[Docs]add new rules for 7.10 (#309) (#349)

* add new rules for 7.10 * Updating generated files from latest rules Co-authored-by: Garrett Spong <garrett.spong@elastic.co> Co-authored-by: Ben Skelker <54019610+benskelker@users.noreply.github.com> Co-authored-by: Garrett Spong <garrett.spong@elastic.co>
elastic · Nov 9, 2020 · 05967d8 · 05967d8
1 parent 6f2888c
commit 05967d8
Show file tree

Hide file tree

Showing 336 changed files with 57,591 additions and 13,419 deletions.
diff --git a/docs/detections/detection-engine-intro.asciidoc b/docs/detections/detection-engine-intro.asciidoc
@@ -26,7 +26,7 @@ modifying your own rules.
 
 There are two special prebuilt rules you need to know about:
 
-* <<elastic-endpoint-security, *Elastic Endpoint Security*>>:
+* <<endpoint-security, *Endpoint Security*>>:
 Automatically creates an alert from all incoming Elastic Endpoint alerts. To
 receive Elastic Endpoint alerts, you must install the Endpoint agent on your
 hosts (see <<install-endpoint>>).

diff --git a/docs/detections/prebuilt-rules/prebuilt-rules-changelog.asciidoc b/docs/detections/prebuilt-rules/prebuilt-rules-changelog.asciidoc
@@ -7,6 +7,105 @@ The following lists prebuilt rule updates per release. Only rules with
 significant modifications to their query or scope are listed. For detailed
 information about a rule's changes, see the rule's description page.
 
+[float]
+=== 7.10.0
+
+<<aws-ec2-snapshot-activity>>
+
+<<aws-execution-via-system-manager>>
+
+<<aws-iam-assume-role-policy-update>>
+
+<<aws-iam-brute-force-of-assume-role-policy>>
+
+<<aws-management-console-root-login>>
+
+<<aws-root-login-without-mfa>>
+
+<<aws-waf-rule-or-rule-group-deletion>>
+
+<<administrator-privileges-assigned-to-okta-group>>
+
+<<attempt-to-create-okta-api-token>>
+
+<<attempt-to-deactivate-mfa-for-okta-user-account>>
+
+<<attempt-to-deactivate-okta-mfa-rule>>
+
+<<attempt-to-deactivate-okta-policy>>
+
+<<attempt-to-delete-okta-policy>>
+
+<<attempt-to-modify-okta-mfa-rule>>
+
+<<attempt-to-modify-okta-network-zone>>
+
+<<attempt-to-modify-okta-policy>>
+
+<<attempt-to-reset-mfa-factors-for-okta-user-account>>
+
+<<attempt-to-revoke-okta-api-token>>
+
+<<attempted-bypass-of-okta-mfa>>
+
+<<command-prompt-network-connection>>
+
+<<connection-to-external-network-via-telnet>>
+
+<<connection-to-internal-network-via-telnet>>
+
+<<direct-outbound-smb-connection>>
+
+<<microsoft-build-engine-using-an-alternate-name>>
+
+<<modification-or-removal-of-an-okta-application-sign-on-policy>>
+
+<<msbuild-making-network-connections>>
+
+<<net-command-via-system-account>>
+
+<<netcat-network-activity>>
+
+<<network-connection-via-certutil>>
+
+<<network-connection-via-compiled-html-file>>
+
+<<network-connection-via-msxsl>>
+
+<<network-connection-via-registration-utility>>
+
+<<network-connection-via-signed-binary>>
+
+<<okta-brute-force-or-password-spraying-attack>>
+
+<<possible-okta-dos-attack>>
+
+<<potential-application-shimming-via-sdbinst>>
+
+<<potential-evasion-via-filter-manager>>
+
+<<potential-modification-of-accessibility-binaries>>
+
+<<process-activity-via-compiled-html-file>>
+
+<<process-discovery-via-tasklist>>
+
+<<psexec-network-connection>>
+
+<<suspicious-activity-reported-by-okta-user>>
+
+<<threat-detected-by-okta-threatinsight>>
+
+<<trusted-developer-application-usage>>
+
+<<unusual-network-connection-via-rundll32>>
+
+<<unusual-parent-child-relationship>>
+
+<<unusual-process-network-connection>>
+
+<<whoami-process-activity>>
+
 [float]
 === 7.9.0
 
@@ -100,9 +199,7 @@ information about a rule's changes, see the rule's description page.
 
