nldcsc-elastic-rules 0.0.8__py3-none-any.whl

nldcsc_elastic_rules/rules/promotions/privilege_escalation_endgame_cred_manipulation_prevented.toml

@@ -0,0 +1,85 @@
+[metadata]
+creation_date = "2020/02/18"
+maturity = "production"
+promotion = true
+updated_date = "2025/03/21"
+
+[rule]
+author = ["Elastic"]
+description = """
+Elastic Endgame prevented Credential Manipulation. Click the Elastic Endgame icon in the event.module column or the link
+in the rule.reference column for additional information.
+"""
+from = "now-2m"
+index = ["endgame-*"]
+interval = "1m"
+language = "kuery"
+license = "Elastic License v2"
+max_signals = 1000
+name = "Credential Manipulation - Prevented - Elastic Endgame"
+risk_score = 47
+rule_id = "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa"
+setup = """## Setup
+
+### Additional notes
+
+For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).
+"""
+severity = "medium"
+tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide"]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event)
+'''
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Credential Manipulation - Prevented - Elastic Endgame
+
+Elastic Endgame is a security solution that prevents unauthorized credential manipulation, a tactic often used by adversaries to escalate privileges by altering access tokens. Attackers exploit this to gain elevated access within a system. The detection rule identifies such attempts by monitoring alerts for token manipulation events, leveraging Elastic Endgame's prevention capabilities to thwart these threats effectively.
+
+### Possible investigation steps
+
+- Review the alert details to confirm the presence of event.kind:alert and event.module:endgame, ensuring the alert is related to Elastic Endgame's prevention capabilities.
+- Examine the event.action and endgame.event_subtype_full fields to identify the specific type of token manipulation event that was prevented.
+- Investigate the source and destination of the alert by analyzing associated IP addresses, user accounts, and hostnames to determine if the attempt was internal or external.
+- Check for any related alerts or logs around the same timeframe to identify potential patterns or coordinated attempts at credential manipulation.
+- Assess the impacted system's current security posture and review recent changes or anomalies in user behavior that might have led to the attempted manipulation.
+- Consult the MITRE ATT&CK framework for additional context on Access Token Manipulation (T1134) to understand potential adversary techniques and improve defensive measures.
+
+### False positive analysis
+
+- Routine administrative tasks involving legitimate token manipulation can trigger alerts. Review the context of the event to determine if it aligns with expected administrative activities.
+- Automated scripts or software updates that modify access tokens as part of their normal operation may cause false positives. Identify these processes and consider adding them to an exception list if they are verified as non-threatening.
+- Security tools or monitoring solutions that interact with access tokens for legitimate purposes might be flagged. Validate these tools and exclude them from the rule if they are confirmed to be safe.
+- User behavior that involves frequent token changes, such as developers testing applications, can lead to false positives. Monitor these activities and create exceptions for known users or groups performing these tasks regularly.
+- Ensure that the rule is not overly broad by refining the query to focus on specific actions or contexts that are more indicative of malicious behavior, reducing the likelihood of false positives.
+
+### Response and remediation
+
+- Immediately isolate the affected system to prevent further unauthorized access or lateral movement within the network.
+- Revoke and reset any potentially compromised credentials associated with the affected system to mitigate unauthorized access.
+- Conduct a thorough review of access logs and token usage to identify any unauthorized access or privilege escalation attempts.
+- Restore the affected system from a known good backup to ensure the integrity of the system and its credentials.
+- Implement additional monitoring on the affected system and related accounts to detect any further suspicious activity.
+- Escalate the incident to the security operations team for a detailed investigation and to assess the potential impact on other systems.
+- Review and update access control policies to ensure that only necessary permissions are granted, reducing the risk of privilege escalation."""
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1134"
+name = "Access Token Manipulation"
+reference = "https://attack.mitre.org/techniques/T1134/"
+
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+

