[Docs]Update prebuilt rule descriptions (elastic#66)

* initial dump * temporarily changes ml job link to allow docs built * removes the use of the word signal * ML rules formatting and minor text edits * new rule formatting and edits * missing full stop
benskelker · Aug 3, 2020 · 7ed034f · 7ed034f
1 parent d21bece
commit 7ed034f
Show file tree

Hide file tree

Showing 204 changed files with 7,061 additions and 1,115 deletions.
diff --git a/docs/siem/detections/prebuilt-rules/prebuilt-rules-changelog.asciidoc b/docs/siem/detections/prebuilt-rules/prebuilt-rules-changelog.asciidoc
diff --git a/docs/siem/detections/prebuilt-rules/prebuilt-rules-reference.asciidoc b/docs/siem/detections/prebuilt-rules/prebuilt-rules-reference.asciidoc
diff --git a/docs/siem/detections/prebuilt-rules/rule-desc-index.asciidoc b/docs/siem/detections/prebuilt-rules/rule-desc-index.asciidoc
@@ -1,5 +1,69 @@
+include::rule-details/aws-access-secret-in-secrets-manager.asciidoc[]
+
+include::rule-details/aws-cloudtrail-log-created.asciidoc[]
+
+include::rule-details/aws-cloudtrail-log-deleted.asciidoc[]
+
+include::rule-details/aws-cloudtrail-log-suspended.asciidoc[]
+
+include::rule-details/aws-cloudtrail-log-updated.asciidoc[]
+
+include::rule-details/aws-cloudwatch-alarm-deletion.asciidoc[]
+
+include::rule-details/aws-cloudwatch-log-group-deletion.asciidoc[]
+
+include::rule-details/aws-cloudwatch-log-stream-deletion.asciidoc[]
+
+include::rule-details/aws-config-service-tampering.asciidoc[]
+
+include::rule-details/aws-configuration-recorder-stopped.asciidoc[]
+
+include::rule-details/aws-ec2-encryption-disabled.asciidoc[]
+
+include::rule-details/aws-ec2-flow-log-deletion.asciidoc[]
+
+include::rule-details/aws-ec2-network-access-control-list-creation.asciidoc[]
+
+include::rule-details/aws-ec2-network-access-control-list-deletion.asciidoc[]
+
+include::rule-details/aws-ec2-snapshot-activity.asciidoc[]
+
+include::rule-details/aws-execution-via-system-manager.asciidoc[]
+
+include::rule-details/aws-guardduty-detector-deletion.asciidoc[]
+
+include::rule-details/aws-iam-assume-role-policy-update.asciidoc[]
+
+include::rule-details/aws-iam-deactivation-of-mfa-device.asciidoc[]
+
+include::rule-details/aws-iam-group-creation.asciidoc[]
+
+include::rule-details/aws-iam-group-deletion.asciidoc[]
+
+include::rule-details/aws-iam-password-recovery-requested.asciidoc[]
+
+include::rule-details/aws-iam-user-addition-to-group.asciidoc[]
+
+include::rule-details/aws-management-console-root-login.asciidoc[]
+
+include::rule-details/aws-rds-cluster-creation.asciidoc[]
+
+include::rule-details/aws-rds-cluster-deletion.asciidoc[]
+
+include::rule-details/aws-rds-instance-cluster-stoppage.asciidoc[]
+
+include::rule-details/aws-root-login-without-mfa.asciidoc[]
+
+include::rule-details/aws-s3-bucket-configuration-deletion.asciidoc[]
+
+include::rule-details/aws-waf-access-control-list-deletion.asciidoc[]
+
+include::rule-details/aws-waf-rule-or-rule-group-deletion.asciidoc[]
+
 include::rule-details/adding-hidden-file-attribute-via-attrib.asciidoc[]
 
+include::rule-details/administrator-privileges-assigned-to-okta-group.asciidoc[]
+
 include::rule-details/adobe-hijack-persistence.asciidoc[]
 
 include::rule-details/adversary-behavior-detected-elastic-endpoint.asciidoc[]
@@ -10,10 +74,32 @@ include::rule-details/anomalous-process-for-a-windows-population.asciidoc[]
 
 include::rule-details/anomalous-windows-process-creation.asciidoc[]
 
+include::rule-details/attempt-to-create-okta-api-token.asciidoc[]
+
+include::rule-details/attempt-to-deactivate-mfa-for-okta-user-account.asciidoc[]
+
+include::rule-details/attempt-to-deactivate-okta-mfa-rule.asciidoc[]
+
+include::rule-details/attempt-to-deactivate-okta-policy.asciidoc[]
+
+include::rule-details/attempt-to-delete-okta-policy.asciidoc[]
+
 include::rule-details/attempt-to-disable-iptables-or-firewall.asciidoc[]
 
 include::rule-details/attempt-to-disable-syslog-service.asciidoc[]
 
