[Detection Rules] Add 7.11 rules

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/application_added_to_google_workspace_domain.json

@@ -8,14 +8,15 @@
  ],
  "from": "now-130m",
  "index": [
- "filebeat-*"
+ "filebeat-*",
+ "logs-google_workspace*"
  ],
  "interval": "10m",
  "language": "kuery",
  "license": "Elastic License",
  "name": "Application Added to Google Workspace Domain",
  "note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information.\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html",
- "query": "event.dataset:gsuite.admin and event.provider:admin and event.category:iam and event.action:ADD_APPLICATION",
+ "query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:ADD_APPLICATION",
  "references": [
  "https://support.google.com/a/answer/6328701?hl=en#"
  ],

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_email_powershell_exchange_mailbox.json

@@ -0,0 +1,50 @@
+{
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies the use of the Exchange PowerShell cmdlet, New-MailBoxExportRequest, to export the contents of a primary mailbox or archive to a .pst file. Adversaries may target user email to collect sensitive information.",
+ "false_positives": [
+ "Legitimate exchange system administration activity."
+ ],
+ "index": [
+ "logs-endpoint.events.*",
+ "winlogbeat-*"
+ ],
+ "language": "eql",
+ "license": "Elastic License",
+ "name": "Exporting Exchange Mailbox via PowerShell",
+ "query": "process where event.type in (\"start\", \"process_started\") and\n process.name: (\"powershell.exe\", \"pwsh.exe\") and process.args : \"New-MailboxExportRequest*\"\n",
+ "references": [
+ "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/",
+ "https://docs.microsoft.com/en-us/powershell/module/exchange/new-mailboxexportrequest?view=exchange-ps"
+ ],
+ "risk_score": 47,
+ "rule_id": "6aace640-e631-4870-ba8e-5fdda09325db",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Windows",
+ "Threat Detection",
+ "Collection"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0009",
+ "name": "Collection",
+ "reference": "https://attack.mitre.org/tactics/TA0009/"
+ },
+ "technique": [
+ {
+ "id": "T1114",
+ "name": "Email Collection",
+ "reference": "https://attack.mitre.org/techniques/T1114/"
+ }
+ ]
+ }
+ ],
+ "type": "eql",
+ "version": 1
+}

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_gcp_pub_sub_subscription_creation.json

@@ -7,13 +7,14 @@
  "Subscription creations may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Subscription creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
  ],
  "index": [
- "filebeat-*"
+ "filebeat-*",
+ "logs-gcp*"
  ],
  "language": "kuery",
  "license": "Elastic License",
  "name": "GCP Pub/Sub Subscription Creation",
  "note": "The GCP Filebeat module must be enabled to use this rule.",
- "query": "event.dataset:googlecloud.audit and event.action:google.pubsub.v*.Subscriber.CreateSubscription and event.outcome:success",
+ "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.pubsub.v*.Subscriber.CreateSubscription and event.outcome:success",
  "references": [
  "https://cloud.google.com/pubsub/docs/overview"
  ],
@@ -46,5 +47,5 @@
  }
  ],
  "type": "query",
- "version": 1
+ "version": 2
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_gcp_pub_sub_topic_creation.json

@@ -7,13 +7,14 @@
  "Topic creations may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Topic creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
  ],
  "index": [
- "filebeat-*"
+ "filebeat-*",
+ "logs-gcp*"
  ],
  "language": "kuery",
  "license": "Elastic License",
  "name": "GCP Pub/Sub Topic Creation",
  "note": "The GCP Filebeat module must be enabled to use this rule.",
- "query": "event.dataset:googlecloud.audit and event.action:google.pubsub.v*.Publisher.CreateTopic and event.outcome:success",
+ "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.pubsub.v*.Publisher.CreateTopic and event.outcome:success",
  "references": [
  "https://cloud.google.com/pubsub/docs/admin"
  ],
@@ -46,5 +47,5 @@
  }
  ],
  "type": "query",
- "version": 1
+ "version": 2
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_persistence_powershell_exch_mailbox_activesync_add_device.json

