nldcsc-elastic-rules 0.0.8__py3-none-any.whl

nldcsc_elastic_rules/rules/promotions/crowdstrike_external_alerts.toml

@@ -0,0 +1,112 @@
+[metadata]
+creation_date = "2025/07/31"
+integration = ["crowdstrike"]
+maturity = "production"
+promotion = true
+updated_date = "2025/10/17"
+
+[rule]
+author = ["Elastic"]
+description = """
+Generates a detection alert for each CrowdStrike alert written to the configured indices. Enabling this rule allows you
+to immediately begin investigating CrowdStrike alerts in the app.
+"""
+from = "now-2m"
+index = ["logs-crowdstrike.alert-*"]
+interval = "1m"
+language = "kuery"
+license = "Elastic License v2"
+max_signals = 1000
+name = "CrowdStrike External Alerts"
+note = """## Triage and analysis
+
+### Investigating CrowdStrike External Alerts
+
+CrowdStrike Falcon is a cloud-native endpoint protection platform that delivers real-time threat detection and response capabilities. The rule captures security alerts generated by Falcon and enables analysts to investigate threats rapidly based on behavioral indicators and threat intelligence.
+
+### Possible investigation steps
+
+- Review the associated process, file path, and command line to determine whether the activity is legitimate or suspicious.
+- Investigate the user account and host involved in the alert to validate whether the activity was authorized.
+- Cross-reference the alert with CrowdStrike Falcon console for additional context, including process tree, behavioral tags, and threat intelligence matches.
+- Check for any related alerts from the same host, user, or file hash to identify whether this is part of a larger attack chain.
+- Consult the Crowdstrike investigation guide and resources tagged in the alert for specific guidance on handling similar threats.
+
+### False positive analysis
+
+- Alerts involving known and trusted software tools (e.g., remote administration tools) may be false positives. Confirm intent before excluding.
+- Security assessments or penetration testing activities might mimic real threats. Validate the activity with responsible teams.
+- Scheduled jobs, IT scripts, or automation tools may trigger alerts if they behave similarly to malicious code.
+- Review alerts based on detection confidence levels and behavioral scoring to filter out low-confidence or known-benign triggers.
+
+### Response and remediation
+
+- Isolate affected endpoints to prevent lateral movement if malicious behavior is confirmed.
+- Quarantine any identified malicious files and block related hashes or domains.
+- Investigate how the threat entered the environment and close any exploited vulnerabilities.
+- Reset credentials for compromised user accounts or escalate to incident response.
+- Review CrowdStrike Falcon policies and detections to fine-tune future alerting and response coverage.
+- Document the findings and update detection logic or exceptions accordingly.
+"""
+references = ["https://docs.elastic.co/en/integrations/crowdstrike"]
+risk_score = 47
+rule_id = "aeebe561-c338-4118-9924-8cb4e478aa58"
+rule_name_override = "crowdstrike.alert.name"
+setup = """## Setup
+
+### CrowdStrike Alert Integration
+This rule is designed to capture alert events generated by the CrowdStrike integration and promote them as Elastic detection alerts.
+
+To capture CrowdStrike alerts, install and configure the CrowdStrike integration to ingest alert events into the `logs-crowdstrike.alert-*` index pattern.
+
+If this rule is enabled alongside the External Alerts promotion rule (UUID: eb079c62-4481-4d6e-9643-3ca499df7aaa), you may receive duplicate alerts for the same CrowdStrike events. Consider adding a rule exception for the External Alert rule to exclude data_stream.dataset:crowdstrike.alert to avoid receiving duplicate alerts.
+
+### Additional notes
+
+For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).
+"""
+severity = "medium"
+tags = [
+    "Data Source: Crowdstrike",
+    "Use Case: Threat Detection",
+    "Resources: Investigation Guide",
+    "Promotion: External Alerts",
+]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.kind: alert and data_stream.dataset: crowdstrike.alert
+'''
+
+
+[[rule.risk_score_mapping]]
+field = "crowdstrike.alert.incident.score"
+operator = "equals"
+value = ""
+
+[[rule.severity_mapping]]
+field = "event.severity"
+operator = "equals"
+severity = "low"
+value = "21"
+
+[[rule.severity_mapping]]
+field = "event.severity"
+operator = "equals"
+severity = "medium"
+value = "47"
+
+[[rule.severity_mapping]]
+field = "event.severity"
+operator = "equals"
+severity = "high"
+value = "73"
+
+[[rule.severity_mapping]]
+field = "event.severity"
+operator = "equals"
+severity = "critical"
+value = "99"
+
+

nldcsc_elastic_rules/rules/promotions/elastic_security_external_alerts.toml

@@ -0,0 +1,114 @@
+[metadata]
+creation_date = "2025/07/31"
+integration = ["elastic_security"]
+maturity = "production"
+promotion = true
+updated_date = "2025/10/17"
+
+[rule]
+author = ["Elastic"]
+description = """
+Generates a detection alert for each Elastic Security alert written to the configured indices. Enabling this rule allows
+you to immediately begin investigating Elastic Security alerts in the app.
+"""
+from = "now-2m"
+index = ["logs-elastic_security.alert-*"]
+interval = "1m"
+language = "kuery"
+license = "Elastic License v2"
+max_signals = 1000
+name = "Elastic Security External Alerts"
+note = """## Triage and analysis
+
+### Investigating Elastic Security External Alerts
+
+The Elastic Security integration facilitates transferring security alert data from another Elasticsearch instance to your own, enabling threats to be investigated in a centralized manner.
+
+### Possible investigation steps
+
+- Correlate the alert with recent activity on the affected endpoint to identify any unusual or suspicious behavior patterns.
+- Check for any additional alerts or logs related to the same endpoint or user to determine if this is part of a broader attack or isolated incident.
+- Investigate the source and destination IP addresses involved in the alert to assess if they are known to be malicious or associated with previous threats.
+- Analyze any files or processes flagged in the alert to determine if they are legitimate or potentially malicious, using threat intelligence sources if necessary.
+- Consult the Elastic Security investigation guide and resources tagged in the alert for specific guidance on handling similar threats.
+
+### False positive analysis
+
+- Alerts triggered by routine software updates or patches can be false positives. Review the context of the alert to determine if it aligns with scheduled maintenance activities.
+- Legitimate administrative tools or scripts may trigger alerts. Identify and whitelist these tools if they are verified as non-threatening.
+- Frequent alerts from known safe applications or processes can be excluded by creating exceptions for these specific behaviors in the Elastic Security configuration.
+- Network scanning or monitoring tools used by IT teams might be flagged. Ensure these tools are documented and excluded from triggering alerts if they are part of regular operations.
+- User behavior that is consistent with their role but triggers alerts should be reviewed. If deemed non-malicious, adjust the rule to exclude these specific user actions.
+
+### Response and remediation
+
+- Isolate the affected endpoint immediately to prevent lateral movement and further compromise within the network.
+- Analyze the specific alert details to identify the nature of the threat and any associated indicators of compromise (IOCs).
+- Remove or quarantine any malicious files or processes identified by the Elastic Security alert to neutralize the threat.
+- Apply relevant security patches or updates to address any exploited vulnerabilities on the affected endpoint.
+- Conduct a thorough scan of the network to identify any additional endpoints that may have been compromised or are exhibiting similar behavior.
+- Document the incident and escalate to the appropriate security team or management if the threat is part of a larger attack campaign or if additional resources are needed for remediation.
+- Review and update endpoint protection policies and configurations to enhance detection and prevention capabilities against similar threats in the future.
+"""
+references = ["https://docs.elastic.co/en/integrations/elastic_security"]
+risk_score = 47
+rule_id = "720fc1aa-e195-4a1d-81d8-04edfe5313ed"
+rule_name_override = "kibana.alert.rule.name"
+setup = """## Setup
+
+### Elastic Security Alert Integration
+This rule is designed to capture alert events generated by the Elastic Security integration and promote them as Elastic detection alerts.
+
+To capture Elastic Security alerts, install and configure the Elastic Security integration to ingest alert events into the `logs-elastic_security.alert-*` index pattern.
+
+If this rule is enabled alongside the External Alerts promotion rule (UUID: eb079c62-4481-4d6e-9643-3ca499df7aaa), you may receive duplicate alerts for the same Elastic Security events. Consider adding a rule exception for the External Alert rule to exclude data_stream.dataset:elastic_security.alert to avoid receiving duplicate alerts.
+
+### Additional notes
+
+For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).
+"""
+severity = "medium"
+tags = [
+    "Data Source: Elastic Security",
+    "Use Case: Threat Detection",
+    "Resources: Investigation Guide",
+    "Promotion: External Alerts",
+]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.kind: alert and data_stream.dataset: elastic_security.alert
+'''
+
+
+[[rule.risk_score_mapping]]
+field = "event.risk_score"
+operator = "equals"
+value = ""
+
+[[rule.severity_mapping]]
+field = "event.severity"
+operator = "equals"
+severity = "low"
+value = "21"
+
+[[rule.severity_mapping]]
+field = "event.severity"
+operator = "equals"
+severity = "medium"
+value = "47"
+
+[[rule.severity_mapping]]
+field = "event.severity"
+operator = "equals"
+severity = "high"
+value = "73"
+
+[[rule.severity_mapping]]
+field = "event.severity"
+operator = "equals"
+severity = "critical"
+value = "99"
+
+

