Merge branch 'main' into hunting-dev-code-updates

elastic · Sep 19, 2024 · 7d51d56 · 7d51d56
2 parents 5ffb55f + 5e0fb4a
commit 7d51d56
Show file tree

Hide file tree

Showing 17 changed files with 58 additions and 53 deletions.
diff --git a/detection_rules/etc/integration-manifests.json.gz b/detection_rules/etc/integration-manifests.json.gz
diff --git a/detection_rules/etc/integration-schemas.json.gz b/detection_rules/etc/integration-schemas.json.gz
diff --git a/detection_rules/schemas/definitions.py b/detection_rules/schemas/definitions.py
@@ -78,7 +78,8 @@ def validator(value):
                         'windows',
                         'sentinel_one_cloud_funnel',
                         'ti_rapid7_threat_command',
-                        'm365_defender']
+                        'm365_defender',
+                        'panw']
 NON_PUBLIC_FIELDS = {
     "related_integrations": (Version.parse('8.3.0'), None),
     "required_fields": (Version.parse('8.3.0'), None),

diff --git a/rules/network/command_and_control_accepted_default_telnet_port_connection.toml b/rules/network/command_and_control_accepted_default_telnet_port_connection.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-integration = ["network_traffic"]
+integration = ["network_traffic", "panw"]
 maturity = "production"
-updated_date = "2024/08/02"
+updated_date = "2024/09/18"
 
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,7 @@ false_positives = [
     """,
 ]
 from = "now-9m"
-index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*"]
+index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Accepted Default Telnet Port Connection"
@@ -35,6 +35,7 @@ tags = [
     "Tactic: Command and Control",
     "Tactic: Lateral Movement",
     "Tactic: Initial Access",
+    "Data Source: PAN-OS"
 ]
 timeline_id = "300afc76-072d-4261-864d-4149714bf3f1"
 timeline_title = "Comprehensive Network Timeline"

diff --git a/rules/network/command_and_control_download_rar_powershell_from_internet.toml b/rules/network/command_and_control_download_rar_powershell_from_internet.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/07/02"
-integration = ["network_traffic"]
+integration = ["network_traffic", "panw"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/09/18"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
     """,
 ]
 from = "now-9m"
-index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*"]
+index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet"
@@ -34,7 +34,7 @@ references = [
 risk_score = 47
 rule_id = "ff013cb4-274d-434a-96bb-fe15ddd3ae92"
 severity = "medium"
-tags = ["Use Case: Threat Detection", "Tactic: Command and Control", "Domain: Endpoint"]
+tags = ["Use Case: Threat Detection", "Tactic: Command and Control", "Domain: Endpoint", "Data Source: PAN-OS"]
 timestamp_override = "event.ingested"
 type = "query"
 

diff --git a/rules/network/command_and_control_fin7_c2_behavior.toml b/rules/network/command_and_control_fin7_c2_behavior.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/07/06"
-integration = ["network_traffic"]
+integration = ["network_traffic", "panw"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/09/18"
 
 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ false_positives = [
     """,
 ]
 from = "now-9m"
-index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*"]
+index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*"]
 language = "lucene"
 license = "Elastic License v2"
 name = "Possible FIN7 DGA Command and Control Behavior"
@@ -30,7 +30,7 @@ references = [
 risk_score = 73
 rule_id = "4a4e23cf-78a2-449c-bac3-701924c269d3"
 severity = "high"
-tags = ["Use Case: Threat Detection", "Tactic: Command and Control", "Domain: Endpoint"]
+tags = ["Use Case: Threat Detection", "Tactic: Command and Control", "Domain: Endpoint", "Data Source: PAN-OS"]
 timestamp_override = "event.ingested"
 type = "query"
 

diff --git a/rules/network/command_and_control_nat_traversal_port_activity.toml b/rules/network/command_and_control_nat_traversal_port_activity.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-integration = ["network_traffic"]
+integration = ["network_traffic", "panw"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/09/18"
 
