Deprecated - Threat Intel Filebeat Module (v8.x) Indicator Match
This rule is triggered when indicators from the Threat Intel Filebeat module (v8.x) has a match against local file or network observations. This rule was deprecated. See the Setup section for more information and alternative rules.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2021/11/24"
3deprecation_date = "2023/07/03"
4maturity = "deprecated"
5min_stack_comments = "Updating the rule for 8.5+ users before deprecation."
6min_stack_version = "8.5.0"
7updated_date = "2023/07/03"
8
9[rule]
10author = ["Elastic"]
11description = """
12This rule is triggered when indicators from the Threat Intel Filebeat module (v8.x) has a match against local file or
13network observations. This rule was deprecated. See the Setup section for more information and alternative rules.
14"""
15from = "now-65m"
16index = ["auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "packetbeat-*", "winlogbeat-*"]
17interval = "1h"
18language = "kuery"
19license = "Elastic License v2"
20name = "Deprecated - Threat Intel Filebeat Module (v8.x) Indicator Match"
21note = """## Triage and Analysis
22
23### Investigating Threat Intel Indicator Matches
24
25Threat Intel indicator match rules allow matching from a local observation such as an endpoint event that records a file hash with an entry of a file hash stored within the Threat Intel integrations. Matches can also occur on an IP address, registry path, URL, or imphash.
26
27The matches will be based on the incoming last 30 days feed data so it's important to validate the data and review the results by investigating the associated activity to determine if it requires further investigation.
28
29If an indicator matches a local observation, the following enriched fields will be generated to identify the indicator, field, and type matched.
30
31- `threat.indicator.matched.atomic` - this identifies the atomic indicator that matched the local observation
32- `threat.indicator.matched.field` - this identifies the indicator field that matched the local observation
33- `threat.indicator.matched.type` - this identifies the indicator type that matched the local observation
34
35#### Possible investigation steps
36
37- Investigation should be validated and reviewed based on the data (file hash, registry path, URL, imphash) that was matched and by viewing the source of that activity.
38- Consider the history of the indicator that was matched. Has it happened before? Is it happening on multiple machines? These kinds of questions can help understand if the activity is related to legitimate behavior.
39- Consider the user and their role within the company: is this something related to their job or work function?
40
41### False Positive Analysis
42
43- For any matches found, it's important to consider the initial release date of that indicator. Threat intelligence can be a great tool for augmenting existing security processes, while at the same time it should be understood that threat intelligence can represent a specific set of activity observed at a point in time. For example, an IP address may have hosted malware observed in a Dridex campaign months ago, but it's possible that IP has been remediated and no longer represents any threat.
44- Adversaries often use legitimate tools as network administrators such as `PsExec` or `AdFind`; these tools often find their way into indicator lists creating the potential for false positives.
45- It's possible after large and publicly written campaigns, curious employees might end up going directly to attacker infrastructure and triggering these rules.
46
47### Response and Remediation
48
49- If suspicious or malicious behavior is observed, take immediate action to isolate activity to prevent further post-compromise behavior.
50- One example of a response if a machine matched a command and control IP address would be to add an entry to a network device such as a firewall or proxy appliance to prevent any outbound activity from leaving that machine.
51- Another example of a response with a malicious file hash match would involve validating if the file was properly quarantined, reviewing current running processes for any abnormal activity, and investigating for any other follow-up actions such as persistence or lateral movement.
52
53## Setup
54
55This rule was deprecated in the 8.8 version of the Elastic Stack for performance reasons. Users using 8.8+ versions should disable this rule and enable indicator-based rules instead:
56
57* Threat Intel IP Address Indicator Match - 0c41e478-5263-4c69-8f9e-7dfd2c22da64
58* Threat Intel Hash Indicator Match - aab184d3-72b3-4639-b242-6597c99d8bca
59* Threat Intel Windows Registry Indicator Match - a61809f3-fb5b-465c-8bff-23a8a068ac60
60* Threat Intel URL Indicator Match - f3e22c8b-ea47-45d1-b502-b57b6de950b3
61"""
62references = ["https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html"]
63risk_score = 99
64rule_id = "699e9fdb-b77c-4c01-995c-1c15019b9c43"
65severity = "critical"
66tags = ["OS: Windows", "Data Source: Elastic Endgame", "Resources: Investigation Guide"]
67threat_index = ["filebeat-8*"]
68threat_indicator_path = "threat.indicator"
69threat_language = "kuery"
70threat_query = """
71@timestamp >= "now-30d/d" and event.module:threatintel and (threat.indicator.file.hash.*:* or
72threat.indicator.file.pe.imphash:* or threat.indicator.ip:* or threat.indicator.registry.path:* or
73threat.indicator.url.full:*)
74"""
75timeline_id = "495ad7a7-316e-4544-8a0f-9c098daee76e"
76timeline_title = "Generic Threat Match Timeline"
77type = "threat_match"
78
79query = '''
80file.hash.*:* or file.pe.imphash:* or source.ip:* or destination.ip:* or url.full:* or registry.path:*
81'''
82
83
84[[rule.threat_filters]]
85
86[rule.threat_filters."$state"]
87store = "appState"
88[rule.threat_filters.meta]
89disabled = false
90key = "event.module"
91negate = false
92type = "phrase"
93[rule.threat_filters.meta.params]
