From b6d21b3ca72bd04b4d8c97b1304eac372d8e5a34 Mon Sep 17 00:00:00 2001
From: eric-forte-elastic
Date: Sat, 18 May 2024 09:36:25 -0400
Subject: [PATCH] Remove Demo Rules
---
 custom_rules/etc/version.lock.json | 15 +---
 ...mmand_and_control_dac_demo_dev_rule_1.toml | 75 -------------------
 ...mmand_and_control_dac_demo_dev_rule_2.toml | 69 -----------------
 3 files changed, 1 insertion(+), 158 deletions(-)
 delete mode 100644 custom_rules/rules/command_and_control_dac_demo_dev_rule_1.toml
 delete mode 100644 custom_rules/rules/command_and_control_dac_demo_dev_rule_2.toml
diff --git a/custom_rules/etc/version.lock.json b/custom_rules/etc/version.lock.json
index 5b5120b4da1..9e26dfeeb6e 100644
--- a/custom_rules/etc/version.lock.json
+++ b/custom_rules/etc/version.lock.json
@@ -1,14 +1 @@
-{
- "794d2fc0-ecd0-4963-99da-fd587666b80d": {
- "rule_name": "DAC Demo Dev Rule 1",
- "sha256": "5e437732d012988436e8b9ed87b71d748d29ba7c1c847c06670824d6d9684518",
- "type": "eql",
- "version": 1
- },
- "e8e3af2a-11b8-4ab7-9ca1-c6db621ea89d": {
- "rule_name": "DAC Demo Dev Rule 2",
- "sha256": "e32fa9b058f94183eda08bb88473f9fe48661d06e83be3255e6aaae3b13f6ce2",
- "type": "eql",
- "version": 1
- }
-}
\ No newline at end of file
+{}
\ No newline at end of file
diff --git a/custom_rules/rules/command_and_control_dac_demo_dev_rule_1.toml b/custom_rules/rules/command_and_control_dac_demo_dev_rule_1.toml
deleted file mode 100644
index 189dd02f474..00000000000
--- a/custom_rules/rules/command_and_control_dac_demo_dev_rule_1.toml
+++ /dev/null
@@ -1,75 +0,0 @@
-[metadata]
-creation_date = "2024/05/18"
-maturity = "production"
-updated_date = "2024/05/18"
-
-[rule]
-actions = []
-author = ["DAC User"]
-description = "Test Rule"
-enabled = true
-exceptions_list = []
-false_positives = []
-filters = []
-from = "now-540s"
-index = ["logs*"]
-interval = "5m"
-language = "eql"
-license = "Elastic License v2"
-max_signals = 100
-name = "DAC Demo Dev Rule 1"
-note = "Test Note"
-references = ["https://dac-reference.readthedocs.io/en/latest/"]
-risk_score = 47
-risk_score_mapping = []
-rule_id = "794d2fc0-ecd0-4963-99da-fd587666b80d"
-setup = "Test Setup"
-severity = "medium"
-severity_mapping = []
-tags = [
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Command and Control",
- "Data Source: Elastic Defend",
-]
-timestamp_override = "event.ingested"
-to = "now"
-type = "eql"
-
-query = '''
-process where host.os.type == "linux" and process.name == "updated"
-'''
-
-
-[[rule.related_integrations]]
-package = "endpoint"
-version = "^8.2.0"
-
-[[rule.required_fields]]
-ecs = true
-name = "host.os.type"
-type = "keyword"
-
-[[rule.required_fields]]
-ecs = true
-name = "process.name"
-type = "keyword"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1572"
-name = "Protocol Tunneling"
-reference = "https://attack.mitre.org/techniques/T1572/"
-subtechnique = []
-
-
-[rule.threat.tactic]
-id = "TA0011"
-name = "Command and Control"
-reference = "https://attack.mitre.org/tactics/TA0011/"
-
-[rule.meta]
-from = "4m"
-kibana_siem_app_url = ""
-
diff --git a/custom_rules/rules/command_and_control_dac_demo_dev_rule_2.toml b/custom_rules/rules/command_and_control_dac_demo_dev_rule_2.toml
deleted file mode 100644
index 36625347bda..00000000000
--- a/custom_rules/rules/command_and_control_dac_demo_dev_rule_2.toml
+++ /dev/null
@@ -1,69 +0,0 @@
-[metadata]
-creation_date = "2024/05/18"
-maturity = "production"
-updated_date = "2024/05/18"
-
-[rule]
-actions = []
-author = ["DAC User"]
-description = "Test Rule"
-enabled = true
-exceptions_list = []
-false_positives = []
-from = "now-9m"
-index = ["logs*"]
-interval = "5m"
-language = "eql"
-license = "Elastic License v2"
-max_signals = 100
-name = "DAC Demo Dev Rule 2"
-note = "Test Note"
-references = ["https://dac-reference.readthedocs.io/en/latest/"]
-risk_score = 47
-risk_score_mapping = []
-rule_id = "e8e3af2a-11b8-4ab7-9ca1-c6db621ea89d"
-setup = "Test Setup"
-severity = "medium"
-severity_mapping = []
-tags = [
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Command and Control",
- "Data Source: Elastic Defend",
-]
-timestamp_override = "event.ingested"
-to = "now"
-type = "eql"
-
-query = '''
-process where host.os.type == "linux" and process.name == "updated"
-'''
-
-
-[[rule.related_integrations]]
-package = "endpoint"
-version = "^8.2.0"
-
-[[rule.required_fields]]
-ecs = true
-name = "host.os.type"
-type = "keyword"
-
-[[rule.required_fields]]
-ecs = true
-name = "process.name"
-type = "keyword"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1572"
-name = "Protocol Tunneling"
-reference = "https://attack.mitre.org/techniques/T1572/"
-
-
-[rule.threat.tactic]
-id = "TA0011"
-name = "Command and Control"
-reference = "https://attack.mitre.org/tactics/TA0011/"
-