
[Rule Tuning] Add timestamp_override to all query and non-sequence EQL rules #945

Merged

Conversation

brokensound77
Contributor

Issues

related to https://github.com/elastic/security-team/issues/746

Summary

Set timestamp_override = "event.ingested" for all KQL, Lucene, and non-sequence EQL rules to account for misses that would result from ingest delays exceeding the lookback time defined in the rule.

@brokensound77 brokensound77 added Rule: Tuning tweaking or tuning an existing rule v7.12.0 7.12 rules release package labels Feb 12, 2021
@@ -394,3 +395,46 @@ def test_ecs_and_beats_opt_in_not_latest_only(self):
error_msg = f'{error_prefix} it is unnecessary to define the current latest ecs version if only ' \
f'one version is specified: {latest_ecs}'
self.assertNotIn(latest_ecs, ecs_versions, error_msg)


class TestTuleTiming(unittest.TestCase):
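Review bot: `TestTuleTiming` on the new class line looks like a typo for `TestRuleTiming`; unittest will still discover it, but the misspelled name lands in every test report and in any later `-k` filter, so it is worth renaming before merge. A short docstring on the class stating which rule types are expected to carry `timestamp_override` and which must keep the extended lookback (EQL sequence rules do not use the override, as the discussion below notes) would also make the intent of the checks clear to the next reader.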
Contributor Author

@rw-access I added tests for this as well as to check that the longer lookback is defined as needed for consistency (especially since EQL sequence rules will not use the override).

There were ~50 rules which did not define the extended lookback that were targeting the endpoint index, so I updated those rules as well

Contributor

Do we need the longer lookback if we've already set the timestamp override? I wouldn't want to be too conservative, since it comes with a performance cost.

Contributor Author

@brokensound77 brokensound77 Feb 17, 2021

Well, this definitely discovered an inconsistency that needed fixing.

If the override gives back confidence to the default now-5m, then I can update the test to only check eql-sequence rules to ensure the longer lookback. For all the rest, they should be consistent, whether it is the default or the 4 min extended lookback.

What do you think @spong - is it worth converting the lookback back to the default now-5m for all rules which define the override, or is there any reason to leave the extended lookback?

Member

In our conversations with @MikePaquette and the endpoint folks, the outcome was to add the timestamp override and to not touch the lookbacks.

Was able to find this quote:

The timestamp override should eliminate the effects of ingestion pipeline delay causing missed alerts, which means for those rules, the additional look-back time would not offer any further benefit. I was voting for not changing the lookback time if we did the timestamp override.

Contributor Author

Ok, that sounds right. I think we should def be consistent with the rules that have the override defined, whether it is the default or 9m (whereas right now it wasn't fully enforced, hence the test).

I guess if it ever needed to fallback to @timestamp, that would be the only scenario where the extended lookback makes sense. Actually, would it make sense to add that to the override logic in Kibana? That if the override is defined, defer to the default lookback of now-5m?

I think I will leave the 9m lookback for all the rules with the override defined in this PR, and if it is decided that stripping it out is worth the performance gain, we can do that in a future PR (for 7.12) or a future release.
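As an added illustration (not code from this PR or from the detection-rules repo) of the ingest-delay problem in the PR summary and of the lookback/override consistency check debated above: a small simulation of scheduled rule executions against an event that was indexed late, plus a simplified form of that check. It assumes a 5-minute rule schedule, the default now-5m and extended now-9m lookbacks from the thread, and constructed rule names.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

DEFAULT_LOOKBACK_MIN = 5   # "now-5m", the default the thread refers to
EXTENDED_LOOKBACK_MIN = 9  # "now-9m", the extended lookback on the endpoint rules
INTERVAL_MIN = 5           # assumed schedule: one rule execution every 5 minutes


@dataclass
class Event:
    timestamp: datetime  # @timestamp: when the event occurred on the host
    ingested: datetime   # event.ingested: when the document became searchable


@dataclass
class Rule:
    name: str
    query_type: str                            # "query" (KQL/Lucene), "eql", or "eql_sequence"
    lookback_min: int                          # the rule's `from` window, in minutes
    timestamp_override: Optional[str] = None   # e.g. "event.ingested"


def matches_in_run(rule: Rule, event: Event, run_time: datetime) -> bool:
    """Does a single execution at run_time see the event?

    Each run queries [run_time - lookback, run_time) on the rule's timestamp
    field: @timestamp by default, event.ingested when the override is set.
    In both cases the document must already be indexed when the query runs.
    """
    if event.ingested > run_time:
        return False  # not searchable yet, whatever the timestamp field says
    if rule.timestamp_override == "event.ingested":
        field_value = event.ingested
    else:
        field_value = event.timestamp
    return run_time - timedelta(minutes=rule.lookback_min) <= field_value < run_time


def detection_minute(rule: Rule, event_min: int, delay_min: int, runs: int = 4) -> Optional[int]:
    """Simulate `runs` executions after a constructed base time and return the
    minute offset of the first run that alerts on an event which occurred at
    event_min and was indexed delay_min minutes later; None if every run misses it."""
    base = datetime(2021, 2, 12, 12, 0)  # constructed base time
    event = Event(base + timedelta(minutes=event_min),
                  base + timedelta(minutes=event_min + delay_min))
    for i in range(1, runs + 1):
        run_time = base + timedelta(minutes=INTERVAL_MIN * i)
        if matches_in_run(rule, event, run_time):
            return INTERVAL_MIN * i
    return None


def lookback_findings(rules: List[Rule]) -> List[str]:
    """Simplified form of the consistency check discussed in the thread (not the
    repo's own test): non-sequence rules carry the override, while EQL sequence
    rules, which do not use it, must define the extended lookback instead."""
    findings = []
    for rule in rules:
        if rule.query_type == "eql_sequence":
            if rule.lookback_min <= DEFAULT_LOOKBACK_MIN:
                findings.append(f"{rule.name}: sequence rule without extended lookback")
        elif rule.timestamp_override != "event.ingested":
            findings.append(f"{rule.name}: missing timestamp_override")
    return findings


# Constructed rules for the demo, not entries from the detection-rules repo.
PLAIN = Rule("plain_kql", "query", DEFAULT_LOOKBACK_MIN)
EXTENDED = Rule("extended_kql", "query", EXTENDED_LOOKBACK_MIN)
OVERRIDE = Rule("override_kql", "query", DEFAULT_LOOKBACK_MIN, "event.ingested")
SEQUENCE = Rule("lateral_seq", "eql_sequence", DEFAULT_LOOKBACK_MIN)

if __name__ == "__main__":
    for delay in (6, 9):  # ingest delay, in minutes, for an event that occurred at 12:03
        for rule in (PLAIN, EXTENDED, OVERRIDE):
            first = detection_minute(rule, 3, delay)
            print(f"delay={delay}m {rule.name:>13}: first alerting run at +{first}m")
    print(lookback_findings([PLAIN, EXTENDED, OVERRIDE, SEQUENCE]))
```

The extended lookback only rescues delays shorter than its extra window (a 6-minute delay is caught, a 9-minute one is still missed), whereas the override catches the event in whichever run follows its ingestion.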

…estamp-override

# Conflicts:
@@ -10,6 +10,7 @@ Identifies a suspicious image load (wmiutils.dll) from Microsoft Office processe
adversarial activity where child processes are spawned via Windows Management Instrumentation (WMI). This technique can
be used to execute code and evade traditional parent/child processes spawned from MS Office products.
"""
from = "now-9m"
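Review bot: `from = "now-9m"` is added here to a rule that, per the PR summary, also receives `timestamp_override = "event.ingested"`, and the thread's own conclusion is that once the override is in place the extended lookback offers no further benefit while widening every execution's query window. If the 9m value is kept for consistency across the override rules, a brief comment in the rule, or the tracking issue the author proposes for stripping it in 7.12 or a later release, would keep the next reader from asking the same question raised in the comment below.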
Contributor

I thought we weren't doing both timestamp_override and from.

Contributor Author

#945 (comment)

As long as we are consistent either way, so either strip them all or add it to the ones that were missing.

Contributor

@bm11100 bm11100 left a comment

Saw a couple old years still. Otherwise looks good. Just confirm I didn't miss any years, away from PC currently.

@brokensound77 brokensound77 merged commit 645a0cd into elastic:7.12 Feb 18, 2021
@brokensound77 brokensound77 deleted the rule-tuning/add-timestamp-override branch February 18, 2021 04:50