule239 from './execution_suspicious_psexesvc.json'; +import rule240 from './execution_via_xp_cmdshell_mssql_stored_procedure.json'; +import rule241 from './privilege_escalation_printspooler_service_suspicious_file.json'; +import rule242 from './privilege_escalation_printspooler_suspicious_spl_file.json'; +import rule243 from './defense_evasion_azure_diagnostic_settings_deletion.json'; +import rule244 from './execution_command_virtual_machine.json'; +import rule245 from './execution_via_hidden_shell_conhost.json'; +import rule246 from './impact_resource_group_deletion.json'; +import rule247 from './persistence_via_telemetrycontroller_scheduledtask_hijack.json'; +import rule248 from './persistence_via_update_orchestrator_service_hijack.json'; +import rule249 from './collection_update_event_hub_auth_rule.json'; +import rule250 from './credential_access_iis_apppoolsa_pwd_appcmd.json'; +import rule251 from './credential_access_iis_connectionstrings_dumping.json'; +import rule252 from './defense_evasion_event_hub_deletion.json'; +import rule253 from './defense_evasion_firewall_policy_deletion.json'; +import rule254 from './defense_evasion_sdelete_like_filename_rename.json'; +import rule255 from './lateral_movement_remote_ssh_login_enabled.json'; +import rule256 from './persistence_azure_automation_account_created.json'; +import rule257 from './persistence_azure_automation_runbook_created_or_modified.json'; +import rule258 from './persistence_azure_automation_webhook_created.json'; +import rule259 from './privilege_escalation_uac_bypass_diskcleanup_hijack.json'; +import rule260 from './credential_access_attempts_to_brute_force_okta_user_account.json'; +import rule261 from './credential_access_storage_account_key_regenerated.json'; +import rule262 from './defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.json'; +import rule263 from './defense_evasion_system_critical_proc_abnormal_file_activity.json'; +import rule264 from './defense_evasion_unusual_system_vp_child_program.json'; +import rule265 from './discovery_blob_container_access_mod.json'; +import rule266 from './persistence_mfa_disabled_for_azure_user.json'; +import rule267 from './persistence_user_added_as_owner_for_azure_application.json'; +import rule268 from './persistence_user_added_as_owner_for_azure_service_principal.json'; +import rule269 from './defense_evasion_dotnet_compiler_parent_process.json'; +import rule270 from './defense_evasion_suspicious_managedcode_host_process.json'; +import rule271 from './execution_command_shell_started_by_unusual_process.json'; +import rule272 from './defense_evasion_masquerading_as_elastic_endpoint_process.json'; +import rule273 from './defense_evasion_masquerading_suspicious_werfault_childproc.json'; +import rule274 from './defense_evasion_masquerading_werfault.json'; +import rule275 from './credential_access_key_vault_modified.json'; +import rule276 from './credential_access_mimikatz_memssp_default_logs.json'; +import rule277 from './defense_evasion_code_injection_conhost.json'; +import rule278 from './defense_evasion_network_watcher_deletion.json'; +import rule279 from './initial_access_external_guest_user_invite.json'; +import rule280 from './defense_evasion_masquerading_renamed_autoit.json'; +import rule281 from './impact_azure_automation_runbook_deleted.json'; +import rule282 from './initial_access_consent_grant_attack_via_azure_registered_application.json'; +import rule283 from './persistence_azure_conditional_access_policy_modified.json'; +import rule284 from './persistence_azure_privileged_identity_management_role_modified.json'; +import rule285 from './command_and_control_teamviewer_remote_file_copy.json'; +import rule286 from './defense_evasion_installutil_beacon.json'; +import rule287 from './defense_evasion_mshta_beacon.json'; +import rule288 from './defense_evasion_network_connection_from_windows_binary.json'; +import rule289 from './defense_evasion_rundll32_no_arguments.json'; +import rule290 from './defense_evasion_suspicious_scrobj_load.json'; +import rule291 from './defense_evasion_suspicious_wmi_script.json'; +import rule292 from './execution_ms_office_written_file.json'; +import rule293 from './execution_pdf_written_file.json'; +import rule294 from './lateral_movement_cmd_service.json'; +import rule295 from './persistence_app_compat_shim.json'; +import rule296 from './command_and_control_remote_file_copy_desktopimgdownldr.json'; +import rule297 from './command_and_control_remote_file_copy_mpcmdrun.json'; +import rule298 from './defense_evasion_execution_suspicious_explorer_winword.json'; +import rule299 from './defense_evasion_suspicious_zoom_child_process.json'; +import rule300 from './ml_linux_anomalous_compiler_activity.json'; +import rule301 from './ml_linux_anomalous_kernel_module_arguments.json'; +import rule302 from './ml_linux_anomalous_sudo_activity.json'; +import rule303 from './ml_linux_system_information_discovery.json'; +import rule304 from './ml_linux_system_network_configuration_discovery.json'; +import rule305 from './ml_linux_system_network_connection_discovery.json'; +import rule306 from './ml_linux_system_process_discovery.json'; +import rule307 from './ml_linux_system_user_discovery.json'; +import rule308 from './discovery_post_exploitation_public_ip_reconnaissance.json'; +import rule309 from './initial_access_zoom_meeting_with_no_passcode.json'; +import rule310 from './defense_evasion_gcp_logging_sink_deletion.json'; +import rule311 from './defense_evasion_gcp_pub_sub_topic_deletion.json'; +import rule312 from './defense_evasion_gcp_firewall_rule_created.json'; +import rule313 from './defense_evasion_gcp_firewall_rule_deleted.json'; +import rule314 from './defense_evasion_gcp_firewall_rule_modified.json'; +import rule315 from './defense_evasion_gcp_logging_bucket_deletion.json'; +import rule316 from './defense_evasion_gcp_storage_bucket_permissions_modified.json'; +import rule317 from './impact_gcp_storage_bucket_deleted.json'; +import rule318 from './initial_access_gcp_iam_custom_role_creation.json'; +import rule319 from './persistence_gcp_iam_service_account_key_deletion.json'; +import rule320 from './persistence_gcp_key_created_for_service_account.json'; +import rule321 from './defense_evasion_gcp_storage_bucket_configuration_modified.json'; +import rule322 from './exfiltration_gcp_logging_sink_modification.json'; +import rule323 from './impact_gcp_iam_role_deletion.json'; +import rule324 from './impact_gcp_service_account_deleted.json'; +import rule325 from './impact_gcp_service_account_disabled.json'; +import rule326 from './impact_gcp_virtual_private_cloud_network_deleted.json'; +import rule327 from './impact_gcp_virtual_private_cloud_route_created.json'; +import rule328 from './impact_gcp_virtual_private_cloud_route_deleted.json'; +import rule329 from './ml_linux_anomalous_metadata_process.json'; +import rule330 from './ml_linux_anomalous_metadata_user.json'; +import rule331 from './ml_windows_anomalous_metadata_process.json'; +import rule332 from './ml_windows_anomalous_metadata_user.json'; +import rule333 from './persistence_gcp_service_account_created.json'; +import rule334 from './collection_gcp_pub_sub_subscription_creation.json'; +import rule335 from './collection_gcp_pub_sub_topic_creation.json'; +import rule336 from './defense_evasion_gcp_pub_sub_subscription_deletion.json'; +import rule337 from './persistence_azure_pim_user_added_global_admin.json'; +import rule338 from './command_and_control_cobalt_strike_default_teamserver_cert.json'; +import rule339 from './defense_evasion_enable_inbound_rdp_with_netsh.json'; +import rule340 from './defense_evasion_execution_lolbas_wuauclt.json'; +import rule341 from './privilege_escalation_unusual_svchost_childproc_childless.json'; +import rule342 from './lateral_movement_rdp_tunnel_plink.json'; +import rule343 from './privilege_escalation_uac_bypass_winfw_mmc_hijack.json'; +import rule344 from './persistence_ms_office_addins_file.json'; +import rule345 from './discovery_adfind_command_activity.json'; +import rule346 from './discovery_security_software_wmic.json'; +import rule347 from './execution_command_shell_via_rundll32.json'; +import rule348 from './execution_suspicious_cmd_wmi.json'; +import rule349 from './lateral_movement_via_startup_folder_rdp_smb.json'; +import rule350 from './privilege_escalation_uac_bypass_com_interface_icmluautil.json'; +import rule351 from './privilege_escalation_uac_bypass_mock_windir.json'; +import rule352 from './defense_evasion_potential_processherpaderping.json'; +import rule353 from './privilege_escalation_uac_bypass_dll_sideloading.json'; +import rule354 from './execution_shared_modules_local_sxs_dll.json'; +import rule355 from './privilege_escalation_uac_bypass_com_clipup.json'; +import rule356 from './initial_access_via_explorer_suspicious_child_parent_args.json'; +import rule357 from './execution_from_unusual_directory.json'; +import rule358 from './execution_from_unusual_path_cmdline.json'; +import rule359 from './credential_access_kerberoasting_unusual_process.json'; +import rule360 from './discovery_peripheral_device.json'; +import rule361 from './lateral_movement_mount_hidden_or_webdav_share_net.json'; +import rule362 from './defense_evasion_deleting_websvr_access_logs.json'; +import rule363 from './defense_evasion_log_files_deleted.json'; +import rule364 from './defense_evasion_timestomp_touch.json'; +import rule365 from './lateral_movement_dcom_hta.json'; +import rule366 from './lateral_movement_execution_via_file_shares_sequence.json'; +import rule367 from './privilege_escalation_uac_bypass_com_ieinstal.json'; +import rule368 from './command_and_control_common_webservices.json'; +import rule369 from './command_and_control_encrypted_channel_freesslcert.json'; +import rule370 from './defense_evasion_process_termination_followed_by_deletion.json'; +import rule371 from './lateral_movement_remote_file_copy_hidden_share.json'; +import rule372 from './attempt_to_deactivate_okta_network_zone.json'; +import rule373 from './attempt_to_delete_okta_network_zone.json'; +import rule374 from './lateral_movement_dcom_mmc20.json'; +import rule375 from './lateral_movement_dcom_shellwindow_shellbrowserwindow.json'; +import rule376 from './okta_attempt_to_deactivate_okta_application.json'; +import rule377 from './okta_attempt_to_delete_okta_application.json'; +import rule378 from './okta_attempt_to_delete_okta_policy_rule.json'; +import rule379 from './okta_attempt_to_modify_okta_application.json'; +import rule380 from './persistence_administrator_role_assigned_to_okta_user.json'; +import rule381 from './lateral_movement_executable_tool_transfer_smb.json'; +import rule382 from './command_and_control_dns_tunneling_nslookup.json'; +import rule383 from './lateral_movement_execution_from_tsclient_mup.json'; +import rule384 from './lateral_movement_rdp_sharprdp_target.json'; +import rule385 from './defense_evasion_clearing_windows_security_logs.json'; +import rule386 from './persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.json'; +import rule387 from './execution_suspicious_short_program_name.json'; +import rule388 from './lateral_movement_incoming_wmi.json'; +import rule389 from './persistence_via_hidden_run_key_valuename.json'; +import rule390 from './credential_access_potential_ssh_bruteforce.json'; +import rule391 from './credential_access_promt_for_pwd_via_osascript.json'; +import rule392 from './lateral_movement_remote_services.json'; +import rule393 from './application_added_to_google_workspace_domain.json'; +import rule394 from './domain_added_to_google_workspace_trusted_domains.json'; +import rule395 from './execution_suspicious_image_load_wmi_ms_office.json'; +import rule396 from './execution_suspicious_powershell_imgload.json'; +import rule397 from './google_workspace_admin_role_deletion.json'; +import rule398 from './google_workspace_mfa_enforcement_disabled.json'; +import rule399 from './google_workspace_policy_modified.json'; +import rule400 from './mfa_disabled_for_google_workspace_organization.json'; +import rule401 from './persistence_evasion_registry_ifeo_injection.json'; +import rule402 from './persistence_google_workspace_admin_role_assigned_to_user.json'; +import rule403 from './persistence_google_workspace_custom_admin_role_created.json'; +import rule404 from './persistence_google_workspace_role_modified.json'; +import rule405 from './persistence_suspicious_image_load_scheduled_task_ms_office.json'; +import rule406 from './defense_evasion_masquerading_trusted_directory.json'; +import rule407 from './exfiltration_microsoft_365_exchange_transport_rule_creation.json'; +import rule408 from './initial_access_microsoft_365_exchange_safelinks_disabled.json'; +import rule409 from './microsoft_365_exchange_dkim_signing_config_disabled.json'; +import rule410 from './persistence_appcertdlls_registry.json'; +import rule411 from './persistence_appinitdlls_registry.json'; +import rule412 from './persistence_registry_uncommon.json'; +import rule413 from './persistence_run_key_and_startup_broad.json'; +import rule414 from './persistence_services_registry.json'; +import rule415 from './persistence_startup_folder_file_written_by_suspicious_process.json'; +import rule416 from './persistence_startup_folder_scripts.json'; +import rule417 from './persistence_suspicious_com_hijack_registry.json'; +import rule418 from './persistence_via_lsa_security_support_provider_registry.json'; +import rule419 from './defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.json'; +import rule420 from './defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.json'; +import rule421 from './defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.json'; +import rule422 from './exfiltration_microsoft_365_exchange_transport_rule_mod.json'; +import rule423 from './initial_access_microsoft_365_exchange_anti_phish_policy_deletion.json'; +import rule424 from './initial_access_microsoft_365_exchange_anti_phish_rule_mod.json'; +import rule425 from './lateral_movement_suspicious_rdp_client_imageload.json'; +import rule426 from './persistence_runtime_run_key_startup_susp_procs.json'; +import rule427 from './persistence_suspicious_scheduled_task_runtime.json'; +import rule428 from './defense_evasion_microsoft_365_exchange_dlp_policy_removed.json'; +import rule429 from './lateral_movement_scheduled_task_target.json'; +import rule430 from './persistence_microsoft_365_exchange_management_role_assignment.json'; +import rule431 from './persistence_microsoft_365_teams_guest_access_enabled.json'; +import rule432 from './credential_access_dump_registry_hives.json'; +import rule433 from './defense_evasion_scheduledjobs_at_protocol_enabled.json'; +import rule434 from './persistence_ms_outlook_vba_template.json'; +import rule435 from './persistence_suspicious_service_created_registry.json'; +import rule436 from './privilege_escalation_named_pipe_impersonation.json'; +import rule437 from './credential_access_cmdline_dump_tool.json'; +import rule438 from './credential_access_copy_ntds_sam_volshadowcp_cmdline.json'; +import rule439 from './credential_access_lsass_memdump_file_created.json'; +import rule440 from './lateral_movement_incoming_winrm_shell_execution.json'; +import rule441 from './lateral_movement_powershell_remoting_target.json'; +import rule442 from './defense_evasion_hide_encoded_executable_registry.json'; +import rule443 from './defense_evasion_port_forwarding_added_registry.json'; +import rule444 from './lateral_movement_rdp_enabled_registry.json'; +import rule445 from './privilege_escalation_printspooler_registry_copyfiles.json'; +import rule446 from './privilege_escalation_rogue_windir_environment_var.json'; +import rule447 from './initial_access_scripts_process_started_via_wmi.json'; +import rule448 from './command_and_control_iexplore_via_com.json'; +import rule449 from './command_and_control_remote_file_copy_scripts.json'; +import rule450 from './persistence_local_scheduled_task_scripting.json'; +import rule451 from './persistence_startup_folder_file_written_by_unsigned_process.json'; +import rule452 from './command_and_control_remote_file_copy_powershell.json'; +import rule453 from './credential_access_microsoft_365_brute_force_user_account_attempt.json'; +import rule454 from './microsoft_365_teams_custom_app_interaction_allowed.json'; +import rule455 from './persistence_microsoft_365_teams_external_access_enabled.json'; +import rule456 from './credential_access_microsoft_365_potential_password_spraying_attack.json'; +import rule457 from './defense_evasion_stop_process_service_threshold.json'; +import rule458 from './collection_winrar_encryption.json'; +import rule459 from './defense_evasion_unusual_dir_ads.json'; +import rule460 from './discovery_admin_recon.json'; +import rule461 from './discovery_file_dir_discovery.json'; +import rule462 from './discovery_net_view.json'; +import rule463 from './discovery_query_registry_via_reg.json'; +import rule464 from './discovery_remote_system_discovery_commands_windows.json'; +import rule465 from './persistence_via_windows_management_instrumentation_event_subscription.json'; +import rule466 from './execution_scripting_osascript_exec_followed_by_netcon.json'; +import rule467 from './execution_shell_execution_via_apple_scripting.json'; +import rule468 from './persistence_creation_change_launch_agents_file.json'; +import rule469 from './persistence_creation_modif_launch_deamon_sequence.json'; +import rule470 from './persistence_folder_action_scripts_runtime.json'; +import rule471 from './persistence_login_logout_hooks_defaults.json'; +import rule472 from './privilege_escalation_explicit_creds_via_scripting.json'; +import rule473 from './command_and_control_sunburst_c2_activity_detected.json'; +import rule474 from './defense_evasion_azure_application_credential_modification.json'; +import rule475 from './defense_evasion_azure_service_principal_addition.json'; +import rule476 from './defense_evasion_solarwinds_backdoor_service_disabled_via_registry.json'; +import rule477 from './execution_apt_solarwinds_backdoor_child_cmd_powershell.json'; +import rule478 from './execution_apt_solarwinds_backdoor_unusual_child_processes.json'; +import rule479 from './initial_access_azure_active_directory_powershell_signin.json'; +import rule480 from './collection_email_powershell_exchange_mailbox.json'; +import rule481 from './collection_persistence_powershell_exch_mailbox_activesync_add_device.json'; +import rule482 from './execution_scheduled_task_powershell_source.json'; +import rule483 from './persistence_docker_shortcuts_plist_modification.json'; +import rule484 from './persistence_evasion_hidden_local_account_creation.json'; +import rule485 from './persistence_finder_sync_plugin_pluginkit.json'; +import rule486 from './discovery_security_software_grep.json'; +import rule487 from './credential_access_cookies_chromium_browsers_debugging.json'; +import rule488 from './credential_access_ssh_backdoor_log.json'; +import rule489 from './persistence_credential_access_modify_auth_module_or_config.json'; +import rule490 from './persistence_credential_access_modify_ssh_binaries.json'; +import rule491 from './credential_access_collection_sensitive_files.json'; +import rule492 from './persistence_ssh_authorized_keys_modification.json'; +import rule493 from './defense_evasion_defender_disabled_via_registry.json'; +import rule494 from './defense_evasion_privacy_controls_tcc_database_modification.json'; +import rule495 from './execution_initial_access_suspicious_browser_childproc.json'; +import rule496 from './execution_script_via_automator_workflows.json'; +import rule497 from './persistence_modification_sublime_app_plugin_or_script.json'; +import rule498 from './privilege_escalation_applescript_with_admin_privs.json'; +import rule499 from './credential_access_dumping_keychain_security.json'; +import rule500 from './initial_access_azure_active_directory_high_risk_signin.json'; +import rule501 from './initial_access_suspicious_mac_ms_office_child_process.json'; +import rule502 from './credential_access_mitm_localhost_webproxy.json'; +import rule503 from './persistence_kde_autostart_modification.json'; +import rule504 from './persistence_user_account_added_to_privileged_group_ad.json'; +import rule505 from './defense_evasion_attempt_to_disable_gatekeeper.json'; +import rule506 from './defense_evasion_sandboxed_office_app_suspicious_zip_file.json'; +import rule507 from './persistence_emond_rules_file_creation.json'; +import rule508 from './persistence_emond_rules_process_execution.json'; +import rule509 from './discovery_users_domain_built_in_commands.json'; +import rule510 from './execution_pentest_eggshell_remote_admin_tool.json'; +import rule511 from './defense_evasion_install_root_certificate.json'; +import rule512 from './persistence_credential_access_authorization_plugin_creation.json'; +import rule513 from './persistence_directory_services_plugins_modification.json'; +import rule514 from './defense_evasion_modify_environment_launchctl.json'; +import rule515 from './defense_evasion_safari_config_change.json'; +import rule516 from './defense_evasion_apple_softupdates_modification.json'; +import rule517 from './persistence_cron_jobs_creation_and_runtime.json'; +import rule518 from './credential_access_mod_wdigest_security_provider.json'; +import rule519 from './credential_access_saved_creds_vaultcmd.json'; +import rule520 from './defense_evasion_file_creation_mult_extension.json'; +import rule521 from './execution_enumeration_via_wmiprvse.json'; +import rule522 from './execution_suspicious_jar_child_process.json'; +import rule523 from './persistence_shell_profile_modification.json'; +import rule524 from './persistence_suspicious_calendar_modification.json'; +import rule525 from './persistence_time_provider_mod.json'; +import rule526 from './privilege_escalation_exploit_adobe_acrobat_updater.json'; +import rule527 from './defense_evasion_sip_provider_mod.json'; +import rule528 from './execution_com_object_xwizard.json'; +import rule529 from './privilege_escalation_disable_uac_registry.json'; +import rule530 from './defense_evasion_unusual_ads_file_creation.json'; +import rule531 from './persistence_loginwindow_plist_modification.json'; +import rule532 from './persistence_periodic_tasks_file_mdofiy.json'; +import rule533 from './persistence_via_atom_init_file_modification.json'; +import rule534 from './privilege_escalation_lsa_auth_package.json'; +import rule535 from './privilege_escalation_port_monitor_print_pocessor_abuse.json'; +import rule536 from './credential_access_dumping_hashes_bi_cmds.json'; +import rule537 from './lateral_movement_mounting_smb_share.json'; +import rule538 from './privilege_escalation_echo_nopasswd_sudoers.json'; +import rule539 from './privilege_escalation_ld_preload_shared_object_modif.json'; +import rule540 from './privilege_escalation_root_crontab_filemod.json'; +import rule541 from './defense_evasion_create_mod_root_certificate.json'; +import rule542 from './privilege_escalation_sudo_buffer_overflow.json'; export const rawRules = [ rule1, @@ -934,4 +1015,85 @@ export const rawRules = [ rule459, rule460, rule461, + rule462, + rule463, + rule464, + rule465, + rule466, + rule467, + rule468, + rule469, + rule470, + rule471, + rule472, + rule473, + rule474, + rule475, + rule476, + rule477, + rule478, + rule479, + rule480, + rule481, + rule482, + rule483, + rule484, + rule485, + rule486, + rule487, + rule488, + rule489, + rule490, + rule491, + rule492, + rule493, + rule494, + rule495, + rule496, + rule497, + rule498, + rule499, + rule500, + rule501, + rule502, + rule503, + rule504, + rule505, + rule506, + rule507, + rule508, + rule509, + rule510, + rule511, + rule512, + rule513, + rule514, + rule515, + rule516, + rule517, + rule518, + rule519, + rule520, + rule521, + rule522, + rule523, + rule524, + rule525, + rule526, + rule527, + rule528, + rule529, + rule530, + rule531, + rule532, + rule533, + rule534, + rule535, + rule536, + rule537, + rule538, + rule539, + rule540, + rule541, + rule542, ]; diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_azure_active_directory_high_risk_signin.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_azure_active_directory_high_risk_signin.json new file mode 100644 index 00000000000000..230c5e33b75610 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_azure_active_directory_high_risk_signin.json @@ -0,0 +1,53 @@ +{ + "author": [ + "Elastic", + "Willem D'Haese" + ], + "description": "Identifies high risk Azure Active Directory (AD) sign-ins by leveraging Microsoft's Identity Protection machine learning and heuristics. Identity Protection categorizes risk into three tiers: low, medium, and high. While Microsoft does not provide specific details about how risk is calculated, each level brings higher confidence that the user or sign-in is compromised.", + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-azure.