Threat Intel Filebeat Module (v7.x) Indicator Match
This rule is triggered when indicators from the Threat Intel Filebeat module (v7.x) have a match against local file or network observations.
Elastic rule
[metadata]
creation_date = "2021/04/21"
deprecation_date = "2022/01/12"
maturity = "deprecated"
updated_date = "2022/01/12"

[rule]
author = ["Elastic"]
description = """
This rule is triggered when indicators from the Threat Intel Filebeat module (v7.x) has a match against local file or
network observations.
"""
from = "now-65m"
index = ["auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "packetbeat-*", "winlogbeat-*"]
interval = "1h"
language = "kuery"
license = "Elastic License v2"
name = "Threat Intel Filebeat Module (v7.x) Indicator Match"
note = """## Triage and Analysis

### Investigating Threat Intel Indicator Matches

Threat Intel indicator match rules allow matching from a local observation such as an endpoint event that records a file
hash with an entry of a file hash stored within the Threat Intel Filebeat module. Other examples of matches can occur on
an IP address, registry path, URL and imphash.

The matches will be based on the incoming feed data so it's important to validate the data and review the results by
investigating the associated activity to determine if it requires further investigation.

If an indicator matches a local observation, the following enriched fields will be generated to identify the indicator, field, and type matched.

- `threatintel.indicator.matched.atomic` - this identifies the atomic indicator that matched the local observation
- `threatintel.indicator.matched.field` - this identifies the indicator field that matched the local observation
- `threatintel.indicator.matched.type` - this identifies the indicator type that matched the local observation

#### Possible investigation steps:
- Investigation should be validated and reviewed based on the data (file hash, registry path, URL, imphash) that was matched
and viewing the source of that activity.
- Consider the history of the indicator that was matched. Has it happened before? Is it happening on multiple machines?
These kinds of questions can help understand if the activity is related to legitimate behavior.
- Consider the user and their role within the company, is this something related to their job or work function?

### False Positive Analysis
- For any matches found, it's important to consider the initial release date of that indicator. Threat intelligence can
be a great tool for augmenting existing security processes, while at the same time it should be understood that threat
intelligence can represent a specific set of activity observed at a point in time. For example, an IP address
may have hosted malware observed in a Dridex campaign six months ago, but it's possible that IP has been remediated and
no longer represents any threat.
- Adversaries often use legitimate tools as network administrators such as `PsExec` or `AdFind`, these tools often find their
way into indicator lists creating the potential for false positives.
- It's possible after large and publicly written campaigns, curious employees might end up going directly to attacker infrastructure and generating these rules

### Response and Remediation
- If suspicious or malicious behavior is observed, immediate response should be taken to isolate activity to prevent further
post-compromise behavior.
- One example of a response if a machine matched a command and control IP address would be to add an entry to a network
device such as a firewall or proxy appliance to prevent any outbound activity from leaving that machine.
- Another example of a response with a malicious file hash match would involve validating if the file was properly quarantined,
review current running processes looking for any abnormal activity, and investigating for any other follow-up actions such as persistence or lateral movement
"""
references = ["https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html"]
risk_score = 99
rule_id = "dc672cb7-d5df-4d1f-a6d7-0841b1caafb9"
severity = "critical"
tags = ["Elastic", "Windows", "Elastic Endgame", "Network", "Continuous Monitoring", "SecOps", "Monitoring"]
threat_index = ["filebeat-*"]
threat_indicator_path = "threatintel.indicator"
threat_language = "kuery"
threat_query = """
@timestamp >= "now-30d" and event.module:threatintel and (threatintel.indicator.file.hash.*:* or
threatintel.indicator.file.pe.imphash:* or threatintel.indicator.ip:* or threatintel.indicator.registry.path:* or
threatintel.indicator.url.full:*)
"""
timeline_id = "495ad7a7-316e-4544-8a0f-9c098daee76e"
timeline_title = "Generic Threat Match Timeline"
type = "threat_match"

query = '''
file.hash.*:* or file.pe.imphash:* or source.ip:* or destination.ip:* or url.full:* or registry.path:*
'''


[[rule.threat_filters]]

[rule.threat_filters."$state"]
store = "appState"
[rule.threat_filters.meta]
negate = false
disabled = false
type = "phrase"
key = "event.module"
[rule.threat_filters.meta.params]
query = "threatintel"
[rule.threat_filters.query.match_phrase]
"event.module" = "threatintel"
[[rule.threat_filters]]

[rule.threat_filters."$state"]
store = "appState"
[rule.threat_filters.meta]
negate = false
disabled = false
type = "phrase"
key = "event.category"
[rule.threat_filters.meta.params]
query = "threat"
[rule.threat_filters.query.match_phrase]
"event.category" = "threat"
[[rule.threat_filters]]

[rule.threat_filters."$state"]
store = "appState"
[rule.threat_filters.meta]
negate = false
disabled = false
type = "phrase"
key = "event.kind"
[rule.threat_filters.meta.params]
query = "enrichment"
[rule.threat_filters.query.match_phrase]
"event.kind" = "enrichment"
[[rule.threat_filters]]

[rule.threat_filters."$state"]
store = "appState"
[rule.threat_filters.meta]
negate = false
disabled = false
type = "phrase"
key = "event.type"
[rule.threat_filters.meta.params]
query = "indicator"
[rule.threat_filters.query.match_phrase]
"event.type" = "indicator"
[[rule.threat_mapping]]

[[rule.threat_mapping.entries]]
value = "threatintel.indicator.file.hash.md5"
field = "file.hash.md5"
type = "mapping"

[[rule.threat_mapping]]

[[rule.threat_mapping.entries]]
value = "threatintel.indicator.file.hash.sha1"
field = "file.hash.sha1"
type = "mapping"

[[rule.threat_mapping]]

[[rule.threat_mapping.entries]]
value = "threatintel.indicator.file.hash.sha256"
field = "file.hash.sha256"
type = "mapping"

[[rule.threat_mapping]]

[[rule.threat_mapping.entries]]
value = "threatintel.indicator.file.pe.imphash"
field = "file.pe.imphash"
type = "mapping"

[[rule.threat_mapping]]

[[rule.threat_mapping.entries]]
value = "threatintel.indicator.ip"
field = "source.ip"
type = "mapping"

[[rule.threat_mapping]]

[[rule.threat_mapping.entries]]
value = "threatintel.indicator.ip"
field = "destination.ip"
type = "mapping"

[[rule.threat_mapping]]

[[rule.threat_mapping.entries]]
value = "threatintel.indicator.url.full"
field = "url.full"
type = "mapping"

[[rule.threat_mapping]]

[[rule.threat_mapping.entries]]
value = "threatintel.indicator.registry.path"
field = "registry.path"
type = "mapping"
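As an added example (not Elastic's code or the rule engine itself), the Python below simulates how this threat_match rule joins local events to threatintel documents: the threat_filters and the 30-day window of threat_query gate which feed documents are eligible, each [[rule.threat_mapping]] group is OR'ed while entries inside a group are AND'ed, and a hit yields the three threatintel.indicator.matched.* fields described in the note. Assumptions: documents are flat dicts keyed by dotted ECS names, matched.type is taken from threatintel.indicator.type, and the AND-within-group logic is the general form, which goes beyond the single-entry groups on this page.

```python
from datetime import datetime, timedelta, timezone

# rule.threat_mapping from the TOML above: (indicator field, local field) pairs.
# Groups are OR'ed; entries inside one group are AND'ed (general form, every
# group on this page happens to hold a single entry).
THREAT_MAPPING = [
    [("threatintel.indicator.file.hash.md5", "file.hash.md5")],
    [("threatintel.indicator.file.hash.sha1", "file.hash.sha1")],
    [("threatintel.indicator.file.hash.sha256", "file.hash.sha256")],
    [("threatintel.indicator.file.pe.imphash", "file.pe.imphash")],
    [("threatintel.indicator.ip", "source.ip")],
    [("threatintel.indicator.ip", "destination.ip")],
    [("threatintel.indicator.url.full", "url.full")],
    [("threatintel.indicator.registry.path", "registry.path")],
]
# rule.threat_filters: the four match_phrase filters on the indicator index.
THREAT_FILTERS = {"event.module": "threatintel", "event.category": "threat",
                  "event.kind": "enrichment", "event.type": "indicator"}

def indicator_is_eligible(doc, now, max_age=timedelta(days=30)):
    """threat_query window (@timestamp >= now-30d) plus the phrase filters."""
    if any(doc.get(k) != v for k, v in THREAT_FILTERS.items()):
        return False
    return datetime.fromisoformat(doc["@timestamp"]) >= now - max_age

def match_event(event, indicators, now):
    """Return the matched.* enrichment for the first indicator/group that hits."""
    for doc in indicators:
        if not indicator_is_eligible(doc, now):
            continue  # stale or mis-typed feed document: never joined
        for group in THREAT_MAPPING:
            if all(ind in doc and doc[ind] == event.get(local) for ind, local in group):
                ind, local = group[0]
                return {"threatintel.indicator.matched.atomic": doc[ind],
                        "threatintel.indicator.matched.field": local,
                        # assumption: type comes from threatintel.indicator.type
                        "threatintel.indicator.matched.type": doc.get("threatintel.indicator.type")}
    return None

# Constructed sample feed documents (flat dicts keyed by dotted ECS names).
NOW = datetime(2022, 1, 12, tzinfo=timezone.utc)
INDICATORS = [
    {**THREAT_FILTERS, "@timestamp": "2021-12-20T00:00:00+00:00",
     "threatintel.indicator.type": "ipv4-addr", "threatintel.indicator.ip": "203.0.113.10"},
    {**THREAT_FILTERS, "@timestamp": "2022-01-05T00:00:00+00:00",
     "threatintel.indicator.type": "file", "threatintel.indicator.file.hash.sha256": "a" * 64},
    {**THREAT_FILTERS, "@timestamp": "2021-10-01T00:00:00+00:00",  # outside now-30d
     "threatintel.indicator.type": "ipv4-addr", "threatintel.indicator.ip": "198.51.100.7"},
]
```

The stale 198.51.100.7 indicator is never joined, which is the mechanical counterpart of the note's advice to weigh an indicator's release date before acting on a match.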