Skip to content

Instantly share code, notes, and snippets.

@ebeahan
Last active Nov 18, 2020
Embed
What would you like to do?

The file ecs-detections.ndjson contains example rules to detect ECS-compliance issues with your events.

The file can be imported into the Elastic detection engine's Import rule feature.

{"author":[],"actions":[],"created_at":"2020-11-11T21:13:53.113Z","updated_at":"2020-11-18T23:38:30.117Z","created_by":"3281728356","description":"Source and destination fields describe details about the source or destination of a packet/event.\n\nSource fields are usually populated in conjunction with destination fields, and vice versa destination fields are usually populated in conjunction with source fields.","enabled":true,"false_positives":[],"filters":[],"from":"now-360s","id":"e83e9a09-fe16-4e3c-b119-582e1d9f8b22","immutable":false,"index":["apm-*-transaction*","auditbeat-*","endgame-*","filebeat-*","logs-*","packetbeat-*","winlogbeat-*"],"interval":"5m","rule_id":"237ed735-ee63-435b-916b-41e7c0e2e932","language":"kuery","license":"","output_index":".siem-signals-default","max_signals":100,"risk_score":21,"risk_score_mapping":[],"name":"ECS Check: source/destination fields not populated as pair","query":"(source.address: * and not destination.address: * ) or (destination.address: * and not source.address:*)","references":[],"meta":{"from":"1m","kibana_siem_app_url":"https://5d9ba43532064d6a9945fcb559054cc2.europe-west1.gcp.cloud.es.io:9243/app/security"},"severity":"low","severity_mapping":[],"updated_by":"3281728356","tags":["ECS"],"to":"now","type":"query","threat":[],"throttle":"no_actions","version":6,"exceptions_list":[]}
{"author":[],"actions":[],"created_at":"2020-11-09T18:00:13.322Z","updated_at":"2020-11-18T23:38:06.058Z","created_by":"3281728356","description":"This rule checks to make sure that the `ecs.category` field is populated with allowed values.","enabled":true,"false_positives":[],"filters":[],"from":"now-360s","id":"2a3b0ae9-51f2-4764-8e1c-ce65efb2bd15","immutable":false,"index":["apm-*-transaction*","auditbeat-*","endgame-*","filebeat-*","logs-*","packetbeat-*","winlogbeat-*"],"interval":"5m","rule_id":"35555fbc-b115-422e-aae7-6cae362dfa14","language":"kuery","license":"","output_index":".siem-signals-default","max_signals":100,"risk_score":47,"risk_score_mapping":[],"name":"ECS Check: event.category contains disallowed value","query":"event.category:* and not event.category:authentication and not event.category:configuration and not event.category:database and not event.category:driver and not event.category:file and not event.category:host and not event.category:iam and not event.category:intrusion_detection and not event.category:malware and not event.category:network and not event.category:package and not event.category:process and not event.category:web","references":["https://www.elastic.co/guide/en/ecs/current/ecs-allowed-values-event-kind.html"],"meta":{"from":"1m"},"severity":"medium","severity_mapping":[],"updated_by":"3281728356","tags":["ECS","Categorization"],"to":"now","type":"query","threat":[],"throttle":"no_actions","note":"Investigate signal in Timeline.\nLook for agent.type and agent.verion\nRaise github issue in appropriate repo saying that event.category should be populated.\nNote that this field is an array, and that some beats may populate both an _allowed_ value as well as an additional value. This is OK and does not require remediation.\n\n**thanks**","version":17,"exceptions_list":[]}
