From c588b9f0626c62fc9e762bce98bb36b6324e59a9 Mon Sep 17 00:00:00 2001
From: Shashank K S
Date: Thu, 6 Mar 2025 14:11:59 +0530
Subject: [PATCH 1/4] Deprecation Notice to Cloud Defend Rules

---
 .../cloud_defend/container_workload_protection.toml | 4 ++--
 ...credential_access_aws_creds_search_inside_a_container.toml | 4 ++--
 ...ection_sensitive_files_compression_inside_a_container.toml | 4 ++--
 ...sensitive_keys_or_passwords_search_inside_a_container.toml | 4 ++--
 ..._ld_preload_shared_object_modified_inside_a_container.toml | 4 ++--
 ...y_suspicious_network_tool_launched_inside_a_container.toml | 4 ++--
 ...ntainer_management_binary_launched_inside_a_container.toml | 4 ++--
 ...ion_file_made_executable_via_chmod_inside_a_container.toml | 4 ++--
 .../cloud_defend/execution_interactive_exec_to_container.toml | 4 ++--
 ...ion_interactive_shell_spawned_from_inside_a_container.toml | 4 ++--
 ...cution_netcat_listener_established_inside_a_container.toml | 4 ++--
 ..._access_ssh_connection_established_inside_a_container.toml | 4 ++--
 ...eral_movement_ssh_process_launched_inside_a_container.toml | 4 ++--
 ...e_ssh_authorized_keys_modification_inside_a_container.toml | 4 ++--
 ...lation_debugfs_launched_inside_a_privileged_container.toml | 4 ++--
 ...calation_mount_launched_inside_a_privileged_container.toml | 4 ++--
 ..._container_escape_via_modified_notify_on_release_file.toml | 4 ++--
 ...tial_container_escape_via_modified_release_agent_file.toml | 4 ++--
 18 files changed, 36 insertions(+), 36 deletions(-)

diff --git a/rules/integrations/cloud_defend/container_workload_protection.toml b/rules/integrations/cloud_defend/container_workload_protection.toml
index 49f40294031..2c65f166054 100644
--- a/rules/integrations/cloud_defend/container_workload_protection.toml
+++ b/rules/integrations/cloud_defend/container_workload_protection.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/04/05"
 integration = ["cloud_defend"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/06"
 
 [rule]
 author = ["Elastic"]
@@ -16,7 +16,7 @@ index = ["logs-cloud_defend.alerts-*"]
 language = "kuery"
 license = "Elastic License v2"
 max_signals = 10000
-name = "Container Workload Protection"
+name = "Deprecated - Container Workload Protection"
 risk_score = 47
 rule_id = "4b4e9c99-27ea-4621-95c8-82341bc6e512"
 rule_name_override = "message"
diff --git a/rules/integrations/cloud_defend/credential_access_aws_creds_search_inside_a_container.toml b/rules/integrations/cloud_defend/credential_access_aws_creds_search_inside_a_container.toml
index 8decdf2c8eb..47247858bd0 100644
--- a/rules/integrations/cloud_defend/credential_access_aws_creds_search_inside_a_container.toml
+++ b/rules/integrations/cloud_defend/credential_access_aws_creds_search_inside_a_container.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/06/28"
 integration = ["cloud_defend"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/06"
 
 [rule]
 author = ["Elastic"]
@@ -16,7 +16,7 @@ index = ["logs-cloud_defend*"]
 interval = "5m"
 language = "eql"
 license = "Elastic License v2"
-name = "AWS Credentials Searched For Inside A Container"
+name = "Deprecated - AWS Credentials Searched For Inside A Container"
 references = ["https://sysdig.com/blog/threat-detection-aws-cloud-containers/"]
 risk_score = 47
 rule_id = "d0b0f3ed-0b37-44bf-adee-e8cb7de92767"
diff --git a/rules/integrations/cloud_defend/credential_access_collection_sensitive_files_compression_inside_a_container.toml b/rules/integrations/cloud_defend/credential_access_collection_sensitive_files_compression_inside_a_container.toml
index 0bf131a2b29..d4f57df12cb 100644
--- a/rules/integrations/cloud_defend/credential_access_collection_sensitive_files_compression_inside_a_container.toml
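Review bot: The rule is only renamed with a "Deprecated - " prefix while the `maturity = "production"` context line two lines above the change is left as is, so each of these rules keeps shipping and scheduling as an active production rule and "Deprecated" becomes part of the rule name shown to analysts rather than part of the rule's lifecycle state. In the detection-rules repository a deprecation is normally expressed in `[metadata]` as `maturity = "deprecated"` together with a `deprecation_date = "YYYY/MM/DD"` line (placeholder date) and the file relocated to the deprecated-rules directory; if patches 3 and 4 of this series do that, a pointer in the commit message would help, otherwise this hunk is where it belongs. The new `updated_date = "2025/02/06"` is also a month older than the patch's own date of 6 Mar 2025 and looks carried over from an earlier edit rather than set when this change was made. The same applies to the `[metadata]` hunks of the other 17 files in this patch.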
+++ b/rules/integrations/cloud_defend/credential_access_collection_sensitive_files_compression_inside_a_container.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/05/12"
 integration = ["cloud_defend"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/06"
 
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@ index = ["logs-cloud_defend*"]
 interval = "5m"
 language = "eql"
 license = "Elastic License v2"
-name = "Sensitive Files Compression Inside A Container"
+name = "Deprecated - Sensitive Files Compression Inside A Container"
 risk_score = 47
 rule_id = "475b42f0-61fb-4ef0-8a85-597458bfb0a1"
 severity = "medium"
diff --git a/rules/integrations/cloud_defend/credential_access_sensitive_keys_or_passwords_search_inside_a_container.toml b/rules/integrations/cloud_defend/credential_access_sensitive_keys_or_passwords_search_inside_a_container.toml
index 95c5a9deda7..730a1d24a48 100644
--- a/rules/integrations/cloud_defend/credential_access_sensitive_keys_or_passwords_search_inside_a_container.toml
+++ b/rules/integrations/cloud_defend/credential_access_sensitive_keys_or_passwords_search_inside_a_container.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/05/12"
 integration = ["cloud_defend"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/06"
 
 [rule]
 author = ["Elastic"]
@@ -16,7 +16,7 @@ index = ["logs-cloud_defend*"]
 interval = "5m"
 language = "eql"
 license = "Elastic License v2"
-name = "Sensitive Keys Or Passwords Searched For Inside A Container"
+name = "Deprecated - Sensitive Keys Or Passwords Searched For Inside A Container"
 references = ["https://sysdig.com/blog/cve-2021-25741-kubelet-falco/"]
 risk_score = 47
 rule_id = "9661ed8b-001c-40dc-a777-0983b7b0c91a"
diff --git a/rules/integrations/cloud_defend/defense_evasion_ld_preload_shared_object_modified_inside_a_container.toml b/rules/integrations/cloud_defend/defense_evasion_ld_preload_shared_object_modified_inside_a_container.toml
index 72025efeb6a..0c21dc77d4d 100644
--- a/rules/integrations/cloud_defend/defense_evasion_ld_preload_shared_object_modified_inside_a_container.toml
+++ b/rules/integrations/cloud_defend/defense_evasion_ld_preload_shared_object_modified_inside_a_container.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/06/06"
 integration = ["cloud_defend"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/06"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ index = ["logs-cloud_defend*"]
 interval = "5m"
 language = "eql"
 license = "Elastic License v2"
-name = "Modification of Dynamic Linker Preload Shared Object Inside A Container"
+name = "Deprecated - Modification of Dynamic Linker Preload Shared Object Inside A Container"
 references = [
 "https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/",
 "https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang/",
diff --git a/rules/integrations/cloud_defend/discovery_suspicious_network_tool_launched_inside_a_container.toml b/rules/integrations/cloud_defend/discovery_suspicious_network_tool_launched_inside_a_container.toml
index c035f87d8fb..d1306d6c61e 100644
--- a/rules/integrations/cloud_defend/discovery_suspicious_network_tool_launched_inside_a_container.toml
+++ b/rules/integrations/cloud_defend/discovery_suspicious_network_tool_launched_inside_a_container.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/04/26"
 integration = ["cloud_defend"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/06"
 
 [rule]
 author = ["Elastic"]
@@ -24,7 +24,7 @@ index = ["logs-cloud_defend*"]
 interval = "5m"
 language = "eql"
 license = "Elastic License v2"
-name = "Suspicious Network Tool Launched Inside A Container"
+name = "Deprecated - Suspicious Network Tool Launched Inside A Container"
 risk_score = 47
 rule_id = "1a289854-5b78-49fe-9440-8a8096b1ab50"
 severity = "medium"
diff --git a/rules/integrations/cloud_defend/execution_container_management_binary_launched_inside_a_container.toml b/rules/integrations/cloud_defend/execution_container_management_binary_launched_inside_a_container.toml
index 422574e94a0..0c4c85e0149 100644
--- a/rules/integrations/cloud_defend/execution_container_management_binary_launched_inside_a_container.toml
+++ b/rules/integrations/cloud_defend/execution_container_management_binary_launched_inside_a_container.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/04/26"
 integration = ["cloud_defend"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/06"
 
 [rule]
 author = ["Elastic"]
@@ -24,7 +24,7 @@ index = ["logs-cloud_defend*"]
 interval = "5m"
 language = "eql"
 license = "Elastic Licence v2"
-name = "Container Management Utility Run Inside A Container"
+name = "Deprecated - Container Management Utility Run Inside A Container"
 risk_score = 21
 rule_id = "6c6bb7ea-0636-44ca-b541-201478ef6b50"
 severity = "low"
diff --git a/rules/integrations/cloud_defend/execution_file_made_executable_via_chmod_inside_a_container.toml b/rules/integrations/cloud_defend/execution_file_made_executable_via_chmod_inside_a_container.toml
index 41c110968dd..827ca1f5ac7 100644
--- a/rules/integrations/cloud_defend/execution_file_made_executable_via_chmod_inside_a_container.toml
+++ b/rules/integrations/cloud_defend/execution_file_made_executable_via_chmod_inside_a_container.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/04/26"
 integration = ["cloud_defend"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/06"
 
 [rule]
 author = ["Elastic"]
@@ -16,7 +16,7 @@ index = ["logs-cloud_defend*"]
 interval = "5m"
 language = "eql"
 license = "Elastic License v2"
-name = "File Made Executable via Chmod Inside A Container"
+name = "Deprecated - File Made Executable via Chmod Inside A Container"
 risk_score = 47
 rule_id = "ec604672-bed9-43e1-8871-cf591c052550"
 severity = "medium"
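Review bot: The new name line in the `@@ -24,7 +24,7 @@` hunk of execution_container_management_binary_launched_inside_a_container.toml sits directly under `license = "Elastic Licence v2"`, which differs from the `license = "Elastic License v2"` string every other file in this patch carries. Since the file is already being edited, correcting that context line to `license = "Elastic License v2"` in the same change would keep the field uniform across the cloud_defend rules and avoid a second touch of the file later. Whether anything validates this string is not visible here.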
diff --git a/rules/integrations/cloud_defend/execution_interactive_exec_to_container.toml b/rules/integrations/cloud_defend/execution_interactive_exec_to_container.toml
index 3915ee5583e..eae193150e6 100644
--- a/rules/integrations/cloud_defend/execution_interactive_exec_to_container.toml
+++ b/rules/integrations/cloud_defend/execution_interactive_exec_to_container.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/05/12"
 integration = ["cloud_defend"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/06"
 
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ index = ["logs-cloud_defend*"]
 interval = "5m"
 language = "eql"
 license = "Elastic License v2"
-name = "Interactive Exec Command Launched Against A Running Container"
+name = "Deprecated - Interactive Exec Command Launched Against A Running Container"
 references = [
 "https://kubernetes.io/docs/tasks/debug/debug-application/debug-running-pod/",
 "https://kubernetes.io/docs/tasks/debug/debug-application/get-shell-running-container/",
diff --git a/rules/integrations/cloud_defend/execution_interactive_shell_spawned_from_inside_a_container.toml b/rules/integrations/cloud_defend/execution_interactive_shell_spawned_from_inside_a_container.toml
index 7a20535cd5f..a85ced1d648 100644
--- a/rules/integrations/cloud_defend/execution_interactive_shell_spawned_from_inside_a_container.toml
+++ b/rules/integrations/cloud_defend/execution_interactive_shell_spawned_from_inside_a_container.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/04/26"
 integration = ["cloud_defend"]
 maturity = "production"
-updated_date = "2025/02/04"
+updated_date = "2025/02/06"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,7 @@ index = ["logs-cloud_defend*"]
 interval = "5m"
 language = "eql"
 license = "Elastic License v2"
-name = "Suspicious Interactive Shell Spawned From Inside A Container"
+name = "Deprecated - Suspicious Interactive Shell Spawned From Inside A Container"
 risk_score = 73
 rule_id = "8d3d0794-c776-476b-8674-ee2e685f6470"
 severity = "high"
diff --git a/rules/integrations/cloud_defend/execution_netcat_listener_established_inside_a_container.toml b/rules/integrations/cloud_defend/execution_netcat_listener_established_inside_a_container.toml
index 070fe900c3d..83efa291aec 100644
--- a/rules/integrations/cloud_defend/execution_netcat_listener_established_inside_a_container.toml
+++ b/rules/integrations/cloud_defend/execution_netcat_listener_established_inside_a_container.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/04/26"
 integration = ["cloud_defend"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/06"
 
 [rule]
 author = ["Elastic"]
@@ -24,7 +24,7 @@ index = ["logs-cloud_defend*"]
 interval = "5m"
 language = "eql"
 license = "Elastic License v2"
-name = "Netcat Listener Established Inside A Container"
+name = "Deprecated - Netcat Listener Established Inside A Container"
 risk_score = 73
 rule_id = "a52a9439-d52c-401c-be37-2785235c6547"
 severity = "high"
diff --git a/rules/integrations/cloud_defend/initial_access_ssh_connection_established_inside_a_container.toml b/rules/integrations/cloud_defend/initial_access_ssh_connection_established_inside_a_container.toml
index ed47d7a84ee..64b5d48c183 100644
--- a/rules/integrations/cloud_defend/initial_access_ssh_connection_established_inside_a_container.toml
+++ b/rules/integrations/cloud_defend/initial_access_ssh_connection_established_inside_a_container.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/05/12"
 integration = ["cloud_defend"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/06"
 
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,7 @@ index = ["logs-cloud_defend*"]
 interval = "5m"
 language = "eql"
 license = "Elastic License v2"
-name = "SSH Connection Established Inside A Running Container"
+name = "Deprecated - SSH Connection Established Inside A Running Container"
 references = [
 "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/SSH%20server%20running%20inside%20container/",
 ]
diff --git a/rules/integrations/cloud_defend/lateral_movement_ssh_process_launched_inside_a_container.toml b/rules/integrations/cloud_defend/lateral_movement_ssh_process_launched_inside_a_container.toml
index 0d38bc0944f..a01aea37f6e 100644
--- a/rules/integrations/cloud_defend/lateral_movement_ssh_process_launched_inside_a_container.toml
+++ b/rules/integrations/cloud_defend/lateral_movement_ssh_process_launched_inside_a_container.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/05/12"
 integration = ["cloud_defend"]
 maturity = "production"
-updated_date = "2025/02/04"
+updated_date = "2025/02/06"
 
 [rule]
 author = ["Elastic"]
@@ -23,7 +23,7 @@ index = ["logs-cloud_defend*"]
 interval = "5m"
 language = "eql"
 license = "Elastic License v2"
-name = "SSH Process Launched From Inside A Container"
+name = "Deprecated - SSH Process Launched From Inside A Container"
 references = [
 "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/SSH%20server%20running%20inside%20container/",
 "https://www.blackhillsinfosec.com/sshazam-hide-your-c2-inside-of-ssh/",
diff --git a/rules/integrations/cloud_defend/persistence_ssh_authorized_keys_modification_inside_a_container.toml b/rules/integrations/cloud_defend/persistence_ssh_authorized_keys_modification_inside_a_container.toml
index d97607dc184..bc604397f35 100644
--- a/rules/integrations/cloud_defend/persistence_ssh_authorized_keys_modification_inside_a_container.toml
+++ b/rules/integrations/cloud_defend/persistence_ssh_authorized_keys_modification_inside_a_container.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/05/12"
 integration = ["cloud_defend"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/06"
 
 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ index = ["logs-cloud_defend*"]
 interval = "5m"
 language = "eql"
 license = "Elastic License v2"
-name = "SSH Authorized Keys File Modified Inside a Container"
+name = "Deprecated - SSH Authorized Keys File Modified Inside a Container"
 risk_score = 73
 rule_id = "f7769104-e8f9-4931-94a2-68fc04eadec3"
 severity = "high"
diff --git a/rules/integrations/cloud_defend/privilege_escalation_debugfs_launched_inside_a_privileged_container.toml b/rules/integrations/cloud_defend/privilege_escalation_debugfs_launched_inside_a_privileged_container.toml
index 9bdbcf452cb..645f7249a6e 100644
--- a/rules/integrations/cloud_defend/privilege_escalation_debugfs_launched_inside_a_privileged_container.toml
+++ b/rules/integrations/cloud_defend/privilege_escalation_debugfs_launched_inside_a_privileged_container.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/10/26"
 integration = ["cloud_defend"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/06"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ index = ["logs-cloud_defend*"]
 interval = "5m"
 language = "eql"
 license = "Elastic License v2"
-name = "File System Debugger Launched Inside a Privileged Container"
+name = "Deprecated - File System Debugger Launched Inside a Privileged Container"
 references = [
 "https://cyberark.wistia.com/medias/ygbzkzx93q?wvideo=ygbzkzx93q",
 "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation#privileged",
diff --git a/rules/integrations/cloud_defend/privilege_escalation_mount_launched_inside_a_privileged_container.toml b/rules/integrations/cloud_defend/privilege_escalation_mount_launched_inside_a_privileged_container.toml
index 911794bc3eb..efb8d38e7e3 100644
--- a/rules/integrations/cloud_defend/privilege_escalation_mount_launched_inside_a_privileged_container.toml
+++ b/rules/integrations/cloud_defend/privilege_escalation_mount_launched_inside_a_privileged_container.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/10/26"
 integration = ["cloud_defend"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/06"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ index = ["logs-cloud_defend*"]
 interval = "5m"
 language = "eql"
 license = "Elastic License v2"
-name = "Mount Launched Inside a Privileged Container"
+name = "Deprecated - Mount Launched Inside a Privileged Container"
 references = [
 "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation#privileged",
 ]
diff --git a/rules/integrations/cloud_defend/privilege_escalation_potential_container_escape_via_modified_notify_on_release_file.toml b/rules/integrations/cloud_defend/privilege_escalation_potential_container_escape_via_modified_notify_on_release_file.toml
index c498b546826..c04ad863321 100644
--- a/rules/integrations/cloud_defend/privilege_escalation_potential_container_escape_via_modified_notify_on_release_file.toml
+++ b/rules/integrations/cloud_defend/privilege_escalation_potential_container_escape_via_modified_notify_on_release_file.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/10/26"
 integration = ["cloud_defend"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/06"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ index = ["logs-cloud_defend*"]
 interval = "5m"
 language = "eql"
 license = "Elastic License v2"
-name = "Potential Container Escape via Modified notify_on_release File"
+name = "Deprecated - Potential Container Escape via Modified notify_on_release File"
 references = [
 "https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/",
 "https://sysdig.com/blog/detecting-mitigating-cve-2022-0492-sysdig/",
diff --git a/rules/integrations/cloud_defend/privilege_escalation_potential_container_escape_via_modified_release_agent_file.toml b/rules/integrations/cloud_defend/privilege_escalation_potential_container_escape_via_modified_release_agent_file.toml
index 9f6a95ed845..1c91460d593 100644
--- a/rules/integrations/cloud_defend/privilege_escalation_potential_container_escape_via_modified_release_agent_file.toml
+++ b/rules/integrations/cloud_defend/privilege_escalation_potential_container_escape_via_modified_release_agent_file.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/10/26"
 integration = ["cloud_defend"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/06"
 
 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ index = ["logs-cloud_defend*"]
 interval = "5m"
 language = "eql"
 license = "Elastic License v2"
-name = "Potential Container Escape via Modified release_agent File"
+name = "Deprecated - Potential Container Escape via Modified release_agent File"
 references = [
 "https://blog.aquasec.com/threat-alert-container-escape",
 "https://sysdig.com/blog/detecting-mitigating-cve-2022-0492-sysdig/",

From 15d64d4fcf67fba769e075b4345cc5e9d7622f3a Mon Sep 17 00:00:00 2001
From: Shashank K S
Date: Thu, 6 Mar 2025 14:24:56 +0530
Subject: [PATCH 2/4] Udpate names in investigation guide

---
 .../cloud_defend/container_workload_protection.toml | 2 +-
 .../credential_access_aws_creds_search_inside_a_container.toml | 2 +-
 ...llection_sensitive_files_compression_inside_a_container.toml | 2 +-
 ...s_sensitive_keys_or_passwords_search_inside_a_container.toml | 2 +-
 ...on_ld_preload_shared_object_modified_inside_a_container.toml | 2 +-
 ...ery_suspicious_network_tool_launched_inside_a_container.toml | 2 +-
 ...container_management_binary_launched_inside_a_container.toml | 2 +-
 ...ution_file_made_executable_via_chmod_inside_a_container.toml | 2 +-
 .../cloud_defend/execution_interactive_exec_to_container.toml | 2 +-
 ...ution_interactive_shell_spawned_from_inside_a_container.toml | 2 +-
 ...xecution_netcat_listener_established_inside_a_container.toml | 2 +-
 ...al_access_ssh_connection_established_inside_a_container.toml | 2 +-
 ...ateral_movement_ssh_process_launched_inside_a_container.toml | 2 +-
 ...nce_ssh_authorized_keys_modification_inside_a_container.toml | 2 +-
 ...calation_debugfs_launched_inside_a_privileged_container.toml | 2 +-
 ...escalation_mount_launched_inside_a_privileged_container.toml | 2 +-
 ...al_container_escape_via_modified_notify_on_release_file.toml | 2 +-
 ...ential_container_escape_via_modified_release_agent_file.toml | 2 +-
 18 files changed, 18 insertions(+), 18 deletions(-)

diff --git a/rules/integrations/cloud_defend/container_workload_protection.toml b/rules/integrations/cloud_defend/container_workload_protection.toml
index 2c65f166054..106b088fc74 100644
--- a/rules/integrations/cloud_defend/container_workload_protection.toml
+++ b/rules/integrations/cloud_defend/container_workload_protection.toml
@@ -42,7 +42,7 @@ note = """## Triage and analysis
 > **Disclaimer**:
 > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 
-### Investigating Container Workload Protection
+### Investigating Deprecated - Container Workload Protection
 
 Container Workload Protection is crucial for securing containerized environments by monitoring and defending against threats. Adversaries may exploit vulnerabilities in container orchestration or escape isolation to access host systems. The detection rule leverages alerts from cloud defense modules, focusing on suspicious activities within container domains, enabling timely triage and investigation of potential security incidents.
 
diff --git a/rules/integrations/cloud_defend/credential_access_aws_creds_search_inside_a_container.toml b/rules/integrations/cloud_defend/credential_access_aws_creds_search_inside_a_container.toml
index 47247858bd0..73bee423542 100644
--- a/rules/integrations/cloud_defend/credential_access_aws_creds_search_inside_a_container.toml
+++ b/rules/integrations/cloud_defend/credential_access_aws_creds_search_inside_a_container.toml
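Review bot: The new heading `### Investigating Deprecated - Container Workload Protection` reads as if "Deprecated" were part of the rule's subject, and the paragraph that follows it is unchanged, so an analyst opening this guide still gets active triage instructions with no statement that the rule is retired or what replaced it. A clearer form is to keep the heading as the rule's original name and add a short callout under it, e.g. `> **Note**: This rule is deprecated and is no longer maintained; see <replacement rule or release note — placeholder> for current coverage.`, so the deprecation is explained where the analyst reads it rather than only encoded in the title. The same heading edit is repeated in the hunks for the other files of this patch (AWS credentials search, sensitive files compression, sensitive keys search, ld.so.preload modification, suspicious network tool, container management utility, chmod, and interactive exec), and this note applies to each of them.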
@@ -45,7 +45,7 @@ note = """## Triage and analysis
 > **Disclaimer**:
 > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 
-### Investigating AWS Credentials Searched For Inside A Container
+### Investigating Deprecated - AWS Credentials Searched For Inside A Container
 
 Containers often house applications that interact with AWS services, necessitating the storage of AWS credentials. Adversaries may exploit this by using search utilities to locate these credentials, potentially leading to unauthorized access. The detection rule identifies suspicious use of search tools within containers, flagging attempts to locate AWS credentials by monitoring specific process names and arguments, thus helping to prevent credential theft and subsequent attacks.
 
diff --git a/rules/integrations/cloud_defend/credential_access_collection_sensitive_files_compression_inside_a_container.toml b/rules/integrations/cloud_defend/credential_access_collection_sensitive_files_compression_inside_a_container.toml
index d4f57df12cb..ea72a65439e 100644
--- a/rules/integrations/cloud_defend/credential_access_collection_sensitive_files_compression_inside_a_container.toml
+++ b/rules/integrations/cloud_defend/credential_access_collection_sensitive_files_compression_inside_a_container.toml
@@ -70,7 +70,7 @@ note = """## Triage and analysis
 > **Disclaimer**:
 > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 
-### Investigating Sensitive Files Compression Inside A Container
+### Investigating Deprecated - Sensitive Files Compression Inside A Container
 
 Containers are lightweight, portable environments used to run applications consistently across different systems. Adversaries may exploit compression utilities within containers to gather and exfiltrate sensitive files, such as credentials and configuration files. The detection rule identifies suspicious compression activities by monitoring for specific utilities and file paths, flagging potential unauthorized data collection attempts.
 
diff --git a/rules/integrations/cloud_defend/credential_access_sensitive_keys_or_passwords_search_inside_a_container.toml b/rules/integrations/cloud_defend/credential_access_sensitive_keys_or_passwords_search_inside_a_container.toml
index 730a1d24a48..baeaba84dea 100644
--- a/rules/integrations/cloud_defend/credential_access_sensitive_keys_or_passwords_search_inside_a_container.toml
+++ b/rules/integrations/cloud_defend/credential_access_sensitive_keys_or_passwords_search_inside_a_container.toml
@@ -52,7 +52,7 @@ note = """## Triage and analysis
 > **Disclaimer**:
 > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 
-### Investigating Sensitive Keys Or Passwords Searched For Inside A Container
+### Investigating Deprecated - Sensitive Keys Or Passwords Searched For Inside A Container
 
 Containers encapsulate applications, providing isolated environments. Adversaries may exploit search utilities like grep or find to locate sensitive credentials within containers, potentially leading to unauthorized access or container escape. The detection rule identifies suspicious searches for private keys or passwords, flagging potential credential access attempts by monitoring process activities and arguments.
 
diff --git a/rules/integrations/cloud_defend/defense_evasion_ld_preload_shared_object_modified_inside_a_container.toml b/rules/integrations/cloud_defend/defense_evasion_ld_preload_shared_object_modified_inside_a_container.toml
index 0c21dc77d4d..8d583b6bbd4 100644
--- a/rules/integrations/cloud_defend/defense_evasion_ld_preload_shared_object_modified_inside_a_container.toml
+++ b/rules/integrations/cloud_defend/defense_evasion_ld_preload_shared_object_modified_inside_a_container.toml
@@ -39,7 +39,7 @@ note = """## Triage and analysis
 > **Disclaimer**:
 > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 
-### Investigating Modification of Dynamic Linker Preload Shared Object Inside A Container
+### Investigating Deprecated - Modification of Dynamic Linker Preload Shared Object Inside A Container
 
 The dynamic linker in Linux loads necessary libraries for programs at runtime, with the `ld.so.preload` file specifying libraries to load first. Adversaries exploit this by redirecting it to malicious libraries, gaining unauthorized access and evading detection. The detection rule identifies suspicious modifications to this file within containers, signaling potential hijacking attempts.
 
diff --git a/rules/integrations/cloud_defend/discovery_suspicious_network_tool_launched_inside_a_container.toml b/rules/integrations/cloud_defend/discovery_suspicious_network_tool_launched_inside_a_container.toml
index d1306d6c61e..80dc1ecc1b8 100644
--- a/rules/integrations/cloud_defend/discovery_suspicious_network_tool_launched_inside_a_container.toml
+++ b/rules/integrations/cloud_defend/discovery_suspicious_network_tool_launched_inside_a_container.toml
@@ -54,7 +54,7 @@ note = """## Triage and analysis
 > **Disclaimer**:
 > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 
-### Investigating Suspicious Network Tool Launched Inside A Container
+### Investigating Deprecated - Suspicious Network Tool Launched Inside A Container
 
 Containers are lightweight, portable units that encapsulate applications and their dependencies, often used to ensure consistent environments across development and production. Adversaries exploit network tools within containers for reconnaissance or lateral movement, leveraging utilities like `nc` or `nmap` to map networks or intercept traffic. The detection rule identifies these tools' execution by monitoring process starts and arguments, flagging potential misuse for further investigation.
 
diff --git a/rules/integrations/cloud_defend/execution_container_management_binary_launched_inside_a_container.toml b/rules/integrations/cloud_defend/execution_container_management_binary_launched_inside_a_container.toml
index 0c4c85e0149..8dd04b196ab 100644
--- a/rules/integrations/cloud_defend/execution_container_management_binary_launched_inside_a_container.toml
+++ b/rules/integrations/cloud_defend/execution_container_management_binary_launched_inside_a_container.toml
@@ -48,7 +48,7 @@ note = """## Triage and analysis
 > **Disclaimer**:
 > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 
-### Investigating Container Management Utility Run Inside A Container
+### Investigating Deprecated - Container Management Utility Run Inside A Container
 
 Container management utilities like Docker and Kubernetes are essential for orchestrating and managing containerized applications. They facilitate tasks such as deployment, scaling, and networking. However, adversaries can exploit these tools to execute unauthorized commands within containers, potentially leading to system compromise. The detection rule identifies suspicious execution of these utilities within containers, signaling possible misuse or misconfiguration, by monitoring specific process activities and event types.
 
diff --git a/rules/integrations/cloud_defend/execution_file_made_executable_via_chmod_inside_a_container.toml b/rules/integrations/cloud_defend/execution_file_made_executable_via_chmod_inside_a_container.toml
index 827ca1f5ac7..374238b1809 100644
--- a/rules/integrations/cloud_defend/execution_file_made_executable_via_chmod_inside_a_container.toml
+++ b/rules/integrations/cloud_defend/execution_file_made_executable_via_chmod_inside_a_container.toml
@@ -44,7 +44,7 @@ note = """## Triage and analysis > **Disclaimer**: > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. -### Investigating File Made Executable via Chmod Inside A Container +### Investigating Deprecated - File Made Executable via Chmod Inside A Container Containers provide isolated environments for running applications, often on Linux systems. The `chmod` command is used to change file permissions, including making files executable. Adversaries may exploit this by altering permissions to execute unauthorized scripts or binaries, potentially leading to malicious activity. The detection rule identifies such actions by monitoring for `chmod` usage that grants execute permissions, focusing on specific permission patterns, and excluding benign cases. This helps in identifying potential threats where attackers attempt to execute unauthorized code within containers. diff --git a/rules/integrations/cloud_defend/execution_interactive_exec_to_container.toml b/rules/integrations/cloud_defend/execution_interactive_exec_to_container.toml index eae193150e6..9c2a6e1b372 100644 --- a/rules/integrations/cloud_defend/execution_interactive_exec_to_container.toml +++ b/rules/integrations/cloud_defend/execution_interactive_exec_to_container.toml 
@@ -64,7 +64,7 @@ note = """## Triage and analysis > **Disclaimer**: > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. -### Investigating Interactive Exec Command Launched Against A Running Container +### Investigating Deprecated - Interactive Exec Command Launched Against A Running Container In containerized environments, the 'exec' command is used to run processes inside a running container, often for debugging or administrative tasks. Adversaries may exploit this to gain shell access, potentially leading to further compromise or container escape. The detection rule identifies such activities by monitoring for interactive 'exec' sessions, focusing on initial processes within containers, and flagging high-risk interactions. diff --git a/rules/integrations/cloud_defend/execution_interactive_shell_spawned_from_inside_a_container.toml b/rules/integrations/cloud_defend/execution_interactive_shell_spawned_from_inside_a_container.toml index a85ced1d648..e1fccd467f6 100644 --- a/rules/integrations/cloud_defend/execution_interactive_shell_spawned_from_inside_a_container.toml +++ b/rules/integrations/cloud_defend/execution_interactive_shell_spawned_from_inside_a_container.toml 
@@ -53,7 +53,7 @@ note = """## Triage and analysis > **Disclaimer**: > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. -### Investigating Suspicious Interactive Shell Spawned From Inside A Container +### Investigating Deprecated - Suspicious Interactive Shell Spawned From Inside A Container Containers are lightweight, portable units that encapsulate applications and their dependencies, often used to ensure consistent environments across development and production. Adversaries may exploit containers by spawning interactive shells to execute unauthorized commands, potentially leading to container escape and host compromise. The detection rule identifies such threats by monitoring for shell processes initiated within containers, focusing on specific process actions and arguments indicative of interactive sessions. diff --git a/rules/integrations/cloud_defend/execution_netcat_listener_established_inside_a_container.toml b/rules/integrations/cloud_defend/execution_netcat_listener_established_inside_a_container.toml index 83efa291aec..109fb8ab363 100644 --- a/rules/integrations/cloud_defend/execution_netcat_listener_established_inside_a_container.toml +++ b/rules/integrations/cloud_defend/execution_netcat_listener_established_inside_a_container.toml 
@@ -58,7 +58,7 @@ note = """## Triage and analysis > **Disclaimer**: > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. -### Investigating Netcat Listener Established Inside A Container +### Investigating Deprecated - Netcat Listener Established Inside A Container Netcat is a versatile networking tool used for reading and writing data across network connections, often employed for legitimate purposes like debugging and network diagnostics. However, adversaries can exploit Netcat to establish unauthorized backdoors or exfiltrate data from containers. The detection rule identifies suspicious Netcat activity by monitoring process events within containers, focusing on specific arguments that indicate a listening state, which is a common trait of malicious use. This proactive detection helps mitigate potential threats by flagging unusual network behavior indicative of compromise. diff --git a/rules/integrations/cloud_defend/initial_access_ssh_connection_established_inside_a_container.toml b/rules/integrations/cloud_defend/initial_access_ssh_connection_established_inside_a_container.toml index 64b5d48c183..4c996b6c2ae 100644 --- a/rules/integrations/cloud_defend/initial_access_ssh_connection_established_inside_a_container.toml +++ b/rules/integrations/cloud_defend/initial_access_ssh_connection_established_inside_a_container.toml 
@@ -58,7 +58,7 @@ note = """## Triage and analysis > **Disclaimer**: > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. -### Investigating SSH Connection Established Inside A Running Container +### Investigating Deprecated - SSH Connection Established Inside A Running Container SSH (Secure Shell) is a protocol used to securely access and manage systems remotely. In containerized environments, running an SSH daemon is generally discouraged due to security risks. Adversaries may exploit SSH to gain unauthorized access or maintain persistence within a compromised container. The detection rule identifies SSH connections initiated within containers by monitoring for SSH daemon processes that start new sessions, indicating potential unauthorized access attempts. This rule is crucial for identifying and mitigating threats related to initial access and lateral movement within containerized environments. diff --git a/rules/integrations/cloud_defend/lateral_movement_ssh_process_launched_inside_a_container.toml b/rules/integrations/cloud_defend/lateral_movement_ssh_process_launched_inside_a_container.toml index a01aea37f6e..24db422d938 100644 --- a/rules/integrations/cloud_defend/lateral_movement_ssh_process_launched_inside_a_container.toml +++ b/rules/integrations/cloud_defend/lateral_movement_ssh_process_launched_inside_a_container.toml 
@@ -53,7 +53,7 @@ note = """## Triage and analysis > **Disclaimer**: > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. -### Investigating SSH Process Launched From Inside A Container +### Investigating Deprecated - SSH Process Launched From Inside A Container SSH (Secure Shell) is a protocol used for secure remote access and management of systems. Within container environments, SSH usage is atypical and can signal potential security risks. Adversaries may exploit SSH to move laterally between containers or escape to the host system. The detection rule identifies SSH processes initiated within containers, flagging potential unauthorized access or persistence attempts by monitoring process events and container identifiers. diff --git a/rules/integrations/cloud_defend/persistence_ssh_authorized_keys_modification_inside_a_container.toml b/rules/integrations/cloud_defend/persistence_ssh_authorized_keys_modification_inside_a_container.toml index bc604397f35..3b2bb66f6ec 100644 --- a/rules/integrations/cloud_defend/persistence_ssh_authorized_keys_modification_inside_a_container.toml +++ b/rules/integrations/cloud_defend/persistence_ssh_authorized_keys_modification_inside_a_container.toml 
@@ -42,7 +42,7 @@ note = """## Triage and analysis > **Disclaimer**: > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. -### Investigating SSH Authorized Keys File Modified Inside a Container +### Investigating Deprecated - SSH Authorized Keys File Modified Inside a Container In containerized environments, SSH keys facilitate secure access, but adversaries can exploit this by altering the authorized_keys file to gain unauthorized access. This detection rule identifies suspicious changes to SSH configuration files within containers, signaling potential persistence tactics. By monitoring file modifications, it helps detect unauthorized SSH usage, a common indicator of compromise. diff --git a/rules/integrations/cloud_defend/privilege_escalation_debugfs_launched_inside_a_privileged_container.toml b/rules/integrations/cloud_defend/privilege_escalation_debugfs_launched_inside_a_privileged_container.toml index 645f7249a6e..f17ded3330a 100644 --- a/rules/integrations/cloud_defend/privilege_escalation_debugfs_launched_inside_a_privileged_container.toml +++ b/rules/integrations/cloud_defend/privilege_escalation_debugfs_launched_inside_a_privileged_container.toml 
@@ -48,7 +48,7 @@ note = """## Triage and analysis > **Disclaimer**: > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. -### Investigating File System Debugger Launched Inside a Privileged Container +### Investigating Deprecated - File System Debugger Launched Inside a Privileged Container DebugFS is a Linux utility for direct file system manipulation, often used for debugging. In a privileged container, which has extensive access to the host, adversaries can exploit DebugFS to access sensitive host files, potentially leading to privilege escalation or container escape. The detection rule identifies suspicious DebugFS usage by monitoring process initiation with specific arguments in privileged containers, flagging potential misuse. diff --git a/rules/integrations/cloud_defend/privilege_escalation_mount_launched_inside_a_privileged_container.toml b/rules/integrations/cloud_defend/privilege_escalation_mount_launched_inside_a_privileged_container.toml index efb8d38e7e3..b9fbbe2ff24 100644 --- a/rules/integrations/cloud_defend/privilege_escalation_mount_launched_inside_a_privileged_container.toml +++ b/rules/integrations/cloud_defend/privilege_escalation_mount_launched_inside_a_privileged_container.toml 
@@ -46,7 +46,7 @@ note = """## Triage and analysis > **Disclaimer**: > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. -### Investigating Mount Launched Inside a Privileged Container +### Investigating Deprecated - Mount Launched Inside a Privileged Container In containerized environments, the `mount` utility is crucial for attaching file systems to the system's directory tree. When executed within a privileged container, which has extensive host capabilities, it can be exploited by adversaries to access sensitive host files, potentially leading to privilege escalation or container escapes. The detection rule identifies such misuse by monitoring the execution of `mount` in privileged containers, flagging potential security threats for further investigation. diff --git a/rules/integrations/cloud_defend/privilege_escalation_potential_container_escape_via_modified_notify_on_release_file.toml b/rules/integrations/cloud_defend/privilege_escalation_potential_container_escape_via_modified_notify_on_release_file.toml index c04ad863321..977f257c554 100644 --- a/rules/integrations/cloud_defend/privilege_escalation_potential_container_escape_via_modified_notify_on_release_file.toml +++ b/rules/integrations/cloud_defend/privilege_escalation_potential_container_escape_via_modified_notify_on_release_file.toml 
@@ -47,7 +47,7 @@ note = """## Triage and analysis > **Disclaimer**: > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. -### Investigating Potential Container Escape via Modified notify_on_release File +### Investigating Deprecated - Potential Container Escape via Modified notify_on_release File In containerized environments, the `notify_on_release` file in cgroups can trigger host-level commands when a cgroup becomes empty. Adversaries exploit this by modifying the file from privileged containers, potentially executing unauthorized commands on the host. The detection rule monitors changes to `notify_on_release` files, flagging suspicious modifications indicative of privilege escalation attempts. diff --git a/rules/integrations/cloud_defend/privilege_escalation_potential_container_escape_via_modified_release_agent_file.toml b/rules/integrations/cloud_defend/privilege_escalation_potential_container_escape_via_modified_release_agent_file.toml index 1c91460d593..0757bb35e97 100644 --- a/rules/integrations/cloud_defend/privilege_escalation_potential_container_escape_via_modified_release_agent_file.toml +++ b/rules/integrations/cloud_defend/privilege_escalation_potential_container_escape_via_modified_release_agent_file.toml 
@@ -46,7 +46,7 @@ note = """## Triage and analysis > **Disclaimer**: > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. -### Investigating Potential Container Escape via Modified release_agent File +### Investigating Deprecated - Potential Container Escape via Modified release_agent File In containerized environments, the release_agent file in CGroup directories can execute scripts upon process termination. Adversaries exploit this by modifying the file from privileged containers, potentially escalating privileges or escaping to the host. The detection rule monitors changes to the release_agent file, flagging unauthorized modifications indicative of such exploits. From efc14d928a042cf53136d24d8e487902999d84c8 Mon Sep 17 00:00:00 2001 
From: Isai <59296946+imays11@users.noreply.github.com> Date: Thu, 6 Mar 2025 16:58:54 -0500 Subject: [PATCH 3/4] Adding deprecation note under Setup field --- .../cloud_defend/container_workload_protection.toml | 4 +++- ...edential_access_aws_creds_search_inside_a_container.toml | 6 +++++- ...tion_sensitive_files_compression_inside_a_container.toml | 6 +++++- ...nsitive_keys_or_passwords_search_inside_a_container.toml | 6 +++++- ...d_preload_shared_object_modified_inside_a_container.toml | 6 +++++- ...suspicious_network_tool_launched_inside_a_container.toml | 6 +++++- ...ainer_management_binary_launched_inside_a_container.toml | 6 +++++- ...n_file_made_executable_via_chmod_inside_a_container.toml | 6 +++++- .../execution_interactive_exec_to_container.toml | 6 +++++- ...n_interactive_shell_spawned_from_inside_a_container.toml | 6 +++++- ...tion_netcat_listener_established_inside_a_container.toml | 6 +++++- ...ccess_ssh_connection_established_inside_a_container.toml | 6 +++++- ...al_movement_ssh_process_launched_inside_a_container.toml | 6 +++++- ...ssh_authorized_keys_modification_inside_a_container.toml | 6 +++++- ...tion_debugfs_launched_inside_a_privileged_container.toml | 6 +++++- ...lation_mount_launched_inside_a_privileged_container.toml | 6 +++++- ...ontainer_escape_via_modified_notify_on_release_file.toml | 6 +++++- ...al_container_escape_via_modified_release_agent_file.toml | 6 +++++- 18 files changed, 88 insertions(+), 18 deletions(-) diff --git a/rules/integrations/cloud_defend/container_workload_protection.toml b/rules/integrations/cloud_defend/container_workload_protection.toml index 106b088fc74..c43c663f092 100644 --- a/rules/integrations/cloud_defend/container_workload_protection.toml +++ b/rules/integrations/cloud_defend/container_workload_protection.toml 
@@ -20,7 +20,9 @@ name = "Deprecated - Container Workload Protection" risk_score = 47 rule_id = "4b4e9c99-27ea-4621-95c8-82341bc6e512" rule_name_override = "message" -setup = """## Setup +note = """## Setup + +This rule was deprecated in the 8.18 and 9.0 version of the Elastic Stack due to the deprecation of the Defend For Containers integration. Users using 8.18+ versions should disable this rule and enable linux-based rules tagged "Domain: Container". This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. diff --git a/rules/integrations/cloud_defend/credential_access_aws_creds_search_inside_a_container.toml b/rules/integrations/cloud_defend/credential_access_aws_creds_search_inside_a_container.toml index 73bee423542..962719fc1f6 100644 --- a/rules/integrations/cloud_defend/credential_access_aws_creds_search_inside_a_container.toml +++ b/rules/integrations/cloud_defend/credential_access_aws_creds_search_inside_a_container.toml 
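Review bot: The removed line is `setup = """## Setup` and the added line is `note = """## Setup`, so this hunk renames the `setup` field to `note` instead of only inserting the deprecation paragraph, and the existing max-alerts guidance on the following context lines moves from the rule's setup field into its investigation guide; if this file also declares a `note` key further down (not visible in the hunk) the result is a duplicate TOML key that parsers reject. If the rename is deliberate the commit message should say so; otherwise keep `setup = """## Setup` and add the new paragraph beneath it. The wording also diverges from the other hunks in this patch, which say "versions" and quote the integration name — `This rule was deprecated in the 8.18 and 9.0 versions of the Elastic Stack due to deprecation of the 'Defend For Containers' integration.` would keep the eighteen notes identical.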
@@ -40,7 +40,11 @@ process where event.module == "cloud_defend" and (process.name : ("grep", "egrep", "fgrep", "find", "locate", "mlocate") or process.args : ("grep", "egrep", "fgrep", "find", "locate", "mlocate")) and process.args : ("*aws_access_key_id*", "*aws_secret_access_key*", "*aws_session_token*", "*accesskeyid*", "*secretaccesskey*", "*access_key*", "*.aws/credentials*") ''' -note = """## Triage and analysis +note = """## Setup + +This rule was deprecated in the 8.18 and 9.0 versions of the Elastic Stack due to deprecation of the 'Defend For Containers' integration. Users using 8.18+ versions should disable this rule and enable linux-based rules tagged "Domain: Container". + +## Triage and analysis > **Disclaimer**: > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. diff --git a/rules/integrations/cloud_defend/credential_access_collection_sensitive_files_compression_inside_a_container.toml b/rules/integrations/cloud_defend/credential_access_collection_sensitive_files_compression_inside_a_container.toml index ea72a65439e..ef3297e2831 100644 --- a/rules/integrations/cloud_defend/credential_access_collection_sensitive_files_compression_inside_a_container.toml +++ b/rules/integrations/cloud_defend/credential_access_collection_sensitive_files_compression_inside_a_container.toml 
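Review bot: The deprecation exists only as prose inside the `note` string on the added lines, so nothing machine-readable marks the rule as retired; the hunk leaves the rule's `[metadata]` (maturity and any deprecation date, outside this hunk) untouched, and a user who never opens the investigation guide keeps an enabled rule whose `event.module == "cloud_defend"` query presumably goes quiet once the integration is gone. Pair the note with whatever metadata convention this repository uses for retired rules — likely `maturity = "deprecated"` plus a `deprecation_date` key, to be confirmed against other deprecated rules in the tree. The sentence `Users using 8.18+ versions should disable this rule` also reads awkwardly; `Users on 8.18 or later should disable this rule` is cleaner, and the same text is copy-pasted into every file in this patch, so fix it once and propagate.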
@@ -65,7 +65,11 @@ and process.args: ( "/etc/shadow", "/etc/gshadow") ''' -note = """## Triage and analysis +note = """## Setup + +This rule was deprecated in the 8.18 and 9.0 versions of the Elastic Stack due to deprecation of the 'Defend For Containers' integration. Users using 8.18+ versions should disable this rule and enable linux-based rules tagged "Domain: Container". + +## Triage and analysis > **Disclaimer**: > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. diff --git a/rules/integrations/cloud_defend/credential_access_sensitive_keys_or_passwords_search_inside_a_container.toml b/rules/integrations/cloud_defend/credential_access_sensitive_keys_or_passwords_search_inside_a_container.toml index baeaba84dea..0a1a6b0d77e 100644 --- a/rules/integrations/cloud_defend/credential_access_sensitive_keys_or_passwords_search_inside_a_container.toml +++ b/rules/integrations/cloud_defend/credential_access_sensitive_keys_or_passwords_search_inside_a_container.toml @@ -47,7 +47,11 @@ or and process.args : ("*id_rsa*", "*id_dsa*") )) ''' -note = """## Triage and analysis +note = """## Setup + +This rule was deprecated in the 8.18 and 9.0 versions of the Elastic Stack due to deprecation of the 'Defend For Containers' integration. Users using 8.18+ versions should disable this rule and enable linux-based rules tagged "Domain: Container". + +## Triage and analysis > **Disclaimer**: > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. 
diff --git a/rules/integrations/cloud_defend/defense_evasion_ld_preload_shared_object_modified_inside_a_container.toml b/rules/integrations/cloud_defend/defense_evasion_ld_preload_shared_object_modified_inside_a_container.toml index 8d583b6bbd4..ee2373adfbe 100644 --- a/rules/integrations/cloud_defend/defense_evasion_ld_preload_shared_object_modified_inside_a_container.toml +++ b/rules/integrations/cloud_defend/defense_evasion_ld_preload_shared_object_modified_inside_a_container.toml @@ -34,7 +34,11 @@ type = "eql" query = ''' file where event.module== "cloud_defend" and event.type != "deletion" and file.path== "/etc/ld.so.preload" ''' -note = """## Triage and analysis +note = """## Setup + +This rule was deprecated in the 8.18 and 9.0 versions of the Elastic Stack due to deprecation of the 'Defend For Containers' integration. Users using 8.18+ versions should disable this rule and enable linux-based rules tagged "Domain: Container". + +## Triage and analysis > **Disclaimer**: > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. diff --git a/rules/integrations/cloud_defend/discovery_suspicious_network_tool_launched_inside_a_container.toml b/rules/integrations/cloud_defend/discovery_suspicious_network_tool_launched_inside_a_container.toml index 80dc1ecc1b8..ad44da93b51 100644 --- a/rules/integrations/cloud_defend/discovery_suspicious_network_tool_launched_inside_a_container.toml +++ b/rules/integrations/cloud_defend/discovery_suspicious_network_tool_launched_inside_a_container.toml 
@@ -49,7 +49,11 @@ process where container.id: "*" and event.type== "start" and (process.args: ("nc", "ncat", "nmap", "dig", "nslookup", "tcpdump", "tshark", "ngrep", "telnet", "mitmproxy", "socat", "zmap", "masscan", "zgrab")) ) ''' -note = """## Triage and analysis +note = """## Setup + +This rule was deprecated in the 8.18 and 9.0 versions of the Elastic Stack due to deprecation of the 'Defend For Containers' integration. Users using 8.18+ versions should disable this rule and enable linux-based rules tagged "Domain: Container". + +## Triage and analysis > **Disclaimer**: > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. diff --git a/rules/integrations/cloud_defend/execution_container_management_binary_launched_inside_a_container.toml b/rules/integrations/cloud_defend/execution_container_management_binary_launched_inside_a_container.toml index 8dd04b196ab..094241f2eb0 100644 --- a/rules/integrations/cloud_defend/execution_container_management_binary_launched_inside_a_container.toml +++ b/rules/integrations/cloud_defend/execution_container_management_binary_launched_inside_a_container.toml 
@@ -43,7 +43,11 @@ query = ''' process where container.id: "*" and event.type== "start" and process.name: ("dockerd", "docker", "kubelet", "kube-proxy", "kubectl", "containerd", "runc", "systemd", "crictl") ''' -note = """## Triage and analysis +note = """## Setup + +This rule was deprecated in the 8.18 and 9.0 versions of the Elastic Stack due to deprecation of the 'Defend For Containers' integration. Users using 8.18+ versions should disable this rule and enable linux-based rules tagged "Domain: Container". + +## Triage and analysis > **Disclaimer**: > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. diff --git a/rules/integrations/cloud_defend/execution_file_made_executable_via_chmod_inside_a_container.toml b/rules/integrations/cloud_defend/execution_file_made_executable_via_chmod_inside_a_container.toml index 374238b1809..0488bbf50bf 100644 --- a/rules/integrations/cloud_defend/execution_file_made_executable_via_chmod_inside_a_container.toml +++ b/rules/integrations/cloud_defend/execution_file_made_executable_via_chmod_inside_a_container.toml 
@@ -39,7 +39,11 @@ file where container.id: "*" and event.type in ("change", "creation") and (process.name : "chmod" or process.args : "chmod") and process.args : ("*x*", "777", "755", "754", "700") and not process.args: "-x" ''' -note = """## Triage and analysis +note = """## Setup + +This rule was deprecated in the 8.18 and 9.0 versions of the Elastic Stack due to deprecation of the 'Defend For Containers' integration. Users using 8.18+ versions should disable this rule and enable linux-based rules tagged "Domain: Container". + +## Triage and analysis > **Disclaimer**: > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. diff --git a/rules/integrations/cloud_defend/execution_interactive_exec_to_container.toml b/rules/integrations/cloud_defend/execution_interactive_exec_to_container.toml index 9c2a6e1b372..4e7a870746e 100644 --- a/rules/integrations/cloud_defend/execution_interactive_exec_to_container.toml +++ b/rules/integrations/cloud_defend/execution_interactive_exec_to_container.toml 
@@ -59,7 +59,11 @@ process.entry_leader.same_as_process== true and /* interactive process */ process.interactive == true ''' -note = """## Triage and analysis +note = """## Setup + +This rule was deprecated in the 8.18 and 9.0 versions of the Elastic Stack due to deprecation of the 'Defend For Containers' integration. Users using 8.18+ versions should disable this rule and enable linux-based rules tagged "Domain: Container". + +## Triage and analysis > **Disclaimer**: > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. diff --git a/rules/integrations/cloud_defend/execution_interactive_shell_spawned_from_inside_a_container.toml b/rules/integrations/cloud_defend/execution_interactive_shell_spawned_from_inside_a_container.toml index e1fccd467f6..cccb71f9293 100644 --- a/rules/integrations/cloud_defend/execution_interactive_shell_spawned_from_inside_a_container.toml +++ b/rules/integrations/cloud_defend/execution_interactive_shell_spawned_from_inside_a_container.toml @@ -48,7 +48,11 @@ event.action in ("fork", "exec") and process.args: "*/*sh" ) ''' -note = """## Triage and analysis +note = """## Setup + +This rule was deprecated in the 8.18 and 9.0 versions of the Elastic Stack due to deprecation of the 'Defend For Containers' integration. Users using 8.18+ versions should disable this rule and enable linux-based rules tagged "Domain: Container". + +## Triage and analysis > **Disclaimer**: > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. 
diff --git a/rules/integrations/cloud_defend/execution_netcat_listener_established_inside_a_container.toml b/rules/integrations/cloud_defend/execution_netcat_listener_established_inside_a_container.toml index 109fb8ab363..1f61a08ea64 100644 --- a/rules/integrations/cloud_defend/execution_netcat_listener_established_inside_a_container.toml +++ b/rules/integrations/cloud_defend/execution_netcat_listener_established_inside_a_container.toml @@ -53,7 +53,11 @@ process.args: ("nc","ncat","netcat","netcat.openbsd","netcat.traditional") or process.args:("-*l*", "--listen", "-*p*", "--source-port") ) ''' -note = """## Triage and analysis +note = """## Setup + +This rule was deprecated in the 8.18 and 9.0 versions of the Elastic Stack due to deprecation of the 'Defend For Containers' integration. Users using 8.18+ versions should disable this rule and enable linux-based rules tagged "Domain: Container". + +## Triage and analysis > **Disclaimer**: > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. diff --git a/rules/integrations/cloud_defend/initial_access_ssh_connection_established_inside_a_container.toml b/rules/integrations/cloud_defend/initial_access_ssh_connection_established_inside_a_container.toml index 4c996b6c2ae..5d303ab5ee2 100644 --- a/rules/integrations/cloud_defend/initial_access_ssh_connection_established_inside_a_container.toml +++ b/rules/integrations/cloud_defend/initial_access_ssh_connection_established_inside_a_container.toml 
@@ -53,7 +53,11 @@ process.entry_leader.entry_meta.type: "sshd" and /* interactive process*/ process.interactive== true ''' -note = """## Triage and analysis +note = """## Setup + +This rule was deprecated in the 8.18 and 9.0 versions of the Elastic Stack due to deprecation of the 'Defend For Containers' integration. Users using 8.18+ versions should disable this rule and enable linux-based rules tagged "Domain: Container". + +## Triage and analysis > **Disclaimer**: > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. diff --git a/rules/integrations/cloud_defend/lateral_movement_ssh_process_launched_inside_a_container.toml b/rules/integrations/cloud_defend/lateral_movement_ssh_process_launched_inside_a_container.toml index 24db422d938..d8c3752bb62 100644 --- a/rules/integrations/cloud_defend/lateral_movement_ssh_process_launched_inside_a_container.toml +++ b/rules/integrations/cloud_defend/lateral_movement_ssh_process_launched_inside_a_container.toml 
@@ -48,7 +48,11 @@ process where container.id: "*" and event.type== "start" and event.action in ("fork", "exec") and process.name: ("sshd", "ssh", "autossh")
 '''
-note = """## Triage and analysis
+note = """## Setup
+
+This rule was deprecated in the 8.18 and 9.0 versions of the Elastic Stack due to deprecation of the 'Defend For Containers' integration. Users using 8.18+ versions should disable this rule and enable linux-based rules tagged "Domain: Container".
+
+## Triage and analysis
 
 > **Disclaimer**:
 > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
diff --git a/rules/integrations/cloud_defend/persistence_ssh_authorized_keys_modification_inside_a_container.toml b/rules/integrations/cloud_defend/persistence_ssh_authorized_keys_modification_inside_a_container.toml
index 3b2bb66f6ec..ca4f95312ed 100644
--- a/rules/integrations/cloud_defend/persistence_ssh_authorized_keys_modification_inside_a_container.toml
+++ b/rules/integrations/cloud_defend/persistence_ssh_authorized_keys_modification_inside_a_container.toml
@@ -37,7 +37,11 @@ query = '''
 file where container.id:"*" and event.type in ("change", "creation") and file.name: ("authorized_keys", "authorized_keys2", "sshd_config")
 '''
-note = """## Triage and analysis
+note = """## Setup
+
+This rule was deprecated in the 8.18 and 9.0 versions of the Elastic Stack due to deprecation of the 'Defend For Containers' integration. Users using 8.18+ versions should disable this rule and enable linux-based rules tagged "Domain: Container".
+
+## Triage and analysis
 
 > **Disclaimer**:
 > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
diff --git a/rules/integrations/cloud_defend/privilege_escalation_debugfs_launched_inside_a_privileged_container.toml b/rules/integrations/cloud_defend/privilege_escalation_debugfs_launched_inside_a_privileged_container.toml
index f17ded3330a..e55a4294315 100644
--- a/rules/integrations/cloud_defend/privilege_escalation_debugfs_launched_inside_a_privileged_container.toml
+++ b/rules/integrations/cloud_defend/privilege_escalation_debugfs_launched_inside_a_privileged_container.toml
@@ -43,7 +43,11 @@ process where event.module == "cloud_defend" and process.args : "/dev/sd*" and not process.args == "-R" and container.security_context.privileged == true
 '''
-note = """## Triage and analysis
+note = """## Setup
+
+This rule was deprecated in the 8.18 and 9.0 versions of the Elastic Stack due to deprecation of the 'Defend For Containers' integration. Users using 8.18+ versions should disable this rule and enable linux-based rules tagged "Domain: Container".
+
+## Triage and analysis
 
 > **Disclaimer**:
 > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
diff --git a/rules/integrations/cloud_defend/privilege_escalation_mount_launched_inside_a_privileged_container.toml b/rules/integrations/cloud_defend/privilege_escalation_mount_launched_inside_a_privileged_container.toml
index b9fbbe2ff24..f63d302437f 100644
--- a/rules/integrations/cloud_defend/privilege_escalation_mount_launched_inside_a_privileged_container.toml
+++ b/rules/integrations/cloud_defend/privilege_escalation_mount_launched_inside_a_privileged_container.toml
@@ -41,7 +41,11 @@ query = '''
 process where event.module == "cloud_defend" and event.type== "start" and (process.name== "mount" or process.args== "mount") and container.security_context.privileged == true
 '''
-note = """## Triage and analysis
+note = """## Setup
+
+This rule was deprecated in the 8.18 and 9.0 versions of the Elastic Stack due to deprecation of the 'Defend For Containers' integration. Users using 8.18+ versions should disable this rule and enable linux-based rules tagged "Domain: Container".
+
+## Triage and analysis
 
 > **Disclaimer**:
 > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
diff --git a/rules/integrations/cloud_defend/privilege_escalation_potential_container_escape_via_modified_notify_on_release_file.toml b/rules/integrations/cloud_defend/privilege_escalation_potential_container_escape_via_modified_notify_on_release_file.toml
index 977f257c554..cf73f4b2251 100644
--- a/rules/integrations/cloud_defend/privilege_escalation_potential_container_escape_via_modified_notify_on_release_file.toml
+++ b/rules/integrations/cloud_defend/privilege_escalation_potential_container_escape_via_modified_notify_on_release_file.toml
@@ -42,7 +42,11 @@ query = '''
 file where event.module == "cloud_defend" and event.action == "open" and event.type == "change" and file.name : "notify_on_release"
 '''
-note = """## Triage and analysis
+note = """## Setup
+
+This rule was deprecated in the 8.18 and 9.0 versions of the Elastic Stack due to deprecation of the 'Defend For Containers' integration. Users using 8.18+ versions should disable this rule and enable linux-based rules tagged "Domain: Container".
+
+## Triage and analysis
 
 > **Disclaimer**:
 > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
diff --git a/rules/integrations/cloud_defend/privilege_escalation_potential_container_escape_via_modified_release_agent_file.toml b/rules/integrations/cloud_defend/privilege_escalation_potential_container_escape_via_modified_release_agent_file.toml
index 0757bb35e97..814ae42138d 100644
--- a/rules/integrations/cloud_defend/privilege_escalation_potential_container_escape_via_modified_release_agent_file.toml
+++ b/rules/integrations/cloud_defend/privilege_escalation_potential_container_escape_via_modified_release_agent_file.toml
@@ -41,7 +41,11 @@ query = '''
 file where event.module == "cloud_defend" and event.action == "open" and event.type == "change" and file.name : "release_agent"
 '''
-note = """## Triage and analysis
+note = """## Setup
+
+This rule was deprecated in the 8.18 and 9.0 versions of the Elastic Stack due to deprecation of the 'Defend For Containers' integration. Users using 8.18+ versions should disable this rule and enable linux-based rules tagged "Domain: Container".
+
+## Triage and analysis
 
 > **Disclaimer**:
 > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
From 64d9c6628ec88c46bf3b06273c09909109996ed4 Mon Sep 17 00:00:00 2001
From: Isai <59296946+imays11@users.noreply.github.com>
Date: Thu, 6 Mar 2025 17:11:22 -0500
Subject: [PATCH 4/4] reverting back to setup field name
---
 .../cloud_defend/container_workload_protection.toml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/integrations/cloud_defend/container_workload_protection.toml b/rules/integrations/cloud_defend/container_workload_protection.toml
index c43c663f092..9842cd1f148 100644
--- a/rules/integrations/cloud_defend/container_workload_protection.toml
+++ b/rules/integrations/cloud_defend/container_workload_protection.toml
@@ -20,9 +20,9 @@ name = "Deprecated - Container Workload Protection"
 risk_score = 47
 rule_id = "4b4e9c99-27ea-4621-95c8-82341bc6e512"
 rule_name_override = "message"
-note = """## Setup
+setup = """## Setup
 
-This rule was deprecated in the 8.18 and 9.0 version of the Elastic Stack due to the deprecation of the Defend For Containers integration. Users using 8.18+ versions should disable this rule and enable linux-based rules tagged "Domain: Container".
+This rule was deprecated in the 8.18 and 9.0 versions of the Elastic Stack due to deprecation of the 'Defend For Containers' integration. Users using 8.18+ versions should disable this rule and enable linux-based rules tagged "Domain: Container".
 
 This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible.