protectionsmachine
commented
1 month ago Rule: New - Guidelines
These guidelines serve as a reminder set of considerations when proposing a new rule.
Documentation and Context
- [ ] Detailed description of the rule.
- [ ] List any new fields required in ECS/data sources.
- [ ] Link related issues or PRs.
- [ ] Include references.
Rule Metadata Checks
- [ ]
creation_datematches the date of creation PR initially merged. - [ ]
min_stack_versionshould support the widest stack versions. - [ ]
nameanddescriptionshould be descriptive and not include typos. - [ ]
queryshould be inclusive, not overly exclusive, considering performance for diverse environments. Non ecs fields should be added tonon-ecs-schema.jsonif not available in an integration. - [ ]
min_stack_commentsandmin_stack_versionshould be included if the rule is only compatible starting from a specific stack version. - [ ]
indexpattern should be neither too specific nor too vague, ensuring it accurately matches the relevant data stream (e.g., use logs-endpoint.process-* for process data). - [ ]
integrationshould align with theindex. If the integration is newly introduced, ensure the manifest, schemas, andnew_rule.yamltemplate are updated. - [ ]
setupshould include the necessary steps to configure the integration. - [ ]
noteshould include any additional information (e.g. Triage and analysis investigation guides, timeline templates). - [ ]
tagsshould be relevant to the threat and align/added to theEXPECTED_RULE_TAGSin the definitions.py file. - [ ]
threat,techniques, andsubtechniquesshould map to ATT&CK always if possible.
New BBR Rules
- [ ]
building_block_typeshould be included if the rule is a building block and the rule should be located in therules_building_blockfolder. - [ ]
bypass_bbr_timingshould be included if adding custom lookback timing to the rule.
Testing and Validation
- [ ] Provide evidence of testing and detecting the expected threat.
- [ ] Check for existence of coverage to prevent duplication.
Summary
This rule detects the deletion of SSL certificates on a Linux system. Adversaries may delete SSL certificates to subvert trust controls and negatively impact the system.
Telemetry
This behavior is not inherently malicious, so telemetry shows 70 hits last 90d. I bumped it to low, rather than BBR, because it is a note worthy event.
One TP in detonate stack: