From 97938110f419c34dde24b8bf000f83b67346b368 Mon Sep 17 00:00:00 2001 
From: JocLRojas Date: Mon, 8 Jun 2026 18:49:18 +0300 Subject: [PATCH] refactor(rules): drop "now-" prefix from within field --- .../bitdefender_gz/av_console_lateral_movement.yml | 2 +- rules/antivirus/bitdefender_gz/av_policy_override.yml | 2 +- .../bitdefender_gz/malware_outbreak_multiple_hosts.yml | 2 +- .../multiple_malware_from_single_source.yml | 2 +- .../antivirus/bitdefender_gz/network_threat_detection.yml | 4 ++-- .../bitdefender_gz/ransomware_behavior_detection.yml | 2 +- .../antivirus/bitdefender_gz/usb_malware_propagation.yml | 2 +- .../advanced_threat_tactic_identification.yml | 2 +- .../deceptive-bytes/data_theft_attempt_indicators.yml | 2 +- .../deceptive-bytes/deception_token_access_patterns.yml | 2 +- .../deceptive-bytes/decoy_share_access_monitoring.yml | 2 +- .../deceptive-bytes/honey_table_query_detection.yml | 2 +- .../deceptive-bytes/ransomware_behavior_patterns.yml | 2 +- .../deceptive-bytes/zero_day_behavior_patterns.yml | 2 +- .../esmc-eset/advanced_heuristic_detection_triggers.yml | 2 +- rules/antivirus/esmc-eset/eset_console_abuse.yml | 2 +- rules/antivirus/esmc-eset/eset_quarantine_failures.yml | 2 +- rules/antivirus/kaspersky/data_exfiltration_attempts.yml | 2 +- .../antivirus/kaspersky/kaspersky_ransomware_behavior.yml | 2 +- rules/antivirus/kaspersky/lateral_movement_indicators.yml | 2 +- rules/antivirus/kaspersky/suspicious_network_activity.yml | 2 +- rules/cisco/asa/ips_signature_matches.yml | 2 +- rules/cisco/asa/multiple_failed_vpn_attempts.yml | 8 ++++---- rules/cisco/cs_switch/arp_poisoning_detection.yml | 2 +- rules/cisco/cs_switch/mac_address_spoofing.yml | 2 +- rules/cisco/firepower/c2_nonstandard_port.yml | 2 +- rules/cisco/meraki/meraki_vpn_brute_force.yml | 2 +- rules/cloud/aws/aws/aws_ecs_credential_theft.yml | 2 +- rules/cloud/aws/aws/aws_golden_saml_attack.yml | 6 +++--- rules/cloud/aws/aws/aws_securityhub_finding_evasion.yml | 2 +- rules/cloud/aws/aws/aws_ssm_sendcommand_abuse.yml | 2 +- 
rules/cloud/aws/aws/aws_sso_suspicious_activities.yml | 2 +- rules/cloud/aws/aws/cloudformation_stack_deletion.yml | 2 +- rules/cloud/aws/aws/console_login_impossible_travel.yml | 2 +- rules/cloud/aws/aws/cross_account_access_anomalies.yml | 2 +- rules/cloud/aws/aws/iam_backdoor_creation_attempts.yml | 2 +- rules/cloud/aws/aws/iam_privilege_escalation_paths.yml | 2 +- rules/cloud/aws/aws/lambda_privilege_escalation.yml | 2 +- rules/cloud/aws/aws/mass_resource_deletion.yml | 2 +- rules/cloud/aws/aws/route53_dns_hijacking.yml | 2 +- rules/cloud/aws/aws/s3_bulk_data_exfiltration.yml | 2 +- rules/cloud/aws/aws/secrets_manager_suspicious_access.yml | 4 ++-- rules/cloud/aws/aws/security_group_modifications.yml | 2 +- rules/cloud/aws/aws/ssm_session_abuse.yml | 2 +- rules/cloud/aws/aws/sts_token_abuse.yml | 2 +- rules/cloud/aws/aws/unusual_api_call_patterns.yml | 2 +- rules/cloud/aws/aws/vpc_flow_log_anomalies.yml | 2 +- .../credential_access_aws_iam_assume_role_brute_force.yml | 2 +- ...credential_access_root_console_failure_brute_force.yml | 2 +- rules/cloud/azure/aks_security_threats.yml | 2 +- rules/cloud/azure/app_registration_abuse.yml | 2 +- rules/cloud/azure/application_gateway_waf_alerts.yml | 2 +- rules/cloud/azure/azure_ad_password_spray.yml | 2 +- rules/cloud/azure/azure_bulk_role_changes.yml | 2 +- rules/cloud/azure/azure_kubernetes_secret_access.yml | 2 +- rules/cloud/azure/azure_laps_credential_dump.yml | 2 +- rules/cloud/azure/azure_ropc_authentication.yml | 2 +- rules/cloud/azure/key_vault_access_spikes.yml | 2 +- rules/cloud/azure/managed_identity_abuse.yml | 2 +- rules/cloud/azure/pim_role_activation_abuse.yml | 2 +- rules/cloud/google/gcp_bigquery_exfiltration.yml | 2 +- rules/cloud/google/gcp_custom_role_creation.yml | 2 +- rules/cloud/google/gcp_probable_password_guess.yml | 2 +- rules/cloud/google/gcp_secret_manager_access.yml | 2 +- rules/cloud/google/gcp_service_account_impersonation.yml | 2 +- 
.../cloud/google/service_account_key_creation_spikes.yml | 2 +- ...hentication_failures_(possible_brute_force_attack).yml | 2 +- rules/fortinet/fortinet/admin_account_compromise.yml | 2 +- rules/fortinet/fortinet/antivirus_outbreak_detection.yml | 2 +- rules/fortinet/fortinet/dlp_data_exfiltration.yml | 2 +- rules/fortinet/fortinet/fortigate_vpn_brute_force.yml | 2 +- rules/fortinet/fortinet/ips_critical_severity_events.yml | 2 +- .../fortinet/fortiweb/authentication_bypass_attempts.yml | 2 +- .../fortinet/fortiweb/file_upload_security_violations.yml | 2 +- rules/fortinet/fortiweb/fortiweb_sqli_detection.yml | 2 +- rules/fortinet/fortiweb/fortiweb_ssrf_detection.yml | 2 +- rules/fortinet/fortiweb/owasp_top10_violations.yml | 2 +- .../fortiweb/web_application_attacks_detection.yml | 2 +- rules/generic/generic/cross_source_lateral_movement.yml | 2 +- rules/github/action_secret_access.yml | 2 +- rules/github/codeowners_modification.yml | 2 +- rules/github/dependabot_config_poisoning.yml | 2 +- rules/github/mass_repository_cloning.yml | 2 +- rules/ibm/ibm_aix/aix_hmc_access.yml | 2 +- rules/ibm/ibm_aix/aix_nim_abuse.yml | 2 +- rules/ibm/ibm_as_400/as400_ifs_access.yml | 2 +- rules/ibm/ibm_as_400/as400_library_list_manipulation.yml | 2 +- rules/ibm/ibm_as_400/as400_remote_command.yml | 2 +- rules/ibm/ibm_as_400/as400_sql_injection.yml | 2 +- rules/json/json-input/deserialization_attacks.yml | 2 +- rules/json/json-input/graphql_abuse.yml | 2 +- rules/json/json-input/json_injection_attempts.yml | 2 +- rules/json/json-input/mass_assignment_attack.yml | 2 +- rules/json/json-input/nosql_injection_json.yml | 2 +- rules/json/json-input/prototype_pollution_attempts.yml | 2 +- rules/linux/bruteforce_attack.yml | 4 ++-- rules/linux/rhel_family/rhel_kernel_exploits.yml | 2 +- rules/macos/endpoint_security_bypass.yml | 2 +- rules/macos/macos_ransomware_indicators.yml | 2 +- rules/mikrotik/mikrotik_fw/dns_cache_poisoning.yml | 2 +- .../mikrotik_fw/routeros_brute_force_attempts.yml | 
2 +- rules/mikrotik/mikrotik_fw/ssh_brute_force_attempts.yml | 2 +- rules/netflow/beaconing_behavior_detection.yml | 2 +- rules/netflow/data_exfiltration_indicators.yml | 2 +- rules/netflow/ddos_traffic_patterns.yml | 2 +- rules/netflow/netflow_cryptomining_traffic.yml | 2 +- rules/netflow/netflow_doh_detection.yml | 2 +- rules/netflow/netflow_icmp_tunnel.yml | 2 +- rules/netflow/netflow_internal_scanning.yml | 2 +- rules/netflow/netflow_lateral_movement_smb_rdp.yml | 4 ++-- rules/netflow/netflow_vpn_unusual_destinations.yml | 2 +- rules/netflow/port_scanning_patterns.yml | 2 +- rules/netflow/tor_usage_detection.yml | 2 +- rules/nids/suricata/base64_dns_queries.yml | 2 +- rules/nids/suricata/base64_encoded_user_agent.yml | 2 +- rules/nids/suricata/cobalt_strike_dns_beacon.yml | 2 +- rules/nids/suricata/cobalt_strike_malleable_c2.yml | 2 +- rules/nids/suricata/command_and_control_traffic.yml | 2 +- rules/nids/suricata/covert_channel_detection.yml | 2 +- rules/nids/suricata/data_exfiltration_patterns.yml | 2 +- rules/nids/suricata/ddos_attack_patterns.yml | 2 +- rules/nids/suricata/dns_tunneling_detection.yml | 2 +- rules/nids/suricata/exploit_attempt_detection.yml | 2 +- rules/nids/suricata/hacktool_user_agents.yml | 2 +- rules/nids/suricata/icmp_tunneling_detection.yml | 2 +- rules/nids/suricata/lateral_movement_indicators.yml | 2 +- rules/nids/suricata/malware_callbacks.yml | 2 +- rules/nids/suricata/nids_ssh_anomalies.yml | 2 +- rules/nids/suricata/nids_tls_certificate_anomalies.yml | 2 +- rules/nids/suricata/nkn_blockchain_c2.yml | 2 +- rules/nids/suricata/port_scan_detection.yml | 4 ++-- rules/nids/suricata/rclone_data_exfiltration.yml | 2 +- rules/nids/suricata/threat_intelligence_iocs.yml | 2 +- rules/nids/suricata/tunneling_detection.yml | 2 +- rules/office365/anti_phishing_policy_bypasses.yml | 2 +- rules/office365/azure_ad_integration_events.yml | 2 +- rules/office365/compliance_alert_patterns.yml | 2 +- rules/office365/conditional_access_bypasses.yml | 2 
+- ...s_microsoft_365_potential_password_spraying_attack.yml | 2 +- rules/office365/ediscovery_abuse.yml | 2 +- rules/office365/exchange_admin_changes.yml | 2 +- rules/office365/external_sharing_violations.yml | 2 +- rules/office365/forms_sway_phishing.yml | 2 +- rules/office365/guest_user_invitation_spikes.yml | 2 +- rules/office365/information_barriers_violations.yml | 2 +- rules/office365/mail_flow_rule_changes.yml | 2 +- rules/office365/mass_email_deletion.yml | 4 ++-- rules/office365/mfa_fatigue_push_spam.yml | 2 +- rules/office365/multi_geo_data_violations.yml | 4 ++-- rules/office365/oauth_app_anomalies.yml | 2 +- rules/office365/onedrive_mass_file_access.yml | 6 +++--- .../possible_succesfull_password_guessing_o365.yml | 2 +- rules/office365/power_apps_data_leaks.yml | 6 +++--- rules/office365/power_automate_abuse.yml | 2 +- rules/office365/power_bi_data_export.yml | 2 +- rules/office365/safe_links_click_patterns.yml | 2 +- rules/office365/sharepoint_mass_downloads.yml | 2 +- rules/office365/teams_data_exfiltration.yml | 2 +- rules/office365/teams_external_user_abuse.yml | 2 +- rules/paloalto/pa_firewall/panos_admin_brute_force.yml | 2 +- rules/paloalto/pa_firewall/panos_dns_security_alerts.yml | 2 +- rules/paloalto/pa_firewall/panos_url_filtering_blocks.yml | 2 +- .../paloalto/pa_firewall/zero_day_exploit_prevention.yml | 2 +- rules/pfsense/dns_resolver_cache_poisoning.yml | 2 +- rules/pfsense/pfsense_admin_brute_force.yml | 2 +- rules/pfsense/snort_suricata_ids_alerts.yml | 2 +- .../sonicwall_firewall/anti_spyware_detection.yml | 2 +- rules/sonicwall/sonicwall_firewall/botnet_detection.yml | 2 +- .../sonicwall/sonicwall_firewall/capture_atp_verdicts.yml | 2 +- .../sonicwall_firewall/encrypted_threats_detection.yml | 2 +- .../sonicwall_firewall/gateway_antivirus_detection.yml | 2 +- .../sonicwall_firewall/intrusion_prevention_alert.yml | 2 +- .../sonicwall_firewall/sonicwall_admin_auth_failures.yml | 2 +- .../sonicwall_firewall/sonicwall_vpn_failures.yml | 
2 +-
.../sophos/sophos_central/behavioral_analysis_alerts.yml | 2 +-
.../sophos/sophos_central/exploit_prevention_triggers.yml | 2 +-
.../sophos_central/managed_threat_response_alerts.yml | 2 +-
.../sophos_central_possible_brute_force_attack.yml | 2 +-
.../sophos_central_potential_password_spraying_attack.yml | 2 +-
.../advanced_threat_protection_alerts.yml | 2 +-
.../sophos_password_guessing_on_administrator_account.yml | 2 +-
.../sophos_xg_firewall/sophos_xg_ips_signatures.yml | 2 +-
.../sophos_xg_firewall/sophos_xg_vpn_auth_failures.yml | 2 +-
.../high_severity_suricata_alerts_were_detected.yml | 2 +-
.../medium_severity_suricata_alerts_were_detected.yml | 2 +-
rules/syslog/cef/syslog_source_impersonation.yml | 2 +-
rules/syslog/cef/user_agent_anomalies.yml | 2 +-
rules/vmware/vmware-esxi/vcenter_server_attacks.yml | 2 +-
rules/vmware/vmware-esxi/vmware_tools_vulnerabilities.yml | 2 +-
rules/vmware/vmware-esxi/vsphere_api_abuse.yml | 2 +-
rules/windows/adfs_authentication_anomalies.yml | 2 +-
rules/windows/asrep_roasting_detection.yml | 2 +-
rules/windows/golden_ticket_detection.yml | 2 +-
rules/windows/kerberoasting_detection.yml | 2 +-
rules/windows/ntds_extraction_attempts.yml | 2 +-
rules/windows/ransom_multiple_file_deletion.yml | 2 +-
rules/windows/ransom_note_creation.yml | 2 +-
rules/windows/ransom_unusual_file_extension.yml | 2 +-
rules/windows/silver_ticket_detection.yml | 2 +-
199 files changed, 215 insertions(+), 215 deletions(-)
diff --git a/rules/antivirus/bitdefender_gz/av_console_lateral_movement.yml b/rules/antivirus/bitdefender_gz/av_console_lateral_movement.yml
index d00e35ab2..89dd478d0 100644
--- a/rules/antivirus/bitdefender_gz/av_console_lateral_movement.yml
+++ b/rules/antivirus/bitdefender_gz/av_console_lateral_movement.yml
@@ -35,7 +35,7 @@ afterEvents:
 - field: log.hostId
 operator: filter_term
 value: '{{.log.hostId}}'
- within: now-30m
+ within: 30m
 count: 10
 groupBy:
 - lastEvent.log.eventType
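Review bot: The diffstat lists only rule files, so nothing in this patch shows that the correlation engine's `within` parser now accepts a bare duration (`within: 30m`) in place of the Elasticsearch date-math form (`within: now-30m`) that every rule used before. If the engine still expects the `now-` prefix, the window mis-parses and the threshold correlation (`count: 10` per `log.hostId` in this hunk) silently stops firing or fires on a single event, which is a detection-coverage regression across all 199 rules rather than a cosmetic refactor. I would pair this with a rule-lint check that `within` matches the engine's duration grammar (for example `^[0-9]+[smhd]$`) so the format cannot drift again, or at least cite the engine change that introduced the new form in the commit message. The same edit is repeated in every later hunk of this patch and the concern applies to each of them.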
diff --git a/rules/antivirus/bitdefender_gz/av_policy_override.yml b/rules/antivirus/bitdefender_gz/av_policy_override.yml
index 62c62da1b..2cf57889c 100644
--- a/rules/antivirus/bitdefender_gz/av_policy_override.yml
+++ b/rules/antivirus/bitdefender_gz/av_policy_override.yml
@@ -36,7 +36,7 @@ afterEvents:
 - field: log.hostId
 operator: filter_term
 value: '{{.log.hostId}}'
- within: now-1h
+ within: 1h
 count: 3
 groupBy:
 - lastEvent.log.eventType
diff --git a/rules/antivirus/bitdefender_gz/malware_outbreak_multiple_hosts.yml b/rules/antivirus/bitdefender_gz/malware_outbreak_multiple_hosts.yml
index 2690509bf..aa26c5e52 100644
--- a/rules/antivirus/bitdefender_gz/malware_outbreak_multiple_hosts.yml
+++ b/rules/antivirus/bitdefender_gz/malware_outbreak_multiple_hosts.yml
@@ -41,7 +41,7 @@ afterEvents:
 - field: log.eventType
 operator: filter_term
 value: "AntiMalware"
- within: now-2h
+ within: 2h
 count: 10
 groupBy:
 - lastEvent.log.signatureID
diff --git a/rules/antivirus/bitdefender_gz/multiple_malware_from_single_source.yml b/rules/antivirus/bitdefender_gz/multiple_malware_from_single_source.yml
index a6e6e74da..9467a0d00 100644
--- a/rules/antivirus/bitdefender_gz/multiple_malware_from_single_source.yml
+++ b/rules/antivirus/bitdefender_gz/multiple_malware_from_single_source.yml
@@ -47,7 +47,7 @@ afterEvents:
 - field: log.eventType
 operator: filter_term
 value: "AntiMalware"
- within: now-1h
+ within: 1h
 count: 5
 groupBy:
 - lastEvent.log.hostId
diff --git a/rules/antivirus/bitdefender_gz/network_threat_detection.yml b/rules/antivirus/bitdefender_gz/network_threat_detection.yml
index 3dd61bcdf..77deba300 100644
--- a/rules/antivirus/bitdefender_gz/network_threat_detection.yml
+++ b/rules/antivirus/bitdefender_gz/network_threat_detection.yml
@@ -39,7 +39,7 @@ afterEvents:
 - field: origin.ip
 operator: filter_term
 value: '{{.origin.ip}}'
- within: now-2h
+ within: 2h
 count: 5
 or:
 - indexPattern: v11-log-antivirus-bitdefender-gz-*
@@ -50,7 +50,7 @@ afterEvents:
 - field: log.eventType
 operator: filter_term
 value: 'network-sandboxing'
- within: now-4h
+ within: 4h
 count: 3
 groupBy:
 - lastEvent.log.hostId
diff --git a/rules/antivirus/bitdefender_gz/ransomware_behavior_detection.yml b/rules/antivirus/bitdefender_gz/ransomware_behavior_detection.yml
index 98b2f3abb..08fcc0a89 100644
--- a/rules/antivirus/bitdefender_gz/ransomware_behavior_detection.yml
+++ b/rules/antivirus/bitdefender_gz/ransomware_behavior_detection.yml
@@ -37,7 +37,7 @@ afterEvents:
 - field: log.hostId
 operator: filter_term
 value: '{{.log.hostId}}'
- within: now-10m
+ within: 10m
 count: 5
 groupBy:
 - lastEvent.log.hostId
diff --git a/rules/antivirus/bitdefender_gz/usb_malware_propagation.yml b/rules/antivirus/bitdefender_gz/usb_malware_propagation.yml
index 4a541b842..2b0c131e3 100644
--- a/rules/antivirus/bitdefender_gz/usb_malware_propagation.yml
+++ b/rules/antivirus/bitdefender_gz/usb_malware_propagation.yml
@@ -36,7 +36,7 @@ afterEvents:
 - field: log.hostId
 operator: filter_term
 value: '{{.log.hostId}}'
- within: now-30m
+ within: 30m
 count: 5
 groupBy:
 - lastEvent.log.eventType
diff --git a/rules/antivirus/deceptive-bytes/advanced_threat_tactic_identification.yml b/rules/antivirus/deceptive-bytes/advanced_threat_tactic_identification.yml
index 9bf889c95..981c1d205 100644
--- a/rules/antivirus/deceptive-bytes/advanced_threat_tactic_identification.yml
+++ b/rules/antivirus/deceptive-bytes/advanced_threat_tactic_identification.yml
@@ -43,7 +43,7 @@ afterEvents:
 - field: log.tacticName
 operator: filter_term
 value: '{{.log.tacticName}}'
- within: now-15m
+ within: 15m
 count: 3
 groupBy:
 - lastEvent.log.tacticName
diff --git a/rules/antivirus/deceptive-bytes/data_theft_attempt_indicators.yml b/rules/antivirus/deceptive-bytes/data_theft_attempt_indicators.yml
index 0666465e7..135e8de27 100644
--- a/rules/antivirus/deceptive-bytes/data_theft_attempt_indicators.yml
+++ b/rules/antivirus/deceptive-bytes/data_theft_attempt_indicators.yml
@@ -38,7 +38,7 @@ afterEvents:
 - field: log.event_type
 operator: filter_term
 value: 'decoy_accessed'
- within: now-2h
+ within: 2h
 count: 3
 groupBy:
 - lastEvent.log.decoy_file
diff --git a/rules/antivirus/deceptive-bytes/deception_token_access_patterns.yml b/rules/antivirus/deceptive-bytes/deception_token_access_patterns.yml
index bd30bf129..6bfb2d5ef 100644
--- a/rules/antivirus/deceptive-bytes/deception_token_access_patterns.yml
+++ b/rules/antivirus/deceptive-bytes/deception_token_access_patterns.yml
@@ -40,7 +40,7 @@ afterEvents:
 - field: log.eventType
 operator: filter_term
 value: 'token_access'
- within: now-1h
+ within: 1h
 count: 3
 groupBy:
 - lastEvent.log.tokenId
diff --git a/rules/antivirus/deceptive-bytes/decoy_share_access_monitoring.yml b/rules/antivirus/deceptive-bytes/decoy_share_access_monitoring.yml
index beefe4961..57fb87eb2 100644
--- a/rules/antivirus/deceptive-bytes/decoy_share_access_monitoring.yml
+++ b/rules/antivirus/deceptive-bytes/decoy_share_access_monitoring.yml
@@ -37,7 +37,7 @@ afterEvents:
 - field: log.resourceType
 operator: filter_term
 value: 'network_share'
- within: now-30m
+ within: 30m
 count: 3
 deduplicateBy:
 - adversary.ip
diff --git a/rules/antivirus/deceptive-bytes/honey_table_query_detection.yml b/rules/antivirus/deceptive-bytes/honey_table_query_detection.yml
index 6e52fb653..c2e7d0403 100644
--- a/rules/antivirus/deceptive-bytes/honey_table_query_detection.yml
+++ b/rules/antivirus/deceptive-bytes/honey_table_query_detection.yml
@@ -36,7 +36,7 @@ afterEvents:
 - field: log.eventType
 operator: filter_term
 value: decoy_access
- within: now-1h
+ within: 1h
 count: 5
 groupBy:
 - lastEvent.log.tableName
diff --git a/rules/antivirus/deceptive-bytes/ransomware_behavior_patterns.yml b/rules/antivirus/deceptive-bytes/ransomware_behavior_patterns.yml
index 9ec7d4f49..01ccabb37 100644
--- a/rules/antivirus/deceptive-bytes/ransomware_behavior_patterns.yml
+++ b/rules/antivirus/deceptive-bytes/ransomware_behavior_patterns.yml
@@ -39,7 +39,7 @@ afterEvents:
 - field: log.source_ip
 operator: filter_term
 value: '{{.log.source_ip}}'
- within: now-15m
+ within: 15m
 count: 10
 groupBy:
 - lastEvent.log.hostname
diff --git a/rules/antivirus/deceptive-bytes/zero_day_behavior_patterns.yml b/rules/antivirus/deceptive-bytes/zero_day_behavior_patterns.yml
index c0f321612..2c7feb007 100644
--- a/rules/antivirus/deceptive-bytes/zero_day_behavior_patterns.yml
+++ b/rules/antivirus/deceptive-bytes/zero_day_behavior_patterns.yml
@@ -46,7 +46,7 @@ afterEvents:
 - field: log.processName
 operator: filter_term
 value: '{{.log.processName}}'
- within: now-30m
+ within: 30m
 count: 2
 groupBy:
 - lastEvent.log.exploitTechnique
diff --git a/rules/antivirus/esmc-eset/advanced_heuristic_detection_triggers.yml b/rules/antivirus/esmc-eset/advanced_heuristic_detection_triggers.yml
index d2644981d..38fdc2c67 100644
--- a/rules/antivirus/esmc-eset/advanced_heuristic_detection_triggers.yml
+++ b/rules/antivirus/esmc-eset/advanced_heuristic_detection_triggers.yml
@@ -38,7 +38,7 @@ afterEvents:
 - field: log.headHostname
 operator: filter_term
 value: '{{.log.headHostname}}'
- within: now-30m
+ within: 30m
 count: 3
 groupBy:
 - lastEvent.log.headHostname
diff --git a/rules/antivirus/esmc-eset/eset_console_abuse.yml b/rules/antivirus/esmc-eset/eset_console_abuse.yml
index ee4c1867e..102896e41 100644
--- a/rules/antivirus/esmc-eset/eset_console_abuse.yml
+++ b/rules/antivirus/esmc-eset/eset_console_abuse.yml
@@ -38,7 +38,7 @@ afterEvents:
 - field: log.headHostname
 operator: filter_term
 value: '{{.log.headHostname}}'
- within: now-30m
+ within: 30m
 count: 10
 groupBy:
 - lastEvent.log.headHostname
diff --git a/rules/antivirus/esmc-eset/eset_quarantine_failures.yml b/rules/antivirus/esmc-eset/eset_quarantine_failures.yml
index 0a90fd4f4..11dc8b439 100644
--- a/rules/antivirus/esmc-eset/eset_quarantine_failures.yml
+++ b/rules/antivirus/esmc-eset/eset_quarantine_failures.yml
@@ -35,7 +35,7 @@ afterEvents:
 - field: log.headHostname
 operator: filter_term
 value: '{{.log.headHostname}}'
- within: now-1h
+ within: 1h
 count: 5
 groupBy:
 - lastEvent.log.headHostname
diff --git a/rules/antivirus/kaspersky/data_exfiltration_attempts.yml b/rules/antivirus/kaspersky/data_exfiltration_attempts.yml
index 1dc83d8f7..906328c90 100644
--- a/rules/antivirus/kaspersky/data_exfiltration_attempts.yml
+++ b/rules/antivirus/kaspersky/data_exfiltration_attempts.yml
@@ -45,7 +45,7 @@ afterEvents:
 - field: log.cat
 operator: filter_term
 value: NetworkThreat
- within: now-30m
+ within: 30m
 count: 5
 groupBy:
 - origin.ip
diff --git a/rules/antivirus/kaspersky/kaspersky_ransomware_behavior.yml b/rules/antivirus/kaspersky/kaspersky_ransomware_behavior.yml
index e17ec7ce8..c23b4a878 100644
--- a/rules/antivirus/kaspersky/kaspersky_ransomware_behavior.yml
+++ b/rules/antivirus/kaspersky/kaspersky_ransomware_behavior.yml
@@ -36,5 +36,5 @@ afterEvents:
 - field: log.src
 operator: filter_term
 value: '{{.log.src}}'
- within: now-10m
+ within: 10m
 count: 3
diff --git a/rules/antivirus/kaspersky/lateral_movement_indicators.yml b/rules/antivirus/kaspersky/lateral_movement_indicators.yml
index 302374d98..6a143ad55 100644
--- a/rules/antivirus/kaspersky/lateral_movement_indicators.yml
+++ b/rules/antivirus/kaspersky/lateral_movement_indicators.yml
@@ -41,5 +41,5 @@ afterEvents:
 - field: log.src
 operator: filter_term
 value: '{{.log.src}}'
- within: now-2h
+ within: 2h
 count: 3
diff --git a/rules/antivirus/kaspersky/suspicious_network_activity.yml b/rules/antivirus/kaspersky/suspicious_network_activity.yml
index 286f3edad..dcdad092f 100644
--- a/rules/antivirus/kaspersky/suspicious_network_activity.yml
+++ b/rules/antivirus/kaspersky/suspicious_network_activity.yml
@@ -46,7 +46,7 @@ afterEvents:
 - field: log.dstIP
 operator: filter_term
 value: '{{.log.dstIP}}'
- within: now-30m
+ within: 30m
 count: 5
 groupBy:
 - target.ip
diff --git a/rules/cisco/asa/ips_signature_matches.yml b/rules/cisco/asa/ips_signature_matches.yml
index a6c2ad5b0..e4ed5586a 100644
--- a/rules/cisco/asa/ips_signature_matches.yml
+++ b/rules/cisco/asa/ips_signature_matches.yml
@@ -35,7 +35,7 @@ afterEvents:
 - field: origin.ip
 operator: filter_term
 value: '{{.origin.ip}}'
- within: now-15m
+ within: 15m
 count: 3
 groupBy:
 - adversary.ip
diff --git a/rules/cisco/asa/multiple_failed_vpn_attempts.yml b/rules/cisco/asa/multiple_failed_vpn_attempts.yml
index 11a61091c..0da2846bb 100644
--- a/rules/cisco/asa/multiple_failed_vpn_attempts.yml
+++ b/rules/cisco/asa/multiple_failed_vpn_attempts.yml
@@ -40,7 +40,7 @@ afterEvents:
 - field: log.messageId
 operator: filter_term
 value: '113015'
- within: now-15m
+ within: 15m
 count: 10
 or:
 - indexPattern: v11-log-firewall-cisco-asa-*
@@ -51,7 +51,7 @@ afterEvents:
 - field: log.messageId
 operator: filter_term
 value: '113021'
- within: now-15m
+ within: 15m
 count: 10
 - indexPattern: v11-log-firewall-cisco-asa-*
 with:
@@ -61,7 +61,7 @@ afterEvents:
 - field: log.messageId
 operator: filter_term
 value: '109034'
- within: now-15m
+ within: 15m
 count: 10
 - indexPattern: v11-log-firewall-cisco-asa-*
 with:
@@ -71,7 +71,7 @@ afterEvents:
 - field: log.messageId
 operator: filter_term
 value: '611102'
- within: now-15m
+ within: 15m
 count: 10
 groupBy:
 - adversary.ip
diff --git a/rules/cisco/cs_switch/arp_poisoning_detection.yml b/rules/cisco/cs_switch/arp_poisoning_detection.yml
index b4cc5275b..04dd22d21 100644
--- a/rules/cisco/cs_switch/arp_poisoning_detection.yml
+++ b/rules/cisco/cs_switch/arp_poisoning_detection.yml
@@ -36,7 +36,7 @@ afterEvents:
 - field: origin.ip
 operator: filter_term
 value: '{{.origin.ip}}'
- within: now-10m
+ within: 10m
 count: 5
 groupBy:
 - adversary.ip
diff --git a/rules/cisco/cs_switch/mac_address_spoofing.yml b/rules/cisco/cs_switch/mac_address_spoofing.yml
index e2c5734bc..a887668ad 100644
--- a/rules/cisco/cs_switch/mac_address_spoofing.yml
+++ b/rules/cisco/cs_switch/mac_address_spoofing.yml
@@ -36,7 +36,7 @@ afterEvents:
 - field: origin.mac
 operator: filter_term
 value: '{{.origin.mac}}'
- within: now-10m
+ within: 10m
 count: 3
 groupBy:
 - adversary.mac
diff --git a/rules/cisco/firepower/c2_nonstandard_port.yml b/rules/cisco/firepower/c2_nonstandard_port.yml
index 113d2e4fa..c2a311f29 100644
--- a/rules/cisco/firepower/c2_nonstandard_port.yml
+++ b/rules/cisco/firepower/c2_nonstandard_port.yml
@@ -40,7 +40,7 @@ afterEvents:
 - field: target.ip
 operator: filter_term
 value: '{{.target.ip}}'
- within: now-1h
+ within: 1h
 count: 5
 groupBy:
 - adversary.ip
diff --git a/rules/cisco/meraki/meraki_vpn_brute_force.yml b/rules/cisco/meraki/meraki_vpn_brute_force.yml
index 191cfd865..639d851fa 100644
--- a/rules/cisco/meraki/meraki_vpn_brute_force.yml
+++ b/rules/cisco/meraki/meraki_vpn_brute_force.yml
@@ -33,7 +33,7 @@ afterEvents:
 - field: origin.ip
 operator: filter_term
 value: '{{.origin.ip}}'
- within: now-15m
+ within: 15m
 count: 10
 groupBy:
 - adversary.ip
diff --git a/rules/cloud/aws/aws/aws_ecs_credential_theft.yml b/rules/cloud/aws/aws/aws_ecs_credential_theft.yml
index 382b0a8d3..ec1265a9c 100644
--- a/rules/cloud/aws/aws/aws_ecs_credential_theft.yml
+++ b/rules/cloud/aws/aws/aws_ecs_credential_theft.yml
@@ -38,7 +38,7 @@ afterEvents:
 - field: log.eventSource
 operator: filter_term
 value: 'ecs.amazonaws.com'
- within: now-30m
+ within: 30m
 count: 5
 groupBy:
 - adversary.user
diff --git a/rules/cloud/aws/aws/aws_golden_saml_attack.yml b/rules/cloud/aws/aws/aws_golden_saml_attack.yml
index 72e7fbc73..ce0332159 100644
--- a/rules/cloud/aws/aws/aws_golden_saml_attack.yml
+++ b/rules/cloud/aws/aws/aws_golden_saml_attack.yml
@@ -34,7 +34,7 @@ afterEvents:
 - field: log.userIdentityAccountId
 operator: filter_term
 value: '{{.log.userIdentityAccountId}}'
- within: now-24h
+ within: 24h
 count: 1
 or:
 - indexPattern: v11-log-aws-*
@@ -42,14 +42,14 @@ afterEvents:
 - field: log.eventName
 operator: filter_term
 value: 'UpdateSAMLProvider'
- within: now-24h
+ within: 24h
 count: 1
 - indexPattern: v11-log-aws-*
 with:
 - field: log.eventName
 operator: filter_term
 value: 'CreateSAMLProvider'
- within: now-24h
+ within: 24h
 count: 1
 groupBy:
 - adversary.user
diff --git a/rules/cloud/aws/aws/aws_securityhub_finding_evasion.yml b/rules/cloud/aws/aws/aws_securityhub_finding_evasion.yml
index e46543306..ff0058b4a 100644
--- a/rules/cloud/aws/aws/aws_securityhub_finding_evasion.yml
+++ b/rules/cloud/aws/aws/aws_securityhub_finding_evasion.yml
@@ -38,7 +38,7 @@ afterEvents:
 - field: log.eventSource
 operator: filter_term
 value: 'securityhub.amazonaws.com'
- within: now-30m
+ within: 30m
 count: 5
 groupBy:
 - adversary.user
diff --git a/rules/cloud/aws/aws/aws_ssm_sendcommand_abuse.yml b/rules/cloud/aws/aws/aws_ssm_sendcommand_abuse.yml
index da076f8d4..a535f49b1 100644
--- a/rules/cloud/aws/aws/aws_ssm_sendcommand_abuse.yml
+++ b/rules/cloud/aws/aws/aws_ssm_sendcommand_abuse.yml
@@ -36,7 +36,7 @@ afterEvents:
 - field: log.eventSource
 operator: filter_term
 value: 'ssm.amazonaws.com'
- within: now-30m
+ within: 30m
 count: 5
 groupBy:
 - adversary.user
diff --git a/rules/cloud/aws/aws/aws_sso_suspicious_activities.yml b/rules/cloud/aws/aws/aws_sso_suspicious_activities.yml
index 1910e0e1a..1b14a9625 100644
--- a/rules/cloud/aws/aws/aws_sso_suspicious_activities.yml
+++ b/rules/cloud/aws/aws/aws_sso_suspicious_activities.yml
@@ -38,7 +38,7 @@ afterEvents:
 - field: log.eventSource
 operator: filter_term
 value: 'sso.amazonaws.com'
- within: now-30m
+ within: 30m
 count: 10
 groupBy:
 - lastEvent.log.sourceIPAddress
diff --git a/rules/cloud/aws/aws/cloudformation_stack_deletion.yml b/rules/cloud/aws/aws/cloudformation_stack_deletion.yml
index 33dc84440..e44a89e5d 100644
--- a/rules/cloud/aws/aws/cloudformation_stack_deletion.yml
+++ b/rules/cloud/aws/aws/cloudformation_stack_deletion.yml
@@ -34,7 +34,7 @@ afterEvents:
 - field: log.eventSource
 operator: filter_term
 value: 'cloudformation.amazonaws.com'
- within: now-30m
+ within: 30m
 count: 5
 groupBy:
 - lastEvent.log.userIdentityAccountId
diff --git a/rules/cloud/aws/aws/console_login_impossible_travel.yml b/rules/cloud/aws/aws/console_login_impossible_travel.yml
index 0080164fd..ffe6be2f8 100644
--- a/rules/cloud/aws/aws/console_login_impossible_travel.yml
+++ b/rules/cloud/aws/aws/console_login_impossible_travel.yml
@@ -41,7 +41,7 @@ afterEvents:
 - field: origin.geolocation.countryCode
 operator: must_not_term
 value: '{{.origin.geolocation.countryCode}}'
- within: now-30m
+ within: 30m
 count: 1
 groupBy:
 - adversary.user
diff --git a/rules/cloud/aws/aws/cross_account_access_anomalies.yml b/rules/cloud/aws/aws/cross_account_access_anomalies.yml
index d24f8bc2f..2443f165c 100644
--- a/rules/cloud/aws/aws/cross_account_access_anomalies.yml
+++ b/rules/cloud/aws/aws/cross_account_access_anomalies.yml
@@ -40,7 +40,7 @@ afterEvents:
 - field: log.eventName
 operator: filter_term
 value: 'AssumeRole'
- within: now-15m
+ within: 15m
 count: 15
 groupBy:
 - lastEvent.log.responseElementsAssumedRoleUserArn
diff --git a/rules/cloud/aws/aws/iam_backdoor_creation_attempts.yml b/rules/cloud/aws/aws/iam_backdoor_creation_attempts.yml
index abdb36b08..fd644e9f1 100644
--- a/rules/cloud/aws/aws/iam_backdoor_creation_attempts.yml
+++ b/rules/cloud/aws/aws/iam_backdoor_creation_attempts.yml
@@ -33,7 +33,7 @@ afterEvents:
 - field: log.eventSource
 operator: filter_term
 value: 'iam.amazonaws.com'
- within: now-30m
+ within: 30m
 count: 3
 groupBy:
 - lastEvent.log.sourceIPAddress
diff --git a/rules/cloud/aws/aws/iam_privilege_escalation_paths.yml b/rules/cloud/aws/aws/iam_privilege_escalation_paths.yml
index f52c89873..34d292ccc 100644
--- a/rules/cloud/aws/aws/iam_privilege_escalation_paths.yml
+++ b/rules/cloud/aws/aws/iam_privilege_escalation_paths.yml
@@ -39,7 +39,7 @@ afterEvents: - field: log.eventSource operator: filter_term value: iam.amazonaws.com - within: now-30m + within: 30m count: 3 groupBy: - adversary.user diff --git a/rules/cloud/aws/aws/lambda_privilege_escalation.yml b/rules/cloud/aws/aws/lambda_privilege_escalation.yml index 3f69b0fcf..d97e5ad77 100644 --- a/rules/cloud/aws/aws/lambda_privilege_escalation.yml +++ b/rules/cloud/aws/aws/lambda_privilege_escalation.yml @@ -39,7 +39,7 @@ afterEvents: - field: log.eventName operator: filter_term value: AttachRolePolicy - within: now-1h + within: 1h count: 2 groupBy: - lastEvent.log.requestParameters.roleArn diff --git a/rules/cloud/aws/aws/mass_resource_deletion.yml b/rules/cloud/aws/aws/mass_resource_deletion.yml index 4b9a4068d..921fdb70e 100644 --- a/rules/cloud/aws/aws/mass_resource_deletion.yml +++ b/rules/cloud/aws/aws/mass_resource_deletion.yml @@ -32,7 +32,7 @@ afterEvents: - field: log.userIdentity.arn operator: filter_term value: '{{.log.userIdentity.arn}}' - within: now-10m + within: 10m count: 15 groupBy: - lastEvent.log.sourceIPAddress diff --git a/rules/cloud/aws/aws/route53_dns_hijacking.yml b/rules/cloud/aws/aws/route53_dns_hijacking.yml index c3954daa7..722103fab 100644 --- a/rules/cloud/aws/aws/route53_dns_hijacking.yml +++ b/rules/cloud/aws/aws/route53_dns_hijacking.yml @@ -35,7 +35,7 @@ afterEvents: - field: log.eventName operator: filter_term value: 'ChangeResourceRecordSets' - within: now-30m + within: 30m count: 10 groupBy: - lastEvent.log.sourceIPAddress diff --git a/rules/cloud/aws/aws/s3_bulk_data_exfiltration.yml b/rules/cloud/aws/aws/s3_bulk_data_exfiltration.yml index ad3d42693..062b26f92 100644 --- a/rules/cloud/aws/aws/s3_bulk_data_exfiltration.yml +++ b/rules/cloud/aws/aws/s3_bulk_data_exfiltration.yml @@ -38,7 +38,7 @@ afterEvents: - field: log.eventName operator: filter_term value: GetObject - within: now-15m + within: 15m count: 100 groupBy: - adversary.user 
diff --git a/rules/cloud/aws/aws/secrets_manager_suspicious_access.yml b/rules/cloud/aws/aws/secrets_manager_suspicious_access.yml index e538d2538..68c7d3da8 100644 --- a/rules/cloud/aws/aws/secrets_manager_suspicious_access.yml +++ b/rules/cloud/aws/aws/secrets_manager_suspicious_access.yml @@ -33,7 +33,7 @@ afterEvents: - field: log.eventName operator: filter_term value: GetSecretValue - within: now-10m + within: 10m count: 10 - indexPattern: v11-log-aws-* with: @@ -43,7 +43,7 @@ afterEvents: - field: log.eventName operator: filter_term value: BatchGetSecretValue - within: now-10m + within: 10m count: 5 groupBy: - lastEvent.log.sourceIPAddress diff --git a/rules/cloud/aws/aws/security_group_modifications.yml b/rules/cloud/aws/aws/security_group_modifications.yml index 7850da9af..3ddb4b0af 100644 --- a/rules/cloud/aws/aws/security_group_modifications.yml +++ b/rules/cloud/aws/aws/security_group_modifications.yml @@ -45,7 +45,7 @@ afterEvents: - field: log.eventSource operator: filter_term value: 'ec2.amazonaws.com' - within: now-30m + within: 30m count: 3 groupBy: - lastEvent.log.sourceIPAddress diff --git a/rules/cloud/aws/aws/ssm_session_abuse.yml b/rules/cloud/aws/aws/ssm_session_abuse.yml index 406f9d7a0..9a2335888 100644 --- a/rules/cloud/aws/aws/ssm_session_abuse.yml +++ b/rules/cloud/aws/aws/ssm_session_abuse.yml @@ -38,7 +38,7 @@ afterEvents: - field: log.eventSource operator: filter_term value: ssm.amazonaws.com - within: now-30m + within: 30m count: 5 groupBy: - adversary.user diff --git a/rules/cloud/aws/aws/sts_token_abuse.yml b/rules/cloud/aws/aws/sts_token_abuse.yml index b9a9827fc..f92b5b183 100644 --- a/rules/cloud/aws/aws/sts_token_abuse.yml +++ b/rules/cloud/aws/aws/sts_token_abuse.yml @@ -39,7 +39,7 @@ afterEvents: - field: log.sourceIPAddress operator: filter_term value: '{{.log.sourceIPAddress}}' - within: now-15m + within: 15m count: 20 groupBy: - lastEvent.log.userIdentityArn 
diff --git a/rules/cloud/aws/aws/unusual_api_call_patterns.yml b/rules/cloud/aws/aws/unusual_api_call_patterns.yml index 21c87dc89..69dc52ac7 100644 --- a/rules/cloud/aws/aws/unusual_api_call_patterns.yml +++ b/rules/cloud/aws/aws/unusual_api_call_patterns.yml @@ -42,7 +42,7 @@ afterEvents: - field: log.eventName operator: filter_match value: 'Describe List Get Generate' - within: now-10m + within: 10m count: 50 groupBy: - lastEvent.log.sourceIPAddress diff --git a/rules/cloud/aws/aws/vpc_flow_log_anomalies.yml b/rules/cloud/aws/aws/vpc_flow_log_anomalies.yml index 1c63f5b10..1749bec63 100644 --- a/rules/cloud/aws/aws/vpc_flow_log_anomalies.yml +++ b/rules/cloud/aws/aws/vpc_flow_log_anomalies.yml @@ -43,7 +43,7 @@ afterEvents: - field: log.eventName operator: filter_term value: 'DeleteFlowLogs' - within: now-24h + within: 24h count: 2 deduplicateBy: - lastEvent.log.sourceIPAddress diff --git a/rules/cloud/aws/credential_access_aws_iam_assume_role_brute_force.yml b/rules/cloud/aws/credential_access_aws_iam_assume_role_brute_force.yml index d6d3fe952..bfb7daafc 100644 --- a/rules/cloud/aws/credential_access_aws_iam_assume_role_brute_force.yml +++ b/rules/cloud/aws/credential_access_aws_iam_assume_role_brute_force.yml @@ -28,7 +28,7 @@ afterEvents: - field: origin.user operator: filter_term value: '{{.origin.user}}' - within: now-15m + within: 15m count: 5 groupBy: - adversary.ip diff --git a/rules/cloud/aws/credential_access_root_console_failure_brute_force.yml b/rules/cloud/aws/credential_access_root_console_failure_brute_force.yml index 688f46773..b861ed7d5 100644 --- a/rules/cloud/aws/credential_access_root_console_failure_brute_force.yml +++ b/rules/cloud/aws/credential_access_root_console_failure_brute_force.yml @@ -26,7 +26,7 @@ afterEvents: - field: origin.ip operator: filter_term value: '{{.origin.ip}}' - within: now-15m + within: 15m count: 5 groupBy: - adversary.ip 
diff --git a/rules/cloud/azure/aks_security_threats.yml b/rules/cloud/azure/aks_security_threats.yml index e731659e4..fbb41f16e 100644 --- a/rules/cloud/azure/aks_security_threats.yml +++ b/rules/cloud/azure/aks_security_threats.yml @@ -41,7 +41,7 @@ afterEvents: - field: log.operationName operator: filter_match value: 'Container' - within: now-30m + within: 30m count: 10 groupBy: - lastEvent.log.operationName diff --git a/rules/cloud/azure/app_registration_abuse.yml b/rules/cloud/azure/app_registration_abuse.yml index de3b53e79..9c46b8d54 100644 --- a/rules/cloud/azure/app_registration_abuse.yml +++ b/rules/cloud/azure/app_registration_abuse.yml @@ -39,7 +39,7 @@ afterEvents: - field: log.categoryValue operator: filter_term value: Administrative - within: now-1h + within: 1h count: 3 groupBy: - lastEvent.log.operationName diff --git a/rules/cloud/azure/application_gateway_waf_alerts.yml b/rules/cloud/azure/application_gateway_waf_alerts.yml index 9166ce018..74b7b33a9 100644 --- a/rules/cloud/azure/application_gateway_waf_alerts.yml +++ b/rules/cloud/azure/application_gateway_waf_alerts.yml @@ -34,7 +34,7 @@ afterEvents: - field: origin.ip operator: filter_term value: '{{.origin.ip}}' - within: now-10m + within: 10m count: 5 groupBy: - lastEvent.log.ruleId diff --git a/rules/cloud/azure/azure_ad_password_spray.yml b/rules/cloud/azure/azure_ad_password_spray.yml index 974b1a731..ae2170e08 100644 --- a/rules/cloud/azure/azure_ad_password_spray.yml +++ b/rules/cloud/azure/azure_ad_password_spray.yml @@ -40,7 +40,7 @@ afterEvents: - field: log.properties.status.errorCode operator: filter_match value: '5005' - within: now-15m + within: 15m count: 15 groupBy: - lastEvent.log.operationName diff --git a/rules/cloud/azure/azure_bulk_role_changes.yml b/rules/cloud/azure/azure_bulk_role_changes.yml index 30cd78ac3..9ab8cc4ed 100644 --- a/rules/cloud/azure/azure_bulk_role_changes.yml +++ b/rules/cloud/azure/azure_bulk_role_changes.yml 
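Review bot: The azure_ad_password_spray hunk groups its 15-failures-in-15m window by `lastEvent.log.operationName`, which folds failures from every source IP and every user in the tenant into one bucket, so a routine wave of mistyped passwords trips it while a genuine spray from one source is indistinguishable from the background. Spray detection normally keys on the source and counts distinct target users; unless the `with:` clause above the hunk already pins `origin.ip` through a template, change the grouping to `groupBy:` / `- adversary.ip` as the brute-force rules in this series do, and deduplicate by `origin.user` if the engine supports it. The `with:` filters are outside the hunk, so this is inferred from the visible grouping key only. Also confirm `filter_match` on `'5005'` is intended: elsewhere in the series `filter_match` is used with space-separated terms (`'Describe List Get Generate'`), which suggests an analyzed match rather than an exact code comparison.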
@@ -32,7 +32,7 @@ afterEvents: - field: origin.ip operator: filter_term value: '{{.origin.ip}}' - within: now-30m + within: 30m count: 10 groupBy: - adversary.ip diff --git a/rules/cloud/azure/azure_kubernetes_secret_access.yml b/rules/cloud/azure/azure_kubernetes_secret_access.yml index 5ddd8a8ff..0c80809b8 100644 --- a/rules/cloud/azure/azure_kubernetes_secret_access.yml +++ b/rules/cloud/azure/azure_kubernetes_secret_access.yml @@ -33,7 +33,7 @@ afterEvents: - field: origin.ip operator: filter_term value: '{{.origin.ip}}' - within: now-30m + within: 30m count: 5 groupBy: - lastEvent.log.resourceId diff --git a/rules/cloud/azure/azure_laps_credential_dump.yml b/rules/cloud/azure/azure_laps_credential_dump.yml index 53611ce84..54ddc823a 100644 --- a/rules/cloud/azure/azure_laps_credential_dump.yml +++ b/rules/cloud/azure/azure_laps_credential_dump.yml @@ -32,7 +32,7 @@ afterEvents: - field: origin.ip operator: filter_term value: '{{.origin.ip}}' - within: now-1h + within: 1h count: 3 groupBy: - adversary.ip diff --git a/rules/cloud/azure/azure_ropc_authentication.yml b/rules/cloud/azure/azure_ropc_authentication.yml index 585571321..5c0efef20 100644 --- a/rules/cloud/azure/azure_ropc_authentication.yml +++ b/rules/cloud/azure/azure_ropc_authentication.yml @@ -32,7 +32,7 @@ afterEvents: - field: origin.ip operator: filter_term value: '{{.origin.ip}}' - within: now-1h + within: 1h count: 5 groupBy: - adversary.ip diff --git a/rules/cloud/azure/key_vault_access_spikes.yml b/rules/cloud/azure/key_vault_access_spikes.yml index 342011b4d..aa3e0ae88 100644 --- a/rules/cloud/azure/key_vault_access_spikes.yml +++ b/rules/cloud/azure/key_vault_access_spikes.yml @@ -35,7 +35,7 @@ afterEvents: - field: log.category operator: filter_term value: 'AuditEvent' - within: now-10m + within: 10m count: 20 groupBy: - lastEvent.log.resourceId diff --git a/rules/cloud/azure/managed_identity_abuse.yml b/rules/cloud/azure/managed_identity_abuse.yml index 0bc08d811..f63865cb8 100644 
--- a/rules/cloud/azure/managed_identity_abuse.yml +++ b/rules/cloud/azure/managed_identity_abuse.yml @@ -36,7 +36,7 @@ afterEvents: - field: origin.ip operator: filter_term value: '{{.origin.ip}}' - within: now-1h + within: 1h count: 5 groupBy: - lastEvent.log.operationName diff --git a/rules/cloud/azure/pim_role_activation_abuse.yml b/rules/cloud/azure/pim_role_activation_abuse.yml index 9fbba9d64..5a2155db0 100644 --- a/rules/cloud/azure/pim_role_activation_abuse.yml +++ b/rules/cloud/azure/pim_role_activation_abuse.yml @@ -39,7 +39,7 @@ afterEvents: - field: log.categoryValue operator: filter_term value: Administrative - within: now-4h + within: 4h count: 3 groupBy: - lastEvent.log.operationName diff --git a/rules/cloud/google/gcp_bigquery_exfiltration.yml b/rules/cloud/google/gcp_bigquery_exfiltration.yml index b41d5b181..b61406607 100644 --- a/rules/cloud/google/gcp_bigquery_exfiltration.yml +++ b/rules/cloud/google/gcp_bigquery_exfiltration.yml @@ -39,7 +39,7 @@ afterEvents: - field: log.protoPayload.serviceName operator: filter_term value: bigquery.googleapis.com - within: now-30m + within: 30m count: 10 groupBy: - lastEvent.log.protoPayload.methodName diff --git a/rules/cloud/google/gcp_custom_role_creation.yml b/rules/cloud/google/gcp_custom_role_creation.yml index a6886f634..75792363c 100644 --- a/rules/cloud/google/gcp_custom_role_creation.yml +++ b/rules/cloud/google/gcp_custom_role_creation.yml @@ -35,7 +35,7 @@ afterEvents: - field: log.protoPayload.authenticationInfo.principalEmail operator: filter_term value: '{{.log.protoPayload.authenticationInfo.principalEmail}}' - within: now-1h + within: 1h count: 2 groupBy: - lastEvent.log.protoPayload.methodName diff --git a/rules/cloud/google/gcp_probable_password_guess.yml b/rules/cloud/google/gcp_probable_password_guess.yml index a900ae913..b83075d98 100644 --- a/rules/cloud/google/gcp_probable_password_guess.yml +++ b/rules/cloud/google/gcp_probable_password_guess.yml 
@@ -31,7 +31,7 @@ afterEvents: - field: log.protoPayload.authenticationInfo.principalEmail operator: filter_term value: "{{.log.protoPayload.authenticationInfo.principalEmail}}" - within: now-5m + within: 5m count: 5 groupBy: - adversary.ip diff --git a/rules/cloud/google/gcp_secret_manager_access.yml b/rules/cloud/google/gcp_secret_manager_access.yml index 3238288fa..409e23164 100644 --- a/rules/cloud/google/gcp_secret_manager_access.yml +++ b/rules/cloud/google/gcp_secret_manager_access.yml @@ -37,7 +37,7 @@ afterEvents: - field: log.protoPayload.methodName operator: filter_term value: AccessSecretVersion - within: now-15m + within: 15m count: 5 groupBy: - lastEvent.log.protoPayload.methodName diff --git a/rules/cloud/google/gcp_service_account_impersonation.yml b/rules/cloud/google/gcp_service_account_impersonation.yml index b54b29272..3ba35f6e7 100644 --- a/rules/cloud/google/gcp_service_account_impersonation.yml +++ b/rules/cloud/google/gcp_service_account_impersonation.yml @@ -37,7 +37,7 @@ afterEvents: - field: log.protoPayload.authenticationInfo.principalEmail operator: filter_term value: '{{.log.protoPayload.authenticationInfo.principalEmail}}' - within: now-30m + within: 30m count: 10 groupBy: - lastEvent.log.protoPayload.methodName diff --git a/rules/cloud/google/service_account_key_creation_spikes.yml b/rules/cloud/google/service_account_key_creation_spikes.yml index 9ba697853..2ab571783 100644 --- a/rules/cloud/google/service_account_key_creation_spikes.yml +++ b/rules/cloud/google/service_account_key_creation_spikes.yml @@ -33,7 +33,7 @@ afterEvents: - field: log.protoPayload.authenticationInfo.principalEmail operator: filter_term value: '{{.log.protoPayload.authenticationInfo.principalEmail}}' - within: now-1h + within: 1h count: 5 groupBy: - lastEvent.log.protoPayload.authenticationInfo.principalEmail 
diff --git a/rules/crowdstrike/multiple_authentication_failures_(possible_brute_force_attack).yml b/rules/crowdstrike/multiple_authentication_failures_(possible_brute_force_attack).yml index 52f78b97b..1c7ab31cf 100644 --- a/rules/crowdstrike/multiple_authentication_failures_(possible_brute_force_attack).yml +++ b/rules/crowdstrike/multiple_authentication_failures_(possible_brute_force_attack).yml @@ -17,7 +17,7 @@ where: > exists("origin.ip") afterEvents: - indexPattern: v11-log-crowdstrike-* - within: now-15m + within: 15m count: 5 with: - field: origin.ip diff --git a/rules/fortinet/fortinet/admin_account_compromise.yml b/rules/fortinet/fortinet/admin_account_compromise.yml index 2f971a974..23628f707 100644 --- a/rules/fortinet/fortinet/admin_account_compromise.yml +++ b/rules/fortinet/fortinet/admin_account_compromise.yml @@ -43,7 +43,7 @@ afterEvents: - field: log.user operator: filter_term value: '{{.log.user}}' - within: now-15m + within: 15m count: 5 groupBy: - adversary.ip diff --git a/rules/fortinet/fortinet/antivirus_outbreak_detection.yml b/rules/fortinet/fortinet/antivirus_outbreak_detection.yml index 6481f711d..7e5d7a8ea 100644 --- a/rules/fortinet/fortinet/antivirus_outbreak_detection.yml +++ b/rules/fortinet/fortinet/antivirus_outbreak_detection.yml @@ -42,7 +42,7 @@ afterEvents: - field: action operator: filter_term value: blocked - within: now-1h + within: 1h count: 5 groupBy: - adversary.ip diff --git a/rules/fortinet/fortinet/dlp_data_exfiltration.yml b/rules/fortinet/fortinet/dlp_data_exfiltration.yml index de5c31f22..730da1f23 100644 --- a/rules/fortinet/fortinet/dlp_data_exfiltration.yml +++ b/rules/fortinet/fortinet/dlp_data_exfiltration.yml @@ -39,7 +39,7 @@ afterEvents: - field: log.subtype operator: filter_term value: 'dlp' - within: now-1h + within: 1h count: 3 groupBy: - lastEvent.log.dlp_profile 
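Review bot: In the crowdstrike hunk `within: 15m` and `count: 5` are placed before the `with:` list, whereas every other rule in this series places them after it; YAML mappings are unordered so the engine will not care, but the inconsistency defeats visual review and any lint rule this refactor invites. Move the two keys below the `with:` block (which continues outside the hunk) to match the other rules. Unrelated to the refactor, the `where: > exists("origin.ip")` guard here is exactly what the other rules that filter on `'{{.origin.ip}}'` lack; an empty template value in `filter_term` is engine-defined behaviour, so porting the guard to those rules would make their windows deterministic.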
diff --git a/rules/fortinet/fortinet/fortigate_vpn_brute_force.yml b/rules/fortinet/fortinet/fortigate_vpn_brute_force.yml index 4421e8daa..42ffef343 100644 --- a/rules/fortinet/fortinet/fortigate_vpn_brute_force.yml +++ b/rules/fortinet/fortinet/fortigate_vpn_brute_force.yml @@ -35,7 +35,7 @@ afterEvents: - field: origin.ip operator: filter_term value: '{{.origin.ip}}' - within: now-15m + within: 15m count: 10 groupBy: - adversary.ip diff --git a/rules/fortinet/fortinet/ips_critical_severity_events.yml b/rules/fortinet/fortinet/ips_critical_severity_events.yml index bbe837f9c..0c49f005d 100644 --- a/rules/fortinet/fortinet/ips_critical_severity_events.yml +++ b/rules/fortinet/fortinet/ips_critical_severity_events.yml @@ -31,7 +31,7 @@ afterEvents: - field: origin.ip operator: filter_term value: '{{.origin.ip}}' - within: now-15m + within: 15m count: 3 groupBy: - adversary.ip diff --git a/rules/fortinet/fortiweb/authentication_bypass_attempts.yml b/rules/fortinet/fortiweb/authentication_bypass_attempts.yml index 3b2db44b2..2e039b6a8 100644 --- a/rules/fortinet/fortiweb/authentication_bypass_attempts.yml +++ b/rules/fortinet/fortiweb/authentication_bypass_attempts.yml @@ -44,7 +44,7 @@ afterEvents: - field: origin.ip operator: filter_term value: '{{.origin.ip}}' - within: now-15m + within: 15m count: 3 groupBy: - adversary.ip diff --git a/rules/fortinet/fortiweb/file_upload_security_violations.yml b/rules/fortinet/fortiweb/file_upload_security_violations.yml index 1917e99dc..27bb24c24 100644 --- a/rules/fortinet/fortiweb/file_upload_security_violations.yml +++ b/rules/fortinet/fortiweb/file_upload_security_violations.yml @@ -43,7 +43,7 @@ afterEvents: - field: origin.ip operator: filter_term value: '{{.origin.ip}}' - within: now-30m + within: 30m count: 3 groupBy: - adversary.ip diff --git a/rules/fortinet/fortiweb/fortiweb_sqli_detection.yml b/rules/fortinet/fortiweb/fortiweb_sqli_detection.yml index 69744d2d9..c82e9d137 100644 
--- a/rules/fortinet/fortiweb/fortiweb_sqli_detection.yml +++ b/rules/fortinet/fortiweb/fortiweb_sqli_detection.yml @@ -34,7 +34,7 @@ afterEvents: - field: origin.ip operator: filter_term value: '{{.origin.ip}}' - within: now-15m + within: 15m count: 5 groupBy: - adversary.ip diff --git a/rules/fortinet/fortiweb/fortiweb_ssrf_detection.yml b/rules/fortinet/fortiweb/fortiweb_ssrf_detection.yml index e72e2bfae..2dfe9b15d 100644 --- a/rules/fortinet/fortiweb/fortiweb_ssrf_detection.yml +++ b/rules/fortinet/fortiweb/fortiweb_ssrf_detection.yml @@ -34,7 +34,7 @@ afterEvents: - field: origin.ip operator: filter_term value: '{{.origin.ip}}' - within: now-15m + within: 15m count: 3 groupBy: - adversary.ip diff --git a/rules/fortinet/fortiweb/owasp_top10_violations.yml b/rules/fortinet/fortiweb/owasp_top10_violations.yml index 28e7f94c2..d48a85d47 100644 --- a/rules/fortinet/fortiweb/owasp_top10_violations.yml +++ b/rules/fortinet/fortiweb/owasp_top10_violations.yml @@ -35,7 +35,7 @@ afterEvents: - field: origin.ip operator: filter_term value: '{{.origin.ip}}' - within: now-15m + within: 15m count: 5 groupBy: - adversary.ip diff --git a/rules/fortinet/fortiweb/web_application_attacks_detection.yml b/rules/fortinet/fortiweb/web_application_attacks_detection.yml index e166d6e80..d5b42f86c 100644 --- a/rules/fortinet/fortiweb/web_application_attacks_detection.yml +++ b/rules/fortinet/fortiweb/web_application_attacks_detection.yml @@ -50,7 +50,7 @@ afterEvents: - field: action operator: filter_term value: 'deny' - within: now-15m + within: 15m count: 3 groupBy: - adversary.ip diff --git a/rules/generic/generic/cross_source_lateral_movement.yml b/rules/generic/generic/cross_source_lateral_movement.yml index 9778631bf..01968405c 100644 --- a/rules/generic/generic/cross_source_lateral_movement.yml +++ b/rules/generic/generic/cross_source_lateral_movement.yml 
@@ -50,7 +50,7 @@ afterEvents: - field: log.message operator: filter_match value: 'remote login OR authenticated OR session opened' - within: now-30m + within: 30m count: 5 groupBy: - adversary.ip diff --git a/rules/github/action_secret_access.yml b/rules/github/action_secret_access.yml index dfad4cc62..bcfeb4fb2 100644 --- a/rules/github/action_secret_access.yml +++ b/rules/github/action_secret_access.yml @@ -37,7 +37,7 @@ afterEvents: - field: log.action operator: filter_match value: secret - within: now-1h + within: 1h count: 3 groupBy: - lastEvent.log.action diff --git a/rules/github/codeowners_modification.yml b/rules/github/codeowners_modification.yml index 6e5346744..fcf6526d8 100644 --- a/rules/github/codeowners_modification.yml +++ b/rules/github/codeowners_modification.yml @@ -38,7 +38,7 @@ afterEvents: - field: log.senderLogin operator: filter_term value: '{{.log.senderLogin}}' - within: now-24h + within: 24h count: 2 groupBy: - lastEvent.log.repositoryName diff --git a/rules/github/dependabot_config_poisoning.yml b/rules/github/dependabot_config_poisoning.yml index bfd8d955e..969c8528f 100644 --- a/rules/github/dependabot_config_poisoning.yml +++ b/rules/github/dependabot_config_poisoning.yml @@ -38,7 +38,7 @@ afterEvents: - field: log.senderLogin operator: filter_term value: '{{.log.senderLogin}}' - within: now-24h + within: 24h count: 2 groupBy: - lastEvent.log.repositoryName diff --git a/rules/github/mass_repository_cloning.yml b/rules/github/mass_repository_cloning.yml index efc797e1f..4b42d7080 100644 --- a/rules/github/mass_repository_cloning.yml +++ b/rules/github/mass_repository_cloning.yml @@ -40,7 +40,7 @@ afterEvents: - field: log.action operator: filter_match value: 'clone fetch' - within: now-30m + within: 30m count: 10 groupBy: - lastEvent.log.senderLogin diff --git a/rules/ibm/ibm_aix/aix_hmc_access.yml b/rules/ibm/ibm_aix/aix_hmc_access.yml index 3e2e71c94..d4614cf06 100644 --- a/rules/ibm/ibm_aix/aix_hmc_access.yml 
+++ b/rules/ibm/ibm_aix/aix_hmc_access.yml @@ -46,7 +46,7 @@ afterEvents: - field: origin.host operator: filter_term value: '{{.origin.host}}' - within: now-30m + within: 30m count: 3 groupBy: - adversary.host diff --git a/rules/ibm/ibm_aix/aix_nim_abuse.yml b/rules/ibm/ibm_aix/aix_nim_abuse.yml index eb7f3f626..9fec714d2 100644 --- a/rules/ibm/ibm_aix/aix_nim_abuse.yml +++ b/rules/ibm/ibm_aix/aix_nim_abuse.yml @@ -43,7 +43,7 @@ afterEvents: - field: origin.host operator: filter_term value: '{{.origin.host}}' - within: now-30m + within: 30m count: 3 groupBy: - adversary.host diff --git a/rules/ibm/ibm_as_400/as400_ifs_access.yml b/rules/ibm/ibm_as_400/as400_ifs_access.yml index 7889fabe8..e77e8908c 100644 --- a/rules/ibm/ibm_as_400/as400_ifs_access.yml +++ b/rules/ibm/ibm_as_400/as400_ifs_access.yml @@ -47,7 +47,7 @@ afterEvents: - field: log.message operator: filter_match value: 'IFS OR CPYFRMSTMF OR CPYTOSTMF OR NetServer' - within: now-15m + within: 15m count: 10 groupBy: - adversary.host diff --git a/rules/ibm/ibm_as_400/as400_library_list_manipulation.yml b/rules/ibm/ibm_as_400/as400_library_list_manipulation.yml index 06d99f87d..502f56bed 100644 --- a/rules/ibm/ibm_as_400/as400_library_list_manipulation.yml +++ b/rules/ibm/ibm_as_400/as400_library_list_manipulation.yml @@ -43,7 +43,7 @@ afterEvents: - field: origin.user operator: filter_term value: '{{.origin.user}}' - within: now-15m + within: 15m count: 3 groupBy: - adversary.host diff --git a/rules/ibm/ibm_as_400/as400_remote_command.yml b/rules/ibm/ibm_as_400/as400_remote_command.yml index 1373d399b..4666f90d1 100644 --- a/rules/ibm/ibm_as_400/as400_remote_command.yml +++ b/rules/ibm/ibm_as_400/as400_remote_command.yml @@ -40,7 +40,7 @@ afterEvents: - field: origin.user operator: filter_term value: '{{.origin.user}}' - within: now-30m + within: 30m count: 3 groupBy: - adversary.host 
diff --git a/rules/ibm/ibm_as_400/as400_sql_injection.yml b/rules/ibm/ibm_as_400/as400_sql_injection.yml index 2f984cc6b..02845a385 100644 --- a/rules/ibm/ibm_as_400/as400_sql_injection.yml +++ b/rules/ibm/ibm_as_400/as400_sql_injection.yml @@ -45,7 +45,7 @@ afterEvents: - field: log.message operator: filter_match value: 'SQL error OR syntax error OR UNION SELECT OR DROP' - within: now-15m + within: 15m count: 5 groupBy: - adversary.host diff --git a/rules/json/json-input/deserialization_attacks.yml b/rules/json/json-input/deserialization_attacks.yml index ece44f7b3..dafc0111d 100644 --- a/rules/json/json-input/deserialization_attacks.yml +++ b/rules/json/json-input/deserialization_attacks.yml @@ -42,7 +42,7 @@ afterEvents: - field: origin.ip operator: filter_term value: '{{.origin.ip}}' - within: now-10m + within: 10m count: 3 groupBy: - adversary.ip diff --git a/rules/json/json-input/graphql_abuse.yml b/rules/json/json-input/graphql_abuse.yml index e62516f45..befd24681 100644 --- a/rules/json/json-input/graphql_abuse.yml +++ b/rules/json/json-input/graphql_abuse.yml @@ -37,7 +37,7 @@ afterEvents: - field: origin.ip operator: filter_term value: '{{.origin.ip}}' - within: now-15m + within: 15m count: 5 groupBy: - adversary.ip diff --git a/rules/json/json-input/json_injection_attempts.yml b/rules/json/json-input/json_injection_attempts.yml index ada255cd3..e85aa80eb 100644 --- a/rules/json/json-input/json_injection_attempts.yml +++ b/rules/json/json-input/json_injection_attempts.yml @@ -38,7 +38,7 @@ afterEvents: - field: origin.ip operator: filter_term value: '{{.origin.ip}}' - within: now-10m + within: 10m count: 3 groupBy: - adversary.ip diff --git a/rules/json/json-input/mass_assignment_attack.yml b/rules/json/json-input/mass_assignment_attack.yml index f0a086cad..6df88526f 100644 --- a/rules/json/json-input/mass_assignment_attack.yml +++ b/rules/json/json-input/mass_assignment_attack.yml 
@@ -38,7 +38,7 @@ afterEvents: - field: origin.ip operator: filter_term value: '{{.origin.ip}}' - within: now-10m + within: 10m count: 3 groupBy: - adversary.ip diff --git a/rules/json/json-input/nosql_injection_json.yml b/rules/json/json-input/nosql_injection_json.yml index 34a7e55d7..cf21ddcd9 100644 --- a/rules/json/json-input/nosql_injection_json.yml +++ b/rules/json/json-input/nosql_injection_json.yml @@ -42,7 +42,7 @@ afterEvents: - field: origin.ip operator: filter_term value: '{{.origin.ip}}' - within: now-10m + within: 10m count: 3 groupBy: - adversary.ip diff --git a/rules/json/json-input/prototype_pollution_attempts.yml b/rules/json/json-input/prototype_pollution_attempts.yml index a72af1010..7f11f9d73 100644 --- a/rules/json/json-input/prototype_pollution_attempts.yml +++ b/rules/json/json-input/prototype_pollution_attempts.yml @@ -34,7 +34,7 @@ afterEvents: - field: origin.ip operator: filter_term value: '{{.origin.ip}}' - within: now-10m + within: 10m count: 3 groupBy: - adversary.host diff --git a/rules/linux/bruteforce_attack.yml b/rules/linux/bruteforce_attack.yml index be2cf38c4..fafa9e0a9 100644 --- a/rules/linux/bruteforce_attack.yml +++ b/rules/linux/bruteforce_attack.yml @@ -28,7 +28,7 @@ afterEvents: - field: log.message operator: filter_match value: 'Failed password' - within: now-15m + within: 15m count: 10 or: - indexPattern: v11-log-linux-* @@ -42,7 +42,7 @@ afterEvents: - field: log.message operator: filter_match value: 'authentication failure' - within: now-15m + within: 15m count: 10 groupBy: - origin.ip diff --git a/rules/linux/rhel_family/rhel_kernel_exploits.yml b/rules/linux/rhel_family/rhel_kernel_exploits.yml index 92eaf4198..fbf2b23b5 100644 --- a/rules/linux/rhel_family/rhel_kernel_exploits.yml +++ b/rules/linux/rhel_family/rhel_kernel_exploits.yml @@ -33,7 +33,7 @@ afterEvents: - field: log.facility operator: filter_term value: 'kern' - within: now-5m + within: 5m count: 3 groupBy: - origin.host 
diff --git a/rules/macos/endpoint_security_bypass.yml b/rules/macos/endpoint_security_bypass.yml index cf6bfdbb1..29203fcfd 100644 --- a/rules/macos/endpoint_security_bypass.yml +++ b/rules/macos/endpoint_security_bypass.yml @@ -41,7 +41,7 @@ afterEvents: - field: system.hostname operator: filter_term value: '{{.system.hostname}}' - within: now-15m + within: 15m count: 2 groupBy: - lastEvent.log.process diff --git a/rules/macos/macos_ransomware_indicators.yml b/rules/macos/macos_ransomware_indicators.yml index 4c84fa4ed..9097ed7e8 100644 --- a/rules/macos/macos_ransomware_indicators.yml +++ b/rules/macos/macos_ransomware_indicators.yml @@ -33,7 +33,7 @@ afterEvents: - field: origin.host operator: filter_term value: '{{.origin.host}}' - within: now-10m + within: 10m count: 50 groupBy: - adversary.host diff --git a/rules/mikrotik/mikrotik_fw/dns_cache_poisoning.yml b/rules/mikrotik/mikrotik_fw/dns_cache_poisoning.yml index abcb1de7c..3e48460af 100644 --- a/rules/mikrotik/mikrotik_fw/dns_cache_poisoning.yml +++ b/rules/mikrotik/mikrotik_fw/dns_cache_poisoning.yml @@ -38,7 +38,7 @@ afterEvents: - field: log.topics operator: filter_term value: 'dns' - within: now-5m + within: 5m count: 10 groupBy: - adversary.ip diff --git a/rules/mikrotik/mikrotik_fw/routeros_brute_force_attempts.yml b/rules/mikrotik/mikrotik_fw/routeros_brute_force_attempts.yml index e5b591ef2..3576bbe73 100644 --- a/rules/mikrotik/mikrotik_fw/routeros_brute_force_attempts.yml +++ b/rules/mikrotik/mikrotik_fw/routeros_brute_force_attempts.yml @@ -34,7 +34,7 @@ afterEvents: - field: log.message operator: filter_match value: 'login failure' - within: now-15m + within: 15m count: 10 groupBy: - adversary.ip diff --git a/rules/mikrotik/mikrotik_fw/ssh_brute_force_attempts.yml b/rules/mikrotik/mikrotik_fw/ssh_brute_force_attempts.yml index da92e158a..28eb4ac9a 100644 --- a/rules/mikrotik/mikrotik_fw/ssh_brute_force_attempts.yml +++ b/rules/mikrotik/mikrotik_fw/ssh_brute_force_attempts.yml 
@@ -39,7 +39,7 @@ afterEvents: - field: protocol operator: filter_term value: 'tcp' - within: now-15m + within: 15m count: 10 groupBy: - adversary.ip diff --git a/rules/netflow/beaconing_behavior_detection.yml b/rules/netflow/beaconing_behavior_detection.yml index 0c01028d4..3f5f2ceb3 100644 --- a/rules/netflow/beaconing_behavior_detection.yml +++ b/rules/netflow/beaconing_behavior_detection.yml @@ -41,7 +41,7 @@ afterEvents: - field: dataType operator: filter_term value: netflow - within: now-1h + within: 1h count: 30 groupBy: - adversary.ip diff --git a/rules/netflow/data_exfiltration_indicators.yml b/rules/netflow/data_exfiltration_indicators.yml index 2649b90c4..f3d05530b 100644 --- a/rules/netflow/data_exfiltration_indicators.yml +++ b/rules/netflow/data_exfiltration_indicators.yml @@ -34,7 +34,7 @@ afterEvents: - field: dataType operator: filter_term value: netflow - within: now-1h + within: 1h count: 10 groupBy: - adversary.ip diff --git a/rules/netflow/ddos_traffic_patterns.yml b/rules/netflow/ddos_traffic_patterns.yml index 8c4504047..c44daaa73 100644 --- a/rules/netflow/ddos_traffic_patterns.yml +++ b/rules/netflow/ddos_traffic_patterns.yml @@ -34,7 +34,7 @@ afterEvents: - field: dataType operator: filter_term value: netflow - within: now-5m + within: 5m count: 100 groupBy: - target.ip diff --git a/rules/netflow/netflow_cryptomining_traffic.yml b/rules/netflow/netflow_cryptomining_traffic.yml index 5361818aa..46304ebea 100644 --- a/rules/netflow/netflow_cryptomining_traffic.yml +++ b/rules/netflow/netflow_cryptomining_traffic.yml @@ -37,7 +37,7 @@ afterEvents: - field: origin.ip operator: filter_term value: '{{.origin.ip}}' - within: now-30m + within: 30m count: 5 groupBy: - adversary.ip diff --git a/rules/netflow/netflow_doh_detection.yml b/rules/netflow/netflow_doh_detection.yml index f9b69d3f8..c67c20244 100644 --- a/rules/netflow/netflow_doh_detection.yml +++ b/rules/netflow/netflow_doh_detection.yml 
@@ -43,7 +43,7 @@ afterEvents:
 - field: target.port
 operator: filter_term
 value: '443'
- within: now-1h
+ within: 1h
 count: 20
 groupBy:
 - adversary.ip
diff --git a/rules/netflow/netflow_icmp_tunnel.yml b/rules/netflow/netflow_icmp_tunnel.yml
index 5193b05fb..c54b505da 100644
--- a/rules/netflow/netflow_icmp_tunnel.yml
+++ b/rules/netflow/netflow_icmp_tunnel.yml
@@ -37,7 +37,7 @@ afterEvents:
 - field: target.ip
 operator: filter_term
 value: '{{.target.ip}}'
- within: now-10m
+ within: 10m
 count: 20
 groupBy:
 - adversary.ip
diff --git a/rules/netflow/netflow_internal_scanning.yml b/rules/netflow/netflow_internal_scanning.yml
index 0d6b69ea5..251ef1afc 100644
--- a/rules/netflow/netflow_internal_scanning.yml
+++ b/rules/netflow/netflow_internal_scanning.yml
@@ -36,7 +36,7 @@ afterEvents:
 - field: origin.ip
 operator: filter_term
 value: '{{.origin.ip}}'
- within: now-5m
+ within: 5m
 count: 30
 deduplicateBy:
 - adversary.ip
diff --git a/rules/netflow/netflow_lateral_movement_smb_rdp.yml b/rules/netflow/netflow_lateral_movement_smb_rdp.yml
index cbbcca068..384629b2e 100644
--- a/rules/netflow/netflow_lateral_movement_smb_rdp.yml
+++ b/rules/netflow/netflow_lateral_movement_smb_rdp.yml
@@ -37,7 +37,7 @@ afterEvents:
 - field: target.port
 operator: filter_term
 value: '445'
- within: now-10m
+ within: 10m
 count: 10
 or:
 - indexPattern: v11-log-netflow-*
@@ -48,7 +48,7 @@ afterEvents:
 - field: target.port
 operator: filter_term
 value: '3389'
- within: now-10m
+ within: 10m
 count: 10
 groupBy:
 - adversary.ip
diff --git a/rules/netflow/netflow_vpn_unusual_destinations.yml b/rules/netflow/netflow_vpn_unusual_destinations.yml
index 3c29bdd69..1e8297911 100644
--- a/rules/netflow/netflow_vpn_unusual_destinations.yml
+++ b/rules/netflow/netflow_vpn_unusual_destinations.yml
@@ -39,7 +39,7 @@ afterEvents:
 - field: target.port
 operator: filter_term
 value: '{{.target.port}}'
- within: now-1h
+ within: 1h
 count: 3
 groupBy:
 - adversary.ip
diff --git a/rules/netflow/port_scanning_patterns.yml b/rules/netflow/port_scanning_patterns.yml
index b48786055..25f50b1fb 100644
--- a/rules/netflow/port_scanning_patterns.yml
+++ b/rules/netflow/port_scanning_patterns.yml
@@ -39,7 +39,7 @@ afterEvents:
 - field: target.ip
 operator: filter_term
 value: '{{.target.ip}}'
- within: now-2m
+ within: 2m
 count: 25
 deduplicateBy:
 - adversary.ip
diff --git a/rules/netflow/tor_usage_detection.yml b/rules/netflow/tor_usage_detection.yml
index 959891b45..1c084ad92 100644
--- a/rules/netflow/tor_usage_detection.yml
+++ b/rules/netflow/tor_usage_detection.yml
@@ -34,7 +34,7 @@ afterEvents:
 - field: origin.ip
 operator: filter_term
 value: '{{.origin.ip}}'
- within: now-1h
+ within: 1h
 count: 5
 groupBy:
 - adversary.ip
diff --git a/rules/nids/suricata/base64_dns_queries.yml b/rules/nids/suricata/base64_dns_queries.yml
index b70d07aae..a4819a7af 100644
--- a/rules/nids/suricata/base64_dns_queries.yml
+++ b/rules/nids/suricata/base64_dns_queries.yml
@@ -38,7 +38,7 @@ afterEvents:
 - field: log.eventType
 operator: filter_term
 value: 'dns'
- within: now-10m
+ within: 10m
 count: 5
 groupBy:
 - adversary.ip
diff --git a/rules/nids/suricata/base64_encoded_user_agent.yml b/rules/nids/suricata/base64_encoded_user_agent.yml
index 6122132dd..60d6e220b 100644
--- a/rules/nids/suricata/base64_encoded_user_agent.yml
+++ b/rules/nids/suricata/base64_encoded_user_agent.yml
@@ -38,7 +38,7 @@ afterEvents:
 - field: log.eventType
 operator: filter_term
 value: 'http'
- within: now-30m
+ within: 30m
 count: 3
 groupBy:
 - lastEvent.log.http.http_user_agent
diff --git a/rules/nids/suricata/cobalt_strike_dns_beacon.yml b/rules/nids/suricata/cobalt_strike_dns_beacon.yml
index b6fc46b77..98b226af5 100644
--- a/rules/nids/suricata/cobalt_strike_dns_beacon.yml
+++ b/rules/nids/suricata/cobalt_strike_dns_beacon.yml
@@ -45,7 +45,7 @@ afterEvents:
 - field: log.eventType
 operator: filter_term
 value: 'dns'
- within: now-15m
+ within: 15m
 count: 3
 groupBy:
 - lastEvent.log.dns.query
diff --git a/rules/nids/suricata/cobalt_strike_malleable_c2.yml b/rules/nids/suricata/cobalt_strike_malleable_c2.yml
index 01b080c64..f8cfde22a 100644
--- a/rules/nids/suricata/cobalt_strike_malleable_c2.yml
+++ b/rules/nids/suricata/cobalt_strike_malleable_c2.yml
@@ -51,7 +51,7 @@ afterEvents:
 - field: log.eventType
 operator: filter_term
 value: 'http'
- within: now-30m
+ within: 30m
 count: 3
 groupBy:
 - adversary.ip
diff --git a/rules/nids/suricata/command_and_control_traffic.yml b/rules/nids/suricata/command_and_control_traffic.yml
index 7f5569d2a..815b10e61 100644
--- a/rules/nids/suricata/command_and_control_traffic.yml
+++ b/rules/nids/suricata/command_and_control_traffic.yml
@@ -47,7 +47,7 @@ afterEvents:
 - field: target.ip
 operator: filter_term
 value: '{{.target.ip}}'
- within: now-1h
+ within: 1h
 count: 5
 groupBy:
 - adversary.ip
diff --git a/rules/nids/suricata/covert_channel_detection.yml b/rules/nids/suricata/covert_channel_detection.yml
index ef93c7727..cee1fb230 100644
--- a/rules/nids/suricata/covert_channel_detection.yml
+++ b/rules/nids/suricata/covert_channel_detection.yml
@@ -42,7 +42,7 @@ afterEvents:
 - field: origin.ip
 operator: filter_term
 value: '{{.origin.ip}}'
- within: now-1h
+ within: 1h
 count: 10
 groupBy:
 - adversary.ip
diff --git a/rules/nids/suricata/data_exfiltration_patterns.yml b/rules/nids/suricata/data_exfiltration_patterns.yml
index 38495d48a..211d418ef 100644
--- a/rules/nids/suricata/data_exfiltration_patterns.yml
+++ b/rules/nids/suricata/data_exfiltration_patterns.yml
@@ -45,7 +45,7 @@ afterEvents:
 - field: origin.ip
 operator: filter_term
 value: '{{.origin.ip}}'
- within: now-30m
+ within: 30m
 count: 10
 groupBy:
 - adversary.ip
diff --git a/rules/nids/suricata/ddos_attack_patterns.yml b/rules/nids/suricata/ddos_attack_patterns.yml
index b995668b5..05612ee99 100644
--- a/rules/nids/suricata/ddos_attack_patterns.yml
+++ b/rules/nids/suricata/ddos_attack_patterns.yml
@@ -50,7 +50,7 @@ afterEvents:
 - field: target.ip
 operator: filter_term
 value: '{{.target.ip}}'
- within: now-5m
+ within: 5m
 count: 50
 groupBy:
 - adversary.ip
diff --git a/rules/nids/suricata/dns_tunneling_detection.yml b/rules/nids/suricata/dns_tunneling_detection.yml
index e821dc252..6cd2af748 100644
--- a/rules/nids/suricata/dns_tunneling_detection.yml
+++ b/rules/nids/suricata/dns_tunneling_detection.yml
@@ -39,7 +39,7 @@ afterEvents:
 - field: log.protocol
 operator: filter_term
 value: 'DNS'
- within: now-5m
+ within: 5m
 count: 50
 groupBy:
 - adversary.ip
diff --git a/rules/nids/suricata/exploit_attempt_detection.yml b/rules/nids/suricata/exploit_attempt_detection.yml
index 4759e3a8b..fdd52e9c8 100644
--- a/rules/nids/suricata/exploit_attempt_detection.yml
+++ b/rules/nids/suricata/exploit_attempt_detection.yml
@@ -38,7 +38,7 @@ afterEvents:
 - field: target.ip
 operator: filter_term
 value: '{{.target.ip}}'
- within: now-15m
+ within: 15m
 count: 3
 groupBy:
 - lastEvent.log.alert.signature
diff --git a/rules/nids/suricata/hacktool_user_agents.yml b/rules/nids/suricata/hacktool_user_agents.yml
index c1922159c..d289e5efc 100644
--- a/rules/nids/suricata/hacktool_user_agents.yml
+++ b/rules/nids/suricata/hacktool_user_agents.yml
@@ -79,7 +79,7 @@ afterEvents:
 - field: log.eventType
 operator: filter_term
 value: 'http'
- within: now-15m
+ within: 15m
 count: 10
 deduplicateBy:
 - adversary.ip
diff --git a/rules/nids/suricata/icmp_tunneling_detection.yml b/rules/nids/suricata/icmp_tunneling_detection.yml
index 88d1f1630..13328557b 100644
--- a/rules/nids/suricata/icmp_tunneling_detection.yml
+++ b/rules/nids/suricata/icmp_tunneling_detection.yml
@@ -39,7 +39,7 @@ afterEvents:
 - field: log.protocol
 operator: filter_term
 value: 'ICMP'
- within: now-10m
+ within: 10m
 count: 100
 groupBy:
 - adversary.ip
diff --git a/rules/nids/suricata/lateral_movement_indicators.yml b/rules/nids/suricata/lateral_movement_indicators.yml
index 6d2939f63..89121f888 100644
--- a/rules/nids/suricata/lateral_movement_indicators.yml
+++ b/rules/nids/suricata/lateral_movement_indicators.yml
@@ -42,7 +42,7 @@ afterEvents:
 - field: origin.ip
 operator: filter_term
 value: '{{.origin.ip}}'
- within: now-10m
+ within: 10m
 count: 10
 groupBy:
 - adversary.ip
diff --git a/rules/nids/suricata/malware_callbacks.yml b/rules/nids/suricata/malware_callbacks.yml
index 2bb3498c6..563fefb62 100644
--- a/rules/nids/suricata/malware_callbacks.yml
+++ b/rules/nids/suricata/malware_callbacks.yml
@@ -36,7 +36,7 @@ afterEvents:
 - field: origin.ip
 operator: filter_term
 value: '{{.origin.ip}}'
- within: now-1h
+ within: 1h
 count: 10
 groupBy:
 - adversary.ip
diff --git a/rules/nids/suricata/nids_ssh_anomalies.yml b/rules/nids/suricata/nids_ssh_anomalies.yml
index 9c4db0d72..932aad8bb 100644
--- a/rules/nids/suricata/nids_ssh_anomalies.yml
+++ b/rules/nids/suricata/nids_ssh_anomalies.yml
@@ -38,7 +38,7 @@ afterEvents:
 - field: target.ip
 operator: filter_term
 value: '{{.target.ip}}'
- within: now-15m
+ within: 15m
 count: 10
 groupBy:
 - adversary.ip
diff --git a/rules/nids/suricata/nids_tls_certificate_anomalies.yml b/rules/nids/suricata/nids_tls_certificate_anomalies.yml
index 9f4a37872..ced8d9fbe 100644
--- a/rules/nids/suricata/nids_tls_certificate_anomalies.yml
+++ b/rules/nids/suricata/nids_tls_certificate_anomalies.yml
@@ -39,7 +39,7 @@ afterEvents:
 - field: target.ip
 operator: filter_term
 value: '{{.target.ip}}'
- within: now-1h
+ within: 1h
 count: 10
 groupBy:
 - adversary.ip
diff --git a/rules/nids/suricata/nkn_blockchain_c2.yml b/rules/nids/suricata/nkn_blockchain_c2.yml
index 94c963280..15e315047 100644
--- a/rules/nids/suricata/nkn_blockchain_c2.yml
+++ b/rules/nids/suricata/nkn_blockchain_c2.yml
@@ -43,7 +43,7 @@ afterEvents:
 - field: log.eventType
 operator: filter_term
 value: 'dns'
- within: now-15m
+ within: 15m
 count: 3
 groupBy:
 - lastEvent.log.dns.query
diff --git a/rules/nids/suricata/port_scan_detection.yml b/rules/nids/suricata/port_scan_detection.yml
index 5bf7142c3..7ea413157 100644
--- a/rules/nids/suricata/port_scan_detection.yml
+++ b/rules/nids/suricata/port_scan_detection.yml
@@ -48,7 +48,7 @@ afterEvents:
 - field: origin.ip
 operator: filter_term
 value: '{{.origin.ip}}'
- within: now-10m
+ within: 10m
 count: 50
 - indexPattern: v11-log-suricata-*
 with:
@@ -58,7 +58,7 @@ afterEvents:
 - field: target.ip
 operator: filter_term
 value: '{{.target.ip}}'
- within: now-10m
+ within: 10m
 count: 20
 deduplicateBy:
 - adversary.ip
diff --git a/rules/nids/suricata/rclone_data_exfiltration.yml b/rules/nids/suricata/rclone_data_exfiltration.yml
index a1c9563e2..cfd15c130 100644
--- a/rules/nids/suricata/rclone_data_exfiltration.yml
+++ b/rules/nids/suricata/rclone_data_exfiltration.yml
@@ -42,7 +42,7 @@ afterEvents:
 - field: log.eventType
 operator: filter_term
 value: 'http'
- within: now-30m
+ within: 30m
 count: 3
 groupBy:
 - adversary.ip
diff --git a/rules/nids/suricata/threat_intelligence_iocs.yml b/rules/nids/suricata/threat_intelligence_iocs.yml
index a8aa69f1a..8c7dd365d 100644
--- a/rules/nids/suricata/threat_intelligence_iocs.yml
+++ b/rules/nids/suricata/threat_intelligence_iocs.yml
@@ -37,7 +37,7 @@ afterEvents:
 - field: origin.ip
 operator: filter_term
 value: '{{.origin.ip}}'
- within: now-30m
+ within: 30m
 count: 3
 groupBy:
 - lastEvent.log.threat_type
diff --git a/rules/nids/suricata/tunneling_detection.yml b/rules/nids/suricata/tunneling_detection.yml
index fe68ce77c..4dd48db4f 100644
--- a/rules/nids/suricata/tunneling_detection.yml
+++ b/rules/nids/suricata/tunneling_detection.yml
@@ -49,7 +49,7 @@ afterEvents:
 - field: target.port
 operator: filter_term
 value: '{{.target.port}}'
- within: now-30m
+ within: 30m
 count: 5
 groupBy:
 - adversary.ip
diff --git a/rules/office365/anti_phishing_policy_bypasses.yml b/rules/office365/anti_phishing_policy_bypasses.yml
index 4e2fdb8a5..f0d808347 100644
--- a/rules/office365/anti_phishing_policy_bypasses.yml
+++ b/rules/office365/anti_phishing_policy_bypasses.yml
@@ -36,7 +36,7 @@ afterEvents:
 - field: log.Operation
 operator: filter_match
 value: 'AntiPhish'
- within: now-4h
+ within: 4h
 count: 2
 groupBy:
 - lastEvent.log.Operation
diff --git a/rules/office365/azure_ad_integration_events.yml b/rules/office365/azure_ad_integration_events.yml
index 29d7c2203..144d697e3 100644
--- a/rules/office365/azure_ad_integration_events.yml
+++ b/rules/office365/azure_ad_integration_events.yml
@@ -41,7 +41,7 @@ afterEvents:
 - field: log.Workload
 operator: filter_term
 value: 'AzureActiveDirectory'
- within: now-15m
+ within: 15m
 count: 5
 groupBy:
 - adversary.ip
diff --git a/rules/office365/compliance_alert_patterns.yml b/rules/office365/compliance_alert_patterns.yml
index f9df01671..c07f15f6c 100644
--- a/rules/office365/compliance_alert_patterns.yml
+++ b/rules/office365/compliance_alert_patterns.yml
@@ -50,7 +50,7 @@ afterEvents:
 - field: log.Workload
 operator: filter_term
 value: 'SecurityComplianceCenter'
- within: now-2h
+ within: 2h
 count: 5
 groupBy:
 - lastEvent.action
diff --git a/rules/office365/conditional_access_bypasses.yml b/rules/office365/conditional_access_bypasses.yml
index 675816280..32361fbfc 100644
--- a/rules/office365/conditional_access_bypasses.yml
+++ b/rules/office365/conditional_access_bypasses.yml
@@ -38,7 +38,7 @@ afterEvents:
 - field: origin.ip
 operator: filter_term
 value: '{{.origin.ip}}'
- within: now-30m
+ within: 30m
 count: 5
 groupBy:
 - adversary.ip
diff --git a/rules/office365/credential_access_microsoft_365_potential_password_spraying_attack.yml b/rules/office365/credential_access_microsoft_365_potential_password_spraying_attack.yml
index 7cd310228..3b3f95226 100644
--- a/rules/office365/credential_access_microsoft_365_potential_password_spraying_attack.yml
+++ b/rules/office365/credential_access_microsoft_365_potential_password_spraying_attack.yml
@@ -23,7 +23,7 @@ afterEvents:
 - field: origin.ip
 operator: filter_term
 value: '{{.origin.ip}}'
- within: now-60s
+ within: 60s
 count: 5
 groupBy:
 - adversary.ip
diff --git a/rules/office365/ediscovery_abuse.yml b/rules/office365/ediscovery_abuse.yml
index aebb8dfde..1a68c129a 100644
--- a/rules/office365/ediscovery_abuse.yml
+++ b/rules/office365/ediscovery_abuse.yml
@@ -35,7 +35,7 @@ afterEvents:
 - field: origin.user
 operator: filter_term
 value: '{{.origin.user}}'
- within: now-1h
+ within: 1h
 count: 5
 groupBy:
 - adversary.user
diff --git a/rules/office365/exchange_admin_changes.yml b/rules/office365/exchange_admin_changes.yml
index 3db46e1f2..dec7289db 100644
--- a/rules/office365/exchange_admin_changes.yml
+++ b/rules/office365/exchange_admin_changes.yml
@@ -33,7 +33,7 @@ afterEvents:
 - field: origin.user
 operator: filter_term
 value: '{{.origin.user}}'
- within: now-1h
+ within: 1h
 count: 10
 groupBy:
 - lastEvent.action
diff --git a/rules/office365/external_sharing_violations.yml b/rules/office365/external_sharing_violations.yml
index 46b0a0158..ce573c5f9 100644
--- a/rules/office365/external_sharing_violations.yml
+++ b/rules/office365/external_sharing_violations.yml
@@ -48,7 +48,7 @@ afterEvents:
 - field: origin.user
 operator: filter_term
 value: '{{.origin.user}}'
- within: now-1h
+ within: 1h
 count: 5
 groupBy:
 - lastEvent.log.ObjectId
diff --git a/rules/office365/forms_sway_phishing.yml b/rules/office365/forms_sway_phishing.yml
index edc0bbd49..cc5c1fdd4 100644
--- a/rules/office365/forms_sway_phishing.yml
+++ b/rules/office365/forms_sway_phishing.yml
@@ -42,7 +42,7 @@ afterEvents:
 - field: action
 operator: filter_match
 value: 'Form'
- within: now-1h
+ within: 1h
 count: 3
 groupBy:
 - adversary.user
diff --git a/rules/office365/guest_user_invitation_spikes.yml b/rules/office365/guest_user_invitation_spikes.yml
index dce4572d8..ef33de6cd 100644
--- a/rules/office365/guest_user_invitation_spikes.yml
+++ b/rules/office365/guest_user_invitation_spikes.yml
@@ -42,7 +42,7 @@ afterEvents:
 - field: action
 operator: filter_term
 value: 'Invite external user'
- within: now-1h
+ within: 1h
 count: 10
 groupBy:
 - adversary.user
diff --git a/rules/office365/information_barriers_violations.yml b/rules/office365/information_barriers_violations.yml
index 445d65d26..c3b08e6ca 100644
--- a/rules/office365/information_barriers_violations.yml
+++ b/rules/office365/information_barriers_violations.yml
@@ -34,7 +34,7 @@ afterEvents:
 - field: log.PolicyType
 operator: filter_term
 value: 'InformationBarrier'
- within: now-12h
+ within: 12h
 count: 3
 groupBy:
 - lastEvent.log.TargetUser
diff --git a/rules/office365/mail_flow_rule_changes.yml b/rules/office365/mail_flow_rule_changes.yml
index 3aa648fab..e989b55d4 100644
--- a/rules/office365/mail_flow_rule_changes.yml
+++ b/rules/office365/mail_flow_rule_changes.yml
@@ -36,7 +36,7 @@ afterEvents:
 - field: action
 operator: filter_match
 value: 'TransportRule'
- within: now-1h
+ within: 1h
 count: 3
 groupBy:
 - lastEvent.action
diff --git a/rules/office365/mass_email_deletion.yml b/rules/office365/mass_email_deletion.yml
index aa73b7ab8..d0012f8fb 100644
--- a/rules/office365/mass_email_deletion.yml
+++ b/rules/office365/mass_email_deletion.yml
@@ -35,7 +35,7 @@ afterEvents:
 - field: action
 operator: filter_term
 value: 'HardDelete'
- within: now-15m
+ within: 15m
 count: 100
 or:
 - indexPattern: v11-log-o365-*
@@ -46,7 +46,7 @@ afterEvents:
 - field: action
 operator: filter_term
 value: 'SoftDelete'
- within: now-15m
+ within: 15m
 count: 100
 groupBy:
 - adversary.user
diff --git a/rules/office365/mfa_fatigue_push_spam.yml b/rules/office365/mfa_fatigue_push_spam.yml
index 475c8cc86..9a6956fad 100644
--- a/rules/office365/mfa_fatigue_push_spam.yml
+++ b/rules/office365/mfa_fatigue_push_spam.yml
@@ -40,7 +40,7 @@ afterEvents:
 - field: log.LogonError
 operator: filter_match
 value: 'Mfa'
- within: now-15m
+ within: 15m
 count: 5
 groupBy:
 - adversary.ip
diff --git a/rules/office365/multi_geo_data_violations.yml b/rules/office365/multi_geo_data_violations.yml
index 336a737e6..a37bf8440 100644
--- a/rules/office365/multi_geo_data_violations.yml
+++ b/rules/office365/multi_geo_data_violations.yml
@@ -40,7 +40,7 @@ afterEvents:
 - field: action
 operator: filter_term
 value: 'SiteGeoMoveScheduled'
- within: now-24h
+ within: 24h
 count: 3
 or:
 - indexPattern: v11-log-o365-*
@@ -51,7 +51,7 @@ afterEvents:
 - field: action
 operator: filter_term
 value: 'AllowedDataLocationAdded'
- within: now-24h
+ within: 24h
 count: 2
 groupBy:
 - adversary.ip
diff --git a/rules/office365/oauth_app_anomalies.yml b/rules/office365/oauth_app_anomalies.yml
index 10ec5a0ad..3bf3637fb 100644
--- a/rules/office365/oauth_app_anomalies.yml
+++ b/rules/office365/oauth_app_anomalies.yml
@@ -35,7 +35,7 @@ afterEvents:
 - field: action
 operator: filter_term
 value: 'Consent to application'
- within: now-1h
+ within: 1h
 count: 5
 groupBy:
 - lastEvent.log.appAccessContextClientAppId
diff --git a/rules/office365/onedrive_mass_file_access.yml b/rules/office365/onedrive_mass_file_access.yml
index af4059a15..66274f77c 100644
--- a/rules/office365/onedrive_mass_file_access.yml
+++ b/rules/office365/onedrive_mass_file_access.yml
@@ -41,7 +41,7 @@ afterEvents:
 - field: log.Workload
 operator: filter_term
 value: 'OneDrive'
- within: now-30m
+ within: 30m
 count: 67
 or:
 - indexPattern: v11-log-o365-*
@@ -55,7 +55,7 @@ afterEvents:
 - field: log.Workload
 operator: filter_term
 value: 'OneDrive'
- within: now-30m
+ within: 30m
 count: 67
 - indexPattern: v11-log-o365-*
 with:
@@ -68,7 +68,7 @@ afterEvents:
 - field: log.Workload
 operator: filter_term
 value: 'OneDrive'
- within: now-30m
+ within: 30m
 count: 67
 deduplicateBy:
 - adversary.user
diff --git a/rules/office365/possible_succesfull_password_guessing_o365.yml b/rules/office365/possible_succesfull_password_guessing_o365.yml
index 32fe75470..a3318c61b 100644
--- a/rules/office365/possible_succesfull_password_guessing_o365.yml
+++ b/rules/office365/possible_succesfull_password_guessing_o365.yml
@@ -34,7 +34,7 @@ afterEvents:
 - field: log.clientIP
 operator: filter_term
 value: "{{.log.clientIP}}"
- within: now-1m
+ within: 1m
 count: 10
 groupBy:
 - adversary.ip
diff --git a/rules/office365/power_apps_data_leaks.yml b/rules/office365/power_apps_data_leaks.yml
index 02cce74e5..048b8daeb 100644
--- a/rules/office365/power_apps_data_leaks.yml
+++ b/rules/office365/power_apps_data_leaks.yml
@@ -38,7 +38,7 @@ afterEvents:
 - field: action
 operator: filter_term
 value: 'CreateDataConnection'
- within: now-12h
+ within: 12h
 count: 2
 or:
 - indexPattern: v11-log-o365-*
@@ -49,7 +49,7 @@ afterEvents:
 - field: action
 operator: filter_term
 value: 'UpdateDataConnection'
- within: now-12h
+ within: 12h
 count: 2
 - indexPattern: v11-log-o365-*
 with:
@@ -59,7 +59,7 @@ afterEvents:
 - field: action
 operator: filter_term
 value: 'ExportData'
- within: now-12h
+ within: 12h
 count: 3
 groupBy:
 - adversary.ip
diff --git a/rules/office365/power_automate_abuse.yml b/rules/office365/power_automate_abuse.yml
index 10067dfc2..a872450c9 100644
--- a/rules/office365/power_automate_abuse.yml
+++ b/rules/office365/power_automate_abuse.yml
@@ -38,7 +38,7 @@ afterEvents:
 - field: log.Workload
 operator: filter_term
 value: 'PowerAutomate'
- within: now-6h
+ within: 6h
 count: 10
 groupBy:
 - lastEvent.action
diff --git a/rules/office365/power_bi_data_export.yml b/rules/office365/power_bi_data_export.yml
index 9dda76cf9..336dce488 100644
--- a/rules/office365/power_bi_data_export.yml
+++ b/rules/office365/power_bi_data_export.yml
@@ -37,7 +37,7 @@ afterEvents:
 - field: action
 operator: filter_match
 value: 'Export'
- within: now-30m
+ within: 30m
 count: 5
 groupBy:
 - adversary.user
diff --git a/rules/office365/safe_links_click_patterns.yml b/rules/office365/safe_links_click_patterns.yml
index 01c1df0ba..78d86622a 100644
--- a/rules/office365/safe_links_click_patterns.yml
+++ b/rules/office365/safe_links_click_patterns.yml
@@ -34,7 +34,7 @@ afterEvents:
 - field: action
 operator: filter_term
 value: 'ClickedSafeLink'
- within: now-30m
+ within: 30m
 count: 5
 groupBy:
 - adversary.user
diff --git a/rules/office365/sharepoint_mass_downloads.yml b/rules/office365/sharepoint_mass_downloads.yml
index 882067137..4252d8f2f 100644
--- a/rules/office365/sharepoint_mass_downloads.yml
+++ b/rules/office365/sharepoint_mass_downloads.yml
@@ -36,7 +36,7 @@ afterEvents:
 - field: action
 operator: filter_term
 value: 'FileDownloaded'
- within: now-30m
+ within: 30m
 count: 100
 groupBy:
 - adversary.ip
diff --git a/rules/office365/teams_data_exfiltration.yml b/rules/office365/teams_data_exfiltration.yml
index 95fccb238..818e77308 100644
--- a/rules/office365/teams_data_exfiltration.yml
+++ b/rules/office365/teams_data_exfiltration.yml
@@ -35,7 +35,7 @@ afterEvents:
 - field: log.Workload
 operator: filter_term
 value: 'MicrosoftTeams'
- within: now-1h
+ within: 1h
 count: 20
 groupBy:
 - lastEvent.log.appAccessContextClientAppId
diff --git a/rules/office365/teams_external_user_abuse.yml b/rules/office365/teams_external_user_abuse.yml
index 5a943c273..300b9adff 100644
--- a/rules/office365/teams_external_user_abuse.yml
+++ b/rules/office365/teams_external_user_abuse.yml
@@ -38,7 +38,7 @@ afterEvents:
 - field: log.Parameters
 operator: filter_match
 value: '#EXT#'
- within: now-1h
+ within: 1h
 count: 5
 groupBy:
 - adversary.ip
diff --git a/rules/paloalto/pa_firewall/panos_admin_brute_force.yml b/rules/paloalto/pa_firewall/panos_admin_brute_force.yml
index b1d606f1e..e395bc50e 100644
--- a/rules/paloalto/pa_firewall/panos_admin_brute_force.yml
+++ b/rules/paloalto/pa_firewall/panos_admin_brute_force.yml
@@ -36,7 +36,7 @@ afterEvents:
 - field: log.pa_type
 operator: filter_term
 value: 'SYSTEM'
- within: now-15m
+ within: 15m
 count: 10
 groupBy:
 - adversary.ip
diff --git a/rules/paloalto/pa_firewall/panos_dns_security_alerts.yml b/rules/paloalto/pa_firewall/panos_dns_security_alerts.yml
index 4270f177e..f48a242aa 100644
--- a/rules/paloalto/pa_firewall/panos_dns_security_alerts.yml
+++ b/rules/paloalto/pa_firewall/panos_dns_security_alerts.yml
@@ -39,7 +39,7 @@ afterEvents:
 - field: log.pa_subtype
 operator: filter_term
 value: 'dns'
- within: now-30m
+ within: 30m
 count: 3
 groupBy:
 - adversary.ip
diff --git a/rules/paloalto/pa_firewall/panos_url_filtering_blocks.yml b/rules/paloalto/pa_firewall/panos_url_filtering_blocks.yml
index cdad2ee8b..ec9b867ff 100644
--- a/rules/paloalto/pa_firewall/panos_url_filtering_blocks.yml
+++ b/rules/paloalto/pa_firewall/panos_url_filtering_blocks.yml
@@ -38,7 +38,7 @@ afterEvents:
 - field: log.pa_subtype
 operator: filter_term
 value: 'url'
- within: now-30m
+ within: 30m
 count: 5
 groupBy:
 - adversary.ip
diff --git a/rules/paloalto/pa_firewall/zero_day_exploit_prevention.yml b/rules/paloalto/pa_firewall/zero_day_exploit_prevention.yml
index e3959c3a3..0339ae464 100644
--- a/rules/paloalto/pa_firewall/zero_day_exploit_prevention.yml
+++ b/rules/paloalto/pa_firewall/zero_day_exploit_prevention.yml
@@ -34,7 +34,7 @@ afterEvents:
 - field: log.pa_type
 operator: filter_term
 value: 'THREAT'
- within: now-30m
+ within: 30m
 count: 2
 groupBy:
 - adversary.ip
diff --git a/rules/pfsense/dns_resolver_cache_poisoning.yml b/rules/pfsense/dns_resolver_cache_poisoning.yml
index ac0e1e4cc..53e339204 100644
--- a/rules/pfsense/dns_resolver_cache_poisoning.yml
+++ b/rules/pfsense/dns_resolver_cache_poisoning.yml
@@ -30,7 +30,7 @@ afterEvents:
 - field: origin.ip
 operator: filter_term
 value: '{{.origin.ip}}'
- within: now-5m
+ within: 5m
 count: 10
 groupBy:
 - lastEvent.log.query_name
diff --git a/rules/pfsense/pfsense_admin_brute_force.yml b/rules/pfsense/pfsense_admin_brute_force.yml
index e6d9b678e..0d0cda31d 100644
--- a/rules/pfsense/pfsense_admin_brute_force.yml
+++ b/rules/pfsense/pfsense_admin_brute_force.yml
@@ -34,7 +34,7 @@ afterEvents:
 - field: origin.ip
 operator: filter_term
 value: '{{.origin.ip}}'
- within: now-15m
+ within: 15m
 count: 10
 groupBy:
 - adversary.ip
diff --git a/rules/pfsense/snort_suricata_ids_alerts.yml b/rules/pfsense/snort_suricata_ids_alerts.yml
index 718898b3e..38307f527 100644
--- a/rules/pfsense/snort_suricata_ids_alerts.yml
+++ b/rules/pfsense/snort_suricata_ids_alerts.yml
@@ -34,7 +34,7 @@ afterEvents:
 - field: origin.ip
 operator: filter_term
 value: '{{.origin.ip}}'
- within: now-15m
+ within: 15m
 count: 3
 groupBy:
 - lastEvent.log.eventType
diff --git a/rules/sonicwall/sonicwall_firewall/anti_spyware_detection.yml b/rules/sonicwall/sonicwall_firewall/anti_spyware_detection.yml
index d68b03be7..f0d6e5524 100644
--- a/rules/sonicwall/sonicwall_firewall/anti_spyware_detection.yml
+++ b/rules/sonicwall/sonicwall_firewall/anti_spyware_detection.yml
@@ -37,7 +37,7 @@ afterEvents:
 - field: origin.ip
 operator: filter_term
 value: '{{.origin.ip}}'
- within: now-1h
+ within: 1h
 count: 3
 deduplicateBy:
 - adversary.ip
diff --git a/rules/sonicwall/sonicwall_firewall/botnet_detection.yml b/rules/sonicwall/sonicwall_firewall/botnet_detection.yml
index dccfa4ef9..fdedd55ab 100644
--- a/rules/sonicwall/sonicwall_firewall/botnet_detection.yml
+++ b/rules/sonicwall/sonicwall_firewall/botnet_detection.yml
@@ -31,7 +31,7 @@ afterEvents:
 - field: origin.ip
 operator: filter_term
 value: '{{.origin.ip}}'
- within: now-2h
+ within: 2h
 count: 10
 groupBy:
 - adversary.ip
diff --git a/rules/sonicwall/sonicwall_firewall/capture_atp_verdicts.yml b/rules/sonicwall/sonicwall_firewall/capture_atp_verdicts.yml
index 4d08688fe..d61d78fa8 100644
--- a/rules/sonicwall/sonicwall_firewall/capture_atp_verdicts.yml
+++ b/rules/sonicwall/sonicwall_firewall/capture_atp_verdicts.yml
@@ -30,7 +30,7 @@ afterEvents:
 - field: origin.ip
 operator: filter_term
 value: '{{.origin.ip}}'
- within: now-1h
+ within: 1h
 count: 2
 groupBy:
 - adversary.host
diff --git a/rules/sonicwall/sonicwall_firewall/encrypted_threats_detection.yml b/rules/sonicwall/sonicwall_firewall/encrypted_threats_detection.yml
index 5460e9ae7..80eac950f 100644
--- a/rules/sonicwall/sonicwall_firewall/encrypted_threats_detection.yml
+++ b/rules/sonicwall/sonicwall_firewall/encrypted_threats_detection.yml
@@ -34,7 +34,7 @@ afterEvents:
 - field: origin.ip
 operator: filter_term
 value: '{{.origin.ip}}'
- within: now-30m
+ within: 30m
 count: 3
 groupBy:
 - adversary.ip
diff --git a/rules/sonicwall/sonicwall_firewall/gateway_antivirus_detection.yml b/rules/sonicwall/sonicwall_firewall/gateway_antivirus_detection.yml
index 2a92bbac6..96638b3df 100644
--- a/rules/sonicwall/sonicwall_firewall/gateway_antivirus_detection.yml
+++ b/rules/sonicwall/sonicwall_firewall/gateway_antivirus_detection.yml
@@ -37,7 +37,7 @@ afterEvents:
 - field: origin.ip
 operator: filter_term
 value: '{{.origin.ip}}'
- within: now-1h
+ within: 1h
 count: 3
 groupBy:
 - adversary.host
diff --git a/rules/sonicwall/sonicwall_firewall/intrusion_prevention_alert.yml b/rules/sonicwall/sonicwall_firewall/intrusion_prevention_alert.yml
index 6a5fd80c0..332538062 100644
--- a/rules/sonicwall/sonicwall_firewall/intrusion_prevention_alert.yml
+++ b/rules/sonicwall/sonicwall_firewall/intrusion_prevention_alert.yml
@@ -37,7 +37,7 @@ afterEvents:
 - field: origin.ip
 operator: filter_term
 value: '{{.origin.ip}}'
- within: now-15m
+ within: 15m
 count: 3
 groupBy:
 - adversary.ip
diff --git a/rules/sonicwall/sonicwall_firewall/sonicwall_admin_auth_failures.yml b/rules/sonicwall/sonicwall_firewall/sonicwall_admin_auth_failures.yml
index 7e61e7287..837882ae0 100644
--- a/rules/sonicwall/sonicwall_firewall/sonicwall_admin_auth_failures.yml
+++ b/rules/sonicwall/sonicwall_firewall/sonicwall_admin_auth_failures.yml
@@ -35,7 +35,7 @@ afterEvents:
 - field: origin.ip
 operator: filter_term
 value: '{{.origin.ip}}'
- within: now-15m
+ within: 15m
 count: 10
 groupBy:
 - adversary.ip
diff --git a/rules/sonicwall/sonicwall_firewall/sonicwall_vpn_failures.yml b/rules/sonicwall/sonicwall_firewall/sonicwall_vpn_failures.yml
index 65b0f2a9e..3dc38d521 100644
--- a/rules/sonicwall/sonicwall_firewall/sonicwall_vpn_failures.yml
+++ b/rules/sonicwall/sonicwall_firewall/sonicwall_vpn_failures.yml
@@ -35,7 +35,7 @@ afterEvents:
 - field: origin.ip
 operator: filter_term
 value: '{{.origin.ip}}'
- within: now-15m
+ within: 15m
 count: 10
 groupBy:
 - adversary.ip
diff --git a/rules/sophos/sophos_central/behavioral_analysis_alerts.yml b/rules/sophos/sophos_central/behavioral_analysis_alerts.yml
index e727b4f82..6966d41de 100644
--- a/rules/sophos/sophos_central/behavioral_analysis_alerts.yml
+++ b/rules/sophos/sophos_central/behavioral_analysis_alerts.yml
@@ -34,7 +34,7 @@ afterEvents:
 - field: origin.ip
 operator: filter_term
 value: '{{.origin.ip}}'
- within: now-30m
+ within: 30m
 count: 3
 groupBy:
 - lastEvent.log.processPath
diff --git a/rules/sophos/sophos_central/exploit_prevention_triggers.yml b/rules/sophos/sophos_central/exploit_prevention_triggers.yml
index 645e95872..707041353 100644
--- a/rules/sophos/sophos_central/exploit_prevention_triggers.yml
+++ b/rules/sophos/sophos_central/exploit_prevention_triggers.yml
@@ -34,7 +34,7 @@ afterEvents:
 - field: log.endpointId
 operator: filter_term
 value: '{{.log.endpointId}}'
- within: now-30m
+ within: 30m
 count: 2
 groupBy:
 - lastEvent.log.name
diff --git a/rules/sophos/sophos_central/managed_threat_response_alerts.yml b/rules/sophos/sophos_central/managed_threat_response_alerts.yml
index 919073b87..244649dfe 100644
--- a/rules/sophos/sophos_central/managed_threat_response_alerts.yml
+++ b/rules/sophos/sophos_central/managed_threat_response_alerts.yml
@@ -35,7 +35,7 @@ afterEvents:
 - field: log.severity
 operator: filter_term
 value: 'critical'
- within: now-1h
+ within: 1h
 count: 3
 groupBy:
 - adversary.host
diff --git a/rules/sophos/sophos_central/sophos_central_possible_brute_force_attack.yml b/rules/sophos/sophos_central/sophos_central_possible_brute_force_attack.yml
index ee7dbfbd8..8aae4055e 100644
--- a/rules/sophos/sophos_central/sophos_central_possible_brute_force_attack.yml
+++ b/rules/sophos/sophos_central/sophos_central_possible_brute_force_attack.yml
@@ -26,7 +26,7 @@ afterEvents:
 - field: log.ip
 operator: filter_term
 value: "{{.log.ip}}"
- within: now-5m
+ within: 5m
 count: 10
 groupBy:
 - adversary.host
diff --git a/rules/sophos/sophos_central/sophos_central_potential_password_spraying_attack.yml b/rules/sophos/sophos_central/sophos_central_potential_password_spraying_attack.yml
index a11cafadb..bfabab056 100644
--- a/rules/sophos/sophos_central/sophos_central_potential_password_spraying_attack.yml
+++ b/rules/sophos/sophos_central/sophos_central_potential_password_spraying_attack.yml
@@ -26,7 +26,7 @@ afterEvents:
 - field: log.ip
 operator: filter_term
 value: "{{.log.ip}}"
- within: now-1m
+ within: 1m
 count: 10
 groupBy:
 - adversary.host
diff --git a/rules/sophos/sophos_xg_firewall/advanced_threat_protection_alerts.yml b/rules/sophos/sophos_xg_firewall/advanced_threat_protection_alerts.yml
index 951c8e03d..749795f9f 100644
--- a/rules/sophos/sophos_xg_firewall/advanced_threat_protection_alerts.yml
+++ b/rules/sophos/sophos_xg_firewall/advanced_threat_protection_alerts.yml
@@ -33,7 +33,7 @@ afterEvents:
 - field: origin.ip
 operator: filter_term
 value: '{{.origin.ip}}'
- within: now-30m
+ within: 30m
 count: 2
 groupBy:
 - adversary.ip
diff --git a/rules/sophos/sophos_xg_firewall/sophos_password_guessing_on_administrator_account.yml b/rules/sophos/sophos_xg_firewall/sophos_password_guessing_on_administrator_account.yml
index 0fa2c401e..58ae4c048 100644
--- a/rules/sophos/sophos_xg_firewall/sophos_password_guessing_on_administrator_account.yml
+++ b/rules/sophos/sophos_xg_firewall/sophos_password_guessing_on_administrator_account.yml
@@ -29,7 +29,7 @@ afterEvents:
 - field: log.Id
 operator: filter_term
 value: '17913'
- within: now-15m
+ within: 15m
 count: 10
 groupBy:
 - adversary.ip
diff --git a/rules/sophos/sophos_xg_firewall/sophos_xg_ips_signatures.yml b/rules/sophos/sophos_xg_firewall/sophos_xg_ips_signatures.yml
index df2ba8452..10e0be3af 100644
--- a/rules/sophos/sophos_xg_firewall/sophos_xg_ips_signatures.yml
+++ b/rules/sophos/sophos_xg_firewall/sophos_xg_ips_signatures.yml
@@ -35,7 +35,7 @@ afterEvents:
 - field: origin.ip
 operator: filter_term
 value: '{{.origin.ip}}'
- within: now-15m
+ within: 15m
 count: 3
 groupBy:
 - adversary.ip
diff --git a/rules/sophos/sophos_xg_firewall/sophos_xg_vpn_auth_failures.yml b/rules/sophos/sophos_xg_firewall/sophos_xg_vpn_auth_failures.yml
index e9aa1a1ae..4bc1bbc53 100644
--- a/rules/sophos/sophos_xg_firewall/sophos_xg_vpn_auth_failures.yml
+++ b/rules/sophos/sophos_xg_firewall/sophos_xg_vpn_auth_failures.yml
@@ -35,7 +35,7 @@ afterEvents:
 - field: origin.ip
 operator: filter_term
 value: '{{.origin.ip}}'
- within: now-15m
+ within: 15m
 count: 10
 groupBy:
 - adversary.ip
diff --git a/rules/suricata/high_severity_suricata_alerts_were_detected.yml b/rules/suricata/high_severity_suricata_alerts_were_detected.yml
index 34ca86761..66cdfc139 100644
--- a/rules/suricata/high_severity_suricata_alerts_were_detected.yml
+++ b/rules/suricata/high_severity_suricata_alerts_were_detected.yml
@@ -20,7 +20,7 @@ afterEvents:
 - field: origin.ip
 operator: filter_term
 value: '{{.origin.ip}}'
- within: now-15m
+ within: 15m
 count: 3
 groupBy:
 - adversary.ip
diff --git a/rules/suricata/medium_severity_suricata_alerts_were_detected.yml b/rules/suricata/medium_severity_suricata_alerts_were_detected.yml
index ba635814c..277e9c8cf 100644
--- a/rules/suricata/medium_severity_suricata_alerts_were_detected.yml
+++ b/rules/suricata/medium_severity_suricata_alerts_were_detected.yml
@@ -20,7 +20,7 @@ afterEvents:
 - field: target.ip
 operator: filter_term
 value: '{{.target.ip}}'
- within: now-15m
+ within: 15m
 count: 5
 deduplicateBy:
 - target.ip
diff --git a/rules/syslog/cef/syslog_source_impersonation.yml b/rules/syslog/cef/syslog_source_impersonation.yml
index 09a4ed11e..14991eccb 100644
--- a/rules/syslog/cef/syslog_source_impersonation.yml
+++ b/rules/syslog/cef/syslog_source_impersonation.yml
@@ -40,7 +40,7 @@ afterEvents:
 - field: origin.ip
 operator: filter_term
 value: '{{.origin.ip}}'
- within: now-15m
+ within: 15m
 count: 5
 groupBy:
 - lastEvent.log.deviceVendor
diff --git a/rules/syslog/cef/user_agent_anomalies.yml b/rules/syslog/cef/user_agent_anomalies.yml
index 9fb292bf2..da6a1509d 100644
--- a/rules/syslog/cef/user_agent_anomalies.yml
+++ b/rules/syslog/cef/user_agent_anomalies.yml
@@ -43,7 +43,7 @@ afterEvents:
 - field: origin.ip
 operator: filter_term
 value: '{{.origin.ip}}'
- within: now-1h
+ within: 1h
 count: 10
 groupBy:
 - lastEvent.log.requestClientApplication
diff --git a/rules/vmware/vmware-esxi/vcenter_server_attacks.yml b/rules/vmware/vmware-esxi/vcenter_server_attacks.yml
index 61fce9adc..c57f7437e 100644
--- a/rules/vmware/vmware-esxi/vcenter_server_attacks.yml
+++ b/rules/vmware/vmware-esxi/vcenter_server_attacks.yml
@@ -45,7 +45,7 @@ afterEvents:
 - field: origin.hostname
 operator: filter_term
 value: '{{.origin.hostname}}'
- within: now-30m
+ within: 30m
 count: 5
 groupBy:
 - adversary.host
diff --git a/rules/vmware/vmware-esxi/vmware_tools_vulnerabilities.yml b/rules/vmware/vmware-esxi/vmware_tools_vulnerabilities.yml
index bba758d4f..11428f501 100644
--- a/rules/vmware/vmware-esxi/vmware_tools_vulnerabilities.yml
+++ b/rules/vmware/vmware-esxi/vmware_tools_vulnerabilities.yml
@@ -38,7 +38,7 @@ afterEvents:
 - field: origin.hostname
 operator: filter_term
 value: '{{.origin.hostname}}'
- within: now-15m
+ within: 15m
 count: 5
 groupBy:
 - adversary.hostname
diff --git a/rules/vmware/vmware-esxi/vsphere_api_abuse.yml b/rules/vmware/vmware-esxi/vsphere_api_abuse.yml
index e29697988..cb25a9c1d 100644
--- a/rules/vmware/vmware-esxi/vsphere_api_abuse.yml
+++ b/rules/vmware/vmware-esxi/vsphere_api_abuse.yml
@@ -46,7 +46,7 @@ afterEvents:
 - field: origin.hostname
 operator: filter_term
 value: '{{.origin.hostname}}'
- within: now-5m
+ within: 5m
 count: 10
 groupBy:
 - lastEvent.log.eventInfo
diff --git a/rules/windows/adfs_authentication_anomalies.yml b/rules/windows/adfs_authentication_anomalies.yml
index f88701881..822ee3a08 100644
--- a/rules/windows/adfs_authentication_anomalies.yml
+++ b/rules/windows/adfs_authentication_anomalies.yml
@@ -31,7 +31,7 @@ afterEvents:
 - field: origin.ip.keyword
 operator: filter_term
 value: '{{.origin.ip}}'
- within: now-10m
+ within: 10m
 count: 10
 groupBy:
 - origin.ip
diff --git a/rules/windows/asrep_roasting_detection.yml b/rules/windows/asrep_roasting_detection.yml
index 300944e43..09eecd197 100644
--- a/rules/windows/asrep_roasting_detection.yml
+++ b/rules/windows/asrep_roasting_detection.yml
@@ -40,7 +40,7 @@ afterEvents:
 - field: origin.ip.keyword
 operator: filter_term
 value: '{{.origin.ip}}'
- within: now-15m
+ within: 15m
 count: 3
 groupBy:
 - origin.ip
diff --git a/rules/windows/golden_ticket_detection.yml b/rules/windows/golden_ticket_detection.yml
index e622c365d..9df408ff3 100644
--- a/rules/windows/golden_ticket_detection.yml
+++ b/rules/windows/golden_ticket_detection.yml
@@ -57,7 +57,7 @@ afterEvents:
 - field: origin.host
 operator: filter_term
 value: '{{.origin.host}}'
- within: now-30m
+ within: 30m
 count: 3
 groupBy:
 - origin.host
diff --git a/rules/windows/kerberoasting_detection.yml b/rules/windows/kerberoasting_detection.yml
index fb1068d58..eb2a0c2ab 100644
--- a/rules/windows/kerberoasting_detection.yml
+++ b/rules/windows/kerberoasting_detection.yml
@@ -44,7 +44,7 @@ afterEvents:
 - field: origin.ip.keyword
 operator: filter_term
 value: '{{.origin.ip}}'
- within: now-15m
+ within: 15m
 count: 3
 groupBy:
 - origin.ip
diff --git a/rules/windows/ntds_extraction_attempts.yml b/rules/windows/ntds_extraction_attempts.yml
index de393cbcc..a91ea5844 100644
--- a/rules/windows/ntds_extraction_attempts.yml
+++ b/rules/windows/ntds_extraction_attempts.yml
@@ -42,7 +42,7 @@ afterEvents:
 - field: origin.host
 operator: filter_term
 value: '{{.origin.host}}'
- within: now-30m
+ within: 30m
 count: 2
 groupBy:
 - origin.host
diff --git a/rules/windows/ransom_multiple_file_deletion.yml b/rules/windows/ransom_multiple_file_deletion.yml
index 51658cc67..2073ade06 100644
--- a/rules/windows/ransom_multiple_file_deletion.yml
+++ b/rules/windows/ransom_multiple_file_deletion.yml
@@ -33,7 +33,7 @@ afterEvents:
 - field: target.user.keyword
 operator: filter_term
 value: "{{.target.user}}"
- within: now-5m
+ within: 5m
 count: 50
 groupBy:
 - origin.ip
diff --git a/rules/windows/ransom_note_creation.yml b/rules/windows/ransom_note_creation.yml
index ae0ded458..a48fc220f 100644
--- a/rules/windows/ransom_note_creation.yml
+++ b/rules/windows/ransom_note_creation.yml
@@ -25,7 +25,7 @@ afterEvents:
 - field: log.EventDataFileName.keyword
 operator: filter_term
 value: '{{.log.EventDataFileName}}'
- within: now-60s
+ within: 60s
 count: 5
 groupBy:
 - origin.ip
diff --git a/rules/windows/ransom_unusual_file_extension.yml b/rules/windows/ransom_unusual_file_extension.yml
index e19a191c1..243e33436 100644
--- a/rules/windows/ransom_unusual_file_extension.yml
+++ b/rules/windows/ransom_unusual_file_extension.yml
@@ -25,7 +25,7 @@ afterEvents:
 - field: target.user.keyword
 operator: filter_term
 value: "{{.target.user}}"
- within: now-5m
+ within: 5m
 count: 20
 groupBy:
 - origin.ip
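Review bot: The ransom_note_creation.yml hunk keeps its window in seconds, `within: 60s`, while every other rule touched by this commit expresses the window in minutes or hours (for example `within: 1m` in sophos_central_potential_password_spraying_attack.yml), so the unit is the one stylistic outlier left after the prefix was dropped. If the engine's duration parser treats `60s` and `1m` as the same value, `within: 1m` would keep the rule set uniform and easier to scan when tuning thresholds. Whether the two spellings are equivalent is not visible in this diff, so confirm against the parser before normalizing. In each of these hunks the enclosing afterEvents block begins and ends outside the shown lines.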
diff --git a/rules/windows/silver_ticket_detection.yml b/rules/windows/silver_ticket_detection.yml
index 143fdc8a1..8f4e87eb9 100644
--- a/rules/windows/silver_ticket_detection.yml
+++ b/rules/windows/silver_ticket_detection.yml
@@ -44,7 +44,7 @@ afterEvents:
 - field: origin.ip.keyword
 operator: filter_term
 value: '{{.origin.ip}}'
- within: now-15m
+ within: 15m
 count: 5
 groupBy:
 - origin.ip