[7.13] [Detection Rules] Add 7.13 rules (#98975)

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_cloudtrail_logging_created.json

@@ -16,7 +16,7 @@
   "license": "Elastic License v2",
   "name": "AWS CloudTrail Log Created",
   "note": "The AWS Filebeat module must be enabled to use this rule.",
-  "query": "event.action:CreateTrail and event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.outcome:success",
+  "query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:CreateTrail and event.outcome:success",
   "references": [
     "https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_CreateTrail.html",
     "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/create-trail.html"
@@ -51,5 +51,5 @@
   ],
   "timestamp_override": "event.ingested",
   "type": "query",
-  "version": 4
+  "version": 5
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_microsoft_365_new_inbox_rule.json

@@ -0,0 +1,64 @@
+{
+  "author": [
+    "Elastic",
+    "Gary Blackwell",
+    "Austin Songer"
+  ],
+  "description": "Identifies when a new Inbox rule is created in Microsoft 365. Inbox rules process messages in the Inbox based on conditions and take actions, such as moving a message to a specified folder or deleting a message. Adequate permissions are required on the mailbox to create an Inbox rule.",
+  "false_positives": [
+    "An inbox rule may be created by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+  ],
+  "from": "now-30m",
+  "index": [
+    "filebeat-*",
+    "logs-o365*"
+  ],
+  "language": "kuery",
+  "license": "Elastic License v2",
+  "name": "Microsoft 365 New Inbox Rule Created",
+  "note": "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule.",
+  "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"New-InboxRule\" and event.outcome:success",
+  "references": [
+    "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/responding-to-a-compromised-email-account?view=o365-worldwide",
+    "https://docs.microsoft.com/en-us/powershell/module/exchange/new-inboxrule?view=exchange-ps",
+    "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-outlook-rules-forms-attack?view=o365-worldwide"
+  ],
+  "risk_score": 21,
+  "rule_id": "ec8efb0c-604d-42fa-ac46-ed1cfbc38f78",
+  "severity": "low",
+  "tags": [
+    "Elastic",
+    "Cloud",
+    "Microsoft 365",
+    "Continuous Monitoring",
+    "SecOps",
+    "Configuration Audit"
+  ],
+  "threat": [
+    {
+      "framework": "MITRE ATT&CK",
+      "tactic": {
+        "id": "TA0009",
+        "name": "Collection",
+        "reference": "https://attack.mitre.org/tactics/TA0009/"
+      },
+      "technique": [
+        {
+          "id": "T1114",
+          "name": "Email Collection",
+          "reference": "https://attack.mitre.org/techniques/T1114/",
+          "subtechnique": [
+            {
+              "id": "T1114.003",
+              "name": "Email Forwarding Rule",
+              "reference": "https://attack.mitre.org/techniques/T1114/003/"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "timestamp_override": "event.ingested",
+  "type": "query",
+  "version": 1
+}