*" + ], + "language": "kuery", + "license": "Elastic License", + "name": "Azure Active Directory High Risk Sign-in", + "note": "The Azure Fleet Integration or Filebeat module must be enabled to use this rule.", + "query": "event.dataset:azure.signinlogs and azure.signinlogs.properties.risk_level_during_signin:high and event.outcome:(success or Success)", + "references": [ + "https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-risk", + "https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection", + "https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk" + ], + "risk_score": 73, + "rule_id": "37994bca-0611-4500-ab67-5588afe73b77", + "severity": "high", + "tags": [ + "Elastic", + "Cloud", + "Azure", + "Continuous Monitoring", + "SecOps", + "Identity and Access" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_login_failures.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_login_failures.json new file mode 100644 index 00000000000000..e825c1b14e30cc --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_login_failures.json @@ -0,0 +1,61 @@ +{ + "author": [ + "Elastic" + ], + "description": "Identifies that the maximum number of failed login attempts has been reached for a user.", + "index": [ + "auditbeat-*" + ], + "language": "kuery", + "license": "Elastic License", + "name": "Auditd Max Failed Login Attempts", + "query": "event.module:auditd and event.action:\"failed-log-in-too-many-times-to\"", + "references": [ + "https://github.com/linux-pam/linux-pam/blob/0adbaeb273da1d45213134aa271e95987103281c/modules/pam_faillock/pam_faillock.c#L574" + ], + "risk_score": 47, + "rule_id": "fb9937ce-7e21-46bf-831d-1ad96eac674d", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Initial Access" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_login_location.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_login_location.json new file mode 100644 index 00000000000000..81599a9c524a09 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_login_location.json @@ -0,0 +1,61 @@ +{ + "author": [ + "Elastic" + ], + "description": "Identifies that a login attempt has happened from a forbidden location.", + "index": [ + "auditbeat-*" + ], + "language": "kuery", + "license": "Elastic License", + "name": "Auditd Login from Forbidden Location", + "query": "event.module:auditd and event.action:\"attempted-log-in-from-unusual-place-to\"", + "references": [ + "https://github.com/linux-pam/linux-pam/blob/aac5a8fdc4aa3f7e56335a6343774cc1b63b408d/modules/pam_access/pam_access.c#L412" + ], + "risk_score": 73, + "rule_id": "cab4f01c-793f-4a54-a03e-e5d85b96d7af", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Initial Access" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_login_sessions.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_login_sessions.json new file mode 100644 index 00000000000000..2c885590925159 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_login_sessions.json @@ -0,0 +1,61 @@ +{ + "author": [ + "Elastic" + ], + "description": "Identifies that the maximum number login sessions has been reached for a user.", + "index": [ + "auditbeat-*" + ], + "language": "kuery", + "license": "Elastic License", + "name": "Auditd Max Login Sessions", + "query": "event.module:auditd and event.action:\"opened-too-many-sessions-to\"", + "references": [ + "https://github.com/linux-pam/linux-pam/blob/70c32cc6fca51338f92afa58eb75b1107a5c2430/modules/pam_limits/pam_limits.c#L1007" + ], + "risk_score": 47, + "rule_id": "20dc4620-3b68-4269-8124-ca5091e00ea8", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Initial Access" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_login_time.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_login_time.json new file mode 100644 index 00000000000000..ca343e7ef9cc09 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_login_time.json @@ -0,0 +1,61 @@ +{ + "author": [ + "Elastic" + ], + "description": "Identifies that a login attempt occurred at a forbidden time.", + "index": [ + "auditbeat-*" + ], + "language": "kuery", + "license": "Elastic License", + "name": "Auditd Login Attempt at Forbidden Time", + "query": "event.module:auditd and event.action:\"attempted-log-in-during-unusual-hour-to\"", + "references": [ + "https://github.com/linux-pam/linux-pam/blob/aac5a8fdc4aa3f7e56335a6343774cc1b63b408d/modules/pam_time/pam_time.c#L666" + ], + "risk_score": 47, + "rule_id": "90e28af7-1d96-4582-bf11-9a1eff21d0e5", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Initial Access" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_rdp_remote_desktop_protocol_to_the_internet.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_rdp_remote_desktop_protocol_to_the_internet.json index 05ab69a05f7dcd..024541d71b6d36 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_rdp_remote_desktop_protocol_to_the_internet.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_rdp_remote_desktop_protocol_to_the_internet.json @@ -6,6 +6,7 @@ "false_positives": [ "RDP connections may be made directly to Internet destinations in order to access Windows cloud server instances but such connections are usually made only by engineers. In such cases, only RDP gateways, bastions or jump servers may be expected Internet destinations and can be exempted from this rule. RDP may be required by some work-flows such as remote access and support for specialized software products and servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious." ], + "from": "now-9m", "index": [ "filebeat-*", "packetbeat-*", @@ -59,5 +60,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 7 + "version": 8 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_rpc_remote_procedure_call_from_the_internet.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_rpc_remote_procedure_call_from_the_internet.json index 36db52a656d289..7119e5a587c69a 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_rpc_remote_procedure_call_from_the_internet.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_rpc_remote_procedure_call_from_the_internet.json @@ -3,6 +3,7 @@ "Elastic" ], "description": "This rule detects network events that may indicate the use of RPC traffic from the Internet. RPC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector.", + "from": "now-9m", "index": [ "filebeat-*", "packetbeat-*", @@ -41,5 +42,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 7 + "version": 8 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_rpc_remote_procedure_call_to_the_internet.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_rpc_remote_procedure_call_to_the_internet.json index 8ba074438cf50a..6da4f9f55071f5 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_rpc_remote_procedure_call_to_the_internet.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_rpc_remote_procedure_call_to_the_internet.json @@ -3,6 +3,7 @@ "Elastic" ], "description": "This rule detects network events that may indicate the use of RPC traffic to the Internet. RPC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector.", + "from": "now-9m", "index": [ "filebeat-*", "packetbeat-*", @@ -41,5 +42,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 7 + "version": 8 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_script_executing_powershell.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_script_executing_powershell.json index 543aa2bcf6da13..7caa99711275b7 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_script_executing_powershell.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_script_executing_powershell.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "kuery", "license": "Elastic License", @@ -48,5 +49,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 7 + "version": 8 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_scripts_process_started_via_wmi.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_scripts_process_started_via_wmi.json index 8376bb7e62bd8b..1e7160eefdaba8 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_scripts_process_started_via_wmi.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_scripts_process_started_via_wmi.json @@ -6,12 +6,13 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", "name": "Windows Script Interpreter Executing Process via WMI", - "query": "sequence by host.id with maxspan=5s\n [library where file.name : \"wmiutils.dll\" and process.name : (\"wscript.exe\", \"cscript.exe\")]\n [process where event.type in (\"start\", \"process_started\") and\n process.parent.name : \"wmiprvse.exe\" and\n user.domain != \"NT AUTHORITY\" and\n (process.pe.original_file_name in\n (\n \"cscript.exe\",\n \"wscript.exe\",\n \"PowerShell.EXE\",\n \"Cmd.Exe\",\n \"MSHTA.EXE\",\n \"RUNDLL32.EXE\",\n \"REGSVR32.EXE\",\n \"MSBuild.exe\",\n \"InstallUtil.exe\",\n \"RegAsm.exe\",\n \"RegSvcs.exe\",\n \"msxsl.exe\",\n \"CONTROL.EXE\",\n \"EXPLORER.EXE\",\n \"Microsoft.Workflow.Compiler.exe\",\n \"msiexec.exe\"\n ) or\n process.executable : (\"C:\\\\Users\\\\*.exe\", \"C:\\\\ProgramData\\\\*.exe\")\n )\n ]\n", + "query": "sequence by host.id with maxspan = 5s\n [library where dll.name : \"wmiutils.dll\" and process.name : (\"wscript.exe\", \"cscript.exe\")]\n [process where event.type in (\"start\", \"process_started\") and\n process.parent.name : \"wmiprvse.exe\" and\n user.domain != \"NT AUTHORITY\" and\n (process.pe.original_file_name :\n (\n \"cscript.exe\",\n \"wscript.exe\",\n \"PowerShell.EXE\",\n \"Cmd.Exe\",\n \"MSHTA.EXE\",\n \"RUNDLL32.EXE\",\n \"REGSVR32.EXE\",\n \"MSBuild.exe\",\n \"InstallUtil.exe\",\n \"RegAsm.exe\",\n \"RegSvcs.exe\",\n \"msxsl.exe\",\n \"CONTROL.EXE\",\n \"EXPLORER.EXE\",\n \"Microsoft.Workflow.Compiler.exe\",\n \"msiexec.exe\"\n ) or\n process.executable : (\"C:\\\\Users\\\\*.exe\", \"C:\\\\ProgramData\\\\*.exe\")\n )\n ]\n", "risk_score": 47, "rule_id": "b64b183e-1a76-422d-9179-7b389513e74d", "severity": "medium", @@ -47,5 +48,5 @@ } ], "type": "eql", - "version": 1 + "version": 2 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_smb_windows_file_sharing_activity_to_the_internet.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_smb_windows_file_sharing_activity_to_the_internet.json index aefcfa4e692715..4b480cf9b054f4 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_smb_windows_file_sharing_activity_to_the_internet.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_smb_windows_file_sharing_activity_to_the_internet.json @@ -3,6 +3,7 @@ "Elastic" ], "description": "This rule detects network events that may indicate the use of Windows file sharing (also called SMB or CIFS) traffic to the Internet. SMB is commonly used within networks to share files, printers, and other system resources amongst trusted systems. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector or for data exfiltration.", + "from": "now-9m", "index": [ "filebeat-*", "packetbeat-*", @@ -56,5 +57,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 7 + "version": 8 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_suspicious_mac_ms_office_child_process.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_suspicious_mac_ms_office_child_process.json new file mode 100644 index 00000000000000..638db6727a7265 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_suspicious_mac_ms_office_child_process.json @@ -0,0 +1,54 @@ +{ + "author": [ + "Elastic" + ], + "description": "Identifies suspicious child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, and Excel). These child processes are often launched during exploitation of Office applications or by documents with malicious macros.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License", + "name": "Suspicious macOS MS Office Child Process", + "query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name:(\"Microsoft Word\", \"Microsoft PowerPoint\", \"Microsoft Excel\") and\n process.name:\n (\n \"bash\", \n \"dash\", \n \"sh\", \n \"tcsh\", \n \"csh\", \n \"zsh\", \n \"ksh\", \n \"fish\", \n \"python*\", \n \"perl*\", \n \"php*\", \n \"osascript\",\n \"pwsh\", \n \"curl\", \n \"wget\", \n \"cp\", \n \"mv\", \n \"base64\", \n \"launchctl\"\n )\n", + "references": [ + "https://blog.malwarebytes.com/cybercrime/2017/02/microsoft-office-macro-malware-targets-macs/" + ], + "risk_score": 47, + "rule_id": "66da12b1-ac83-40eb-814c-07ed1d82b7b9", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Execution" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/", + "subtechnique": [ + { + "id": "T1566.001", + "name": "Spearphishing Attachment", + "reference": "https://attack.mitre.org/techniques/T1566/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_suspicious_ms_office_child_process.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_suspicious_ms_office_child_process.json index 91dcfd13664093..1749be1142255f 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_suspicious_ms_office_child_process.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_suspicious_ms_office_child_process.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", @@ -48,5 +49,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 7 + "version": 8 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_suspicious_ms_outlook_child_process.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_suspicious_ms_outlook_child_process.json index 533996d75dcd4c..03c145779f3d51 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_suspicious_ms_outlook_child_process.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_suspicious_ms_outlook_child_process.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "kuery", "license": "Elastic License", @@ -48,5 +49,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 7 + "version": 8 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_unusual_dns_service_children.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_unusual_dns_service_children.json index 6e5f0cb13417c2..4dad8ac892806c 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_unusual_dns_service_children.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_unusual_dns_service_children.json @@ -6,9 +6,11 @@ "false_positives": [ "Werfault.exe will legitimately spawn when dns.exe crashes, but the DNS service is very stable and so this is a low occurring event. Denial of Service (DoS) attempts by intentionally crashing the service will also cause werfault.exe to spawn." ], + "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "kuery", "license": "Elastic License", @@ -49,5 +51,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 3 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_unusual_dns_service_file_writes.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_unusual_dns_service_file_writes.json index 7f73196493e48f..f8b58c5affe9e0 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_unusual_dns_service_file_writes.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_unusual_dns_service_file_writes.json @@ -3,9 +3,11 @@ "Elastic" ], "description": "Identifies an unexpected file being modified by dns.exe, the process responsible for Windows DNS Server services, which may indicate activity related to remote code execution or other forms of exploitation.", + "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "kuery", "license": "Elastic License", @@ -45,5 +47,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 3 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_via_explorer_suspicious_child_parent_args.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_via_explorer_suspicious_child_parent_args.json index 8ef22da2319c9d..d88b8b06d09aab 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_via_explorer_suspicious_child_parent_args.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_via_explorer_suspicious_child_parent_args.json @@ -6,13 +6,14 @@ "from": "now-9m", "index": [ "logs-endpoint.events.*", - "winlogbeat-*" + "winlogbeat-*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", "name": "Suspicious Explorer Child Process", "query": "process where event.type in (\"start\", \"process_started\") and\n process.name : (\"cscript.exe\", \"wscript.exe\", \"powershell.exe\", \"rundll32.exe\", \"cmd.exe\", \"mshta.exe\", \"regsvr32.exe\") and\n /* Explorer started via DCOM */\n process.parent.name : \"explorer.exe\" and process.parent.args : \"-Embedding\"\n", - "risk_score": 43, + "risk_score": 47, "rule_id": "9a5b4e31-6cde-4295-9ff7-6be1b8567e1b", "severity": "medium", "tags": [ @@ -53,5 +54,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_cmd_service.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_cmd_service.json index db35602753ab02..7e6aece1c359f2 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_cmd_service.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_cmd_service.json @@ -6,12 +6,13 @@ "from": "now-9m", "index": [ "logs-endpoint.events.*", - "winlogbeat-*" + "winlogbeat-*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", "name": "Service Command Lateral Movement", - "query": "sequence by process.entity_id with maxspan=1m\n [process where event.type in (\"start\", \"process_started\") and\n /* uncomment once in winlogbeat */\n (process.name == \"sc.exe\" /* or process.pe.original_file_name == \"sc.exe\" */ ) and\n /* case insensitive */\n wildcard(process.args, \"\\\\\\\\*\") and wildcard(process.args, \"binPath=*\", \"binpath=*\") and\n (process.args : \"create\" or\n process.args : \"config\" or\n process.args : \"failure\" or\n process.args : \"start\")]\n [network where process.name : \"sc.exe\" and destination.ip != \"127.0.0.1\"]\n", + "query": "sequence by process.entity_id with maxspan = 1m\n [process where event.type in (\"start\", \"process_started\") and\n (process.name : \"sc.exe\" or process.pe.original_file_name : \"sc.exe\") and\n process.args : \"\\\\\\\\*\" and process.args : (\"binPath=*\", \"binpath=*\") and\n process.args : (\"create\", \"config\", \"failure\", \"start\")]\n [network where process.name : \"sc.exe\" and destination.ip != \"127.0.0.1\"]\n", "risk_score": 21, "rule_id": "d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc", "severity": "low", @@ -84,5 +85,5 @@ } ], "type": "eql", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_credential_access_kerberos_bifrostconsole.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_credential_access_kerberos_bifrostconsole.json new file mode 100644 index 00000000000000..467ebb045190bb --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_credential_access_kerberos_bifrostconsole.json @@ -0,0 +1,71 @@ +{ + "author": [ + "Elastic" + ], + "description": "Identifies use of Bifrost, a known macOS Kerberos pentesting tool, which can be used to dump cached Kerberos tickets or attempt unauthorized authentication techniques such as pass-the-ticket/hash and kerberoasting.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License", + "name": "Potential Kerberos Attack via Bifrost", + "query": "event.category:process and event.type:start and process.args:(\"-action\" and (\"-kerberoast\" or askhash or asktgs or asktgt or s4u or (\"-ticket\" and ptt) or (dump and (tickets or keytab))))", + "references": [ + "https://github.com/its-a-feature/bifrost" + ], + "risk_score": 73, + "rule_id": "16904215-2c95-4ac8-bf5c-12354e047192", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Credential Access", + "Lateral Movement" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1550", + "name": "Use Alternate Authentication Material", + "reference": "https://attack.mitre.org/techniques/T1550/", + "subtechnique": [ + { + "id": "T1550.003", + "name": "Pass the Ticket", + "reference": "https://attack.mitre.org/techniques/T1550/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1558", + "name": "Steal or Forge Kerberos Tickets", + "reference": "https://attack.mitre.org/techniques/T1558/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_dcom_hta.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_dcom_hta.json index 590f82e31b36b1..16069d546ba6ad 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_dcom_hta.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_dcom_hta.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", @@ -43,5 +44,5 @@ } ], "type": "eql", - "version": 1 + "version": 2 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_dcom_mmc20.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_dcom_mmc20.json index 5dee8493d57ad8..7aa04a808ca998 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_dcom_mmc20.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_dcom_mmc20.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", @@ -43,5 +44,5 @@ } ], "type": "eql", - "version": 1 + "version": 2 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_dcom_shellwindow_shellbrowserwindow.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_dcom_shellwindow_shellbrowserwindow.json index 4e04dc1d458cb3..d8c4dfb5d2a73f 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_dcom_shellwindow_shellbrowserwindow.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_dcom_shellwindow_shellbrowserwindow.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", @@ -43,5 +44,5 @@ } ], "type": "eql", - "version": 1 + "version": 2 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_direct_outbound_smb_connection.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_direct_outbound_smb_connection.json index bb461cc8321e11..6e68d545d6672f 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_direct_outbound_smb_connection.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_direct_outbound_smb_connection.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", @@ -40,5 +41,5 @@ } ], "type": "eql", - "version": 5 + "version": 6 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_executable_tool_transfer_smb.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_executable_tool_transfer_smb.json index bc3f48904c43f5..6d82b129a3a707 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_executable_tool_transfer_smb.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_executable_tool_transfer_smb.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "logs-endpoint.events.*", - "winlogbeat-*" + "winlogbeat-*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", @@ -40,5 +41,5 @@ } ], "type": "eql", - "version": 1 + "version": 2 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_execution_from_tsclient_mup.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_execution_from_tsclient_mup.json index f3ce3a677bd295..b3eee1df24f772 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_execution_from_tsclient_mup.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_execution_from_tsclient_mup.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "logs-endpoint.events.*", - "winlogbeat-*" + "winlogbeat-*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", @@ -44,5 +45,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_execution_via_file_shares_sequence.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_execution_via_file_shares_sequence.json index be4ad485fdbe48..81a9fc221a4a77 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_execution_via_file_shares_sequence.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_execution_via_file_shares_sequence.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "logs-endpoint.events.*", - "winlogbeat-*" + "winlogbeat-*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", @@ -50,5 +51,5 @@ } ], "type": "eql", - "version": 1 + "version": 2 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_incoming_winrm_shell_execution.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_incoming_winrm_shell_execution.json index 0c9453940b3bc9..56f465b8b3b31e 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_incoming_winrm_shell_execution.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_incoming_winrm_shell_execution.json @@ -9,7 +9,8 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", @@ -43,5 +44,5 @@ } ], "type": "eql", - "version": 1 + "version": 2 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_incoming_wmi.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_incoming_wmi.json index e08c758f6f693e..9c7f4948a0cd11 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_incoming_wmi.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_incoming_wmi.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "logs-endpoint.events.*", - "winlogbeat-*" + "winlogbeat-*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", @@ -49,5 +50,5 @@ } ], "type": "eql", - "version": 1 + "version": 2 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_local_service_commands.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_local_service_commands.json index 3a04f62733a30b..21569be362998e 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_local_service_commands.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_local_service_commands.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "kuery", "license": "Elastic License", @@ -41,5 +42,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 7 + "version": 8 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_mount_hidden_or_webdav_share_net.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_mount_hidden_or_webdav_share_net.json index 0eade2646dcd8b..13d51e51636ede 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_mount_hidden_or_webdav_share_net.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_mount_hidden_or_webdav_share_net.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "logs-endpoint.events.*", - "winlogbeat-*" + "winlogbeat-*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", @@ -48,5 +49,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_mounting_smb_share.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_mounting_smb_share.json new file mode 100644 index 00000000000000..702d87b105f659 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_mounting_smb_share.json @@ -0,0 +1,56 @@ +{ + "author": [ + "Elastic" + ], + "description": "Identifies the execution of macOS built-in commands to mount a Server Message Block (SMB) network share. Adversaries may use valid accounts to interact with a remote network share using SMB.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License", + "name": "Attempt to Mount SMB Share via Command Line", + "query": "process where event.type in (\"start\", \"process_started\") and\n (\n process.name : \"mount_smbfs\" or\n (process.name : \"open\" and process.args : \"smb://*\") or\n (process.name : \"mount\" and process.args : \"smbfs\") or\n (process.name : \"osascript\" and process.command_line : \"osascript*mount volume*smb://*\")\n )\n", + "references": [ + "https://www.freebsd.org/cgi/man.cgi?mount_smbfs", + "https://ss64.com/osx/mount.html" + ], + "risk_score": 21, + "rule_id": "661545b4-1a90-4f45-85ce-2ebd7c6a15d0", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Lateral Movement" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/", + "subtechnique": [ + { + "id": "T1021.002", + "name": "SMB/Windows Admin Shares", + "reference": "https://attack.mitre.org/techniques/T1021/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_powershell_remoting_target.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_powershell_remoting_target.json index aae62e66ad2557..b384ed97c146dd 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_powershell_remoting_target.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_powershell_remoting_target.json @@ -9,7 +9,8 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", @@ -18,7 +19,7 @@ "references": [ "https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/running-remote-commands?view=powershell-7.1" ], - "risk_score": 43, + "risk_score": 47, "rule_id": "2772264c-6fb9-4d9d-9014-b416eed21254", "severity": "medium", "tags": [ @@ -46,5 +47,5 @@ } ], "type": "eql", - "version": 1 + "version": 2 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_rdp_enabled_registry.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_rdp_enabled_registry.json index 8c51622b0ab52c..f823fdb9908126 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_rdp_enabled_registry.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_rdp_enabled_registry.json @@ -6,13 +6,14 @@ "from": "now-9m", "index": [ "logs-endpoint.events.*", - "winlogbeat-*" + "winlogbeat-*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", "name": "RDP Enabled via Registry", "query": "registry where\nregistry.path : \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Terminal Server\\\\fDenyTSConnections\" and\nregistry.data.strings == \"0\" and not (process.name : \"svchost.exe\" and user.domain == \"NT AUTHORITY\") and\nnot process.executable : \"C:\\\\Windows\\\\System32\\\\SystemPropertiesRemote.exe\"\n", - "risk_score": 43, + "risk_score": 47, "rule_id": "58aa72ca-d968-4f34-b9f7-bea51d75eb50", "severity": "medium", "tags": [ @@ -41,5 +42,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_rdp_sharprdp_target.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_rdp_sharprdp_target.json index 9a9a9d0e7a202d..3927c20bd54180 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_rdp_sharprdp_target.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_rdp_sharprdp_target.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "logs-endpoint.events.*", - "winlogbeat-*" + "winlogbeat-*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", @@ -44,5 +45,5 @@ } ], "type": "eql", - "version": 1 + "version": 2 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_rdp_tunnel_plink.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_rdp_tunnel_plink.json index 9f1ca61b4c62fe..b103b9962aec3a 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_rdp_tunnel_plink.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_rdp_tunnel_plink.json @@ -6,12 +6,13 @@ "from": "now-9m", "index": [ "logs-endpoint.events.*", - "winlogbeat-*" + "winlogbeat-*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", "name": "Potential Remote Desktop Tunneling Detected", - "query": "process where event.type in (\"start\", \"process_started\", \"info\") and \n/* RDP port and usual SSH tunneling related switches in commandline */\nwildcard(process.args, \"*:3389\") and wildcard(process.args,\"-L\", \"-P\", \"-R\", \"-pw\", \"-ssh\")\n", + "query": "process where event.type in (\"start\", \"process_started\") and\n /* RDP port and usual SSH tunneling related switches in command line */\n process.args : \"*:3389\" and\n process.args : (\"-L\", \"-P\", \"-R\", \"-pw\", \"-ssh\")\n", "references": [ "https://blog.netspi.com/how-to-access-rdp-over-a-reverse-ssh-tunnel/" ], @@ -44,5 +45,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_remote_file_copy_hidden_share.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_remote_file_copy_hidden_share.json index 44d36351afbc96..d9427ca3415984 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_remote_file_copy_hidden_share.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_remote_file_copy_hidden_share.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "logs-endpoint.events.*", - "winlogbeat-*" + "winlogbeat-*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", @@ -48,5 +49,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_remote_services.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_remote_services.json index 9d202cf61243d3..f6d612b73dc385 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_remote_services.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_remote_services.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "logs-endpoint.events.*", - "winlogbeat-*" + "winlogbeat-*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", @@ -41,5 +42,5 @@ } ], "type": "eql", - "version": 1 + "version": 2 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_remote_ssh_login_enabled.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_remote_ssh_login_enabled.json index 109ed483653f55..42472277b20c55 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_remote_ssh_login_enabled.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_remote_ssh_login_enabled.json @@ -11,10 +11,11 @@ "language": "kuery", "license": "Elastic License", "name": "Remote SSH Login Enabled via systemsetup Command", - "query": "event.category:process and event.type:(start or process_started) and process.name:systemsetup and process.args:(\"-f\" and \"-setremotelogin\" and on)", + "query": "event.category:process and event.type:(start or process_started) and process.name:systemsetup and process.args:(\"-setremotelogin\" and on)", "references": [ "https://documents.trendmicro.com/assets/pdf/XCSSET_Technical_Brief.pdf", - "https://ss64.com/osx/systemsetup.html" + "https://ss64.com/osx/systemsetup.html", + "https://support.apple.com/guide/remote-desktop/about-systemsetup-apd95406b8d/mac" ], "risk_score": 47, "rule_id": "5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc", @@ -45,5 +46,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_scheduled_task_target.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_scheduled_task_target.json index ca29829849a0e5..245a6b4baf8d80 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_scheduled_task_target.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_scheduled_task_target.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "logs-endpoint.events.*", - "winlogbeat-*" + "winlogbeat-*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", @@ -56,5 +57,5 @@ } ], "type": "eql", - "version": 1 + "version": 2 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_suspicious_rdp_client_imageload.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_suspicious_rdp_client_imageload.json index 522b57a1b7966e..9da368ca4e9140 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_suspicious_rdp_client_imageload.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_suspicious_rdp_client_imageload.json @@ -6,12 +6,13 @@ "from": "now-9m", "index": [ "logs-endpoint.events.*", - "winlogbeat-*" + "winlogbeat-*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", "name": "Suspicious RDP ActiveX Client Loaded", - "query": "library where file.name == \"mstscax.dll\" and\n /* depending on noise in your env add here extra paths */\n wildcard(process.executable, \"C:\\\\Windows\\\\*\",\n \"C:\\\\Users\\\\Public\\\\*\",\n \"C:\\\\Users\\\\Default\\\\*\",\n \"C:\\\\Intel\\\\*\",\n \"C:\\\\PerfLogs\\\\*\",\n \"C:\\\\ProgramData\\\\*\",\n \"\\\\Device\\\\Mup\\\\*\",\n \"\\\\\\\\*\") and\n /* add here FPs */\n not process.executable in (\"C:\\\\Windows\\\\System32\\\\mstsc.exe\", \"C:\\\\Windows\\\\SysWOW64\\\\mstsc.exe\")\n", + "query": "library where dll.name : \"mstscax.dll\" and\n /* depending on noise in your env add here extra paths */\n process.executable :\n (\n \"C:\\\\Windows\\\\*\",\n \"C:\\\\Users\\\\Public\\\\*\",\n \"C:\\\\Users\\\\Default\\\\*\",\n \"C:\\\\Intel\\\\*\",\n \"C:\\\\PerfLogs\\\\*\",\n \"C:\\\\ProgramData\\\\*\",\n \"\\\\Device\\\\Mup\\\\*\",\n \"\\\\\\\\*\"\n ) and\n /* add here FPs */\n not process.executable : (\"C:\\\\Windows\\\\System32\\\\mstsc.exe\", \"C:\\\\Windows\\\\SysWOW64\\\\mstsc.exe\")\n", "references": [ "https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3" ], @@ -44,5 +45,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_via_startup_folder_rdp_smb.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_via_startup_folder_rdp_smb.json index c309f6dbdde29a..1f01a2c88fb09f 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_via_startup_folder_rdp_smb.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_via_startup_folder_rdp_smb.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "logs-endpoint.events.*", - "winlogbeat-*" + "winlogbeat-*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", @@ -66,5 +67,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_vpn_connection_attempt.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_vpn_connection_attempt.json new file mode 100644 index 00000000000000..e3cd83fc44c04e --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_vpn_connection_attempt.json @@ -0,0 +1,50 @@ +{ + "author": [ + "Elastic" + ], + "description": "Identifies the execution of macOS built-in commands to connect to an existing Virtual Private Network (VPN).", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License", + "name": "Virtual Private Network Connection Attempt", + "query": "process where event.type in (\"start\", \"process_started\") and\n (\n (process.name : \"networksetup\" and process.args : \"-connectpppoeservice\") or\n (process.name : \"scutil\" and process.args : \"--nc\" and process.args : \"start\") or\n (process.name : \"osascript\" and process.command_line : \"osascript*set VPN to service*\")\n )\n", + "references": [ + "https://github.com/rapid7/metasploit-framework/blob/master/modules/post/osx/manage/vpn.rb", + "https://www.unix.com/man-page/osx/8/networksetup/", + "https://superuser.com/questions/358513/start-configured-vpn-from-command-line-osx" + ], + "risk_score": 21, + "rule_id": "15dacaa0-5b90-466b-acab-63435a59701a", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Lateral Movement" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_account_creation_hide_at_logon.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_account_creation_hide_at_logon.json new file mode 100644 index 00000000000000..3d1f1cf63d5b82 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_account_creation_hide_at_logon.json @@ -0,0 +1,55 @@ +{ + "author": [ + "Elastic" + ], + "description": "Identifies attempts to create a local account that will be hidden from the macOS logon window. This may indicate an attempt to evade user attention while maintaining persistence using a separate local account.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License", + "name": "Potential Hidden Local User Account Creation", + "query": "event.category:process and event.type:(start or process_started) and process.name:dscl and process.args:(IsHidden and create and (true or 1 or yes))", + "references": [ + "https://support.apple.com/en-us/HT203998" + ], + "risk_score": 47, + "rule_id": "41b638a1-8ab6-4f8e-86d9-466317ef2db5", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/", + "subtechnique": [ + { + "id": "T1078.003", + "name": "Local Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_adobe_hijack_persistence.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_adobe_hijack_persistence.json index 5f569781c2d499..87e2a956888f22 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_adobe_hijack_persistence.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_adobe_hijack_persistence.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "kuery", "license": "Elastic License", @@ -48,5 +49,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 7 + "version": 8 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_app_compat_shim.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_app_compat_shim.json index 3e7bfb9f46ce5a..b0704dd78a51de 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_app_compat_shim.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_app_compat_shim.json @@ -6,12 +6,13 @@ "from": "now-9m", "index": [ "logs-endpoint.events.*", - "winlogbeat-*" + "winlogbeat-*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", "name": "Installation of Custom Shim Databases", - "query": "sequence by process.entity_id with maxspan=5m\n [process where event.type in (\"start\", \"process_started\") and\n not (process.name : \"sdbinst.exe\" and process.parent.name : \"msiexec.exe\")]\n [registry where event.type in (\"creation\", \"change\") and\n wildcard(registry.path, \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\Custom\\\\*.sdb\")]\n", + "query": "sequence by process.entity_id with maxspan = 5m\n [process where event.type in (\"start\", \"process_started\") and\n not (process.name : \"sdbinst.exe\" and process.parent.name : \"msiexec.exe\")]\n [registry where event.type in (\"creation\", \"change\") and\n registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\Custom\\\\*.sdb\"]\n", "risk_score": 21, "rule_id": "c5ce48a6-7f57-4ee8-9313-3d0024caee10", "severity": "medium", @@ -47,5 +48,5 @@ } ], "type": "eql", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_appcertdlls_registry.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_appcertdlls_registry.json index 1e8f5b339ba608..393e593bed4825 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_appcertdlls_registry.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_appcertdlls_registry.json @@ -3,9 +3,11 @@ "Elastic" ], "description": "Detects attempts to maintain persistence by creating registry keys using AppCert DLLs. AppCert DLLs are loaded by every process using the common API functions to create processes.", + "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", @@ -47,5 +49,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_appinitdlls_registry.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_appinitdlls_registry.json index b5be845a50e66e..21310499ecbd7e 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_appinitdlls_registry.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_appinitdlls_registry.json @@ -3,9 +3,11 @@ "Elastic" ], "description": "Attackers may maintain persistence by creating registry keys using AppInit DLLs. AppInit DLLs are loaded by every process using the common library, user32.dll.", + "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", @@ -47,5 +49,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_creation_hidden_login_item_osascript.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_creation_hidden_login_item_osascript.json new file mode 100644 index 00000000000000..e105b91362adb1 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_creation_hidden_login_item_osascript.json @@ -0,0 +1,75 @@ +{ + "author": [ + "Elastic" + ], + "description": "Identifies the execution of osascript to create a hidden login item. This may indicate an attempt to persist a malicious program while concealing its presence.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License", + "name": "Creation of Hidden Login Item via Apple Script", + "query": "process where event.type in (\"start\", \"process_started\") and process.name : \"osascript\" and\n process.command_line : \"osascript*login item*hidden:true*\"\n", + "risk_score": 47, + "rule_id": "f24bcae1-8980-4b30-b5dd-f851b055c9e7", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Persistence", + "Execution" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.011", + "name": "Plist Modification", + "reference": "https://attack.mitre.org/techniques/T1547/011/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.002", + "name": "AppleScript", + "reference": "https://attack.mitre.org/techniques/T1059/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_credential_access_authorization_plugin_creation.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_credential_access_authorization_plugin_creation.json new file mode 100644 index 00000000000000..1445d9c489dba0 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_credential_access_authorization_plugin_creation.json @@ -0,0 +1,57 @@ +{ + "author": [ + "Elastic" + ], + "description": "Authorization plugins are used to extend the authorization services API and implement mechanisms that are not natively supported by the OS, such as multi-factor authentication with third party software. Adversaries may abuse this feature to persist and/or collect clear text credentials as they traverse the registered plugins during user logon.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License", + "name": "Authorization Plugin Modification", + "query": "event.category:file and not event.type:deletion and file.path:(/Library/Security/SecurityAgentPlugins/* and not /Library/Security/SecurityAgentPlugins/TeamViewerAuthPlugin.bundle/Contents/*)", + "references": [ + "https://developer.apple.com/documentation/security/authorization_plug-ins", + "https://www.xorrior.com/persistent-credential-theft/" + ], + "risk_score": 47, + "rule_id": "e6c98d38-633d-4b3e-9387-42112cd5ac10", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Persistence", + "Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.002", + "name": "Authentication Package", + "reference": "https://attack.mitre.org/techniques/T1547/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_credential_access_modify_auth_module_or_config.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_credential_access_modify_auth_module_or_config.json new file mode 100644 index 00000000000000..2d250ede2832b8 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_credential_access_modify_auth_module_or_config.json @@ -0,0 +1,71 @@ +{ + "author": [ + "Elastic" + ], + "description": "Adversaries may modify the standard authentication module for persistence via patching the normal authorization process or modifying the login configuration to allow unauthorized access or elevate privileges.", + "false_positives": [ + "Trusted system module updates or allowed Pluggable Authentication Module (PAM) daemon configuration changes." + ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License", + "name": "Modification of Standard Authentication Module or Configuration", + "query": "event.category:file and event.type:change and (file.name:pam_*.so or file.path:(/etc/pam.d/* or /private/etc/pam.d/*)) and process.executable: (* and not ( /bin/yum or \"/usr/sbin/pam-auth-update\" or /usr/libexec/packagekitd or /usr/bin/dpkg or /usr/bin/vim or /usr/libexec/xpcproxy or /usr/bin/bsdtar or /usr/local/bin/brew ) )", + "references": [ + "https://github.com/zephrax/linux-pam-backdoor", + "https://github.com/eurialo/pambd", + "http://0x90909090.blogspot.com/2016/06/creating-backdoor-in-pam-in-5-line-of.html", + "https://www.trendmicro.com/en_us/research/19/i/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload.html" + ], + "risk_score": 47, + "rule_id": "93f47b6f-5728-4004-ba00-625083b3dcb0", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "macOS", + "Linux", + "Threat Detection", + "Credential Access", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1556", + "name": "Modify Authentication Process", + "reference": "https://attack.mitre.org/techniques/T1556/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_credential_access_modify_ssh_binaries.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_credential_access_modify_ssh_binaries.json new file mode 100644 index 00000000000000..8b9df12761d20c --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_credential_access_modify_ssh_binaries.json @@ -0,0 +1,67 @@ +{ + "author": [ + "Elastic" + ], + "description": "Adversaries may modify SSH related binaries for persistence or credential access by patching sensitive functions to enable unauthorized access or by logging SSH credentials for exfiltration.", + "false_positives": [ + "Trusted OpenSSH executable updates. It's recommended to verify the integrity of OpenSSH binary changes." + ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License", + "name": "Modification of OpenSSH Binaries", + "query": "event.category:file and event.type:change and process.name:* and (file.path:(/usr/sbin/sshd or /usr/bin/ssh or /usr/bin/sftp or /usr/bin/scp) or file.name:libkeyutils.so) and not process.executable:/usr/bin/dpkg", + "references": [ + "https://blog.angelalonso.es/2016/09/anatomy-of-real-linux-intrusion-part-ii.html" + ], + "risk_score": 47, + "rule_id": "0415f22a-2336-45fa-ba07-618a5942e22c", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Credential Access", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1556", + "name": "Modify Authentication Process", + "reference": "https://attack.mitre.org/techniques/T1556/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_cron_jobs_creation_and_runtime.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_cron_jobs_creation_and_runtime.json new file mode 100644 index 00000000000000..7969feb7e204c9 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_cron_jobs_creation_and_runtime.json @@ -0,0 +1,60 @@ +{ + "author": [ + "Elastic" + ], + "description": "Identifies the creation or execution of a cron job. Adversaries may abuse cron jobs to perform task scheduling for initial or recurring execution of malicious code.", + "false_positives": [ + "Legitimate software or scripts using cron jobs for recurring tasks." + ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License", + "name": "Potential Persistence via Cron Job", + "query": "event.category:process and event.type:(start or process_started or info) and not user.name:root and ((process.name:crontab and not process.args:(\"-l\" or \"-r\" or \"-e\" or \"-help\" or \"-h\")) or (process.parent.name:cron and not process.name:\"running job\" and not process.executable:(/Applications/Docker.app/Contents/Resources/bin/docker or /usr/bin/killall or /usr/sbin/sendmail or /usr/bin/env or /usr/bin/timeshift or /bin/rm)))", + "references": [ + "https://archive.f-secure.com/weblog/archives/00002576.html", + "https://ss64.com/osx/crontab.html" + ], + "risk_score": 21, + "rule_id": "b1c14366-f4f8-49a0-bcbb-51d2de8b0bb8", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Linux", + "macOS", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.003", + "name": "Cron", + "reference": "https://attack.mitre.org/techniques/T1053/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.json new file mode 100644 index 00000000000000..1c2628871b8d08 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.json @@ -0,0 +1,80 @@ +{ + "author": [ + "Elastic" + ], + "description": "Identifies the execution of a launchd child process with a hidden file. An adversary can establish persistence by installing a new logon item, launch agent, or daemon that executes upon login.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License", + "name": "Suspicious Hidden Child Process of Launchd", + "query": "event.category:process and event.type:(start or process_started) and process.name:.* and process.parent.executable:/sbin/launchd", + "references": [ + "https://objective-see.com/blog/blog_0x61.html", + "https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/", + "https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html" + ], + "risk_score": 47, + "rule_id": "083fa162-e790-4d85-9aeb-4fea04188adb", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Persistence", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.001", + "name": "Launch Agent", + "reference": "https://attack.mitre.org/techniques/T1543/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1564", + "name": "Hide Artifacts", + "reference": "https://attack.mitre.org/techniques/T1564/", + "subtechnique": [ + { + "id": "T1564.001", + "name": "Hidden Files and Directories", + "reference": "https://attack.mitre.org/techniques/T1564/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_directory_services_plugins_modification.