Add rules for integration-v0.14.3 (#1331) (#1344)

* Add rules for integration-v0.14.3

* add summary note

* fix link

* fix file name

* remove duplicated links caused by a deprecation/rename

* update date and summary description

(cherry picked from commit d07ae02)

Co-authored-by: Justin Ibarra <[email protected]>

Author: mergify[bot]

docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-account-password-reset-remotely.asciidoc

@@ -0,0 +1,70 @@
+[[prebuilt-rule-0-14-3-account-password-reset-remotely]]
+=== Account Password Reset Remotely
+
+Identifies an attempt to reset an account password remotely. Adversaries may manipulate account passwords to maintain access or evade password duration policies and preserve compromised credentials.
+
+*Rule type*: eql
+
+*Rule indices*: 
+
+* winlogbeat-*
+* logs-windows.*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*: 
+
+* https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4724
+* https://stealthbits.com/blog/manipulating-user-passwords-with-mimikatz/
+* https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Credential%20Access/remote_pwd_reset_rpc_mimikatz_postzerologon_target_DC.evtx
+
+*Tags*: 
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Persistence
+
+*Version*: 1
+
+*Rule authors*: 
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+sequence by host.id with maxspan=5m
+  [authentication where event.action == "logged-in" and
+    /* event 4624 need to be logged */
+    winlog.logon.type : "Network" and event.outcome == "success" and source.ip != null and
+    not source.ip in ("127.0.0.1", "::1")] by winlog.event_data.TargetLogonId
+   /* event 4724 need to be logged */
+  [iam where event.action == "reset-password"] by winlog.event_data.SubjectLogonId
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Persistence
+** ID: TA0003
+** Reference URL: https://attack.mitre.org/tactics/TA0003/
+* Technique:
+** Name: Account Manipulation
+** ID: T1098
+** Reference URL: https://attack.mitre.org/techniques/T1098/

docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-aws-efs-file-system-or-mount-deleted.asciidoc

@@ -0,0 +1,75 @@
+[[prebuilt-rule-0-14-3-aws-efs-file-system-or-mount-deleted]]
+=== AWS EFS File System or Mount Deleted
+
+Detects when a EFS File System or Mount is deleted. An adversary could break any file system using the mount target that is being deleted, which might disrupt instances or applications using those mounts. The mount must be deleted prior to deleting the File System, or the adversary will be unable to delete the File System.
+
+*Rule type*: query
+
+*Rule indices*: 
+
+* filebeat-*
+* logs-aws*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 10m
+
+*Searches indices from*: now-60m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*: 
+
+* https://docs.aws.amazon.com/efs/latest/ug/API_DeleteFileSystem.html
+* https://docs.aws.amazon.com/efs/latest/ug/API_DeleteMountTarget.html
+
+*Tags*: 
+
+* Elastic
+* Cloud
+* AWS
+* Continuous Monitoring
+* SecOps
+* Data Protection
+
+*Version*: 1
+
+*Rule authors*: 
+
+* Austin Songer
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+[source, markdown]
+----------------------------------
+## Config
+
+The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
+----------------------------------
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+event.dataset:aws.cloudtrail and event.provider:elasticfilesystem.amazonaws.com and 
+event.action:(DeleteMountTarget or DeleteFileSystem) and event.outcome:success
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Impact
+** ID: TA0040
+** Reference URL: https://attack.mitre.org/tactics/TA0040/
+* Technique:
+** Name: Data Destruction
+** ID: T1485
+** Reference URL: https://attack.mitre.org/techniques/T1485/

docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-aws-eventbridge-rule-disabled-or-deleted.asciidoc

@@ -0,0 +1,71 @@
+[[prebuilt-rule-0-14-3-aws-eventbridge-rule-disabled-or-deleted]]
+=== AWS EventBridge Rule Disabled or Deleted
+
+Identifies when a user has disabled or deleted an EventBridge rule. This activity can result in an unintended loss of visibility in applications or a break in the flow with other AWS services.
+
+*Rule type*: query
+
+*Rule indices*: 
+
+* filebeat-*
+* logs-aws*
+
+*Severity*: low
+
+*Risk score*: 21
+
+*Runs every*: 5m
+
+*Searches indices from*: now-20m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*: 
+
+* https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DeleteRule.html
+* https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DisableRule.html
+
+*Tags*: 
+
+* Elastic
+* Cloud
+* AWS
+* Continuous Monitoring
+* SecOps
+* Monitoring
+
+*Version*: 2
+
+*Rule authors*: 
+
+* Austin Songer
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+[source, markdown]
+----------------------------------
+## Config
+
+The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
+----------------------------------
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+event.dataset:aws.cloudtrail and event.provider:eventbridge.amazonaws.com and event.action:(DeleteRule or DisableRule) and 
+event.outcome:success
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Impact
+** ID: TA0040
+** Reference URL: https://attack.mitre.org/tactics/TA0040/

docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-aws-rds-snapshot-export.asciidoc

@@ -0,0 +1,69 @@
+[[prebuilt-rule-0-14-3-aws-rds-snapshot-export]]
+=== AWS RDS Snapshot Export
+
+Identifies the export of an Amazon Relational Database Service (RDS) Aurora database snapshot.
+
+*Rule type*: query
+
+*Rule indices*: 
+
+* filebeat-*
+* logs-aws*
+
+*Severity*: low
+
+*Risk score*: 21
+
+*Runs every*: 10m
+
+*Searches indices from*: now-60m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*: 
+
+* https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_StartExportTask.html
+
+*Tags*: 
+
+* Elastic
+* Cloud
+* AWS
+* Continuous Monitoring
+* SecOps
+* Asset Visibility
+
+*Version*: 3
+
+*Rule authors*: 
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+[source, markdown]
+----------------------------------
+## Config
+
+The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
+----------------------------------
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:StartExportTask and event.outcome:success
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Exfiltration
+** ID: TA0010
+** Reference URL: https://attack.mitre.org/tactics/TA0010/

docs/detections/prebuilt-rules/downloadable-packages/0-14-3/prebuilt-rule-0-14-3-aws-rds-snapshot-restored.asciidoc

@@ -0,0 +1,71 @@
+[[prebuilt-rule-0-14-3-aws-rds-snapshot-restored]]
+=== AWS RDS Snapshot Restored
+
+Identifies when an attempt was made to restore an RDS Snapshot. Snapshots are sometimes shared by threat actors in order to exfiltrate bulk data. If the permissions were modified, verify if the snapshot was shared with an unauthorized or unexpected AWS account.
+
+*Rule type*: query
+
+*Rule indices*: 
+
+* filebeat-*
+* logs-aws*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5m
+
+*Searches indices from*: None ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*: 
+
+* https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_RestoreDBInstanceFromDBSnapshot.html
+* https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/rds__explore_snapshots/main.py
+
+*Tags*: 
+
+* Elastic
+* Cloud
+* AWS
+* Continuous Monitoring
+* SecOps
+* Asset Visibility
+
+*Version*: 2
+
+*Rule authors*: 
+
+* Austin Songer
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+[source, markdown]
+----------------------------------
+## Config
+
+The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
+----------------------------------
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:RestoreDBInstanceFromDBSnapshot and
+event.outcome:success
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Exfiltration
+** ID: TA0010
+** Reference URL: https://attack.mitre.org/tactics/TA0010/