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_common_webservices.json

@@ -12,7 +12,7 @@
   "language": "eql",
   "license": "Elastic License v2",
   "name": "Connection to Commonly Abused Web Services",
-  "query": "network where network.protocol == \"dns\" and\n    /* Add new WebSvc domains here */\n    dns.question.name :\n    (\n        \"*.githubusercontent.*\",\n        \"*.pastebin.*\",\n        \"*drive.google.*\",\n        \"*docs.live.*\",\n        \"*api.dropboxapi.*\",\n        \"*dropboxusercontent.*\",\n        \"*onedrive.*\",\n        \"*4shared.*\",\n        \"*.file.io\",\n        \"*filebin.net\",\n        \"*slack-files.com\",\n        \"*ghostbin.*\",\n        \"*ngrok.*\",\n        \"*portmap.*\",\n        \"*serveo.net\",\n        \"*localtunnel.me\",\n        \"*pagekite.me\",\n        \"*localxpose.io\",\n        \"*notabug.org\"\n    ) and\n    /* Insert noisy false positives here */\n    not process.name :\n    (\n        \"MicrosoftEdgeCP.exe\",\n        \"MicrosoftEdge.exe\",\n        \"iexplore.exe\",\n        \"chrome.exe\",\n        \"msedge.exe\",\n        \"opera.exe\",\n        \"firefox.exe\",\n        \"Dropbox.exe\",\n        \"slack.exe\",\n        \"svchost.exe\",\n        \"thunderbird.exe\",\n        \"outlook.exe\",\n        \"OneDrive.exe\"\n    )\n",
+  "query": "network where network.protocol == \"dns\" and\n    process.name != null and user.id not in (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and\n    /* Add new WebSvc domains here */\n    dns.question.name :\n    (\n        \"raw.githubusercontent.*\",\n        \"*.pastebin.*\",\n        \"*drive.google.*\",\n        \"*docs.live.*\",\n        \"*api.dropboxapi.*\",\n        \"*dropboxusercontent.*\",\n        \"*onedrive.*\",\n        \"*4shared.*\",\n        \"*.file.io\",\n        \"*filebin.net\",\n        \"*slack-files.com\",\n        \"*ghostbin.*\",\n        \"*ngrok.*\",\n        \"*portmap.*\",\n        \"*serveo.net\",\n        \"*localtunnel.me\",\n        \"*pagekite.me\",\n        \"*localxpose.io\",\n        \"*notabug.org\",\n        \"rawcdn.githack.*\",\n        \"paste.nrecom.net\",\n        \"zerobin.net\",\n        \"controlc.com\",\n        \"requestbin.net\"\n    ) and\n    /* Insert noisy false positives here */\n    not process.executable :\n    (\n      \"?:\\\\Program Files\\\\*.exe\",\n      \"?:\\\\Program Files (x86)\\\\*.exe\",\n      \"?:\\\\Windows\\\\System32\\\\WWAHost.exe\",\n      \"?:\\\\Windows\\\\System32\\\\smartscreen.exe\",\n      \"?:\\\\Windows\\\\System32\\\\MicrosoftEdgeCP.exe\",\n      \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n      \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n      \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Fiddler\\\\Fiddler.exe\",\n      \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe\",\n      \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe\",\n      \"?:\\\\Windows\\\\system32\\\\mobsync.exe\",\n      \"?:\\\\Windows\\\\SysWOW64\\\\mobsync.exe\"\n    )\n",
   "risk_score": 21,
   "rule_id": "66883649-f908-4a5b-a1e0-54090a1d3a32",
   "severity": "low",
@@ -42,5 +42,5 @@
   ],
   "timestamp_override": "event.ingested",
   "type": "eql",
-  "version": 3
+  "version": 4
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_iexplore_via_com.json

@@ -3,6 +3,9 @@
     "Elastic"
   ],
   "description": "Identifies instances of Internet Explorer (iexplore.exe) being started via the Component Object Model (COM) making unusual network connections. Adversaries could abuse Internet Explorer via COM to avoid suspicious processes making network connections and bypass host-based firewall restrictions.",
+  "false_positives": [
+    "Processes such as MS Office using IEproxy to render HTML content."
+  ],
   "from": "now-9m",
   "index": [
     "winlogbeat-*",
@@ -12,7 +15,7 @@
   "language": "eql",
   "license": "Elastic License v2",
   "name": "Potential Command and Control via Internet Explorer",
-  "query": "sequence by host.id, process.entity_id with maxspan = 1s\n  [process where event.type == \"start\" and process.parent.name : \"iexplore.exe\" and process.parent.args : \"-Embedding\"]\n  /* IE started via COM in normal conditions makes few connections, mainly to Microsoft and OCSP related domains, add FPs here */\n  [network where network.protocol == \"dns\" and process.name : \"iexplore.exe\" and\n   not dns.question.name :\n   (\n    \"*.microsoft.com\",\n    \"*.digicert.com\",\n    \"*.msocsp.com\",\n    \"*.windowsupdate.com\",\n    \"*.bing.com\",\n    \"*.identrust.com\"\n    )\n  ]\n",
+  "query": "sequence by host.id, user.id with maxspan = 5s\n  [library where dll.name : \"IEProxy.dll\" and process.name : (\"rundll32.exe\", \"regsvr32.exe\")]\n  [process where event.type == \"start\" and process.parent.name : \"iexplore.exe\" and process.parent.args : \"-Embedding\"]\n  /* IE started via COM in normal conditions makes few connections, mainly to Microsoft and OCSP related domains, add FPs here */\n  [network where network.protocol == \"dns\" and process.name : \"iexplore.exe\" and\n   not dns.question.name :\n   (\n    \"*.microsoft.com\",\n    \"*.digicert.com\",\n    \"*.msocsp.com\",\n    \"*.windowsupdate.com\",\n    \"*.bing.com\",\n    \"*.identrust.com\",\n    \"*.sharepoint.com\",\n    \"*.office365.com\",\n    \"*.office.com\"\n    )\n  ]\n",
   "risk_score": 47,
   "rule_id": "acd611f3-2b93-47b3-a0a3-7723bcc46f6d",
   "severity": "medium",
@@ -41,5 +44,5 @@
     }
   ],
   "type": "eql",
-  "version": 2
+  "version": 3
 }