From 6563abe88dc5ce61a6a90e25e7e97d8ff07faea9 Mon Sep 17 00:00:00 2001 From: Mika Ayenson Date: Tue, 14 May 2024 11:15:12 -0500 Subject: [PATCH] [FR] Add max_signal note, unit test, and rule tuning (#3669) Removed changes from: - rules/integrations/cloud_defend/container_workload_protection.toml (selectively cherry picked from commit f07a9e6fbca0f35cc6db8d3cb056592e9a18b60b) --- .../endpoint/elastic_endpoint_security.toml | 11 +++++++- ..._access_endgame_cred_dumping_detected.toml | 11 +++++++- ...access_endgame_cred_dumping_prevented.toml | 11 +++++++- .../endgame_adversary_behavior_detected.toml | 11 +++++++- .../promotions/endgame_malware_detected.toml | 11 +++++++- .../promotions/endgame_malware_prevented.toml | 11 +++++++- .../endgame_ransomware_detected.toml | 11 +++++++- .../endgame_ransomware_prevented.toml | 11 +++++++- .../execution_endgame_exploit_detected.toml | 11 +++++++- .../execution_endgame_exploit_prevented.toml | 11 +++++++- rules/promotions/external_alerts.toml | 11 +++++++- ...on_endgame_cred_manipulation_detected.toml | 11 +++++++- ...n_endgame_cred_manipulation_prevented.toml | 11 +++++++- ...ion_endgame_permission_theft_detected.toml | 11 +++++++- ...on_endgame_permission_theft_prevented.toml | 11 +++++++- ...on_endgame_process_injection_detected.toml | 11 +++++++- ...n_endgame_process_injection_prevented.toml | 11 +++++++- tests/test_all_rules.py | 27 ++++++++++++++++++- 18 files changed, 196 insertions(+), 18 deletions(-) diff --git a/rules/integrations/endpoint/elastic_endpoint_security.toml b/rules/integrations/endpoint/elastic_endpoint_security.toml index 750c639c338..ddc45fe6865 100644 --- a/rules/integrations/endpoint/elastic_endpoint_security.toml +++ b/rules/integrations/endpoint/elastic_endpoint_security.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2024/05/13" promotion = true [rule] @@ -23,6 +23,15 @@ name = "Endpoint Security" risk_score = 47 rule_id = "9a1a2dae-0b5f-4c3d-8305-a268d404c306" rule_name_override = "message" +setup = """## Setup + +This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. + +**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. + +To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. + +**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" severity = "medium" tags = ["Data Source: Elastic Defend"] timestamp_override = "event.ingested" diff --git a/rules/promotions/credential_access_endgame_cred_dumping_detected.toml b/rules/promotions/credential_access_endgame_cred_dumping_detected.toml index d852586dfdd..d643f37fbe6 100644 --- a/rules/promotions/credential_access_endgame_cred_dumping_detected.toml +++ b/rules/promotions/credential_access_endgame_cred_dumping_detected.toml @@ -3,7 +3,7 @@ creation_date = "2020/02/18" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2024/01/17" +updated_date = "2024/05/13" promotion = true [rule] @@ -21,6 +21,15 @@ max_signals = 10000 name = "Credential Dumping - Detected - Elastic Endgame" risk_score = 73 rule_id = "571afc56-5ed9-465d-a2a9-045f099f6e7e" +setup = """## Setup + +This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. + +**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. + +To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. + +**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" severity = "high" tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Credential Access"] type = "query" diff --git a/rules/promotions/credential_access_endgame_cred_dumping_prevented.toml b/rules/promotions/credential_access_endgame_cred_dumping_prevented.toml index b9fa0659969..08734f9dda1 100644 --- a/rules/promotions/credential_access_endgame_cred_dumping_prevented.toml +++ b/rules/promotions/credential_access_endgame_cred_dumping_prevented.toml @@ -3,7 +3,7 @@ creation_date = "2020/02/18" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2024/01/17" +updated_date = "2024/05/13" promotion = true [rule] @@ -21,6 +21,15 @@ max_signals = 10000 name = "Credential Dumping - Prevented - Elastic Endgame" risk_score = 47 rule_id = "db8c33a8-03cd-4988-9e2c-d0a4863adb13" +setup = """## Setup + +This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. + +**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. + +To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. + +**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" severity = "medium" tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Credential Access"] type = "query" diff --git a/rules/promotions/endgame_adversary_behavior_detected.toml b/rules/promotions/endgame_adversary_behavior_detected.toml index bb6f24a7023..8866e3f788d 100644 --- a/rules/promotions/endgame_adversary_behavior_detected.toml +++ b/rules/promotions/endgame_adversary_behavior_detected.toml @@ -3,7 +3,7 @@ creation_date = "2020/02/18" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2024/01/17" +updated_date = "2024/05/13" promotion = true [rule] @@ -21,6 +21,15 @@ max_signals = 10000 name = "Adversary Behavior - Detected - Elastic Endgame" risk_score = 47 rule_id = "77a3c3df-8ec4-4da4-b758-878f551dee69" +setup = """## Setup + +This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. + +**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. + +To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. + +**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" severity = "medium" tags = ["Data Source: Elastic Endgame"] type = "query" diff --git a/rules/promotions/endgame_malware_detected.toml b/rules/promotions/endgame_malware_detected.toml index f0e30664fda..c8865ab255e 100644 --- a/rules/promotions/endgame_malware_detected.toml +++ b/rules/promotions/endgame_malware_detected.toml @@ -3,7 +3,7 @@ creation_date = "2020/02/18" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2024/01/17" +updated_date = "2024/05/13" promotion = true [rule] @@ -21,6 +21,15 @@ max_signals = 10000 name = "Malware - Detected - Elastic Endgame" risk_score = 99 rule_id = "0a97b20f-4144-49ea-be32-b540ecc445de" +setup = """## Setup + +This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. + +**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. + +To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. + +**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" severity = "critical" tags = ["Data Source: Elastic Endgame"] type = "query" diff --git a/rules/promotions/endgame_malware_prevented.toml b/rules/promotions/endgame_malware_prevented.toml index cf572bfff5b..22c4fdbc579 100644 --- a/rules/promotions/endgame_malware_prevented.toml +++ b/rules/promotions/endgame_malware_prevented.toml @@ -3,7 +3,7 @@ creation_date = "2020/02/18" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2024/01/17" +updated_date = "2024/05/13" promotion = true [rule] @@ -21,6 +21,15 @@ max_signals = 10000 name = "Malware - Prevented - Elastic Endgame" risk_score = 73 rule_id = "3b382770-efbb-44f4-beed-f5e0a051b895" +setup = """## Setup + +This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. + +**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. + +To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. + +**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" severity = "high" tags = ["Data Source: Elastic Endgame"] type = "query" diff --git a/rules/promotions/endgame_ransomware_detected.toml b/rules/promotions/endgame_ransomware_detected.toml index d3fbddb0177..58870383f83 100644 --- a/rules/promotions/endgame_ransomware_detected.toml +++ b/rules/promotions/endgame_ransomware_detected.toml @@ -3,7 +3,7 @@ creation_date = "2020/02/18" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2024/01/17" +updated_date = "2024/05/13" promotion = true [rule] @@ -21,6 +21,15 @@ max_signals = 10000 name = "Ransomware - Detected - Elastic Endgame" risk_score = 99 rule_id = "8cb4f625-7743-4dfb-ae1b-ad92be9df7bd" +setup = """## Setup + +This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. + +**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. + +To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. + +**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" severity = "critical" tags = ["Data Source: Elastic Endgame"] type = "query" diff --git a/rules/promotions/endgame_ransomware_prevented.toml b/rules/promotions/endgame_ransomware_prevented.toml index 647d48bfd68..f8509c3a851 100644 --- a/rules/promotions/endgame_ransomware_prevented.toml +++ b/rules/promotions/endgame_ransomware_prevented.toml @@ -3,7 +3,7 @@ creation_date = "2020/02/18" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2024/01/17" +updated_date = "2024/05/13" promotion = true [rule] @@ -21,6 +21,15 @@ max_signals = 10000 name = "Ransomware - Prevented - Elastic Endgame" risk_score = 73 rule_id = "e3c5d5cb-41d5-4206-805c-f30561eae3ac" +setup = """## Setup + +This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. + +**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. + +To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. + +**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" severity = "high" tags = ["Data Source: Elastic Endgame"] type = "query" diff --git a/rules/promotions/execution_endgame_exploit_detected.toml b/rules/promotions/execution_endgame_exploit_detected.toml index bd0793465ea..fff5c779778 100644 --- a/rules/promotions/execution_endgame_exploit_detected.toml +++ b/rules/promotions/execution_endgame_exploit_detected.toml @@ -3,7 +3,7 @@ creation_date = "2020/02/18" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2024/01/17" +updated_date = "2024/05/13" promotion = true [rule] @@ -21,6 +21,15 @@ max_signals = 10000 name = "Exploit - Detected - Elastic Endgame" risk_score = 73 rule_id = "2003cdc8-8d83-4aa5-b132-1f9a8eb48514" +setup = """## Setup + +This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. + +**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. + +To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. + +**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" severity = "high" tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Privilege Escalation"] type = "query" diff --git a/rules/promotions/execution_endgame_exploit_prevented.toml b/rules/promotions/execution_endgame_exploit_prevented.toml index e830ee43dd4..b9e85a7bde9 100644 --- a/rules/promotions/execution_endgame_exploit_prevented.toml +++ b/rules/promotions/execution_endgame_exploit_prevented.toml @@ -3,7 +3,7 @@ creation_date = "2020/02/18" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2024/01/17" +updated_date = "2024/05/13" promotion = true [rule] @@ -21,6 +21,15 @@ max_signals = 10000 name = "Exploit - Prevented - Elastic Endgame" risk_score = 47 rule_id = "2863ffeb-bf77-44dd-b7a5-93ef94b72036" +setup = """## Setup + +This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. + +**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. + +To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. + +**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" severity = "medium" tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Privilege Escalation"] type = "query" diff --git a/rules/promotions/external_alerts.toml b/rules/promotions/external_alerts.toml index dc709e80372..8f657c450fb 100644 --- a/rules/promotions/external_alerts.toml +++ b/rules/promotions/external_alerts.toml @@ -3,7 +3,7 @@ creation_date = "2020/07/08" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2024/01/17" +updated_date = "2024/05/13" promotion = true [rule] @@ -20,6 +20,15 @@ name = "External Alerts" risk_score = 47 rule_id = "eb079c62-4481-4d6e-9643-3ca499df7aaa" rule_name_override = "message" +setup = """## Setup + +This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. + +**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. + +To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. + +**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" severity = "medium" tags = ["OS: Windows", "Data Source: APM", "OS: macOS", "OS: Linux"] timestamp_override = "event.ingested" diff --git a/rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml b/rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml index 61bd18b6fa4..caef5f6abe9 100644 --- a/rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml +++ b/rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml @@ -3,7 +3,7 @@ creation_date = "2020/02/18" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2024/01/17" +updated_date = "2024/05/13" promotion = true [rule] @@ -21,6 +21,15 @@ max_signals = 10000 name = "Credential Manipulation - Detected - Elastic Endgame" risk_score = 73 rule_id = "c0be5f31-e180-48ed-aa08-96b36899d48f" +setup = """## Setup + +This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. + +**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. + +To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. + +**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" severity = "high" tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation"] type = "query" diff --git a/rules/promotions/privilege_escalation_endgame_cred_manipulation_prevented.toml b/rules/promotions/privilege_escalation_endgame_cred_manipulation_prevented.toml index 45426c07a57..b9ddee16d41 100644 --- a/rules/promotions/privilege_escalation_endgame_cred_manipulation_prevented.toml +++ b/rules/promotions/privilege_escalation_endgame_cred_manipulation_prevented.toml @@ -3,7 +3,7 @@ creation_date = "2020/02/18" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2024/01/17" +updated_date = "2024/05/13" promotion = true [rule] @@ -21,6 +21,15 @@ max_signals = 10000 name = "Credential Manipulation - Prevented - Elastic Endgame" risk_score = 47 rule_id = "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa" +setup = """## Setup + +This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. + +**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. + +To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. + +**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" severity = "medium" tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation"] type = "query" diff --git a/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml b/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml index aee92083b25..0a81cdd2fe7 100644 --- a/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml +++ b/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml @@ -3,7 +3,7 @@ creation_date = "2020/02/18" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2024/01/17" +updated_date = "2024/05/13" promotion = true [rule] @@ -21,6 +21,15 @@ max_signals = 10000 name = "Permission Theft - Detected - Elastic Endgame" risk_score = 73 rule_id = "c3167e1b-f73c-41be-b60b-87f4df707fe3" +setup = """## Setup + +This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. + +**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. + +To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. + +**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" severity = "high" tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation"] type = "query" diff --git a/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml b/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml index 1671ec4011f..5c4cd362f22 100644 --- a/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml +++ b/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml @@ -3,7 +3,7 @@ creation_date = "2020/02/18" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2024/01/17" +updated_date = "2024/05/13" promotion = true [rule] @@ -21,6 +21,15 @@ max_signals = 10000 name = "Permission Theft - Prevented - Elastic Endgame" risk_score = 47 rule_id = "453f659e-0429-40b1-bfdb-b6957286e04b" +setup = """## Setup + +This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. + +**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. + +To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. + +**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" severity = "medium" tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation"] type = "query" diff --git a/rules/promotions/privilege_escalation_endgame_process_injection_detected.toml b/rules/promotions/privilege_escalation_endgame_process_injection_detected.toml index 0e874f5bf58..430a3a2c8ae 100644 --- a/rules/promotions/privilege_escalation_endgame_process_injection_detected.toml +++ b/rules/promotions/privilege_escalation_endgame_process_injection_detected.toml @@ -3,7 +3,7 @@ creation_date = "2020/02/18" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2024/01/17" +updated_date = "2024/05/13" promotion = true [rule] @@ -21,6 +21,15 @@ max_signals = 10000 name = "Process Injection - Detected - Elastic Endgame" risk_score = 73 rule_id = "80c52164-c82a-402c-9964-852533d58be1" +setup = """## Setup + +This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. + +**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. + +To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. + +**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" severity = "high" tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation"] type = "query" diff --git a/rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml b/rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml index cbfacfd1bc9..3451dafac36 100644 --- a/rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml +++ b/rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml @@ -3,7 +3,7 @@ creation_date = "2020/02/18" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2024/01/17" +updated_date = "2024/05/13" promotion = true [rule] @@ -21,6 +21,15 @@ max_signals = 10000 name = "Process Injection - Prevented - Elastic Endgame" risk_score = 47 rule_id = "990838aa-a953-4f3e-b3cb-6ddf7584de9e" +setup = """## Setup + +This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. + +**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. + +To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. + +**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" severity = "medium" tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation"] type = "query" diff --git a/tests/test_all_rules.py b/tests/test_all_rules.py index c66563c34a3..97edd6f70ac 100644 --- a/tests/test_all_rules.py +++ b/tests/test_all_rules.py @@ -147,6 +147,30 @@ def build_rule(query, bbr_type="default", from_field="now-120m", interval="60m") with self.assertRaises(ValidationError): build_rule(query=query, from_field="now-10m", interval="10m") + def test_max_signals_note(self): + """Ensure the max_signals note is present when max_signals > 1000.""" + max_signal_standard_setup = 'This rule is configured to generate more **Max alerts per run** than the ' \ + 'default 1000 alerts per run set for all rules. This is to ensure that it ' \ + "captures as many alerts as possible.\n\n**IMPORTANT:** The rule's " \ + '**Max alerts per run** setting can be superseded by the ' \ + '`xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines ' \ + 'the maximum alerts generated by _any_ rule in the Kibana alerting framework. ' \ + 'For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule ' \ + 'will still generate no more than 1000 alerts even if its own **Max alerts per ' \ + 'run** is set higher.\n\nTo make sure this rule can generate as many alerts as ' \ + "it's configured in its own **Max alerts per run** setting, increase the " \ + '`xpack.alerting.rules.run.alerts.max` system setting accordingly.\n\n**NOTE:** ' \ + 'Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless ' \ + 'projects.' + for rule in self.all_rules: + if rule.contents.data.max_signals and rule.contents.data.max_signals > 1000: + error_message = f'{self.rule_str(rule)} note required for max_signals > 1000' + self.assertIsNotNone(rule.contents.data.setup, error_message) + if max_signal_standard_setup not in rule.contents.data.setup: + self.fail(f'{self.rule_str(rule)} expected max_signals note missing\n\n' + f'Expected: {max_signal_standard_setup}\n\n' + f'Actual: {rule.contents.data.setup}') + class TestThreatMappings(BaseRuleTest): """Test threat mapping data for rules.""" @@ -870,7 +894,8 @@ def test_integration_guide(self): note_str = integration_notes.get(integration) if note_str: - self.assert_(rule.contents.data.note, f'{self.rule_str(rule)} note required for config information') + error_message = f'{self.rule_str(rule)} note required for config information' + self.assertIsNotNone(rule.contents.data.note, error_message) if note_str not in rule.contents.data.note: self.fail(f'{self.rule_str(rule)} expected {integration} config missing\n\n'