From 3523509bd6b6545ffaaa2d07bff5f630e501b2ee Mon Sep 17 00:00:00 2001
From: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com>
Date: Sat, 18 May 2024 13:32:28 +0000
Subject: [PATCH] Sync rules from Elastic Security
---
 custom_rules/etc/version.lock.json | 15 +++-
 ...mmand_and_control_dac_demo_dev_rule_1.toml | 75 +++++++++++++++++++
 ...mmand_and_control_dac_demo_dev_rule_2.toml | 69 +++++++++++++++++
 3 files changed, 158 insertions(+), 1 deletion(-)
 create mode 100644 custom_rules/rules/command_and_control_dac_demo_dev_rule_1.toml
 create mode 100644 custom_rules/rules/command_and_control_dac_demo_dev_rule_2.toml
diff --git a/custom_rules/etc/version.lock.json b/custom_rules/etc/version.lock.json
index 9e26dfeeb6e..5b5120b4da1 100644
--- a/custom_rules/etc/version.lock.json
+++ b/custom_rules/etc/version.lock.json
@@ -1 +1,14 @@
-{}
\ No newline at end of file
+{
+ "794d2fc0-ecd0-4963-99da-fd587666b80d": {
+ "rule_name": "DAC Demo Dev Rule 1",
+ "sha256": "5e437732d012988436e8b9ed87b71d748d29ba7c1c847c06670824d6d9684518",
+ "type": "eql",
+ "version": 1
+ },
+ "e8e3af2a-11b8-4ab7-9ca1-c6db621ea89d": {
+ "rule_name": "DAC Demo Dev Rule 2",
+ "sha256": "e32fa9b058f94183eda08bb88473f9fe48661d06e83be3255e6aaae3b13f6ce2",
+ "type": "eql",
+ "version": 1
+ }
+}
\ No newline at end of file
diff --git a/custom_rules/rules/command_and_control_dac_demo_dev_rule_1.toml b/custom_rules/rules/command_and_control_dac_demo_dev_rule_1.toml
new file mode 100644
index 00000000000..189dd02f474
--- /dev/null
+++ b/custom_rules/rules/command_and_control_dac_demo_dev_rule_1.toml
@@ -0,0 +1,75 @@
+[metadata]
+creation_date = "2024/05/18"
+maturity = "production"
+updated_date = "2024/05/18"
+
+[rule]
+actions = []
+author = ["DAC User"]
+description = "Test Rule"
+enabled = true
+exceptions_list = []
+false_positives = []
+filters = []
+from = "now-540s"
+index = ["logs*"]
+interval = "5m"
+language = "eql"
+license = "Elastic License v2"
+max_signals = 100
+name = "DAC Demo Dev Rule 1"
+note = "Test Note"
+references = ["https://dac-reference.readthedocs.io/en/latest/"]
+risk_score = 47
+risk_score_mapping = []
+rule_id = "794d2fc0-ecd0-4963-99da-fd587666b80d"
+setup = "Test Setup"
+severity = "medium"
+severity_mapping = []
+tags = [
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Command and Control",
+ "Data Source: Elastic Defend",
+]
+timestamp_override = "event.ingested"
+to = "now"
+type = "eql"
+
+query = '''
+process where host.os.type == "linux" and process.name == "updated"
+'''
+
+
+[[rule.related_integrations]]
+package = "endpoint"
+version = "^8.2.0"
+
+[[rule.required_fields]]
+ecs = true
+name = "host.os.type"
+type = "keyword"
+
+[[rule.required_fields]]
+ecs = true
+name = "process.name"
+type = "keyword"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1572"
+name = "Protocol Tunneling"
+reference = "https://attack.mitre.org/techniques/T1572/"
+subtechnique = []
+
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+
+[rule.meta]
+from = "4m"
+kibana_siem_app_url = ""
+
diff --git a/custom_rules/rules/command_and_control_dac_demo_dev_rule_2.toml b/custom_rules/rules/command_and_control_dac_demo_dev_rule_2.toml
new file mode 100644
index 00000000000..36625347bda
--- /dev/null
+++ b/custom_rules/rules/command_and_control_dac_demo_dev_rule_2.toml
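Review bot: The rule goes live with `maturity = "production"` and `enabled = true` while `description`, `note` and `setup` are still the placeholders "Test Rule", "Test Note" and "Test Setup", so an analyst who receives an alert gets no triage guidance and a demo rule runs against the broad `logs*` pattern; either set `enabled = false` / `maturity = "development"` until the text is real, or fill those fields in. The query matches every process event carrying that name, and with Elastic Defend (the tagged data source) that presumably includes both start and end events, so a single invocation would likely raise two alerts; `process where host.os.type == "linux" and event.type == "start" and process.name == "updated"` limits it to process starts. The T1572 Protocol Tunneling mapping is not supported by a bare process-name match either, so either drop the technique or explain in `note` why `updated` is tied to tunneling. Note that the `sha256` recorded for this rule in `version.lock.json` in the same commit appears to be derived from the file contents, so any edit here will need the lock regenerated.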
@@ -0,0 +1,69 @@
+[metadata]
+creation_date = "2024/05/18"
+maturity = "production"
+updated_date = "2024/05/18"
+
+[rule]
+actions = []
+author = ["DAC User"]
+description = "Test Rule"
+enabled = true
+exceptions_list = []
+false_positives = []
+from = "now-9m"
+index = ["logs*"]
+interval = "5m"
+language = "eql"
+license = "Elastic License v2"
+max_signals = 100
+name = "DAC Demo Dev Rule 2"
+note = "Test Note"
+references = ["https://dac-reference.readthedocs.io/en/latest/"]
+risk_score = 47
+risk_score_mapping = []
+rule_id = "e8e3af2a-11b8-4ab7-9ca1-c6db621ea89d"
+setup = "Test Setup"
+severity = "medium"
+severity_mapping = []
+tags = [
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Command and Control",
+ "Data Source: Elastic Defend",
+]
+timestamp_override = "event.ingested"
+to = "now"
+type = "eql"
+
+query = '''
+process where host.os.type == "linux" and process.name == "updated"
+'''
+
+
+[[rule.related_integrations]]
+package = "endpoint"
+version = "^8.2.0"
+
+[[rule.required_fields]]
+ecs = true
+name = "host.os.type"
+type = "keyword"
+
+[[rule.required_fields]]
+ecs = true
+name = "process.name"
+type = "keyword"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1572"
+name = "Protocol Tunneling"
+reference = "https://attack.mitre.org/techniques/T1572/"
+
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+
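Review bot: The `query` here is identical to the one in `command_and_control_dac_demo_dev_rule_1.toml` added by the same commit (`process where host.os.type == "linux" and process.name == "updated"`), and both rules are `enabled = true` at the same severity, so every matching event produces two alerts that add noise rather than coverage; give this rule a distinct condition or ship it with `enabled = false`. The file also drifts from rule 1 in ways that look unintentional rather than designed — no `filters = []`, no `subtechnique = []` under the technique, and no `[rule.meta]` block — which makes the pair harder to diff and maintain, so the two schemas should be aligned one way or the other. As with rule 1, `description`, `note` and `setup` are still "Test" placeholders under `maturity = "production"`, so an alert from this rule carries no triage guidance.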