@@ -0,0 +1,50 @@
+{
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies the use of the Exchange PowerShell cmdlet, Set-CASMailbox, to add a new ActiveSync allowed device. Adversaries may target user email to collect sensitive information.",
+ "false_positives": [
+ "Legitimate exchange system administration activity."
+ ],
+ "index": [
+ "logs-endpoint.events.*",
+ "winlogbeat-*"
+ ],
+ "language": "eql",
+ "license": "Elastic License",
+ "name": "New ActiveSyncAllowedDeviceID Added via PowerShell",
+ "query": "process where event.type in (\"start\", \"process_started\") and\n process.name: (\"powershell.exe\", \"pwsh.exe\") and process.args : \"Set-CASMailbox*ActiveSyncAllowedDeviceIDs*\"\n",
+ "references": [
+ "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/",
+ "https://docs.microsoft.com/en-us/powershell/module/exchange/set-casmailbox?view=exchange-ps"
+ ],
+ "risk_score": 47,
+ "rule_id": "ce64d965-6cb0-466d-b74f-8d2c76f47f05",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Windows",
+ "Threat Detection",
+ "Collection"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0009",
+ "name": "Collection",
+ "reference": "https://attack.mitre.org/tactics/TA0009/"
+ },
+ "technique": [
+ {
+ "id": "T1114",
+ "name": "Email Collection",
+ "reference": "https://attack.mitre.org/techniques/T1114/"
+ }
+ ]
+ }
+ ],
+ "type": "eql",
+ "version": 1
+}

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_update_event_hub_auth_rule.json

@@ -8,13 +8,14 @@
  ],
  "from": "now-25m",
  "index": [
- "filebeat-*"
+ "filebeat-*",
+ "logs-azure*"
  ],
  "language": "kuery",
  "license": "Elastic License",
  "name": "Azure Event Hub Authorization Rule Created or Updated",
  "note": "The Azure Filebeat module must be enabled to use this rule.",
- "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.EVENTHUB/NAMESPACES/AUTHORIZATIONRULES/WRITE and event.outcome:Success",
+ "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.EVENTHUB/NAMESPACES/AUTHORIZATIONRULES/WRITE and event.outcome:(Success or success)",
  "references": [
  "https://docs.microsoft.com/en-us/azure/event-hubs/authorize-access-shared-access-signature"
  ],
@@ -62,5 +63,5 @@
  }
  ],
  "type": "query",
- "version": 1
+ "version": 2
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/exfiltration_winrar_encryption.json → x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_winrar_encryption.json

@@ -28,9 +28,9 @@
  {
  "framework": "MITRE ATT&CK",
  "tactic": {
- "id": "TA0010",
- "name": "Exfiltration",
- "reference": "https://attack.mitre.org/tactics/TA0010/"
+ "id": "TA0009",
+ "name": "Collection",
+ "reference": "https://attack.mitre.org/tactics/TA0009/"
  },
  "technique": [
  {

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_cobalt_strike_beacon.json

@@ -42,13 +42,20 @@
  "reference": "https://attack.mitre.org/techniques/T1071/"
  },
  {
- "id": "T1483",
- "name": "Domain Generation Algorithms",
- "reference": "https://attack.mitre.org/techniques/T1483/"
+ "id": "T1568",
+ "name": "Dynamic Resolution",
+ "reference": "https://attack.mitre.org/techniques/T1568/",
+ "subtechnique": [
+ {
+ "id": "T1568.002",
+ "name": "Domain Generation Algorithms",
+ "reference": "https://attack.mitre.org/techniques/T1568/002/"
+ }
+ ]
  }
  ]
  }
  ],
  "type": "query",
- "version": 1
+ "version": 2
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_dns_directly_to_the_internet.json

@@ -35,13 +35,7 @@
  "name": "Command and Control",
  "reference": "https://attack.mitre.org/tactics/TA0011/"
  },
- "technique": [
- {
- "id": "T1043",
- "name": "Commonly Used Port",
- "reference": "https://attack.mitre.org/techniques/T1043/"
- }
- ]
+ "technique": []
  }
  ],
  "type": "query",

