

changed naming to Elastic Defend
terrancedejesus committed Mar 28, 2024
1 parent cb7ec5a commit ecae598
Showing 9 changed files with 35 additions and 35 deletions.
22 changes: 11 additions & 11 deletions rules/integrations/endpoint/elastic_endpoint_security.toml
Expand Up @@ -10,7 +10,7 @@ updated_date = "2024/03/24"
[rule]
author = ["Elastic"]
description = """
Generates a detection alert each time an Elastic Endpoint Security alert is received. Enabling this rule allows you to
Generates a detection alert each time an Elastic Defend alert is received. Enabling this rule allows you to
immediately begin investigating your Endpoint alerts.
"""
enabled = true
Expand All @@ -19,21 +19,21 @@ index = ["logs-endpoint.alerts-*"]
language = "kuery"
license = "Elastic License v2"
max_signals = 10000
name = "Endpoint Security"
name = "Elastic Defend"
note = """
If this rule is disabled, you will not receive alerts for Elastic Endpoint Security alerts. This rule is designed to capture all alerts generated by Elastic Endpoint Security. For more granular alerting, consider using additional prebuilt-rules that capture specific Elastic Endpoint Security alerts.
If this rule is disabled, you will not receive alerts for Elastic Defend alerts. This rule is designed to capture all alerts generated by Elastic Defend. For more granular alerting, consider using additional prebuilt-rules that capture specific Elastic Defend alerts.
If this rule is enabled, along with the related rules listed below, you will receive duplicate alerts for the same events. To avoid this, it is recommended to disable this generic rule and enable the more specific rules that capture these alerts separately.
Related rules:
- Behavior - Detected - Endpoint Security (UUID: 0f615fe4-eaa2-11ee-ae33-f661ea17fbce)
- Behavior - Prevented - Endpoint Security (UUID: eb804972-ea34-11ee-a417-f661ea17fbce)
- Malicious File - Detected - Endpoint Security (UUID: f2c3caa6-ea34-11ee-a417-f661ea17fbce)
- Malicious File - Prevented - Endpoint Security (UUID: f87e6122-ea34-11ee-a417-f661ea17fbce)
- Memory Signature - Detected - Endpoint Security (UUID: 017de1e4-ea35-11ee-a417-f661ea17fbce)
- Memory Signature - Prevented - Endpoint Security (UUID: 06f3a26c-ea35-11ee-a417-f661ea17fbce)
- Ransomware - Detected - Endpoint Security (UUID: 0c74cd7e-ea35-11ee-a417-f661ea17fbce)
- Ransomware - Prevented - Endpoint Security (UUID: 10f3d520-ea35-11ee-a417-f661ea17fbce)
- Behavior - Detected - Elastic Defend (UUID: 0f615fe4-eaa2-11ee-ae33-f661ea17fbce)
- Behavior - Prevented - Elastic Defend (UUID: eb804972-ea34-11ee-a417-f661ea17fbce)
- Malicious File - Detected - Elastic Defend (UUID: f2c3caa6-ea34-11ee-a417-f661ea17fbce)
- Malicious File - Prevented - Elastic Defend (UUID: f87e6122-ea34-11ee-a417-f661ea17fbce)
- Memory Signature - Detected - Elastic Defend (UUID: 017de1e4-ea35-11ee-a417-f661ea17fbce)
- Memory Signature - Prevented - Elastic Defend (UUID: 06f3a26c-ea35-11ee-a417-f661ea17fbce)
- Ransomware - Detected - Elastic Defend (UUID: 0c74cd7e-ea35-11ee-a417-f661ea17fbce)
- Ransomware - Prevented - Elastic Defend (UUID: 10f3d520-ea35-11ee-a417-f661ea17fbce)
"""
risk_score = 47
rule_id = "9a1a2dae-0b5f-4c3d-8305-a268d404c306"
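Review bot: The rule's `name`, `description` and `note` are rewritten here, but `updated_date = "2024/03/24"` (visible as hunk-header context) is not touched anywhere in this file's 11 changed lines; if the repository's convention is to bump `updated_date` on every rule edit, it should be set to the commit date. Consumers that compare prebuilt-rule metadata to decide whether a rule changed may otherwise not pick up the rename. The `[rule]` table continues past the end of the hunk.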
Expand Up @@ -10,16 +10,16 @@ promotion = true
[rule]
author = ["Elastic"]
description = """
Generates a detection alert each time an Elastic Endpoint Security alert for malicious behavior is received. Enabling this rule allows you to
immediately begin investigating your Endpoint behavior alerts. This rule identifies Endpoint Security behavior detections only, and does not include prevention alerts.
Generates a detection alert each time an Elastic Defend alert for malicious behavior is received. Enabling this rule allows you to
immediately begin investigating your Endpoint behavior alerts. This rule identifies Endpoint Defend behavior detections only, and does not include prevention alerts.
"""
enabled = true
from = "now-10m"
index = ["logs-endpoint.alerts-*"]
language = "kuery"
license = "Elastic License v2"
max_signals = 10000
name = "Behavior - Detected - Endpoint Security"
name = "Behavior - Detected - Elastic Defend"
references = [
"https:/elastic/protections-artifacts/tree/main/behavior",
"https://docs.elastic.co/en/integrations/endpoint"
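Review bot: The second description line still reads `Endpoint Defend` (`This rule identifies Endpoint Defend behavior detections only`), which matches neither the old `Endpoint Security` nor the new `Elastic Defend` used on the line above and in the other files of this commit; change it to `This rule identifies Elastic Defend behavior detections only, and does not include prevention alerts.` The same leftover appears in the Behavior - Prevented rule's description (`Endpoint Defend behavior preventions only`). The `[rule]` table continues past the end of the hunk.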
Expand Up @@ -10,16 +10,16 @@ promotion = true
[rule]
author = ["Elastic"]
description = """
Generates a detection alert each time an Elastic Endpoint Security alert for malicious behavior is received. Enabling this rule allows you to
immediately begin investigating your Endpoint behavior alerts. This rule identifies Endpoint Security behavior preventions only, and does not include detection only alerts.
Generates a detection alert each time an Elastic Defend alert for malicious behavior is received. Enabling this rule allows you to
immediately begin investigating your Endpoint behavior alerts. This rule identifies Endpoint Defend behavior preventions only, and does not include detection only alerts.
"""
enabled = true
from = "now-10m"
index = ["logs-endpoint.alerts-*"]
language = "kuery"
license = "Elastic License v2"
max_signals = 10000
name = "Behavior - Prevented - Endpoint Security"
name = "Behavior - Prevented - Endpoint Defend"
references = [
"https:/elastic/protections-artifacts/tree/main/behavior",
"https://docs.elastic.co/en/integrations/endpoint"
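Review bot: The new `name = "Behavior - Prevented - Endpoint Defend"` does not match the related-rules list in elastic_endpoint_security.toml, which names this rule `Behavior - Prevented - Elastic Defend`, nor the naming used by the other eight rules in the commit. Change it to `name = "Behavior - Prevented - Elastic Defend"` so the name an analyst sees in the generic rule's note resolves to an existing rule name. The `[rule]` table continues past the end of the hunk.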
Expand Up @@ -10,16 +10,16 @@ promotion = true
[rule]
author = ["Elastic"]
description = """
Generates a detection alert each time an Elastic Endpoint Security alert for malicious files is received. Enabling this rule allows you to
immediately begin investigating your Endpoint malicious file alerts. This rule identifies Endpoint Security malicious file detections only, and does not include prevention alerts.
Generates a detection alert each time an Elastic Defend alert for malicious files is received. Enabling this rule allows you to
immediately begin investigating your Endpoint malicious file alerts. This rule identifies Elastic Defend malicious file detections only, and does not include prevention alerts.
"""
enabled = true
from = "now-10m"
index = ["logs-endpoint.alerts-*"]
language = "kuery"
license = "Elastic License v2"
max_signals = 10000
name = "Malicious File - Detected - Endpoint Security"
name = "Malicious File - Detected - Elastic Defend"
references = [
"https:/elastic/protections-artifacts/tree/main/yara",
"https://docs.elastic.co/en/integrations/endpoint"
Expand Up @@ -10,16 +10,16 @@ promotion = true
[rule]
author = ["Elastic"]
description = """
Generates a detection alert each time an Elastic Endpoint Security alert for malicious files is received. Enabling this rule allows you to
immediately begin investigating your Endpoint malicious file alerts. This rule identifies Endpoint Security malicious file preventions only, and does not include detection only alerts.
Generates a detection alert each time an Elastic Defend alert for malicious files is received. Enabling this rule allows you to
immediately begin investigating your Endpoint malicious file alerts. This rule identifies Elastic Defend malicious file preventions only, and does not include detection only alerts.
"""
enabled = true
from = "now-10m"
index = ["logs-endpoint.alerts-*"]
language = "kuery"
license = "Elastic License v2"
max_signals = 10000
name = "Malicious File - Prevented - Endpoint Security"
name = "Malicious File - Prevented - Elastic Defend"
references = [
"https:/elastic/protections-artifacts/tree/main/yara",
"https://docs.elastic.co/en/integrations/endpoint"
Expand Up @@ -10,16 +10,16 @@ promotion = true
[rule]
author = ["Elastic"]
description = """
Generates a detection alert each time an Elastic Endpoint Security alert for memory signatures are received. Enabling this rule allows you to
immediately begin investigating your Endpoint memory signature alerts. This rule identifies Endpoint Security memory signature detections only, and does not include prevention alerts.
Generates a detection alert each time an Elastic Defend alert for memory signatures are received. Enabling this rule allows you to
immediately begin investigating your Endpoint memory signature alerts. This rule identifies Elastic Defend memory signature detections only, and does not include prevention alerts.
"""
enabled = true
from = "now-10m"
index = ["logs-endpoint.alerts-*"]
language = "kuery"
license = "Elastic License v2"
max_signals = 10000
name = "Memory Signature - Detected - Endpoint Security"
name = "Memory Signature - Detected - Elastic Defend"
references = [
"https:/elastic/protections-artifacts/tree/main/yara",
"https://docs.elastic.co/en/integrations/endpoint"
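Review bot: The rewritten first description line carries over a subject–verb mismatch, `an Elastic Defend alert for memory signatures are received`; since the line is being rewritten anyway, make it `Generates a detection alert each time an Elastic Defend alert for memory signatures is received. Enabling this rule allows you to`. The same wording is carried into the Memory Signature - Prevented description and both Ransomware descriptions (`alert for ransomware are received`). The `[rule]` table continues past the end of the hunk.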
Expand Up @@ -10,16 +10,16 @@ promotion = true
[rule]
author = ["Elastic"]
description = """
Generates a detection alert each time an Elastic Endpoint Security alert for memory signatures are received. Enabling this rule allows you to
immediately begin investigating your Endpoint memory signature alerts. This rule identifies Endpoint Security memory signature preventions only, and does not include detection only alerts.
Generates a detection alert each time an Elastic Defend alert for memory signatures are received. Enabling this rule allows you to
immediately begin investigating your Endpoint memory signature alerts. This rule identifies Elastic Defend memory signature preventions only, and does not include detection only alerts.
"""
enabled = true
from = "now-10m"
index = ["logs-endpoint.alerts-*"]
language = "kuery"
license = "Elastic License v2"
max_signals = 10000
name = "Memory Signature - Prevented- Endpoint Security"
name = "Memory Signature - Prevented- Elastic Defend"
references = [
"https:/elastic/protections-artifacts/tree/main/yara",
"https://docs.elastic.co/en/integrations/endpoint"
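Review bot: `name = "Memory Signature - Prevented- Elastic Defend"` keeps the missing space before the second dash, so it does not match the entry `Memory Signature - Prevented - Elastic Defend` in the related-rules list of elastic_endpoint_security.toml or the spacing of the other eight rule names. As the line is rewritten here, use `name = "Memory Signature - Prevented - Elastic Defend"`. The `[rule]` table continues past the end of the hunk.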
Expand Up @@ -10,16 +10,16 @@ promotion = true
[rule]
author = ["Elastic"]
description = """
Generates a detection alert each time an Elastic Endpoint Security alert for ransomware are received. Enabling this rule allows you to
immediately begin investigating your Endpoint ransomware alerts. This rule identifies Endpoint Security ransomware detections only, and does not include prevention alerts.
Generates a detection alert each time an Elastic Defend alert for ransomware are received. Enabling this rule allows you to
immediately begin investigating your Endpoint ransomware alerts. This rule identifies Elastic Defend ransomware detections only, and does not include prevention alerts.
"""
enabled = true
from = "now-10m"
index = ["logs-endpoint.alerts-*"]
language = "kuery"
license = "Elastic License v2"
max_signals = 10000
name = "Ransomware - Detected - Endpoint Security"
name = "Ransomware - Detected - Elastic Defend"
references = [
"https:/elastic/protections-artifacts/tree/main/ransomware",
"https://docs.elastic.co/en/integrations/endpoint"
Expand Up @@ -10,16 +10,16 @@ promotion = true
[rule]
author = ["Elastic"]
description = """
Generates a detection alert each time an Elastic Endpoint Security alert for ransomware are received. Enabling this rule allows you to
immediately begin investigating your Endpoint ransomware alerts. This rule identifies Endpoint Security ransomware preventions only, and does not include detection only alerts.
Generates a detection alert each time an Elastic Defend alert for ransomware are received. Enabling this rule allows you to
immediately begin investigating your Endpoint ransomware alerts. This rule identifies Elastic Defend ransomware preventions only, and does not include detection only alerts.
"""
enabled = true
from = "now-10m"
index = ["logs-endpoint.alerts-*"]
language = "kuery"
license = "Elastic License v2"
max_signals = 10000
name = "Ransomware - Prevented - Endpoint Security"
name = "Ransomware - Prevented - Elastic Defend"
references = [
"https:/elastic/protections-artifacts/tree/main/ransomware",
"https://docs.elastic.co/en/integrations/endpoint"
