[Docs | Rule Tuning] Add blog references to rules

rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/05/04"
 integration = ["endpoint", "auditd_manager"]
 maturity = "production"
-updated_date = "2024/07/05"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
@@ -15,6 +15,7 @@ index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_mana
 language = "eql"
 license = "Elastic License v2"
 name = "Tampering of Shell Command-Line History"
+references = ["https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security"]
 risk_score = 47
 rule_id = "7bcbb3ac-e533-41ad-a612-d6c3bf666aba"
 setup = """## Setup

rules/cross-platform/execution_revershell_via_shell_cmd.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/01/07"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
@@ -48,6 +48,7 @@ references = [
     "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md",
     "https://github.com/WangYihang/Reverse-Shell-Manager",
     "https://www.netsparker.com/blog/web-security/understanding-reverse-shells/",
+    "https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security",
 ]
 risk_score = 73
 rule_id = "a1a0375f-22c2-48c0-81a4-7c2d11cc6856"

rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml

@@ -2,7 +2,7 @@
 creation_date = "2021/01/26"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
@@ -15,6 +15,7 @@ index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Potential Privilege Escalation via Sudoers File Modification"
+references = ["https://www.elastic.co/security-labs/primer-on-persistence-mechanisms"]
 risk_score = 73
 rule_id = "76152ca1-71d0-4003-9e37-0983e12832da"
 severity = "high"

rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/04/23"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/06/19"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
@@ -19,6 +19,7 @@ language = "eql"
 license = "Elastic License v2"
 max_signals = 33
 name = "SUID/SGID Bit Set"
+references = ["https://www.elastic.co/security-labs/primer-on-persistence-mechanisms"]
 risk_score = 21
 rule_id = "8a1b0278-0f9a-487d-96bd-d4833298e87a"
 severity = "low"
@@ -32,6 +33,7 @@ tags = [
 ]
 timestamp_override = "event.ingested"
 type = "eql"
+
 query = '''
 process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and (
   (process.name == "chmod" and (process.args : ("+s", "u+s", "g+s") or process.args regex "[24][0-9]{3}")) or
@@ -48,28 +50,29 @@ process where host.os.type == "linux" and event.type == "start" and event.action
 )
 '''
 
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1548"
 name = "Abuse Elevation Control Mechanism"
 reference = "https://attack.mitre.org/techniques/T1548/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1548.001"
 name = "Setuid and Setgid"
 reference = "https://attack.mitre.org/techniques/T1548/001/"
 
+
+
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+

rules/cross-platform/privilege_escalation_sudoers_file_mod.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/04/13"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
@@ -15,6 +15,7 @@ index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Sudoers File Modification"
+references = ["https://www.elastic.co/security-labs/primer-on-persistence-mechanisms"]
 risk_score = 47
 rule_id = "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4"
 severity = "medium"

rules/integrations/fim/persistence_suspicious_file_modifications.toml

@@ -1,27 +1,30 @@
 [metadata]
 creation_date = "2024/06/03"
-maturity = "production"
 integration = ["fim"]
-updated_date = "2024/07/09"
+maturity = "production"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
 description = """
 This rule leverages the File Integrity Monitoring (FIM) integration to detect file modifications of files that are
-commonly used for persistence on Linux systems. The rule detects modifications to files that are commonly used for
-cron jobs, systemd services, message-of-the-day (MOTD), SSH configurations, shell configurations, runtime control,
-init daemon, passwd/sudoers/shadow files, Systemd udevd, and XDG/KDE autostart entries. To leverage this rule, the
-paths specified in the query need to be added to the FIM policy in the Elastic Security app.
+commonly used for persistence on Linux systems. The rule detects modifications to files that are commonly used for cron
+jobs, systemd services, message-of-the-day (MOTD), SSH configurations, shell configurations, runtime control, init
+daemon, passwd/sudoers/shadow files, Systemd udevd, and XDG/KDE autostart entries. To leverage this rule, the paths
+specified in the query need to be added to the FIM policy in the Elastic Security app.
 """
 from = "now-9m"
 index = ["logs-fim.event-*", "auditbeat-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Persistence via File Modification"
+references = [
+    "https://www.elastic.co/security-labs/primer-on-persistence-mechanisms",
+    "https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms",
+]
 risk_score = 21
 rule_id = "192657ba-ab0e-4901-89a2-911d611eee98"
-setup = """
-## Setup
+setup = """## Setup
 
 This rule requires data coming in from the Elastic File Integrity Monitoring (FIM) integration.
 