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_fin7_c2_behavior.json

@@ -35,19 +35,26 @@
  "reference": "https://attack.mitre.org/tactics/TA0011/"
  },
  "technique": [
- {
- "id": "T1483",
- "name": "Domain Generation Algorithms",
- "reference": "https://attack.mitre.org/techniques/T1483/"
- },
  {
  "id": "T1071",
  "name": "Application Layer Protocol",
  "reference": "https://attack.mitre.org/techniques/T1071/"
+ },
+ {
+ "id": "T1568",
+ "name": "Dynamic Resolution",
+ "reference": "https://attack.mitre.org/techniques/T1568/",
+ "subtechnique": [
+ {
+ "id": "T1568.002",
+ "name": "Domain Generation Algorithms",
+ "reference": "https://attack.mitre.org/techniques/T1568/002/"
+ }
+ ]
  }
  ]
  }
  ],
  "type": "query",
- "version": 1
+ "version": 2
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_ftp_file_transfer_protocol_activity_to_the_internet.json

@@ -33,13 +33,7 @@
  "name": "Command and Control",
  "reference": "https://attack.mitre.org/tactics/TA0011/"
  },
- "technique": [
- {
- "id": "T1043",
- "name": "Commonly Used Port",
- "reference": "https://attack.mitre.org/techniques/T1043/"
- }
- ]
+ "technique": []
  },
  {
  "framework": "MITRE ATT&CK",

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_halfbaked_beacon.json

@@ -42,13 +42,20 @@
  "reference": "https://attack.mitre.org/techniques/T1071/"
  },
  {
- "id": "T1483",
- "name": "Domain Generation Algorithms",
- "reference": "https://attack.mitre.org/techniques/T1483/"
+ "id": "T1568",
+ "name": "Dynamic Resolution",
+ "reference": "https://attack.mitre.org/techniques/T1568/",
+ "subtechnique": [
+ {
+ "id": "T1568.002",
+ "name": "Domain Generation Algorithms",
+ "reference": "https://attack.mitre.org/techniques/T1568/002/"
+ }
+ ]
  }
  ]
  }
  ],
  "type": "query",
- "version": 1
+ "version": 2
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_irc_internet_relay_chat_protocol_activity_to_the_internet.json

@@ -33,13 +33,7 @@
  "name": "Command and Control",
  "reference": "https://attack.mitre.org/tactics/TA0011/"
  },
- "technique": [
- {
- "id": "T1043",
- "name": "Commonly Used Port",
- "reference": "https://attack.mitre.org/techniques/T1043/"
- }
- ]
+ "technique": []
  },
  {
  "framework": "MITRE ATT&CK",

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_nat_traversal_port_activity.json

@@ -33,15 +33,9 @@
  "name": "Command and Control",
  "reference": "https://attack.mitre.org/tactics/TA0011/"
  },
- "technique": [
- {
- "id": "T1043",
- "name": "Commonly Used Port",
- "reference": "https://attack.mitre.org/techniques/T1043/"
- }
- ]
+ "technique": []
  }
  ],
  "type": "query",
- "version": 4
+ "version": 5
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_port_26_activity.json

@@ -37,13 +37,7 @@
  "name": "Command and Control",
  "reference": "https://attack.mitre.org/tactics/TA0011/"
  },
- "technique": [
- {
- "id": "T1043",
- "name": "Commonly Used Port",
- "reference": "https://attack.mitre.org/techniques/T1043/"
- }
- ]
+ "technique": []
  },
  {
  "framework": "MITRE ATT&CK",
@@ -62,5 +56,5 @@
  }
  ],
  "type": "query",
- "version": 4
+ "version": 5
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_port_8000_activity_to_the_internet.json

@@ -33,13 +33,7 @@
  "name": "Command and Control",
  "reference": "https://attack.mitre.org/tactics/TA0011/"
  },
- "technique": [
- {
- "id": "T1043",
- "name": "Commonly Used Port",
- "reference": "https://attack.mitre.org/techniques/T1043/"
- }
- ]
+ "technique": []
  }
  ],
  "type": "query",