+include::rule-details/attempt-to-modify-okta-mfa-rule.asciidoc[]
+
+include::rule-details/attempt-to-modify-okta-network-zone.asciidoc[]
+
+include::rule-details/attempt-to-modify-okta-policy.asciidoc[]
+
+include::rule-details/attempt-to-reset-mfa-factors-for-okta-user-account.asciidoc[]
+
+include::rule-details/attempt-to-revoke-okta-api-token.asciidoc[]
+
+include::rule-details/attempted-bypass-of-okta-mfa.asciidoc[]
+
 include::rule-details/base16-or-base32-encoding-decoding-activity.asciidoc[]
 
 include::rule-details/base64-encoding-decoding-activity.asciidoc[]
@@ -28,6 +114,8 @@ include::rule-details/connection-to-external-network-via-telnet.asciidoc[]
 
 include::rule-details/connection-to-internal-network-via-telnet.asciidoc[]
 
+include::rule-details/creation-of-hidden-files-and-directories.asciidoc[]
+
 include::rule-details/credential-dumping-detected-elastic-endpoint.asciidoc[]
 
 include::rule-details/credential-dumping-prevented-elastic-endpoint.asciidoc[]
@@ -44,10 +132,14 @@ include::rule-details/delete-volume-usn-journal-with-fsutil.asciidoc[]
 
 include::rule-details/deleting-backup-catalogs-with-wbadmin.asciidoc[]
 
+include::rule-details/deletion-of-bash-command-line-history.asciidoc[]
+
 include::rule-details/direct-outbound-smb-connection.asciidoc[]
 
 include::rule-details/disable-windows-firewall-rules-via-netsh.asciidoc[]
 
+include::rule-details/elastic-endpoint.asciidoc[]
+
 include::rule-details/encoding-or-decoding-files-via-certutil.asciidoc[]
 
 include::rule-details/enumeration-of-kernel-modules.asciidoc[]
@@ -58,6 +150,8 @@ include::rule-details/exploit-detected-elastic-endpoint.asciidoc[]
 
 include::rule-details/exploit-prevented-elastic-endpoint.asciidoc[]
 
+include::rule-details/external-alerts.asciidoc[]
+
 include::rule-details/ftp-file-transfer-protocol-activity-to-the-internet.asciidoc[]
 
 include::rule-details/file-deletion-via-shred.asciidoc[]
@@ -102,6 +196,8 @@ include::rule-details/mknod-process-activity.asciidoc[]
 
 include::rule-details/modification-of-boot-configuration.asciidoc[]
 
+include::rule-details/modification-or-removal-of-an-okta-application-sign-on-policy.asciidoc[]
+
 include::rule-details/msbuild-making-network-connections.asciidoc[]
 
 include::rule-details/net-command-via-system-account.asciidoc[]
@@ -134,6 +230,8 @@ include::rule-details/permission-theft-prevented-elastic-endpoint.asciidoc[]
 
 include::rule-details/persistence-via-kernel-module-modification.asciidoc[]
 
+include::rule-details/possible-okta-dos-attack.asciidoc[]
+
 include::rule-details/potential-application-shimming-via-sdbinst.asciidoc[]
 
 include::rule-details/potential-dns-tunneling-via-iodine.asciidoc[]
@@ -174,6 +272,8 @@ include::rule-details/ransomware-detected-elastic-endpoint.asciidoc[]
 
 include::rule-details/ransomware-prevented-elastic-endpoint.asciidoc[]
 
+include::rule-details/rare-aws-error-code.asciidoc[]
+
 include::rule-details/smb-windows-file-sharing-activity-to-the-internet.asciidoc[]
 
 include::rule-details/smtp-on-port-26-tcp.asciidoc[]
@@ -192,10 +292,14 @@ include::rule-details/setuid-bit-set-via-chmod.asciidoc[]
 
 include::rule-details/socat-process-activity.asciidoc[]
 
+include::rule-details/spike-in-aws-error-messages.asciidoc[]
+
 include::rule-details/strace-process-activity.asciidoc[]
 
 include::rule-details/sudoers-file-modification.asciidoc[]
 
+include::rule-details/suspicious-activity-reported-by-okta-user.asciidoc[]
+
 include::rule-details/suspicious-ms-office-child-process.asciidoc[]
 
 include::rule-details/suspicious-ms-outlook-child-process.asciidoc[]
@@ -212,10 +316,18 @@ include::rule-details/tcp-port-8000-activity-to-the-internet.asciidoc[]
 
 include::rule-details/telnet-port-activity.asciidoc[]
 
+include::rule-details/threat-detected-by-okta-threatinsight.asciidoc[]
+
 include::rule-details/tor-activity-to-the-internet.asciidoc[]
 
 include::rule-details/trusted-developer-application-usage.asciidoc[]
 
+include::rule-details/unusual-aws-command-for-a-user.asciidoc[]
+
+include::rule-details/unusual-city-for-an-aws-command.asciidoc[]
+
+include::rule-details/unusual-country-for-an-aws-command.asciidoc[]
+
 include::rule-details/unusual-dns-activity.asciidoc[]
 
 include::rule-details/unusual-linux-network-activity.asciidoc[]

diff --git a/...ns/prebuilt-rules/rule-details/adding-hidden-file-attribute-via-attrib.asciidoc b/...ns/prebuilt-rules/rule-details/adding-hidden-file-attribute-via-attrib.asciidoc
@@ -18,26 +18,29 @@ in an attempt to evade detection.
 
