
[New Rule] Endpoint Security Promotion Rules for Specific Events #3533

Draft: wants to merge 12 commits into base: main

Conversation


@terrancedejesus terrancedejesus commented Mar 24, 2024

Issues

Summary

This pull request includes 8 new promotional rules. These promotional rules are for the Elastic Defend integration, more specifically, the Endpoint Security feature and alerts.

Before this pull request, we had a single promotional rule that captured all Elastic Endpoint Security alerts.

Additional notes:

  • event.code was used to distinguish between each Defend policy feature
  • Responses.message was used to distinguish between prevention and detection. The Responses. fields are only available in alert docs if prevention measures were taken or assigned to the rule or feature.
  • Since shellcode_thread is not a specific feature in the Defend policy, it was added to the memory_signature alerts.

Please refer to the issue linked for further information or to continue conversation and considerations for these changes.

Testing Evidence

TBD

@terrancedejesus terrancedejesus added Rule: New Proposal for new rule Integration: Endpoint Elastic Endpoint Security labels Mar 24, 2024
@terrancedejesus terrancedejesus self-assigned this Mar 24, 2024
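As an added example (not code from this PR or from the detection-rules repo), the promotion split the summary describes, modelled in Python: event.code selects the feature rule, and the presence of Responses.message selects the Prevented rule over the Detected one. The malicious_file code, the Malware feature name, the sample document and the KQL shape are assumptions.

```python
from typing import Optional

# Maps Elastic Defend event.code values to the Defend policy feature each
# promotion rule covers. shellcode_thread is folded into memory_signature, as the
# PR summary states. "malicious_file" -> "Malware" is an assumed pairing, not from the PR.
FEATURE_BY_EVENT_CODE = {
    "behavior": "Behavior",
    "memory_signature": "Memory Signature",
    "shellcode_thread": "Memory Signature",
    "ransomware": "Ransomware",
    "malicious_file": "Malware",  # assumed
}

def _get(doc: dict, path: str):
    """Resolve a dotted field path against a nested dict or a flat dotted key."""
    if path in doc:
        return doc[path]
    cur = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def promotion_rule_name(doc: dict) -> Optional[str]:
    """Return the promotion rule an Elastic Defend alert doc falls under, or None."""
    if _get(doc, "event.kind") != "alert" or _get(doc, "event.module") != "endpoint":
        return None
    feature = FEATURE_BY_EVENT_CODE.get(_get(doc, "event.code"))
    if feature is None:
        return None
    # Responses.* is only populated when a prevention action was taken or assigned,
    # so its presence is what separates the Prevented rule from the Detected one.
    mode = "Prevented" if _get(doc, "Responses.message") else "Detected"
    return f"{feature} - {mode} - Endpoint Security"

def kql_for(event_codes, prevented: bool) -> str:
    """Build the KQL a promotion rule for these event.code values would use
    (assumed query shape, modelled on the existing single promotion rule)."""
    codes = " or ".join(f'"{c}"' for c in event_codes)
    query = f"event.kind:alert and event.module:endpoint and event.code:({codes})"
    return query + (" and Responses.message:*" if prevented else " and not Responses.message:*")

# Constructed sample alert, not a real Defend document.
SAMPLE_ALERT = {
    "event": {"kind": "alert", "module": "endpoint", "code": "shellcode_thread"},
    "Responses": {"message": "Success"},  # constructed value
}
```
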
risk_score = 47
rule_id = "0c74cd7e-ea35-11ee-a417-f661ea17fbce"
rule_name_override = "message"
severity = "medium"

imo risk score for Ransomware, shellcode and memory signature should default to high

language = "kuery"
license = "Elastic License v2"
max_signals = 10000
name = "Behavior - Detected - Endpoint Security"

current naming convention is Elastic Defend vs old Elastic Endpoint Security


[rule]
author = ["Elastic"]
description = """

description needs to be linted


botelastic bot commented May 27, 2024

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@botelastic botelastic bot added the stale 60 days of inactivity label May 27, 2024

botelastic bot commented Jun 3, 2024

This has been closed due to inactivity. If you feel this is an error, please re-open and include a justifying comment.

@botelastic botelastic bot closed this Jun 3, 2024
@botelastic botelastic bot removed the stale 60 days of inactivity label Jun 25, 2024
@Samirbous Samirbous left a comment


other than severity that needs to be bumped, rest looks fine


botelastic bot commented Aug 24, 2024

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@botelastic botelastic bot added the stale 60 days of inactivity label Aug 24, 2024
@Mikaayenson Mikaayenson added backlog and removed stale 60 days of inactivity labels Aug 26, 2024
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
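Review bot: `min_stack_comments` still cites the 8.3.0 field additions (required_fields, related_integrations, setup) as the reason for the floor; if `min_stack_version` is raised above 8.3.0, update that comment to state the reason for the new minimum, since the two fields are read together when the rule is validated.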

Suggested change
min_stack_version = "8.3.0"
min_stack_version = "8.16.0"

?


Mikaayenson commented Oct 18, 2024

@terrancedejesus re: testing we need to coordinate with @banderror and the RM team to double check on what they expect from the rules side. Moving to blocked in the interim.


banderror commented Oct 22, 2024

@Mikaayenson @terrancedejesus Thanks for the ping, I think it could be a topic for this week's (or any of the following) Simplified Protections.

Labels: backlog; Integration: Endpoint (Elastic Endpoint Security); Rule: New (Proposal for new rule)