nldcsc_elastic_rules/rules/promotions/endgame_adversary_behavior_detected.toml

@@ -0,0 +1,71 @@
+[metadata]
+creation_date = "2020/02/18"
+maturity = "production"
+promotion = true
+updated_date = "2025/03/21"
+
+[rule]
+author = ["Elastic"]
+description = """
+Elastic Endgame detected an Adversary Behavior. Click the Elastic Endgame icon in the event.module column or the link in
+the rule.reference column for additional information.
+"""
+from = "now-2m"
+index = ["endgame-*"]
+interval = "1m"
+language = "kuery"
+license = "Elastic License v2"
+max_signals = 1000
+name = "Adversary Behavior - Detected - Elastic Endgame"
+risk_score = 47
+rule_id = "77a3c3df-8ec4-4da4-b758-878f551dee69"
+setup = """## Setup
+
+### Additional notes
+
+For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).
+"""
+severity = "medium"
+tags = ["Data Source: Elastic Endgame", "Resources: Investigation Guide"]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.kind:alert and event.module:endgame and (event.action:behavior_protection_event or endgame.event_subtype_full:behavior_protection_event)
+'''
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Adversary Behavior - Detected - Elastic Endgame
+
+Elastic Endgame is a security solution designed to detect and prevent adversarial actions by monitoring system behaviors. Adversaries may exploit system vulnerabilities or execute unauthorized actions to compromise environments. This detection rule identifies suspicious behavior by analyzing alerts and specific event actions, flagging potential threats for further investigation. The rule's medium severity and risk score highlight its importance in maintaining security posture.
+
+### Possible investigation steps
+
+- Review the alert details in the Elastic Endgame console by clicking the Elastic Endgame icon in the event.module column or the link in the rule.reference column to gather more context about the detected behavior.
+- Analyze the event.action and endgame.event_subtype_full fields to understand the specific behavior protection event that triggered the alert.
+- Correlate the alert with other recent alerts or logs from the same host or user to identify any patterns or additional suspicious activities.
+- Investigate the affected system for any signs of compromise or unauthorized changes, focusing on the timeframe around the alert.
+- Check for any known vulnerabilities or misconfigurations in the affected system that could have been exploited by the adversary.
+- Consult with the IT or security team to determine if any recent changes or updates could have triggered the alert as a false positive.
+
+### False positive analysis
+
+- Routine software updates or installations may trigger alerts due to behavior resembling adversarial actions. Users can create exceptions for known update processes to reduce false positives.
+- Legitimate administrative tasks, such as system configuration changes, might be flagged. Identifying and excluding these tasks from monitoring can help minimize unnecessary alerts.
+- Security tools or scripts that perform regular scans or maintenance can mimic adversary behavior. Whitelisting these tools in the detection rule settings can prevent them from being flagged.
+- Automated backup processes that access multiple files or systems simultaneously may be misinterpreted as suspicious. Users should ensure these processes are recognized and excluded from triggering alerts.
+- Custom applications with unique behaviors might be incorrectly identified as threats. Users should document and exclude these behaviors if they are verified as non-threatening.
+
+### Response and remediation
+
+- Isolate the affected system immediately to prevent further unauthorized actions or potential lateral movement by the adversary.
+- Review the specific event.action and endgame.event_subtype_full fields to understand the nature of the detected behavior and identify any compromised accounts or processes.
+- Terminate any unauthorized processes or sessions identified during the investigation to halt adversary activities.
+- Apply security patches or updates to address any exploited vulnerabilities that may have been used by the adversary.
+- Conduct a thorough scan of the affected system and network to identify and remove any malicious artifacts or backdoors left by the adversary.
+- Restore affected systems from a known good backup if necessary, ensuring that the backup is free from compromise.
+- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected."""
+