nldcsc_elastic_rules/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml

@@ -0,0 +1,85 @@
+[metadata]
+creation_date = "2020/02/18"
+maturity = "production"
+promotion = true
+updated_date = "2025/03/21"
+
+[rule]
+author = ["Elastic"]
+description = """
+Elastic Endgame detected Permission Theft. Click the Elastic Endgame icon in the event.module column or the link in the
+rule.reference column for additional information.
+"""
+from = "now-2m"
+index = ["endgame-*"]
+interval = "1m"
+language = "kuery"
+license = "Elastic License v2"
+max_signals = 1000
+name = "Permission Theft - Detected - Elastic Endgame"
+risk_score = 73
+rule_id = "c3167e1b-f73c-41be-b60b-87f4df707fe3"
+setup = """## Setup
+
+### Additional notes
+
+For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).
+"""
+severity = "high"
+tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide"]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event)
+'''
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Permission Theft - Detected - Elastic Endgame
+
+Elastic Endgame is a security solution that monitors and detects unauthorized access attempts, focusing on privilege escalation tactics like access token manipulation. Adversaries exploit this by stealing or forging tokens to gain elevated permissions. The detection rule identifies suspicious token-related events, flagging high-risk activities indicative of permission theft, thus enabling timely threat response.
+
+### Possible investigation steps
+
+- Review the alert details to confirm the presence of event.kind:alert and event.module:endgame, ensuring the alert is related to Elastic Endgame's detection capabilities.
+- Examine the event.action and endgame.event_subtype_full fields for token_protection_event to identify the specific token manipulation activity that triggered the alert.
+- Investigate the source and destination user accounts involved in the alert to determine if there are any unauthorized access attempts or privilege escalations.
+- Check for any recent changes or anomalies in the permissions or roles associated with the affected accounts to assess potential impact.
+- Correlate the alert with other security events or logs to identify any patterns or additional indicators of compromise that may suggest a broader attack campaign.
+- Consult the MITRE ATT&CK framework for additional context on the Access Token Manipulation technique (T1134) to understand potential adversary behaviors and mitigation strategies.
+
+### False positive analysis
+
+- Routine administrative tasks involving token management can trigger alerts. Review and document these tasks to create exceptions for known safe activities.
+- Automated scripts or services that frequently access tokens for legitimate purposes may be flagged. Identify these scripts and whitelist them to prevent unnecessary alerts.
+- Software updates or installations that require elevated permissions might be detected as suspicious. Monitor these events and adjust detection rules to accommodate regular update schedules.
+- Internal security tools that perform token manipulation for testing or monitoring purposes can cause false positives. Ensure these tools are recognized and excluded from detection rules.
+- User behavior analytics might misinterpret legitimate user actions as threats. Regularly update user profiles and behavior baselines to minimize false alerts.
+
+### Response and remediation
+
+- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement by the adversary.
+- Revoke any compromised or suspicious access tokens identified in the alert to prevent further misuse of elevated permissions.
+- Conduct a thorough review of recent account activities associated with the compromised tokens to identify any unauthorized actions or changes.
+- Reset passwords and enforce multi-factor authentication for accounts involved in the incident to enhance security and prevent future unauthorized access.
+- Restore any altered or deleted data from backups, ensuring that the restored data is free from any malicious modifications.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems or accounts have been affected.
+- Implement enhanced monitoring and logging for token-related activities to detect and respond to similar threats more effectively in the future."""
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1134"
+name = "Access Token Manipulation"
+reference = "https://attack.mitre.org/techniques/T1134/"
+
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+