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_directory_services_plugins_modification.json new file mode 100644 index 00000000000000..8fe0648e8e5a98 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_directory_services_plugins_modification.json @@ -0,0 +1,48 @@ +{ + "author": [ + "Elastic" + ], + "description": "Identifies the creation or modification of a DirectoryService PlugIns (dsplug) file. The DirectoryService daemonlaunches on each system boot and automatically reloads after crash. It scans and executes bundles that are located in the DirectoryServices PlugIns folder and can be abused by adversaries to maintain persistence.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License", + "name": "Persistence via DirectoryService Plugin Modification", + "query": "event.category:file and not event.type:deletion and file.path:/Library/DirectoryServices/PlugIns/*.dsplug", + "references": [ + "https://blog.chichou.me/2019/11/21/two-macos-persistence-tricks-abusing-plugins/" + ], + "risk_score": 47, + "rule_id": "89fa6cb7-6b53-4de2-b604-648488841ab8", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_docker_shortcuts_plist_modification.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_docker_shortcuts_plist_modification.json new file mode 100644 index 00000000000000..096ebc04ddeb5c --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_docker_shortcuts_plist_modification.json @@ -0,0 +1,48 @@ +{ + "author": [ + "Elastic" + ], + "description": "An adversary can establish persistence by modifying an existing macOS dock property list in order to execute a malicious application instead of the intended one when invoked.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License", + "name": "Persistence via Docker Shortcut Modification", + "query": "event.category : file and event.action : modification and file.path : /Users/*/Library/Preferences/com.apple.dock.plist and not process.name : (xpcproxy or cfprefsd or plutil or jamf or PlistBuddy or InstallerRemotePluginService)", + "references": [ + "https://github.com/specterops/presentations/raw/master/Leo Pitt/Hey_Im_Still_in_Here_Modern_macOS_Persistence_SO-CON2020.pdf" + ], + "risk_score": 47, + "rule_id": "c81cefcb-82b9-4408-a533-3c3df549e62d", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_emond_rules_file_creation.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_emond_rules_file_creation.json new file mode 100644 index 00000000000000..71375e835cf414 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_emond_rules_file_creation.json @@ -0,0 +1,55 @@ +{ + "author": [ + "Elastic" + ], + "description": "Identifies the creation or modification of the Event Monitor Daemon (emond) rules. Adversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License", + "name": "Emond Rules Creation or Modification", + "query": "file where event.type != \"deletion\" and\n file.path : (\"/private/etc/emond.d/rules/*.plist\", \"/etc/emon.d/rules/*.plist\")\n", + "references": [ + "https://www.xorrior.com/emond-persistence/" + ], + "risk_score": 47, + "rule_id": "a6bf4dd4-743e-4da8-8c03-3ebd753a6c90", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.014", + "name": "Emond", + "reference": "https://attack.mitre.org/techniques/T1546/014/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_emond_rules_process_execution.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_emond_rules_process_execution.json new file mode 100644 index 00000000000000..62e93786786b48 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_emond_rules_process_execution.json @@ -0,0 +1,55 @@ +{ + "author": [ + "Elastic" + ], + "description": "Identifies the execution of a suspicious child process of the Event Monitor Daemon (emond). Adversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License", + "name": "Suspicious Emond Child Process", + "query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name : \"emond\" and\n process.name : (\n \"bash\",\n \"dash\",\n \"sh\",\n \"tcsh\",\n \"csh\",\n \"zsh\",\n \"ksh\",\n \"fish\",\n \"Python\",\n \"python*\",\n \"perl*\",\n \"php*\",\n \"osascript\",\n \"pwsh\",\n \"curl\",\n \"wget\",\n \"cp\",\n \"mv\",\n \"touch\",\n \"echo\",\n \"base64\",\n \"launchctl\")\n", + "references": [ + "https://www.xorrior.com/emond-persistence/" + ], + "risk_score": 47, + "rule_id": "3e3d15c6-1509-479a-b125-21718372157e", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Execution", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.014", + "name": "Emond", + "reference": "https://attack.mitre.org/techniques/T1546/014/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_enable_root_account.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_enable_root_account.json new file mode 100644 index 00000000000000..e7c27e8d33caf3 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_enable_root_account.json @@ -0,0 +1,55 @@ +{ + "author": [ + "Elastic" + ], + "description": "Identifies attempts to enable the root account using the dsenableroot command. This command may be abused by adversaries for persistence, as the root account is disabled by default.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License", + "name": "Attempt to Enable the Root Account", + "query": "event.category:process and event.type:(start or process_started) and process.name:dsenableroot and not process.args:\"-d\"", + "references": [ + "https://ss64.com/osx/dsenableroot.html" + ], + "risk_score": 47, + "rule_id": "cc2fd2d0-ba3a-4939-b87f-2901764ed036", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/", + "subtechnique": [ + { + "id": "T1078.003", + "name": "Local Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_evasion_hidden_launch_agent_deamon_creation.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_evasion_hidden_launch_agent_deamon_creation.json new file mode 100644 index 00000000000000..4129a18994f112 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_evasion_hidden_launch_agent_deamon_creation.json @@ -0,0 +1,78 @@ +{ + "author": [ + "Elastic" + ], + "description": "Identifies the creation of a hidden launch agent or daemon. An adversary may establish persistence by installing a new launch agent or daemon which executes at login.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License", + "name": "Creation of Hidden Launch Agent or Daemon", + "query": "file where event.type != \"deletion\" and\n file.path : \n (\n \"/System/Library/LaunchAgents/.*.plist\",\n \"/Library/LaunchAgents/.*.plist\",\n \"/Users/*/Library/LaunchAgents/.*.plist\",\n \"/System/Library/LaunchDaemons/.*.plist\",\n \"/Library/LaunchDaemons/.*.plist\"\n )\n", + "references": [ + "https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html" + ], + "risk_score": 47, + "rule_id": "092b068f-84ac-485d-8a55-7dd9e006715f", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Persistence", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.001", + "name": "Launch Agent", + "reference": "https://attack.mitre.org/techniques/T1543/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1564", + "name": "Hide Artifacts", + "reference": "https://attack.mitre.org/techniques/T1564/", + "subtechnique": [ + { + "id": "T1564.001", + "name": "Hidden Files and Directories", + "reference": "https://attack.mitre.org/techniques/T1564/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_evasion_hidden_local_account_creation.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_evasion_hidden_local_account_creation.json new file mode 100644 index 00000000000000..bfe3c1f20cb812 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_evasion_hidden_local_account_creation.json @@ -0,0 +1,51 @@ +{ + "author": [ + "Elastic" + ], + "description": "Identifies the creation of a hidden local user account by appending the dollar sign to the account name. This is sometimes done by attackers to increase access to a system and avoid appearing in the results of accounts listing using the net users command.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License", + "name": "Creation of a Hidden Local User Account", + "query": "registry where registry.path : \"HKLM\\\\SAM\\\\SAM\\\\Domains\\\\Account\\\\Users\\\\Names\\\\*$\\\\\"\n", + "references": [ + "https://blog.menasec.net/2019/02/threat-hunting-6-hiding-in-plain-sights_8.html", + "https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/tree/master/2020/2020.12.15.Lazarus_Campaign" + ], + "risk_score": 73, + "rule_id": "2edc8076-291e-41e9-81e4-e3fcbc97ae5e", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1136", + "name": "Create Account", + "reference": "https://attack.mitre.org/techniques/T1136/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_evasion_registry_ifeo_injection.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_evasion_registry_ifeo_injection.json index 03cb315a9982ff..9e83f609ac830a 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_evasion_registry_ifeo_injection.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_evasion_registry_ifeo_injection.json @@ -3,9 +3,11 @@ "Elastic" ], "description": "The Debugger and SilentProcessExit registry keys can allow an adversary to intercept the execution of files, causing a different process to be executed. This functionality can be abused by an adversary to establish persistence.", + "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", @@ -50,5 +52,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_finder_sync_plugin_pluginkit.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_finder_sync_plugin_pluginkit.json new file mode 100644 index 00000000000000..0fa1058918a194 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_finder_sync_plugin_pluginkit.json @@ -0,0 +1,50 @@ +{ + "author": [ + "Elastic" + ], + "description": "Finder Sync plugins enable users to extend Finder\u2019s functionality by modifying the user interface. Adversaries may abuse this feature by adding a rogue Finder Plugin to repeatedly execute malicious payloads for persistence.", + "false_positives": [ + "Trusted Finder Sync Plugins" + ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License", + "name": "Finder Sync Plugin Registered and Enabled", + "query": "sequence by host.id, user.id with maxspan = 5s\n [process where event.type in (\"start\", \"process_started\") and process.name : \"pluginkit\" and process.args : \"-a\"]\n [process where event.type in (\"start\", \"process_started\") and process.name : \"pluginkit\" and\n process.args : \"-e\" and process.args : \"use\" and process.args : \"-i\" and\n not process.args :\n (\n \"com.google.GoogleDrive.FinderSyncAPIExtension\",\n \"com.google.drivefs.findersync\",\n \"com.boxcryptor.osx.Rednif\",\n \"com.adobe.accmac.ACCFinderSync\",\n \"com.microsoft.OneDrive.FinderSync\",\n \"com.insynchq.Insync.Insync-Finder-Integration\",\n \"com.box.desktop.findersyncext\"\n )\n ]\n", + "references": [ + "https://github.com/specterops/presentations/raw/master/Leo Pitt/Hey_Im_Still_in_Here_Modern_macOS_Persistence_SO-CON2020.pdf" + ], + "risk_score": 47, + "rule_id": "37f638ea-909d-4f94-9248-edd21e4a9906", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/" + } + ] + } + ], + "type": "eql", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_gpo_schtask_service_creation.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_gpo_schtask_service_creation.json index 17d2505f4aaca3..c3eb9584b7dfb2 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_gpo_schtask_service_creation.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_gpo_schtask_service_creation.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "kuery", "license": "Elastic License", @@ -41,5 +42,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 3 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_kde_autostart_modification.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_kde_autostart_modification.json new file mode 100644 index 00000000000000..2ecb3624e4fcaf --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_kde_autostart_modification.json @@ -0,0 +1,50 @@ +{ + "author": [ + "Elastic" + ], + "description": "Identifies the creation or modification of a K Desktop Environment (KDE) AutoStart script or desktop file that will execute upon each user logon. Adversaries may abuse this method for persistence.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License", + "name": "Persistence via KDE AutoStart Script or Desktop File Modification", + "query": "file where event.type != \"deletion\" and\n file.extension in (\"sh\", \"desktop\") and\n file.path :\n (\n \"/home/*/.config/autostart/*\", \"/root/.config/autostart/*\",\n \"/home/*/.kde/Autostart/*\", \"/root/.kde/Autostart/*\",\n \"/home/*/.kde4/Autostart/*\", \"/root/.kde4/Autostart/*\",\n \"/home/*/.kde/share/autostart/*\", \"/root/.kde/share/autostart/*\",\n \"/home/*/.kde4/share/autostart/*\", \"/root/.kde4/share/autostart/*\",\n \"/home/*/.local/share/autostart/*\", \"/root/.local/share/autostart/*\",\n \"/home/*/.config/autostart-scripts/*\", \"/root/.config/autostart-scripts/*\",\n \"/etc/xdg/autostart/*\", \"/usr/share/autostart/*\"\n )\n", + "references": [ + "https://userbase.kde.org/System_Settings/Autostart", + "https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/", + "https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/" + ], + "risk_score": 47, + "rule_id": "e3e904b3-0a8e-4e68-86a8-977a163e21d3", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_local_scheduled_task_commands.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_local_scheduled_task_commands.json index 3f1216c2fcc33d..da5967d6d45965 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_local_scheduled_task_commands.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_local_scheduled_task_commands.json @@ -9,7 +9,8 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "kuery", "license": "Elastic License", @@ -44,5 +45,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 6 + "version": 7 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_local_scheduled_task_scripting.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_local_scheduled_task_scripting.json index ad28885de07404..69e2eee696cb39 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_local_scheduled_task_scripting.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_local_scheduled_task_scripting.json @@ -9,14 +9,15 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", "name": "Scheduled Task Created by a Windows Script", "note": "Decode the base64 encoded Tasks Actions registry value to investigate the task's configured action.", - "query": "sequence by host.id with maxspan = 30s\n [library where file.name : \"taskschd.dll\" and process.name : (\"cscript.exe\", \"wscript.exe\", \"powershell.exe\")]\n [registry where registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tasks\\\\*\\\\Actions\"]\n", - "risk_score": 43, + "query": "sequence by host.id with maxspan = 30s\n [library where dll.name : \"taskschd.dll\" and process.name : (\"cscript.exe\", \"wscript.exe\", \"powershell.exe\")]\n [registry where registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tasks\\\\*\\\\Actions\"]\n", + "risk_score": 47, "rule_id": "689b9d57-e4d5-4357-ad17-9c334609d79a", "severity": "medium", "tags": [ @@ -44,5 +45,5 @@ } ], "type": "eql", - "version": 1 + "version": 2 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_loginwindow_plist_modification.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_loginwindow_plist_modification.json new file mode 100644 index 00000000000000..22d82b567f362e --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_loginwindow_plist_modification.json @@ -0,0 +1,56 @@ +{ + "author": [ + "Elastic" + ], + "description": "Identifies the creation or modification of the login window property list (plist). Adversaries may modify plist files to run a program during system boot or user login for persistence.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License", + "name": "Potential Persistence via Login Hook", + "note": "Starting in Mac OS X 10.7 (Lion), users can specify certain applications to be re-opened when a user reboots their machine. This can be abused to establish or maintain persistence on a compromised system.", + "query": "event.category:\"file\" and not event.type:\"deletion\" and file.name:\"com.apple.loginwindow.plist\" and process.name:(* and not (systemmigrationd or DesktopServicesHelper or diskmanagementd or rsync or launchd or cfprefsd or xpcproxy or ManagedClient or MCXCompositor))", + "references": [ + "https://github.com/D00MFist/PersistentJXA/blob/master/LoginScript.js" + ], + "risk_score": 47, + "rule_id": "ac412404-57a5-476f-858f-4e8fbb4f48d8", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.011", + "name": "Plist Modification", + "reference": "https://attack.mitre.org/techniques/T1547/011/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_modification_sublime_app_plugin_or_script.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_modification_sublime_app_plugin_or_script.json new file mode 100644 index 00000000000000..64d2b7834c95a9 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_modification_sublime_app_plugin_or_script.json @@ -0,0 +1,48 @@ +{ + "author": [ + "Elastic" + ], + "description": "Adversaries may create or modify the Sublime application plugins or scripts to execute a malicious payload each time the Sublime application is started.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License", + "name": "Sublime Plugin or Application Script Modification", + "query": "file where event.type in (\"change\", \"creation\") and file.extension : \"py\" and\n file.path : \n (\n \"/Users/*/Library/Application Support/Sublime Text*/Packages/*.py\", \n \"/Applications/Sublime Text.app/Contents/MacOS/sublime.py\"\n ) and\n not process.executable : \n (\n \"/Applications/Sublime Text*.app/Contents/MacOS/Sublime Text*\", \n \"/usr/local/Cellar/git/*/bin/git\", \n \"/usr/libexec/xpcproxy\", \n \"/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Versions/A/Resources/DesktopServicesHelper\", \n \"/Applications/Sublime Text.app/Contents/MacOS/plugin_host\"\n )\n", + "references": [ + "https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5" + ], + "risk_score": 21, + "rule_id": "88817a33-60d3-411f-ba79-7c905d865b2a", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1554", + "name": "Compromise Client Software Binary", + "reference": "https://attack.mitre.org/techniques/T1554/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_ms_office_addins_file.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_ms_office_addins_file.json index 573ff7f7b43310..7da9b515b64579 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_ms_office_addins_file.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_ms_office_addins_file.json @@ -6,16 +6,17 @@ "from": "now-9m", "index": [ "logs-endpoint.events.*", - "winlogbeat-*" + "winlogbeat-*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", "name": "Persistence via Microsoft Office AddIns", - "query": "file where event.type != \"deletion\" and\n wildcard(file.extension,\"wll\",\"xll\",\"ppa\",\"ppam\",\"xla\",\"xlam\") and\n wildcard(file.path, \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Word\\\\Startup\\\\*\",\n \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\AddIns\\\\*\",\n \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Excel\\\\XLSTART\\\\*\")\n", + "query": "file where event.type != \"deletion\" and\n file.extension : (\"wll\",\"xll\",\"ppa\",\"ppam\",\"xla\",\"xlam\") and\n file.path :\n (\n \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Word\\\\Startup\\\\*\",\n \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\AddIns\\\\*\",\n \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Excel\\\\XLSTART\\\\*\"\n )\n", "references": [ "https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-office-persistence/" ], - "risk_score": 71, + "risk_score": 73, "rule_id": "f44fa4b6-524c-4e87-8d9e-a32599e4fb7c", "severity": "high", "tags": [ @@ -44,5 +45,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_ms_outlook_vba_template.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_ms_outlook_vba_template.json index 9192ea9ab3961d..1c1eddeb91a9ed 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_ms_outlook_vba_template.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_ms_outlook_vba_template.json @@ -9,17 +9,18 @@ "from": "now-9m", "index": [ "logs-endpoint.events.*", - "winlogbeat-*" + "winlogbeat-*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", "name": "Persistence via Microsoft Outlook VBA", - "query": "file where event.type != \"deletion\" and\n wildcard(file.path, \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Outlook\\\\VbaProject.OTM\")\n", + "query": "file where event.type != \"deletion\" and\n file.path : \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Outlook\\\\VbaProject.OTM\"\n", "references": [ "https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/", "https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/" ], - "risk_score": 43, + "risk_score": 47, "rule_id": "397945f3-d39a-4e6f-8bcb-9656c2031438", "severity": "medium", "tags": [ @@ -48,5 +49,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_periodic_tasks_file_mdofiy.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_periodic_tasks_file_mdofiy.json new file mode 100644 index 00000000000000..e54b368a24cc26 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_periodic_tasks_file_mdofiy.json @@ -0,0 +1,57 @@ +{ + "author": [ + "Elastic" + ], + "description": "Identifies the creation or modification of the default configuration for periodic tasks. Adversaries may abuse periodic tasks to execute malicious code or maintain persistence.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License", + "name": "Potential Persistence via Periodic Tasks", + "query": "event.category:\"file\" and not event.type:\"deletion\" and file.path:(/private/etc/periodic/* or /private/etc/defaults/periodic.conf or /private/etc/periodic.conf)", + "references": [ + "https://opensource.apple.com/source/crontabs/crontabs-13/private/etc/defaults/periodic.conf.auto.html", + "https://www.oreilly.com/library/view/mac-os-x/0596003706/re328.html", + "https://github.com/D00MFist/PersistentJXA/blob/master/PeriodicPersist.js" + ], + "risk_score": 21, + "rule_id": "48ec9452-e1fd-4513-a376-10a1a26d2c83", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.003", + "name": "Cron", + "reference": "https://attack.mitre.org/techniques/T1053/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_priv_escalation_via_accessibility_features.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_priv_escalation_via_accessibility_features.json index 1cd66ea45dea36..69d84e6082f7ea 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_priv_escalation_via_accessibility_features.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_priv_escalation_via_accessibility_features.json @@ -3,9 +3,11 @@ "Elastic" ], "description": "Windows contains accessibility features that may be launched with a key combination before a user has logged in. An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.", + "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", @@ -72,5 +74,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 6 + "version": 7 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_registry_uncommon.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_registry_uncommon.json index 93e67ccab04b2d..52ca728d933f59 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_registry_uncommon.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_registry_uncommon.json @@ -3,9 +3,11 @@ "Elastic" ], "description": "Detects changes to registry persistence keys that are uncommonly used or modified by legitimate programs. This could be an indication of an adversary's attempt to persist in a stealthy manner.", + "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", @@ -52,5 +54,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_run_key_and_startup_broad.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_run_key_and_startup_broad.json index 62ca418bbfdecd..2e06beaa4e32b3 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_run_key_and_startup_broad.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_run_key_and_startup_broad.json @@ -3,9 +3,11 @@ "Elastic" ], "description": "Identifies run key or startup key registry modifications. In order to survive reboots and other system interrupts, attackers will modify run keys within the registry or leverage startup folder items as a form of persistence.", + "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", @@ -47,5 +49,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_runtime_run_key_startup_susp_procs.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_runtime_run_key_startup_susp_procs.json index 52d0720839f5cd..c4c1c1f23b6a58 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_runtime_run_key_startup_susp_procs.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_runtime_run_key_startup_susp_procs.json @@ -3,9 +3,11 @@ "Elastic" ], "description": "Identifies execution of suspicious persistent programs (scripts, rundll32, etc.) by looking at process lineage and command line usage.", + "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", @@ -46,5 +48,5 @@ } ], "type": "eql", - "version": 1 + "version": 2 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_services_registry.