Elastic security

Description

This is a collection of Elastic Security Detection rules for Zeek (aka Bro), based on the Filebeat Zeek module. Security Detection rules are used to detect suspicous behavior within your data. Every rule is checking for specific problematic behavior.

SIEM detection rules

The following SIEM detection rules are included.

MITRE BZAR Indicators for Execution:

Windows DCE-RPC functions which indicate an execution techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE.

MITRE BZAR Indicators for Persistence:

Windows DCE-RPC functions which indicate a persistence techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE.

Executable from Webdav:

Detects executable access via webdav6. Can be seen in APT 29 such as from the emulated APT 29 hackathon https://github.com/OTRF/detection-hackathon-apt29/ .

Publicly Accessible RDP Service:

Detects connections from routable IPs to an RDP listener – which is indicative of a publicly-accessible RDP service.

Remote Task Creation via ATSVC Named Pipe – Zeek:

Detects remote task creation via at.exe or API interacting with ATSVC named pipe.

Possible Impacket SecretDump Remote Activity – Zeek:

Detect AD credential dumping using impacket secretdump HKTL. Based on the SIGMA rules/windows/builtin/win_impacket_secretdump.yml

Source

These rules are made by the Sigma Project. This is a collection of rules for several different attack tactics. The rules are created by the Sigma community and translated into the format for the Elastic Security Detection engine.

The translation was made with SIEGMA 

Tested versions 7.5
ECS compliant
Category ,
Tags ,

You must log in to submit a review.

Related downloads

A collection of rules based on the Sigma rules for Zeek based on the Filebeat Zeek module.

Cloudflare dashboards and ingest pipelines to visualize cloudflare logs

A collection of rules based on the Sigma rules for AWS based on the Filebeat AWS module and Elastic agent integration.

A Kibana Canvas dashboard example that visualizes suricata logs collected with Filebeat.

A collection of rules based on the Sigma detection rules for web server looks, e.g. apache, nginx or IIS.

A collection of rules based on the Sigma detection rules for Windows Sysmon events based on Winlogbeat data.

These downloads could be also interesting for you

A collection of rules based on the Sigma detection rules for proxy server and web server looks, e.g. zeek or suricata.

A collection of rules based on the Sigma detection rules for Windows Sysmon events based on Winlogbeat data.

Kibana Dashboard example to visualize osquery performance

Cloudflare dashboards and ingest pipelines to visualize cloudflare logs

ACSC Advisory IOCs detection rules for Elastic SIEM

A collection of rules based on the Sigma rules for Windows (inbuilt folder) based on Winlogbeat data .