nldcsc_elastic_rules/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml

@@ -0,0 +1,85 @@
+[metadata]
+creation_date = "2020/02/18"
+maturity = "production"
+promotion = true
+updated_date = "2025/03/21"
+
+[rule]
+author = ["Elastic"]
+description = """
+Elastic Endgame prevented Permission Theft. Click the Elastic Endgame icon in the event.module column or the link in the
+rule.reference column for additional information.
+"""
+from = "now-2m"
+index = ["endgame-*"]
+interval = "1m"
+language = "kuery"
+license = "Elastic License v2"
+max_signals = 1000
+name = "Permission Theft - Prevented - Elastic Endgame"
+risk_score = 47
+rule_id = "453f659e-0429-40b1-bfdb-b6957286e04b"
+setup = """## Setup
+
+### Additional notes
+
+For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).
+"""
+severity = "medium"
+tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide"]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event)
+'''
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Permission Theft - Prevented - Elastic Endgame
+
+Elastic Endgame is a security solution that prevents unauthorized access by monitoring and blocking attempts to manipulate access tokens, a common privilege escalation tactic. Adversaries exploit token manipulation to gain elevated permissions without detection. The detection rule identifies and alerts on prevention events related to token protection, leveraging specific event types and actions to flag suspicious activities, thus mitigating potential threats.
+
+### Possible investigation steps
+
+- Review the alert details to confirm the event.kind is 'alert' and event.module is 'endgame', ensuring the alert is relevant to Elastic Endgame's token protection.
+- Examine the event.action and endgame.event_subtype_full fields to determine if the alert was triggered by a 'token_protection_event', which indicates an attempt to manipulate access tokens.
+- Investigate the source and destination of the alert by analyzing associated IP addresses, user accounts, and hostnames to identify potential unauthorized access attempts.
+- Check the endgame.metadata.type field to verify that the event type is 'prevention', confirming that the attempted permission theft was successfully blocked.
+- Correlate the alert with other recent alerts or logs to identify patterns or repeated attempts that might indicate a persistent threat actor.
+- Assess the risk score and severity level to prioritize the investigation and determine if immediate action is required to mitigate potential threats.
+
+### False positive analysis
+
+- Routine administrative tasks involving legitimate token manipulation may trigger alerts. Review the context of the event to determine if it aligns with expected administrative activities.
+- Scheduled scripts or automated processes that require token access might be flagged. Identify these processes and consider creating exceptions for known, safe operations.
+- Software updates or installations that involve token changes can generate alerts. Verify the source and purpose of the update to ensure it is authorized, and exclude these events if they are part of regular maintenance.
+- Security tools or monitoring solutions that interact with tokens for legitimate purposes may cause false positives. Cross-reference with known tool activities and whitelist these actions if they are verified as non-threatening.
+- User behavior analytics might misinterpret legitimate user actions as suspicious. Analyze user activity patterns and adjust the detection thresholds or rules to better align with normal user behavior.
+
+### Response and remediation
+
+- Immediately isolate the affected system to prevent further unauthorized access or privilege escalation attempts.
+- Revoke any potentially compromised access tokens and force re-authentication for affected accounts to ensure that only legitimate users regain access.
+- Conduct a thorough review of recent access logs and token usage to identify any unauthorized access or actions taken by the adversary.
+- Apply patches or updates to the affected systems and applications to address any vulnerabilities that may have been exploited for token manipulation.
+- Implement enhanced monitoring on the affected systems to detect any further attempts at access token manipulation or privilege escalation.
+- Notify the security team and relevant stakeholders about the incident, providing details of the threat and actions taken, and escalate to higher management if the threat level increases.
+- Review and update access control policies and token management practices to prevent similar incidents in the future, ensuring that only necessary permissions are granted and regularly audited."""
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1134"
+name = "Access Token Manipulation"
+reference = "https://attack.mitre.org/techniques/T1134/"
+
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+

nldcsc_elastic_rules/rules/promotions/privilege_escalation_endgame_process_injection_detected.toml

@@ -0,0 +1,86 @@
+[metadata]
+creation_date = "2020/02/18"
+maturity = "production"
+promotion = true
+updated_date = "2025/03/21"
+
+[rule]
+author = ["Elastic"]
+description = """
+Elastic Endgame detected Process Injection. Click the Elastic Endgame icon in the event.module column or the link in the
+rule.reference column for additional information.
+"""
+from = "now-2m"
+index = ["endgame-*"]
+interval = "1m"
+language = "kuery"
+license = "Elastic License v2"
+max_signals = 1000
+name = "Process Injection - Detected - Elastic Endgame"
+risk_score = 73
+rule_id = "80c52164-c82a-402c-9964-852533d58be1"
+setup = """## Setup
+
+### Additional notes
+
+For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).
+"""
+severity = "high"
+tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide"]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event)
+'''
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Process Injection - Detected - Elastic Endgame
+
+Elastic Endgame is a security solution that monitors and detects suspicious activities like process injection, a technique often used by adversaries to execute malicious code within the address space of another process, thereby evading detection. This detection rule identifies such threats by analyzing alerts and specific event actions related to kernel shellcode, indicating potential privilege escalation attempts. By leveraging MITRE ATT&CK frameworks, it effectively flags high-risk activities, aiding analysts in mitigating threats.
+
+### Possible investigation steps
+
+- Review the alert details in the Elastic Endgame console by clicking the Elastic Endgame icon in the event.module column or the link in the rule.reference column to gather more context about the detected process injection.
+- Examine the specific event.action and endgame.event_subtype_full fields to confirm the presence of kernel_shellcode_event, which indicates potential malicious activity.
+- Analyze the process tree and parent-child relationships of the affected process to identify any unusual or unauthorized processes that may have initiated the injection.
+- Check for any recent privilege escalation attempts or suspicious activities associated with the affected process by correlating with other alerts or logs in the system.
+- Investigate the source and destination IP addresses, if available, to determine if there is any external communication that could suggest a command and control connection.
+- Assess the risk and impact of the detected activity by considering the risk score and severity level, and prioritize response actions accordingly.
+- If necessary, isolate the affected system to prevent further malicious activity and begin remediation efforts based on the findings.
+
+### False positive analysis
+
+- Legitimate software updates or patches may trigger process injection alerts. Users can create exceptions for known update processes by identifying their unique process names or hashes.
+- Security tools or monitoring software that use process injection for legitimate purposes might be flagged. Users should whitelist these tools by specifying their process identifiers or paths.
+- Custom scripts or automation tasks that interact with system processes could be misidentified as threats. Users can exclude these scripts by defining their execution context or command-line arguments.
+- Debugging or development activities involving process manipulation might cause false positives. Users should consider excluding these activities during known development periods or within specific environments.
+- Virtualization or sandboxing solutions that mimic process injection techniques for isolation purposes may be detected. Users can create exceptions for these solutions by recognizing their specific signatures or behaviors.
+
+### Response and remediation
+
+- Isolate the affected system immediately to prevent further spread of the malicious code. Disconnect it from the network and any shared resources.
+- Terminate the malicious process identified by the alert to stop the execution of injected code. Use process management tools to safely end the process.
+- Conduct a thorough scan of the affected system using updated antivirus and anti-malware tools to identify and remove any additional threats or remnants of the attack.
+- Review and analyze system logs and the specific event details from the alert to understand the scope of the intrusion and identify any other potentially compromised systems.
+- Apply security patches and updates to the operating system and all software applications on the affected system to close any vulnerabilities exploited by the attacker.
+- Restore the system from a known good backup taken before the incident occurred, ensuring that the backup is free from any malicious code.
+- Report the incident to the appropriate internal security team or external authorities if required, providing them with detailed information about the attack and the steps taken for remediation."""
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1055"
+name = "Process Injection"
+reference = "https://attack.mitre.org/techniques/T1055/"
+
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+