nldcsc_elastic_rules/rules/promotions/endgame_malware_detected.toml

@@ -0,0 +1,71 @@
+[metadata]
+creation_date = "2020/02/18"
+maturity = "production"
+promotion = true
+updated_date = "2025/03/21"
+
+[rule]
+author = ["Elastic"]
+description = """
+Elastic Endgame detected Malware. Click the Elastic Endgame icon in the event.module column or the link in the
+rule.reference column for additional information.
+"""
+from = "now-2m"
+index = ["endgame-*"]
+interval = "1m"
+language = "kuery"
+license = "Elastic License v2"
+max_signals = 1000
+name = "Malware - Detected - Elastic Endgame"
+risk_score = 99
+rule_id = "0a97b20f-4144-49ea-be32-b540ecc445de"
+setup = """## Setup
+
+### Additional notes
+
+For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).
+"""
+severity = "critical"
+tags = ["Data Source: Elastic Endgame", "Resources: Investigation Guide"]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event)
+'''
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Malware - Detected - Elastic Endgame
+
+Elastic Endgame is a security solution that provides endpoint protection by monitoring and analyzing system activities to detect malicious behavior. Adversaries may exploit this technology by attempting to bypass its detection capabilities or by executing malware that mimics legitimate processes. The detection rule identifies suspicious file classification events, flagging potential malware activities with a high-risk score, thus enabling swift investigation and response.
+
+### Possible investigation steps
+
+- Review the alert details in the Elastic Endgame console by clicking the Elastic Endgame icon in the event.module column or the link in the rule.reference column to gather more context about the detected malware.
+- Examine the specific file classification event by checking the event.action or endgame.event_subtype_full fields to understand the nature of the suspicious file activity.
+- Analyze the endpoint's recent activity logs to identify any unusual behavior or patterns that coincide with the time of the alert.
+- Investigate the source and destination of the file involved in the alert to determine if it is part of a known legitimate process or if it has been flagged in previous incidents.
+- Check for any additional alerts or related events from the same endpoint or user to assess if this is part of a broader attack or isolated incident.
+- Consult threat intelligence sources to see if the file or behavior matches known malware signatures or tactics, techniques, and procedures (TTPs).
+
+### False positive analysis
+
+- Legitimate software updates or installations may trigger file classification events. Users can create exceptions for known update processes to prevent these from being flagged as malware.
+- System maintenance tasks, such as disk cleanup or defragmentation, might mimic suspicious file activities. Exclude these routine tasks by identifying their specific processes and adding them to the exception list.
+- Security tools or antivirus software performing scans can generate alerts. Identify these tools and configure the rule to ignore their activities to reduce false positives.
+- Custom scripts or automation tools used within the organization may be misclassified. Review these scripts and whitelist them if they are verified as safe and necessary for business operations.
+- Frequent alerts from specific directories known to store temporary or cache files can be excluded by specifying these directories in the rule settings.
+
+### Response and remediation
+
+- Isolate the affected endpoint immediately to prevent further spread of the detected malware across the network.
+- Terminate any suspicious processes identified by Elastic Endgame that are associated with the file classification event.
+- Quarantine the suspicious files flagged by the detection rule to prevent execution and further analysis.
+- Conduct a thorough scan of the isolated endpoint using updated antivirus and anti-malware tools to identify and remove any additional threats.
+- Restore the affected system from a known good backup if malware removal is not feasible or if system integrity is compromised.
+- Review and update endpoint protection policies to ensure they are configured to detect similar threats in the future.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected."""
+