94query = "threatintel"
95[rule.threat_filters.query.match_phrase]
96"event.module" = "threatintel"
97[[rule.threat_filters]]
98
99[rule.threat_filters."$state"]
100store = "appState"
101[rule.threat_filters.meta]
102disabled = false
103key = "event.category"
104negate = false
105type = "phrase"
106[rule.threat_filters.meta.params]
107query = "threat"
108[rule.threat_filters.query.match_phrase]
109"event.category" = "threat"
110[[rule.threat_filters]]
111
112[rule.threat_filters."$state"]
113store = "appState"
114[rule.threat_filters.meta]
115disabled = false
116key = "event.kind"
117negate = false
118type = "phrase"
119[rule.threat_filters.meta.params]
120query = "enrichment"
121[rule.threat_filters.query.match_phrase]
122"event.kind" = "enrichment"
123[[rule.threat_filters]]
124
125[rule.threat_filters."$state"]
126store = "appState"
127[rule.threat_filters.meta]
128disabled = false
129key = "event.type"
130negate = false
131type = "phrase"
132[rule.threat_filters.meta.params]
133query = "indicator"
134[rule.threat_filters.query.match_phrase]
135"event.type" = "indicator"
136[[rule.threat_mapping]]
137
138[[rule.threat_mapping.entries]]
139field = "file.hash.md5"
140type = "mapping"
141value = "threat.indicator.file.hash.md5"
142
143[[rule.threat_mapping]]
144
145[[rule.threat_mapping.entries]]
146field = "file.hash.sha1"
147type = "mapping"
148value = "threat.indicator.file.hash.sha1"
149
150[[rule.threat_mapping]]
151
152[[rule.threat_mapping.entries]]
153field = "file.hash.sha256"
154type = "mapping"
155value = "threat.indicator.file.hash.sha256"
156
157[[rule.threat_mapping]]
158
159[[rule.threat_mapping.entries]]
160field = "file.pe.imphash"
161type = "mapping"
162value = "threat.indicator.file.pe.imphash"
163
164[[rule.threat_mapping]]
165
166[[rule.threat_mapping.entries]]
167field = "source.ip"
168type = "mapping"
169value = "threat.indicator.ip"
170
171[[rule.threat_mapping]]
172
173[[rule.threat_mapping.entries]]
174field = "destination.ip"
175type = "mapping"
176value = "threat.indicator.ip"
177
178[[rule.threat_mapping]]
179
180[[rule.threat_mapping.entries]]
181field = "url.full"
182type = "mapping"
183value = "threat.indicator.url.full"
184
185[[rule.threat_mapping]]
186
187[[rule.threat_mapping.entries]]
188field = "registry.path"
189type = "mapping"
190value = "threat.indicator.registry.path"
Triage and Analysis
Investigating Threat Intel Indicator Matches
Threat Intel indicator match rules allow matching from a local observation such as an endpoint event that records a file hash with an entry of a file hash stored within the Threat Intel integrations. Matches can also occur on an IP address, registry path, URL, or imphash.
The matches will be based on the incoming last 30 days feed data so it's important to validate the data and review the results by investigating the associated activity to determine if it requires further investigation.
If an indicator matches a local observation, the following enriched fields will be generated to identify the indicator, field, and type matched.
threat.indicator.matched.atomic
- this identifies the atomic indicator that matched the local observationthreat.indicator.matched.field
- this identifies the indicator field that matched the local observationthreat.indicator.matched.type
- this identifies the indicator type that matched the local observation
Possible investigation steps
- Investigation should be validated and reviewed based on the data (file hash, registry path, URL, imphash) that was matched and by viewing the source of that activity.
- Consider the history of the indicator that was matched. Has it happened before? Is it happening on multiple machines? These kinds of questions can help understand if the activity is related to legitimate behavior.
- Consider the user and their role within the company: is this something related to their job or work function?
False Positive Analysis
- For any matches found, it's important to consider the initial release date of that indicator. Threat intelligence can be a great tool for augmenting existing security processes, while at the same time it should be understood that threat intelligence can represent a specific set of activity observed at a point in time. For example, an IP address may have hosted malware observed in a Dridex campaign months ago, but it's possible that IP has been remediated and no longer represents any threat.
- Adversaries often use legitimate tools as network administrators such as
PsExec
orAdFind
; these tools often find their way into indicator lists creating the potential for false positives. - It's possible after large and publicly written campaigns, curious employees might end up going directly to attacker infrastructure and triggering these rules.
Response and Remediation
- If suspicious or malicious behavior is observed, take immediate action to isolate activity to prevent further post-compromise behavior.
- One example of a response if a machine matched a command and control IP address would be to add an entry to a network device such as a firewall or proxy appliance to prevent any outbound activity from leaving that machine.
- Another example of a response with a malicious file hash match would involve validating if the file was properly quarantined, reviewing current running processes for any abnormal activity, and investigating for any other follow-up actions such as persistence or lateral movement.
Setup
This rule was deprecated in the 8.8 version of the Elastic Stack for performance reasons. Users using 8.8+ versions should disable this rule and enable indicator-based rules instead:
- Threat Intel IP Address Indicator Match - 0c41e478-5263-4c69-8f9e-7dfd2c22da64
- Threat Intel Hash Indicator Match - aab184d3-72b3-4639-b242-6597c99d8bca
- Threat Intel Windows Registry Indicator Match - a61809f3-fb5b-465c-8bff-23a8a068ac60
- Threat Intel URL Indicator Match - f3e22c8b-ea47-45d1-b502-b57b6de950b3