 [rule]
 author = ["Elastic"]
@@ -21,14 +21,14 @@ false_positives = [
     """,
 ]
 from = "now-9m"
-index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*"]
+index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "IPSEC NAT Traversal Port Activity"
 risk_score = 21
 rule_id = "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7"
 severity = "low"
-tags = ["Tactic: Command and Control", "Domain: Endpoint", "Use Case: Threat Detection"]
+tags = ["Tactic: Command and Control", "Domain: Endpoint", "Use Case: Threat Detection", "Data Source: PAN-OS"]
 timestamp_override = "event.ingested"
 type = "query"
 

diff --git a/rules/network/command_and_control_port_26_activity.toml b/rules/network/command_and_control_port_26_activity.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-integration = ["network_traffic"]
+integration = ["network_traffic", "panw"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/09/18"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
     """,
 ]
 from = "now-9m"
-index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*"]
+index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "SMTP on Port 26/TCP"
@@ -29,7 +29,7 @@ references = [
 risk_score = 21
 rule_id = "d7e62693-aab9-4f66-a21a-3d79ecdd603d"
 severity = "low"
-tags = ["Tactic: Command and Control", "Domain: Endpoint", "Use Case: Threat Detection"]
+tags = ["Tactic: Command and Control", "Domain: Endpoint", "Use Case: Threat Detection", "Data Source: PAN-OS"]
 timestamp_override = "event.ingested"
 type = "query"
 

diff --git a/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml b/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-integration = ["network_traffic"]
+integration = ["network_traffic", "panw"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/09/18"
 
 [rule]
 author = ["Elastic"]
@@ -23,15 +23,15 @@ false_positives = [
     """,
 ]
 from = "now-9m"
-index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*"]
+index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "RDP (Remote Desktop Protocol) from the Internet"
 references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"]
 risk_score = 47
 rule_id = "8c1bdde8-4204-45c0-9e0c-c85ca3902488"
 severity = "medium"
-tags = ["Tactic: Command and Control", "Domain: Endpoint", "Use Case: Threat Detection"]
+tags = ["Tactic: Command and Control", "Domain: Endpoint", "Use Case: Threat Detection", "Data Source: PAN-OS"]
 timeline_id = "300afc76-072d-4261-864d-4149714bf3f1"
 timeline_title = "Comprehensive Network Timeline"
 timestamp_override = "event.ingested"

diff --git a/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml b/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-integration = ["network_traffic"]
+integration = ["network_traffic", "panw"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/09/18"
 
 [rule]
 author = ["Elastic"]
@@ -21,15 +21,15 @@ false_positives = [
     """,
 ]
 from = "now-9m"
-index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*"]
+index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "VNC (Virtual Network Computing) from the Internet"
 references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"]
 risk_score = 73
 rule_id = "5700cb81-df44-46aa-a5d7-337798f53eb8"
 severity = "high"
-tags = ["Tactic: Command and Control", "Domain: Endpoint", "Use Case: Threat Detection"]
+tags = ["Tactic: Command and Control", "Domain: Endpoint", "Use Case: Threat Detection", "Data Source: PAN-OS"]
 timestamp_override = "event.ingested"
 type = "query"
 

diff --git a/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml b/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-integration = ["network_traffic"]
+integration = ["network_traffic", "panw"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/09/18"
 
 [rule]
 author = ["Elastic"]
@@ -21,15 +21,15 @@ false_positives = [
     """,
 ]
 from = "now-9m"
-index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*"]
+index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "VNC (Virtual Network Computing) to the Internet"
 references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"]
 risk_score = 47
 rule_id = "3ad49c61-7adc-42c1-b788-732eda2f5abf"
 severity = "medium"
-tags = ["Tactic: Command and Control", "Domain: Endpoint", "Use Case: Threat Detection"]
+tags = ["Tactic: Command and Control", "Domain: Endpoint", "Use Case: Threat Detection", "Data Source: PAN-OS"]
 timestamp_override = "event.ingested"
 type = "query"
 

diff --git a/rules/network/discovery_potential_network_sweep_detected.toml b/rules/network/discovery_potential_network_sweep_detected.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2023/05/17"
-integration = ["endpoint", "network_traffic"]
+integration = ["endpoint", "network_traffic", "panw"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/09/18"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ theft, or other malicious activities. This rule proposes threshold logic to chec
 source host to 10 or more destination hosts on commonly used network services.
 """
 from = "now-9m"
-index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-endpoint.events.network-*"]
+index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-endpoint.events.network-*", "logs-panw.panos*"]
 language = "kuery"
 license = "Elastic License v2"
 max_signals = 5
@@ -28,6 +28,7 @@ tags = [
     "Tactic: Reconnaissance",
     "Use Case: Network Security Monitoring",
     "Data Source: Elastic Defend",
+    "Data Source: PAN-OS"
 ]
 timestamp_override = "event.ingested"
 type = "threshold"

