fix[backend](rules): fixed rules definitions

Author: AlexSanchez-bit

rules/SIGMA_DELTA_REPORT.md

@@ -1,38 +1,39 @@
-- id: 1004
-  dataTypes:
-    - antivirus-bitdefender-gz
-  name: Antivirus Service Stopped or Disabled
-  impact:
-    confidentiality: 2
-    integrity: 3
-    availability: 3
-  category: System
-  technique: "T1562.001 - Impair Defenses: Disable or Modify Tools"
-  adversary: origin
-  references:
-    - https://www.bitdefender.com/business/support/en/77212-237089-event-types.html
-    - https://attack.mitre.org/techniques/T1562/001/
-  description: |
-    Detects when the Bitdefender antivirus service or critical security modules are stopped, disabled, or experiencing failures. This is a critical security event that could indicate malicious tampering or system issues.
-    
-    Next Steps:
-    - Verify if the service was intentionally stopped by authorized personnel
-    - Check system logs for any errors or crashes that may have caused the service to stop
-    - Look for signs of malware or unauthorized access attempts around the time of the event
-    - Review recent system changes or updates that might have affected the antivirus service
-    - If tampering is suspected, isolate the affected system and perform a forensic analysis
-    - Restart the Bitdefender service and ensure all modules are functioning properly
-    - Monitor for recurring issues that might indicate persistent threats
-  where: >
-    (safe(log.eventType, "") == "modules" || 
-     safe(log.eventType, "") == "Product ModulesStatus" ||
-     safe(log.eventType, "") == "registration") &&
-    (safe(log.severity, "") in ["high", "5"] ||
-     safe(log.product, "").contains("disabled") ||
-     safe(log.product, "").contains("stopped") ||
-     safe(log.restData, "").contains("module") && safe(log.restData, "").contains("stopped") ||
-     safe(log.restData, "").contains("module") && safe(log.restData, "").contains("disabled") ||
-     safe(log.restData, "").contains("av") && safe(log.restData, "").contains("failure"))
-  deduplicateBy:
-    - lastEvent.log.hostId
-    - lastEvent.log.eventType
+# Rule version v1.0.0
+
+dataTypes:
+  - antivirus-bitdefender-gz
+name: Antivirus Service Stopped or Disabled
+impact:
+  confidentiality: 2
+  integrity: 3
+  availability: 3
+category: Defense Evasion
+technique: "T1562.001 - Impair Defenses: Disable or Modify Tools"
+adversary: origin
+references:
+  - https://www.bitdefender.com/business/support/en/77212-237089-event-types.html
+  - https://attack.mitre.org/techniques/T1562/001/
+description: |
+  Detects when the Bitdefender antivirus service or critical security modules are stopped, disabled, or experiencing failures. This is a critical security event that could indicate malicious tampering or system issues.
+
+  Next Steps:
+  - Verify if the service was intentionally stopped by authorized personnel
+  - Check system logs for any errors or crashes that may have caused the service to stop
+  - Look for signs of malware or unauthorized access attempts around the time of the event
+  - Review recent system changes or updates that might have affected the antivirus service
+  - If tampering is suspected, isolate the affected system and perform a forensic analysis
+  - Restart the Bitdefender service and ensure all modules are functioning properly
+  - Monitor for recurring issues that might indicate persistent threats
+where: |
+  (equals("log.eventType", "modules") ||
+   equals("log.eventType", "Product ModulesStatus") ||
+   equals("log.eventType", "registration")) &&
+  (oneOf("log.severity", ["high", "5"]) ||
+   contains("log.product", "disabled") ||
+   contains("log.product", "stopped") ||
+   (contains("log.restData", "module") && contains("log.restData", "stopped")) ||
+   (contains("log.restData", "module") && contains("log.restData", "disabled")) ||
+   (contains("log.restData", "av") && contains("log.restData", "failure")))
+groupBy:
+  - lastEvent.log.eventType
+  - lastEvent.log.hostId