nldcsc_elastic_rules/rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml

@@ -0,0 +1,85 @@
+[metadata]
+creation_date = "2020/02/18"
+maturity = "production"
+promotion = true
+updated_date = "2025/03/21"
+
+[rule]
+author = ["Elastic"]
+description = """
+Elastic Endgame prevented Process Injection. Click the Elastic Endgame icon in the event.module column or the link in
+the rule.reference column for additional information.
+"""
+from = "now-1m"
+index = ["endgame-*"]
+interval = "2m"
+language = "kuery"
+license = "Elastic License v2"
+max_signals = 1000
+name = "Process Injection - Prevented - Elastic Endgame"
+risk_score = 47
+rule_id = "990838aa-a953-4f3e-b3cb-6ddf7584de9e"
+setup = """## Setup
+
+### Additional notes
+
+For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).
+"""
+severity = "medium"
+tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide"]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event)
+'''
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Process Injection - Prevented - Elastic Endgame
+
+Elastic Endgame is a security solution that prevents malicious activities like process injection, a technique often used by adversaries to execute code within the address space of another process, enabling privilege escalation. This detection rule identifies attempts by monitoring alerts for specific kernel shellcode events, indicating potential injection attempts, and helps mitigate threats by leveraging prevention capabilities.
+
+### Possible investigation steps
+
+- Review the alert details to confirm the presence of event.kind:alert and event.module:endgame, ensuring the alert is related to Elastic Endgame's prevention capabilities.
+- Examine the event.action and endgame.event_subtype_full fields for kernel_shellcode_event to identify the specific type of process injection attempt.
+- Investigate the source process and target process involved in the injection attempt to understand the context and potential impact on the system.
+- Check for any associated alerts or logs around the same timeframe to identify if this is part of a larger attack pattern or isolated incident.
+- Assess the risk score and severity to prioritize the investigation and determine if immediate action is required to mitigate potential threats.
+- Consult the MITRE ATT&CK framework for additional context on the T1055 Process Injection technique to understand common methods and potential mitigations.
+
+### False positive analysis
+
+- Legitimate software updates or installations may trigger kernel shellcode events. Users can create exceptions for known update processes by identifying their unique process identifiers or paths.
+- Security tools or monitoring software that perform deep system scans might mimic process injection behavior. Exclude these tools by specifying their executable names or hashes in the exception list.
+- Custom scripts or automation tools that interact with system processes could be flagged. Review these scripts and whitelist them if they are verified as safe and necessary for operations.
+- Development environments or debugging tools that inject code for testing purposes may cause alerts. Establish exceptions for these environments by defining rules based on the development tools' signatures or process names.
+- Virtualization software that uses process injection techniques for managing virtual machines can be mistakenly identified. Add these applications to the exclusion list by recognizing their specific process attributes.
+
+### Response and remediation
+
+- Immediately isolate the affected system from the network to prevent further malicious activity and lateral movement.
+- Terminate any suspicious processes identified by the alert, particularly those associated with the kernel shellcode event, to halt ongoing malicious actions.
+- Conduct a thorough analysis of the affected system to identify any additional indicators of compromise or secondary payloads that may have been deployed.
+- Restore the affected system from a known good backup to ensure any injected code or malicious modifications are removed.
+- Apply security patches and updates to the operating system and all installed software to close any vulnerabilities that may have been exploited.
+- Monitor the network and systems for any signs of similar process injection attempts, using enhanced logging and alerting based on the identified threat indicators.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected."""
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1055"
+name = "Process Injection"
+reference = "https://attack.mitre.org/techniques/T1055/"
+
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+

