Rapid7 Threat Command CVEs Correlation
This rule is triggered when CVEs collected from the Rapid7 Threat Command Integration have a match against vulnerabilities that were found in the customer environment.
Elastic rule (View on GitHub)
```toml
[metadata]
creation_date = "2024/05/29"
integration = ["ti_rapid7_threat_command"]
maturity = "production"
updated_date = "2025/03/21"

[rule]
author = ["Elastic"]
description = """
This rule is triggered when CVEs collected from the Rapid7 Threat Command Integration have a match against
vulnerabilities that were found in the customer environment.
"""
from = "now-35m"
index = ["auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "packetbeat-*", "winlogbeat-*"]
interval = "30m"
language = "kuery"
license = "Elastic License v2"
max_signals = 1000
name = "Rapid7 Threat Command CVEs Correlation"
note = """## Triage and analysis

### Investigating Rapid7 Threat Command CVEs Correlation

The Rapid7 Threat Command CVEs Correlation rule matches CVEs found in user indices against the vulnerabilities collected by the Rapid7 Threat Command integration.

The matches are based on the latest values of CVEs from the last 180 days, so it is essential to validate the data and review the results by investigating the associated activity to determine whether it requires further investigation.

If a vulnerability matches a local observation, the following enriched fields are generated to identify the vulnerability, field, and type matched.

- `threat.indicator.matched.atomic` - this identifies the atomic vulnerability that matched the local observation
- `threat.indicator.matched.field` - this identifies the vulnerability field that matched the local observation
- `threat.indicator.matched.type` - this identifies the vulnerability type that matched the local observation

Additional investigation can be done by reviewing the source of the activity and considering the history of the vulnerability that was matched. This can help determine whether the activity is related to legitimate behavior.

- Investigation can be validated and reviewed based on the data that was matched and by viewing the source of that activity.
- Consider the history of the vulnerability that was matched. Has it happened before? Is it happening on multiple machines? These kinds of questions can help determine whether the activity is related to legitimate behavior.
- Consider the user and their role within the company: is this something related to their job or work function?
"""
references = [
    "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html",
    "https://docs.elastic.co/integrations/ti_rapid7_threat_command",
]
risk_score = 99
rule_id = "3a657da0-1df2-11ef-a327-f661ea17fbcc"
setup = """
## Setup

This rule needs threat intelligence indicators to work.
Threat intelligence indicators can be collected using an [Elastic Agent integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#agent-ti-integration),
the [Threat Intel module](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#ti-mod-integration),
or a [custom integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#custom-ti-integration).

More information can be found [here](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html).

### Additional notes

For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).
"""
severity = "critical"
tags = [
    "OS: Windows",
    "Data Source: Elastic Endgame",
    "Data Source: Windows",
    "Data Source: Network",
    "Data Source: Rapid7 Threat Command",
    "Rule Type: Threat Match",
    "Resources: Investigation Guide",
    "Use Case: Vulnerability",
    "Use Case: Asset Visibility",
    "Use Case: Continuous Monitoring",
]
threat_index = ["logs-ti_rapid7_threat_command_latest.vulnerability"]
threat_indicator_path = "rapid7.tc.vulnerability"
threat_language = "kuery"
timestamp_override = "event.ingested"
type = "threat_match"

query = '''
vulnerability.id : *
'''

threat_query = '''
@timestamp >= "now-30d/d" and vulnerability.id : * and event.module: ti_rapid7_threat_command
'''

[[rule.filters]]

[rule.filters."$state"]
store = "appState"
[rule.filters.meta]
disabled = false
key = "rapid7.tc.vulnerability.id"
negate = true
type = "exists"
[rule.filters.query.exists]
field = "rapid7.tc.vulnerability.id"
[[rule.threat_mapping]]

[[rule.threat_mapping.entries]]
field = "vulnerability.id"
type = "mapping"
value = "vulnerability.id"
```
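The following Python script is an added example, not part of the Elastic rule or the Rapid7 integration. It reproduces the matching logic the rule definition above describes, so an analyst can see why each piece is there: the source `query` keeps only documents that carry `vulnerability.id`; the negated `exists` filter on `rapid7.tc.vulnerability.id` drops the threat-intel documents themselves (the `threat_index` falls under the `logs-*` source pattern, so without the filter an indicator would match itself); the `threat_query` keeps indicators from the last 30 days (`now-30d/d` rounds down to the start of the day) whose `event.module` is `ti_rapid7_threat_command`; and the `threat_mapping` joins the two sides on `vulnerability.id`. All documents, CVE identifiers (`CVE-EXAMPLE-*` placeholders) and the indicator `type` value are constructed for this example; the exact source field the rule engine copies into `threat.indicator.matched.type` is an assumption here.

```python
from datetime import datetime, timedelta, timezone

# Constructed, fixed reference time so the example is deterministic.
NOW = datetime(2025, 3, 21, 14, 30, tzinfo=timezone.utc)
THREAT_WINDOW = timedelta(days=30)  # from threat_query: @timestamp >= "now-30d/d"
THREAT_MODULE = "ti_rapid7_threat_command"
INDICATOR_PATH = "rapid7.tc.vulnerability"  # threat_indicator_path in the rule
MAPPING_FIELD = "vulnerability.id"  # threat_mapping field and value


def ti_doc(days_ago, cve, module=THREAT_MODULE):
    """Build a constructed threat-intel document shaped like the threat_index."""
    return {
        "@timestamp": NOW - timedelta(days=days_ago),
        "event": {"module": module},
        "vulnerability": {"id": cve},
        # Indicator object under threat_indicator_path; "type" is an assumed field.
        "rapid7": {"tc": {"vulnerability": {"id": cve, "type": "vulnerability"}}},
    }


# Constructed indicators: one in the window, one too old, one from another module.
THREAT_DOCS = [
    ti_doc(3, "CVE-EXAMPLE-0001"),
    ti_doc(45, "CVE-EXAMPLE-0002"),
    ti_doc(1, "CVE-EXAMPLE-0003", module="other_feed"),
]

# Constructed source documents from the rule's index patterns (logs-*, etc.).
SOURCE_DOCS = [
    {"host": {"name": "srv-01"}, "vulnerability": {"id": "CVE-EXAMPLE-0001"}},
    {"host": {"name": "srv-02"}, "vulnerability": {"id": "CVE-EXAMPLE-0002"}},
    {"host": {"name": "srv-03"}, "vulnerability": {"id": "CVE-EXAMPLE-0003"}},
    {"host": {"name": "srv-04"}},  # no vulnerability.id: excluded by the query
    # The TI index itself matches "logs-*", so its documents show up as source
    # documents too; the negated exists filter must drop them.
    ti_doc(3, "CVE-EXAMPLE-0001"),
]


def get_path(doc, path):
    """Resolve a dotted ECS-style path in a nested dict; None if absent."""
    cur = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def source_matches(doc):
    """query `vulnerability.id : *` plus the negated `exists` filter."""
    return (get_path(doc, MAPPING_FIELD) is not None
            and get_path(doc, INDICATOR_PATH + ".id") is None)


def threat_matches(doc, now=NOW):
    """threat_query: recent, has vulnerability.id, from the Rapid7 TC module."""
    window_start = (now - THREAT_WINDOW).replace(hour=0, minute=0, second=0, microsecond=0)
    return (doc["@timestamp"] >= window_start
            and get_path(doc, MAPPING_FIELD) is not None
            and get_path(doc, "event.module") == THREAT_MODULE)


def correlate(source_docs, threat_docs, now=NOW):
    """Join source documents to indicators on vulnerability.id and enrich."""
    indicators = {}
    for t in threat_docs:
        if threat_matches(t, now):
            # Latest document per CVE wins, mirroring a *_latest index.
            indicators[get_path(t, MAPPING_FIELD)] = get_path(t, INDICATOR_PATH)
    alerts = []
    for s in source_docs:
        if not source_matches(s):
            continue
        cve = get_path(s, MAPPING_FIELD)
        indicator = indicators.get(cve)
        if indicator is None:
            continue
        alerts.append({
            "host.name": get_path(s, "host.name"),
            "threat.indicator.matched.atomic": cve,
            "threat.indicator.matched.field": MAPPING_FIELD,
            "threat.indicator.matched.type": indicator.get("type"),
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SOURCE_DOCS, THREAT_DOCS):
        print(alert)
```

Only `srv-01` produces an alert: `srv-02` matches an indicator older than the 30-day window, `srv-03` matches one from a different module, `srv-04` has no `vulnerability.id`, and the copy of the threat-intel document is removed by the negated `exists` filter before it can match itself. The same structure explains the triage note's advice to check whether a match recurs across machines: each source document that carries the CVE yields its own alert, bounded by `max_signals`.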
Related rules
- Microsoft Exchange Server UM Spawning Suspicious Processes
- Microsoft Exchange Server UM Writing Suspicious Files
- Persistence via Update Orchestrator Service Hijack
- Potential File Download via a Headless Browser
- Suspicious JetBrains TeamCity Child Process