From 67e9b8273766c9b7235eb8ecd4b15090456dd835 Mon Sep 17 00:00:00 2001
From: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Date: Thu, 19 Dec 2024 13:24:23 -0500
Subject: [PATCH] [New Rule] Endpoint Security Promotion Rules for Specific Events (#3533)

* new endpoint security rules for specific alerts
* updated risk scores
* fixed rule names and UUIDs
* changed logic to use message field for detection vs prevention
* reverting changes
* reverting changes
* reverting to old commit
* reverting to old commit
* reverting to old commit
* reverting to old commit
* changed naming to Elastic Defend
* updated rule dates and min-stacks
* linted; adjusted queries
* updated ransomware, memory sig or shellcode risk
* Update rules/integrations/endpoint/elastic_endpoint_security.toml
* updated promotion rule
* fixed typos in naming
* updated setup guides
* added intervals
* added MITRE
* added investigation guide for Memory Threat
* ++
* ++
* Update rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.toml
  Co-authored-by: natasha-moore-elastic <137783811+natasha-moore-elastic@users.noreply.github.com>
* Update rules/integrations/endpoint/elastic_endpoint_security_memory_signature_prevented.toml
  Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/integrations/endpoint/elastic_endpoint_security_memory_signature_detected.toml
  Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/integrations/endpoint/elastic_endpoint_security_malicious_file_prevented.toml
  Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/integrations/endpoint/elastic_endpoint_security_memory_signature_detected.toml
  Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/integrations/endpoint/elastic_endpoint_security_memory_signature_prevented.toml
  Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/integrations/endpoint/elastic_endpoint_security_ransomware_detected.toml
  Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/integrations/endpoint/elastic_endpoint_security_ransomware_prevented.toml
  Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* ++
* ++
* ++
* ++
* Update rules/integrations/endpoint/elastic_endpoint_security.toml
* Update rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.toml
* Update rules/integrations/endpoint/elastic_endpoint_security_behavior_prevented.toml
* Update rules/integrations/endpoint/elastic_endpoint_security_malicious_file_detected.toml
* Update rules/integrations/endpoint/elastic_endpoint_security_memory_signature_prevented.toml
* ++
* ++
* ++
* Update rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.toml
  Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update rules/integrations/endpoint/execution_elastic_malicious_file_detected.toml
  Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update rules/integrations/endpoint/impact_elastic_ransomware_detected.toml
  Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update rules/integrations/endpoint/elastic_endpoint_security_behavior_prevented.toml
  Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update rules/integrations/endpoint/execution_elastic_malicious_file_prevented.toml
  Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update rules/integrations/endpoint/impact_elastic_ransomware_prevented.toml
  Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update rules/integrations/endpoint/defense_evasion_elastic_memory_threat_prevented.toml
  Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update rules/integrations/endpoint/defense_evasion_elastic_memory_threat_prevented.toml
  Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update rules/integrations/endpoint/elastic_endpoint_security_behavior_prevented.toml
  Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.toml
  Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update rules/integrations/endpoint/elastic_endpoint_security_behavior_prevented.toml
  Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update rules/integrations/endpoint/execution_elastic_malicious_file_detected.toml
  Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update rules/integrations/endpoint/execution_elastic_malicious_file_detected.toml
  Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update rules/integrations/endpoint/execution_elastic_malicious_file_prevented.toml
  Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update rules/integrations/endpoint/execution_elastic_malicious_file_prevented.toml
  Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update rules/integrations/endpoint/execution_elastic_malicious_file_prevented.toml
  Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update rules/integrations/endpoint/impact_elastic_ransomware_detected.toml
  Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update rules/integrations/endpoint/impact_elastic_ransomware_detected.toml
  Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update rules/integrations/endpoint/impact_elastic_ransomware_detected.toml
  Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update rules/integrations/endpoint/impact_elastic_ransomware_prevented.toml
  Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update rules/integrations/endpoint/impact_elastic_ransomware_prevented.toml
  Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update rules/integrations/endpoint/defense_evasion_elastic_memory_threat_detected.toml
  Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update rules/integrations/endpoint/impact_elastic_ransomware_prevented.toml
  Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update rules/integrations/endpoint/defense_evasion_elastic_memory_threat_detected.toml
  Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update rules/integrations/endpoint/defense_evasion_elastic_memory_threat_detected.toml
  Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update rules/integrations/endpoint/defense_evasion_elastic_memory_threat_prevented.toml
  Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update defense_evasion_elastic_memory_threat_prevented.toml
* toml-lint
* Update rules/integrations/endpoint/execution_elastic_malicious_file_detected.toml
  Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* ++

---------

Co-authored-by: Mika Ayenson
Co-authored-by: Samirbous
Co-authored-by: natasha-moore-elastic <137783811+natasha-moore-elastic@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
(cherry picked from commit 9fb2dea7aa144fedcd1122442ed699824f042439)
---
 .../endpoint/elastic_endpoint_security.toml | 31 ++++++++++++++++---
 1 file changed, 26 insertions(+), 5 deletions(-)

diff --git a/rules/integrations/endpoint/elastic_endpoint_security.toml b/rules/integrations/endpoint/elastic_endpoint_security.toml
index 7353bf7fcc6..37be3ddc9b9 100644
--- a/rules/integrations/endpoint/elastic_endpoint_security.toml +++ b/rules/integrations/endpoint/elastic_endpoint_security.toml @@ -2,13 +2,15 @@ creation_date = "2020/07/08" integration = ["endpoint"] maturity = "production" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" promotion = true -updated_date = "2024/05/21" +updated_date = "2024/11/27" [rule] author = ["Elastic"] description = """ -Generates a detection alert each time an Elastic Endpoint Security alert is received. Enabling this rule allows you to +Generates a detection alert each time an Elastic Defend alert is received. Enabling this rule allows you to immediately begin investigating your Endpoint alerts. """ enabled = true 
@@ -17,19 +19,38 @@ index = ["logs-endpoint.alerts-*"] language = "kuery" license = "Elastic License v2" max_signals = 10000 -name = "Endpoint Security" +name = "Endpoint Security (Elastic Defend)" + risk_score = 47 rule_id = "9a1a2dae-0b5f-4c3d-8305-a268d404c306" rule_name_override = "message" -setup = """## Setup +setup = """ +## Setup + +### Elastic Defend Alerts +If this rule is disabled, you will not receive alerts for Elastic Defend alerts. This rule is designed to capture all alerts generated by Elastic Defend. For more granular alerting, consider using additional prebuilt-rules that capture specific Elastic Defend alerts. + +If this rule is enabled, along with the related rules listed below, you will receive duplicate alerts for the same events. To avoid this, it is recommended to disable this generic rule and enable the more specific rules that capture these alerts separately. +Related rules: +- Behavior - Detected - Elastic Defend (UUID: 0f615fe4-eaa2-11ee-ae33-f661ea17fbce) +- Behavior - Prevented - Elastic Defend (UUID: eb804972-ea34-11ee-a417-f661ea17fbce) +- Malicious File - Detected - Elastic Defend (UUID: f2c3caa6-ea34-11ee-a417-f661ea17fbce) +- Malicious File - Prevented - Elastic Defend (UUID: f87e6122-ea34-11ee-a417-f661ea17fbce) +- Memory Threat - Detected - Elastic Defend (UUID: 017de1e4-ea35-11ee-a417-f661ea17fbce) +- Memory Threat - Prevented - Elastic Defend (UUID: 06f3a26c-ea35-11ee-a417-f661ea17fbce) +- Ransomware - Detected - Elastic Defend (UUID: 0c74cd7e-ea35-11ee-a417-f661ea17fbce) +- Ransomware - Prevented - Elastic Defend (UUID: 10f3d520-ea35-11ee-a417-f661ea17fbce) + +### Additional notes This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. 
**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. -**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" +**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects. +""" severity = "medium" tags = ["Data Source: Elastic Defend"] timestamp_override = "event.ingested"
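Review bot: In the first hunk (`@@ -2,13 +2,15 @@`) the description's opening sentence is renamed to "Elastic Defend alert" while the unchanged continuation still says "immediately begin investigating your Endpoint alerts", so the two sentences of one description now use different product names; suggest "your Elastic Defend alerts" while the description is being touched. The added `min_stack_comments = "New fields added: required_fields, related_integrations, setup"` also names `required_fields` and `related_integrations`, neither of which is added or changed anywhere in this diff, so either state what actually justifies `min_stack_version = "8.3.0"` for this rule or trim the comment to the one field the hunk touches (`setup`).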
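Review bot: In the second hunk (`@@ -17,19 +19,38 @@`) the new setup guide places `Related rules:` directly under the paragraph ending "capture these alerts separately." with no blank line, so when the `setup` string is rendered as Markdown that label folds into the preceding paragraph instead of introducing the UUID list; add a blank line before `Related rules:`. Two smaller points: "additional prebuilt-rules" should read "additional prebuilt rules", and the lone `+` blank line inserted between `name = "Endpoint Security (Elastic Defend)"` and `risk_score = 47` splits an otherwise contiguous key block (`name`, `risk_score`, `rule_id`, `rule_name_override`) and looks like a leftover. Since the diffstat shows only this one file changing in the cherry-pick, please also confirm that the eight rule UUIDs listed under `Related rules:` exist on the target branch; otherwise the guide recommends disabling this rule in favour of rules a user of that branch cannot enable.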