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_services_registry.json index 8d90717ec69fc0..f95d6e883adf2d 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_services_registry.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_services_registry.json @@ -3,9 +3,11 @@ "Elastic" ], "description": "Identifies processes modifying the services registry key directly, instead of through the expected Windows APIs. This could be an indication of an adversary attempting to stealthily persist through abnormal service creation or modification of an existing service.", + "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", @@ -47,5 +49,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_shell_profile_modification.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_shell_profile_modification.json new file mode 100644 index 00000000000000..78fa1e65d1e0c3 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_shell_profile_modification.json @@ -0,0 +1,60 @@ +{ + "author": [ + "Elastic" + ], + "description": "Both ~/.bash_profile and ~/.bashrc are files containing shell commands that are run when Bash is invoked. These files are executed in a user's context, either interactively or non-interactively, when a user logs in so that their environment is set correctly. Adversaries may abuse this to establish persistence by executing malicious content triggered by a user\u2019s shell.", + "false_positives": [ + "Changes to the Shell Profile tend to be noisy, a tuning per your environment will be required." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "auditbeat-*" + ], + "language": "kuery", + "license": "Elastic License", + "name": "Bash Shell Profile Modification", + "query": "event.category:file and event.type:change and process.name:(* and not (sudo or vim or zsh or env or nano or bash or Terminal or xpcproxy or login or cat or cp or launchctl or java)) and not process.executable:(/Applications/* or /private/var/folders/* or /usr/local/*) and file.path:(/private/etc/rc.local or /etc/rc.local or /home/*/.profile or /home/*/.profile1 or /home/*/.bash_profile or /home/*/.bash_profile1 or /home/*/.bashrc or /Users/*/.bash_profile or /Users/*/.zshenv)", + "references": [ + "https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat" + ], + "risk_score": 47, + "rule_id": "e6c1a552-7776-44ad-ae0f-8746cc07773c", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "macOS", + "Linux", + "Threat Detection", + "Execution", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.004", + "name": ".bash_profile and .bashrc", + "reference": "https://attack.mitre.org/techniques/T1546/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_ssh_authorized_keys_modification.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_ssh_authorized_keys_modification.json new file mode 100644 index 00000000000000..aa24a832e594ca --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_ssh_authorized_keys_modification.json @@ -0,0 +1,53 @@ +{ + "author": [ + "Elastic" + ], + "description": "The Secure Shell (SSH) authorized_keys file specifies which users are allowed to log into a server using public key authentication. Adversaries may modify it to maintain persistence on a victim host by adding their own public key(s).", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License", + "name": "SSH Authorized Keys File Modification", + "query": "event.category:file and event.type:(change or creation) and file.name:(\"authorized_keys\" or \"authorized_keys2\") and not process.executable: (/Library/Developer/CommandLineTools/usr/bin/git or /usr/local/Cellar/maven/*/libexec/bin/mvn or /Library/Java/JavaVirtualMachines/jdk*.jdk/Contents/Home/bin/java or /usr/bin/vim or /usr/local/Cellar/coreutils/*/bin/gcat or /usr/bin/bsdtar or /usr/bin/nautilus or /usr/bin/scp or /usr/bin/touch or /var/lib/docker/*)", + "risk_score": 47, + "rule_id": "2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Linux", + "macOS", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/", + "subtechnique": [ + { + "id": "T1098.004", + "name": "SSH Authorized Keys", + "reference": "https://attack.mitre.org/techniques/T1098/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_startup_folder_file_written_by_suspicious_process.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_startup_folder_file_written_by_suspicious_process.json index 5defde988ac3b4..c202a416c3202e 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_startup_folder_file_written_by_suspicious_process.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_startup_folder_file_written_by_suspicious_process.json @@ -3,9 +3,11 @@ "Elastic" ], "description": "Identifies files written to or modified in the startup folder by commonly abused processes. Adversaries may use this technique to maintain persistence.", + "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", @@ -47,5 +49,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_startup_folder_file_written_by_unsigned_process.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_startup_folder_file_written_by_unsigned_process.json index 67c9c3db6ba2aa..bf58c0f084baa4 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_startup_folder_file_written_by_unsigned_process.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_startup_folder_file_written_by_unsigned_process.json @@ -3,6 +3,7 @@ "Elastic" ], "description": "Identifies files written or modified in the startup folder by unsigned processes. Adversaries may abuse this technique to maintain persistence in an environment.", + "from": "now-9m", "index": [ "logs-endpoint.events.*" ], @@ -45,5 +46,5 @@ } ], "type": "eql", - "version": 1 + "version": 2 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_startup_folder_scripts.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_startup_folder_scripts.json index f689796a3673ed..6ea42440c3f91c 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_startup_folder_scripts.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_startup_folder_scripts.json @@ -3,9 +3,11 @@ "Elastic" ], "description": "Identifies script engines creating files in the startup folder, or the creation of script files in the startup folder.", + "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", @@ -47,5 +49,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_suspicious_calendar_modification.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_suspicious_calendar_modification.json new file mode 100644 index 00000000000000..e454dac4dba99c --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_suspicious_calendar_modification.json @@ -0,0 +1,53 @@ +{ + "author": [ + "Elastic" + ], + "description": "Identifies suspicious modifications of the calendar file by an unusual process. Adversaries may create a custom calendar notification procedure to execute a malicious program at a recurring interval to establish persistence.", + "false_positives": [ + "Trusted applications for managing calendars and reminders." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "auditbeat-*" + ], + "language": "kuery", + "license": "Elastic License", + "name": "Suspicious Calendar File Modification", + "query": "event.category:file and event.action:modification and file.path:/Users/*/Library/Calendars/*.calendar/Events/*.ics and process.executable: (* and not ( /System/Library/* or /System/Applications/Calendar.app/Contents/MacOS/* or /usr/libexec/xpcproxy or /sbin/launchd or /Applications/* ) )", + "references": [ + "https://labs.f-secure.com/blog/operationalising-calendar-alerts-persistence-on-macos", + "https://github.com/FSecureLABS/CalendarPersist", + "https://github.com/D00MFist/PersistentJXA/blob/master/CalendarPersist.js" + ], + "risk_score": 47, + "rule_id": "cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_suspicious_com_hijack_registry.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_suspicious_com_hijack_registry.json index 41e8bd04b87ef3..7a7f0906b65b9b 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_suspicious_com_hijack_registry.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_suspicious_com_hijack_registry.json @@ -3,9 +3,11 @@ "Elastic" ], "description": "Identifies Component Object Model (COM) hijacking via registry modification. Adversaries may establish persistence by executing malicious content triggered by hijacked references to COM objects.", + "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", @@ -50,5 +52,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_suspicious_image_load_scheduled_task_ms_office.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_suspicious_image_load_scheduled_task_ms_office.json index 77e63a546a896c..856ed7127aa9d4 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_suspicious_image_load_scheduled_task_ms_office.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_suspicious_image_load_scheduled_task_ms_office.json @@ -3,14 +3,16 @@ "Elastic" ], "description": "Identifies a suspicious image load (taskschd.dll) from Microsoft Office processes. This behavior may indicate adversarial activity where a scheduled task is configured via Windows Component Object Model (COM). This technique can be used to configure persistence and evade monitoring by avoiding the usage of the traditional Windows binary (schtasks.exe) used to manage scheduled tasks.", + "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", "name": "Suspicious Image Load (taskschd.dll) from MS Office", - "query": "library where process.name in (\"WINWORD.EXE\", \"EXCEL.EXE\", \"POWERPNT.EXE\", \"MSPUB.EXE\", \"MSACCESS.EXE\") and\n event.action == \"load\" and\n event.category == \"library\" and\n file.name == \"taskschd.dll\"\n", + "query": "library where process.name : (\"WINWORD.EXE\", \"EXCEL.EXE\", \"POWERPNT.EXE\", \"MSPUB.EXE\", \"MSACCESS.EXE\") and\n event.action : \"load\" and\n event.category : \"library\" and\n dll.name : \"taskschd.dll\"\n", "references": [ "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", "https://www.clearskysec.com/wp-content/uploads/2020/10/Operation-Quicksand.pdf" @@ -44,5 +46,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_suspicious_scheduled_task_runtime.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_suspicious_scheduled_task_runtime.json index 51d19bdaef6dbd..0ccec7f29805b6 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_suspicious_scheduled_task_runtime.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_suspicious_scheduled_task_runtime.json @@ -9,13 +9,14 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", "name": "Suspicious Execution via Scheduled Task", "query": "process where event.type == \"start\" and\n /* Schedule service cmdline on Win10+ */\n process.parent.name : \"svchost.exe\" and process.parent.args : \"Schedule\" and\n /* add suspicious programs here */\n process.pe.original_file_name in\n (\n \"cscript.exe\",\n \"wscript.exe\",\n \"PowerShell.EXE\",\n \"Cmd.Exe\",\n \"MSHTA.EXE\",\n \"RUNDLL32.EXE\",\n \"REGSVR32.EXE\",\n \"MSBuild.exe\",\n \"InstallUtil.exe\",\n \"RegAsm.exe\",\n \"RegSvcs.exe\",\n \"msxsl.exe\",\n \"CONTROL.EXE\",\n \"EXPLORER.EXE\",\n \"Microsoft.Workflow.Compiler.exe\",\n \"msiexec.exe\"\n ) and\n /* add suspicious paths here */\n process.args : (\n \"C:\\\\Users\\\\*\",\n \"C:\\\\ProgramData\\\\*\", \n \"C:\\\\Windows\\\\Temp\\\\*\", \n \"C:\\\\Windows\\\\Tasks\\\\*\", \n \"C:\\\\PerfLogs\\\\*\", \n \"C:\\\\Intel\\\\*\", \n \"C:\\\\Windows\\\\Debug\\\\*\", \n \"C:\\\\HP\\\\*\")\n", - "risk_score": 43, + "risk_score": 47, "rule_id": "5d1d6907-0747-4d5d-9b24-e4a18853dc0a", "severity": "medium", "tags": [ @@ -44,5 +45,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_suspicious_service_created_registry.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_suspicious_service_created_registry.json index 487327f6344bad..a9cba3e9be599b 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_suspicious_service_created_registry.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_suspicious_service_created_registry.json @@ -3,9 +3,11 @@ "Elastic" ], "description": "Identifies the creation of a suspicious ImagePath value. This could be an indication of an adversary attempting to stealthily persist or escalate privileges through abnormal service creation.", + "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", @@ -47,5 +49,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_system_shells_via_services.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_system_shells_via_services.json index 33198e716af0de..80a0e067aa26f7 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_system_shells_via_services.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_system_shells_via_services.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "kuery", "license": "Elastic License", @@ -48,5 +49,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 7 + "version": 8 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_time_provider_mod.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_time_provider_mod.json new file mode 100644 index 00000000000000..72310046bf35c3 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_time_provider_mod.json @@ -0,0 +1,56 @@ +{ + "author": [ + "Elastic" + ], + "description": "Windows operating systems are utilizing the time provider architecture in order to obtain accurate time stamps from other network devices or clients in the network. Time providers are implemented in the form of a DLL file which resides in System32 folder. The service W32Time initiates during the startup of Windows and loads w32time.dll. Adversaries may abuse this architecture to establish persistence, specifically by registering and enabling a malicious DLL as a time provider.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License", + "name": "Potential Persistence via Time Provider Modification", + "query": "registry where event.type:\"change\" and\n registry.path:\"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\W32Time\\\\TimeProviders\\\\*\" and\n registry.data.strings:\"*.dll\"\n", + "references": [ + "https://pentestlab.blog/2019/10/22/persistence-time-providers/" + ], + "risk_score": 47, + "rule_id": "14ed1aa9-ebfd-4cf9-a463-0ac59ec55204", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.003", + "name": "Time Providers", + "reference": "https://attack.mitre.org/techniques/T1547/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_user_account_added_to_privileged_group_ad.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_user_account_added_to_privileged_group_ad.json new file mode 100644 index 00000000000000..7891df2ca55882 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_user_account_added_to_privileged_group_ad.json @@ -0,0 +1,57 @@ +{ + "author": [ + "Elastic", + "Skoetting" + ], + "description": "Identifies a user being added to a privileged group in Active Directory. Privileged accounts and groups in Active Directory are those to which powerful rights, privileges, and permissions are granted that allow them to perform nearly any action in Active Directory and on domain-joined systems.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License", + "name": "User Added to Privileged Group in Active Directory", + "query": "event.category:iam and event.action:\"added-member-to-group\" and group.name:(Administrators or \"Local Administrators\" or \"Domain Admins\" or \"Enterprise Admins\" or \"Backup Admins\" or \"Schema Admins\" or \"DnsAdmins\")", + "references": [ + "https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-b--privileged-accounts-and-groups-in-active-directory" + ], + "risk_score": 21, + "rule_id": "5cd8e1f7-0050-4afc-b2df-904e40b2f5ae", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1136", + "name": "Create Account", + "reference": "https://attack.mitre.org/techniques/T1136/", + "subtechnique": [ + { + "id": "T1136.001", + "name": "Local Account", + "reference": "https://attack.mitre.org/techniques/T1136/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_user_account_creation.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_user_account_creation.json index cbc8ea15bb800f..cb9c70a842b2df 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_user_account_creation.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_user_account_creation.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "kuery", "license": "Elastic License", @@ -41,5 +42,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 6 + "version": 7 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_via_application_shimming.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_via_application_shimming.json index a9ca3e2c8da488..f910ae13d92cdd 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_via_application_shimming.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_via_application_shimming.json @@ -3,9 +3,11 @@ "Elastic" ], "description": "The Application Shim was created to allow for backward compatibility of software as the operating system codebase changes over time. This Windows functionality has been abused by attackers to stealthily gain persistence and arbitrary code execution in legitimate Windows processes.", + "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "kuery", "license": "Elastic License", @@ -69,5 +71,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 6 + "version": 7 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_via_atom_init_file_modification.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_via_atom_init_file_modification.json new file mode 100644 index 00000000000000..c2ae7b2ff335d8 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_via_atom_init_file_modification.json @@ -0,0 +1,32 @@ +{ + "author": [ + "Elastic" + ], + "description": "Identifies modifications to the Atom desktop text editor Init File. Adversaries may add malicious JavaScript code to the init.coffee file that will be executed upon the Atom application opening.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License", + "name": "Potential Persistence via Atom Init Script Modification", + "query": "event.category:\"file\" and not event.type:\"deletion\" and file.path:/Users/*/.atom/init.coffee and not process.name:(Atom or xpcproxy) and not user.name:root", + "references": [ + "https://github.com/D00MFist/PersistentJXA/blob/master/AtomPersist.js", + "https://flight-manual.atom.io/hacking-atom/sections/the-init-file/" + ], + "risk_score": 21, + "rule_id": "b4449455-f986-4b5a-82ed-e36b129331f7", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Persistence" + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_via_hidden_run_key_valuename.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_via_hidden_run_key_valuename.json index 23b316fad1db5d..3fe0137ec8efb0 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_via_hidden_run_key_valuename.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_via_hidden_run_key_valuename.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "logs-endpoint.events.*", - "winlogbeat-*" + "winlogbeat-*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", @@ -52,5 +53,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_via_lsa_security_support_provider_registry.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_via_lsa_security_support_provider_registry.json index ea861b2634d837..983c33ca288ac4 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_via_lsa_security_support_provider_registry.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_via_lsa_security_support_provider_registry.json @@ -3,9 +3,11 @@ "Elastic" ], "description": "Identifies registry modifications related to the Windows Security Support Provider (SSP) configuration. Adversaries may abuse this to establish persistence in an environment.", + "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", @@ -47,5 +49,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_via_telemetrycontroller_scheduledtask_hijack.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_via_telemetrycontroller_scheduledtask_hijack.json index 71114206fb47df..4543def3253ad8 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_via_telemetrycontroller_scheduledtask_hijack.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_via_telemetrycontroller_scheduledtask_hijack.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "kuery", "license": "Elastic License", @@ -44,5 +45,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 3 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_via_update_orchestrator_service_hijack.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_via_update_orchestrator_service_hijack.json index 1ed0077a66529f..bcfd0e6b94ac6e 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_via_update_orchestrator_service_hijack.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_via_update_orchestrator_service_hijack.json @@ -6,12 +6,13 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], - "language": "kuery", + "language": "eql", "license": "Elastic License", "name": "Persistence via Update Orchestrator Service Hijack", - "query": "event.category:process and event.type:(start or process_started) and process.parent.name:svchost.exe and process.parent.args:(UsoSvc or usosvc) and not process.name:(UsoClient.exe or usoclient.exe or MusNotification.exe or musnotification.exe or MusNotificationUx.exe or musnotificationux.exe)", + "query": "process where event.type == \"start\" and\n process.parent.executable : \"C:\\\\Windows\\\\System32\\\\svchost.exe\" and\n process.parent.args : \"UsoSvc\" and\n not process.executable :\n (\n \"C:\\\\Windows\\\\System32\\\\UsoClient.exe\",\n \"C:\\\\Windows\\\\System32\\\\MusNotification.exe\",\n \"C:\\\\Windows\\\\System32\\\\MusNotificationUx.exe\",\n \"C:\\\\Windows\\\\System32\\\\MusNotifyIcon.exe\",\n \"C:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"C:\\\\Windows\\\\System32\\\\WerMgr.exe\"\n )\n", "references": [ "https://github.com/irsl/CVE-2020-1313" ], @@ -50,6 +51,6 @@ } ], "timestamp_override": "event.ingested", - "type": "query", - "version": 3 + "type": "eql", + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_via_windows_management_instrumentation_event_subscription.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_via_windows_management_instrumentation_event_subscription.json index 17453925b3b3bf..d7bc2c41f95047 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_via_windows_management_instrumentation_event_subscription.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_via_windows_management_instrumentation_event_subscription.json @@ -3,9 +3,11 @@ "Elastic" ], "description": "An adversary can use Windows Management Instrumentation (WMI) to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system.", + "from": "now-9m", "index": [ "logs-endpoint.events.*", - "winlogbeat-*" + "winlogbeat-*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", @@ -40,5 +42,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_applescript_with_admin_privs.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_applescript_with_admin_privs.json new file mode 100644 index 00000000000000..36faa1a5ed87c5 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_applescript_with_admin_privs.json @@ -0,0 +1,64 @@ +{ + "author": [ + "Elastic" + ], + "description": "Identifies execution of the Apple script interpreter (osascript) without a password prompt and with administrator privileges.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License", + "name": "Apple Scripting Execution with Administrator Privileges", + "query": "process where event.type in (\"start\", \"process_started\") and process.name : \"osascript\" and\n process.command_line : \"osascript*with administrator privileges\"\n", + "references": [ + "https://discussions.apple.com/thread/2266150" + ], + "risk_score": 47, + "rule_id": "827f8d8f-4117-4ae4-b551-f56d54b9da6b", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Execution", + "Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_disable_uac_registry.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_disable_uac_registry.json new file mode 100644 index 00000000000000..b600fe5dc99508 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_disable_uac_registry.json @@ -0,0 +1,80 @@ +{ + "author": [ + "Elastic" + ], + "description": "User Account Control (UAC) can help mitigate the impact of malware on Windows hosts. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator specifically authorizes administrator-level access to the system. This rule identifies registry value changes to bypass User Access Control (UAC) protection.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License", + "name": "Disabling User Account Control via Registry Modification", + "query": "registry where event.type == \"change\" and\n registry.path :\n (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLUA\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\ConsentPromptBehaviorAdmin\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\PromptOnSecureDesktop\"\n ) and\n registry.data.strings : \"0\"\n", + "references": [ + "https://www.greyhathacker.net/?p=796", + "https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings", + "https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-overview" + ], + "risk_score": 47, + "rule_id": "d31f183a-e5b1-451b-8534-ba62bca0b404", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.002", + "name": "Bypass User Access Control", + "reference": "https://attack.mitre.org/techniques/T1548/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.002", + "name": "Bypass User Access Control", + "reference": "https://attack.mitre.org/techniques/T1548/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_echo_nopasswd_sudoers.