diff --git a/docs/siem/cases/api/actions-api/cases-actions-api-intro.asciidoc b/docs/siem/cases/api/actions-api/cases-actions-api-intro.asciidoc index 7966262340..3889a4c132 100644 --- a/docs/siem/cases/api/actions-api/cases-actions-api-intro.asciidoc +++ b/docs/siem/cases/api/actions-api/cases-actions-api-intro.asciidoc @@ -4,9 +4,12 @@ beta[] -You can use the Actions API to open and update cases in external ticketing -systems. This requires creating a connector, which stores the information -required to interface with the external system. +You can push {siem-soln} cases to third-party systems, currently {sn} and Jira. +This requires creating a connector using the {kib} Actions API, which stores +the information required to interface with the external system. For {sn}, cases +are send via {sn}'s https://developer.servicenow.com/dev.do#!/reference/api/madrid/rest/c_TableAPI[Table API]. +For Jira, the https://developer.atlassian.com/cloud/jira/platform/rest/v2/[REST API v2] +is used. To send cases to an external system and keep the {siem-ui} updated: @@ -19,14 +22,12 @@ required for updating the the {siem-soln} case. . [[update-case-sn-data]]<>: Update the {siem-soln} case with the associated external system data returned in <> (Cases API). -. Repeat <> and <> each -time you open or update a case. [[register-connector]] === Create connector -Creates a {sn} connector, which can then be used to open {sn} incidents from -{siem-soln} cases. +Creates a connector, which can then be used to open and update cases in external +systems. ==== Request URL 
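Review bot: "For {sn}, cases are send via {sn}'s ... Table API" in the rewritten intro paragraph should read "cases are sent via". The second hunk also drops the step "Repeat <> and <> each time you open or update a case" without a replacement; if the push-then-update cycle still has to be repeated for every case change, keep that instruction (or move it next to the <> description) rather than removing it.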
@@ -40,15 +41,26 @@ A JSON object with these fields: |============================================== |Name |Type |Description |Required -|`actionTypeId` |String |Must be: `.servicenow`. |Yes +|`actionTypeId` |String a|Must be one of these: + +* `.servicenow`: Send cases to {sn} +* `.jira`: Send cases to Jira +|Yes |`config` |<> |Object containing the action's configuration. |Yes -|`secrets` |Object a|Object containing the {sn} account credentials used -to create and update incidents: +|`secrets` |Object a|Object containing the third-party account information used +to create and update incidents. + +For {sn} connectors: * `username` (string): The account username. * `password` (string): The account password. +For Jira connectors: + +* `email` (string): The account email. +* `apiToken` (string): Jira API authentication token. + |Yes |`name` |String |The registered {sn} connector. |Yes 
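Review bot: the `name` row is left as "|`name` |String |The registered {sn} connector. |Yes" although the `actionTypeId` row in the same table now accepts `.jira`; change it to "The registered connector." so the description covers both connector types.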
@@ -61,21 +73,26 @@ to create and update incidents: |============================================== |Name |Type |Description |Required -|`casesConfiguration` |Object a|Contains a `mapping` array, which determines how {siem-soln} case fields are mapped to {sn} incident fields: +|`casesConfiguration` |Object a|Contains a `mapping` array, which determines how {siem-soln} case fields are mapped to external system fields: * `source` (string): The name of the {siem-soln} case field, which can be `title`, `description`, or `comments`. -* `target` (string): The name of the mapped {sn} incident field. For example: `short_description`, `description`, and `comments`. +* `target` (string): The name of the mapped exterals field. For example: +`short_description` ({sn}), `title` (Jira), `description`, and `comments`. * `actionType` (string): Determines whether {siem-soln} case updates overwrite -or append to the mapped {sn} incident fields. Valid values are `overwrite` and +or append to the mapped incident fields. Valid values are `overwrite` and `append`. |Yes -|`apiUrl` |String |URL of the {sn} instance. |Yes +|`apiUrl` |String |URL of the third-party instance. |Yes +|`projectKey` |String |Jira project key. |For Jira connectors, yes. For {sn} +connectors, no. |============================================== -===== Example request +===== Example requests + +Creates a {sn} connector: [source,sh] -------------------------------------------------- 
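Review bot: "The name of the mapped exterals field" in the `target` bullet is a typo for "external system field", and the example "`title` (Jira)" contradicts the Jira example request later in this file, which maps the case `title` to the Jira `summary` field; the bullet should list `summary` (Jira).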
@@ -125,7 +142,48 @@ the {sn} `description` field is overwritten. When a {siem-soln} `comments` field is updated and sent to {sn}, the updated text is appended to the {sn} `comments` field. -==== Response code +Creates a Jira connector: + +[source,sh] +-------------------------------------------------- +POST api/action +{ + "actionTypeId": ".jira", + "config": { + "casesConfiguration": { + "mapping": [ + { + "source": "title", <1> + "target": "summary", + "actionType": "overwrite" + }, + { + "source": "description", + "target": "description", + "actionType": "overwrite" + }, + { + "source": "comments", + "target": "comments", + "actionType": "append" + } + ] + }, + "apiUrl": "https://hms.atlassian.net", + "projectKey": "HMS" + }, + "secrets": { + "email": "admin@hms.gov.co.uk", + "apiToken": "2REegzCVGoMJaHafJou83372" + }, + "name": "Jira" +} +-------------------------------------------------- +// KIBANA + +<1> {siem-soln} case `title` fields are mapped to Jira `summary` fields. + +===== Response code `200`:: Indicates a successful call. @@ -134,7 +192,9 @@ text is appended to the {sn} `comments` field. A JSON object with a connector `id` that is required to push cases to {sn}. -===== Example response +===== Example responses + +{sn} connector: [source,json] -------------------------------------------------- 
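Review bot: changing "==== Response code" to "===== Response code" nests the heading under "Example requests", while "==== Response payload" a few lines later stays at level four; keep "==== Response code". In the same hunk, the Jira example's `"apiToken": "2REegzCVGoMJaHafJou83372"` looks like a real token; example credentials in docs should be obviously fake placeholders so nothing resembling a live secret gets copied around.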
@@ -163,14 +223,50 @@ A JSON object with a connector `id` that is required to push cases to {sn}. ] }, "apiUrl": "https://dev78437.service-now.com" - } + }, + "isPreconfigured": false +} +-------------------------------------------------- + +Jira connector: + +[source,json] +-------------------------------------------------- +{ + "id": "05da469f-1fde-4058-99a3-91e4807e2de8", + "actionTypeId": ".jira", + "name": "Jira", + "config": { + "casesConfiguration": { + "mapping": [ + { + "source": "title", + "target": "summary", + "actionType": "overwrite" + }, + { + "source": "description", + "target": "description", + "actionType": "overwrite" + }, + { + "source": "comments", + "target": "comments", + "actionType": "append" + } + ] + }, + "apiUrl": "https://hms.atlassian.net", + "projectKey": "HMS" + }, + "isPreconfigured": false } -------------------------------------------------- [[update-connector]] === Update connector -Updates a {sn} connector. +Updates a connector. ==== Request URL @@ -191,12 +287,19 @@ A JSON object with the fields you want to update: |`config` |<> |Object containing the action's configuration. |Yes -|`secrets` |Object a|Object containing the {sn} account credentials used -to create and update incidents: +|`secrets` |Object a|Object containing the third-party account information used +to create and update incidents. + +For {sn} connectors: * `username` (string): The account username. * `password` (string): The account password. +For Jira connectors: + +* `email` (string): The account email. +* `apiToken` (string): Jira API authentication token. + |Yes |`name` |String |The registered {sn} connector. |Yes 
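Review bot: in the update-connector request table, "|`name` |String |The registered {sn} connector. |Yes" is still {sn}-specific even though the same hunk generalizes `secrets` to Jira; align it with the create-connector table and say "The registered connector."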
@@ -213,14 +316,16 @@ to create and update incidents: * `source` (string): The name of the {siem-soln} case field, which can be `title`, `description`, or `comments`. -* `target` (string): The name of the mapped {sn} incident field. For example: `short_description`, `description`, and `comments`. +* `target` (string): The name of the mapped exterals field. For example: +`short_description` ({sn}), `title` (Jira), `description`, and `comments`. * `actionType` (string): Determines whether {siem-soln} case updates overwrite -or append to the mapped {sn} incident fields. Valid values are `overwrite` and -`append`. +or append to the mapped fields. Valid values are `overwrite` and `append`. |Yes -|`apiUrl` |String |URL of the {sn} instance. |Yes +|`apiUrl` |String |URL of the third-party instance. |Yes +|`projectKey` |String |Jira project key. |For Jira connectors, yes. For {sn} +connectors, no. |============================================== ===== Example request @@ -308,12 +413,12 @@ The updated JSON connector object. [[cases-actions-api-execute]] === Create or update an external incident -Creates a new or updates an existing {sn} incident from a {siem-soln} case. +Creates a new or updates an existing external incident from a {siem-soln} case. NOTE: You can only send cases to external systems after you have <> a connector. After you have sent the case to -{sn}, you must call <> to update the -{siem-soln} case with the returned {sn} incident details. +an external system, you must call <> to update +the {siem-soln} case with the returned external incident details. ==== Request URL @@ -321,9 +426,9 @@ NOTE: You can only send cases to external systems after you have ===== URL parts -The URL must include the ServiceNow connector ID. Call -<> to retrieve the currently used connector ID, or -<> to retrieve all connectors IDs. +The URL must include the connector ID. Call <> to retrieve +the currently used connector ID, or <> to retrieve +all connectors IDs. ==== Request body 
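Review bot: the same "mapped exterals field" typo and the "`title` (Jira)" example appear again in the update-connector `target` bullet; read "external system field" and "`summary` (Jira)" to match the example requests. In the URL parts hunk, "to retrieve all connectors IDs" should be "all connector IDs".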
@@ -334,7 +439,7 @@ A JSON object with these fields: |Name |Type |Description |Required |`params` |<> |Contains the {siem-soln} case details -for which you are opening a {sn} incident. |Yes +for which you are opening or updating an external incident. |Yes |============================================== [[case-conf-params]] @@ -343,6 +448,17 @@ for which you are opening a {sn} incident. |Yes |============================================== |Name |Type |Description |Required + +|`subAction` |String|The action to be performed. When opening or updating cases +in external systems, must be: `pushToService`. |Yes +|`subActionParams` |<> |Case details to send +to external systems. |Yes +|============================================== + +[[subaction-params]] +*`subActionParams` schema* +|============================================== +|Name |Type |Description |Required |`caseId` |String |The case ID. |Yes |`createdAt` |String |The time the case was created, using ISO 8601 with UTC notation. For example, `2020-03-31T06:40:21.674Z`. |Yes @@ -357,8 +473,8 @@ notation. For example, `2020-03-31T06:40:21.674Z`. |Yes * `commentId` (string, required): The comment ID. * `comment` (string, required): The comment text. -* `createdAt` (string, required): The time the comment was created, using ISO 8601 with -UTC notation. +* `createdAt` (string, required): The time the comment was created, using ISO +8601 with UTC notation. * `createdBy` (object, required): The user who created the comment, containing `fullName` and `username` fields. * `updatedBy` (object, optional): The user who last updated the comment, 
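Review bot: the new row "|`subAction` |String|The action to be performed." is missing the space after `String` that every other row in these tables uses ("|String |"); same for the table's readability when rendered, keep the cell separators consistent.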
@@ -367,8 +483,8 @@ containing `fullName` and `username` fields. |No |`description` |String |The case description. |No -|`incidentId` |String |The {sn} incident ID. Required when updating an existing -{sn} incident. |No +|`externalId` |String |The external incident/issue ID. |No, only required +when updating an existing {sn} incident or Jira issue. |`title` |String |The case title. |Yes |`updatedAt` |String |The time the case was updated, using ISO 8601 with UTC notation. |No @@ -381,8 +497,8 @@ notation. |No |============================================== NOTE: When updating an existing case, call <> or -<> to retrieve the `incidentId`. In the case JSON -object, the `incidentId` value is stored in the `external_id` field. +<> to retrieve the `externalId`. In the case JSON +object, the `externalId` value is stored in the `external_service` field. ===== Example requests 
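Review bot: the NOTE now says "the `externalId` value is stored in the `external_service` field", but `external_service` is an object; the value lives in its `external_id` member, as the <> table and the update-case example response show. Suggest "the `externalId` value is stored in the `external_id` field of the `external_service` object." In the previous hunk, the `externalId` row puts "No, only required when updating an existing {sn} incident or Jira issue" in the Required column; the other rows keep that column to Yes/No and state conditions in the description.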
@@ -393,25 +509,28 @@ Creates a new {sn} incident: POST api/action/7349772f-421a-4de3-b8bb-2d9b22ccee30/_execute { "params": { - "caseId": "c1472f70-732a-11ea-a0b2-c51ea50a58e2", - "createdAt": "2020-03-31T08:36:45.661Z", - "createdBy": { - "fullName": "Alan Hunley", - "username": "ahunley" - }, - "comments": [ - { - "commentId": "dda30310-732a-11ea-a0b2-c51ea50a58e2", - "comment": "That is nothing - Ethan Hunt answered a targeted social media campaign promoting phishy pension schemes to IMF operatives.", - "createdAt": "2020-03-31T08:37:33.240Z", - "createdBy": { - "fullName": "Ms Moneypenny", - "username": "moneypenny" + "subAction": "pushToService", + "subActionParams": { + "caseId": "c1472f70-732a-11ea-a0b2-c51ea50a58e2", + "createdAt": "2020-03-31T08:36:45.661Z", + "createdBy": { + "fullName": "Alan Hunley", + "username": "ahunley" + }, + "comments": [ + { + "commentId": "dda30310-732a-11ea-a0b2-c51ea50a58e2", + "comment": "That is nothing - Ethan Hunt answered a targeted social media campaign promoting phishy pension schemes to IMF operatives.", + "createdAt": "2020-03-31T08:37:33.240Z", + "createdBy": { + "fullName": "Ms Moneypenny", + "username": "moneypenny" + } } - } - ], - "description": "James Bond clicked on a highly suspicious email banner advertising cheap holidays for underpaid civil servants. Operation bubblegum is active.", - "title": "This case will self-destruct in 5 seconds" + ], + "description": "James Bond clicked on a highly suspicious email banner advertising cheap holidays for underpaid civil servants. Operation bubblegum is active.", + "title": "This case will self-destruct in 5 seconds" + } } } -------------------------------------------------- 
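Review bot: the example is still headed "Creates a new {sn} incident:" while the section now documents pushing to Jira as well; either generalize the heading or add a Jira variant so readers see that `subActionParams` is identical for both connector types.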
@@ -424,25 +543,28 @@ Updates an existing {sn} incident: POST api/action/7349772f-421a-4de3-b8bb-2d9b22ccee30/_execute { "params": { - "caseId": "c1472f70-732a-11ea-a0b2-c51ea50a58e2", - "createdAt": "2020-03-31T08:36:45.661Z", - "createdBy": { - "fullName": "Alan Hunley", - "username": "ahunley" - }, - "comments": [ - { - "commentId": "8ef6d660-732f-11ea-a0b2-c51ea50a58e2", - "comment": "That is nothing - Ethan Hunt answered a targeted social media campaign promoting phishy pension schemes to IMF operatives.", - "createdAt": "2020-03-31T09:11:08.736Z", - "createdBy": { - "fullName": "Ms Moneypenny", - "username": "moneypenny" + "subAction": "pushToService", + "subActionParams": { + "caseId": "c1472f70-732a-11ea-a0b2-c51ea50a58e2", + "createdAt": "2020-03-31T08:36:45.661Z", + "createdBy": { + "fullName": "Alan Hunley", + "username": "ahunley" + }, + "comments": [ + { + "commentId": "8ef6d660-732f-11ea-a0b2-c51ea50a58e2", + "comment": "That is nothing - Ethan Hunt answered a targeted social media campaign promoting phishy pension schemes to IMF operatives.", + "createdAt": "2020-03-31T09:11:08.736Z", + "createdBy": { + "fullName": "Ms Moneypenny", + "username": "moneypenny" + } } - } - ], - "incidentId": "cc6ef44bdb7300106ba884da0b9619cf", - "title": "This case will self-destruct in 5 seconds" + ], + "externalId": "cc6ef44bdb7300106ba884da0b9619cf", + "title": "This case will self-destruct in 5 seconds" + } } } -------------------------------------------------- 
@@ -455,10 +577,10 @@ POST api/action/7349772f-421a-4de3-b8bb-2d9b22ccee30/_execute ==== Response payload -A JSON object with the {sn} incident number and link to the {sn} incident. +A JSON object with the ID and the URL of the external incident. IMPORTANT: You need the returned information to associate it with the original -{siem-soln} case. To add the {sn} incident details to the {siem-soln} case, +{siem-soln} case. To add the external incident details to the {siem-soln} case, call <>. ===== Example response @@ -469,8 +591,8 @@ call <>. "status": "ok", "actionId": "61787f53-4eee-4741-8df6-8fe84fa616f7", "data": { - "number": "INC0010012", - "incidentId": "62dc3c8bdb7300106ba884da0b9619ea", + "title": "INC0010012", + "id": "62dc3c8bdb7300106ba884da0b9619ea", "pushedDate": "2020-03-31T09:01:33.000Z", "url": "https://dev78437.service-now.com/nav_to.do?uri=incident.do?sys_id=62dc3c8bdb7300106ba884da0b9619ea", "comments": [ @@ -481,4 +603,4 @@ call <>. ] } } --------------------------------------------------- \ No newline at end of file +-------------------------------------------------- diff --git a/docs/siem/cases/api/cases-api/case-api-update-connector.asciidoc b/docs/siem/cases/api/cases-api/case-api-update-connector.asciidoc index e782214e0d..0072213724 100644 --- a/docs/siem/cases/api/cases-api/case-api-update-connector.asciidoc +++ b/docs/siem/cases/api/cases-api/case-api-update-connector.asciidoc @@ -20,7 +20,7 @@ A JSON object with these fields: |Name |Type |Description |Required |`connector_id` |String |The ID of the connector you want to use for sending -cases to external systems. |No +cases to external systems. |Yes |`connector_name` |String |The connector name. |No |`closure_type` |String a|Determines whether a case is automatically closed in the {siem-app} when it is pushed to {sn}. Valid values are: 
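Review bot: "A JSON object with the ID and the URL of the external incident." understates the payload: the example response carries `title`, `id`, `pushedDate`, `url` and `comments`, and <> requires `title` as `external_title`, so `title` should be named here. In the case-api-update-connector hunk, flipping `connector_id` from "No" to "Yes" is a contract change for existing callers; confirm the endpoint actually rejects a body without it before documenting it as required.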
diff --git a/docs/siem/cases/api/cases-api/cases-api-assign-connector.asciidoc b/docs/siem/cases/api/cases-api/cases-api-assign-connector.asciidoc index 7901fd773a..ec789806e7 100644 --- a/docs/siem/cases/api/cases-api/cases-api-assign-connector.asciidoc +++ b/docs/siem/cases/api/cases-api/cases-api-assign-connector.asciidoc @@ -1,5 +1,5 @@ [[assign-connector]] -=== Set connector +=== Set default {siem-ui} connector Sets the default connector in the {siem-ui}. @@ -8,6 +8,9 @@ method after you have created a connector (see <>). After a connector has been created and assigned, call <> to send cases to the external system. +NOTE: You can also set the default connector in the {siem-ui} for each case +individually (see <>). + ==== Request URL `POST :/api/cases/configure` diff --git a/docs/siem/cases/api/cases-api/cases-api-associate-sn.asciidoc b/docs/siem/cases/api/cases-api/cases-api-associate-sn.asciidoc index 2d2e6a5fcc..b83d7ed1ea 100644 --- a/docs/siem/cases/api/cases-api/cases-api-associate-sn.asciidoc +++ b/docs/siem/cases/api/cases-api/cases-api-associate-sn.asciidoc @@ -1,11 +1,11 @@ [[cases-api-associate-sn-incident]] === Add external details to case -Adds the data returned from {sn} to the specified case. +Adds the data returned from an external system to the specified case. -After sending a new or updated case to {sn} using the -<>, you must associate the returned -{sn} incident fields with the case in the {siem-app}. +After sending a new or updated case to an external system using the +<>, you must associate +the external system's returned object with the case in the {siem-app}. ==== Request URL 
@@ -18,19 +18,19 @@ The URL must include the `case ID` of the case you are updating. Call ==== Request body -A JSON object with the data returned from {sn}: +A JSON object with the data returned from the external system: [width="100%",options="header"] |============================================== |Name |Type |Description |Required -|`connector_id` |String |The ID of the connector used to send the case to {sn}. -|Yes -|`connector_name` |String |The ID of the connector used to send the case to -{sn}. |Yes -|`external_id` |String |The `incidentId` returned when calling +|`connector_id` |String |The ID of the connector used to send the case to the +external system. |Yes +|`connector_name` |String |The name of the connector used to send the case to +the external system.. |Yes +|`external_id` |String |The `id` returned when calling <>. |Yes -|`external_title` |String |The `number` returned when calling +|`external_title` |String |The `title` returned when calling <>. |Yes |`external_url` |String |The `url` returned when calling <>. |Yes diff --git a/docs/siem/cases/api/cases-api/cases-api-create.asciidoc b/docs/siem/cases/api/cases-api/cases-api-create.asciidoc index 512ca99f99..d0da26cb0e 100644 --- a/docs/siem/cases/api/cases-api/cases-api-create.asciidoc +++ b/docs/siem/cases/api/cases-api/cases-api-create.asciidoc 
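Review bot: "the external system.. |Yes" in the `connector_name` row has a doubled period.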
@@ -53,30 +53,34 @@ version, and creation time. [source,json] -------------------------------------------------- { - "id": "a18b38a0-71b0-11ea-a0b2-c51ea50a58e2", - "version": "Wzc0LDFd", + "id": "66b9aa00-94fa-11ea-9f74-e7e108796192", + "version": "WzUzMiwxXQ==", "comments": [], "totalComment": 0, + "connector_id": "05da469f-1fde-4058-99a3-91e4807e2de8", <1> + "title": "This case will self-destruct in 5 seconds", + "description": "James Bond clicked on a highly suspicious email banner advertising cheap holidays for underpaid civil servants. Operation bubblegum is active. Repeat - operation bubblegum is now active", + "tags": [ + "phishing", + "social engineering", + "bubblegum" + ], "closed_at": null, "closed_by": null, - "created_at": "2020-03-29T11:30:02.658Z", + "created_at": "2020-05-13T09:16:17.416Z", "created_by": { "email": "ahunley@imf.usa.gov", "full_name": "Alan Hunley", "username": "ahunley" }, - "external_service": null, <1> - "updated_at": null, - "updated_by": null, - "description": "James Bond clicked on a highly suspicious email banner advertising cheap holidays for underpaid civil servants.", - "title": "This case will self-destruct in 5 seconds", + "external_service": null, <2> "status": "open", - "tags": [ - "phishing", - "social engineering" - ] + "updated_at": null, + "updated_by": null } -------------------------------------------------- -<1> The `external_service` object stores information when the case is pushed to +<1> The default connector ID used to push cases to external services (see +<>). +<2> The `external_service` object stores information when the case is pushed to external systems. For more information, see <>. diff --git a/docs/siem/cases/api/cases-api/cases-api-find-connectors.asciidoc b/docs/siem/cases/api/cases-api/cases-api-find-connectors.asciidoc index 010df2f5ca..c11139cf8d 100644 --- a/docs/siem/cases/api/cases-api/cases-api-find-connectors.asciidoc +++ b/docs/siem/cases/api/cases-api/cases-api-find-connectors.asciidoc 
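Review bot: callout `<1>` describes `connector_id` on the created case as "The default connector ID", but the cases-api-update hunk documents `connector_id` as a per-case setting; call it "The connector used to push this case" and point to the default-connector section only for where the initial value comes from.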
@@ -3,8 +3,8 @@ Retrieves a paginated subset of all {sn} connectors. -NOTE: Only {sn} connectors are returned. For more information on connectors, -see <>. +NOTE: Only {sn} and Jira connectors are returned. For more information on +connectors, see <>. ==== Request URL diff --git a/docs/siem/cases/api/cases-api/cases-api-update.asciidoc b/docs/siem/cases/api/cases-api/cases-api-update.asciidoc index 520a679f8d..49ee1c63be 100644 --- a/docs/siem/cases/api/cases-api/cases-api-update.asciidoc +++ b/docs/siem/cases/api/cases-api/cases-api-update.asciidoc @@ -25,6 +25,9 @@ A JSON array containing one or more case objects with updated field values: |`id` |String |The ID of the case being updated. |Yes |`title` |String |The updated case title. |No +| `connector_id` |String |ID of the <> +used for pushing case updates to external systems (returned when calling +<>). |No |`description` |String |The updated case description. |No |`status` |String a|The updated case status, which can be: @@ -39,7 +42,7 @@ A JSON array containing one or more case objects with updated field values: ===== Example request -Updates the `description` and `tags` fields of case ID +Updates the description, tags, and connector of case ID `a18b38a0-71b0-11ea-a0b2-c51ea50a58e2`: [source,sh] @@ -48,6 +51,7 @@ PATCH api/cases { "cases": [ { + "connector_id": "5b347c7b-6925-4452-a4dd-215550294ba2", "id": "a18b38a0-71b0-11ea-a0b2-c51ea50a58e2", "description": "James Bond clicked on a highly suspicious email banner advertising cheap holidays for underpaid civil servants. 
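Review bot: the unchanged sentence "Retrieves a paginated subset of all {sn} connectors." now contradicts the NOTE right below it ("Only {sn} and Jira connectors are returned"); update it to "all {sn} and Jira connectors". In the cases-api-update table, "| `connector_id` |String" has a space after the pipe that the neighbouring rows ("|`id`", "|`title`") do not.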
@@ -80,33 +84,46 @@ The updated case with a new `version` value. -------------------------------------------------- [ { - "id": "a18b38a0-71b0-11ea-a0b2-c51ea50a58e2", - "version": "Wzk4LDFd", + "id": "66b9aa00-94fa-11ea-9f74-e7e108796192", + "version": "WzU0OCwxXQ==", "comments": [], "totalComment": 0, + "connector_id": "5b347c7b-6925-4452-a4dd-215550294ba2", + "title": "This case will self-destruct in 5 seconds", + "description": "James Bond clicked on a highly suspicious email banner advertising cheap holidays for underpaid civil servants. Operation bubblegum is active. Repeat - operation bubblegum is now active!", + "tags": [ + "phishing", + "social engineering", + "bubblegum" + ], "closed_at": null, "closed_by": null, - "created_at": "2020-03-29T11:30:02.658Z", + "created_at": "2020-05-13T09:16:17.416Z", "created_by": { "email": "ahunley@imf.usa.gov", "full_name": "Alan Hunley", "username": "ahunley" }, - "external_service": null, - "updated_at": "2020-03-29T12:01:50.244Z", + "external_service": { + "external_title": "IS-4", + "pushed_by": { + "full_name": "Classified", + "email": "classified@hms.oo.gov.uk", + "username": "M" + }, + "external_url": "https://hms.atlassian.net/browse/IS-4", + "pushed_at": "2020-05-13T09:20:40.672Z", + "connector_id": "05da469f-1fde-4058-99a3-91e4807e2de8", + "external_id": "10003", + "connector_name": "Jira" + }, + "status": "open", + "updated_at": "2020-05-13T09:48:33.043Z", "updated_by": { "email": "classified@hms.oo.gov.uk", "full_name": "Classified", "username": "M" - }, - "description": "James Bond clicked on a highly suspicious email banner advertising cheap holidays for underpaid civil servants. Operation bubblegum is active. Repeat - operation bubblegum is now active!", - "title": "This case will self-destruct in 5 seconds", - "status": "open", - "tags": [ - "phishing", - "social engineering", - "bubblegum" - ] + } } ] -------------------------------------------------- \ No newline at end of file 
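Review bot: the example request above updates case `a18b38a0-71b0-11ea-a0b2-c51ea50a58e2`, but this example response returns `"id": "66b9aa00-94fa-11ea-9f74-e7e108796192"`; the request and response should describe the same case. The file also still ends with "\ No newline at end of file", which the actions-api file fixed in this same change.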
diff --git a/docs/siem/cases/api/cases-api/cases-api.asciidoc b/docs/siem/cases/api/cases-api/cases-api.asciidoc index 2f2920db85..d123a50832 100644 --- a/docs/siem/cases/api/cases-api/cases-api.asciidoc +++ b/docs/siem/cases/api/cases-api/cases-api.asciidoc @@ -11,5 +11,4 @@ these APIs: * Actions API: Used to send cases to external systems. <> stores the data required to interface with third-party systems, and -<> sends {siem-soln} cases to external systems -(currently, {sn}). +<> sends {siem-soln} cases to external systems. diff --git a/docs/siem/cases/cases-overview.asciidoc b/docs/siem/cases/cases-overview.asciidoc index 2d73f042eb..bfd7463fe7 100644 --- a/docs/siem/cases/cases-overview.asciidoc +++ b/docs/siem/cases/cases-overview.asciidoc @@ -9,12 +9,12 @@ Cases are used to open and track security issues directly in the {siem-app}. All cases list the original reporter and all users who contribute to a case (`participants`). Comments support Markdown syntax, and allow linking to saved <>. Additionally, you can send cases to external -systems from within the {siem-app} (currently {sn}). <> -describes how to set this up. +systems from within the {siem-app} (currently {sn} and Jira). +<> describes how to set this up. You can create and manage cases via the UI or the <>. -NOTE: To send cases to {sn}, you need the +NOTE: To send cases to external systems, you need the https://www.elastic.co/subscriptions[appropriate license]. IMPORTANT: To make sure you can view and open cases, see <>. 
@@ -36,7 +36,11 @@ https://www.markdownguide.org/cheat-sheet[Markdown] syntax and insert a timeline link (click the icon in the top right corner of the area). . When ready, create the case. -. If external connections are configured, you can send the case to {sn}. +. If external connections are configured, you can: +* Select which connector is used to send the case to an external system +(`External incident management system`). +* Send the case to an external system. You can send the case to more than one +external system. [role="screenshot"] image::images/cases-ui-open.png[] @@ -52,12 +56,14 @@ To view a case, click on its name. You can then: * Add a new comment. * Edit existing comments and the case's description. -* Send updates to {sn} (if external connections are configured). +* Send updates to external systems (if external connections are configured). * Close the case. * Reopen a closed case. * Edit tags. * Refresh the case to retrieve the latest updates. +NOTE: Comments can also contain Markdown syntax and timeline links. + [float] [[case-permisions]] == Cases prerequisites diff --git a/docs/siem/cases/cases-ui-integrations.asciidoc b/docs/siem/cases/cases-ui-integrations.asciidoc index c1c9cdd403..f23d9288b5 100644 --- a/docs/siem/cases/cases-ui-integrations.asciidoc +++ b/docs/siem/cases/cases-ui-integrations.asciidoc 
@@ -2,13 +2,17 @@ [role="xpack"] == Configuring external connections -You can push new cases and case updates to {sn}. To do this, you need to create -a connector, which stores the information required to push cases to {sn} via -{sn}'s https://developer.servicenow.com/dev.do#!/reference/api/madrid/rest/c_TableAPI[Table API]. +You can push new cases and case updates to {sn} and Jira. To do this, you need +to create a connector, which stores the information required to push cases to +external systems. For {sn}, cases are send via {sn}'s +https://developer.servicenow.com/dev.do#!/reference/api/madrid/rest/c_TableAPI[Table API]. For Jira, the +https://developer.atlassian.com/cloud/jira/platform/rest/v2/[REST API v2] is +used. + After you have created a connector, you can set {siem-soln} cases to -automatically close when they are sent to {sn}. +automatically close when they are sent to external systems. -NOTE: To create a {sn} connector and send cases to {sn}, you need the +NOTE: To create connectors and send cases to external systems, you need the https://www.elastic.co/subscriptions[appropriate license]. [float] 
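Review bot: "For {sn}, cases are send via {sn}'s" should be "cases are sent via", the same typo as in the Actions API intro paragraph.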
@@ -18,18 +22,29 @@ https://www.elastic.co/subscriptions[appropriate license]. + [role="screenshot"] image::images/cases-ui-connector.png[] -. Click `Add new connector option`, and then click {sn}. -+ -[role="screenshot"] -image::images/cases-ui-sn-connector.png[] +. From the `Incident management system` list, select `Add new connector`. +. Select one of these: +* {sn}: To send cases to {sn}. +* Jira: To send cases to Jira. + . Fill in the following: * _Connector name_: A name for the connector. -* _URL_: The URL of the {sn} instance to which you want to send cases. -* _Username_: The username of the {sn} account used to access the {sn} -instance. -* _Password_: The password of the {sn} account used to access the {sn} instance. -. To represent a SIEM case as a {sn} incident, these SIEM case fields are -mapped to {sn} incidents fields as follows: +* _URL_: The URL of the external system to which you want to send cases. +* _Username_ ({sn} connectors only): The username of the {sn} account used to +access the {sn} instance. +* _Password_ ({sn} connectors only): The password of the {sn} account used to access the {sn} instance. +* _Project key_ (Jira connectors only): The key of the Jira project to which +you are sending cases. +* _Email_ (Jira connectors only): The Jira account's email address. +* _API token_ (Jira connectors only): The API token used to authenticate Jira +updates. + +. Save the connector. + +To represent a SIEM case in an external system, SIEM case fields are mapped as +follows: + +* For {sn} incidents: ** `Title`: Mapped to the {sn} `Short description` field. When an update to a SIEM case title is sent to {sn}, the existing {sn} `Short description` field is overwritten. 
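Review bot: the "_Password_ ({sn} connectors only): ..." bullet is not wrapped at the column width the surrounding bullets use; wrap it like the "_Username_" bullet above it so the source stays consistent.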
@@ -38,14 +53,22 @@ SIEM case description is sent to {sn}, the existing {sn} `Description` field is overwritten. ** `Comments`: Mapped to the {sn} `Comments` field. When a comment is updated in a SIEM case, a new comment is added to the {sn} incident. -. Save the connector. +* For Jira issues: +** `Title`: Mapped to the Jira `Summary` field. When an update to a +SIEM case title is sent to Jira, the existing Jira `Summary` field is +overwritten. +** `Description`: Mapped to the Jira `Description` field. When an update to a +SIEM case description is sent to Jira, the existing Jira `Description` field is +overwritten. +** `Comments`: Mapped to the Jira `Comments` field. When a comment is updated +in a SIEM case, a new comment is added to the Jira incident. + [float] === Close sent cases automatically -To close cases when they are sent to {sn}, select the -_Automatically close SIEM cases when pushing new incident to third-party_ -option. +To close cases when they are sent to an external system, select +_Automatically close SIEM cases when pushing new incident to external system_. [float] === Change and update connectors @@ -53,9 +76,12 @@ option. You can create additional connectors, update existing connectors, and change the connector used to send cases to {sn}. -. To change the connector used to send cases to {sn}: +TIP: You can also configure which connector is used for each case individually +(see <>). + +. To change the default connector used to send cases to external systems: .. Go to *SIEM* -> *Cases* -> *Edit external connection*. .. Select the required connector from the `Incident management system` list. . To update an existing connector: -.. Click `Update connector`. +.. Click `Update `. .. Update the connector fields as required. \ No newline at end of file 
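Review bot: "Click `Update `." has a trailing space inside the backticks and reads as a truncated button label; the removed line was "Click `Update connector`.", so restore the full label or the exact new UI text. In the first hunk, "a new comment is added to the Jira incident" should say "Jira issue" to match the "For Jira issues:" heading, and the unchanged sentence "change the connector used to send cases to {sn}" should now refer to external systems.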
diff --git a/docs/siem/cases/images/cases-ui-connector.png b/docs/siem/cases/images/cases-ui-connector.png index ea36f6a87e..a7637d19ea 100644 Binary files a/docs/siem/cases/images/cases-ui-connector.png and b/docs/siem/cases/images/cases-ui-connector.png differ diff --git a/docs/siem/cases/images/cases-ui-home.png b/docs/siem/cases/images/cases-ui-home.png index b513efb664..bff5573e3e 100644 Binary files a/docs/siem/cases/images/cases-ui-home.png and b/docs/siem/cases/images/cases-ui-home.png differ diff --git a/docs/siem/cases/images/cases-ui-open.png b/docs/siem/cases/images/cases-ui-open.png index 5fb7a6cb63..662abef78f 100644 Binary files a/docs/siem/cases/images/cases-ui-open.png and b/docs/siem/cases/images/cases-ui-open.png differ diff --git a/docs/siem/detections/images/all-rules.png b/docs/siem/detections/images/all-rules.png index 93541c2293..e1d2b7bf37 100644 Binary files a/docs/siem/detections/images/all-rules.png and b/docs/siem/detections/images/all-rules.png differ diff --git a/docs/siem/detections/images/detections-ui.png b/docs/siem/detections/images/detections-ui.png index 5f6691ccd2..98ae536b42 100644 Binary files a/docs/siem/detections/images/detections-ui.png and b/docs/siem/detections/images/detections-ui.png differ diff --git a/docs/siem/detections/machine-learning/images/cloned-job-details.png b/docs/siem/detections/machine-learning/images/cloned-job-details.png index 2e4a7ce4ce..d331277668 100644 Binary files a/docs/siem/detections/machine-learning/images/cloned-job-details.png and b/docs/siem/detections/machine-learning/images/cloned-job-details.png differ diff --git a/docs/siem/detections/machine-learning/images/ml-ui.png b/docs/siem/detections/machine-learning/images/ml-ui.png index c405da2c77..49bf894ff0 100644 Binary files a/docs/siem/detections/machine-learning/images/ml-ui.png and b/docs/siem/detections/machine-learning/images/ml-ui.png differ 
diff --git a/docs/siem/detections/prebuilt-rules/prebuilt-rules-changelog.asciidoc b/docs/siem/detections/prebuilt-rules/prebuilt-rules-changelog.asciidoc index 34ef580572..ed92dc2664 100644 --- a/docs/siem/detections/prebuilt-rules/prebuilt-rules-changelog.asciidoc +++ b/docs/siem/detections/prebuilt-rules/prebuilt-rules-changelog.asciidoc @@ -7,204 +7,225 @@ The following lists prebuilt rule updates per release. Only rules with significant modifications to their query or scope are listed. For detailed information about a rule's changes, see the rule's description page. +[float] +=== 7.8.0 + +These prebuilt rules have been updated: + +* <> + +* <> + [float] === 7.7.0 -<> +These prebuilt rules have been removed: -<> +* Execution via Signed Binary +* Suspicious Process spawning from Script Interpreter +* Suspicious Script Object Execution -<> +These prebuilt rules have been updated: -<> +* <> -<> +* <> -<> +* <> -<> +* <> -<> +* <> -<> +* <> -<> +* <> -<> +* <> -<> +* <> -<> +* <> -<> +* <> -<> +* <> -<> +* <> -<> +* <> -<> +* <> -<> +* <> -<> +* <> -<> +* <> -<> +* <> -<> +* <> -<> +* <> -<> +* <> -<> +* <> -<> +* <> -<> +* <> -<> +* <> -<> +* <> -<> +* <> -<> +* <> -<> +* <> -<> +* <> -<> +* <> -<> +* <> -<> +* <> -<> +* <> -<> +* <> -<> +* <> -<> +* <> -<> +* <> -<> +* <> -<> +* <> -<> +* <> -<> +* <> -<> +* <> -<> +* <> -<> +* <> -<> +* <> -<> +* <> -<> +* <> -<> +* <> -<> +* <> -<> +* <> -<> +* <> -<> +* <> -<> +* <> -<> +* <> -<> +* <> -<> +* <> -<> +* <> -<> +* <> -<> +* <> -<> +* <> -<> +* <> -<> +* <> -<> +* <> -<> +* <> -<> +* <> -<> +* <> -<> +* <> -<> +* <> + +* <> + +* <> + +* <> [float] === 7.6.2 -<> +This prebuilt rule has been updated: + +* <> [float] === 7.6.1 -<> +These prebuilt rules have been updated: + +* <> -<> +* <> -<> +* <> -<> +* <> -<> +* <> -<> +* <> -<> +* <> -<> +* <> -<> +* <> -<> +* <> -<> +* <> -<> +* <> -<> +* <> -<> +* <> -<> +* <> -<> +* <> -<> +* <> -<> +* <> -<> +* <> -<> +* <> -<> +* <> -<> +* <> 
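Review bot: The 7.8.0 entry only lists two updated rules, but the reference table in this same patch adds a batch of new 7.8.0 / version 1 Linux rules (iptables and syslog disabling, encode/decode, Telnet, LKM, setuid/setgid, sudoers, SELinux, tty via Perl/Python, and others); since the 7.7.0 entry already lists removed rules, add a matching "These prebuilt rules have been added:" list for 7.8.0, or state in the intro that additions are out of scope, so that the changelog and the table tell the same story. The two updated rules listed do match the rows whose version was bumped to 3 and release to 7.8.0 in the reference table.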
diff --git a/docs/siem/detections/prebuilt-rules/prebuilt-rules-reference.asciidoc b/docs/siem/detections/prebuilt-rules/prebuilt-rules-reference.asciidoc index e437d99f83..298bf80ce3 100644 --- a/docs/siem/detections/prebuilt-rules/prebuilt-rules-reference.asciidoc +++ b/docs/siem/detections/prebuilt-rules/prebuilt-rules-reference.asciidoc @@ -8,8 +8,8 @@ This section lists all available prebuilt rules. IMPORTANT: To run {ml} prebuilt rules, you must have the https://www.elastic.co/subscriptions[appropriate license] or use a -{ess-trial}[cloud deployment]. All machine learning prebuilt rules are tagged -with `ML`, and their rule type is `machine_learning`. +{ess-trial}[Cloud] deployment. All {ml} prebuilt rules are tagged with `ML`, +and their rule type is `machine_learning`. [width="100%",options="header"] |============================================== 
@@ -28,12 +28,24 @@ with `ML`, and their rule type is `machine_learning`. |<> |Identifies unusual parent-child process relationships that can indicate malware execution or persistence mechanisms. Malicious scripts often call on other applications and processes as part of their exploit payload. For example, when a malicious Office document runs scripts as part of an exploit payload, Excel or Word may start a script interpreter process, which, in turn, runs a script that downloads and executes malware. Another common scenario is Outlook running an unusual process when malware is downloaded in an email. Monitoring and identifying anomalous process relationships is a method of detecting new and emerging malware that is not yet recognized by anti-virus scanners. |[Elastic] [ML] [Windows] |7.7.0 |1 -|<> |Identifies User Account Control (UAC) bypass via eventvwr.exe. Attackers bypass UAC to stealthily execute code with elevated permissions. |[Elastic] [Windows] |7.7.0 |1 +|<> |Adversaries may attempt to disable the iptables or firewall service in an attempt to affect how a host is allowed to receive or send network traffic. |[Elastic] [Linux] |7.8.0 |1 + +|<> |Adversaries may attempt to disable the syslog service in an attempt to an attempt to disrupt event logging and evade detection by security controls. |[Elastic] [Linux] |7.8.0 |1 + +|<> |Adversaries may encode/decode data in an attempt to evade detection by host- or network-based security controls. |[Elastic] [Linux] |7.8.0 |1 + +|<> |Adversaries may encode/decode data in an attempt to evade detection by host- or network-based security controls. |[Elastic] [Linux] |7.8.0 |1 + +|<> |Identifies User Account Control (UAC) bypass via `eventvwr.exe.` Attackers bypass UAC to stealthily execute code with elevated permissions. |[Elastic] [Windows] |7.7.0 |1 |<> |Identifies attempts to clear Windows event log stores. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system. 
|[Elastic] [Windows] |7.7.0 |2 <> |<> |Identifies `cmd.exe` making a network connection. Adversaries can abuse `cmd.exe` to download or execute malware from a remote URL. |[Elastic] [Windows] |7.7.0 |2 <> +|<> |Telnet provides a command line interface for communication with a remote device or server. This rule identifies Telnet network connections to publicly routable IP addresses. |[Elastic] [Linux] |7.8.0 |1 + +|<> |Telnet provides a command line interface for communication with a remote device or server. This rule identifies Telnet network connections to non-publicly routable IP addresses. |[Elastic] [Linux] |7.8.0 |1 + |<> |Elastic Endpoint detected Credential Dumping. Click the Elastic Endpoint icon in the `event.module` column or the link in the `rule.reference` column in the External Alerts tab of the SIEM *Detections* page for additional information. |[Elastic] [Endpoint] |7.7.0 |2 <> |<> |Elastic Endpoint prevented Credential Dumping. Click the Elastic Endpoint icon in the `event.module` column or the link in the `rule.reference` column in the External Alerts tab of the SIEM *Detections* page for additional information. |[Elastic] [Endpoint] |7.7.0 |2 <> 
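Review bot: The new syslog row reads "in an attempt to an attempt to disrupt event logging"; drop the duplicated phrase. Two consecutive new rows carry the identical description "Adversaries may encode/decode data in an attempt to evade detection by host- or network-based security controls.", so with the rule name in a separate column a reader cannot tell from this table what distinguishes them; name the utility or encoding each rule keys on in its description. In the UAC bypass row the closing period ended up inside the code span (`eventvwr.exe.`); move it outside the backticks.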
@@ -44,7 +56,7 @@ with `ML`, and their rule type is `machine_learning`. |<> |Detects when an internal network client sends DNS traffic directly to the Internet. This is atypical behavior for a managed network, and can be indicative of malware, exfiltration, command and control, or, simply, misconfiguration. This DNS activity also impacts your organization's ability to provide enterprise monitoring and logging of DNS, and opens your network to a variety of abuses and malicious communications. |[Elastic] [Network] |7.7.0 |3 <> -|<> |A machine learning job detected unusually large numbers of DNS queries for a single top-level DNS domain, which is often used for DNS tunneling. DNS tunneling can be used for command-and-control, persistence, or data exfiltration activity. For example, dnscat tends to generate many DNS questions for a top-level domain as it uses the DNS protocol to tunnel data. |[Elastic] [ML] [Packetbeat] |7.7.0 |1 +|<> |Detects unusually large numbers of DNS queries for a single top-level DNS domain, which is often used for DNS tunneling. DNS tunneling can be used for command-and-control, persistence, or data exfiltration activity. For example, `dnscat` tends to generate many DNS questions for a top-level domain as it uses the DNS protocol to tunnel data. |[Elastic] [ML] [Packetbeat] |7.7.0 |1 |<> |Identifies use of the `fsutil.exe` to delete the `USNJRNL` volume. This technique is used by attackers to eliminate evidence of files created during post-exploitation activities. |[Elastic] [Windows] |7.7.0 |2 <> 
@@ -56,9 +68,9 @@ with `ML`, and their rule type is `machine_learning`. |<> |Identifies the use of `certutil.exe` to encode or decode data. CertUtil is a native Windows component which is part of Certificate Services. CertUtil is often abused by attackers to encode or decode base64 data for stealthier command and control or exfiltration. |[Elastic] [Windows] |7.7.0 |2 <> -|<> |RegSvcs.exe and RegAsm.exe are Windows command line utilities that are used to register .NET Component Object Model (COM) assemblies. Adversaries can use RegSvcs.exe and RegAsm.exe to proxy execution of code through a trusted Windows utility. |[Elastic] [Windows] |7.7.0 |1 +|<> |Loadable Kernel Modules (or LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. This identifies attempts to enumerate information about a kernel module. |[Elastic] [Linux] |7.8.0 |1 -|<> |Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Adversaries may use these binaries to _live off the land_ and execute malicious files that could bypass application whitelisting and signature validation. |[Elastic] [Windows] |7.6.0 |1 +|<> |`RegSvcs.exe` and `RegAsm.exe` are Windows command line utilities that are used to register .NET Component Object Model (COM) assemblies. Adversaries can use `RegSvcs.exe` and `RegAsm.exe` to proxy execution of code through a trusted Windows utility. |[Elastic] [Windows] |7.7.0 |1 |<> |Elastic Endpoint detected an Exploit. Click the Elastic Endpoint icon in the `event.module` column or the link in the `rule.reference` column in the External Alerts tab of the SIEM *Detections* page for additional information. |[Elastic] [Endpoint] |7.7.0 |2 <> 
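Review bot: The new LKM enumeration row ends "This identifies attempts to enumerate information about a kernel module", while the sibling kernel module removal row added later in the patch uses "This rule identifies attempts to remove a kernel module"; use the same "This rule identifies" wording in both. Removing the "Execution via Signed Binary" row here is consistent with the changelog's 7.7.0 removal list.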
@@ -66,12 +78,24 @@ with `ML`, and their rule type is `machine_learning`. |<> |Detects events that may indicate the use of FTP network connections to the Internet. The File Transfer Protocol (FTP) has been around in its current form since the 1980s. It can be a common and efficient procedure on your network to send and receive files. Because of this, adversaries will also often use this protocol to exfiltrate data from your network or download new tools. Additionally, FTP is a plain-text protocol which, if intercepted, may expose usernames and passwords. FTP activity involving servers subject to regulations or compliance standards may be unauthorized. |[Elastic] [Network] |7.7.0 |3 <> +|<> |Malware or other files dropped or created on a system by an adversary may leave traces behind as to what was done within a network and how. Adversaries may remove these files over the course of an intrusion to keep their footprint low or remove them at the end as part of the post-intrusion cleanup process. |[Elastic] [Linux] |7.8.0 |1 + +|<> |Identifies file permission modifications in common writable directories by a non-root user. Adversaries often drop files or payloads into a writable directory and change permissions prior to execution. |[Elastic] [Linux] |7.8.0 |1 + +|<> |Adversaries may encode/decode data in an attempt to evade detection by host- or network-based security controls. |[Elastic] [Linux] |7.8.0 |1 + |<> |Hping ran on a Linux host. Hping is a FOSS command-line packet analyzer and has the ability to construct network packets for a wide variety of network security testing applications, including scanning and firewall auditing. |[Elastic] [Linux] |7.7.0 |2 <> |<> |Detects events that could be describing IPSEC NAT Traversal traffic. IPSEC is a VPN technology that allows one system to talk to another using encrypted tunnels. NAT Traversal enables these tunnels to communicate over the Internet where one of the sides is behind a NAT router gateway. 
This may be common on your network, but this technique is also used by threat actors to avoid detection. |[Elastic] [Network] |7.6.1 |2 <> |<> |Detects events that use common ports for Internet Relay Chat (IRC) to the Internet. IRC is a common protocol that can be used for chat and file transfers. This protocol is also a good candidate for remote control of malware and data transfers to and from a network. |[Elastic] [Network] |7.7.0 |3 <> +|<> |Identifies when a terminal (tty) is spawned via Perl. Attackers may upgrade a simple reverse shell to a fully interactive tty after obtaining initial access to a host. |[Elastic] [Linux] |7.8.0 |1 + +|<> |Identifies when a terminal (tty) is spawned via Python. Attackers may upgrade a simple reverse shell to a fully interactive tty after obtaining initial access to a host. |[Elastic] [Linux] |7.8.0 |1 + +|<> |Kernel modules are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. This rule identifies attempts to remove a kernel module. |[Elastic] [Linux] |7.8.0 |1 + |<> |A scheduled task can be used by an adversary to establish persistence, move laterally, and/or escalate privileges. |[Elastic] [Windows] |7.7.0 |2 <> |<> |Identifies use of `sc.exe` to create, modify, or start services on remote hosts. This could be indicative of adversary lateral movement but will be noisy if commonly done by admins. |[Elastic] [Windows] |7.7.0 |2 <> 
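Review bot: This hunk adds a third row with the exact description "Adversaries may encode/decode data in an attempt to evade detection by host- or network-based security controls." (two more appear earlier in the table), so three rules are now indistinguishable by description; each description should say which encoder or command the rule matches. The Perl and Python tty rows are fine, but "Kernel modules are pieces of code..." in the removal row and "Loadable Kernel Modules (or LKMs) are pieces of code..." in the enumeration row explain the same concept twice with different wording; pick one form for both.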
@@ -90,11 +114,11 @@ with `ML`, and their rule type is `machine_learning`. |<> |An instance of MSBuild, the Microsoft Build Engine, was started by Excel or Word. This is unusual behavior for the Build Engine and could have been caused by an Excel or Word document executing a malicious script payload. |[Elastic] [Windows] |7.7.0 |1 -|<> |An instance of MSBuild, the Microsoft Build Engine, was started after being renamed. This is uncommon behavior and may indicate an attempt to run unnoticed or undetected. |[Elastic] [Windows] |7.7.0 |1 +|<> |An instance of MSBuild, the Microsoft Build Engine, was started after being renamed. This is uncommon behavior and may indicate an attempt to run MSBuild unnoticed or undetected. |[Elastic] [Windows] |7.7.0 |1 |<> |The Linux `mknod` program is sometimes used in the command payload of a remote command injection (RCI) and other exploits. It is used to export a command shell when the traditional version of `netcat` is not available to the payload. |[Elastic] [Linux] |7.7.0 |2 <> -|<> |Identifies use of bcdedit.exe to delete boot configuration data. This tactic is sometimes used as by malware or an attacker as a destructive technique. |[Elastic] [Windows] |7.7.0 |1 +|<> |Identifies use of `bcdedit.exe` to delete boot configuration data. Malware and attackers sometimes use this tactic as a destructive technique. |[Elastic] [Windows] |7.7.0 |1 |<> |Identifies `MsBuild.exe` making outbound network connections. This may indicate adversarial activity as MsBuild is often leveraged by adversaries to execute code and evade detection. |[Elastic] [Windows] |7.7.0 |2 <> 
@@ -102,11 +126,11 @@ with `ML`, and their rule type is `machine_learning`. |<> |A `netcat` process is engaging in network activity on a Linux host. Netcat is often used as a persistence mechanism by exporting a reverse shell or by serving a shell on a listening port. Netcat is also sometimes used for data exfiltration. |[Elastic] [Linux] |7.7.0 |2 <> -|<> |Identifies certutil.exe making a network connection. Adversaries could abuse certutil.exe to download a certificate, or malware, from a remote URL. |[Elastic] [Windows] |7.7.0 |1 +|<> |Identifies `certutil.exe` making a network connection. Adversaries could abuse `certutil.exe` to download a certificate or malware from a remote URL. |[Elastic] [Windows] |7.7.0 |1 |<> |Compiled HTML files (`.chm`) are commonly distributed as part of the Microsoft HTML Help system. Adversaries may conceal malicious code in a CHM file and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable program (`hh.exe`). |[Elastic] [Windows] |7.7.0 |2 <> -|<> |Identifies msxsl.exe making a network connection. This may indicate adversarial activity as msxsl.exe is often leveraged by adversaries to execute malicious scripts and evade detection. |[Elastic] [Windows] |7.7.0 |1 +|<> |Identifies `msxsl.exe` making a network connection. This may indicate adversarial activity as `msxsl.exe` is often leveraged by adversaries to execute malicious scripts and evade detection. |[Elastic] [Windows] |7.7.0 |1 |<> |Identifies `mshta.exe` making a network connection. This may indicate adversarial activity as `mshta.exe` is often leveraged by adversaries to execute malicious scripts and evade detection. |[Elastic] [Windows] |7.7.0 |2 <> 
@@ -132,11 +156,13 @@ with `ML`, and their rule type is `machine_learning`. |<> |Iodine is a tool for tunneling Internet protocol version 4 (IPV4) traffic over the DNS protocol to circumvent firewalls, network security groups, and network access lists while evading detection. |[Elastic] [Linux] |7.7.0 |2 <> +|<> |Identifies potential attempts to disable Security-Enhanced Linux (SELinux), which is a Linux kernel security feature to support access control policies. Adversaries may disable security tools to avoid possible detection of their tools and activities. |[Elastic] [Linux] |7.8.0 |1 + |<> |The Filter Manager Control Program (fltMC.exe) binary may be abused by adversaries to unload a filter driver and evade defenses. |[Elastic] [Windows] |7.7.0 |2 <> |<> |Windows contains accessibility features that may be launched with a key combination before a user has logged in. An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system. |[Elastic] [Windows] |7.7.0 |2 <> -|<> |Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access. |[Elastic] [Linux] |7.6.1 |2 <> +|<> |Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access. |[Elastic] [Linux] |7.8.0 |3 <> |<> |Identifies a suspicious parent child process relationship with `cmd.exe` descending from `PowerShell.exe`. |[Elastic] [Windows] |7.7.0 |2 <> 
@@ -166,7 +192,7 @@ with `ML`, and their rule type is `machine_learning`. |<> |Elastic Endpoint prevented Ransomware. Click the Elastic Endpoint icon in the `event.module` column or the link in the `rule.reference` column in the External Alerts tab of the SIEM *Detections* page for additional information. |[Elastic] [Endpoint] |7.7.0 |2 <> -|<> |Detects network events that may indicate the use of Windows file sharing (also called SMB or CIFS) traffic to the Internet. SMB is commonly used within networks to share files, printers, and other system resources amongst trusted systems. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector or for data exfiltration. |[Elastic] [Network] |7.7.0 |3 <> +|<> |Detects network events that may indicate the use of Windows file sharing (also called SMB or CIFS) traffic to the Internet. SMB is commonly used within networks to share files, printers, and other system resources amongst trusted systems. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back- door vector or for data exfiltration. |[Elastic] [Network] |7.7.0 |3 <> |<> |Detects events that may indicate use of SMTP on TCP port 26. This port is commonly used by several popular mail transfer agents to deconflict with the default SMTP port 25. This port has also been used by a malware family called BadPatch for command and control of Windows systems. |[Elastic] [Network] |7.6.1 |2 <> 
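Review bot: The rewrapped SMB row breaks "back-door" into "back- door" (the removed line had it intact), so the only change in this hunk is a regression; rejoin the hyphenated word. The same reflow artifact shows up in other rewrapped rows of this file ("command-and- control", "command- and-control"), so it is worth grepping the file for a hyphen followed by a space before merging.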
@@ -178,10 +204,16 @@ with `ML`, and their rule type is `machine_learning`. |<> |Detects network events that may indicate the use of SSH traffic to the Internet. SSH is commonly used by system administrators to remotely control a system using the command line shell. If it is exposed to the Internet, it should be done with strong security controls as it is frequently targeted and exploited by threat actors as an initial access or back-door vector. |[Elastic] [Network] |7.7.0 |3 <> +|<> |An adversary may add the setgid bit to a file or directory in order to run a file with the privileges of the owning group. An adversary can take advantage of this to either do a shell escape or exploit a vulnerability in an application with the setgid bit to get code running in a different user’s context. Additionally, adversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future. |[Elastic] [Linux] |7.8.0 |1 + +|<> |An adversary may add the setuid bit to a file or directory in order to run a file with the privileges of the owning user. An adversary can take advantage of this to either do a shell escape or exploit a vulnerability in an application with the setuid bit to get code running in a different user’s context. Additionally, adversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future. |[Elastic] [Linux] |7.8.0 |1 + |<> |A Socat process is running on a Linux host. Socat is often used as a persistence mechanism by exporting a reverse shell, or by serving a shell on a listening port. Socat is also sometimes used for lateral movement. |[Elastic] [Linux] |7.7.0 |2 <> |<> |Strace runs in a privileged context and can be used to escape restrictive environments by instantiating a shell in order to elevate privileges or move laterally. 
|[Elastic] [Linux] |7.7.0 |2 <> +|<> |A sudoers file specifies the commands that users or groups can run and from which terminals. Adversaries can take advantage of these configurations to execute commands as other users or spawn processes with higher privileges. |[Elastic] [Linux] |7.8.0 |1 + |<> |Identifies suspicious child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, Excel). These child processes are often launched during exploitation of Office applications or from documents with malicious macros. |[Elastic] [Windows] |7.7.0 |2 <> |<> |Identifies suspicious child processes of Microsoft Outlook. These child processes are often associated with spear phishing activity. |[Elastic] [Windows] |7.7.0 |2 <> @@ -190,10 +222,6 @@ with `ML`, and their rule type is `machine_learning`. |<> |A machine learning job detected a PowerShell script with unusual data characteristics, such as obfuscation, that may be a characteristic of malicious PowerShell script text blocks. |[Elastic] [ML] [Windows] |7.7.0 |1 -|<> |Identifies a suspicious process being spawned from a script interpreter, which could be indicative of a potential phishing attack. |[Elastic] [Windows] |7.6.0 |1 - -|<> |Identifies scrobj.dll loaded into unusual Microsoft processes. This may indicate a malicious scriptlet is being executed in the target process. |[Elastic] [Windows] |7.6.0 |1 - |<> |Identifies a suspicious parent-child process relationship with cmd.exe descending from `svchost.exe`. |[Elastic] [Windows] |7.7.0 |2 <> |<> |Windows services typically run as SYSTEM and can be used as a privilege escalation opportunity. Malware or penetration testers may run a shell as a service to gain SYSTEM permissions. |[Elastic] [Windows] |7.7.0 |2 <> 
@@ -206,11 +234,11 @@ with `ML`, and their rule type is `machine_learning`. |<> |Identifies possibly suspicious activity using a trusted Windows developer utility program. |[Elastic] [Windows] |7.7.0 |2 <> -|<> |A machine learning job detected a rare and unusual DNS query that indicate network activity with unusual DNS domains. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, when a user clicks on a link in a phishing email or opens a malicious document, a request may be sent to download and run a payload from an uncommon domain. When malware is already running, it may send requests to an uncommon DNS domain the malware uses for command-and-control communication. |[Elastic] [ML] [Packetbeat] |7.7.0 |1 +|<> |A machine learning job detected a rare and unusual DNS query that indicates network activity with unusual DNS domains. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, when a user clicks on a link in a phishing email or opens a malicious document, a request may be sent to download and run a payload from an uncommon domain. When malware is already running, it may send requests to an uncommon DNS domain the malware uses for command-and-control communication. |[Elastic] [ML] [Packetbeat] |7.7.0 |1 |<> |Identifies Linux processes that do not usually use the network but have unexpected network activity, which can indicate command-and-control, lateral movement, persistence, or data exfiltration activity. A process with unusual network activity can denote process exploitation or injection, where the process is used to run persistence mechanisms that allow a malicious actor remote access or control of the host, data exfiltration, and execution of unauthorized network applications. 
|[Elastic] [Linux] [ML] |7.7.0 |1 -|<> |Identifies unusual destination port activity that can indicate command-and-control, persistence mechanism, or data exfiltration activity. Rarely used destination port activity is generally unusual in Linux fleets, and can indicate unauthorized access or threat actor activity. |[Elastic] [Linux] [ML] |7.7.0 |1 +|<> |Identifies unusual destination port activity that can indicate command-and- control, persistence mechanism, or data exfiltration activity. Rarely used destination port activity is generally unusual in Linux fleets, and can indicate unauthorized access or threat actor activity. |[Elastic] [Linux] [ML] |7.7.0 |1 |<> |Identifies unusual listening ports on Linux instances that can indicate execution of unauthorized services, backdoors, or persistence mechanisms. |[Elastic] [Linux] [ML] |7.7.0 |1 @@ -220,7 +248,7 @@ with `ML`, and their rule type is `machine_learning`. |<> |Identifies an unusually high number of authentication attempts. |[Elastic] [Linux] [ML] |7.7.0 |1 -|<> |Identifies unusual instances of `rundll32.exe` making outbound network connections. This may indicate adversarial activity and may identify malicious DLLs. |[Elastic] [Windows] |7.7.0 |2 <> +|<> |Identifies unusual instances of `rundll32.exe` making outbound network connections. This may indicate adversarial activity and may identify malicious DLLs. |[Elastic] [Windows] |7.8.0 |3 <> |<> |A machine learning job detected an unusual network destination domain name. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, when a user clicks on a link in a phishing email or opens a malicious document, a request may be sent to download and run a payload from an uncommon web server name. When malware is already running, it may send requests to an uncommon DNS domain the malware uses for command-and-control communication. |[Elastic] [ML] [Packetbeat] |7.7.0 |1 
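Review bot: The rewrapped "Unusual Linux Destination Port" row now reads "command-and- control", a split introduced by the reflow that the removed line did not have; rejoin it. The "indicate" to "indicates" fix in the DNS query row is correct. The RunDLL32 row bump to 7.8.0 / version 3 is one of the two updates the changelog lists for 7.8.0, so the two files agree on that rule.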
@@ -234,21 +262,21 @@ with `ML`, and their rule type is `machine_learning`. |<> |Identifies network activity from unexpected system applications. This may indicate adversarial activity as these applications are often leveraged by adversaries to execute code and evade detection. |[Elastic] [Windows] |7.7.0 |2 <> -|<> |A machine learning job detected a rare and unusual URL that indicates unusual web browsing activity. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, in a strategic web compromise or watering hole attack, when a trusted website is compromised to target a particular sector or organization, targeted users may receive emails with uncommon URLs for trusted websites. These URLs can be used to download and run a payload. When malware is already running, it may send requests to uncommon URLs on trusted websites the malware uses for command-and-control communication. When rare URLs are observed being requested for a local web server by a remote source, these can be due to web scanning, enumeration or attack traffic, or they can be due to bots and web scrapers which are part of common Internet background traffic. |[Elastic] [ML] [Packetbeat] |7.7.0 |1 +|<> |A machine learning job detected a rare and unusual URL that indicates unusual web browsing activity. This can be due to initial access, persistence, command- and-control, or exfiltration activity. For example, in a strategic web compromise or watering hole attack, when a trusted website is compromised to target a particular sector or organization, targeted users may receive emails with uncommon URLs for trusted websites. These URLs can be used to download and run a payload. When malware is already running, it may send requests to uncommon URLs on trusted websites the malware uses for command-and-control communication. 
When rare URLs are observed being requested for a local web server by a remote source, these can be due to web scanning, enumeration or attack traffic, or they can be due to bots and web scrapers which are part of common Internet background traffic. |[Elastic] [ML] [Packetbeat] |7.7.0 |1 |<> |A machine learning job detected a rare and unusual user agent indicating web browsing activity by an unusual process other than a web browser. This can be due to persistence, command-and-control, or exfiltration activity. Uncommon user agents coming from remote sources to local destinations are often the result of scanners, bots, and web scrapers, which are part of common Internet background traffic. Much of this is noise, but more targeted attacks on websites using tools like Burp or SQLmap can sometimes be discovered by spotting uncommon user agents. Uncommon user agents in traffic from local sources to remote destinations can be any number of things, including harmless programs like weather monitoring or stock-trading programs. However, uncommon user agents from local sources can also be due to malware or scanning activity. |[Elastic] [ML] [Packetbeat] |7.7.0 |1 |<> |Identifies Windows processes that do not usually use the network but have unexpected network activity, which can indicate command-and-control, lateral movement, persistence, or data exfiltration activity. A process with unusual network activity can denote process exploitation or injection, where the process is used to run persistence mechanisms that allow a malicious actor remote access or control of the host, data exfiltration, and execution of unauthorized network applications. |[Elastic] [ML] [Windows] |7.7.0 |1 -|<> |Identifies processes started from atypical folders in the file system, which might indicate malware execution or persistence mechanisms. 
In corporate Windows environments, software installation is centrally managed and it is unusual for programs to be executed from user or temporary directories. Processes executed from these locations can denote that a user downloaded software directly from the Internet or a malicious script or macro executed malware. |[Elastic] [ML] [Windows] |7.7.0 |1 +|<> |Identifies processes started from atypical folders in the file system, which may indicate malware execution or persistence mechanisms. In corporate Windows environments, software installation is centrally managed and it is unusual for programs to be executed from user or temporary directories. Processes executed from these locations can denote that a user downloaded software directly from the Internet or a malicious script or macro executed malware. |[Elastic] [ML] [Windows] |7.7.0 |1 |<> |A machine learning job detected an unusual remote desktop protocol (RDP) username, which can indicate account takeover or credentialed persistence using compromised accounts. RDP attacks, such as BlueKeep, also tend to use unusual usernames. |[Elastic] [ML] [Windows] |7.7.0 |1 |<> |A machine learning job detected an unusual Windows service, This can indicate execution of unauthorized services, malware, or persistence mechanisms. In corporate Windows environments, hosts do not generally run many rare or unique services. This job helps detect malware and persistence mechanisms that have been installed and run as a service. |[Elastic] [ML] [Windows] |7.7.0 |1 -|<> |A machine learning job detected an unusual user context switch, using the runas command or similar techniques, which can indicate account takeover or privilege escalation using compromised accounts. Privilege elevation using tools like runas are more commonly used by domain and network administrators than by regular Windows users. 
|[Elastic] [ML] [Windows] |7.7.0 |1 +|<> |A machine learning job detected an unusual user context switch, using the `runas` command or similar techniques, which can indicate account takeover or privilege escalation using compromised accounts. Privilege elevation using tools like `runas` are more commonly used by domain and network administrators than by regular Windows users. |[Elastic] [ML] [Windows] |7.7.0 |1 -|<> |A machine learning job detected activity for a username that is not normally active, which can indicate unauthorized changes, activity by unauthorized users, lateral movement, or compromised credentials. In many organizations, new usernames are not often created apart from specific types of system activities, such as creating new accounts for new employees. These user accounts quickly become active and routine. Events from rarely used usernames can point to suspicious activity. Additionally, automated Linux fleets tend to see activity from rarely used usernames only when personnel log in to make authorized or unauthorized changes, or threat actors have acquired credentials and log in for malicious purposes. Unusual usernames can also indicate pivoting, where compromised credentials are used to try and move laterally from one host to another. |[Elastic] [ML] [Windows] |7.7.0 |1 +|<> |A machine learning job detected activity for a username that is not normally active, which can indicate unauthorized changes, activity by unauthorized users, lateral movement, or compromised credentials. In many organizations, new usernames are not often created apart from specific types of system activities, such as creating new accounts for new employees. These user accounts quickly become active and routine. Events from rarely used usernames can point to suspicious activity. Unusual usernames can also indicate pivoting, where compromised credentials are used to try and move laterally from one host to another. 
|[Elastic] [ML] [Windows] |7.7.0 |1 |<> |Identifies attempts to create new local users. This is sometimes done by attackers to increase access to a system or domain. |[Elastic] [Windows] |7.7.0 |2 <> @@ -258,6 +286,8 @@ with `ML`, and their rule type is `machine_learning`. |<> |Detects network events that may indicate the use of VNC traffic to the Internet. VNC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector. |[Elastic] [Network] |7.7.0 |3 <> +|<> |An adversary may attempt to get detailed information about the operating system and hardware. This rule identifies common locations used to discover virtual machine hardware by a non-root user. This technique has been used by the Pupy RAT and other malware. |[Elastic] [Linux] |7.8.0 |1 + |<> |Identifies use of `vssadmin.exe` for shadow copy deletion on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks. |[Elastic] [Windows] |7.7.0 |2 <> |<> |Identifies use of `wmic.exe` for shadow copy deletion on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks. |[Elastic] [Windows] |7.7.0 |2 <> 
@@ -272,7 +302,7 @@ with `ML`, and their rule type is `machine_learning`. |<> |Identifies use of `whoami.exe` which displays user, group, and privileges information for the user who is currently logged on to the local system. |[Elastic] [Windows] |7.7.0 |2 <> -|<> |A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. |[Elastic] [Windows] |7.7.0 |1 +|<> |A spoofing vulnerability exists in the way Windows CryptoAPI (`Crypt32.dll`) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. |[Elastic] [Windows] |7.7.0 |1 |<> |Identifies a PowerShell process launched by either `cscript.exe` or `wscript.exe`. Observing Windows scripting processes executing a PowerShell script, may be indicative of malicious activity. |[Elastic] [Windows] |7.7.0 |2 <> diff --git a/docs/siem/detections/prebuilt-rules/rule-desc-index.asciidoc b/docs/siem/detections/prebuilt-rules/rule-desc-index.asciidoc index 84af15d3a6..e25b218c74 100644 --- a/docs/siem/detections/prebuilt-rules/rule-desc-index.asciidoc +++ b/docs/siem/detections/prebuilt-rules/rule-desc-index.asciidoc 
@@ -10,12 +10,24 @@ include::rule-details/anomalous-process-for-a-windows-population.asciidoc[] include::rule-details/anomalous-windows-process-creation.asciidoc[] +include::rule-details/attempt-to-disable-iptables-or-firewall.asciidoc[] + +include::rule-details/attempt-to-disable-syslog-service.asciidoc[] + +include::rule-details/base16-or-base32-encoding-decoding-activity.asciidoc[] + +include::rule-details/base64-encoding-decoding-activity.asciidoc[] + include::rule-details/bypass-uac-via-event-viewer.asciidoc[] include::rule-details/clearing-windows-event-logs.asciidoc[] include::rule-details/command-prompt-network-connection.asciidoc[] +include::rule-details/connection-to-external-network-via-telnet.asciidoc[] + +include::rule-details/connection-to-internal-network-via-telnet.asciidoc[] + include::rule-details/credential-dumping-detected-elastic-endpoint.asciidoc[] include::rule-details/credential-dumping-prevented-elastic-endpoint.asciidoc[] @@ -38,9 +50,9 @@ include::rule-details/disable-windows-firewall-rules-via-netsh.asciidoc[] include::rule-details/encoding-or-decoding-files-via-certutil.asciidoc[] -include::rule-details/execution-via-regsvcs-regasm.asciidoc[] +include::rule-details/enumeration-of-kernel-modules.asciidoc[] -include::rule-details/execution-via-signed-binary.asciidoc[] +include::rule-details/execution-via-regsvcs-regasm.asciidoc[] include::rule-details/exploit-detected-elastic-endpoint.asciidoc[] 
@@ -48,12 +60,24 @@ include::rule-details/exploit-prevented-elastic-endpoint.asciidoc[] include::rule-details/ftp-file-transfer-protocol-activity-to-the-internet.asciidoc[] +include::rule-details/file-deletion-via-shred.asciidoc[] + +include::rule-details/file-permission-modification-in-writable-directory.asciidoc[] + +include::rule-details/hex-encoding-decoding-activity.asciidoc[] + include::rule-details/hping-process-activity.asciidoc[] include::rule-details/ipsec-nat-traversal-port-activity.asciidoc[] include::rule-details/irc-internet-relay-chat-protocol-activity-to-the-internet.asciidoc[] +include::rule-details/interactive-terminal-spawned-via-perl.asciidoc[] + +include::rule-details/interactive-terminal-spawned-via-python.asciidoc[] + +include::rule-details/kernel-module-removal.asciidoc[] + include::rule-details/local-scheduled-task-commands.asciidoc[] include::rule-details/local-service-commands.asciidoc[] @@ -114,6 +138,8 @@ include::rule-details/potential-application-shimming-via-sdbinst.asciidoc[] include::rule-details/potential-dns-tunneling-via-iodine.asciidoc[] +include::rule-details/potential-disabling-of-selinux.asciidoc[] + include::rule-details/potential-evasion-via-filter-manager.asciidoc[] include::rule-details/potential-modification-of-accessibility-binaries.asciidoc[] @@ -160,10 +186,16 @@ include::rule-details/ssh-secure-shell-from-the-internet.asciidoc[] include::rule-details/ssh-secure-shell-to-the-internet.asciidoc[] +include::rule-details/setgid-bit-set-via-chmod.asciidoc[] + +include::rule-details/setuid-bit-set-via-chmod.asciidoc[] + include::rule-details/socat-process-activity.asciidoc[] include::rule-details/strace-process-activity.asciidoc[] +include::rule-details/sudoers-file-modification.asciidoc[] + include::rule-details/suspicious-ms-office-child-process.asciidoc[] include::rule-details/suspicious-ms-outlook-child-process.asciidoc[] 
@@ -172,10 +204,6 @@ include::rule-details/suspicious-pdf-reader-child-process.asciidoc[] include::rule-details/suspicious-powershell-script.asciidoc[] -include::rule-details/suspicious-process-spawning-from-script-interpreter.asciidoc[] - -include::rule-details/suspicious-script-object-execution.asciidoc[] - include::rule-details/svchost-spawning-cmd.asciidoc[] include::rule-details/system-shells-via-services.asciidoc[] @@ -240,6 +268,8 @@ include::rule-details/vnc-virtual-network-computing-from-the-internet.asciidoc[] include::rule-details/vnc-virtual-network-computing-to-the-internet.asciidoc[] +include::rule-details/virtual-machine-fingerprinting.asciidoc[] + include::rule-details/volume-shadow-copy-deletion-via-vssadmin.asciidoc[] include::rule-details/volume-shadow-copy-deletion-via-wmic.asciidoc[] diff --git a/docs/siem/detections/prebuilt-rules/rule-details/anomalous-process-for-a-linux-population.asciidoc b/docs/siem/detections/prebuilt-rules/rule-details/anomalous-process-for-a-linux-population.asciidoc index 3b83520376..571f904702 100644 --- a/docs/siem/detections/prebuilt-rules/rule-details/anomalous-process-for-a-linux-population.asciidoc +++ b/docs/siem/detections/prebuilt-rules/rule-details/anomalous-process-for-a-linux-population.asciidoc @@ -57,4 +57,4 @@ schedule - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process. * Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is -performing. +performing. \ No newline at end of file diff --git a/docs/siem/detections/prebuilt-rules/rule-details/anomalous-process-for-a-windows-population.asciidoc b/docs/siem/detections/prebuilt-rules/rule-details/anomalous-process-for-a-windows-population.asciidoc index 6b7277035d..e890ff9f95 100644 --- a/docs/siem/detections/prebuilt-rules/rule-details/anomalous-process-for-a-windows-population.asciidoc 
+++ b/docs/siem/detections/prebuilt-rules/rule-details/anomalous-process-for-a-windows-population.asciidoc @@ -66,4 +66,4 @@ updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious. * If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified -as malware by anti-malware tools. +as malware by anti-malware tools. \ No newline at end of file diff --git a/docs/siem/detections/prebuilt-rules/rule-details/attempt-to-disable-iptables-or-firewall.asciidoc b/docs/siem/detections/prebuilt-rules/rule-details/attempt-to-disable-iptables-or-firewall.asciidoc new file mode 100644 index 0000000000..015abaf6bf --- /dev/null +++ b/docs/siem/detections/prebuilt-rules/rule-details/attempt-to-disable-iptables-or-firewall.asciidoc 
@@ -0,0 +1,56 @@ +[[attempt-to-disable-iptables-or-firewall]] +=== Attempt to Disable IPTables or Firewall + +Identifies attempts to disable iptables or a firewall service, a technique +adversaries can to modify the network traffic hosts are allowed to send and +receive. + +*Rule type*: query + +*Rule indices*: + +* auditbeat-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5 minutes + +*Searches indices from*: now-6m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum signals per execution*: 100 + +*Tags*: + +* Elastic +* Linux + +*Version*: 1 + +*Added ({stack} release)*: 7.8.0 + + +==== Rule query + + +[source,js] +---------------------------------- +event.action:(executed or process_started) and (process.name:service +and process.args:stop or process.name:chkconfig and process.args:off) +and process.args:(ip6tables or iptables) or process.name:systemctl and +process.args:(firewalld and (disable or stop or kill)) +---------------------------------- + +==== Threat mapping + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Disabling Security Tools +** ID: T1089 +** Reference URL: https://attack.mitre.org/techniques/T1089/ diff --git a/docs/siem/detections/prebuilt-rules/rule-details/attempt-to-disable-syslog-service.asciidoc b/docs/siem/detections/prebuilt-rules/rule-details/attempt-to-disable-syslog-service.asciidoc new file mode 100644 index 0000000000..b914216db7 --- /dev/null +++ b/docs/siem/detections/prebuilt-rules/rule-details/attempt-to-disable-syslog-service.asciidoc 
@@ -0,0 +1,55 @@ +[[attempt-to-disable-syslog-service]] +=== Attempt to Disable Syslog Service + +Identifies attempts to disable the syslog service, a technique adversaries can +use to disrupt event logging and evade detection by security controls. + +*Rule type*: query + +*Rule indices*: + +* auditbeat-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5 minutes + +*Searches indices from*: now-6m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum signals per execution*: 100 + +*Tags*: + +* Elastic +* Linux + +*Version*: 1 + +*Added ({stack} release)*: 7.8.0 + + +==== Rule query + + +[source,js] +---------------------------------- +event.action:(executed or process_started) and ((process.name:service +and process.args:stop) or (process.name:chkconfig and +process.args:off) or (process.name:systemctl and process.args:(disable +or stop or kill))) and process.args:(syslog or rsyslog or "syslog-ng") +---------------------------------- + +==== Threat mapping + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Disabling Security Tools +** ID: T1089 +** Reference URL: https://attack.mitre.org/techniques/T1089/ diff --git a/docs/siem/detections/prebuilt-rules/rule-details/base16-or-base32-encoding-decoding-activity.asciidoc b/docs/siem/detections/prebuilt-rules/rule-details/base16-or-base32-encoding-decoding-activity.asciidoc new file mode 100644 index 0000000000..45707b4bd5 --- /dev/null +++ b/docs/siem/detections/prebuilt-rules/rule-details/base16-or-base32-encoding-decoding-activity.asciidoc 
@@ -0,0 +1,69 @@ +[[base16-or-base32-encoding-decoding-activity]] +=== Base16 or Base32 Encoding/Decoding Activity + +Identifies attempts to encode and decode data, a technique adversaries can +use to evade detection by host- or network-based security controls. + +*Rule type*: query + +*Rule indices*: + +* auditbeat-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5 minutes + +*Searches indices from*: now-6m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum signals per execution*: 100 + +*Tags*: + +* Elastic +* Linux + +*Version*: 1 + +*Added ({stack} release)*: 7.8.0 + + +==== Potential false positives + +Automated tools such as Jenkins may encode or decode files as part of their +normal behavior. These events can be filtered by the process executable or +username values. + +==== Rule query + + +[source,js] +---------------------------------- +event.action:(executed or process_started) and process.name:(base16 or +base32 or base32plain or base32hex) +---------------------------------- + +==== Threat mapping + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Deobfuscate/Decode Files or Information +** ID: T1140 +** Reference URL: https://attack.mitre.org/techniques/T1140/ + + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Obfuscated Files or Information +** ID: T1027 +** Reference URL: https://attack.mitre.org/techniques/T1027/ diff --git a/docs/siem/detections/prebuilt-rules/rule-details/base64-encoding-decoding-activity.asciidoc b/docs/siem/detections/prebuilt-rules/rule-details/base64-encoding-decoding-activity.asciidoc new file mode 100644 index 0000000000..4b8fe4ce7d --- /dev/null +++ b/docs/siem/detections/prebuilt-rules/rule-details/base64-encoding-decoding-activity.asciidoc 
@@ -0,0 +1,67 @@ +[[base64-encoding-decoding-activity]] +=== Base64 Encoding/Decoding Activity + +Identifies attempts to encode and decode data, a technique adversaries can +use to evade detection by host- or network-based security controls. + +*Rule type*: query + +*Rule indices*: + +* auditbeat-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5 minutes + +*Searches indices from*: now-6m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum signals per execution*: 100 + +*Tags*: + +* Elastic +* Linux + +*Version*: 1 + +*Added ({stack} release)*: 7.8.0 + + +==== Potential false positives + +Automated tools such as Jenkins may encode or decode files as part of their normal behavior. These events can be filtered by the process executable or username values. + +==== Rule query + + +[source,js] +---------------------------------- +event.action:(executed or process_started) and process.name:(base64 or +base64plain or base64url or base64mime or base64pem) +---------------------------------- + +==== Threat mapping + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Deobfuscate/Decode Files or Information +** ID: T1140 +** Reference URL: https://attack.mitre.org/techniques/T1140/ + + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Obfuscated Files or Information +** ID: T1027 +** Reference URL: https://attack.mitre.org/techniques/T1027/ diff --git a/docs/siem/detections/prebuilt-rules/rule-details/connection-to-external-network-via-telnet.asciidoc b/docs/siem/detections/prebuilt-rules/rule-details/connection-to-external-network-via-telnet.asciidoc new file mode 100644 index 0000000000..f9398c06a1 --- /dev/null +++ b/docs/siem/detections/prebuilt-rules/rule-details/connection-to-external-network-via-telnet.asciidoc 
@@ -0,0 +1,57 @@ +[[connection-to-external-network-via-telnet]] +=== Connection to External Network via Telnet + +Telnet provides a command line interface for communication with a remote device or server. This rule identifies Telnet network connections to publicly routable IP addresses. + +*Rule type*: query + +*Rule indices*: + +* auditbeat-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5 minutes + +*Searches indices from*: now-6m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum signals per execution*: 100 + +*Tags*: + +* Elastic +* Linux + +*Version*: 1 + +*Added ({stack} release)*: 7.8.0 + + +==== Potential false positives + +Telnet can be used for both benign or malicious purposes. Telnet is included by default in some Linux distributions, so its presence is not inherently suspicious. The use of Telnet to manage devices remotely has declined in recent years in favor of more secure protocols such as SSH. Telnet usage by non-automated tools or frameworks may be suspicious. + +==== Rule query + + +[source,js] +---------------------------------- +event.action:("connected-to" or "network_flow") and +process.name:telnet and not destination.ip:(127.0.0.0/8 or 10.0.0.0/8 +or 172.16.0.0/12 or 192.168.0.0/16 or "FE80::/10" or "::1/128") +---------------------------------- + +==== Threat mapping + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: https://attack.mitre.org/techniques/T1021/ diff --git a/docs/siem/detections/prebuilt-rules/rule-details/connection-to-internal-network-via-telnet.asciidoc b/docs/siem/detections/prebuilt-rules/rule-details/connection-to-internal-network-via-telnet.asciidoc new file mode 100644 index 0000000000..82eb10cf08 --- /dev/null 
+++ b/docs/siem/detections/prebuilt-rules/rule-details/connection-to-internal-network-via-telnet.asciidoc @@ -0,0 +1,57 @@ +[[connection-to-internal-network-via-telnet]] +=== Connection to Internal Network via Telnet + +Telnet provides a command line interface for communication with a remote device or server. This rule identifies Telnet network connections to non-publicly routable IP addresses. + +*Rule type*: query + +*Rule indices*: + +* auditbeat-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5 minutes + +*Searches indices from*: now-6m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum signals per execution*: 100 + +*Tags*: + +* Elastic +* Linux + +*Version*: 1 + +*Added ({stack} release)*: 7.8.0 + + +==== Potential false positives + +Telnet can be used for both benign or malicious purposes. Telnet is included by default in some Linux distributions, so its presence is not inherently suspicious. The use of Telnet to manage devices remotely has declined in recent years in favor of more secure protocols such as SSH. Telnet usage by non-automated tools or frameworks may be suspicious. + +==== Rule query + + +[source,js] +---------------------------------- +event.action:("connected-to" or "network_flow") and +process.name:telnet and destination.ip:((10.0.0.0/8 or 172.16.0.0/12 +or 192.168.0.0/16 or "FE80::/10") and not (127.0.0.0/8 or "::1/128")) +---------------------------------- + +==== Threat mapping + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: https://attack.mitre.org/techniques/T1021/ diff --git a/docs/siem/detections/prebuilt-rules/rule-details/enumeration-of-kernel-modules.asciidoc b/docs/siem/detections/prebuilt-rules/rule-details/enumeration-of-kernel-modules.asciidoc new file mode 100644 index 0000000000..f49aa01024 --- /dev/null 
+++ b/docs/siem/detections/prebuilt-rules/rule-details/enumeration-of-kernel-modules.asciidoc @@ -0,0 +1,59 @@ +[[enumeration-of-kernel-modules]] +=== Enumeration of Kernel Modules + +Identifies attempts to enumerate information about a kernel module. Loadable +Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into +the kernel upon demand. They extend the functionality of the kernel without the +need to reboot the system. + +*Rule type*: query + +*Rule indices*: + +* auditbeat-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5 minutes + +*Searches indices from*: now-6m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum signals per execution*: 100 + +*Tags*: + +* Elastic +* Linux + +*Version*: 1 + +*Added ({stack} release)*: 7.8.0 + + +==== Potential false positives + +Security tools and device drivers may run these programs in order to enumerate kernel modules. Use of these programs by ordinary users is uncommon. These can be exempted by process name or username. + +==== Rule query + + +[source,js] +---------------------------------- +event.action:executed and process.args:(kmod and list and sudo or sudo +and (depmod or lsmod or modinfo)) +---------------------------------- + +==== Threat mapping + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: System Information Discovery +** ID: T1082 +** Reference URL: https://attack.mitre.org/techniques/T1082/ diff --git a/docs/siem/detections/prebuilt-rules/rule-details/execution-via-signed-binary.asciidoc b/docs/siem/detections/prebuilt-rules/rule-details/execution-via-signed-binary.asciidoc deleted file mode 100644 index ce4d1a5d4f..0000000000 --- a/docs/siem/detections/prebuilt-rules/rule-details/execution-via-signed-binary.asciidoc +++ /dev/null 
@@ -1,70 +0,0 @@ -[[execution-via-signed-binary]] -=== Execution via Signed Binary - -Binaries signed with trusted digital certificates can execute on Windows systems -protected by digital signature validation. Adversaries may use these binaries to -_live off the land_ and execute malicious files that could bypass application -whitelisting and signature validation. - -*Rule type*: query - -*Rule indices*: - -* winlogbeat-* - -*Severity*: low - -*Risk score*: 21 - -*Runs every*: 5 minutes - -*Searches indices from*: now-6m ({ref}/common-options.html#date-math[Date Math format], see also <>) - -*Maximum signals per execution*: 100 - -*Tags*: - -* Elastic -* Windows - -*Version*: 1 - -*Added ({stack} release)*: 7.6.0 - - -==== Potential false positives - -Security testing may produce events like this. Activity of this kind performed -by non-engineers and ordinary users is unusual. - -==== Rule query - - -[source,js] ----------------------------------- -event.code:1 and http and (process.name:certutil.exe or -process.name:msiexec.exe) ----------------------------------- - -==== Threat mapping - -*Framework*: MITRE ATT&CK^TM^ - -* Tactic: -** Name: Defense Evasion -** ID: TA0005 -** Reference URL: https://attack.mitre.org/tactics/TA0005/ -* Technique: -** Name: Signed Binary Proxy Execution -** ID: T1218 -** Reference URL: https://attack.mitre.org/techniques/T1218/ - - -* Tactic: -** Name: Execution -** ID: TA0002 -** Reference URL: https://attack.mitre.org/tactics/TA0002/ -* Technique: -** Name: Signed Binary Proxy Execution -** ID: T1218 -** Reference URL: https://attack.mitre.org/techniques/T1218/ diff --git a/docs/siem/detections/prebuilt-rules/rule-details/file-deletion-via-shred.asciidoc b/docs/siem/detections/prebuilt-rules/rule-details/file-deletion-via-shred.asciidoc new file mode 100644 index 0000000000..75497c6be4 --- /dev/null +++ b/docs/siem/detections/prebuilt-rules/rule-details/file-deletion-via-shred.asciidoc 
@@ -0,0 +1,56 @@ +[[file-deletion-via-shred]] +=== File Deletion via Shred + +Identifies file deletions using the `shred` command. Malware or other files +dropped or created on a system by an adversary may leave traces behind as to +what was done within a network and how. Adversaries may remove these files over +the course of an intrusion to keep their footprint low or remove them at the +end as part of the post-intrusion cleanup process. + +*Rule type*: query + +*Rule indices*: + +* auditbeat-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5 minutes + +*Searches indices from*: now-6m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum signals per execution*: 100 + +*Tags*: + +* Elastic +* Linux + +*Version*: 1 + +*Added ({stack} release)*: 7.8.0 + + +==== Rule query + + +[source,js] +---------------------------------- +event.action:(executed or process_started) and process.name:shred and +process.args:("-u" or "--remove" or "-z" or "--zero") +---------------------------------- + +==== Threat mapping + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: File Deletion +** ID: T1107 +** Reference URL: https://attack.mitre.org/techniques/T1107/ diff --git a/docs/siem/detections/prebuilt-rules/rule-details/file-permission-modification-in-writable-directory.asciidoc b/docs/siem/detections/prebuilt-rules/rule-details/file-permission-modification-in-writable-directory.asciidoc new file mode 100644 index 0000000000..1df2288f5c --- /dev/null +++ b/docs/siem/detections/prebuilt-rules/rule-details/file-permission-modification-in-writable-directory.asciidoc 
@@ -0,0 +1,59 @@ +[[file-permission-modification-in-writable-directory]] +=== File Permission Modification in Writable Directory + +Identifies file permission modifications in common writable directories by a +non-root user. Adversaries often drop files or payloads into a writable +directory, and change permissions prior to execution. + +*Rule type*: query + +*Rule indices*: + +* auditbeat-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5 minutes + +*Searches indices from*: now-6m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum signals per execution*: 100 + +*Tags*: + +* Elastic +* Linux + +*Version*: 1 + +*Added ({stack} release)*: 7.8.0 + + +==== Potential false positives + +Certain programs or applications may modify files or change ownership in writable directories. These can be exempted by username. + +==== Rule query + + +[source,js] +---------------------------------- +event.action:executed and process.name:(chmod or chown or chattr or +chgrp) and process.working_directory:(/tmp or /var/tmp or /dev/shm) +and not user.name:root +---------------------------------- + +==== Threat mapping + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: File and Directory Permissions Modification +** ID: T1222 +** Reference URL: https://attack.mitre.org/techniques/T1222/ diff --git a/docs/siem/detections/prebuilt-rules/rule-details/hex-encoding-decoding-activity.asciidoc b/docs/siem/detections/prebuilt-rules/rule-details/hex-encoding-decoding-activity.asciidoc new file mode 100644 index 0000000000..0aa26eda87 --- /dev/null +++ b/docs/siem/detections/prebuilt-rules/rule-details/hex-encoding-decoding-activity.asciidoc 
@@ -0,0 +1,67 @@ +[[hex-encoding-decoding-activity]] +=== Hex Encoding/Decoding Activity + +Identifies attempts to encode and decode data, a technique adversaries can +use to evade detection by host- or network-based security controls. + +*Rule type*: query + +*Rule indices*: + +* auditbeat-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5 minutes + +*Searches indices from*: now-6m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum signals per execution*: 100 + +*Tags*: + +* Elastic +* Linux + +*Version*: 1 + +*Added ({stack} release)*: 7.8.0 + + +==== Potential false positives + +Automated tools such as Jenkins may encode or decode files as part of their normal behavior. These events can be filtered by the process executable or username values. + +==== Rule query + + +[source,js] +---------------------------------- +event.action:(executed or process_started) and process.name:(hex or +xxd) +---------------------------------- + +==== Threat mapping + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Deobfuscate/Decode Files or Information +** ID: T1140 +** Reference URL: https://attack.mitre.org/techniques/T1140/ + + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Obfuscated Files or Information +** ID: T1027 +** Reference URL: https://attack.mitre.org/techniques/T1027/ diff --git a/docs/siem/detections/prebuilt-rules/rule-details/interactive-terminal-spawned-via-perl.asciidoc b/docs/siem/detections/prebuilt-rules/rule-details/interactive-terminal-spawned-via-perl.asciidoc new file mode 100644 index 0000000000..70e316ecce --- /dev/null +++ b/docs/siem/detections/prebuilt-rules/rule-details/interactive-terminal-spawned-via-perl.asciidoc 
@@ -0,0 +1,54 @@ +[[interactive-terminal-spawned-via-perl]] +=== Interactive Terminal Spawned via Perl + +Identifies when a terminal (`tty`) is spawned via Perl. Attackers may upgrade a +simple reverse shell to a fully interactive `tty` after obtaining initial +access to a host. + +*Rule type*: query + +*Rule indices*: + +* auditbeat-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5 minutes + +*Searches indices from*: now-6m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum signals per execution*: 100 + +*Tags*: + +* Elastic +* Linux + +*Version*: 1 + +*Added ({stack} release)*: 7.8.0 + + +==== Rule query + + +[source,js] +---------------------------------- +event.action:executed and process.name:perl and process.args:("exec +\"/bin/sh\";" or "exec \"/bin/dash\";" or "exec \"/bin/bash\";") +---------------------------------- + +==== Threat mapping + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command-Line Interface +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ diff --git a/docs/siem/detections/prebuilt-rules/rule-details/interactive-terminal-spawned-via-python.asciidoc b/docs/siem/detections/prebuilt-rules/rule-details/interactive-terminal-spawned-via-python.asciidoc new file mode 100644 index 0000000000..2190a1f914 --- /dev/null +++ b/docs/siem/detections/prebuilt-rules/rule-details/interactive-terminal-spawned-via-python.asciidoc 
@@ -0,0 +1,55 @@ +[[interactive-terminal-spawned-via-python]] +=== Interactive Terminal Spawned via Python + +Identifies when a terminal (`tty`) is spawned via Python. Attackers may upgrade +a simple reverse shell to a fully interactive `tty` after obtaining initial +access to a host. + +*Rule type*: query + +*Rule indices*: + +* auditbeat-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5 minutes + +*Searches indices from*: now-6m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum signals per execution*: 100 + +*Tags*: + +* Elastic +* Linux + +*Version*: 1 + +*Added ({stack} release)*: 7.8.0 + + +==== Rule query + + +[source,js] +---------------------------------- +event.action:executed and process.name:python and +process.args:("import pty; pty.spawn(\"/bin/sh\")" or "import pty; +pty.spawn(\"/bin/dash\")" or "import pty; pty.spawn(\"/bin/bash\")") +---------------------------------- + +==== Threat mapping + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command-Line Interface +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ diff --git a/docs/siem/detections/prebuilt-rules/rule-details/kernel-module-removal.asciidoc b/docs/siem/detections/prebuilt-rules/rule-details/kernel-module-removal.asciidoc new file mode 100644 index 0000000000..2fbb024188 --- /dev/null +++ b/docs/siem/detections/prebuilt-rules/rule-details/kernel-module-removal.asciidoc 
@@ -0,0 +1,74 @@ +[[kernel-module-removal]] +=== Kernel Module Removal + +Identifies attempts to remove a kernel module. Kernel modules are pieces of +code that can be loaded and unloaded into the kernel upon demand. They extend +the functionality of the kernel without the need to reboot the system. + +*Rule type*: query + +*Rule indices*: + +* auditbeat-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5 minutes + +*Searches indices from*: now-6m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum signals per execution*: 100 + +*References*: + +* http://man7.org/linux/man-pages/man8/modprobe.8.html + +*Tags*: + +* Elastic +* Linux + +*Version*: 1 + +*Added ({stack} release)*: 7.8.0 + + +==== Potential false positives + +There is usually no reason to remove modules, but some buggy modules require +removal. These can be exempted by username. Note that some Linux distributions +are not built to support the removal of modules at all. + +==== Rule query + + +[source,js] +---------------------------------- +event.action:executed and process.args:(rmmod and sudo or modprobe and +sudo and ("--remove" or "-r")) +---------------------------------- + +==== Threat mapping + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Disabling Security Tools +** ID: T1089 +** Reference URL: https://attack.mitre.org/techniques/T1089/ + + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Kernel Modules and Extensions +** ID: T1215 +** Reference URL: https://attack.mitre.org/techniques/T1215/ diff --git a/docs/siem/detections/prebuilt-rules/rule-details/potential-disabling-of-selinux.asciidoc b/docs/siem/detections/prebuilt-rules/rule-details/potential-disabling-of-selinux.asciidoc new file mode 100644 index 0000000000..6af4ccf8ef --- /dev/null 
+++ b/docs/siem/detections/prebuilt-rules/rule-details/potential-disabling-of-selinux.asciidoc @@ -0,0 +1,54 @@ +[[potential-disabling-of-selinux]] +=== Potential Disabling of SELinux + +Identifies potential attempts to disable Security-Enhanced Linux (SELinux), +which is a Linux kernel security feature that supports access control policies. +Adversaries may disable security tools to avoid possible detection of their +tools and activities. + +*Rule type*: query + +*Rule indices*: + +* auditbeat-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5 minutes + +*Searches indices from*: now-6m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum signals per execution*: 100 + +*Tags*: + +* Elastic +* Linux + +*Version*: 1 + +*Added ({stack} release)*: 7.8.0 + + +==== Rule query + + +[source,js] +---------------------------------- +event.action:executed and process.name:setenforce and process.args:0 +---------------------------------- + +==== Threat mapping + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Disabling Security Tools +** ID: T1089 +** Reference URL: https://attack.mitre.org/techniques/T1089/ diff --git a/docs/siem/detections/prebuilt-rules/rule-details/potential-shell-via-web-server.asciidoc b/docs/siem/detections/prebuilt-rules/rule-details/potential-shell-via-web-server.asciidoc index ccd6586e00..b1f6092d08 100644 --- a/docs/siem/detections/prebuilt-rules/rule-details/potential-shell-via-web-server.asciidoc +++ b/docs/siem/detections/prebuilt-rules/rule-details/potential-shell-via-web-server.asciidoc @@ -29,11 +29,11 @@ vulnerability and remote shell access. * Elastic * Linux -*Version*: 2 (<>) +*Version*: 3 (<>) *Added ({stack} release)*: 7.6.0 -*Last modified ({stack} release)*: 7.6.1 +*Last modified ({stack} release)*: 7.8.0 ==== Potential false positives 
@@ -46,8 +46,8 @@ runs shell commands as part of normal behavior. [source,js] ---------------------------------- -process.name:bash and user.name:(apache or www or www-data) and -event.action:executed +process.name:(bash or dash) and user.name:(apache or nginx or www or +"www-data") and event.action:executed ---------------------------------- ==== Threat mapping @@ -66,6 +66,15 @@ event.action:executed [[potential-shell-via-web-server-history]] ==== Rule version history +Version 3 (7.8.0 release):: +Updated query, changed from: ++ +[source, js] +---------------------------------- +process.name:bash and user.name:(apache or www or www-data) and +event.action:executed +---------------------------------- + Version 2 (7.6.1 release):: Updated query, changed from: + diff --git a/docs/siem/detections/prebuilt-rules/rule-details/setgid-bit-set-via-chmod.asciidoc b/docs/siem/detections/prebuilt-rules/rule-details/setgid-bit-set-via-chmod.asciidoc new file mode 100644 index 0000000000..156a0cdb3b --- /dev/null +++ b/docs/siem/detections/prebuilt-rules/rule-details/setgid-bit-set-via-chmod.asciidoc 
@@ -0,0 +1,62 @@ +[[setgid-bit-set-via-chmod]] +=== Setgid Bit Set via chmod + +An adversary may add the setgid bit to a file or directory in order to run a file with the privileges of the owning group. An adversary can take advantage of this to either do a shell escape or exploit a vulnerability in an application with the setgid bit to get code running in a different user’s context. Additionally, adversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future. + +*Rule type*: query + +*Rule indices*: + +* auditbeat-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5 minutes + +*Searches indices from*: now-6m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum signals per execution*: 33 + +*Tags*: + +* Elastic +* Linux + +*Version*: 1 + +*Added ({stack} release)*: 7.8.0 + + +==== Rule query + + +[source,js] +---------------------------------- +event.action:(executed OR process_started) AND process.name:chmod AND +process.args:(g+s OR /2[0-9]{3}/) AND NOT user.name:root +---------------------------------- + +==== Threat mapping + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Setuid and Setgid +** ID: T1166 +** Reference URL: https://attack.mitre.org/techniques/T1166/ + + +* Tactic: +** Name: Persistence +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Setuid and Setgid +** ID: T1166 +** Reference URL: https://attack.mitre.org/techniques/T1166/ diff --git a/docs/siem/detections/prebuilt-rules/rule-details/setuid-bit-set-via-chmod.asciidoc b/docs/siem/detections/prebuilt-rules/rule-details/setuid-bit-set-via-chmod.asciidoc new file mode 100644 index 0000000000..2bea0cb824 --- /dev/null +++ b/docs/siem/detections/prebuilt-rules/rule-details/setuid-bit-set-via-chmod.asciidoc 
@@ -0,0 +1,62 @@ +[[setuid-bit-set-via-chmod]] +=== Setuid Bit Set via chmod + +An adversary may add the setuid bit to a file or directory in order to run a file with the privileges of the owning user. An adversary can take advantage of this to either do a shell escape or exploit a vulnerability in an application with the setuid bit to get code running in a different user’s context. Additionally, adversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future. + +*Rule type*: query + +*Rule indices*: + +* auditbeat-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5 minutes + +*Searches indices from*: now-6m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum signals per execution*: 33 + +*Tags*: + +* Elastic +* Linux + +*Version*: 1 + +*Added ({stack} release)*: 7.8.0 + + +==== Rule query + + +[source,js] +---------------------------------- +event.action:(executed OR process_started) AND process.name:chmod AND +process.args:(u+s OR /4[0-9]{3}/) AND NOT user.name:root +---------------------------------- + +==== Threat mapping + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Setuid and Setgid +** ID: T1166 +** Reference URL: https://attack.mitre.org/techniques/T1166/ + + +* Tactic: +** Name: Persistence +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Setuid and Setgid +** ID: T1166 +** Reference URL: https://attack.mitre.org/techniques/T1166/ diff --git a/docs/siem/detections/prebuilt-rules/rule-details/sudoers-file-modification.asciidoc b/docs/siem/detections/prebuilt-rules/rule-details/sudoers-file-modification.asciidoc new file mode 100644 index 0000000000..9949b68c44 --- /dev/null +++ b/docs/siem/detections/prebuilt-rules/rule-details/sudoers-file-modification.asciidoc 
@@ -0,0 +1,52 @@ +[[sudoers-file-modification]] +=== Sudoers File Modification + +A sudoers file specifies the commands that users or groups can run and from which terminals. Adversaries can take advantage of these configurations to execute commands as other users or spawn processes with higher privileges. + +*Rule type*: query + +*Rule indices*: + +* auditbeat-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5 minutes + +*Searches indices from*: now-6m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum signals per execution*: 100 + +*Tags*: + +* Elastic +* Linux + +*Version*: 1 + +*Added ({stack} release)*: 7.8.0 + + +==== Rule query + + +[source,js] +---------------------------------- +event.module:file_integrity and event.action:updated and +file.path:/etc/sudoers +---------------------------------- + +==== Threat mapping + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Sudo +** ID: T1169 +** Reference URL: https://attack.mitre.org/techniques/T1169/ diff --git a/docs/siem/detections/prebuilt-rules/rule-details/suspicious-process-spawning-from-script-interpreter.asciidoc b/docs/siem/detections/prebuilt-rules/rule-details/suspicious-process-spawning-from-script-interpreter.asciidoc deleted file mode 100644 index 0a15598a33..0000000000 --- a/docs/siem/detections/prebuilt-rules/rule-details/suspicious-process-spawning-from-script-interpreter.asciidoc +++ /dev/null 
@@ -1,72 +0,0 @@ -[[suspicious-process-spawning-from-script-interpreter]] -=== Suspicious Process spawning from Script Interpreter - -Identifies a suspicious process being spawned from a script interpreter, which -could be indicative of a potential phishing attack. - -*Rule type*: query - -*Rule indices*: - -* winlogbeat-* - -*Severity*: low - -*Risk score*: 21 - -*Runs every*: 5 minutes - -*Searches indices from*: now-6m ({ref}/common-options.html#date-math[Date Math format], see also <>) - -*Maximum signals per execution*: 100 - -*Tags*: - -* Elastic -* Windows - -*Version*: 1 - -*Added ({stack} release)*: 7.6.0 - - -==== Potential false positives - -Security testing may produce events like this. Activity of this kind performed -by non-engineers and ordinary users is unusual. - -==== Rule query - - -[source,js] ----------------------------------- -(process.parent.name:cmd.exe or process.parent.name:cscript.exe or -process.parent.name:mshta.exe or process.parent.name:powershell.exe or -process.parent.name:rundll32.exe or process.parent.name:wscript.exe or -process.parent.name:wmiprvse.exe) and (process.name:bitsadmin.exe or -process.name:certutil.exe or mshta.exe or process.name:nslookup.exe or -process.name:schtasks.exe) and event.code:1 ----------------------------------- - -==== Threat mapping - -*Framework*: MITRE ATT&CK^TM^ - -* Tactic: -** Name: Defense Evasion -** ID: TA0005 -** Reference URL: https://attack.mitre.org/tactics/TA0005/ -* Technique: -** Name: Scripting -** ID: T1064 -** Reference URL: https://attack.mitre.org/techniques/T1064/ - - -* Tactic: -** Name: Execution -** ID: TA0002 -** Reference URL: https://attack.mitre.org/tactics/TA0002/ -* Technique: -** Name: Scripting -** ID: T1064 -** Reference URL: https://attack.mitre.org/techniques/T1064/ 
diff --git a/docs/siem/detections/prebuilt-rules/rule-details/suspicious-script-object-execution.asciidoc b/docs/siem/detections/prebuilt-rules/rule-details/suspicious-script-object-execution.asciidoc deleted file mode 100644 index 7b2f981e24..0000000000 --- a/docs/siem/detections/prebuilt-rules/rule-details/suspicious-script-object-execution.asciidoc +++ /dev/null @@ -1,63 +0,0 @@ -[[suspicious-script-object-execution]] -=== Suspicious Script Object Execution - -Identifies `scrobj.dll` loaded into unusual Microsoft processes. This may -indicate a malicious scriptlet is being executed in the target process. - -*Rule type*: query - -*Rule indices*: - -* winlogbeat-* - -*Severity*: low - -*Risk score*: 21 - -*Runs every*: 5 minutes - -*Searches indices from*: now-6m ({ref}/common-options.html#date-math[Date Math format], see also <>) - -*Maximum signals per execution*: 100 - -*Tags*: - -* Elastic -* Windows - -*Version*: 1 - -*Added ({stack} release)*: 7.6.0 - - -==== Rule query - - -[source,js] ----------------------------------- -event.code: 1 and scrobj.dll and (process.name:certutil.exe or -process.name:regsvr32.exe or process.name:rundll32.exe) ----------------------------------- - -==== Threat mapping - -*Framework*: MITRE ATT&CK^TM^ - -* Tactic: -** Name: Defense Evasion -** ID: TA0005 -** Reference URL: https://attack.mitre.org/tactics/TA0005/ -* Technique: -** Name: Scripting -** ID: T1064 -** Reference URL: https://attack.mitre.org/techniques/T1064/ - - -* Tactic: -** Name: Execution -** ID: TA0002 -** Reference URL: https://attack.mitre.org/tactics/TA0002/ -* Technique: -** Name: Scripting -** ID: T1064 -** Reference URL: https://attack.mitre.org/techniques/T1064/ diff --git a/docs/siem/detections/prebuilt-rules/rule-details/unusual-linux-network-activity.asciidoc b/docs/siem/detections/prebuilt-rules/rule-details/unusual-linux-network-activity.asciidoc index 22844c4764..57fa8d9d15 100644 
--- a/docs/siem/detections/prebuilt-rules/rule-details/unusual-linux-network-activity.asciidoc +++ b/docs/siem/detections/prebuilt-rules/rule-details/unusual-linux-network-activity.asciidoc @@ -67,4 +67,4 @@ consistent schedule - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business or maintenance process. * Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is -performing. +performing. \ No newline at end of file diff --git a/docs/siem/detections/prebuilt-rules/rule-details/unusual-linux-username.asciidoc b/docs/siem/detections/prebuilt-rules/rule-details/unusual-linux-username.asciidoc index b3d2ebb9dd..35e77c4fae 100644 --- a/docs/siem/detections/prebuilt-rules/rule-details/unusual-linux-username.asciidoc +++ b/docs/siem/detections/prebuilt-rules/rule-details/unusual-linux-username.asciidoc @@ -66,4 +66,4 @@ consistent schedule - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process. * Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks that the -user is performing. +user is performing. \ No newline at end of file diff --git a/docs/siem/detections/prebuilt-rules/rule-details/unusual-network-connection-via-rundll32.asciidoc b/docs/siem/detections/prebuilt-rules/rule-details/unusual-network-connection-via-rundll32.asciidoc index aca5e829a1..3866495dbf 100644 --- a/docs/siem/detections/prebuilt-rules/rule-details/unusual-network-connection-via-rundll32.asciidoc +++ b/docs/siem/detections/prebuilt-rules/rule-details/unusual-network-connection-via-rundll32.asciidoc @@ -26,11 +26,11 @@ DLLs. * Elastic * Windows -*Version*: 2 (<>) +*Version*: 3 (<>) *Added ({stack} release)*: 7.6.0 -*Last modified ({stack} release)*: 7.7.0 +*Last modified ({stack} release)*: 7.8.0 ==== Rule query 
@@ -40,7 +40,7 @@ DLLs. ---------------------------------- process.name:rundll32.exe and event.action:"Network connection detected (rule: NetworkConnect)" and not destination.ip:(10.0.0.0/8 or -172.16.0.0/12 or 192.168.0.0/16) +172.16.0.0/12 or 192.168.0.0/16 or 127.0.0.0/8) ---------------------------------- ==== Threat mapping @@ -59,6 +59,16 @@ detected (rule: NetworkConnect)" and not destination.ip:(10.0.0.0/8 or [[unusual-network-connection-via-rundll32-history]] ==== Rule version history +Version 3 (7.8.0 release):: +Updated query, changed from: ++ +[source, js] +---------------------------------- +process.name:rundll32.exe and event.action:"Network connection +detected (rule: NetworkConnect)" and not destination.ip:(10.0.0.0/8 or +172.16.0.0/12 or 192.168.0.0/16) +---------------------------------- + Version 2 (7.7.0 release):: Updated query, changed from: + diff --git a/docs/siem/detections/prebuilt-rules/rule-details/unusual-process-for-a-linux-host.asciidoc b/docs/siem/detections/prebuilt-rules/rule-details/unusual-process-for-a-linux-host.asciidoc index 6ef0e6ec81..e8d74be1f9 100644 --- a/docs/siem/detections/prebuilt-rules/rule-details/unusual-process-for-a-linux-host.asciidoc +++ b/docs/siem/detections/prebuilt-rules/rule-details/unusual-process-for-a-linux-host.asciidoc @@ -55,4 +55,4 @@ schedule - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process. * Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks -it is performing. +it is performing. \ No newline at end of file diff --git a/docs/siem/detections/prebuilt-rules/rule-details/unusual-process-for-a-windows-host.asciidoc b/docs/siem/detections/prebuilt-rules/rule-details/unusual-process-for-a-windows-host.asciidoc index 026ad9169d..6987fa737a 100644 --- a/docs/siem/detections/prebuilt-rules/rule-details/unusual-process-for-a-windows-host.asciidoc 
+++ b/docs/siem/detections/prebuilt-rules/rule-details/unusual-process-for-a-windows-host.asciidoc @@ -64,4 +64,4 @@ or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious. * If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified -as malware by anti-malware tools. +as malware by anti-malware tools. \ No newline at end of file diff --git a/docs/siem/detections/prebuilt-rules/rule-details/unusual-windows-network-activity.asciidoc b/docs/siem/detections/prebuilt-rules/rule-details/unusual-windows-network-activity.asciidoc index 16df9afa06..d94d26ad5e 100644 --- a/docs/siem/detections/prebuilt-rules/rule-details/unusual-windows-network-activity.asciidoc +++ b/docs/siem/detections/prebuilt-rules/rule-details/unusual-windows-network-activity.asciidoc @@ -72,4 +72,4 @@ or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious. * If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified -as malware by anti-malware tools. +as malware by anti-malware tools. \ No newline at end of file diff --git a/docs/siem/detections/prebuilt-rules/rule-details/unusual-windows-remote-user.asciidoc b/docs/siem/detections/prebuilt-rules/rule-details/unusual-windows-remote-user.asciidoc index aa03d19cfe..c378a0a8bb 100644 --- a/docs/siem/detections/prebuilt-rules/rule-details/unusual-windows-remote-user.asciidoc +++ b/docs/siem/detections/prebuilt-rules/rule-details/unusual-windows-remote-user.asciidoc 
@@ -53,4 +53,4 @@ group who normally logs in to Windows hosts using RDP (remote desktop protocol)? Is this logon activity part of an expected workflow for the user? * Consider the source of the login. If the source is remote, could this be related to occasional troubleshooting or support activity by a vendor or an -employee working remotely? +employee working remotely? \ No newline at end of file diff --git a/docs/siem/detections/prebuilt-rules/rule-details/unusual-windows-user-privilege-elevation-activity.asciidoc b/docs/siem/detections/prebuilt-rules/rule-details/unusual-windows-user-privilege-elevation-activity.asciidoc index ba7d02cd7b..94d3a429ac 100644 --- a/docs/siem/detections/prebuilt-rules/rule-details/unusual-windows-user-privilege-elevation-activity.asciidoc +++ b/docs/siem/detections/prebuilt-rules/rule-details/unusual-windows-user-privilege-elevation-activity.asciidoc @@ -9,7 +9,7 @@ than by regular Windows users. *Rule type*: machine_learning -$1 +*Machine learning job*: windows_rare_user_runas_event *Machine learning anomaly threshold*: 50 diff --git a/docs/siem/detections/prebuilt-rules/rule-details/unusual-windows-username.asciidoc b/docs/siem/detections/prebuilt-rules/rule-details/unusual-windows-username.asciidoc index ed8edf5ec6..6a11da0a70 100644 --- a/docs/siem/detections/prebuilt-rules/rule-details/unusual-windows-username.asciidoc +++ b/docs/siem/detections/prebuilt-rules/rule-details/unusual-windows-username.asciidoc @@ -67,4 +67,4 @@ that the user is performing. * Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an -Office application, this process could be more suspicious. +Office application, this process could be more suspicious. \ No newline at end of file 
diff --git a/docs/siem/detections/prebuilt-rules/rule-details/virtual-machine-fingerprinting.asciidoc b/docs/siem/detections/prebuilt-rules/rule-details/virtual-machine-fingerprinting.asciidoc new file mode 100644 index 0000000000..96680968e7 --- /dev/null +++ b/docs/siem/detections/prebuilt-rules/rule-details/virtual-machine-fingerprinting.asciidoc @@ -0,0 +1,58 @@ +[[virtual-machine-fingerprinting]] +=== Virtual Machine Fingerprinting + +An adversary may attempt to get detailed information about the operating system and hardware. This rule identifies common locations used to discover virtual machine hardware by a non-root user. This technique has been used by Pupy RAT and other malware. + +*Rule type*: query + +*Rule indices*: + +* auditbeat-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5 minutes + +*Searches indices from*: now-6m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum signals per execution*: 100 + +*Tags*: + +* Elastic +* Linux + +*Version*: 1 + +*Added ({stack} release)*: 7.8.0 + + +==== Potential false positives + +Certain tools or automated software may enumerate hardware information. These tools can be exempted via user name or process arguments to eliminate potential noise. + +==== Rule query + + +[source,js] +---------------------------------- +event.action:executed and +process.args:("/sys/class/dmi/id/bios_version" or +"/sys/class/dmi/id/product_name" or "/sys/class/dmi/id/chassis_vendor" +or "/proc/scsi/scsi" or "/proc/ide/hd0/model") and not user.name:root +---------------------------------- + +==== Threat mapping + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: System Information Discovery +** ID: T1082 +** Reference URL: https://attack.mitre.org/techniques/T1082/ 
diff --git a/docs/siem/detections/prebuilt-rules/tune-rule-signals.asciidoc b/docs/siem/detections/prebuilt-rules/tune-rule-signals.asciidoc index d829ec8511..3e4c864588 100644 --- a/docs/siem/detections/prebuilt-rules/tune-rule-signals.asciidoc +++ b/docs/siem/detections/prebuilt-rules/tune-rule-signals.asciidoc @@ -110,8 +110,6 @@ Normal user activity may sometimes trigger one or more of these rules: * <> * <> * <> -* <> -* <> * <> * <> * <> diff --git a/docs/siem/field-ref.asciidoc b/docs/siem/field-ref.asciidoc index c0cb134733..e611163fa2 100644 --- a/docs/siem/field-ref.asciidoc +++ b/docs/siem/field-ref.asciidoc @@ -1,23 +1,26 @@ [[siem-field-reference]] [chapter, role="xpack"] -= Field reference and mappings += SIEM field reference guide -This section lists all fields required to populate {siem-soln} data. +This section lists ECS fields the {siem-app} uses to display data. -NOTE: Unless noted otherwise, all listed fields are {ecs-ref}[ECS fields]. +IMPORTANT: It is recommended to use {beats} to ship your data. Beat modules +(for example, {filebeat-ref}/filebeat-modules.html[{filebeat} modules]) +are ECS-compliant so manual field mapping is not required, and all {siem-app} +data is automatically populated. If you cannot use {beats}, map your data to +{ecs-ref}[ECS fields] (see {ecs-ref}/ecs-converting.html[how to map data to ECS]). +You can also try using the experimental https://github.com/elastic/ecs-mapper[ECS Mapper] tool. [float] -[[siem-global-fields]] -== Global fields +[[siem-host-fields]] +== Host fields -Fields required for populating all SIEM data: +These fields must be mapped to display host data in the {siem-app}: * `@timestamp` * `host.name` -[float] -[[siem-host-fields]] -== Host fields +These fields can be mapped to display additional host data in the {siem-app}: * `cloud.instance.id` * `cloud.machine.type` 
@@ -35,13 +38,32 @@ Fields required for populating all SIEM data: [discrete] ==== Authentication fields +These fields must be mapped to display host authentication data in the +{siem-app}: + * `event.category` ++ +NOTE: To display authentication data in the {siem-app}, you must map authentication events to the `event.category` field with a value of +`authentication`. + * `event.outcome` + +This field can be mapped to display additional host authentication data in the +{siem-app}: + * `user.name` [discrete] ==== Uncommon process fields +This field must be mapped to display host uncommon process data in the +{siem-app}: + +* `process.name` + +These fields can be mapped to display additional uncommon process data in the +{siem-app}: + * `agent.type` * `event.action` * `event.category` 
@@ -49,46 +71,66 @@ Fields required for populating all SIEM data: * `event.dataset` * `event.module` * `process.args` -* `process.name` * `user.id` * `user.name` -* `winlog.channel` {winlogbeat-ref}/exported-fields-winlog.html[(Winlogbeat field)] -* `winlog.event_id` (Winlogbeat field) [float] [[siem-network-fields]] == Network fields -* `destination.geo.location` (for <>) +These fields must be mapped to display network data in the {siem-app}: + +* `@timestamp` +* `destination.geo.location` (required for displaying <>) * `destination.ip` -* `source.geo.location` (for map data) +* `source.geo.location` (required for displaying map data) * `source.ip` +These fields can be mapped to display additional network data in the {siem-app}: + +* `destination.as` +* `destination.bytes` +* `destination.domain` +* `destination.geo.country_iso_code` +* `source.as` +* `source.bytes` +* `source.domain` +* `source.geo.country_iso_code` + [discrete] ==== DNS query fields -* `dns.question.type` +These fields must be mapped to display DNS data in the {siem-app}: -NOTE: If you want to be able to filter out PTR records, make sure relevant events populate the `dns.question.type` field with a value of `PTR`. - -* `destination.bytes` * `dns.question.name` * `dns.question.registered_domain` -* `source.bytes` + +This field can be mapped to display additional DNS data in the {siem-app}: + +* `dns.question.type` ++ +NOTE: If you want to be able to filter out PTR records, make sure relevant +events populate the `dns.question.type` field with a value of `PTR`. 
[discrete] ==== HTTP request fields +These fields must be mapped to display HTTP request data in the {siem-app}: + * `http.request.method` * `http.response.status_code` -* `source.ip` * `url.domain` * `url.path` [discrete] ==== TLS fields +This field must be mapped to display TLS data in the {siem-app}: + * `tls.server.hash.sha1` + +These fields can be mapped to display additional TLS data in the {siem-app}: + * `tls.server.issuer` * `tls.server.ja3s` * `tls.server.not_after` @@ -97,21 +139,17 @@ NOTE: If you want to be able to filter out PTR records, make sure relevant event [float] == Event and external alert fields +These fields must be mapped to display event and external alert data in the +{siem-app}: + +* `@timestamp` +* `event.kind` ++ NOTE: For external alerts, the `event.kind` field value must be `alert`. -* `auditd.data.acct` {auditbeat-ref}/exported-fields-auditd.html[(Auditbeat field)] -* `auditd.data.op` (Auditbeat field) -* `auditd.data.terminal` (Auditbeat field) -* `auditd.result` (Auditbeat field) -* `auditd.session` (Auditbeat field) -* `auditd.summary.actor.primary` (Auditbeat field) -* `auditd.summary.actor.secondary` (Auditbeat field) -* `auditd.summary.how` (Auditbeat field) -* `auditd.summary.message_type` (Auditbeat field) -* `auditd.summary.object.primary` (Auditbeat field) -* `auditd.summary.object.secondary` (Auditbeat field) -* `auditd.summary.object.type` (Auditbeat field) -* `auditd.summary.sequence` (Auditbeat field) +These fields can be mapped to display additional event and external alert data +in the {siem-app}: + * `destination.bytes` * `destination.geo.city_name` * `destination.geo.continent_name` @@ -135,10 +173,10 @@ NOTE: For external alerts, the `event.kind` field value must be `alert`. * `event.end` * `event.hash` * `event.id` -* `event.kind` * `event.module` * `event.original` * `event.outcome` +* `event.provider` * `event.risk_score_norm` * `event.risk_score` * `event.severity` 
@@ -177,12 +215,15 @@ NOTE: For external alerts, the `event.kind` field value must be `alert`. * `network.packets` * `network.protocol` * `network.transport` +* `pe.original_file_name` * `process.args` * `process.executable` * `process.hash.md5` * `process.hash.sha1` * `process.hash.sha256` * `process.name` +* `process.parent.executable` +* `process.parent.name` * `process.pid` * `process.ppid` * `process.title` 
@@ -198,72 +239,5 @@ NOTE: For external alerts, the `event.kind` field value must be `alert`. * `source.ip` * `source.packets` * `source.port` -* `suricata.eve.alert.signature_id` {filebeat-ref}/exported-fields-suricata.html[(Filebeat field)] -* `suricata.eve.alert.signature` (Filebeat field) -* `suricata.eve.flow_id` (Filebeat field) -* `suricata.eve.proto` (Filebeat field) -* `system.audit.package.arch` {auditbeat-ref}/exported-fields-system.html[(Auditbeat field)] -* `system.audit.package.entity_id` (Auditbeat field) -* `system.audit.package.name` (Auditbeat field) -* `system.audit.package.size` (Auditbeat field) -* `system.audit.package.summary` (Auditbeat field) -* `system.audit.package.version` (Auditbeat field) -* `system.auth.ssh.method` {filebeat-ref}/exported-fields-system.html[(Filebeat field)] -* `system.auth.ssh.signature` (Filebeat field) -// Not documented since v7.3: -// * `tls.client_certificate.fingerprint.sha1` {packetbeat-ref}/exported-fields-tls_detailed.html[(Packetbeat field)] -// * `tls.fingerprints.ja3.hash` (Packetbeat field) -// * `tls.server_certificate.fingerprint.sha1` (Packetbeat field) * `user.domain` * `user.name` -* `winlog.event_id` {winlogbeat-ref}/exported-fields-winlog.html[(Winlogbeat field)] -* `zeek.connection.history` {filebeat-ref}/exported-fields-zeek.html[(Filebeat field)] -* `zeek.connection.local_orig` (Filebeat field) -* `zeek.connection.local_resp` (Filebeat field) -* `zeek.connection.missed_bytes` (Filebeat field) -* `zeek.connection.state` (Filebeat field) -* `zeek.dns.AA` (Filebeat field) -* `zeek.dns.qclass_name` (Filebeat field) -* `zeek.dns.qclass` (Filebeat field) -* `zeek.dns.qtype_name` (Filebeat field) -* `zeek.dns.qtype` (Filebeat field) -* `zeek.dns.query` (Filebeat field) -* `zeek.dns.RA` (Filebeat field) -* `zeek.dns.RD` (Filebeat field) -* `zeek.dns.TC` (Filebeat field) -* `zeek.dns.trans_id` (Filebeat field) -* `zeek.files.analyzers` (Filebeat field) -* `zeek.files.depth` (Filebeat field) -* 
`zeek.files.duration` (Filebeat field) -* `zeek.files.fuid` (Filebeat field) -* `zeek.files.is_orig` (Filebeat field) -* `zeek.files.local_orig` (Filebeat field) -* `zeek.files.md5` (Filebeat field) -* `zeek.files.mime_type` (Filebeat field) -* `zeek.files.missing_bytes` (Filebeat field) -* `zeek.files.overflow_bytes` (Filebeat field) -* `zeek.files.rx_host` (Filebeat field) -* `zeek.files.seen_bytes` (Filebeat field) -* `zeek.files.session_ids` (Filebeat field) -* `zeek.files.sha1` (Filebeat field) -* `zeek.files.source` (Filebeat field) -* `zeek.files.timedout` (Filebeat field) -* `zeek.files.total_bytes` (Filebeat field) -* `zeek.files.tx_host` (Filebeat field) -* `zeek.http.resp_fuids` (Filebeat field) -* `zeek.http.resp_mime_types` (Filebeat field) -* `zeek.http.status_msg` (Filebeat field) -* `zeek.http.tags` (Filebeat field) -* `zeek.http.trans_depth` (Filebeat field) -* `zeek.notice.dropped` (Filebeat field) -* `zeek.notice.dst` (Filebeat field) -* `zeek.notice.msg` (Filebeat field) -* `zeek.notice.note` (Filebeat field) -* `zeek.notice.peer_descr` (Filebeat field) -* `zeek.notice.sub` (Filebeat field) -* `zeek.notice.suppress_for` (Filebeat field) -* `zeek.session_id` (Filebeat field) -* `zeek.ssl.cipher` (Filebeat field) -* `zeek.ssl.established` (Filebeat field) -* `zeek.ssl.resumed` (Filebeat field) -* `zeek.ssl.version` (Filebeat field) diff --git a/docs/siem/images/add-data.png b/docs/siem/images/add-data.png index aaeea1bae3..ef4765e1d5 100644 Binary files a/docs/siem/images/add-data.png and b/docs/siem/images/add-data.png differ diff --git a/docs/siem/images/cases-ui-home.png b/docs/siem/images/cases-ui-home.png index b513efb664..bff5573e3e 100644 Binary files a/docs/siem/images/cases-ui-home.png and b/docs/siem/images/cases-ui-home.png differ 
diff --git a/docs/siem/images/detections-ui.png b/docs/siem/images/detections-ui.png index 5f6691ccd2..98ae536b42 100644 Binary files a/docs/siem/images/detections-ui.png and b/docs/siem/images/detections-ui.png differ diff --git a/docs/siem/images/events-count.png b/docs/siem/images/events-count.png index ffa1db74a4..df309f9559 100644 Binary files a/docs/siem/images/events-count.png and b/docs/siem/images/events-count.png differ diff --git a/docs/siem/images/hosts-ui.png b/docs/siem/images/hosts-ui.png index 1c1148a8d9..ffed2c6912 100644 Binary files a/docs/siem/images/hosts-ui.png and b/docs/siem/images/hosts-ui.png differ diff --git a/docs/siem/images/network-ui.png b/docs/siem/images/network-ui.png index 9fbc3ecd44..64558cf811 100644 Binary files a/docs/siem/images/network-ui.png and b/docs/siem/images/network-ui.png differ diff --git a/docs/siem/images/overview-ui.png b/docs/siem/images/overview-ui.png index e21eec8709..a4f5b772e5 100644 Binary files a/docs/siem/images/overview-ui.png and b/docs/siem/images/overview-ui.png differ diff --git a/docs/siem/images/timeline-ui.png b/docs/siem/images/timeline-ui.png index b00d6f3086..2af46b3060 100644 Binary files a/docs/siem/images/timeline-ui.png and b/docs/siem/images/timeline-ui.png differ diff --git a/docs/siem/index.asciidoc b/docs/siem/index.asciidoc index 1a4679d88a..1dcf43e6af 100644 --- a/docs/siem/index.asciidoc +++ b/docs/siem/index.asciidoc @@ -2,14 +2,14 @@ :siem-soln: SIEM :siem-app: SIEM app :siem-ui: SIEM UI -:ml-dir: {docdir}/../stack/ml/ +:ml-dir: {stack-docs-root}/docs/en/stack/ml :sn: ServiceNow = SIEM Guide -include::{asciidoc-dir}/../../shared/versions/stack/{source_branch}.asciidoc[] +include::{docs-root}/shared/versions/stack/{source_branch}.asciidoc[] -include::{asciidoc-dir}/../../shared/attributes.asciidoc[] +include::{docs-root}/shared/attributes.asciidoc[] include::overview.asciidoc[] 
diff --git a/docs/siem/installation.asciidoc b/docs/siem/installation.asciidoc index bcdabeba78..dd00f733aa 100644 --- a/docs/siem/installation.asciidoc +++ b/docs/siem/installation.asciidoc @@ -71,8 +71,8 @@ You can install {beats} using a {kib}-based guide or directly from the command l === Install {beats} using the {kib}-based guide Follow the instructions in the Add Data section of the {kib} home page. Click -*Add log data* or *Add metrics*, and follow the links for the types of data you -want to collect. +*Add events*, and follow the links for the types of data you want to +collect. [role="screenshot"] image::add-data.png[]
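Review bot: in the `@@ -49,46 +71,66 @@` hunk, the new "additional network data" list gives `destination.as` and `source.as`, which in ECS are field sets rather than leaf fields (the leaves are `source.as.number` and `source.as.organization.name`, and the same for `destination`), so a reader mapping a custom index cannot tell which keys to populate; list the leaf fields the way the `geo` entries already do (`destination.geo.country_iso_code`). The same hunk drops `process.name`, `winlog.channel` and `winlog.event_id` from "Fields required for populating all SIEM data" with no replacement; `process.name` still appears under event fields further down, but the `winlog.*` fields vanish from the page entirely, so say whether Windows events still need them or why they are no longer required.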
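Review bot: the `@@ -97,21 +139,17 @@` hunk removes every `auditd.*` field from the event and external alert list, and with them the `{auditbeat-ref}/exported-fields-auditd.html` link that told readers where those fields are documented; if the app still renders auditd events from them, keep one sentence saying that beat-specific fields are described in the beat's exported-fields reference. Moving `event.kind` up to the required list (with its `alert` note) and deleting the duplicate entry lower down is right; while the list is being touched, `event.risk_score_norm` before `event.risk_score` in the context lines breaks the alphabetical order the rest of the list keeps and is worth swapping.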
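Review bot: the `@@ -177,12 +215,15 @@` hunk adds `pe.original_file_name` at the root, but ECS defines `pe` only as a nested field set (`file.pe.*`, `process.pe.*`, `dll.pe.*`) and states it is not expected at the root of an event; confirm the app really reads a top-level `pe.original_file_name`, or change it to `process.pe.original_file_name` (or `file.pe.original_file_name`) to match the ECS path. The new `process.parent.executable` and `process.parent.name` sit next to `process.ppid`, which ECS superseded with `process.parent.pid`; adding `process.parent.pid` here would keep the parent-process fields consistent.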
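Review bot: the `@@ -198,72 +239,5 @@` hunk deletes the whole `suricata.eve.*`, `system.audit.package.*`, `system.auth.ssh.*` and `zeek.*` block, which leaves the page listing ECS fields only, yet nothing in the remaining text says so, and the `{filebeat-ref}` and `{auditbeat-ref}` exported-fields links that pointed readers to those fields go with it; keep one sentence after `user.name` noting that the vendor fields used for Suricata and Zeek events are documented in the Filebeat exported-fields pages. Dropping the three commented-out `tls.*` lines together with the `// Not documented since v7.3:` note is fine.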
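Review bot: in the `docs/siem/index.asciidoc` hunk, the new `:ml-dir:` value drops the trailing slash the old one had (`{docdir}/../stack/ml/` becomes `{stack-docs-root}/docs/en/stack/ml`), so any `include::{ml-dir}...` that relied on the attribute ending in `/` now yields a path with the directory and file name run together; check those includes or keep the slash. The hunk also replaces the `{asciidoc-dir}`-relative includes with `{docs-root}` and `{stack-docs-root}`, which the docs build must define for every branch this guide is built from, otherwise the shared versions and attributes includes fail to resolve.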
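Review bot: in the `docs/siem/installation.asciidoc` hunk, "Click *Add events*" names a button but not where it sits on the {kib} home page, whereas the old sentence named the two entry points the reader had to choose between; say which Add Data tab or card carries the *Add events* button so the instruction matches the updated `add-data.png` screenshot referenced two lines below.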