@@ -46,10 +49,11 @@ tags = [
     "Use Case: Threat Detection",
     "Tactic: Persistence",
     "Tactic: Privilege Escalation",
-    "Data Source: File Integrity Monitoring"
+    "Data Source: File Integrity Monitoring",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
+
 query = '''
 file where host.os.type == "linux" and event.dataset == "fim.event" and event.action == "updated" and
 file.path : (
@@ -112,29 +116,39 @@ file.path : (
 )
 '''
 
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1037"
 name = "Boot or Logon Initialization Scripts"
 reference = "https://attack.mitre.org/techniques/T1037/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1037.004"
 name = "RC Scripts"
 reference = "https://attack.mitre.org/techniques/T1037/004/"
 
+
+[[rule.threat.technique]]
+id = "T1136"
+name = "Create Account"
+reference = "https://attack.mitre.org/techniques/T1136/"
+[[rule.threat.technique.subtechnique]]
+id = "T1136.001"
+name = "Local Account"
+reference = "https://attack.mitre.org/techniques/T1136/001/"
+
+
 [[rule.threat.technique]]
 id = "T1543"
 name = "Create or Modify System Process"
 reference = "https://attack.mitre.org/techniques/T1543/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1543.002"
 name = "Systemd Service"
 reference = "https://attack.mitre.org/techniques/T1543/002/"
 
+
 [[rule.threat.technique]]
 id = "T1556"
 name = "Modify Authentication Process"
@@ -144,51 +158,42 @@ reference = "https://attack.mitre.org/techniques/T1556/"
 id = "T1574"
 name = "Hijack Execution Flow"
 reference = "https://attack.mitre.org/techniques/T1574/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1574.006"
 name = "Dynamic Linker Hijacking"
 reference = "https://attack.mitre.org/techniques/T1574/006/"
 
-[[rule.threat.technique]]
-id = "T1136"
-name = "Create Account"
-reference = "https://attack.mitre.org/techniques/T1136/"
 
-[[rule.threat.technique.subtechnique]]
-id = "T1136.001"
-name = "Local Account"
-reference = "https://attack.mitre.org/techniques/T1136/001/"
 
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1053"
 name = "Scheduled Task/Job"
 reference = "https://attack.mitre.org/techniques/T1053/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1053.003"
 name = "Cron"
 reference = "https://attack.mitre.org/techniques/T1053/003/"
 
+
 [[rule.threat.technique]]
 id = "T1548"
 name = "Abuse Elevation Control Mechanism"
 reference = "https://attack.mitre.org/techniques/T1548/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1548.003"
 name = "Sudo and Sudo Caching"
 reference = "https://attack.mitre.org/techniques/T1548/003/"
 
+
+
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+

rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml

@@ -2,7 +2,7 @@
 creation_date = "2022/08/24"
 integration = ["google_workspace"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
@@ -76,7 +76,10 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured
 - See the following references for further information:
   - https://support.google.com/a/answer/7061566
   - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html"""
-references = ["https://support.google.com/a/answer/1247799?hl=en"]
+references = [
+    "https://support.google.com/a/answer/1247799?hl=en",
+    "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two",
+]
 risk_score = 47
 rule_id = "07b5f85a-240f-11ed-b3d9-f661ea17fbce"
 severity = "medium"

rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/11/17"
 integration = ["google_workspace"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
@@ -79,7 +79,10 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured
 - See the following references for further information:
   - https://support.google.com/a/answer/7061566
   - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html"""
-references = ["https://support.google.com/a/answer/2406043?hl=en"]
+references = [
+    "https://support.google.com/a/answer/2406043?hl=en",
+    "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two",
+]
 risk_score = 47
 rule_id = "ad3f2807-2b3e-47d7-b282-f84acbbe14be"
 severity = "medium"

rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/07/23"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
@@ -58,6 +58,8 @@ references = [
     "https://developer.okta.com/docs/reference/api/system-log/",
     "https://developer.okta.com/docs/reference/api/event-types/",
     "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
+    "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+    "https://www.elastic.co/security-labs/okta-and-lapsus-what-you-need-to-know",
 ]
 risk_score = 73
 rule_id = "3805c3dc-f82c-4f8d-891e-63c24d3102b0"

rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/07/23"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
@@ -28,6 +28,7 @@ references = [
     "https://developer.okta.com/docs/reference/api/system-log/",
     "https://developer.okta.com/docs/reference/api/event-types/",
     "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
+    "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
 ]
 risk_score = 21
 rule_id = "729aa18d-06a6-41c7-b175-b65b739b1181"

rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml

@@ -2,7 +2,7 @@
 creation_date = "2023/02/22"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/08/08"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
@@ -15,6 +15,7 @@ index = ["logs-endpoint.events.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Attempt to Disable IPTables or Firewall"
+references = ["https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security"]
 risk_score = 21
 rule_id = "83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f"
 setup = """## Setup
@@ -74,20 +75,22 @@ process where host.os.type == "linux" and event.type == "start" and event.action
   )
 '''
 
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1562"
 name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1562.001"
 name = "Disable or Modify Tools"
 reference = "https://attack.mitre.org/techniques/T1562/001/"
 
+
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+