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_echo_nopasswd_sudoers.json new file mode 100644 index 00000000000000..b5cd27e6ff02b9 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_echo_nopasswd_sudoers.json @@ -0,0 +1,53 @@ +{ + "author": [ + "Elastic" + ], + "description": "A sudoers file specifies the commands users or groups can run and from which terminals. Adversaries can take advantage of these configurations to execute commands as other users or spawn processes with higher privileges.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License", + "name": "Potential Privilege Escalation via Sudoers File Modification", + "query": "event.category:process and event.type:start and process.args:(echo and *NOPASSWD*ALL*)", + "risk_score": 73, + "rule_id": "76152ca1-71d0-4003-9e37-0983e12832da", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Linux", + "macOS", + "Threat Detection", + "Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.003", + "name": "Sudo and Sudo Caching", + "reference": "https://attack.mitre.org/techniques/T1548/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_explicit_creds_via_apple_scripting.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_explicit_creds_via_scripting.json similarity index 65% rename from x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_explicit_creds_via_apple_scripting.json rename to x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_explicit_creds_via_scripting.json index 1b741cd1a8c97c..ff735cbb40e42e 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_explicit_creds_via_apple_scripting.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_explicit_creds_via_scripting.json @@ -2,16 +2,16 @@ "author": [ "Elastic" ], - "description": "Identifies execution of the security_authtrampoline process via the Apple script interpreter (osascript). This occurs when programs use AuthorizationExecute-WithPrivileges from the Security.framework to run another program with root privileges. It should not be run by itself, as this is a sign of execution with explicit logon credentials.", + "description": "Identifies execution of the security_authtrampoline process via a scripting interpreter. This occurs when programs use AuthorizationExecute-WithPrivileges from the Security.framework to run another program with root privileges. It should not be run by itself, as this is a sign of execution with explicit logon credentials.", "from": "now-9m", "index": [ "auditbeat-*", "logs-endpoint.events.*" ], - "language": "eql", + "language": "kuery", "license": "Elastic License", - "name": "Execution with Explicit Credentials via Apple Scripting", - "query": "sequence by host.id with maxspan=5s\n [process where event.type in (\"start\", \"process_started\", \"info\") and process.name == \"osascript\"] by process.pid\n [process where event.type in (\"start\", \"process_started\") and process.name == \"security_authtrampoline\"] by process.ppid\n", + "name": "Execution with Explicit Credentials via Scripting", + "query": "event.category:process and event.type:(start or process_started) and process.name:\"security_authtrampoline\" and process.parent.name:(osascript or com.apple.automator.runner or sh or bash or dash or zsh or python* or perl* or php* or ruby or pwsh)", "references": [ "https://objectivebythesea.com/v2/talks/OBTS_v2_Thomas.pdf", "https://www.manpagez.com/man/8/security_authtrampoline/" @@ -59,6 +59,7 @@ ] } ], - "type": "eql", - "version": 1 + "timestamp_override": "event.ingested", + "type": "query", + "version": 2 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_exploit_adobe_acrobat_updater.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_exploit_adobe_acrobat_updater.json new file mode 100644 index 00000000000000..f80e877bcb43c1 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_exploit_adobe_acrobat_updater.json @@ -0,0 +1,51 @@ +{ + "author": [ + "Elastic" + ], + "description": "Detects attempts to exploit privilege escalation vulnerabilities related to the Adobe Acrobat Reader PrivilegedHelperTool responsible for installing updates. For more information, refer to CVE-2020-9615, CVE-2020-9614 and CVE-2020-9613 and verify that the impacted system is patched.", + "false_positives": [ + "Trusted system or Adobe Acrobat Related processes." + ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License", + "name": "Suspicious Child Process of Adobe Acrobat Reader Update Service", + "query": "event.category:process and event.type:(start or process_started) and process.parent.name:com.adobe.ARMDC.SMJobBlessHelper and user.name:root and not process.executable: (/Library/PrivilegedHelperTools/com.adobe.ARMDC.SMJobBlessHelper or /usr/bin/codesign or /private/var/folders/zz/*/T/download/ARMDCHammer or /usr/sbin/pkgutil or /usr/bin/shasum or /usr/bin/perl* or /usr/sbin/spctl or /usr/sbin/installer)", + "references": [ + "https://rekken.github.io/2020/05/14/Security-Flaws-in-Adobe-Acrobat-Reader-Allow-Malicious-Program-to-Gain-Root-on-macOS-Silently/" + ], + "risk_score": 73, + "rule_id": "f85ce03f-d8a8-4c83-acdc-5c8cd0592be7", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1068", + "name": "Exploitation for Privilege Escalation", + "reference": "https://attack.mitre.org/techniques/T1068/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_ld_preload_shared_object_modif.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_ld_preload_shared_object_modif.json new file mode 100644 index 00000000000000..813265d95cb745 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_ld_preload_shared_object_modif.json @@ -0,0 +1,56 @@ +{ + "author": [ + "Elastic" + ], + "description": "Identifies modification of the dynamic linker preload shared object (ld.so.preload). Adversaries may execute malicious payloads by hijacking the dynamic linker used to load libraries.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License", + "name": "Modification of Dynamic Linker Preload Shared Object", + "query": "event.category:file and not event.type:deletion and file.path:/etc/ld.so.preload", + "references": [ + "https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang" + ], + "risk_score": 47, + "rule_id": "717f82c2-7741-4f9b-85b8-d06aeb853f4f", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Privilege Escalation", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/", + "subtechnique": [ + { + "id": "T1574.006", + "name": "LD_PRELOAD", + "reference": "https://attack.mitre.org/techniques/T1574/006/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_local_user_added_to_admin.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_local_user_added_to_admin.json new file mode 100644 index 00000000000000..f303dbc81e6b24 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_local_user_added_to_admin.json @@ -0,0 +1,55 @@ +{ + "author": [ + "Elastic" + ], + "description": "Identifies attempts to add an account to the admin group via the command line. This could be an indication of privilege escalation activity.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License", + "name": "Potential Admin Group Account Addition", + "query": "event.category:process and event.type:(start or process_started) and process.name:(dscl or dseditgroup) and process.args:((\"/Groups/admin\" or admin) and (\"-a\" or \"-append\"))", + "references": [ + "https://managingosx.wordpress.com/2010/01/14/add-a-user-to-the-admin-group-via-command-line-3-0/" + ], + "risk_score": 47, + "rule_id": "565c2b44-7a21-4818-955f-8d4737967d2e", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/", + "subtechnique": [ + { + "id": "T1078.003", + "name": "Local Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_lsa_auth_package.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_lsa_auth_package.json new file mode 100644 index 00000000000000..10a5e3ba744c9e --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_lsa_auth_package.json @@ -0,0 +1,75 @@ +{ + "author": [ + "Elastic" + ], + "description": "Adversaries can use the autostart mechanism provided by the Local Security Authority (LSA) authentication packages for privilege escalation or persistence by placing a reference to a binary in the Windows registry. The binary will then be executed by SYSTEM when the authentication packages are loaded.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License", + "name": "Potential LSA Authentication Package Abuse", + "query": "registry where event.type == \"change\" and\n registry.path : \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\Authentication Packages\" and\n /* exclude SYSTEM SID - look for changes by non-SYSTEM user */\n not user.id : \"S-1-5-18\"\n", + "risk_score": 47, + "rule_id": "e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.002", + "name": "Authentication Package", + "reference": "https://attack.mitre.org/techniques/T1547/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.002", + "name": "Authentication Package", + "reference": "https://attack.mitre.org/techniques/T1547/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_named_pipe_impersonation.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_named_pipe_impersonation.json index d78c5ba7a3814d..16a8cdf64ad0c1 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_named_pipe_impersonation.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_named_pipe_impersonation.json @@ -3,9 +3,11 @@ "Elastic" ], "description": "Identifies a privilege escalation attempt via named pipe impersonation. An adversary may abuse this technique by utilizing a framework such Metasploit's meterpreter getsystem command.", + "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", @@ -43,5 +45,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_persistence_phantom_dll.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_persistence_phantom_dll.json new file mode 100644 index 00000000000000..81248b7e0be1e0 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_persistence_phantom_dll.json @@ -0,0 +1,84 @@ +{ + "author": [ + "Elastic" + ], + "description": "Identifies the loading of a non Microsoft signed DLL that is missing on a default Windows install (phantom DLL) or one that can be loaded from a different location by a native Windows process. This may be abused to persist or elevate privileges via privileged file write vulnerabilities.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License", + "name": "Suspicious DLL Loaded for Persistence or Privilege Escalation", + "query": "library where dll.name :\n (\n \"wlbsctrl.dll\",\n \"wbemcomn.dll\",\n \"WptsExtensions.dll\",\n \"Tsmsisrv.dll\",\n \"TSVIPSrv.dll\",\n \"Msfte.dll\",\n \"wow64log.dll\",\n \"WindowsCoreDeviceInfo.dll\",\n \"Ualapi.dll\",\n \"wlanhlp.dll\",\n \"phoneinfo.dll\",\n \"EdgeGdi.dll\",\n \"cdpsgshims.dll\",\n \"windowsperformancerecordercontrol.dll\",\n \"diagtrack_win.dll\"\n ) and \nnot (dll.code_signature.subject_name : \"Microsoft Windows\" and dll.code_signature.status : \"trusted\")\n", + "references": [ + "https://itm4n.github.io/windows-dll-hijacking-clarified/", + "http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html", + "https://googleprojectzero.blogspot.com/2018/04/windows-exploitation-tricks-exploiting.html", + "https://shellz.club/edgegdi-dll-for-persistence-and-lateral-movement/", + "https://windows-internals.com/faxing-your-way-to-system/", + "http://waleedassar.blogspot.com/2013/01/wow64logdll.html" + ], + "risk_score": 73, + "rule_id": "bfeaf89b-a2a7-48a3-817f-e41829dc61ee", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence", + "Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/", + "subtechnique": [ + { + "id": "T1574.002", + "name": "DLL Side-Loading", + "reference": "https://attack.mitre.org/techniques/T1574/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/", + "subtechnique": [ + { + "id": "T1574.001", + "name": "DLL Search Order Hijacking", + "reference": "https://attack.mitre.org/techniques/T1574/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_port_monitor_print_pocessor_abuse.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_port_monitor_print_pocessor_abuse.json new file mode 100644 index 00000000000000..6d72fa84b5f246 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_port_monitor_print_pocessor_abuse.json @@ -0,0 +1,78 @@ +{ + "author": [ + "Elastic" + ], + "description": "Identifies port monitor and print processor registry modifications. Adversaries may abuse port monitor and print processors to run malicious DLLs during system boot that will be executed as SYSTEM for privilege escalation and/or persistence, if permissions allow writing a fully-qualified pathname for that DLL.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License", + "name": "Potential Port Monitor or Print Processor Registration Abuse", + "query": "registry where event.type in (\"creation\", \"change\") and\n registry.path : (\"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Print\\\\Monitors\\\\*\",\n \"HLLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Print\\\\Environments\\\\Windows*\\\\Print Processors\\\\*\") and\n registry.data.strings : \"*.dll\" and\n /* exclude SYSTEM SID - look for changes by non-SYSTEM user */\n not user.id : \"S-1-5-18\"\n", + "references": [ + "https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/" + ], + "risk_score": 47, + "rule_id": "8f3e91c7-d791-4704-80a1-42c160d7aa27", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.010", + "name": "Port Monitors", + "reference": "https://attack.mitre.org/techniques/T1547/010/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.010", + "name": "Port Monitors", + "reference": "https://attack.mitre.org/techniques/T1547/010/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_printspooler_registry_copyfiles.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_printspooler_registry_copyfiles.json index 76b17b0d892294..7346e5f1e06db4 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_printspooler_registry_copyfiles.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_printspooler_registry_copyfiles.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", @@ -17,7 +18,7 @@ "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Privilege%20Escalation/privesc_sysmon_cve_20201030_spooler.evtx", "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1030" ], - "risk_score": 74, + "risk_score": 73, "rule_id": "bd7eefee-f671-494e-98df-f01daf9e5f17", "severity": "high", "tags": [ @@ -45,5 +46,5 @@ } ], "type": "eql", - "version": 1 + "version": 2 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_printspooler_service_suspicious_file.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_printspooler_service_suspicious_file.json index 5a14984464bcb2..fae71bc2f98bbe 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_printspooler_service_suspicious_file.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_printspooler_service_suspicious_file.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "kuery", "license": "Elastic License", @@ -16,7 +17,7 @@ "https://voidsec.com/cve-2020-1337-printdemon-is-dead-long-live-printdemon/", "https://www.thezdi.com/blog/2020/7/8/cve-2020-1300-remote-code-execution-through-microsoft-windows-cab-files" ], - "risk_score": 74, + "risk_score": 73, "rule_id": "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8", "severity": "high", "tags": [ @@ -45,5 +46,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_printspooler_suspicious_spl_file.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_printspooler_suspicious_spl_file.json index 3fcaea3c039e40..c6b7bb9838045b 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_printspooler_suspicious_spl_file.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_printspooler_suspicious_spl_file.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "kuery", "license": "Elastic License", @@ -16,7 +17,7 @@ "references": [ "https://safebreach.com/Post/How-we-bypassed-CVE-2020-1048-Patch-and-got-CVE-2020-1337" ], - "risk_score": 74, + "risk_score": 73, "rule_id": "a7ccae7b-9d2c-44b2-a061-98e5946971fa", "severity": "high", "tags": [ @@ -45,5 +46,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_rogue_windir_environment_var.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_rogue_windir_environment_var.json index 3885aa3d847ca4..a160466cdc4d61 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_rogue_windir_environment_var.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_rogue_windir_environment_var.json @@ -3,9 +3,11 @@ "Elastic" ], "description": "Identifies a privilege escalation attempt via a rogue Windows directory (Windir) environment variable. This is a known primitive that is often combined with other vulnerabilities to elevate privileges.", + "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", @@ -14,7 +16,7 @@ "references": [ "https://www.tiraniddo.dev/2017/05/exploiting-environment-variables-in.html" ], - "risk_score": 71, + "risk_score": 73, "rule_id": "d563aaba-2e72-462b-8658-3e5ea22db3a6", "severity": "high", "tags": [ @@ -50,5 +52,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_root_crontab_filemod.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_root_crontab_filemod.json new file mode 100644 index 00000000000000..4ca3c62012aded --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_root_crontab_filemod.json @@ -0,0 +1,56 @@ +{ + "author": [ + "Elastic" + ], + "description": "Identifies modifications to the root crontab file. Adversaries may overwrite this file to gain code execution with root privileges by exploiting privileged file write or move related vulnerabilities.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License", + "name": "Privilege Escalation via Root Crontab File Modification", + "query": "event.category:file and not event.type:deletion and file.path:/private/var/at/tabs/root and not process.executable:/usr/bin/crontab", + "references": [ + "https://phoenhex.re/2017-06-09/pwn2own-diskarbitrationd-privesc", + "https://www.exploit-db.com/exploits/42146" + ], + "risk_score": 73, + "rule_id": "0ff84c42-873d-41a2-a4ed-08d74d352d01", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.003", + "name": "Cron", + "reference": "https://attack.mitre.org/techniques/T1053/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_setgid_bit_set_via_chmod.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_setgid_bit_set_via_chmod.json deleted file mode 100644 index 0bed7960781927..00000000000000 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_setgid_bit_set_via_chmod.json +++ /dev/null @@ -1,62 +0,0 @@ -{ - "author": [ - "Elastic" - ], - "description": "An adversary may add the setgid bit to a file or directory in order to run a file with the privileges of the owning group. An adversary can take advantage of this to either do a shell escape or exploit a vulnerability in an application with the setgid bit to get code running in a different user\u2019s context. Additionally, adversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "lucene", - "license": "Elastic License", - "max_signals": 33, - "name": "Setgid Bit Set via chmod", - "query": "event.category:process AND event.type:(start or process_started) AND process.name:chmod AND process.args:(g+s OR /2[0-9]{3}/) AND NOT user.name:root", - "risk_score": 21, - "rule_id": "3a86e085-094c-412d-97ff-2439731e59cb", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "Linux", - "Threat Detection", - "Privilege Escalation" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1548", - "name": "Abuse Elevation Control Mechanism", - "reference": "https://attack.mitre.org/techniques/T1548/", - "subtechnique": [ - { - "id": "T1548.001", - "name": "Setuid and Setgid", - "reference": "https://attack.mitre.org/techniques/T1548/001/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 6 -} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_setuid_bit_set_via_chmod.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_setuid_setgid_bit_set_via_chmod.json similarity index 63% rename from x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_setuid_bit_set_via_chmod.json rename to x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_setuid_setgid_bit_set_via_chmod.json index a55f02a0af61aa..0501604f5c8405 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_setuid_bit_set_via_chmod.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_setuid_setgid_bit_set_via_chmod.json @@ -2,7 +2,7 @@ "author": [ "Elastic" ], - "description": "An adversary may add the setuid bit to a file or directory in order to run a file with the privileges of the owning user. An adversary can take advantage of this to either do a shell escape or exploit a vulnerability in an application with the setuid bit to get code running in a different user\u2019s context. Additionally, adversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future.", + "description": "An adversary may add the setuid or setgid bit to a file or directory in order to run a file with the privileges of the owning user or group. An adversary can take advantage of this to either do a shell escape or exploit a vulnerability in an application with the setuid or setgid bit to get code running in a different user\u2019s context. Additionally, adversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future.", "from": "now-9m", "index": [ "auditbeat-*", @@ -11,8 +11,8 @@ "language": "lucene", "license": "Elastic License", "max_signals": 33, - "name": "Setuid Bit Set via chmod", - "query": "event.category:process AND event.type:(start or process_started) AND process.name:chmod AND process.args:(u+s OR /4[0-9]{3}/) AND NOT user.name:root", + "name": "Setuid / Setgid Bit Set via chmod", + "query": "event.category:process AND event.type:(start OR process_started) AND process.name:chmod AND process.args:(\"+s\" OR \"u+s\" OR /4[0-9]{3}/ OR g+s OR /2[0-9]{3}/)", "risk_score": 21, "rule_id": "8a1b0278-0f9a-487d-96bd-d4833298e87a", "severity": "low", @@ -20,6 +20,7 @@ "Elastic", "Host", "Linux", + "macOS", "Threat Detection", "Privilege Escalation" ], @@ -58,5 +59,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 6 + "version": 7 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_sudo_buffer_overflow.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_sudo_buffer_overflow.json new file mode 100644 index 00000000000000..f014318c04eaba --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_sudo_buffer_overflow.json @@ -0,0 +1,58 @@ +{ + "author": [ + "Elastic" + ], + "description": "Identifies the attempted use of a heap-based buffer overflow vulnerability for the Sudo binary in Unix-like systems (CVE-2021-3156). Successful exploitation allows an unprivileged user to escalate to the root user.", + "false_positives": [ + "This rule could generate false positives if the process arguments leveraged by the exploit are shared by custom scripts using the Sudo or Sudoedit binaries. Only Sudo versions 1.8.2 through 1.8.31p2 and 1.9.0 through 1.9.5p1 are affected; if those versions are not present on the endpoint, this could be a false positive." + ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License", + "name": "Sudo Heap-Based Buffer Overflow Attempt", + "query": "event.category:process and event.type:start and process.name:(sudo or sudoedit) and process.args:(*\\\\ and (\"-i\" or \"-s\"))", + "references": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-3156", + "https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit", + "https://www.bleepingcomputer.com/news/security/latest-macos-big-sur-also-has-sudo-root-privilege-escalation-flaw", + "https://www.sudo.ws/alerts/unescape_overflow.html" + ], + "risk_score": 73, + "rule_id": "f37f3054-d40b-49ac-aa9b-a786c74c58b8", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Linux", + "macOS", + "Threat Detection", + "Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1068", + "name": "Exploitation for Privilege Escalation", + "reference": "https://attack.mitre.org/techniques/T1068/" + } + ] + } + ], + "threshold": { + "field": "host.hostname", + "value": 100 + }, + "type": "threshold", + "version": 1 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_sudoers_file_mod.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_sudoers_file_mod.json index a49d2d89527ac9..2ac74bff3a69f8 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_sudoers_file_mod.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_sudoers_file_mod.json @@ -11,14 +11,15 @@ "language": "kuery", "license": "Elastic License", "name": "Sudoers File Modification", - "query": "event.category:file and event.type:change and file.path:/etc/sudoers", - "risk_score": 21, + "query": "event.category:file and event.type:change and file.path:(/etc/sudoers* or /private/etc/sudoers*)", + "risk_score": 47, "rule_id": "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4", - "severity": "low", + "severity": "medium", "tags": [ "Elastic", "Host", "Linux", + "macOS", "Threat Detection", "Privilege Escalation" ], @@ -48,5 +49,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 6 + "version": 7 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_uac_bypass_com_clipup.