Closed sbcd90 closed 1 year ago
Rule: azure_aad_secops_signin_failure_bad_password_threshold.yml
detection:
    selection:
        ResultType: 50126
        ResultDescription: Invalid username or password or Invalid on-premises username or password.
    filter_computer:
        TargetUserName|endswith: '$'
    condition: selection and not filter_computer
Applicable beat: Winlogbeat
Fields: ResultType, ResultDescription, TargetUserName
Fields that exist: TargetUserName: winlog.event_data.TargetUserName
Fields that do not exist in ecs mappings: ResultType, ResultDescription
https://www.elastic.co/guide/en/beats/winlogbeat/master/exported-fields-winlog.html#exported-fields-winlog
Note: One of the fields used in the rule appears in the ecs documentation.
Rule: azure_aadhybridhealth_adfs_new_server.yml
detection:
    selection:
        CategoryValue: 'Administrative'
        ResourceProviderValue: 'Microsoft.ADHybridHealthService'
        ResourceId|contains: 'AdFederationService'
        OperationNameValue: 'Microsoft.ADHybridHealthService/services/servicemembers/action'
    condition: selection
Applicable beat: Winlogbeat
Fields: CategoryValue, ResourceProviderValue, ResourceId, OperationNameValue
Fields that do not exist in ecs mappings: CategoryValue, ResourceProviderValue, ResourceId, OperationNameValue
Note: None of the fields used in the rule appear in the ecs documentation
Rule: azure_aadhybridhealth_adfs_service_delete.yml
detection:
    selection:
        CategoryValue: 'Administrative'
        ResourceProviderValue: 'Microsoft.ADHybridHealthService'
        ResourceId|contains: 'AdFederationService'
        OperationNameValue: 'Microsoft.ADHybridHealthService/services/delete'
    condition: selection
Applicable beat: Winlogbeat
Fields: CategoryValue, ResourceProviderValue, ResourceId, OperationNameValue
Fields that do not exist in ecs mappings: CategoryValue, ResourceProviderValue, ResourceId, OperationNameValue
Note: None of the fields used in the rule appear in the ecs documentation
Rule: azure_ad_bitlocker_key_retrieval.yml
detection:
    selection:
        Category: KeyManagement
        OperationName: Read BitLocker key
    condition: selection
Applicable beat: Winlogbeat
Fields: Category, OperationName
Fields that do not exist in ecs mappings: Category, OperationName
Note: None of the fields used in the rule appear in the ecs documentation
Rule: azure_ad_device_registration_or_join_without_mfa.yml
detection:
    selection:
        ResourceDisplayName: 'Device Registration Service'
        conditionalAccessStatus: 'success'
    filter_mfa:
        AuthenticationRequirement: 'multiFactorAuthentication'
    condition: selection and not filter_mfa
Applicable beat: Winlogbeat
Fields: ResourceDisplayName, conditionalAccessStatus
Fields that do not exist in ecs mappings: ResourceDisplayName, conditionalAccessStatus
Note: None of the fields used in the rule appear in the ecs documentation
Rule: azure_ad_device_registration_policy_changes.yml
detection:
    selection:
        ResourceDisplayName: 'Device Registration Service'
        conditionalAccessStatus: 'success'
    filter_mfa:
        AuthenticationRequirement: 'multiFactorAuthentication'
    condition: selection and not filter_mfa
Applicable beat: Winlogbeat
Fields: ResourceDisplayName, conditionalAccessStatus, AuthenticationRequirement
Fields that do not exist in ecs mappings: ResourceDisplayName, conditionalAccessStatus, AuthenticationRequirement
Note: None of the fields used in the rule appear in the ecs documentation
Rule: azure_ad_sign_ins_from_noncompliant_devices.yml
detection:
    selection:
        DeviceDetail.isCompliant: 'false'
    condition: selection
Applicable beat: Winlogbeat
Fields: DeviceDetail
Fields that do not exist in ecs mappings: DeviceDetail
Note: None of the fields used in the rule appear in the ecs documentation
Rule: azure_ad_sign_ins_from_unknown_devices.yml
detection:
    selection:
        AuthenticationRequirement: singleFactorAuthentication
        ResultType: '0'
        NetworkLocationDetails: '[]'
        DeviceDetail.deviceId: ''
    condition: selection
Applicable beat: Winlogbeat
Fields: AuthenticationRequirement, ResultType, NetworkLocationDetails, DeviceDetail
Fields that do not exist in ecs mappings: AuthenticationRequirement, ResultType, NetworkLocationDetails, DeviceDetail
Note: None of the fields used in the rule appear in the ecs documentation
Rule: azure_ad_user_added_to_admin_role.yml
detection:
    selection:
        Operation: 'Add member to role.'
        Workload: 'AzureActiveDirectory'
        ModifiedProperties.NewValue|endswith:
Applicable beat: Winlogbeat
Fields: Operation, Workload, ModifiedProperties
Fields that do not exist in ecs mappings: Operation, Workload, ModifiedProperties
Note: None of the fields used in the rule appear in the ecs documentation
Rule: azure_ad_users_added_to_device_admin_roles.yml
detection:
    selection:
        Category: RoleManagement
        OperationName|contains|all:
Applicable beat: Winlogbeat
Fields: Category, OperationName, TargetResources
Fields that do not exist in ecs mappings: Category, OperationName, TargetResources
Note: None of the fields used in the rule appear in the ecs documentation
Rule: win_ldap_recon.yml
detection:
    generic_search:
        EventID: 30
        SearchFilter|contains:
            - '(groupType:1.2.840.113556.1.4.803:=2147483648)'
            - '(groupType:1.2.840.113556.1.4.803:=2147483656)'
            - '(groupType:1.2.840.113556.1.4.803:=2147483652)'
            - '(groupType:1.2.840.113556.1.4.803:=2147483650)'
            …
            - '(primaryGroupID=512)'
            - 'Domain Admins'
    suspicious_flag:
        EventID: 30
        SearchFilter|contains:
            - '(userAccountControl:1.2.840.113556.1.4.803:=4194304)'
            …
            - 'ms-MCS-AdmPwd'
    narrow_down_filter:
        EventID: 30
        SearchFilter|contains:
            - '(domainSid=*)'
            - '(objectSid=*)'
    condition: (generic_search and not narrow_down_filter) or (suspicious_flag)
Applicable beat: Winlogbeat
Fields: EventID, SearchFilter
Fields that do not exist in ecs mappings: EventID, SearchFilter
Note: None of the fields used in the rule appear in the ecs documentation
Rule: net_firewall_high_dns_bytes_out.yml
detection:
    selection:
        dst_port: 53
    timeframe: 1m
    condition: selection
Applicable beat: Filebeat
Fields: dst_port
Fields that do not exist in ecs mappings:
https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-netflow.html
Note: It's not clear what source we are talking about in “firewall”. Netflow is one, iptables is another, and there are many other types of firewalls for specific situations. Here I am defaulting to netflow.
Rule: net_firewall_high_dns_requests_rate.yml
detection:
    selection:
        dst_port: 53
    timeframe: 1m
    condition: selection
Applicable beat: Filebeat
Fields: dst_port
Fields that do not exist in ecs mappings:
https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-netflow.html
Note: It's not clear what source we are talking about in “firewall”. Netflow is one, iptables is another, and there are many other types of firewalls for specific situations. Here I am defaulting to netflow.
Rule: net_firewall_susp_network_scan_by_ip.yml
detection:
    selection:
        action: denied
    timeframe: 24h
    condition: selection
Applicable beat: Filebeat
Fields: action
Fields that do not exist in ecs mappings:
https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-netflow.html
Note: It's not clear what source we are talking about in “firewall”. Netflow is one, iptables is another, and there are many other types of firewalls for specific situations. Here I am defaulting to netflow.
Rule: net_firewall_susp_network_scan_by_port.yml
detection:
    selection:
        action: denied
    timeframe: 24h
    condition: selection
Applicable beat: Filebeat
Fields: action
Fields that do not exist in ecs mappings:
https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-netflow.html
Note: It's not clear what source we are talking about in “firewall”. Netflow is one, iptables is another, and there are many other types of firewalls for specific situations. Here I am defaulting to netflow.
Rule: zeek_dce_rpc_domain_user_enumeration.yml
detection:
    selection:
        operation:
            #- SamrEnumerateDomainsInSamServer # potentially too many FPs, removing. # method obtains a listing of all domains hosted by the server side of this protocol. This value is a cookie that the server can use to continue an enumeration on a subsequent call
            - LsarLookupNames3 # method translates a batch of security principal names to their SID form
            - LsarLookupSids3 # translates a batch of security principal SIDs to their name forms
            - SamrGetGroupsForUser # obtains a listing of groups that a user is a member of
            - SamrLookupIdsInDomain # method translates a set of RIDs into account names
            - SamrLookupNamesInDomain # method translates a set of account names into a set of RIDs
            - SamrQuerySecurityObject # method queries the access control on a server, domain, user, group, or alias object
            - SamrQueryInformationGroup # obtains attributes from a group object
    timeframe: 30s
    condition: selection
Applicable beat: Filebeat
Fields: operation
Fields that do not exist in ecs mappings:
https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-zeek.html
Rule: zeek_dce_rpc_mitre_bzar_execution.yml
detection:
    op1:
        endpoint: 'JobAdd'
        operation: 'atsvc'
    op2:
        endpoint: 'ITaskSchedulerService'
        operation: 'SchRpcEnableTask'
    op3:
        endpoint: 'ITaskSchedulerService'
        operation: 'SchRpcRegisterTask'
    op4:
        endpoint: 'ITaskSchedulerService'
        operation: 'SchRpcRun'
    op5:
        endpoint: 'IWbemServices'
        operation: 'ExecMethod'
    op6:
        endpoint: 'IWbemServices'
        operation: 'ExecMethodAsync'
    op7:
        endpoint: 'svcctl'
        operation: 'CreateServiceA'
    op8:
        endpoint: 'svcctl'
        operation: 'CreateServiceW'
    op9:
        endpoint: 'svcctl'
        operation: 'StartServiceA'
    op10:
        endpoint: 'svcctl'
        operation: 'StartServiceW'
    condition: 1 of op*
Applicable beat: Filebeat
Fields: operation, endpoint
Fields that do not exist in ecs mappings:
https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-zeek.html
Rule: zeek_dce_rpc_mitre_bzar_persistence.yml
detection:
    op1:
        endpoint: 'JobAdd'
        operation: 'atsvc'
    op2:
        endpoint: 'ITaskSchedulerService'
        operation: 'SchRpcEnableTask'
    op3:
        endpoint: 'ITaskSchedulerService'
        operation: 'SchRpcRegisterTask'
    op4:
        endpoint: 'ITaskSchedulerService'
        operation: 'SchRpcRun'
    op5:
        endpoint: 'IWbemServices'
        operation: 'ExecMethod'
    op6:
        endpoint: 'IWbemServices'
        operation: 'ExecMethodAsync'
    op7:
        endpoint: 'svcctl'
        operation: 'CreateServiceA'
    op8:
        endpoint: 'svcctl'
        operation: 'CreateServiceW'
    op9:
        endpoint: 'svcctl'
        operation: 'StartServiceA'
    op10:
        endpoint: 'svcctl'
        operation: 'StartServiceW'
    condition: 1 of op*
Applicable beat: Filebeat
Fields: operation, endpoint
Fields that do not exist in ecs mappings:
https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-zeek.html
Rule: zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml
detection:
    selection:
        operation|startswith:
Applicable beat: Filebeat
Fields: operation
Fields that do not exist in ecs mappings:
https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-zeek.html
Rule: zeek_dce_rpc_printnightmare_print_driver_install.yml
detection:
    selection:
        operation:
Applicable beat: Filebeat
Fields: operation
Fields that do not exist in ecs mappings:
https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-zeek.html
Rule: zeek_dce_rpc_smb_spoolss_named_pipe.yml
detection:
    selection:
        path|endswith: IPC$
        name: spoolss
    condition: selection
Applicable beat: Filebeat
Fields: path, name
Fields that do not exist in ecs mappings:
https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-zeek.html
Rule: zeek_default_cobalt_strike_certificate.yml
detection:
    selection:
        certificate.serial: 8BB00EE
    condition: selection
Applicable beat: Filebeat
Fields: certificate.serial
Fields that do not exist in ecs mappings:
https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-zeek.html
Rule: zeek_dns_mining_pools.yml
detection:
    selection:
        query|endswith:
Applicable beat: Filebeat
Fields: query
Fields that do not exist in ecs mappings:
https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-zeek.html
Rule: zeek_dns_nkn.yml
detection:
    selection:
        query|contains|all:
Applicable beat: Filebeat
Fields: query
Fields that do not exist in ecs mappings:
https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-zeek.html
Rule: zeek_dns_susp_zbit_flag.yml
detection:
    z_flag_unset:
        Z: '0'
    most_probable_valid_domain:
        query|contains: '.'
    exclude_tlds:
        query|endswith:
Applicable beat: Filebeat
Fields: Z, query, qtype_name, answers, id.resp_p
Fields that do not exist in ecs mappings: Z, id.resp_p
https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-zeek.html
Rule: zeek_dns_torproxy.yml
detection:
    selection:
        query:
Applicable beat: Filebeat
Fields: query
Fields that do not exist in ecs mappings:
https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-zeek.html
Rule: zeek_http_executable_download_from_webdav.yml
detection:
    selection_webdav:
Applicable beat: Filebeat
Fields: c-useragent, c-uri, resp_mime_types
Fields that do not exist in ecs mappings: c-useragent, c-uri
https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-zeek.html
Rule: zeek_http_omigod_no_auth_rce.yml
detection:
    selection:
        status_code: 200
        uri: /wsman
        method: POST
    auth_header:
        client_header_names|contains: 'AUTHORIZATION'
    too_small_http_client_body:
        request_body_len: 0
    # id.resp_p:
    #     - 5985
    #     - 5986
    #     - 1270
    condition: selection and not auth_header and not too_small_http_client_body
    #condition: selection and winrm_ports and not auth_header and not too_small_http_client_body # Enable this to only perform search on default WinRM ports, however those ports are sometimes changed and therefore this is disabled by default to give a broader coverage of this rule
Applicable beat: Filebeat
Fields: status_code, uri, method, client_header_names, request_body_len
Fields that do not exist in ecs mappings: status_code, uri, method, request_body_len
https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-zeek.html
Rule: zeek_http_webdav_put_request.yml
detection:
    selection:
        user_agent|contains: 'WebDAV'
        method: 'PUT'
    filter:
        id.resp_h:
Applicable beat: Filebeat
Fields: user_agent, method, id.resp_h
Fields that do not exist in ecs mappings: user_agent, method, id.resp_h
https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-zeek.html
Note: user_agent and method are available for the sip protocol but the rule is referring to http
Rule: zeek_rdp_public_listener.yml
detection:
    selection:
        id.orig_h|startswith:
            #- x.x.x.x
    condition: not selection #and not approved_rdp
Applicable beat: Filebeat
Fields: id.orig_h
Fields that do not exist in ecs mappings: id.orig_h
https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-zeek.html
Rule: zeek_smb_converted_win_atsvc_task.yml
detection:
    selection:
        path: \*\IPC$
        name: atsvc
    condition: selection
Applicable beat: Filebeat
Fields: path, name
Fields that do not exist in ecs mappings:
https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-zeek.html
Rule: zeek_smb_converted_win_lm_namedpipe.yml
detection:
    selection1:
        path: \*\IPC$
    selection2:
        path: \*\IPC$
        name:
Applicable beat: Filebeat
Fields: path, name
Fields that do not exist in ecs mappings:
https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-zeek.html
Rule: zeek_smb_converted_win_susp_psexec.yml
detection:
    selection1:
        path|contains|all:
Applicable beat: Filebeat
Fields: path, name
Fields that do not exist in ecs mappings:
https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-zeek.html
Rule: zeek_smb_converted_win_susp_raccess_sensitive_fext.yml
detection:
    selection:
        name|endswith:
Applicable beat: Filebeat
Fields: name
Fields that do not exist in ecs mappings:
https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-zeek.html
Rule: zeek_smb_converted_win_transferring_files_with_credential_data.yml
detection:
    selection:
        name:
Applicable beat: Filebeat
Fields: name
Fields that do not exist in ecs mappings:
https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-zeek.html
Rule: zeek_susp_kerberos_rc4.yml
detection:
    selection:
        request_type: 'TGS'
        cipher: 'rc4-hmac'
    computer_acct:
        service|startswith: '$'
    condition: selection and not computer_acct
Applicable beat: Filebeat
Fields: request_type, cipher, service
Fields that do not exist in ecs mappings: request_type
https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-zeek.html
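The field check done by hand in each entry above can be automated. The following Python is an added example, not code from this issue or from the security-analytics project: it walks a Sigma `detection` block, strips value modifiers such as `|endswith` or `|contains|all`, and reports which fields lack an ECS mapping. `ECS_MAPPING` is a constructed sample that holds only the one mapping cited in the issue (TargetUserName to winlog.event_data.TargetUserName); the detection dicts are two of the rules quoted above.

```python
# Added example (not from the issue or the security-analytics project):
# automate the "which Sigma fields have an ECS mapping" audit done above.

# Constructed sample: Sigma field -> Winlogbeat/ECS field. Only the entry
# the issue itself cites is present.
ECS_MAPPING = {
    "TargetUserName": "winlog.event_data.TargetUserName",
}

# azure_aad_secops_signin_failure_bad_password_threshold.yml as quoted above
SIGNIN_FAILURE = {
    "selection": {
        "ResultType": 50126,
        "ResultDescription": "Invalid username or password or Invalid on-premises username or password.",
    },
    "filter_computer": {"TargetUserName|endswith": "$"},
    "condition": "selection and not filter_computer",
}

# win_ldap_recon.yml, abbreviated: the value of a |contains key is a list
LDAP_RECON = {
    "generic_search": {"EventID": 30, "SearchFilter|contains": ["(primaryGroupID=512)", "Domain Admins"]},
    "narrow_down_filter": {"EventID": 30, "SearchFilter|contains": ["(domainSid=*)", "(objectSid=*)"]},
    "condition": "generic_search and not narrow_down_filter",
}

def sigma_fields(detection):
    """Return the set of field names a Sigma detection block references.

    Every key except `condition` and `timeframe` is a search identifier whose
    value is a map or a list of maps (a plain list of strings is a keyword
    search with no field). Inside a map each key is `field` or
    `field|modifier[|modifier]`, so the field name is the part before '|'.
    """
    fields = set()
    for name, search in detection.items():
        if name in ("condition", "timeframe"):
            continue
        for block in (search if isinstance(search, list) else [search]):
            if isinstance(block, dict):
                fields.update(key.split("|", 1)[0] for key in block)
    return fields

def audit_rule(detection, mapping=ECS_MAPPING):
    """Split a rule's fields into those with an ECS mapping and those without."""
    fields = sorted(sigma_fields(detection))
    return {
        "mapped": {f: mapping[f] for f in fields if f in mapping},
        "unmapped": [f for f in fields if f not in mapping],
    }

if __name__ == "__main__":
    for rule, det in (("signin_failure", SIGNIN_FAILURE), ("ldap_recon", LDAP_RECON)):
        print(rule, audit_rule(det))
```

Running it against the first rule reproduces the issue's finding: TargetUserName is mapped, ResultType and ResultDescription are not.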
There already exists a PR for it: https://github.com/opensearch-project/security-analytics/pull/153. Enhance it for new log types, like firewall logs. @phaseshiftg @sbcd90