diff --git a/rules/network/discovery_potential_port_scan_detected.toml b/rules/network/discovery_potential_port_scan_detected.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2023/05/17"
-integration = ["endpoint", "network_traffic"]
+integration = ["endpoint", "network_traffic", "panw"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/09/18"
 
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@ exploitation of the targeted system or network. This rule proposes threshold log
 one source host to 20 or more destination ports.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.network-*", "logs-network_traffic.*", "packetbeat-*", "filebeat-*", "auditbeat-*"]
+index = ["logs-endpoint.events.network-*", "logs-network_traffic.*", "packetbeat-*", "filebeat-*", "auditbeat-*", "logs-panw.panos*"]
 language = "kuery"
 license = "Elastic License v2"
 max_signals = 5
@@ -29,6 +29,7 @@ tags = [
     "Tactic: Reconnaissance",
     "Use Case: Network Security Monitoring",
     "Data Source: Elastic Defend",
+    "Data Source: PAN-OS"
 ]
 timestamp_override = "event.ingested"
 type = "threshold"

diff --git a/rules/network/discovery_potential_syn_port_scan_detected.toml b/rules/network/discovery_potential_syn_port_scan_detected.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2023/05/17"
-integration = ["endpoint", "network_traffic"]
+integration = ["endpoint", "network_traffic", "panw"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/09/18"
 
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@ to data breaches or further malicious activities. This rule proposes threshold l
 from one source host to 10 or more destination ports using 2 or less packets per port.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.network-*", "logs-network_traffic.*", "packetbeat-*", "auditbeat-*", "filebeat-*"]
+index = ["logs-endpoint.events.network-*", "logs-network_traffic.*", "packetbeat-*", "auditbeat-*", "filebeat-*", "logs-panw.panos*"]
 language = "kuery"
 license = "Elastic License v2"
 max_signals = 5
@@ -29,6 +29,7 @@ tags = [
     "Tactic: Reconnaissance",
     "Use Case: Network Security Monitoring",
     "Data Source: Elastic Defend",
+    "Data Source: PAN-OS"
 ]
 timestamp_override = "event.ingested"
 type = "threshold"

diff --git a/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml b/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-integration = ["network_traffic"]
+integration = ["network_traffic", "panw"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/09/18"
 
 [rule]
 author = ["Elastic"]
@@ -13,15 +13,15 @@ directly exposed to the Internet, as it is frequently targeted and exploited by
 backdoor vector.
 """
 from = "now-9m"
-index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*"]
+index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "RPC (Remote Procedure Call) from the Internet"
 references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"]
 risk_score = 73
 rule_id = "143cb236-0956-4f42-a706-814bcaa0cf5a"
 severity = "high"
-tags = ["Tactic: Initial Access", "Domain: Endpoint", "Use Case: Threat Detection"]
+tags = ["Tactic: Initial Access", "Domain: Endpoint", "Use Case: Threat Detection", "Data Source: PAN-OS"]
 timestamp_override = "event.ingested"
 type = "query"
 

diff --git a/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml b/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-integration = ["network_traffic"]
+integration = ["network_traffic", "panw"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/09/18"
 
 [rule]
 author = ["Elastic"]
@@ -13,15 +13,15 @@ directly exposed to the Internet, as it is frequently targeted and exploited by
 backdoor vector.
 """
 from = "now-9m"
-index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*"]
+index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "RPC (Remote Procedure Call) to the Internet"
 references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"]
 risk_score = 73
 rule_id = "32923416-763a-4531-bb35-f33b9232ecdb"
 severity = "high"
-tags = ["Tactic: Initial Access", "Domain: Endpoint", "Use Case: Threat Detection"]
+tags = ["Tactic: Initial Access", "Domain: Endpoint", "Use Case: Threat Detection", "Data Source: PAN-OS"]
 timestamp_override = "event.ingested"
 type = "query"