nldcsc_elastic_rules/rules/promotions/sentinelone_alert_external_alerts.toml

@@ -0,0 +1,114 @@
+[metadata]
+creation_date = "2025/07/31"
+integration = ["sentinel_one"]
+maturity = "production"
+promotion = true
+updated_date = "2025/10/17"
+
+[rule]
+author = ["Elastic"]
+description = """
+Generates a detection alert for each SentinelOne alert written to the configured indices. Enabling this rule allows you
+to immediately begin investigating SentinelOne alerts in the app.
+"""
+from = "now-2m"
+index = ["logs-sentinel_one.alert-*"]
+interval = "1m"
+language = "kuery"
+license = "Elastic License v2"
+max_signals = 1000
+name = "SentinelOne Alert External Alerts"
+note = """## Triage and analysis
+
+### Investigating SentinelOne Alert External Alerts
+
+SentinelOne is a cybersecurity platform that provides endpoint protection by detecting and responding to threats in real-time. The rule identifies such threats by monitoring specific alert events, enabling analysts to swiftly investigate and mitigate potential security incidents.
+
+### Possible investigation steps
+
+- Correlate the alert with recent activity on the affected endpoint to identify any unusual or suspicious behavior patterns.
+- Check for any additional alerts or logs related to the same endpoint or user to determine if this is part of a broader attack or isolated incident.
+- Investigate the source and destination IP addresses involved in the alert to assess if they are known to be malicious or associated with previous threats.
+- Analyze any files or processes flagged in the alert to determine if they are legitimate or potentially malicious, using threat intelligence sources if necessary.
+- Consult the SentinelOne investigation guide and resources tagged in the alert for specific guidance on handling similar threats.
+
+### False positive analysis
+
+- Alerts triggered by routine software updates or patches can be false positives. Review the context of the alert to determine if it aligns with scheduled maintenance activities.
+- Legitimate administrative tools or scripts may trigger alerts. Identify and whitelist these tools if they are verified as non-threatening.
+- Frequent alerts from known safe applications or processes can be excluded by creating exceptions for these specific behaviors in the SentinelOne configuration.
+- Network scanning or monitoring tools used by IT teams might be flagged. Ensure these tools are documented and excluded from triggering alerts if they are part of regular operations.
+- User behavior that is consistent with their role but triggers alerts should be reviewed. If deemed non-malicious, adjust the rule to exclude these specific user actions.
+
+### Response and remediation
+
+- Isolate the affected endpoint immediately to prevent lateral movement and further compromise within the network.
+- Analyze the specific alert details to identify the nature of the threat and any associated indicators of compromise (IOCs).
+- Remove or quarantine any malicious files or processes identified by the SentinelOne alert to neutralize the threat.
+- Apply relevant security patches or updates to address any exploited vulnerabilities on the affected endpoint.
+- Conduct a thorough scan of the network to identify any additional endpoints that may have been compromised or are exhibiting similar behavior.
+- Document the incident and escalate to the appropriate security team or management if the threat is part of a larger attack campaign or if additional resources are needed for remediation.
+- Review and update endpoint protection policies and configurations to enhance detection and prevention capabilities against similar threats in the future.
+"""
+references = ["https://docs.elastic.co/en/integrations/sentinel_one"]
+risk_score = 47
+rule_id = "9b35422b-9102-45a9-8610-2e0c22281c55"
+rule_name_override = "rule.name"
+setup = """## Setup
+
+### SentinelOne Alert Integration
+This rule is designed to capture alert events generated by the SentinelOne integration and promote them as Elastic detection alerts.
+
+To capture SentinelOne alerts, install and configure the SentinelOne integration to ingest alert events into the `logs-sentinel_one.alert-*` index pattern.
+
+If this rule is enabled alongside the External Alerts promotion rule (UUID: eb079c62-4481-4d6e-9643-3ca499df7aaa), you may receive duplicate alerts for the same SentinelOne events. Consider adding a rule exception for the External Alert rule to exclude datastream.dataset: sentinel_one.alert to avoid receiving duplicate alerts.
+
+### Additional notes
+
+For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).
+"""
+severity = "medium"
+tags = [
+    "Data Source: SentinelOne",
+    "Use Case: Threat Detection",
+    "Resources: Investigation Guide",
+    "Promotion: External Alerts",
+]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.kind: event and data_stream.dataset: sentinel_one.alert
+'''
+
+
+[[rule.risk_score_mapping]]
+field = "event.risk_score"
+operator = "equals"
+value = ""
+
+[[rule.severity_mapping]]
+field = "event.severity"
+operator = "equals"
+severity = "low"
+value = "21"
+
+[[rule.severity_mapping]]
+field = "event.severity"
+operator = "equals"
+severity = "medium"
+value = "47"
+
+[[rule.severity_mapping]]
+field = "event.severity"
+operator = "equals"
+severity = "high"
+value = "73"
+
+[[rule.severity_mapping]]
+field = "event.severity"
+operator = "equals"
+severity = "critical"
+value = "99"
+
+

