custom_subsets/elastic_endpoint/alerts/rule_detection_event.yaml (451 lines of code) (raw):
---
name: rule_detection_event
fields:
# these fields are needed in the mapping so the maps page of the security app does not throw a bunch of errors
source:
fields:
geo:
fields: "*"
destination:
fields:
geo:
fields: "*"
base:
fields:
"@timestamp": {}
"message": {}
"Events": {}
process:
fields:
pid: {}
name: {}
executable: {}
entity_id: {}
command_line: {}
Ext:
fields:
ancestry: {}
api:
fields:
name: {}
summary: {}
behaviors: {}
parameters:
fields:
app_name: {}
content_name: {}
created_suspended: {}
token:
fields:
integrity_level_name: {}
protection: {}
code_signature:
fields:
exists: {}
status: {}
subject_name: {}
trusted: {}
code_signature:
fields:
exists: {}
status: {}
subject_name: {}
trusted: {}
thread:
fields:
id: {}
Ext:
fields:
call_stack_final_hook_module:
fields:
path: {}
code_signature:
fields:
exists: {}
status: {}
subject_name: {}
trusted: {}
hash:
fields:
sha256: {}
call_stack_final_user_module:
fields:
name: {}
path: {}
code_signature:
fields:
exists: {}
status: {}
subject_name: {}
trusted: {}
hash:
fields:
sha256: {}
call_stack_summary: {}
threat:
fields:
enrichments:
fields:
indicator:
fields:
file:
fields:
code_signature:
fields:
exists: {}
signing_id: {}
status: {}
subject_name: {}
team_id: {}
trusted: {}
valid: {}
accessed: {}
attributes: {}
created: {}
ctime: {}
device: {}
directory: {}
drive_letter: {}
elf:
fields: "*"
extension: {}
gid: {}
group: {}
hash:
fields:
md5: {}
sha1: {}
sha256: {}
sha512: {}
ssdeep: {}
inode: {}
mime_type: {}
mode: {}
mtime: {}
name: {}
owner: {}
path: {}
pe:
fields:
architecture: {}
company: {}
description: {}
file_version: {}
imphash: {}
original_file_name: {}
product: {}
size: {}
target_path: {}
type: {}
uid: {}
Ext:
fields:
code_signature:
fields:
exists: {}
status: {}
subject_name: {}
trusted: {}
valid: {}
device:
fields:
bus_type: {}
dos_name: {}
nt_name: {}
product_id: {}
serial_number: {}
vendor_id: {}
entropy: {}
entry_modified: {}
header_bytes: {}
header_data: {}
malware_classification:
fields:
features:
fields:
data:
fields:
buffer: {}
decompressed_size: {}
encoding: {}
identifier: {}
score: {}
threshold: {}
upx_packed: {}
version: {}
malware_signature:
fields:
all_names: {}
identifier: {}
primary:
fields:
matches: {}
signature:
fields:
hash:
fields:
sha256: {}
id: {}
name: {}
secondary: {}
version: {}
monotonic_id: {}
original:
fields:
gid: {}
group: {}
mode: {}
name: {}
owner: {}
path: {}
uid: {}
quarantine_message: {}
quarantine_path: {}
quarantine_result: {}
temp_file_path: {}
windows:
fields:
zone_identifier: {}
first_seen: {}
last_seen: {}
geo:
fields:
city_name: {}
continent_code: {}
continent_name: {}
country_iso_code: {}
country_name: {}
location: {}
name: {}
postal_code: {}
region_iso_code: {}
region_name: {}
timezone: {}
ip: {}
marking:
fields:
tlp: {}
modified_at: {}
port: {}
provider: {}
reference: {}
registry:
fields:
data:
fields:
bytes: {}
strings: {}
type: {}
hive: {}
key: {}
path: {}
value: {}
scanner_stats: {}
sightings: {}
type: {}
url:
fields:
domain: {}
extension: {}
fragment: {}
full: {}
original: {}
password: {}
path: {}
port: {}
query: {}
registered_domain: {}
scheme: {}
subdomain: {}
top_level_domain: {}
username: {}
x509:
fields: "*"
matched:
fields:
atomic: {}
field: {}
id: {}
index: {}
type: {}
framework: {}
group:
fields: "*"
indicator:
fields:
as:
fields:
number: {}
organization:
fields:
name: {}
confidence: {}
description: {}
email:
fields:
address: {}
file:
fields:
Ext:
fields:
code_signature:
fields:
exists: {}
status: {}
subject_name: {}
trusted: {}
valid: {}
device:
fields:
bus_type: {}
dos_name: {}
nt_name: {}
product_id: {}
serial_number: {}
vendor_id: {}
entropy: {}
entry_modified: {}
header_bytes: {}
header_data: {}
malware_classification:
fields:
features:
fields:
data:
fields:
buffer: {}
decompressed_size: {}
encoding: {}
identifier: {}
score: {}
threshold: {}
upx_packed: {}
version: {}
malware_signature:
fields:
all_names: {}
identifier: {}
primary:
fields:
matches: {}
signature:
fields:
hash:
fields:
sha256: {}
id: {}
name: {}
secondary: {}
version: {}
monotonic_id: {}
original:
fields:
gid: {}
group: {}
mode: {}
name: {}
owner: {}
path: {}
uid: {}
quarantine_message: {}
quarantine_path: {}
quarantine_result: {}
temp_file_path: {}
windows:
fields:
zone_identifier: {}
accessed: {}
attributes: {}
code_signature:
fields:
exists: {}
signing_id: {}
status: {}
subject_name: {}
team_id: {}
trusted: {}
valid: {}
created: {}
ctime: {}
device: {}
directory: {}
drive_letter: {}
elf:
fields: "*"
extension: {}
gid: {}
group: {}
hash:
fields:
md5: {}
sha1: {}
sha256: {}
sha512: {}
ssdeep: {}
inode: {}
mime_type: {}
mode: {}
mtime: {}
name: {}
owner: {}
path: {}
pe:
fields:
architecture: {}
company: {}
description: {}
file_version: {}
imphash: {}
original_file_name: {}
product: {}
size: {}
target_path: {}
type: {}
uid: {}
first_seen: {}
geo:
fields: "*"
ip: {}
last_seen: {}
marking:
fields:
tlp: {}
modified_at: {}
port: {}
provider: {}
reference: {}
registry:
fields: "*"
scanner_stats: {}
sightings: {}
type: {}
url:
fields:
domain: {}
extension: {}
fragment: {}
full: {}
original: {}
password: {}
path: {}
port: {}
query: {}
registered_domain: {}
scheme: {}
subdomain: {}
top_level_domain: {}
username: {}
x509:
fields: "*"
software:
fields:
id: {}
name: {}
platforms: {}
reference: {}
type: {}
tactic:
fields: "*"
technique:
fields: "*"
Responses:
fields: "*"