[Rule Tuning] Update rules based on docs review (elastic#1778)
* Update rules based on docs review

* trivial change to trigger CLA

* undo changes from triggering build

Co-authored-by: Justin Ibarra <[email protected]>
w0rk3r and brokensound77 authored Feb 16, 2022
1 parent 3227d65 commit dec4243
Showing 28 changed files with 113 additions and 111 deletions.
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/07/14"
maturity = "production"
updated_date = "2021/07/14"
updated_date = "2022/02/16"
min_stack_comments = "The field `event.agent_id_status` was not introduced until 7.14"
min_stack_version = "7.15.0"
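Review bot: the metadata in this hunk still disagrees with itself: `min_stack_comments` says `event.agent_id_status` arrived in 7.14, but `min_stack_version = "7.15.0"`. Since the commit only bumps `updated_date`, either the comment should state why 7.15.0 is required or the version should be lowered to `7.14.0`; as it stands the note in the next hunk ("Elastic Agent 7.14+") contradicts the pinned stack version.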

Expand All @@ -13,7 +13,7 @@ indicate attempts to spoof events in order to masquerade actual activity to evad
"""
false_positives = [
"""
This is meant to run only on datasources using agents v7.14+ since versions prior to that will be missing the
This is meant to run only on datasources using Elastic Agent 7.14+ since versions prior to that will be missing the
necessary field, resulting in false positives.
""",
]
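Review bot: "datasources" on the changed line should be "data sources", and the sentence wants a comma before "since". Suggest `This is meant to run only on data sources using Elastic Agent 7.14+, since versions prior to that will be missing the`. If `min_stack_version` stays at 7.15.0, the note should also name the version the rule actually enforces.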
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/07/14"
maturity = "production"
updated_date = "2021/07/14"
updated_date = "2022/02/16"
min_stack_comments = "The field `event.agent_id_status` was not introduced until 7.14"
min_stack_version = "7.15.0"
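Review bot: same mismatch as the previous file: comment says 7.14, `min_stack_version` says `7.15.0`. These two `event.agent_id_status` rules should be corrected together so they do not drift apart.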

Expand All @@ -13,7 +13,7 @@ masquerade actual activity to evade detection.
"""
false_positives = [
"""
This is meant to run only on datasources using agents v7.14+ since versions prior to that will be missing the
This is meant to run only on datasources using Elastic Agent 7.14+ since versions prior to that will be missing the
necessary field, resulting in false positives.
""",
]
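Review bot: this is the same sentence as in the previous file ("datasources", missing comma before "since"); whichever wording is settled on there should be copied here verbatim.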
10 changes: 5 additions & 5 deletions rules/cross-platform/threat_intel_filebeat8x.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/11/24"
maturity = "production"
updated_date = "2022/02/10"
updated_date = "2022/02/16"
min_stack_comments = "Threat index is ECS 1.11 compliant (8.0)."
min_stack_version = "8.0"
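Review bot: `min_stack_version = "8.0"` is not a full version string; the other rules touched by this commit use three-part versions (`7.15.0`, `7.14.0`). Suggest `min_stack_version = "8.0.0"` so the constraint is parsed the same way everywhere.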

Expand Down Expand Up @@ -35,18 +35,18 @@ If an indicator matches a local observation, the following enriched fields will
#### Possible investigation steps:
- Investigation should be validated and reviewed based on the data (file hash, registry path, URL, imphash) that was matched
and viewing the source of that activity.
and by viewing the source of that activity.
- Consider the history of the indicator that was matched. Has it happened before? Is it happening on multiple machines?
These kinds of questions can help understand if the activity is related to legitimate behavior.
- Consider the user and their role within the company, is this something related to their job or work function?
- Consider the user and their role within the company: is this something related to their job or work function?
### False Positive Analysis
- For any matches found, it's important to consider the initial release date of that indicator. Threat intelligence can
be a great tool for augmenting existing security processes, while at the same time it should be understood that threat
intelligence can represent a specific set of activity observed at a point in time. For example, an IP address
may have hosted malware observed in a Dridex campaign month ago, but it's possible that IP has been remediated and
may have hosted malware observed in a Dridex campaign months ago, but it's possible that IP has been remediated and
no longer represents any threat.
- Adversaries often use legitimate tools as network administrators such as `PsExec` or `AdFind`, these tools often find their
- Adversaries often use legitimate tools as network administrators such as `PsExec` or `AdFind`; these tools often find their
way into indicator lists creating the potential for false positives.
- It's possible after large and publicly written campaigns, curious employees might end up going directly to attacker infrastructure and triggering these rules.
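Review bot: heading levels are inverted in this block: `#### Possible investigation steps:` is followed by `### False Positive Analysis`, so the second section outranks the first in the rendered docs; make both `###` and drop the trailing colon. The last bullet, "after large and publicly written campaigns", also reads oddly and is the only line left unwrapped; "after large, publicly reported campaigns" wrapped like the surrounding lines would match the rest of the edit.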
12 changes: 6 additions & 6 deletions rules/cross-platform/threat_intel_fleet_integrations.toml
@@ -1,14 +1,14 @@
[metadata]
creation_date = "2021/04/21"
maturity = "production"
updated_date = "2022/01/26"
updated_date = "2022/02/16"
min_stack_comments = "Threat intel module fields were updated from `threatintel.*` to `threat.*` in ECS 1.11 (7.16)."
min_stack_version = "8.0"

[rule]
author = ["Elastic"]
description = """
This rule is triggered when indicators from the Threat Intel integrations has a match against local file or network observations.
This rule is triggered when indicators from the Threat Intel integrations have a match against local file or network observations.
"""
from = "now-65m"
index = ["auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "packetbeat-*", "winlogbeat-*"]
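Review bot: the "has" to "have" fix is right, but the metadata is contradictory: `min_stack_comments` says the `threatintel.*` to `threat.*` rename landed in ECS 1.11 (7.16) while `min_stack_version = "8.0"`. Either explain in the comment why 8.0 is the real floor, or set `min_stack_version = "7.16.0"`; in both cases use a three-part version string as the other rules do.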
Expand All @@ -35,18 +35,18 @@ If an indicator matches a local observation, the following enriched fields will
#### Possible investigation steps:
- Investigation should be validated and reviewed based on the data (file hash, registry path, URL, imphash) that was matched
and viewing the source of that activity.
and by viewing the source of that activity.
- Consider the history of the indicator that was matched. Has it happened before? Is it happening on multiple machines?
These kinds of questions can help understand if the activity is related to legitimate behavior.
- Consider the user and their role within the company, is this something related to their job or work function?
- Consider the user and their role within the company: is this something related to their job or work function?
### False Positive Analysis
- For any matches found, it's important to consider the initial release date of that indicator. Threat intelligence can
be a great tool for augmenting existing security processes, while at the same time it should be understood that threat
intelligence can represent a specific set of activity observed at a point in time. For example, an IP address
may have hosted malware observed in a Dridex campaign month ago, but it's possible that IP has been remediated and
may have hosted malware observed in a Dridex campaign months ago, but it's possible that IP has been remediated and
no longer represents any threat.
- Adversaries often use legitimate tools as network administrators such as `PsExec` or `AdFind`, these tools often find their
- Adversaries often use legitimate tools as network administrators such as `PsExec` or `AdFind`; these tools often find their
way into indicator lists creating the potential for false positives.
- It's possible after large and publicly written campaigns, curious employees might end up going directly to attacker infrastructure and triggering these rules.
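Review bot: this investigation and false-positive block is identical to the one in threat_intel_filebeat8x.toml, so the same fixes apply: `####`/`###` heading levels inverted, trailing colon on the first heading, and "publicly written campaigns" on the unwrapped last line. Apply the fix once and copy the block so the two threat-intel rules stay in sync.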
@@ -1,14 +1,14 @@
[metadata]
creation_date = "2021/08/27"
maturity = "production"
updated_date = "2021/12/14"
updated_date = "2022/02/16"
integration = "azure"

[rule]
author = ["Austin Songer"]
description = """
Identifies the creation of suppression rules in Azure. Suppression rules are a mechanism used to suppress alerts
previously identified as False Positives or too noisy to be in Production. This mechanism can be abused or mistakenly
previously identified as false positives or too noisy to be in production. This mechanism can be abused or mistakenly
configured, resulting in defense evasions and loss of security visibility.
"""
false_positives = [
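Review bot: "resulting in defense evasions" on the unchanged last line should be singular, "defense evasion", matching the tactic name; the hunk already touches this sentence for capitalization, so it is cheap to fold in.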
@@ -1,16 +1,16 @@
[metadata]
creation_date = "2020/09/22"
maturity = "production"
updated_date = "2021/07/20"
updated_date = "2022/02/16"
integration = "gcp"

[rule]
author = ["Elastic"]
description = """
Identifies when a Virtual Private Cloud a virtual private cloud (VPC) route is created in Google Cloud Platform (GCP).
Google Cloud routes define the paths that network traffic takes from a virtual machine (VM) instance to other
destinations. These destinations can be inside a Google VPC network or outside it. An adversary may create a route in
order to impact the flow of network traffic in their target's cloud environment.
Identifies when a virtual private cloud (VPC) route is created in Google Cloud Platform (GCP). Google Cloud routes
define the paths that network traffic takes from a virtual machine (VM) instance to other destinations. These
destinations can be inside a Google VPC network or outside it. An adversary may create a route in order to impact the
flow of network traffic in their target's cloud environment.
"""
false_positives = [
"""
Expand Up @@ -2,7 +2,7 @@
creation_date = "2022/01/13"
integration = "o365"
maturity = "production"
updated_date = "2022/01/13"
updated_date = "2022/02/16"

[rule]
author = ["Elastic"]
Expand All @@ -15,7 +15,7 @@ administrators can create bypass associations, allowing certain accounts to perf
Attackers can abuse this allowlist mechanism to conceal actions taken, as the mailbox audit will log no activity done by
the account.
"""
false_positives = ["Legitimate whitelisting of noisy accounts"]
false_positives = ["Legitimate allowlisting of noisy accounts"]
from = "now-30m"
index = ["filebeat-*", "logs-o365*"]
language = "kuery"
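Review bot: the rewritten `false_positives` entry has no trailing period, while two later hunks in this same commit add one ("Legitimate administrative activity related to shadow copies." and "Legitimate PowerShell Scripts which makes use of compression and encoding."). Pick one convention; if it is the period, use `false_positives = ["Legitimate allowlisting of noisy accounts."]`.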
6 changes: 3 additions & 3 deletions rules/windows/collection_posh_audio_capture.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/10/19"
maturity = "production"
updated_date = "2021/11/30"
updated_date = "2022/02/16"

[rule]
author = ["Elastic"]
Expand All @@ -25,8 +25,8 @@ computer.
#### Possible investigation steps:
- Examine script content that triggered the detection.
- Investigate script execution chain (parent process tree)
- Inspect any file or network events from the suspicious powershell host process instance.
- Investigate script execution chain (parent process tree).
- Inspect any file or network events from the suspicious PowerShell host process instance.
- If the action is suspicious for the user, check for any other activities done by the user in the last 48 hours.
### False Positive Analysis
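Review bot: heading hierarchy is inconsistent in the context lines: `#### Possible investigation steps:` is followed by `### False Positive Analysis`, so the second heading sits a level above the first. Make them the same level and drop the trailing colon, e.g. `### Possible investigation steps` and `### False positive analysis`.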
12 changes: 6 additions & 6 deletions rules/windows/collection_posh_keylogger.toml
@@ -1,12 +1,12 @@
[metadata]
creation_date = "2021/10/15"
maturity = "production"
updated_date = "2021/11/30"
updated_date = "2022/02/16"

[rule]
author = ["Elastic"]
description = """
Detects the use of Win32 API Functions that can be used to capture user Keystrokes in PowerShell Scripts.
Detects the use of Win32 API Functions that can be used to capture user keystrokes in PowerShell scripts.
Attackers use this technique to capture user input, looking for credentials and/or other valuable data.
"""
from = "now-9m"
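Review bot: the lowercasing stops halfway on the changed line: "Win32 API Functions" keeps the capital F while "keystrokes" and "scripts" were lowercased. Suggest `Detects the use of Win32 API functions that can be used to capture user keystrokes in PowerShell scripts.`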
Expand All @@ -20,14 +20,14 @@ note = """## Triage and analysis.
PowerShell is one of the main tools used by system administrators for automation, report routines, and other tasks.
Attackers can abuse PowerShell capabilities to capture user Keystrokes with the goal of stealing credentials and other
valuable information as Credit Card data and confidential conversations.
Attackers can abuse PowerShell capabilities to capture user keystrokes with the goal of stealing credentials and other
valuable information as credit card data and confidential conversations.
#### Possible investigation steps:
- Examine script content that triggered the detection.
- Investigate script execution chain (parent process tree)
- Inspect any file or network events from the suspicious powershell host process instance.
- Investigate script execution chain (parent process tree).
- Inspect any file or network events from the suspicious PowerShell host process instance.
- If the action is suspicious for the user, check for any other activities done by the user in the last 48 hours.
### False Positive Analysis
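Review bot: "valuable information as credit card data" is missing a word; it should be "such as credit card data". Two smaller points in the context: the top heading `## Triage and analysis.` carries a trailing period that no other heading has, and the `####`/`###` levels are inverted as in the other PowerShell rules.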
6 changes: 3 additions & 3 deletions rules/windows/collection_posh_screen_grabber.toml
@@ -1,13 +1,13 @@
[metadata]
creation_date = "2021/10/19"
maturity = "production"
updated_date = "2021/10/19"
updated_date = "2022/02/16"

[rule]
author = ["Elastic"]
description = """
Detects PowerShell Scripts that can take screenshots, which is a common feature in post-exploitation kits and RATs
(Remote Access Tools).
Detects PowerShell scripts that can take screenshots, which is a common feature in post-exploitation kits and remote
access tools (RATs).
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-windows.*"]
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/02"
maturity = "production"
updated_date = "2021/10/13"
updated_date = "2022/02/16"

[rule]
author = ["Elastic"]
Expand Down Expand Up @@ -30,7 +30,7 @@ query = '''
network where event.type == "start" and network.direction : ("outgoing", "egress") and
destination.port == 88 and source.port >= 49152 and
process.executable != "C:\\Windows\\System32\\lsass.exe" and destination.address !="127.0.0.1" and destination.address !="::1" and
/* insert False Positives here */
/* insert false positives here */
not process.name in ("swi_fc.exe", "fsIPcam.exe", "IPCamera.exe", "MicrosoftEdgeCP.exe", "MicrosoftEdge.exe", "iexplore.exe", "chrome.exe", "msedge.exe", "opera.exe", "firefox.exe")
'''
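Review bot: the comment text change is fine, but spacing around `!=` is inconsistent on the same line: `process.executable != "C:\\Windows\\System32\\lsass.exe"` versus `destination.address !="127.0.0.1"` and `!="::1"`. Normalise to `destination.address != "127.0.0.1" and destination.address != "::1"` so the query reads uniformly.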

8 changes: 4 additions & 4 deletions rules/windows/credential_access_posh_minidump.toml
@@ -1,15 +1,15 @@
[metadata]
creation_date = "2021/10/05"
maturity = "production"
updated_date = "2021/11/30"
updated_date = "2022/02/16"

[rule]
author = ["Elastic"]
description = """
This rule detects PowerShell scripts capable of dumping process memory using WindowsErrorReporting or
Dbghelp.dll MiniDumpWriteDump. Attackers can use this tooling to dump LSASS and get access to credentials.
"""
false_positives = ["Powershell Scripts that use this capability for troubleshooting."]
false_positives = ["PowerShell scripts that use this capability for troubleshooting."]
from = "now-9m"
index = ["winlogbeat-*", "logs-windows.*"]
language = "kuery"
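Review bot: the `false_positives` fix is fine; the description above it spells the library `Dbghelp.dll` while the LSASS-handle rule in this same commit writes `DBGHelp.dll`. Settle on one spelling (the file on disk is `dbghelp.dll`) so a search across the rule docs finds both.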
Expand All @@ -27,8 +27,8 @@ information stored in the process memory.
#### Possible investigation steps:
- Examine script content that triggered the detection.
- Investigate script execution chain (parent process tree)
- Inspect any file or network events from the suspicious powershell host process instance.
- Investigate script execution chain (parent process tree).
- Inspect any file or network events from the suspicious PowerShell host process instance.
- If the action is suspicious for the user, check for any other activities done by the user in the last 48 hours.
### False Positive Analysis
@@ -1,14 +1,14 @@
[metadata]
creation_date = "2021/10/17"
updated_date = "2021/10/17"
updated_date = "2022/02/16"
maturity = "production"


[rule]
author = ["Elastic"]
description = """
Identifies suspicious renamed COMSVCS.DLL Image Load, which exports the MiniDump function that can be used to dump a
process memory. This may indicate an attempt to dump LSASS memory while bypassing command line based detection in
process memory. This may indicate an attempt to dump LSASS memory while bypassing command-line based detection in
preparation for credential access.
"""
from = "now-9m"
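Review bot: "command-line based detection" wants the second hyphen ("command-line-based"), and "dump a process memory" on the unchanged line should be "dump a process's memory". Also note the double blank line after `maturity` in the metadata block, which the other files in this commit do not have.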
@@ -1,13 +1,13 @@
[metadata]
creation_date = "2021/10/07"
maturity = "production"
updated_date = "2022/01/24"
updated_date = "2022/02/16"

[rule]
author = ["Elastic"]
description = """
Identifies suspicious access to LSASS handle from a call trace pointing to DBGHelp.dll or DBGCore.dll, which both export
the MiniDumpWriteDump method that can be used to dump LSASS memory content in preperation for credential access.
the MiniDumpWriteDump method that can be used to dump LSASS memory content in preparation for credential access.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-windows.*"]
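Review bot: the typo fix is correct; while here, "access to LSASS handle" on the unchanged line should be "access to an LSASS handle" (the PssCaptureSnapShot rule already uses that form), and `DBGHelp.dll`/`DBGCore.dll` should use the same casing as `Dbghelp.dll` in the minidump rule description.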
@@ -1,6 +1,6 @@
[metadata]
creation_date = "2021/10/14"
updated_date = "2021/10/14"
updated_date = "2022/02/16"
maturity = "production"
min_stack_version = "7.14.0"
min_stack_comments = "Cardinality field not added to threshold rule type until 7.14."
Expand All @@ -9,7 +9,7 @@ min_stack_comments = "Cardinality field not added to threshold rule type until 7
[rule]
author = ["Elastic"]
description = """
Identifies suspicious access to an LSASS handle via PssCaptureSnapShot where two successive process access are performed
Identifies suspicious access to an LSASS handle via PssCaptureSnapShot where two successive process accesses are performed
by the same process and targeting two different instances of LSASS. This may indicate an attempt to evade detection and
dump LSASS memory for credential access.
"""
Expand All @@ -20,7 +20,7 @@ license = "Elastic License v2"
name = "Potential LSASS Memory Dump via PssCaptureSnapShot"
note = """## Config
This is meant to run only on datasources using agents v7.14+ since versions prior to that will be missing the threshold
This is meant to run only on datasources using Elastic Agent 7.14+ since versions prior to that will be missing the threshold
rule cardinality feature."""
references = [
"https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/",
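Review bot: this wording change states the wrong dependency. Per `min_stack_comments`, the requirement is the threshold rule's cardinality field, which is a detection-engine feature of the stack introduced in 7.14, not something Elastic Agent provides; "data sources using Elastic Agent 7.14+" therefore points readers at the wrong component. Suggest `This rule requires Elastic Stack 7.14+, since earlier versions are missing the threshold rule cardinality feature.`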
@@ -1,14 +1,15 @@
[metadata]
creation_date = "2021/12/25"
maturity = "production"
updated_date = "2021/12/31"
updated_date = "2022/02/16"

[rule]
author = ["Austin Songer"]
description = """
Identifies the creation of symbolic links to a shadow copy. Symbolic Links can be used to access files in the shadow copy, including sensitive files that may contain credential information.
Identifies the creation of symbolic links to a shadow copy. Symbolic links can be used to access files in the shadow
copy, including sensitive files that may contain credential information.
"""
false_positives = ["Legitimate administrative activity related to shadow copies"]
false_positives = ["Legitimate administrative activity related to shadow copies."]
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
language = "eql"
6 changes: 3 additions & 3 deletions rules/windows/defense_evasion_posh_assembly_load.toml
@@ -1,13 +1,13 @@
[metadata]
creation_date = "2021/10/15"
maturity = "production"
updated_date = "2021/10/15"
updated_date = "2022/02/16"

[rule]
author = ["Elastic"]
description = """
This rule detects the use of Reflection.Assembly to load PEs and DLLs in memory in Powershell Scripts. Attackers use
this method to load executables and DLLs without writing to the disk, bypassing security solutions.
Detects the use of Reflection.Assembly to load PEs and DLLs in memory in PowerShell scripts. Attackers use this method
to load executables and DLLs without writing to the disk, bypassing security solutions.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-windows.*"]
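Review bot: "load PEs and DLLs" is redundant (DLLs are PE files) and the next sentence already says "executables and DLLs"; "load PE files (executables and DLLs)" in the first sentence would say it once. Minor: "without writing to the disk" reads better as "without writing to disk".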
8 changes: 4 additions & 4 deletions rules/windows/defense_evasion_posh_compressed.toml
@@ -1,15 +1,15 @@
[metadata]
creation_date = "2021/10/19"
maturity = "production"
updated_date = "2021/10/19"
updated_date = "2022/02/16"

[rule]
author = ["Elastic"]
description = """
Identifies the use of .Net functionality for decompression and base64 decoding combined in PowerShell scripts, which Malware and security tools
heavily use to deobfuscate payloads and load them directly in memory to bypass defenses.
Identifies the use of .NET functionality for decompression and base64 decoding combined in PowerShell scripts, which
malware and security tools heavily use to deobfuscate payloads and load them directly in memory to bypass defenses.
"""
false_positives = ["Legitimate PowerShell Scripts which makes use of compression and encoding"]
false_positives = ["Legitimate PowerShell Scripts which makes use of compression and encoding."]
from = "now-9m"
index = ["winlogbeat-*", "logs-windows.*"]
language = "kuery"
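Review bot: the `false_positives` string is still ungrammatical after the edit: "Scripts which makes use" should be "scripts that make use", and "Scripts" should be lowercase to match the description change immediately above. Suggest `false_positives = ["Legitimate PowerShell scripts that make use of compression and encoding."]`.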