nldcsc_elastic_rules/rules/promotions/sentinelone_threat_external_alerts.toml

@@ -0,0 +1,102 @@
+[metadata]
+creation_date = "2025/08/04"
+integration = ["sentinel_one"]
+maturity = "production"
+promotion = true
+updated_date = "2025/10/17"
+
+[rule]
+author = ["Elastic"]
+description = """
+Generates a detection alert for each SentinelOne threat written to the configured indices. Enabling this rule allows you
+to immediately begin investigating SentinelOne threat alerts in the app.
+"""
+from = "now-2m"
+index = ["logs-sentinel_one.threat-*"]
+interval = "1m"
+language = "kuery"
+license = "Elastic License v2"
+max_signals = 1000
+name = "SentinelOne Threat External Alerts"
+note = """## Triage and analysis
+
+### Investigating SentinelOne Threat External Alerts
+
+SentinelOne is a cybersecurity platform that provides endpoint protection by detecting and responding to threats in real-time. The rule identifies such threats by monitoring specific threat events, enabling analysts to swiftly investigate and mitigate potential security incidents.
+
+### Possible investigation steps
+
+- Correlate the threat alert with recent activity on the affected endpoint to identify any unusual or suspicious behavior patterns.
+- Check for any additional alerts or logs related to the same endpoint or user to determine if this is part of a broader attack or isolated incident.
+- Investigate the source and destination IP addresses involved in the threat to assess if they are known to be malicious or associated with previous threats.
+- Analyze any files or processes flagged in the threat alert to determine if they are legitimate or potentially malicious, using threat intelligence sources if necessary.
+- Consult the SentinelOne investigation guide and resources tagged in the alert for specific guidance on handling similar threats.
+
+### False positive analysis
+
+- Threats triggered by routine software updates or patches can be false positives. Review the context of the threat to determine if it aligns with scheduled maintenance activities.
+- Legitimate administrative tools or scripts may trigger threat alerts. Identify and whitelist these tools if they are verified as non-threatening.
+- Frequent threat alerts from known safe applications or processes can be excluded by creating exceptions for these specific behaviors in the SentinelOne configuration.
+- Network scanning or monitoring tools used by IT teams might be flagged. Ensure these tools are documented and excluded from triggering alerts if they are part of regular operations.
+- User behavior that is consistent with their role but triggers threat alerts should be reviewed. If deemed non-malicious, adjust the rule to exclude these specific user actions.
+
+### Response and remediation
+
+- Isolate the affected endpoint immediately to prevent lateral movement and further compromise within the network.
+- Analyze the specific threat alert details to identify the nature of the threat and any associated indicators of compromise (IOCs).
+- Remove or quarantine any malicious files or processes identified by the SentinelOne threat alert to neutralize the threat.
+- Apply relevant security patches or updates to address any exploited vulnerabilities on the affected endpoint.
+- Conduct a thorough scan of the network to identify any additional endpoints that may have been compromised or are exhibiting similar behavior.
+- Document the incident and escalate to the appropriate security team or management if the threat is part of a larger attack campaign or if additional resources are needed for remediation.
+- Review and update endpoint protection policies and configurations to enhance detection and prevention capabilities against similar threats in the future.
+"""
+references = ["https://docs.elastic.co/en/integrations/sentinel_one"]
+risk_score = 47
+rule_id = "e43b7578-f3cc-4682-a8cf-f9d8a5fb07f1"
+rule_name_override = "message"
+setup = """## Setup
+
+### SentinelOne Threat Integration
+This rule is designed to capture threat events generated by the SentinelOne integration and promote them as Elastic detection alerts.
+
+To capture SentinelOne threat alerts, install and configure the SentinelOne integration to ingest threat events into the `logs-sentinel_one.threat-*` index pattern.
+
+If this rule is enabled alongside the External Alerts promotion rule (UUID: eb079c62-4481-4d6e-9643-3ca499df7aaa), you may receive duplicate alerts for the same SentinelOne events. Consider adding a rule exception for the External Alert rule to exclude datastream.dataset: sentinel_one.threat to avoid receiving duplicate alerts.
+
+### Additional notes
+
+For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).
+"""
+severity = "medium"
+tags = [
+    "Data Source: SentinelOne",
+    "Use Case: Threat Detection",
+    "Resources: Investigation Guide",
+    "Promotion: External Alerts",
+]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.kind: alert and data_stream.dataset: sentinel_one.threat
+'''
+
+
+[[rule.risk_score_mapping]]
+field = "event.risk_score"
+operator = "equals"
+value = ""
+
+[[rule.severity_mapping]]
+field = "sentinel_one.threat.confidence_level"
+operator = "equals"
+severity = "medium"
+value = "suspicious"
+
+[[rule.severity_mapping]]
+field = "sentinel_one.threat.confidence_level"
+operator = "equals"
+severity = "high"
+value = "malicious"
+
+