nldcsc_elastic_rules/rules/promotions/endgame_malware_prevented.toml

@@ -0,0 +1,72 @@
+[metadata]
+creation_date = "2020/02/18"
+maturity = "production"
+promotion = true
+updated_date = "2025/03/21"
+
+[rule]
+author = ["Elastic"]
+description = """
+Elastic Endgame prevented Malware. Click the Elastic Endgame icon in the event.module column or the link in the
+rule.reference column for additional information.
+"""
+from = "now-2m"
+index = ["endgame-*"]
+interval = "1m"
+language = "kuery"
+license = "Elastic License v2"
+max_signals = 1000
+name = "Malware - Prevented - Elastic Endgame"
+risk_score = 73
+rule_id = "3b382770-efbb-44f4-beed-f5e0a051b895"
+setup = """## Setup
+
+### Additional notes
+
+For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).
+"""
+severity = "high"
+tags = ["Data Source: Elastic Endgame", "Resources: Investigation Guide"]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event)
+'''
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Malware - Prevented - Elastic Endgame
+
+Elastic Endgame is a security solution designed to prevent malware by analyzing and classifying files in real-time. Adversaries may attempt to bypass such defenses by disguising malicious files to evade detection. The detection rule identifies prevention events where Elastic Endgame has successfully blocked a file classified as malware, focusing on alerts generated by file classification activities. This helps security analysts quickly respond to and investigate potential threats.
+
+### Possible investigation steps
+
+- Review the alert details to confirm the event.kind is 'alert' and event.module is 'endgame', ensuring the alert is relevant to the Elastic Endgame prevention mechanism.
+- Examine the endgame.metadata.type field to verify it is 'prevention', indicating that the alert pertains to a successfully blocked malware attempt.
+- Investigate the event.action or endgame.event_subtype_full fields to understand the specific file classification event that triggered the alert.
+- Gather additional context by checking the file path, hash, and any associated metadata to identify the potentially malicious file and its origin.
+- Cross-reference the alert with other security logs and alerts to determine if there are related events or patterns that could indicate a broader attack campaign.
+- Assess the risk score and severity to prioritize the investigation and response efforts, considering the high severity and risk score of 73.
+- Utilize the Elastic Endgame interface or provided links for further information and context about the specific prevention event and any recommended remediation actions.
+
+### False positive analysis
+
+- Legitimate software updates or installations may trigger the rule if they involve file classification activities. To manage this, create exceptions for known and trusted software update processes.
+- Security tools or system processes that perform file scanning or classification might be flagged. Identify these processes and add them to an exception list to prevent unnecessary alerts.
+- Custom scripts or applications developed in-house that perform file operations similar to malware can be mistaken for threats. Review these scripts and whitelist them if they are verified as safe.
+- Frequent alerts from specific directories known to contain non-malicious files, such as temporary or backup folders, can be excluded by specifying these paths in the rule exceptions.
+- If certain file types are consistently misclassified as threats, consider adjusting the rule to exclude these file types after confirming they are not harmful.
+
+### Response and remediation
+
+- Isolate the affected system immediately to prevent the spread of malware to other parts of the network. Disconnect the system from the network and any shared drives.
+- Verify the alert by cross-referencing the blocked file details with known malware signatures or threat intelligence sources to confirm the threat.
+- Remove the malicious file from the system using a trusted antivirus or endpoint protection tool. Ensure that the file is quarantined or deleted to prevent re-execution.
+- Conduct a thorough scan of the affected system and any connected devices to identify and remove any additional malicious files or remnants.
+- Restore any affected files or systems from a clean backup, ensuring that the backup is free from malware before restoration.
+- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems may be compromised.
+- Review and update security policies and endpoint protection configurations to enhance detection and prevention capabilities against similar threats in the future."""
+

