# Rule bookkeeping. Dates are written as "YYYY/MM/DD" strings rather than
# native TOML date values; keep that format when bumping updated_date.
[metadata]
creation_date = "2021/04/21"
maturity = "production"
updated_date = "2021/09/13"
# Threat-match rule: local observations (file hashes, imphash, IPs, URLs,
# registry paths) are compared against indicators ingested by the Filebeat
# threatintel module. The field pairings live in [[rule.threat_mapping]]; the
# indicator side is narrowed by [[rule.threat_filters]].
[rule]
author = ["Elastic"]
description = """
This rule is triggered when indicators from the Threat Intel Filebeat module has a match against local file or network observations.
"""
# A 10m look-back on a 9m schedule gives a one-minute overlap so events that
# land near a run boundary are not skipped.
from = "now-10m"
# Source-event indices. `filebeat-*` is listed here and also as `threat_index`
# below, so the indicator documents themselves are inside the source-side scope.
# The source `query` uses top-level fields (file.hash.*, source.ip, ...) rather
# than threatintel.indicator.*, so self-matches look unlikely — TODO confirm
# against a sample of threatintel documents.
index = ["auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "packetbeat-*", "winlogbeat-*"]
interval = "9m"
language = "kuery"
license = "Elastic License v2"
name = "Threat Intel Filebeat Module Indicator Match"
note = """## Triage and Analysis
### Investigating Threat Intel Indicator Matches
Threat Intel indicator match rules allow matching from a local observation such as an endpoint event that records a file
hash with an entry of a file hash stored within the Threat Intel Filebeat module. Other examples of matches can occur on
an IP address, registry path, URL and imphash.
The matches will be based on the incoming feed data so it's important to validate the data and review the results by
investigating the associated activity to determine if it requires further investigation.
If an indicator matches a local observation, the following enriched fields will be generated to identify the indicator, field, and type matched.
- `threatintel.indicator.matched.atomic` - this identifies the atomic indicator that matched the local observation
- `threatintel.indicator.matched.field` - this identifies the indicator field that matched the local observation
- `threatintel.indicator.matched.type` - this identifies the indicator type that matched the local observation
#### Possible investigation steps:
- Investigation should be validated and reviewed based on the data (file hash, registry path, URL, imphash) that was matched
and viewing the source of that activity.
- Consider the history of the indicator that was matched. Has it happened before? Is it happening on multiple machines?
These kinds of questions can help understand if the activity is related to legitimate behavior.
- Consider the user and their role within the company, is this something related to their job or work function?
### False Positive Analysis
- For any matches found, it's important to consider the initial release date of that indicator. Threat intelligence can
be a great tool for augmenting existing security processes, while at the same time it should be understood that threat
intelligence can represent a specific set of activity observed at a point in time. For example, an IP address
may have hosted malware observed in a Dridex campaign six months ago, but it's possible that IP has been remediated and
no longer represents any threat.
- Adversaries often use legitimate tools as network administrators such as `PsExec` or `AdFind`, these tools often find their
way into indicator lists creating the potential for false positives.
- It's possible after large and publicly written campaigns, curious employees might end up going directly to attacker infrastructure and generating these rules
### Response and Remediation
- If suspicious or malicious behavior is observed, immediate response should be taken to isolate activity to prevent further
post-compromise behavior.
- One example of a response if a machine matched a command and control IP address would be to add an entry to a network
device such as a firewall or proxy appliance to prevent any outbound activity from leaving that machine.
- Another example of a response with a malicious file hash match would involve validating if the file was properly quarantined,
review current running processes looking for any abnormal activity, and investigating for any other follow-up actions such as persistence or lateral movement
"""
references = [ "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html"]
# Scored at the top of the range: any hit means local activity touched a known
# indicator. The false-positive rate is driven by feed quality and indicator
# age (see the note above), not by the rule logic.
risk_score = 99
rule_id = "dc672cb7-d5df-4d1f-a6d7-0841b1caafb9"
severity = "critical"
tags = ["Elastic", "Windows", "Elastic Endgame", "Network", "Continuous Monitoring", "SecOps", "Monitoring"]
timeline_id = "495ad7a7-316e-4544-8a0f-9c098daee76e"
timeline_title = "Generic Threat Match Timeline"
type = "threat_match"
# Indicator side of the match; further narrowed by [[rule.threat_filters]].
threat_index = [ "filebeat-*"]
# Left empty here. Whether an empty value falls back to a default indicator
# prefix (the threat_query below addresses indicators under
# threatintel.indicator.*) depends on the consuming Kibana version —
# NOTE(review): confirm, since the enrichment fields listed in the note
# depend on the path resolving correctly.
threat_indicator_path = ""
threat_language = "kuery"
# Only indicators ingested in the last 30 days that carry at least one
# matchable field are eligible; older entries age out of the match set, which
# bounds the stale-indicator false positives described in the note.
threat_query = '''
@timestamp >= "now-30d" and event.module:threatintel and
(threatintel.indicator.file.hash.*:* or threatintel.indicator.file.pe.imphash:* or threatintel.indicator.ip:* or
threatintel.indicator.registry.path:* or threatintel.indicator.url.full:*)
'''
# Source side: any event that carries one of the mapped observable fields.
# This only selects candidates; the actual comparison is defined by
# [[rule.threat_mapping]].
query = """
file.hash.*:* or file.pe.imphash:* or source.ip:* or destination.ip:* or url.full:* or registry.path:*
"""
# Filters applied to the indicator index. Together the four phrase filters
# select only threatintel-module indicator documents (event.module:threatintel,
# event.category:threat, event.kind:enrichment, event.type:indicator), keeping
# unrelated Filebeat data in `filebeat-*` out of the match set.
# The `$state` and `meta` sub-tables presumably mirror Kibana's saved-filter
# shape; the effective clause in each filter is `query.match_phrase`.
# Quoted keys such as "event.module" are single field names that happen to
# contain dots, not nested tables.
[[rule.threat_filters]]
[rule.threat_filters."$state"]
store = "appState"
[rule.threat_filters.meta]
negate = false
disabled = false
type = "phrase"
key = "event.module"
[rule.threat_filters.meta.params]
query = "threatintel"
[rule.threat_filters.query.match_phrase]
"event.module" = "threatintel"
# Same shape as above, keyed on event.category.
[[rule.threat_filters]]
[rule.threat_filters."$state"]
store = "appState"
[rule.threat_filters.meta]
negate = false
disabled = false
type = "phrase"
key = "event.category"
[rule.threat_filters.meta.params]
query = "threat"
[rule.threat_filters.query.match_phrase]
"event.category" = "threat"
# Same shape as above, keyed on event.kind.
[[rule.threat_filters]]
[rule.threat_filters."$state"]
store = "appState"
[rule.threat_filters.meta]
negate = false
disabled = false
type = "phrase"
key = "event.kind"
[rule.threat_filters.meta.params]
query = "enrichment"
[rule.threat_filters.query.match_phrase]
"event.kind" = "enrichment"
# Same shape as above, keyed on event.type.
[[rule.threat_filters]]
[rule.threat_filters."$state"]
store = "appState"
[rule.threat_filters.meta]
negate = false
disabled = false
type = "phrase"
key = "event.type"
[rule.threat_filters.meta.params]
query = "indicator"
[rule.threat_filters.query.match_phrase]
"event.type" = "indicator"
# Field pairings between a local observation (`field`) and the indicator field
# (`value`). Each [[rule.threat_mapping]] element holds exactly one entry; in
# Kibana threat-match semantics separate elements are OR'd while entries
# inside one element are AND'd, so any single pairing below is enough to
# produce an alert. Keep one entry per element unless a compound match
# (e.g. hash AND ip on the same indicator) is intended.
[[rule.threat_mapping]]
[[rule.threat_mapping.entries]]
field = "file.hash.md5"
type = "mapping"
value = "threatintel.indicator.file.hash.md5"
[[rule.threat_mapping]]
[[rule.threat_mapping.entries]]
field = "file.hash.sha1"
type = "mapping"
value = "threatintel.indicator.file.hash.sha1"
[[rule.threat_mapping]]
[[rule.threat_mapping.entries]]
field = "file.hash.sha256"
type = "mapping"
value = "threatintel.indicator.file.hash.sha256"
[[rule.threat_mapping]]
[[rule.threat_mapping.entries]]
field = "file.pe.imphash"
type = "mapping"
value = "threatintel.indicator.file.pe.imphash"
# Both source.ip and destination.ip are compared against the same indicator
# field, so inbound and outbound contact with a listed address both match.
[[rule.threat_mapping]]
[[rule.threat_mapping.entries]]
field = "source.ip"
type = "mapping"
value = "threatintel.indicator.ip"
[[rule.threat_mapping]]
[[rule.threat_mapping.entries]]
field = "destination.ip"
type = "mapping"
value = "threatintel.indicator.ip"
[[rule.threat_mapping]]
[[rule.threat_mapping.entries]]
field = "url.full"
type = "mapping"
value = "threatintel.indicator.url.full"
[[rule.threat_mapping]]
[[rule.threat_mapping.entries]]
field = "registry.path"
type = "mapping"
value = "threatintel.indicator.registry.path"