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_uac_bypass_com_clipup.json index 6bef3776153dbb..e028665bbdc907 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_uac_bypass_com_clipup.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_uac_bypass_com_clipup.json @@ -6,16 +6,17 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", "name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface", - "query": "process where event.type in (\"start\", \"process_started\", \"info\") and process.name == \"Clipup.exe\" and \nprocess.executable != \"C:\\\\Windows\\\\System32\\\\ClipUp.exe\" and process.parent.name == \"dllhost.exe\" and\n /* CLSID of the Elevated COM Interface IEditionUpgradeManager */\n wildcard(process.parent.args,\"/Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}\")\n", + "query": "process where event.type in (\"start\", \"process_started\") and process.name : \"Clipup.exe\" and\n not process.executable : \"C:\\\\Windows\\\\System32\\\\ClipUp.exe\" and process.parent.name : \"dllhost.exe\" and\n /* CLSID of the Elevated COM Interface IEditionUpgradeManager */\n process.parent.args : \"/Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}\"\n", "references": [ "https://github.com/hfiref0x/UACME" ], - "risk_score": 71, + "risk_score": 73, "rule_id": "b90cdde7-7e0d-4359-8bf0-2c112ce2008a", "severity": "high", "tags": [ @@ -51,5 +52,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_uac_bypass_com_ieinstal.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_uac_bypass_com_ieinstal.json index bcf916733d66b2..218322f4fdfa05 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_uac_bypass_com_ieinstal.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_uac_bypass_com_ieinstal.json @@ -6,12 +6,13 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", "name": "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer", - "query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n wildcard(process.executable, \"C:\\\\*\\\\AppData\\\\*\\\\Temp\\\\IDC*.tmp\\\\*.exe\") and\n process.parent.name == \"ieinstal.exe\" and process.parent.args == \"-Embedding\"\n\n /* uncomment once in winlogbeat */\n /* and not (process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true) */\n", + "query": "process where event.type in (\"start\", \"process_started\") and\n process.executable : \"C:\\\\*\\\\AppData\\\\*\\\\Temp\\\\IDC*.tmp\\\\*.exe\" and\n process.parent.name : \"ieinstal.exe\" and process.parent.args : \"-Embedding\"\n\n /* uncomment once in winlogbeat */\n /* and not (process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true) */\n", "references": [ "https://swapcontext.blogspot.com/2020/11/uac-bypasses-from-comautoapprovallist.html" ], @@ -51,5 +52,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_uac_bypass_com_interface_icmluautil.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_uac_bypass_com_interface_icmluautil.json index 81a796baa8824b..e9ba470cb2f35e 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_uac_bypass_com_interface_icmluautil.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_uac_bypass_com_interface_icmluautil.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", @@ -48,5 +49,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_uac_bypass_diskcleanup_hijack.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_uac_bypass_diskcleanup_hijack.json index a81ff4214f5076..3dd864083b732b 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_uac_bypass_diskcleanup_hijack.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_uac_bypass_diskcleanup_hijack.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", @@ -48,5 +49,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 3 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_uac_bypass_dll_sideloading.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_uac_bypass_dll_sideloading.json index 5b10fa84ea8695..bffbaad5136b42 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_uac_bypass_dll_sideloading.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_uac_bypass_dll_sideloading.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", @@ -51,5 +52,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_uac_bypass_event_viewer.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_uac_bypass_event_viewer.json index a73e6f4ccaa694..59f583e31dfd49 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_uac_bypass_event_viewer.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_uac_bypass_event_viewer.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "kuery", "license": "Elastic License", @@ -48,5 +49,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 6 + "version": 7 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_uac_bypass_mock_windir.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_uac_bypass_mock_windir.json index 76de6ef20f319e..3867fd918fae78 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_uac_bypass_mock_windir.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_uac_bypass_mock_windir.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", @@ -15,7 +16,7 @@ "references": [ "https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e" ], - "risk_score": 71, + "risk_score": 73, "rule_id": "290aca65-e94d-403b-ba0f-62f320e63f51", "severity": "high", "tags": [ @@ -51,5 +52,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_uac_bypass_winfw_mmc_hijack.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_uac_bypass_winfw_mmc_hijack.json index 983886377cf371..040c921f198a3b 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_uac_bypass_winfw_mmc_hijack.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_uac_bypass_winfw_mmc_hijack.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", @@ -51,5 +52,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_unusual_parentchild_relationship.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_unusual_parentchild_relationship.json index 2cd74014708e9f..0854fe45cdf9d2 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_unusual_parentchild_relationship.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_unusual_parentchild_relationship.json @@ -6,7 +6,8 @@ "from": "now-9m", "index": [ "winlogbeat-*", - "logs-endpoint.events.*" + "logs-endpoint.events.*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", @@ -52,5 +53,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 7 + "version": 8 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_unusual_svchost_childproc_childless.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_unusual_svchost_childproc_childless.json index deaa05dc5f8d46..58e2f1ca3d81f5 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_unusual_svchost_childproc_childless.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_unusual_svchost_childproc_childless.json @@ -9,7 +9,8 @@ "from": "now-9m", "index": [ "logs-endpoint.events.*", - "winlogbeat-*" + "winlogbeat-*", + "logs-windows.*" ], "language": "eql", "license": "Elastic License", @@ -66,5 +67,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 3 } From 70d1d9cdbb713804a472bc760cc89bb42bd5d80b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alejandro=20Fern=C3=A1ndez=20Haro?= Date: Thu, 18 Feb 2021 15:18:12 +0000 Subject: [PATCH 11/15] [Usage Collection] Small performance improvements (#91467) Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com> --- .../server/telemetry_collection/get_kibana.ts | 2 +- .../server/collector/collector_set.ts | 69 ++++++++++--------- 2 files changed, 36 insertions(+), 35 deletions(-) diff --git a/src/plugins/telemetry/server/telemetry_collection/get_kibana.ts b/src/plugins/telemetry/server/telemetry_collection/get_kibana.ts index 35592d83cf822a..566c9428901502 100644 --- a/src/plugins/telemetry/server/telemetry_collection/get_kibana.ts +++ b/src/plugins/telemetry/server/telemetry_collection/get_kibana.ts @@ -77,5 +77,5 @@ export async function getKibana( kibanaRequest: KibanaRequest | undefined // intentionally `| undefined` to enforce providing the parameter ): Promise { const usage = await usageCollection.bulkFetch(asInternalUser, soClient, kibanaRequest); - return usageCollection.toObject(usage); + return usageCollection.toObject(usage); } diff --git a/src/plugins/usage_collection/server/collector/collector_set.ts b/src/plugins/usage_collection/server/collector/collector_set.ts index 9338af611758ea..32a58a6657eec2 100644 --- a/src/plugins/usage_collection/server/collector/collector_set.ts +++ b/src/plugins/usage_collection/server/collector/collector_set.ts @@ -211,46 +211,47 @@ export class CollectorSet { ); }; - // convert an array of fetched stats results into key/object - public toObject = (statsData: Array<{ type: string; result: T }> = []) => { - return statsData.reduce((accumulatedStats, { type, result }) => { - return { - ...accumulatedStats, - [type]: result, - }; - }, {} as Result); - }; - - // rename fields to use api conventions - public toApiFieldNames = (apiData: any): any => { - const getValueOrRecurse = (value: any) => { - if (value == null || typeof value !== 'object') { - return value; - } else { - return this.toApiFieldNames(value); // recurse - } - }; + /** + * Convert an array of fetched stats results into key/object + * @param statsData Array of fetched stats results + */ + public toObject, T = unknown>( + statsData: Array<{ type: string; result: T }> = [] + ): Result { + return Object.fromEntries(statsData.map(({ type, result }) => [type, result])) as Result; + } + /** + * Rename fields to use API conventions + * @param apiData Data to be normalized + */ + public toApiFieldNames( + apiData: Record | unknown[] + ): Record | unknown[] { // handle array and return early, or return a reduced object - if (Array.isArray(apiData)) { - return apiData.map(getValueOrRecurse); + return apiData.map((value) => this.getValueOrRecurse(value)); } - return Object.keys(apiData).reduce((accum, field) => { - const value = apiData[field]; - let newName = field; - newName = snakeCase(newName); - newName = newName.replace(/^(1|5|15)_m/, '$1m'); // os.load.15m, os.load.5m, os.load.1m - newName = newName.replace('_in_bytes', '_bytes'); - newName = newName.replace('_in_millis', '_ms'); + return Object.fromEntries( + Object.entries(apiData).map(([field, value]) => { + let newName = field; + newName = snakeCase(newName); + newName = newName.replace(/^(1|5|15)_m/, '$1m'); // os.load.15m, os.load.5m, os.load.1m + newName = newName.replace('_in_bytes', '_bytes'); + newName = newName.replace('_in_millis', '_ms'); - return { - ...accum, - [newName]: getValueOrRecurse(value), - }; - }, {}); - }; + return [newName, this.getValueOrRecurse(value)]; + }) + ); + } + + private getValueOrRecurse(value: unknown) { + if (Array.isArray(value) || (typeof value === 'object' && value !== null)) { + return this.toApiFieldNames(value as Record | unknown[]); // recurse + } + return value; + } private makeCollectorSetFromArray = (collectors: AnyCollector[]) => { return new CollectorSet({ From 543bf1bf1d86d81d13fd55c44e33f1d22268a0d9 Mon Sep 17 00:00:00 2001 From: Joe Reuter Date: Thu, 18 Feb 2021 16:39:17 +0100 Subject: [PATCH 12/15] Discover: Add handling for source column (#91815) --- .../public/application/angular/context.js | 1 + .../application/angular/context_state.test.ts | 6 +++ .../application/angular/context_state.ts | 30 +++++++++---- .../public/application/angular/discover.js | 3 +- .../angular/discover_state.test.ts | 10 +++++ .../application/angular/discover_state.ts | 21 +++++++--- .../application/angular/helpers/index.ts | 1 + .../angular/helpers/state_helpers.ts | 42 +++++++++++++++++++ .../discover_grid/discover_grid.tsx | 3 +- .../functional/apps/discover/_shared_links.ts | 2 +- 10 files changed, 104 insertions(+), 15 deletions(-) create mode 100644 src/plugins/discover/public/application/angular/helpers/state_helpers.ts diff --git a/src/plugins/discover/public/application/angular/context.js b/src/plugins/discover/public/application/angular/context.js index e4128b3e262473..01a28a5c174b6b 100644 --- a/src/plugins/discover/public/application/angular/context.js +++ b/src/plugins/discover/public/application/angular/context.js @@ -65,6 +65,7 @@ function ContextAppRouteController($routeParams, $scope, $route) { storeInSessionStorage: getServices().uiSettings.get('state:storeInSessionStorage'), history: getServices().history(), toasts: getServices().core.notifications.toasts, + uiSettings: getServices().core.uiSettings, }); this.state = { ...appState.getState() }; this.anchorId = $routeParams.id; diff --git a/src/plugins/discover/public/application/angular/context_state.test.ts b/src/plugins/discover/public/application/angular/context_state.test.ts index e7622a13394c13..b49a6546a993d3 100644 --- a/src/plugins/discover/public/application/angular/context_state.test.ts +++ b/src/plugins/discover/public/application/angular/context_state.test.ts @@ -6,10 +6,12 @@ * Side Public License, v 1. */ +import { IUiSettingsClient } from 'kibana/public'; import { getState } from './context_state'; import { createBrowserHistory, History } from 'history'; import { FilterManager, Filter } from '../../../../data/public'; import { coreMock } from '../../../../../core/public/mocks'; +import { SEARCH_FIELDS_FROM_SOURCE } from '../../../common'; const setupMock = coreMock.createSetup(); describe('Test Discover Context State', () => { @@ -23,6 +25,10 @@ describe('Test Discover Context State', () => { defaultStepSize: '4', timeFieldName: 'time', history, + uiSettings: { + get: (key: string) => + ((key === SEARCH_FIELDS_FROM_SOURCE ? true : ['_source']) as unknown) as T, + } as IUiSettingsClient, }); state.startSync(); }); diff --git a/src/plugins/discover/public/application/angular/context_state.ts b/src/plugins/discover/public/application/angular/context_state.ts index d109badbdd1646..0bae006ec1f6e4 100644 --- a/src/plugins/discover/public/application/angular/context_state.ts +++ b/src/plugins/discover/public/application/angular/context_state.ts @@ -8,7 +8,7 @@ import _ from 'lodash'; import { History } from 'history'; -import { NotificationsStart } from 'kibana/public'; +import { NotificationsStart, IUiSettingsClient } from 'kibana/public'; import { createStateContainer, createKbnUrlStateStorage, @@ -17,6 +17,7 @@ import { withNotifyOnErrors, } from '../../../../kibana_utils/public'; import { esFilters, FilterManager, Filter, Query } from '../../../../data/public'; +import { handleSourceColumnState } from './helpers'; export interface AppState { /** @@ -73,6 +74,11 @@ interface GetStateParams { * kbnUrlStateStorage will use it notifying about inner errors */ toasts?: NotificationsStart['toasts']; + + /** + * core ui settings service + */ + uiSettings: IUiSettingsClient; } interface GetStateReturn { @@ -123,6 +129,7 @@ export function getState({ storeInSessionStorage = false, history, toasts, + uiSettings, }: GetStateParams): GetStateReturn { const stateStorage = createKbnUrlStateStorage({ useHash: storeInSessionStorage, @@ -134,7 +141,12 @@ export function getState({ const globalStateContainer = createStateContainer(globalStateInitial); const appStateFromUrl = stateStorage.get(APP_STATE_URL_KEY) as AppState; - const appStateInitial = createInitialAppState(defaultStepSize, timeFieldName, appStateFromUrl); + const appStateInitial = createInitialAppState( + defaultStepSize, + timeFieldName, + appStateFromUrl, + uiSettings + ); const appStateContainer = createStateContainer(appStateInitial); const { start, stop } = syncStates([ @@ -257,7 +269,8 @@ function getFilters(state: AppState | GlobalState): Filter[] { function createInitialAppState( defaultSize: string, timeFieldName: string, - urlState: AppState + urlState: AppState, + uiSettings: IUiSettingsClient ): AppState { const defaultState = { columns: ['_source'], @@ -270,8 +283,11 @@ function createInitialAppState( return defaultState; } - return { - ...defaultState, - ...urlState, - }; + return handleSourceColumnState( + { + ...defaultState, + ...urlState, + }, + uiSettings + ); } diff --git a/src/plugins/discover/public/application/angular/discover.js b/src/plugins/discover/public/application/angular/discover.js index c2bbbf2e57a9ad..78ad40e48fd965 100644 --- a/src/plugins/discover/public/application/angular/discover.js +++ b/src/plugins/discover/public/application/angular/discover.js @@ -110,7 +110,7 @@ app.config(($routeProvider) => { const history = getHistory(); const savedSearchId = $route.current.params.id; return data.indexPatterns.ensureDefaultIndexPattern(history).then(() => { - const { appStateContainer } = getState({ history }); + const { appStateContainer } = getState({ history, uiSettings: config }); const { index } = appStateContainer.getState(); return Promise.props({ ip: loadIndexPattern(index, data.indexPatterns, config), @@ -195,6 +195,7 @@ function discoverController($route, $scope, Promise) { storeInSessionStorage: config.get('state:storeInSessionStorage'), history, toasts: core.notifications.toasts, + uiSettings: config, }); const { diff --git a/src/plugins/discover/public/application/angular/discover_state.test.ts b/src/plugins/discover/public/application/angular/discover_state.test.ts index d3b7ed53e421af..e7322a85886311 100644 --- a/src/plugins/discover/public/application/angular/discover_state.test.ts +++ b/src/plugins/discover/public/application/angular/discover_state.test.ts @@ -6,6 +6,7 @@ * Side Public License, v 1. */ +import { IUiSettingsClient } from 'kibana/public'; import { getState, GetStateReturn, @@ -14,11 +15,17 @@ import { import { createBrowserHistory, History } from 'history'; import { dataPluginMock } from '../../../../data/public/mocks'; import { SavedSearch } from '../../saved_searches'; +import { SEARCH_FIELDS_FROM_SOURCE } from '../../../common'; let history: History; let state: GetStateReturn; const getCurrentUrl = () => history.createHref(history.location); +const uiSettingsMock = { + get: (key: string) => + ((key === SEARCH_FIELDS_FROM_SOURCE ? true : ['_source']) as unknown) as T, +} as IUiSettingsClient; + describe('Test discover state', () => { beforeEach(async () => { history = createBrowserHistory(); @@ -26,6 +33,7 @@ describe('Test discover state', () => { state = getState({ getStateDefaults: () => ({ index: 'test' }), history, + uiSettings: uiSettingsMock, }); await state.replaceUrlAppState({}); await state.startSync(); @@ -81,6 +89,7 @@ describe('Test discover state with legacy migration', () => { state = getState({ getStateDefaults: () => ({ index: 'test' }), history, + uiSettings: uiSettingsMock, }); expect(state.appStateContainer.getState()).toMatchInlineSnapshot(` Object { @@ -106,6 +115,7 @@ describe('createSearchSessionRestorationDataProvider', () => { data: mockDataPlugin, appStateContainer: getState({ history: createBrowserHistory(), + uiSettings: uiSettingsMock, }).appStateContainer, getSavedSearch: () => mockSavedSearch, }); diff --git a/src/plugins/discover/public/application/angular/discover_state.ts b/src/plugins/discover/public/application/angular/discover_state.ts index 93fc49b65cbc92..e7d5ed469525f7 100644 --- a/src/plugins/discover/public/application/angular/discover_state.ts +++ b/src/plugins/discover/public/application/angular/discover_state.ts @@ -9,7 +9,7 @@ import { isEqual } from 'lodash'; import { i18n } from '@kbn/i18n'; import { History } from 'history'; -import { NotificationsStart } from 'kibana/public'; +import { NotificationsStart, IUiSettingsClient } from 'kibana/public'; import { createKbnUrlStateStorage, createStateContainer, @@ -30,6 +30,7 @@ import { migrateLegacyQuery } from '../helpers/migrate_legacy_query'; import { DiscoverGridSettings } from '../components/discover_grid/types'; import { DISCOVER_APP_URL_GENERATOR, DiscoverUrlGeneratorState } from '../../url_generator'; import { SavedSearch } from '../../saved_searches'; +import { handleSourceColumnState } from './helpers'; export interface AppState { /** @@ -90,6 +91,11 @@ interface GetStateParams { * kbnUrlStateStorage will use it notifying about inner errors */ toasts?: NotificationsStart['toasts']; + + /** + * core ui settings service + */ + uiSettings: IUiSettingsClient; } export interface GetStateReturn { @@ -149,6 +155,7 @@ export function getState({ storeInSessionStorage = false, history, toasts, + uiSettings, }: GetStateParams): GetStateReturn { const defaultAppState = getStateDefaults ? getStateDefaults() : {}; const stateStorage = createKbnUrlStateStorage({ @@ -163,10 +170,14 @@ export function getState({ appStateFromUrl.query = migrateLegacyQuery(appStateFromUrl.query); } - let initialAppState = { - ...defaultAppState, - ...appStateFromUrl, - }; + let initialAppState = handleSourceColumnState( + { + ...defaultAppState, + ...appStateFromUrl, + }, + uiSettings + ); + // todo filter source depending on fields fetchinbg flag (if no columns remain and source fetching is enabled, use default columns) let previousAppState: AppState; const appStateContainer = createStateContainer(initialAppState); diff --git a/src/plugins/discover/public/application/angular/helpers/index.ts b/src/plugins/discover/public/application/angular/helpers/index.ts index a4ab9e575e4217..3d4893268fdee8 100644 --- a/src/plugins/discover/public/application/angular/helpers/index.ts +++ b/src/plugins/discover/public/application/angular/helpers/index.ts @@ -8,3 +8,4 @@ export { buildPointSeriesData } from './point_series'; export { formatRow } from './row_formatter'; +export { handleSourceColumnState } from './state_helpers'; diff --git a/src/plugins/discover/public/application/angular/helpers/state_helpers.ts b/src/plugins/discover/public/application/angular/helpers/state_helpers.ts new file mode 100644 index 00000000000000..ec5009dcf48392 --- /dev/null +++ b/src/plugins/discover/public/application/angular/helpers/state_helpers.ts @@ -0,0 +1,42 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +import { IUiSettingsClient } from 'src/core/public'; +import { SEARCH_FIELDS_FROM_SOURCE, DEFAULT_COLUMNS_SETTING } from '../../../../common'; + +/** + * Makes sure the current state is not referencing the source column when using the fields api + * @param state + * @param uiSettings + */ +export function handleSourceColumnState( + state: TState, + uiSettings: IUiSettingsClient +): TState { + if (!state.columns) { + return state; + } + const useNewFieldsApi = !uiSettings.get(SEARCH_FIELDS_FROM_SOURCE); + const defaultColumns = uiSettings.get(DEFAULT_COLUMNS_SETTING); + if (useNewFieldsApi) { + // if fields API is used, filter out the source column + return { + ...state, + columns: state.columns.filter((column) => column !