[New Rule] Azure Network Watcher Deletion #232

Merged
merged 2 commits into from
Sep 4, 2020

Conversation

bm11100
Contributor

@bm11100 bm11100 commented Aug 31, 2020

Issue(s)

resolves #197

Description

Identifies the deletion of a Network Watcher in Azure. Network Watchers are used to monitor, diagnose, view metrics, and enable or disable logs for resources in an Azure virtual network. An adversary may delete a Network Watcher in an attempt to evade defenses.

Checklists

Use strikethroughs to remove items which are not applicable to this issue.

For submitter

  • Verify all query fields co-exist in a single event source (beats) or annotated otherwise
    -- Query field process.name.text doesn't currently exist in endgame-eventing data, but does exist for winlogbeats, and is case insensitive.
  • Verify all query fields co-exist within a single ECS version and annotated the minimum version
    -- 1.4.0
  • Verified the query detects the intended event(s)
    • detonate
    • search in discover
    • trigger as a custom signal
  • Create rule using create-rule
  • Verify and convert to standard linting (toml-lint -f <rule-file>)
  • Run tests using pytest -x -v unit_tests or make test
  • Internal search to determine noise and FP

For reviewers

  • Verify existing rule for activity doesn't exist as a siem or endpoint rule (unless intentionally specified in issue)
  • Verify all query fields co-exist in a single event source (*beats) or annotated otherwise
  • Verify all query fields co-exist within a single ECS version and annotated the minimum version
  • Internal search to determine noise and FP
  • Verify metadata accuracy and spelling

@bm11100 bm11100 added labels v7.10.0, Integration: AWS (AWS related rules), Domain: Cloud, Rule: New (Proposal for new rule) Aug 31, 2020
@bm11100 bm11100 self-assigned this Aug 31, 2020
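The detection described in the PR, as an added illustration rather than the rule's own query or any code from the detection-rules project: it walks ECS-shaped Azure activity-log documents and flags only a successfully completed Network Watcher delete operation, ignoring the Start and failure records Azure emits for the same request. The field names (event.dataset, event.outcome, user.name, azure.activitylogs.operation_name, azure.resource.id) are assumed to follow the Filebeat azure module's ECS mapping, and every sample event is constructed.

```python
"""Flag successful Azure Network Watcher deletions in ECS-shaped activity-log events.

Added illustration, not the detection-rules project's query. Field names assume
the Filebeat azure module's ECS mapping; the sample events below are constructed.
"""
from dataclasses import dataclass
from typing import Any, Iterable, List, Mapping, Optional, Tuple

# Azure RBAC operation that removes a Network Watcher. Activity-log records
# usually upper-case it, so comparisons below are case-insensitive.
NETWORK_WATCHER_DELETE = "microsoft.network/networkwatchers/delete"


@dataclass(frozen=True)
class Finding:
    timestamp: str
    actor: str
    resource_group: str
    resource: str


def _get(event: Mapping[str, Any], path: str) -> Optional[Any]:
    """Walk a dotted field path through a nested ECS document; None if absent."""
    cur: Any = event
    for part in path.split("."):
        if not isinstance(cur, Mapping) or part not in cur:
            return None
        cur = cur[part]
    return cur


def parse_resource_id(resource_id: str) -> Tuple[str, str]:
    """Return (resource group, resource name) from an ARM resource id such as
    /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Network/networkWatchers/<name>.
    Segment names match case-insensitively; ("", "") for an empty id, "" for a missing group."""
    parts = [p for p in resource_id.split("/") if p]
    if not parts:
        return "", ""
    lowered = [p.lower() for p in parts]
    group = ""
    if "resourcegroups" in lowered:
        idx = lowered.index("resourcegroups")
        if idx + 1 < len(parts):
            group = parts[idx + 1]
    return group, parts[-1]


def is_watcher_deletion(event: Mapping[str, Any]) -> bool:
    """Detection predicate. Azure writes separate Start / Succeeded / Failed
    records for one request; only the successful record shows the watcher is
    gone, so Start and failure records are deliberately ignored."""
    if _get(event, "event.dataset") != "azure.activitylogs":
        return False
    operation = str(_get(event, "azure.activitylogs.operation_name") or "")
    if operation.lower() != NETWORK_WATCHER_DELETE:
        return False
    return str(_get(event, "event.outcome") or "").lower() == "success"


def find_watcher_deletions(events: Iterable[Mapping[str, Any]]) -> List[Finding]:
    """Run the predicate over a stream of events and summarise each hit."""
    findings: List[Finding] = []
    for event in events:
        if not is_watcher_deletion(event):
            continue
        group, name = parse_resource_id(str(_get(event, "azure.resource.id") or ""))
        findings.append(Finding(
            timestamp=str(_get(event, "@timestamp") or ""),
            actor=str(_get(event, "user.name") or "unknown"),
            resource_group=group,
            resource=name,
        ))
    return findings


def _azure_event(ts, operation, outcome, resource_id,
                 user="alice@example.com", dataset="azure.activitylogs"):
    """Build one constructed ECS-style activity-log document."""
    return {
        "@timestamp": ts,
        "event": {"dataset": dataset, "outcome": outcome},
        "user": {"name": user},
        "azure": {"activitylogs": {"operation_name": operation},
                  "resource": {"id": resource_id}},
    }


WATCHER_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
              "NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_eastus")

# Constructed sample: one completed deletion surrounded by records that must not alert.
SAMPLE_EVENTS = [
    # Start record of the delete request: no proof of deletion yet.
    _azure_event("2020-08-31T14:02:09Z", "MICROSOFT.NETWORK/NETWORKWATCHERS/DELETE", "unknown", WATCHER_ID),
    # Completed deletion: the one record that should alert.
    _azure_event("2020-08-31T14:02:11Z", "MICROSOFT.NETWORK/NETWORKWATCHERS/DELETE", "success", WATCHER_ID),
    # Denied attempt by another principal: failed, so nothing was removed.
    _azure_event("2020-08-31T14:05:40Z", "MICROSOFT.NETWORK/NETWORKWATCHERS/DELETE", "failure", WATCHER_ID,
                 user="bob@example.com"),
    # Routine write to the same watcher: not a deletion.
    _azure_event("2020-08-31T14:06:02Z", "MICROSOFT.NETWORK/NETWORKWATCHERS/WRITE", "success", WATCHER_ID),
    # Same operation string in an unrelated dataset: out of scope for this detection.
    _azure_event("2020-08-31T14:07:15Z", "MICROSOFT.NETWORK/NETWORKWATCHERS/DELETE", "success", WATCHER_ID,
                 dataset="aws.cloudtrail"),
]

if __name__ == "__main__":
    for hit in find_watcher_deletions(SAMPLE_EVENTS):
        print(f"{hit.timestamp} {hit.actor} deleted Network Watcher "
              f"{hit.resource} in resource group {hit.resource_group}")
```

Matching the operation name case-insensitively matters because the activity log upper-cases it while the RBAC action is documented in mixed case; requiring a successful outcome keeps the Start record of the same request from producing a second, earlier alert.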
Contributor

@brokensound77 brokensound77 left a comment

LGTM 👍

@bm11100 bm11100 requested a review from Samirbous September 2, 2020 14:33