nldcsc_elastic_rules/rules/promotions/endgame_ransomware_detected.toml

@@ -0,0 +1,69 @@
+[metadata]
+creation_date = "2020/02/18"
+maturity = "production"
+promotion = true
+updated_date = "2025/03/21"
+
+[rule]
+author = ["Elastic"]
+description = """
+Elastic Endgame detected ransomware. Click the Elastic Endgame icon in the event.module column or the link in the
+rule.reference column for additional information.
+"""
+from = "now-2m"
+index = ["endgame-*"]
+interval = "1m"
+language = "kuery"
+license = "Elastic License v2"
+max_signals = 1000
+name = "Ransomware - Detected - Elastic Endgame"
+risk_score = 99
+rule_id = "8cb4f625-7743-4dfb-ae1b-ad92be9df7bd"
+setup = """## Setup
+### Additional notes
+
+For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).
+"""
+severity = "critical"
+tags = ["Data Source: Elastic Endgame", "Resources: Investigation Guide"]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event)
+'''
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Ransomware - Detected - Elastic Endgame
+
+Elastic Endgame is a security solution designed to detect and respond to threats like ransomware by analyzing system events and behaviors. Adversaries exploit vulnerabilities to deploy ransomware, encrypting files and demanding payment. The detection rule identifies ransomware activity by monitoring specific alert types and event actions, flagging critical threats for immediate investigation.
+
+### Possible investigation steps
+
+- Review the alert details in Elastic Endgame by clicking the icon in the event.module column or the link in the rule.reference column to gather more context about the detected ransomware event.
+- Analyze the event.kind:alert and event.module:endgame fields to confirm the alert's origin and ensure it aligns with known ransomware activity.
+- Examine the event.action:ransomware_event and endgame.event_subtype_full:ransomware_event fields to identify the specific actions or behaviors that triggered the alert.
+- Investigate the affected systems and endpoints to determine the scope of the ransomware impact, focusing on any encrypted files or unusual system behaviors.
+- Check for any additional alerts or related events in the Elastic Endgame logs that might indicate lateral movement or further malicious activity associated with the ransomware.
+
+### False positive analysis
+
+- Routine backup operations can sometimes mimic ransomware behavior by accessing and modifying large numbers of files. Users should review backup schedules and processes to ensure they are not triggering alerts.
+- Legitimate software updates or installations may be flagged as ransomware events due to their file modification activities. Users can create exceptions for trusted software update processes to prevent false positives.
+- Automated file encryption tools used for legitimate purposes, such as data protection, might trigger ransomware alerts. Users should whitelist these tools if they are verified and necessary for business operations.
+- Security testing or penetration testing activities that simulate ransomware attacks can be mistaken for real threats. Ensure that these activities are coordinated with the security team and excluded from detection rules during testing periods.
+- Frequent alerts from specific non-critical systems or applications that are known to exhibit similar behaviors should be reviewed and, if deemed safe, added to an exception list to reduce noise.
+
+### Response and remediation
+
+- Isolate the affected systems immediately to prevent the spread of ransomware to other networked devices. Disconnect them from the network and any shared storage.
+- Identify and terminate any malicious processes associated with the ransomware event using endpoint detection and response tools.
+- Restore encrypted files from the most recent clean backup. Ensure backups are scanned for malware before restoration to avoid reinfection.
+- Conduct a thorough forensic analysis to determine the initial point of entry and the scope of the compromise. This will help in understanding how the ransomware was deployed.
+- Apply security patches to address any vulnerabilities exploited by the ransomware. Ensure all systems are updated to prevent similar attacks.
+- Enhance monitoring and detection capabilities by configuring alerts for similar event patterns and behaviors identified in the query fields.
+- Report the incident to relevant authorities and stakeholders as per organizational policy and legal requirements, ensuring compliance with any regulatory obligations."""
+