{"author":[],"actions":[],"created_at":"2020-11-09T18:00:13.321Z","updated_at":"2020-11-18T23:37:53.999Z","created_by":"3281728356","description":"This rule checks to make sure that the `ecs.version` field is present/populated.","enabled":true,"false_positives":[],"filters":[],"from":"now-360s","id":"cadbfa43-c117-46b8-a634-90cf786876ae","immutable":false,"index":["apm-*-transaction*","auditbeat-*","endgame-*","filebeat-*","logs-*","packetbeat-*","winlogbeat-*"],"interval":"5m","rule_id":"694d4b77-cdf7-4c03-b4a3-7c7c3f4316fb","language":"kuery","license":"","output_index":".siem-signals-default","max_signals":100,"risk_score":21,"risk_score_mapping":[],"name":"ECS Check: ecs.version field not present","query":"not ecs.version:*","references":["https://www.elastic.co/guide/en/ecs/current/ecs-ecs.html"],"meta":{"from":"1m"},"severity":"low","severity_mapping":[],"updated_by":"3281728356","tags":["ECS"],"to":"now","type":"query","threat":[],"throttle":"no_actions","note":"Investigate signal in Timeline.\nLook for agent.type and agent.verion\nRaise github issue in appropriate repo saying that ecs.version should be populated.\n\n**thanks**","version":19,"exceptions_list":[]}
{"author":[],"actions":[],"created_at":"2020-11-13T17:23:20.356Z","updated_at":"2020-11-18T23:41:20.261Z","created_by":"3281728356","description":"`user_agent.original` is not properly broken down by the user_agent processor","enabled":true,"false_positives":[],"filters":[],"from":"now-360s","id":"52f82a52-939b-4b81-934d-122b4be73614","immutable":false,"index":["apm-*-transaction*","auditbeat-*","endgame-*","filebeat-*","logs-*","packetbeat-*","winlogbeat-*"],"interval":"5m","rule_id":"3b9716a1-7488-4c28-8028-56774bf6c605","language":"kuery","license":"","output_index":".siem-signals-default","max_signals":100,"risk_score":21,"risk_score_mapping":[],"name":"ECS Check: user_agent breakdown not entirely populated","query":"user_agent.original: * and not (user_agent.device.name: * and user_agent.name: * and user_agent.original: * and user_agent.os.full: * and user_agent.os.name: * and user_agent.os.version: * and user_agent.version: *)","references":[],"meta":{"from":"1m","kibana_siem_app_url":"https://5d9ba43532064d6a9945fcb559054cc2.europe-west1.gcp.cloud.es.io:9243/app/security"},"severity":"low","severity_mapping":[],"updated_by":"3281728356","tags":["ECS"],"to":"now","type":"query","threat":[],"throttle":"no_actions","version":5,"exceptions_list":[]}
{"author":[],"actions":[],"created_at":"2020-11-18T22:20:45.633Z","updated_at":"2020-11-18T23:42:25.367Z","created_by":"3281728356","description":"Event populates event.category with \"process\", but doesn't populate all key \"process\" fields.","enabled":true,"false_positives":[],"filters":[],"from":"now-360s","id":"3901aa0f-e639-4a0b-ac18-1320504ecab6","immutable":false,"index":["apm-*-transaction*","auditbeat-*","endgame-*","filebeat-*","logs-*","packetbeat-*","winlogbeat-*"],"interval":"5m","rule_id":"39388df9-3960-412e-85d3-f20268ad187e","language":"kuery","license":"","output_index":".siem-signals-default","max_signals":100,"risk_score":21,"risk_score_mapping":[],"name":"ECS Check: event.category: process but missing key \"process.*\" fields","query":"event.category: process and not (process.args: * and process.executable: * and process.name: * and process.pid: * and process.title: * and process.working_directory: *)","references":[],"meta":{"from":"1m","kibana_siem_app_url":"https://5d9ba43532064d6a9945fcb559054cc2.europe-west1.gcp.cloud.es.io:9243/app/security"},"severity":"low","severity_mapping":[],"updated_by":"3281728356","tags":["ECS"],"to":"now","type":"query","threat":[],"throttle":"no_actions","version":3,"exceptions_list":[]}
{"exported_count":5,"missing_rules":[],"missing_rules_count":0}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment