[New Rule] Endpoint Security Promotion Rules for Specific Events #3533
base: main
Conversation
risk_score = 47
rule_id = "0c74cd7e-ea35-11ee-a417-f661ea17fbce"
rule_name_override = "message"
severity = "medium"
IMO, the risk score for ransomware, shellcode and memory signature should default to high.
language = "kuery"
license = "Elastic License v2"
max_signals = 10000
name = "Behavior - Detected - Endpoint Security"
The current naming convention is Elastic Defend, vs. the old Elastic Endpoint Security.
[rule]
author = ["Elastic"]
description = """
The description needs to be linted.
…astic/detection-rules into new-rule-endpoint-security-promotions
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
This has been closed due to inactivity. If you feel this is an error, please re-open and include a justifying comment.
Other than the severity, which needs to be bumped, the rest looks fine.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
min_stack_version = "8.3.0"
min_stack_version = "8.16.0"
?
@terrancedejesus re: testing, we need to coordinate with @banderror and the RM team to double-check what they expect from the rules side. Moving to blocked in the interim.
@Mikaayenson @terrancedejesus Thanks for the ping. I think it could be a topic for this week's (or any of the following) Simplified Protections.
Summary
This pull request includes 8 new promotional rules. These promotional rules are for the Elastic Defend integration, more specifically, the Endpoint Security feature and alerts.
Before this pull request, we had a single promotional rule that captured all Elastic Endpoint Security alerts.
Additional notes:
- event.code was used to distinguish between each Defend policy feature.
- Responses.message was used to distinguish between prevention and detection. The Responses. fields are only available in alert docs if prevention measures were taken or assigned to the rule or feature.
- shellcode_thread is not a specific feature in the Defend policy; it was added to the memory_signature alerts.

Please refer to the linked issue for further information or to continue the conversation and considerations for these changes.
Testing Evidence
TBD