 *Searches indices from*: now-6m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
 
-*Maximum signals per execution*: 100
+*Maximum alerts per execution*: 100
 
 *Tags*:
 
 * Elastic
 * Windows
 
-*Version*: 2 (<<adding-hidden-file-attribute-via-attrib-history, version history>>)
+*Version*: 3 (<<adding-hidden-file-attribute-via-attrib-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.7.0
+*Last modified ({stack} release)*: 7.9.0
 
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
 
 ==== Rule query
 
 
 [source,js]
 ----------------------------------
-event.action:"Process Create (rule: ProcessCreate)" and
+event.category:process and event.type:(start or process_started) and
 process.name:attrib.exe and process.args:+h
 ----------------------------------
 
@@ -67,6 +70,15 @@ process.name:attrib.exe and process.args:+h
 [[adding-hidden-file-attribute-via-attrib-history]]
 ==== Rule version history
 
+Version 3 (7.9.0 release)::
+Updated query, changed from:
++
+[source, js]
+----------------------------------
+event.action:"Process Create (rule: ProcessCreate)" and
+process.name:attrib.exe and process.args:+h
+----------------------------------
+
 Version 2 (7.7.0 release)::
 Updated query, changed from:
 +

diff --git a/...ilt-rules/rule-details/administrator-privileges-assigned-to-okta-group.asciidoc b/...ilt-rules/rule-details/administrator-privileges-assigned-to-okta-group.asciidoc
@@ -0,0 +1,67 @@
+[[administrator-privileges-assigned-to-okta-group]]
+=== Administrator Privileges Assigned to Okta Group
+
+An adversary may attempt to assign administrator privileges to an Okta group in
+order to assign additional permissions to compromised user accounts.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* filebeat-*
+
+*Severity*: low
+
+*Risk score*: 21
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-6m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://developer.okta.com/docs/reference/api/system-log/
+* https://developer.okta.com/docs/reference/api/event-types/
+
+*Tags*:
+
+* Elastic
+* Okta
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.9.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Potential false positives
+
+Consider adding exceptions to this rule to filter false positives if
+administrator privileges are regularly assigned to Okta groups in your
+organization.
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.module:okta and event.dataset:okta.system and
+event.action:group.privilege.grant
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Persistence
+** ID: TA0003
+** Reference URL: https://attack.mitre.org/tactics/TA0003/
+* Technique:
+** Name: Account Manipulation
+** ID: T1098
+** Reference URL: https://attack.mitre.org/techniques/T1098/
diff --git a/docs/siem/detections/prebuilt-rules/rule-details/adobe-hijack-persistence.asciidoc b/docs/siem/detections/prebuilt-rules/rule-details/adobe-hijack-persistence.asciidoc
@@ -18,29 +18,32 @@ run by Acrobat Reader when it starts.
 
 *Searches indices from*: now-6m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
 
-*Maximum signals per execution*: 100
+*Maximum alerts per execution*: 100
 
 *Tags*:
 
 * Elastic
 * Windows
 
-*Version*: 2 (<<adobe-hijack-persistence-history, version history>>)
+*Version*: 3 (<<adobe-hijack-persistence-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.6.2
+*Last modified ({stack} release)*: 7.9.0
 
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
 
 ==== Rule query
 
 
 [source,js]
 ----------------------------------
-file.path:("C:\Program Files (x86)\Adobe\Acrobat Reader
-DC\Reader\AcroCEF\RdrCEF.exe" or "C:\Program Files\Adobe\Acrobat
-Reader DC\Reader\AcroCEF\RdrCEF.exe") and event.action:"File created
-(rule: FileCreate)" and not process.name:msiexec.exe
+event.category:file and event.type:creation and file.path:("C:\Program
+Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" or
+"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe")
+and not process.name:msiexec.exe
 ----------------------------------
 
 ==== Threat mapping
@@ -59,6 +62,17 @@ Reader DC\Reader\AcroCEF\RdrCEF.exe") and event.action:"File created
 [[adobe-hijack-persistence-history]]
 ==== Rule version history
 
+Version 3 (7.9.0 release)::
+Updated query, changed from:
++
+[source, js]
+----------------------------------
+file.path:("C:\Program Files (x86)\Adobe\Acrobat Reader
+DC\Reader\AcroCEF\RdrCEF.exe" or "C:\Program Files\Adobe\Acrobat
+Reader DC\Reader\AcroCEF\RdrCEF.exe") and event.action:"File created
+(rule: FileCreate)" and not process.name:msiexec.exe
+----------------------------------
+
 Version 2 (7.6.2 release)::
 Updated query, changed from:
 +