 <<network-connection-via-msxsl>>
 
-<<network-connection-via-mshta>>
-
-<<network-connection-via-regsvr>>
+<<network-connection-via-registration-utility>>
 
 <<network-connection-via-signed-binary>>
 
@@ -219,19 +316,19 @@ These prebuilt rules have been updated:
 
 <<adding-hidden-file-attribute-via-attrib>>
 
-<<adversary-behavior-detected-elastic-endpoint-security>>
+<<adversary-behavior-detected-endpoint-security>>
 
 <<clearing-windows-event-logs>>
 
 <<command-prompt-network-connection>>
 
-<<credential-dumping-detected-elastic-endpoint-security>>
+<<credential-dumping-detected-endpoint-security>>
 
-<<credential-dumping-prevented-elastic-endpoint-security>>
+<<credential-dumping-prevented-endpoint-security>>
 
-<<credential-manipulation-detected-elastic-endpoint-security>>
+<<credential-manipulation-detected-endpoint-security>>
 
-<<credential-manipulation-prevented-elastic-endpoint-security>>
+<<credential-manipulation-prevented-endpoint-security>>
 
 <<dns-activity-to-the-internet>>
 
@@ -245,9 +342,9 @@ These prebuilt rules have been updated:
 
 <<encoding-or-decoding-files-via-certutil>>
 
-<<exploit-detected-elastic-endpoint-security>>
+<<exploit-detected-endpoint-security>>
 
-<<exploit-prevented-elastic-endpoint-security>>
+<<exploit-prevented-endpoint-security>>
 
 <<ftp-file-transfer-protocol-activity-to-the-internet>>
 
@@ -259,9 +356,9 @@ These prebuilt rules have been updated:
 
 <<local-service-commands>>
 
-<<malware-detected-elastic-endpoint-security>>
+<<malware-detected-endpoint-security>>
 
-<<malware-prevented-elastic-endpoint-security>>
+<<malware-prevented-endpoint-security>>
 
 <<mknod-process-activity>>
 
@@ -271,9 +368,7 @@ These prebuilt rules have been updated:
 
 <<network-connection-via-compiled-html-file>>
 
-<<network-connection-via-mshta>>
-
-<<network-connection-via-regsvr>>
+<<network-connection-via-registration-utility>>
 
 <<network-connection-via-signed-binary>>
 
@@ -283,19 +378,19 @@ These prebuilt rules have been updated:
 
 <<nping-process-activity>>
 
-<<permission-theft-detected-elastic-endpoint-security>>
+<<permission-theft-detected-endpoint-security>>
 
-<<permission-theft-prevented-elastic-endpoint-security>>
+<<permission-theft-prevented-endpoint-security>>
 
 <<persistence-via-kernel-module-modification>>
 
 <<potential-dns-tunneling-via-iodine>>
 
 <<potential-modification-of-accessibility-binaries>>
 
-<<process-injection-detected-elastic-endpoint-security>>
+<<process-injection-detected-endpoint-security>>
 
-<<process-injection-prevented-elastic-endpoint-security>>
+<<process-injection-prevented-endpoint-security>>
 
 <<proxy-port-activity-to-the-internet>>
 
@@ -309,9 +404,9 @@ These prebuilt rules have been updated:
 
 <<rpc-remote-procedure-call-to-the-internet>>
 
-<<ransomware-detected-elastic-endpoint-security>>
+<<ransomware-detected-endpoint-security>>
 
-<<ransomware-prevented-elastic-endpoint-security>>
+<<ransomware-prevented-endpoint-security>>
 
 <<smb-windows-file-sharing-activity-to-the-internet>>