== '_source'), + }; + } else if (state.columns.length === 0) { + // if _source fetching is used and there are no column, switch back to default columns + // this can happen if the fields API was previously used + return { + ...state, + columns: [...defaultColumns], + }; + } + + return state; +} diff --git a/src/plugins/discover/public/application/components/discover_grid/discover_grid.tsx b/src/plugins/discover/public/application/components/discover_grid/discover_grid.tsx index a4e59a50a2f6c7..fcaea63f2a77c4 100644 --- a/src/plugins/discover/public/application/components/discover_grid/discover_grid.tsx +++ b/src/plugins/discover/public/application/components/discover_grid/discover_grid.tsx @@ -315,7 +315,8 @@ export const DiscoverGrid = ({ Date: Thu, 18 Feb 2021 17:15:22 +0100 Subject: [PATCH 13/15] [Lens] Support index pattern runtime fields in existence and field stats API (#90600) --- .../field_item.test.tsx | 115 +++----- .../indexpattern_datasource/field_item.tsx | 5 +- .../server/routes/existing_fields.test.ts | 27 ++ .../lens/server/routes/existing_fields.ts | 10 +- .../plugins/lens/server/routes/field_stats.ts | 43 +-- .../api_integration/apis/lens/field_stats.ts | 253 +++++++++--------- .../es_archives/visualize/default/data.json | 25 ++ 7 files changed, 250 insertions(+), 228 deletions(-) diff --git a/x-pack/plugins/lens/public/indexpattern_datasource/field_item.test.tsx b/x-pack/plugins/lens/public/indexpattern_datasource/field_item.test.tsx index fca958a39b086f..0871ef47494960 100644 --- a/x-pack/plugins/lens/public/indexpattern_datasource/field_item.test.tsx +++ b/x-pack/plugins/lens/public/indexpattern_datasource/field_item.test.tsx @@ -116,27 +116,6 @@ describe('IndexPattern Field Item', () => { ); }); - it('should request field stats without a time field, if the index pattern has none', async () => { - indexPattern.timeFieldName = undefined; - core.http.post.mockImplementationOnce(() => { - return Promise.resolve({}); - }); - const wrapper = mountWithIntl(); - - await act(async () => { - clickField(wrapper, 'bytes'); - }); - - expect(core.http.post).toHaveBeenCalledWith( - '/api/lens/index_stats/my-fake-index-pattern/field', - expect.anything() - ); - // Function argument types not detected correctly (https://github.com/microsoft/TypeScript/issues/26591) - // eslint-disable-next-line @typescript-eslint/no-explicit-any - const { body } = (core.http.post.mock.calls[0] as any)[1]; - expect(JSON.parse(body)).not.toHaveProperty('timeFieldName'); - }); - it('should request field stats every time the button is clicked', async () => { let resolveFunction: (arg: unknown) => void; @@ -150,31 +129,21 @@ describe('IndexPattern Field Item', () => { clickField(wrapper, 'bytes'); - expect(core.http.post).toHaveBeenCalledWith( - `/api/lens/index_stats/my-fake-index-pattern/field`, - { - body: JSON.stringify({ - dslQuery: { - bool: { - must: [{ match_all: {} }], - filter: [], - should: [], - must_not: [], - }, + expect(core.http.post).toHaveBeenCalledWith(`/api/lens/index_stats/1/field`, { + body: JSON.stringify({ + dslQuery: { + bool: { + must: [{ match_all: {} }], + filter: [], + should: [], + must_not: [], }, - fromDate: 'now-7d', - toDate: 'now', - timeFieldName: 'timestamp', - field: { - name: 'bytes', - displayName: 'bytesLabel', - type: 'number', - aggregatable: true, - searchable: true, - }, - }), - } - ); + }, + fromDate: 'now-7d', + toDate: 'now', + fieldName: 'bytes', + }), + }); expect(wrapper.find(EuiPopover).prop('isOpen')).toEqual(true); @@ -227,40 +196,30 @@ describe('IndexPattern Field Item', () => { clickField(wrapper, 'bytes'); expect(core.http.post).toHaveBeenCalledTimes(2); - expect(core.http.post).toHaveBeenLastCalledWith( - `/api/lens/index_stats/my-fake-index-pattern/field`, - { - body: JSON.stringify({ - dslQuery: { - bool: { - must: [], - filter: [ - { - bool: { - should: [{ match_phrase: { 'geo.src': 'US' } }], - minimum_should_match: 1, - }, - }, - { - match: { phrase: { 'geo.dest': 'US' } }, + expect(core.http.post).toHaveBeenLastCalledWith(`/api/lens/index_stats/1/field`, { + body: JSON.stringify({ + dslQuery: { + bool: { + must: [], + filter: [ + { + bool: { + should: [{ match_phrase: { 'geo.src': 'US' } }], + minimum_should_match: 1, }, - ], - should: [], - must_not: [], - }, + }, + { + match: { phrase: { 'geo.dest': 'US' } }, + }, + ], + should: [], + must_not: [], }, - fromDate: 'now-14d', - toDate: 'now-7d', - timeFieldName: 'timestamp', - field: { - name: 'bytes', - displayName: 'bytesLabel', - type: 'number', - aggregatable: true, - searchable: true, - }, - }), - } - ); + }, + fromDate: 'now-14d', + toDate: 'now-7d', + fieldName: 'bytes', + }), + }); }); }); diff --git a/x-pack/plugins/lens/public/indexpattern_datasource/field_item.tsx b/x-pack/plugins/lens/public/indexpattern_datasource/field_item.tsx index e0198d6d7903e7..e5d46b4a7a0737 100644 --- a/x-pack/plugins/lens/public/indexpattern_datasource/field_item.tsx +++ b/x-pack/plugins/lens/public/indexpattern_datasource/field_item.tsx @@ -129,7 +129,7 @@ export const InnerFieldItem = function InnerFieldItem(props: FieldItemProps) { setState((s) => ({ ...s, isLoading: true })); core.http - .post(`/api/lens/index_stats/${indexPattern.title}/field`, { + .post(`/api/lens/index_stats/${indexPattern.id}/field`, { body: JSON.stringify({ dslQuery: esQuery.buildEsQuery( indexPattern as IIndexPattern, @@ -139,8 +139,7 @@ export const InnerFieldItem = function InnerFieldItem(props: FieldItemProps) { ), fromDate: dateRange.fromDate, toDate: dateRange.toDate, - timeFieldName: indexPattern.timeFieldName, - field, + fieldName: field.name, }), }) .then((results: FieldStatsResponse) => { diff --git a/x-pack/plugins/lens/server/routes/existing_fields.test.ts b/x-pack/plugins/lens/server/routes/existing_fields.test.ts index c6364eca0ff499..3f3e94099f6669 100644 --- a/x-pack/plugins/lens/server/routes/existing_fields.test.ts +++ b/x-pack/plugins/lens/server/routes/existing_fields.test.ts @@ -61,6 +61,20 @@ describe('existingFields', () => { expect(result).toEqual(['bar']); }); + it('supports runtime fields', () => { + const result = existingFields( + [searchResults({ runtime_foo: ['scriptvalue'] })], + [ + field({ + name: 'runtime_foo', + runtimeField: { type: 'long', script: { source: '2+2' } }, + }), + ] + ); + + expect(result).toEqual(['runtime_foo']); + }); + it('supports meta fields', () => { const result = existingFields( [{ _mymeta: 'abc', ...searchResults({ bar: ['scriptvalue'] }) }], @@ -78,6 +92,11 @@ describe('buildFieldList', () => { typeMeta: 'typemeta', fields: [ { name: 'foo', scripted: true, lang: 'painless', script: '2+2' }, + { + name: 'runtime_foo', + isMapped: false, + runtimeField: { type: 'long', script: { source: '2+2' } }, + }, { name: 'bar' }, { name: '@bar' }, { name: 'baz' }, @@ -95,6 +114,14 @@ describe('buildFieldList', () => { }); }); + it('supports runtime fields', () => { + const fields = buildFieldList((indexPattern as unknown) as IndexPattern, []); + expect(fields.find((f) => f.runtimeField)).toMatchObject({ + name: 'runtime_foo', + runtimeField: { type: 'long', script: { source: '2+2' } }, + }); + }); + it('supports meta fields', () => { const fields = buildFieldList((indexPattern as unknown) as IndexPattern, ['_mymeta']); expect(fields.find((f) => f.isMeta)).toMatchObject({ diff --git a/x-pack/plugins/lens/server/routes/existing_fields.ts b/x-pack/plugins/lens/server/routes/existing_fields.ts index e76abf4598efa9..11db9360749eaf 100644 --- a/x-pack/plugins/lens/server/routes/existing_fields.ts +++ b/x-pack/plugins/lens/server/routes/existing_fields.ts @@ -10,7 +10,7 @@ import { errors } from '@elastic/elasticsearch'; import { schema } from '@kbn/config-schema'; import { RequestHandlerContext, ElasticsearchClient } from 'src/core/server'; import { CoreSetup, Logger } from 'src/core/server'; -import { IndexPattern, IndexPatternsService } from 'src/plugins/data/common'; +import { IndexPattern, IndexPatternsService, RuntimeField } from 'src/plugins/data/common'; import { BASE_API_URL } from '../../common'; import { UI_SETTINGS } from '../../../../../src/plugins/data/server'; import { PluginStartContract } from '../plugin'; @@ -30,6 +30,7 @@ export interface Field { isMeta: boolean; lang?: string; script?: string; + runtimeField?: RuntimeField; } export async function existingFieldsRoute(setup: CoreSetup, logger: Logger) { @@ -138,6 +139,7 @@ export function buildFieldList(indexPattern: IndexPattern, metaFields: string[]) // id is a special case - it doesn't show up in the meta field list, // but as it's not part of source, it has to be handled separately. isMeta: metaFields.includes(field.name) || field.name === '_id', + runtimeField: !field.isMapped ? field.runtimeField : undefined, }; }); } @@ -181,6 +183,7 @@ async function fetchIndexPatternStats({ }; const scriptedFields = fields.filter((f) => f.isScript); + const runtimeFields = fields.filter((f) => f.runtimeField); const { body: result } = await client.search({ index, body: { @@ -189,6 +192,11 @@ async function fetchIndexPatternStats({ sort: timeFieldName && fromDate && toDate ? [{ [timeFieldName]: 'desc' }] : [], fields: ['*'], _source: false, + runtime_mappings: runtimeFields.reduce((acc, field) => { + if (!field.runtimeField) return acc; + acc[field.name] = field.runtimeField; + return acc; + }, {} as Record), script_fields: scriptedFields.reduce((acc, field) => { acc[field.name] = { script: { diff --git a/x-pack/plugins/lens/server/routes/field_stats.ts b/x-pack/plugins/lens/server/routes/field_stats.ts index 7fd884755d86df..9094e5442dc511 100644 --- a/x-pack/plugins/lens/server/routes/field_stats.ts +++ b/x-pack/plugins/lens/server/routes/field_stats.ts @@ -11,6 +11,7 @@ import DateMath from '@elastic/datemath'; import { schema } from '@kbn/config-schema'; import { CoreSetup } from 'src/core/server'; import { IFieldType } from 'src/plugins/data/common'; +import { SavedObjectNotFound } from '../../../../../src/plugins/kibana_utils/common'; import { ESSearchResponse } from '../../../../typings/elasticsearch'; import { FieldStatsResponse, BASE_API_URL } from '../../common'; import { PluginStartContract } from '../plugin'; @@ -21,28 +22,17 @@ export async function initFieldsRoute(setup: CoreSetup) { const router = setup.http.createRouter(); router.post( { - path: `${BASE_API_URL}/index_stats/{indexPatternTitle}/field`, + path: `${BASE_API_URL}/index_stats/{indexPatternId}/field`, validate: { params: schema.object({ - indexPatternTitle: schema.string(), + indexPatternId: schema.string(), }), body: schema.object( { dslQuery: schema.object({}, { unknowns: 'allow' }), fromDate: schema.string(), toDate: schema.string(), - timeFieldName: schema.maybe(schema.string()), - field: schema.object( - { - name: schema.string(), - type: schema.string(), - esTypes: schema.maybe(schema.arrayOf(schema.string())), - scripted: schema.maybe(schema.boolean()), - lang: schema.maybe(schema.string()), - script: schema.maybe(schema.string()), - }, - { unknowns: 'allow' } - ), + fieldName: schema.string(), }, { unknowns: 'allow' } ), @@ -50,9 +40,26 @@ export async function initFieldsRoute(setup: CoreSetup) { }, async (context, req, res) => { const requestClient = context.core.elasticsearch.client.asCurrentUser; - const { fromDate, toDate, timeFieldName, field, dslQuery } = req.body; + const { fromDate, toDate, fieldName, dslQuery } = req.body; + + const [{ savedObjects, elasticsearch }, { data }] = await setup.getStartServices(); + const savedObjectsClient = savedObjects.getScopedClient(req); + const esClient = elasticsearch.client.asScoped(req).asCurrentUser; + const indexPatternsService = await data.indexPatterns.indexPatternsServiceFactory( + savedObjectsClient, + esClient + ); try { + const indexPattern = await indexPatternsService.get(req.params.indexPatternId); + + const timeFieldName = indexPattern.timeFieldName; + const field = indexPattern.fields.find((f) => f.name === fieldName); + + if (!field) { + throw new Error(`Field {fieldName} not found in index pattern ${indexPattern.title}`); + } + const filter = timeFieldName ? [ { @@ -75,11 +82,12 @@ export async function initFieldsRoute(setup: CoreSetup) { const search = async (aggs: unknown) => { const { body: result } = await requestClient.search({ - index: req.params.indexPatternTitle, + index: indexPattern.title, track_total_hits: true, body: { query, aggs, + runtime_mappings: field.runtimeField ? { [fieldName]: field.runtimeField } : {}, }, size: 0, }); @@ -104,6 +112,9 @@ export async function initFieldsRoute(setup: CoreSetup) { body: await getStringSamples(search, field), }); } catch (e) { + if (e instanceof SavedObjectNotFound) { + return res.notFound(); + } if (e instanceof errors.ResponseError && e.statusCode === 404) { return res.notFound(); } diff --git a/x-pack/test/api_integration/apis/lens/field_stats.ts b/x-pack/test/api_integration/apis/lens/field_stats.ts index ac4ebb4e5b02c2..94960b98591219 100644 --- a/x-pack/test/api_integration/apis/lens/field_stats.ts +++ b/x-pack/test/api_integration/apis/lens/field_stats.ts @@ -22,29 +22,29 @@ export default ({ getService }: FtrProviderContext) => { describe('index stats apis', () => { before(async () => { await esArchiver.loadIfNeeded('logstash_functional'); - await esArchiver.loadIfNeeded('visualize/default'); - await esArchiver.loadIfNeeded('pre_calculated_histogram'); }); after(async () => { await esArchiver.unload('logstash_functional'); - await esArchiver.unload('visualize/default'); - await esArchiver.unload('pre_calculated_histogram'); }); describe('field distribution', () => { + before(async () => { + await esArchiver.loadIfNeeded('visualize/default'); + }); + after(async () => { + await esArchiver.unload('visualize/default'); + }); + it('should return a 404 for missing index patterns', async () => { await supertest - .post('/api/lens/index_stats/logstash/field') + .post('/api/lens/index_stats/123/field') .set(COMMON_HEADERS) .send({ dslQuery: { match_all: {} }, fromDate: TEST_START_TIME, toDate: TEST_END_TIME, timeFieldName: '@timestamp', - field: { - name: 'bytes', - type: 'number', - }, + fieldName: 'bytes', }) .expect(404); }); @@ -57,10 +57,7 @@ export default ({ getService }: FtrProviderContext) => { dslQuery: { match_all: {} }, fromDate: TEST_START_TIME, toDate: TEST_END_TIME, - field: { - name: 'bytes', - type: 'number', - }, + fieldName: 'bytes', }) .expect(200); @@ -75,11 +72,7 @@ export default ({ getService }: FtrProviderContext) => { dslQuery: { match_all: {} }, fromDate: TEST_START_TIME, toDate: TEST_END_TIME, - timeFieldName: '@timestamp', - field: { - name: 'bytes', - type: 'number', - }, + fieldName: 'bytes', }) .expect(200); @@ -186,11 +179,7 @@ export default ({ getService }: FtrProviderContext) => { dslQuery: { match_all: {} }, fromDate: TEST_START_TIME, toDate: TEST_END_TIME, - timeFieldName: '@timestamp', - field: { - name: '@timestamp', - type: 'date', - }, + fieldName: '@timestamp', }) .expect(200); @@ -223,11 +212,7 @@ export default ({ getService }: FtrProviderContext) => { dslQuery: { match_all: {} }, fromDate: TEST_START_TIME, toDate: TEST_END_TIME, - timeFieldName: '@timestamp', - field: { - name: 'geo.src', - type: 'string', - }, + fieldName: 'geo.src', }) .expect(200); @@ -290,11 +275,7 @@ export default ({ getService }: FtrProviderContext) => { dslQuery: { match_all: {} }, fromDate: TEST_START_TIME, toDate: TEST_END_TIME, - timeFieldName: '@timestamp', - field: { - name: 'ip', - type: 'ip', - }, + fieldName: 'ip', }) .expect(200); @@ -349,6 +330,113 @@ export default ({ getService }: FtrProviderContext) => { }); }); + it('should return histograms for scripted date fields', async () => { + const { body } = await supertest + .post('/api/lens/index_stats/logstash-2015.09.22/field') + .set(COMMON_HEADERS) + .send({ + dslQuery: { match_all: {} }, + fromDate: TEST_START_TIME, + toDate: TEST_END_TIME, + fieldName: 'scripted_date', + }) + .expect(200); + + expect(body).to.eql({ + histogram: { + buckets: [ + { + count: 4634, + key: 0, + }, + ], + }, + totalDocuments: 4634, + }); + }); + + it('should return top values for scripted string fields', async () => { + const { body } = await supertest + .post('/api/lens/index_stats/logstash-2015.09.22/field') + .set(COMMON_HEADERS) + .send({ + dslQuery: { match_all: {} }, + fromDate: TEST_START_TIME, + toDate: TEST_END_TIME, + fieldName: 'scripted_string', + }) + .expect(200); + + expect(body).to.eql({ + totalDocuments: 4634, + sampledDocuments: 4634, + sampledValues: 4634, + topValues: { + buckets: [ + { + count: 4634, + key: 'hello', + }, + ], + }, + }); + }); + + it('should return top values for index pattern runtime string fields', async () => { + const { body } = await supertest + .post('/api/lens/index_stats/logstash-2015.09.22/field') + .set(COMMON_HEADERS) + .send({ + dslQuery: { match_all: {} }, + fromDate: TEST_START_TIME, + toDate: TEST_END_TIME, + fieldName: 'runtime_string_field', + }) + .expect(200); + + expect(body).to.eql({ + totalDocuments: 4634, + sampledDocuments: 4634, + sampledValues: 4634, + topValues: { + buckets: [ + { + count: 4634, + key: 'hello world!', + }, + ], + }, + }); + }); + + it('should apply filters and queries', async () => { + const { body } = await supertest + .post('/api/lens/index_stats/logstash-2015.09.22/field') + .set(COMMON_HEADERS) + .send({ + dslQuery: { + bool: { + filter: [{ match: { 'geo.src': 'US' } }], + }, + }, + fromDate: TEST_START_TIME, + toDate: TEST_END_TIME, + fieldName: 'bytes', + }) + .expect(200); + + expect(body.totalDocuments).to.eql(425); + }); + }); + + describe('histogram', () => { + before(async () => { + await esArchiver.loadIfNeeded('pre_calculated_histogram'); + }); + after(async () => { + await esArchiver.unload('pre_calculated_histogram'); + }); + it('should return an auto histogram for precalculated histograms', async () => { const { body } = await supertest .post('/api/lens/index_stats/histogram-test/field') @@ -357,10 +445,7 @@ export default ({ getService }: FtrProviderContext) => { dslQuery: { match_all: {} }, fromDate: TEST_START_TIME, toDate: TEST_END_TIME, - field: { - name: 'histogram-content', - type: 'histogram', - }, + fieldName: 'histogram-content', }) .expect(200); @@ -428,10 +513,7 @@ export default ({ getService }: FtrProviderContext) => { dslQuery: { match: { 'histogram-title': 'single value' } }, fromDate: TEST_START_TIME, toDate: TEST_END_TIME, - field: { - name: 'histogram-content', - type: 'histogram', - }, + fieldName: 'histogram-content', }) .expect(200); @@ -443,95 +525,6 @@ export default ({ getService }: FtrProviderContext) => { topValues: { buckets: [] }, }); }); - - it('should return histograms for scripted date fields', async () => { - const { body } = await supertest - .post('/api/lens/index_stats/logstash-2015.09.22/field') - .set(COMMON_HEADERS) - .send({ - dslQuery: { match_all: {} }, - fromDate: TEST_START_TIME, - toDate: TEST_END_TIME, - timeFieldName: '@timestamp', - field: { - name: 'scripted date', - type: 'date', - scripted: true, - script: '1234', - lang: 'painless', - }, - }) - .expect(200); - - expect(body).to.eql({ - histogram: { - buckets: [ - { - count: 4634, - key: 0, - }, - ], - }, - totalDocuments: 4634, - }); - }); - - it('should return top values for scripted string fields', async () => { - const { body } = await supertest - .post('/api/lens/index_stats/logstash-2015.09.22/field') - .set(COMMON_HEADERS) - .send({ - dslQuery: { match_all: {} }, - fromDate: TEST_START_TIME, - toDate: TEST_END_TIME, - timeFieldName: '@timestamp', - field: { - name: 'scripted string', - type: 'string', - scripted: true, - script: 'return "hello"', - lang: 'painless', - }, - }) - .expect(200); - - expect(body).to.eql({ - totalDocuments: 4634, - sampledDocuments: 4634, - sampledValues: 4634, - topValues: { - buckets: [ - { - count: 4634, - key: 'hello', - }, - ], - }, - }); - }); - - it('should apply filters and queries', async () => { - const { body } = await supertest - .post('/api/lens/index_stats/logstash-2015.09.22/field') - .set(COMMON_HEADERS) - .send({ - dslQuery: { - bool: { - filter: [{ match: { 'geo.src': 'US' } }], - }, - }, - fromDate: TEST_START_TIME, - toDate: TEST_END_TIME, - timeFieldName: '@timestamp', - field: { - name: 'bytes', - type: 'number', - }, - }) - .expect(200); - - expect(body.totalDocuments).to.eql(425); - }); }); }); }; diff --git a/x-pack/test/functional/es_archives/visualize/default/data.json b/x-pack/test/functional/es_archives/visualize/default/data.json index 26b033e28b4da7..7d0ad0c25f96db 100644 --- a/x-pack/test/functional/es_archives/visualize/default/data.json +++ b/x-pack/test/functional/es_archives/visualize/default/data.json @@ -145,6 +145,31 @@ } } +{ + "type": "doc", + "value": { + "index": ".kibana", + "type": "doc", + "id": "index-pattern:logstash-2015.09.22", + "index": ".kibana_1", + "source": { + "index-pattern": { + "timeFieldName": "@timestamp", + "title": "logstash-2015.09.22", + "fields":"[{\"name\":\"scripted_date\",\"type\":\"date\",\"count\":0,\"scripted\":true,\"script\":\"1234\",\"lang\":\"painless\",\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"scripted_string\",\"type\":\"string\",\"count\":0,\"scripted\":true,\"script\":\"return 'hello'\",\"lang\":\"painless\",\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false}]", + "runtimeFieldMap":"{\"runtime_string_field\":{\"type\":\"keyword\",\"script\":{\"source\":\"emit('hello world!')\"}}}" + }, + "migrationVersion": { + "index-pattern": "7.11.0" + }, + "references": [ + ], + "type": "index-pattern", + "updated_at": "2018-12-21T00:43:07.096Z" + } + } +} + { "type": "doc", "value": { From c5dabc2e86c4ab7a8ae7f9c7a747538985f54a71 Mon Sep 17 00:00:00 2001 From: Maja Grubic Date: Thu, 18 Feb 2021 16:25:57 +0000 Subject: [PATCH 14/15] [Discover] Always request unmapped fields in a single doc view and a context view (#91825) * [Discover] Always request unmapped fields in a single doc view * Updating unit test * Request unmapped fields in context view --- .../public/application/angular/context/api/anchor.js | 2 +- .../public/application/angular/context/api/anchor.test.js | 2 +- .../public/application/angular/context/api/context.ts | 2 +- .../application/components/doc/use_es_doc_search.test.tsx | 5 ++++- .../public/application/components/doc/use_es_doc_search.ts | 2 +- 5 files changed, 8 insertions(+), 5 deletions(-) diff --git a/src/plugins/discover/public/application/angular/context/api/anchor.js b/src/plugins/discover/public/application/angular/context/api/anchor.js index f1074be2ebcf25..83b611cb0d6488 100644 --- a/src/plugins/discover/public/application/angular/context/api/anchor.js +++ b/src/plugins/discover/public/application/angular/context/api/anchor.js @@ -32,7 +32,7 @@ export function fetchAnchorProvider(indexPatterns, searchSource, useNewFieldsApi .setField('sort', sort); if (useNewFieldsApi) { searchSource.removeField('fieldsFromSource'); - searchSource.setField('fields', ['*']); + searchSource.setField('fields', [{ field: '*', include_unmapped: 'true' }]); } const response = await searchSource.fetch(); diff --git a/src/plugins/discover/public/application/angular/context/api/anchor.test.js b/src/plugins/discover/public/application/angular/context/api/anchor.test.js index 5b077f7443c27e..12b9b4ab285567 100644 --- a/src/plugins/discover/public/application/angular/context/api/anchor.test.js +++ b/src/plugins/discover/public/application/angular/context/api/anchor.test.js @@ -154,7 +154,7 @@ describe('context app', function () { const removeFieldsSpy = searchSourceStub.removeField.withArgs('fieldsFromSource'); expect(setFieldsSpy.calledOnce).toBe(true); expect(removeFieldsSpy.calledOnce).toBe(true); - expect(setFieldsSpy.firstCall.args[1]).toEqual(['*']); + expect(setFieldsSpy.firstCall.args[1]).toEqual([{ field: '*', include_unmapped: 'true' }]); }); }); }); diff --git a/src/plugins/discover/public/application/angular/context/api/context.ts b/src/plugins/discover/public/application/angular/context/api/context.ts index 4887a0644b6eb6..43f6e83d286b36 100644 --- a/src/plugins/discover/public/application/angular/context/api/context.ts +++ b/src/plugins/discover/public/application/angular/context/api/context.ts @@ -114,7 +114,7 @@ function fetchContextProvider(indexPatterns: IndexPatternsContract, useNewFields const searchSource = await data.search.searchSource.create(); if (useNewFieldsApi) { searchSource.removeField('fieldsFromSource'); - searchSource.setField('fields', ['*']); + searchSource.setField('fields', [{ field: '*', include_unmapped: 'true' }]); } return searchSource .setParent(undefined) diff --git a/src/plugins/discover/public/application/components/doc/use_es_doc_search.test.tsx b/src/plugins/discover/public/application/components/doc/use_es_doc_search.test.tsx index ef2619070a6d8e..dc0b6416a7f576 100644 --- a/src/plugins/discover/public/application/components/doc/use_es_doc_search.test.tsx +++ b/src/plugins/discover/public/application/components/doc/use_es_doc_search.test.tsx @@ -67,7 +67,10 @@ describe('Test of helper / hook', () => { "_source": false, "docvalue_fields": Array [], "fields": Array [ - "*", + Object { + "field": "*", + "include_unmapped": "true", + }, ], "query": Object { "ids": Object { diff --git a/src/plugins/discover/public/application/components/doc/use_es_doc_search.ts b/src/plugins/discover/public/application/components/doc/use_es_doc_search.ts index 295b2ab3831194..703a1e557e801a 100644 --- a/src/plugins/discover/public/application/components/doc/use_es_doc_search.ts +++ b/src/plugins/discover/public/application/components/doc/use_es_doc_search.ts @@ -39,7 +39,7 @@ export function buildSearchBody( }, stored_fields: computedFields.storedFields, _source: !useNewFieldsApi, - fields: useNewFieldsApi ? ['*'] : undefined, + fields: useNewFieldsApi ? [{ field: '*', include_unmapped: 'true' }] : undefined, script_fields: computedFields.scriptFields, docvalue_fields: computedFields.docvalueFields, }; From 386afdca8ffc8b5c61aa0c2ce0ea1a3476fd0aa7 Mon Sep 17 00:00:00 2001 From: Ahmad Bamieh Date: Thu, 18 Feb 2021 18:34:44 +0200 Subject: [PATCH 15/15] [SOM] fix flaky suites (#91809) Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com> --- test/functional/apps/management/_import_objects.ts | 1 - .../apps/saved_objects_management/edit_saved_object.ts | 3 +-- 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/test/functional/apps/management/_import_objects.ts b/test/functional/apps/management/_import_objects.ts index ca8d8c392ce49b..a3daaf86294939 100644 --- a/test/functional/apps/management/_import_objects.ts +++ b/test/functional/apps/management/_import_objects.ts @@ -23,7 +23,6 @@ export default function ({ getService, getPageObjects }: FtrProviderContext) { const testSubjects = getService('testSubjects'); const log = getService('log'); - // FLAKY: https://github.com/elastic/kibana/issues/89478 describe('import objects', function describeIndexTests() { describe('.ndjson file', () => { beforeEach(async function () { diff --git a/test/functional/apps/saved_objects_management/edit_saved_object.ts b/test/functional/apps/saved_objects_management/edit_saved_object.ts index 81569c5bfc498a..89889088bd73ba 100644 --- a/test/functional/apps/saved_objects_management/edit_saved_object.ts +++ b/test/functional/apps/saved_objects_management/edit_saved_object.ts @@ -55,8 +55,7 @@ export default function ({ getPageObjects, getService }: FtrProviderContext) { await button.click(); }; - // Flaky: https://github.com/elastic/kibana/issues/68400 - describe.skip('saved objects edition page', () => { + describe('saved objects edition page', () => { beforeEach(async () => { await esArchiver.load('saved_objects_management/edit_saved_object'); });