nldcsc_elastic_rules/rules/promotions/endgame_ransomware_prevented.toml

@@ -0,0 +1,71 @@
+[metadata]
+creation_date = "2020/02/18"
+maturity = "production"
+promotion = true
+updated_date = "2025/03/21"
+
+[rule]
+author = ["Elastic"]
+description = """
+Elastic Endgame prevented ransomware. Click the Elastic Endgame icon in the event.module column or the link in the
+rule.reference column for additional information.
+"""
+from = "now-2m"
+index = ["endgame-*"]
+interval = "1m"
+language = "kuery"
+license = "Elastic License v2"
+max_signals = 1000
+name = "Ransomware - Prevented - Elastic Endgame"
+risk_score = 73
+rule_id = "e3c5d5cb-41d5-4206-805c-f30561eae3ac"
+setup = """## Setup
+
+### Additional notes
+
+For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).
+"""
+severity = "high"
+tags = ["Data Source: Elastic Endgame", "Resources: Investigation Guide"]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event)
+'''
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Ransomware - Prevented - Elastic Endgame
+
+Elastic Endgame is a security solution designed to prevent ransomware by monitoring and analyzing system events. Adversaries exploit vulnerabilities to deploy ransomware, encrypting files and demanding payment. The detection rule identifies ransomware activities by analyzing alerts and prevention events, focusing on specific actions and event types, thus enabling timely intervention and threat mitigation.
+
+### Possible investigation steps
+
+- Review the alert details in the Elastic Endgame console by clicking the Elastic Endgame icon in the event.module column or the link in the rule.reference column to gather more context about the specific prevention event.
+- Examine the event.kind field to confirm that the alert is indeed an alert type and verify the event.module is set to endgame, ensuring the alert is generated by the Elastic Endgame module.
+- Check the endgame.metadata.type field to ensure it is marked as prevention, indicating that the ransomware activity was successfully blocked.
+- Investigate the event.action and endgame.event_subtype_full fields to identify the specific ransomware event that triggered the alert, which can provide insights into the type of ransomware activity that was attempted.
+- Correlate the alert with other security events and logs from the same timeframe to identify any related activities or anomalies that might indicate a broader attack attempt or compromise.
+- Assess the affected system(s) for any signs of compromise or residual malicious activity, ensuring that the ransomware prevention was comprehensive and no other threats remain.
+
+### False positive analysis
+
+- Routine software updates or installations may trigger alerts as they can mimic ransomware behavior. Users should review these events and create exceptions for trusted software update processes.
+- Backup operations that involve large-scale file modifications or encryptions might be misidentified as ransomware activities. Exclude known backup software and processes from triggering alerts.
+- Security testing tools or scripts designed to simulate ransomware for training or assessment purposes can cause false positives. Ensure these tools are whitelisted and their activities are documented.
+- Automated file encryption services used for legitimate purposes, such as data protection, may be flagged. Identify and exclude these services from the rule to prevent unnecessary alerts.
+- Frequent alerts from specific applications or processes that are known to be safe should be analyzed, and exceptions should be created to reduce noise and focus on genuine threats.
+
+### Response and remediation
+
+- Isolate the affected system immediately to prevent further spread of the ransomware. Disconnect it from the network and any shared drives.
+- Use Elastic Endgame to identify and terminate any malicious processes associated with the ransomware event to halt encryption activities.
+- Conduct a thorough scan of the affected system using updated antivirus and anti-malware tools to remove any remaining malicious files or components.
+- Restore encrypted files from the most recent clean backup to ensure data integrity and minimize data loss.
+- Review and update endpoint protection settings and policies in Elastic Endgame to enhance detection and prevention capabilities against similar ransomware threats.
+- Notify the IT security team and relevant stakeholders about the incident for awareness and further investigation into potential vulnerabilities exploited.
+- Document the incident details, including the response actions taken, to improve future incident response strategies and facilitate any necessary reporting or compliance requirements."""
+