This repository has been archived by the owner on Jan 27, 2023. It is now read-only.

Commit
Copy over local package sources
elasticmachine committed Mar 22, 2022
1 parent e5b0c17 commit c38a4f3
Showing 162 changed files with 368 additions and 807 deletions.
5 changes: 5 additions & 0 deletions packages/security_detection_engine/0.16.1/changelog.yml
@@ -1,5 +1,10 @@
# newer versions go on top
# NOTE: please use pre-release versions (e.g. -dev.0) until a package is ready for production
- changes:
- description: Release security rules update
link: https://github.com/elastic/integrations/pull/2709
type: enhancement
version: 0.16.1
- changes:
- description: Release security rules update
link: https://github.com/elastic/integrations/pull/2605
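Review bot: the new 0.16.1 entry repeats the generic description "Release security rules update" used by the previous entry, so the changelog does not tell a reader what actually changed in this package version; since the rule files in this commit rename the integration reference in the notes and add a query exclusion, give the entry a description that names those, e.g. `- description: Rename note reference to Office 365 Logs integration; exclude Exchange Servicehost from mailbox delegation rule`. The header comment asks for pre-release versions (e.g. -dev.0) until a package is ready, so confirm that 0.16.1 is intended as a production release.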
@@ -15,7 +15,7 @@
"language": "kuery",
"license": "Elastic License v2",
"name": "Microsoft 365 User Restricted from Sending Email",
"note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n",
"note": "## Config\n\nThe Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n",
"query": "event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:\"User restricted from sending email\" and event.outcome:success\n",
"references": [
"https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
@@ -51,7 +51,7 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 1
"version": 2
},
"id": "0136b315-b566-482f-866c-1d8e2477ba16",
"type": "security-rule"
@@ -15,7 +15,7 @@
"language": "kuery",
"license": "Elastic License v2",
"name": "Microsoft 365 Exchange Safe Attachment Rule Disabled",
"note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
"note": "## Config\n\nThe Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
"query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Disable-SafeAttachmentRule\" and event.outcome:success\n",
"references": [
"https://docs.microsoft.com/en-us/powershell/module/exchange/disable-safeattachmentrule?view=exchange-ps"
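Review bot: the replacement `note` string in this rule has no trailing `\n`, while the identical replacement in the "Microsoft 365 User Restricted from Sending Email" rule above ends with `\n`; since these files are copied over from the rule sources, normalize the trailing newline upstream so the rendered Config notes are consistent across the O365 rules instead of differing by a blank line.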
@@ -50,7 +50,7 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 4
"version": 5
},
"id": "03024bd9-d23f-4ec1-8674-3cf1a21e130b",
"type": "security-rule"
@@ -3,9 +3,9 @@
"author": [
"Austin Songer"
],
"description": "Identifies the deletion of a Frontdoor Web Application Firewall (WAF) Policy in Azure. An adversary may delete a Frontdoor Web Application Firewall (WAF) Policy in an attempt to evade defenses and/or to eliminate barriers in carrying out their initiative.",
"description": "Identifies the deletion of a Frontdoor Web Application Firewall (WAF) Policy in Azure. An adversary may delete a Frontdoor Web Application Firewall (WAF) Policy in an attempt to evade defenses and/or to eliminate barriers to their objective.",
"false_positives": [
"Azure Front Web Application Firewall (WAF) Policy deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Azure Front Web Application Firewall (WAF) Policy deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
"Azure Front Web Application Firewall (WAF) Policy deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Azure Front Web Application Firewall (WAF) Policy deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
],
"from": "now-25m",
"index": [
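Review bot: the false_positives text still says "Azure Front Web Application Firewall (WAF)" (twice) while the description says "Frontdoor Web Application Firewall (WAF)"; as the wording in both fields is being edited anyway, use one product name throughout, e.g. `Azure Front Door Web Application Firewall (WAF) Policy deletions may be done by a system or network administrator.` and `Identifies the deletion of an Azure Front Door Web Application Firewall (WAF) Policy.`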
@@ -57,7 +57,7 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 1
"version": 2
},
"id": "09d028a5-dcde-409f-8ae0-557cef1b7082",
"type": "security-rule"

This file was deleted.

@@ -4,7 +4,7 @@
"Elastic",
"Austin Songer"
],
"description": "Identifies the assignment of rights to accesss content from another mailbox. An adversary may use the compromised account to send messages to other accounts in the network of the target business while creating inbox rules, so messages can evade spam/phishing detection mechanisms.",
"description": "Identifies the assignment of rights to access content from another mailbox. An adversary may use the compromised account to send messages to other accounts in the network of the target organization while creating inbox rules, so messages can evade spam/phishing detection mechanisms.",
"false_positives": [
"Assignment of rights to a service account."
],
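Review bot: the reworded description still says the adversary sends messages "while creating inbox rules, so messages can evade spam/phishing detection mechanisms", but the query only matches `event.action:Add-MailboxPermission` with `AccessRights:(FullAccess or SendAs or SendOnBehalf)`, i.e. mailbox permission grants, not inbox rule creation; tighten the description to what the rule observes, e.g. `An adversary may grant FullAccess, SendAs or SendOnBehalf rights on another mailbox to read or send mail as that user.`, and move the inbox-rule sentence to a rule whose query covers inbox rule events.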
@@ -15,8 +15,8 @@
"language": "kuery",
"license": "Elastic License v2",
"name": "O365 Exchange Suspicious Mailbox Right Delegation",
"note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
"query": "event.dataset:o365.audit and event.provider:Exchange and event.action:Add-MailboxPermission and \no365.audit.Parameters.AccessRights:(FullAccess or SendAs or SendOnBehalf) and event.outcome:success\n",
"note": "## Config\n\nThe Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
"query": "event.dataset:o365.audit and event.provider:Exchange and event.action:Add-MailboxPermission and \no365.audit.Parameters.AccessRights:(FullAccess or SendAs or SendOnBehalf) and event.outcome:success and\nnot user.id : \"NT AUTHORITY\\SYSTEM (Microsoft.Exchange.Servicehost)\"\n",
"risk_score": 21,
"rule_id": "0ce6487d-8069-4888-9ddd-61b52490cebc",
"severity": "low",
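Review bot: the added exclusion `not user.id : \"NT AUTHORITY\\SYSTEM (Microsoft.Exchange.Servicehost)\"` carries a single backslash once the JSON is decoded (`NT AUTHORITY\SYSTEM`), whereas the LSASS rule in this same commit doubles its backslashes for KQL (`\\\\Windows\\\\system32` in JSON, `\\Windows\\system32` in the query); check that KQL reads the lone `\S` as a literal backslash followed by S rather than as an escape sequence, otherwise the exclusion never matches and the rule keeps alerting on the Servicehost principal. Also, the false_positives list only says "Assignment of rights to a service account"; add a line stating that the `NT AUTHORITY\SYSTEM (Microsoft.Exchange.Servicehost)` principal is excluded so analysts know why those permission grants do not alert.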
@@ -54,7 +54,7 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 1
"version": 2
},
"id": "0ce6487d-8069-4888-9ddd-61b52490cebc",
"type": "security-rule"
@@ -3,7 +3,7 @@
"author": [
"Elastic"
],
"description": "Identifies suspicious access to an LSASS handle via PssCaptureSnapShot where two successive process access are performed by the same process and targeting two different instances of LSASS. This may indicate an attempt to evade detection and dump LSASS memory for credential access.",
"description": "Identifies suspicious access to an LSASS handle via PssCaptureSnapShot where two successive process accesses are performed by the same process and targeting two different instances of LSASS. This may indicate an attempt to evade detection and dump LSASS memory for credential access.",
"from": "now-9m",
"index": [
"winlogbeat-*",
@@ -12,7 +12,7 @@
"language": "kuery",
"license": "Elastic License v2",
"name": "Potential LSASS Memory Dump via PssCaptureSnapShot",
"note": "## Config\n\nThis is meant to run only on datasources using agents v7.14+ since versions prior to that will be missing the threshold\nrule cardinality feature.",
"note": "## Config\n\nThis is meant to run only on datasources using Elastic Agent 7.14+ since versions prior to that will be missing the threshold\nrule cardinality feature.",
"query": "event.category:process and event.code:10 and\n winlog.event_data.TargetImage:(\"C:\\\\Windows\\\\system32\\\\lsass.exe\" or\n \"c:\\\\Windows\\\\system32\\\\lsass.exe\" or\n \"c:\\\\Windows\\\\System32\\\\lsass.exe\")\n",
"references": [
"https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/",
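Review bot: the `winlog.event_data.TargetImage` list enumerates only three exact casings of the lsass.exe path and omits others such as `C:\\Windows\\System32\\lsass.exe` (uppercase drive letter with `System32`), so access events logged with that casing are never counted toward the threshold; since this is an exact keyword match in KQL, either add the missing variants or move the comparison to a field or query form that matches case-insensitively rather than maintaining a list of spellings. The note rewording to "Elastic Agent 7.14+" is fine and matches the threshold cardinality requirement the rule depends on.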
@@ -66,7 +66,7 @@
},
"timestamp_override": "event.ingested",
"type": "threshold",
"version": 1
"version": 2
},
"id": "0f93cb9a-1931-48c2-8cd0-f173fd3e5283",
"type": "security-rule"