[Docs | Rule Tuning] Add blog references to rules #4097
Rule: Tuning - Guidelines
These guidelines serve as a reminder set of considerations when tuning an existing rule.
Documentation and Context
Rule Metadata Checks
Testing and Validation
references = ["https://support.google.com/a/answer/1247799?hl=en"] | ||
references = [ | ||
"https://support.google.com/a/answer/1247799?hl=en", | ||
"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two", |
https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one
https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two
I'd just add these to each rule for Google Workspace then. They are referenced in docs.
@@ -58,6 +58,8 @@ references = [ | |||
"https://developer.okta.com/docs/reference/api/system-log/", | |||
"https://developer.okta.com/docs/reference/api/event-types/", | |||
"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", | |||
"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", |
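Review bot: this hunk touches only the `references` list of the Okta rule, yet the Rule Tuning guidelines at the top of this PR call for Rule Metadata Checks on any tuning change; confirm the rule's metadata is refreshed alongside the two added Security Labs links so the edit is tracked like any other rule change.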
I'd add these to all Okta, along with https://www.elastic.co/security-labs/starter-guide-to-understanding-okta
Added a note for Okta and GWS.
@@ -128,10 +127,18 @@ This rule looks for processes outside known legitimate program locations communi | |||
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. | |||
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). | |||
""" | |||
references = ["https://www.elastic.co/security-labs/operation-bleeding-bear"] |
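Review bot: the hunk header `@@ -128,10 +127,18 @@` replaces ten lines with eighteen, but the only added line visible here is the one-line `references` array; the remaining changes in this region are collapsed on the rendered page, so confirm that the other edits near the investigation-guide text are intended for a references-only PR and are not an accidental reflow of the `"""` note block.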
SiestaGraph uses a websvc domain for C2, graph.microsoft.com (covered in this rule):
references = ["https://www.elastic.co/security-labs/operation-bleeding-bear"] | |
references = [ | |
"https://www.elastic.co/security-labs/operation-bleeding-bear", | |
"https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry" | |
] |
references = [ | ||
"https://www.bitdefender.com/files/News/CaseStudies/study/400/Bitdefender-PR-Whitepaper-MosaicLoader-creat5540-en-EN.pdf", | ||
"https://www.elastic.co/security-labs/elastic-security-uncovers-blister-malware-campaign", | ||
"https://www.elastic.co/security-labs/operation-bleeding-bear", | ||
] |
GhostEngine also disables Windows Defender:
references = [ | |
"https://www.bitdefender.com/files/News/CaseStudies/study/400/Bitdefender-PR-Whitepaper-MosaicLoader-creat5540-en-EN.pdf", | |
"https://www.elastic.co/security-labs/elastic-security-uncovers-blister-malware-campaign", | |
"https://www.elastic.co/security-labs/operation-bleeding-bear", | |
] | |
references = [ | |
"https://www.bitdefender.com/files/News/CaseStudies/study/400/Bitdefender-PR-Whitepaper-MosaicLoader-creat5540-en-EN.pdf", | |
"https://www.elastic.co/security-labs/elastic-security-uncovers-blister-malware-campaign", | |
"https://www.elastic.co/security-labs/operation-bleeding-bear", | |
"https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine" | |
] |
@@ -58,6 +58,7 @@ This rule monitors the execution of commands that can tamper the Windows Defende | |||
""" | |||
references = [ | |||
"https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2019-ps", | |||
"https://www.elastic.co/security-labs/operation-bleeding-bear", |
"https://www.elastic.co/security-labs/operation-bleeding-bear", | |
"https://www.elastic.co/security-labs/operation-bleeding-bear", | |
"https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine" |
@@ -102,6 +102,7 @@ This rule identifies processes that are executed from suspicious default Windows | |||
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. | |||
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). | |||
""" | |||
references = ["https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine"] |
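Review bot: the header `@@ -102,6 +102,7 @@` shows this hunk adds a `references` key where the rule had none, written as a one-line single-element array; the other rule files in this PR use the multi-line form with one URL per line and a trailing comma, so prefer that form here too, which keeps later additions (such as the SiestaGraph write-up proposed in this thread) to single-line diffs.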
SiestaGraph executes from Windows\\Tasks, covered in this rule:
references = ["https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine"] | |
references = [ | |
"https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine", | |
"https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry" | |
] |
references = [ | ||
"https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper", | ||
] |
references = [ | |
"https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper", | |
] | |
references = [ | |
"https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper", | |
"https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language" | |
] |
Pull Request
Issue link(s): N/A
Summary - What I changed
How To Test
Checklist
- Label: bug, enhancement, schema, Rule: New, Rule: Deprecation, Rule: Tuning, Hunt: New, or Hunt: Tuning, so guidelines can be generated
- meta:rapid-merge label if planning to merge within 24 hours