rules/antivirus/bitdefender_gz/antivirus_service_stopped.yml

@@ -1,54 +1,41 @@
-- id: 1013
-  dataTypes:
-    - antivirus-bitdefender-gz
-  name: Advanced Persistent Threat (APT) Detection
-  impact:
-    confidentiality: 3
-    integrity: 3
-    availability: 2
-  category: Intrusion
-  technique: "TA0011 - Command and Control"
-  adversary: origin
-  references:
-    - https://www.bitdefender.com/business/support/en/77212-237089-event-types.html
-    - https://attack.mitre.org/tactics/TA0011/
-  description: |
-    Detects indicators of Advanced Persistent Threats including targeted attacks, sophisticated malware, and persistent threats detected by Bitdefender GravityZone's HyperDetect module.
-    
-    Next Steps:
-    - Investigate the affected endpoint to determine the scope of compromise
-    - Review process execution history and network connections from the affected system
-    - Check for lateral movement by examining authentication logs from the same source IP
-    - Isolate the affected system if active threat is confirmed
-    - Collect forensic artifacts including memory dumps and event logs
-    - Search for similar malware indicators across the environment
-    - Review user account activities for signs of credential compromise
-    - Contact security operations center if threat actors match known APT groups
-  where: |
-    safe(log.product, "") == "Bitdefender GravityZone" &&
-    safe(log.severity, 0) >= 8 &&
-    (
-      contains(lower(safe(log.eventType, "")), "apt") ||
-      contains(lower(safe(log.eventType, "")), "targeted") ||
-      contains(lower(safe(log.eventType, "")), "advanced") ||
-      contains(lower(safe(log.eventType, "")), "persistent") ||
-      contains(lower(safe(log.eventType, "")), "hyperdetect") ||
-      contains(lower(safe(log.restData, "")), "apt") ||
-      contains(lower(safe(log.restData, "")), "targeted attack") ||
-      contains(lower(safe(log.restData, "")), "advanced persistent") ||
-      contains(lower(safe(log.restData, "")), "lazarus") ||
-      contains(lower(safe(log.restData, "")), "equation") ||
-      contains(lower(safe(log.restData, "")), "sofacy") ||
-      contains(lower(safe(log.restData, "")), "cozy bear") ||
-      contains(lower(safe(log.restData, "")), "fancy bear") ||
-      contains(lower(safe(log.restData, "")), "panda") ||
-      contains(lower(safe(log.restData, "")), "kitten") ||
-      contains(lower(safe(log.restData, "")), "carbanak") ||
-      contains(lower(safe(log.restData, "")), "fin7") ||
-      contains(lower(safe(log.restData, "")), "fileless") ||
-      safe(log.signatureID, "") == "hyperdetect"
-    ) &&
-    safe(log.hostId, "") != ""
-  deduplicateBy:
-    - log.hostId
-    - log.eventType
+# Rule version v1.0.0
+
+dataTypes:
+  - antivirus-bitdefender-gz
+name: Advanced Persistent Threat (APT) Detection
+impact:
+  confidentiality: 3
+  integrity: 3
+  availability: 2
+category: Command and Control
+technique: "TA0011 - Application Layer Protocol"
+adversary: origin
+references:
+  - https://www.bitdefender.com/business/support/en/77212-237089-event-types.html
+  - https://attack.mitre.org/tactics/TA0011/
+description: |
+  Detects indicators of Advanced Persistent Threats including targeted attacks, sophisticated malware, and persistent threats detected by Bitdefender GravityZone's HyperDetect module.
+  
+  Next Steps:
+  - Investigate the affected endpoint to determine the scope of compromise
+  - Review process execution history and network connections from the affected system
+  - Check for lateral movement by examining authentication logs from the same source IP
+  - Isolate the affected system if active threat is confirmed
+  - Collect forensic artifacts including memory dumps and event logs
+  - Search for similar malware indicators across the environment
+  - Review user account activities for signs of credential compromise
+  - Contact security operations center if threat actors match known APT groups
+where: |
+  equals("log.product", "Bitdefender GravityZone") &&
+  greaterOrEqual("log.severity", 8) &&
+  (
+    contains("log.eventType", ["apt", "targeted", "advanced", "persistent", "hyperdetect"]) ||
+    contains("log.restData", ["apt", "targeted attack", "advanced persistent",
+      "lazarus", "equation", "sofacy", "cozy bear", "fancy bear",
+      "panda", "kitten", "carbanak", "fin7", "fileless"]) ||
+    equals("log.signatureID", "hyperdetect")
+  ) &&
+  exists("log.hostId")
+groupBy:
+  - lastEvent.log.eventType
+  - lastEvent.log.hostId

rules/antivirus/bitdefender_gz/apt_detection.yml

@@ -0,0 +1,42 @@
+# Rule version v1.0.0
+
+dataTypes:
+  - antivirus-bitdefender-gz
+name: Bitdefender Console Used for Lateral Movement
+impact:
+  confidentiality: 3
+  integrity: 3
+  availability: 3
+category: Lateral Movement
+technique: "T1072 - Software Deployment Tools"
+adversary: origin
+references:
+  - https://attack.mitre.org/techniques/T1072/
+  - https://www.bitdefender.com/business/support/en/77212-237089-event-types.html
+description: |
+  Detects when the Bitdefender GravityZone management console is potentially being used to push malicious policies, scripts, or tasks to managed endpoints, indicating a compromised admin account being leveraged for lateral movement.
+
+  Next Steps:
+  1. Review all recent task and policy deployments from the console
+  2. Identify the admin account used and verify its legitimacy
+  3. Check for unusual login patterns to the GravityZone console
+  4. Review the content of pushed policies for malicious configurations
+  5. Suspend the admin account if compromise is suspected
+  6. Audit all managed endpoints for signs of compromise
+where: |
+  (contains("log.message", ["remote task", "deploy", "push policy", "execute script"]) ||
+   (contains("log.message", "task") && contains("log.message", "created") &&
+    (contains("log.message", "scan") || contains("log.message", "install") ||
+     contains("log.message", "uninstall") || contains("log.message", "execute")))) &&
+  exists("log.severity")
+afterEvents:
+  - indexPattern: v11-log-antivirus-bitdefender-gz-*
+    with:
+      - field: log.hostId
+        operator: filter_term
+        value: '{{.log.hostId}}'
+    within: now-30m
+    count: 10
+groupBy:
+  - lastEvent.log.eventType
+  - lastEvent.log.hostId

rules/antivirus/bitdefender_gz/av_console_lateral_movement.yml

@@ -0,0 +1,43 @@
+# Rule version v1.0.0
+
+dataTypes:
+  - antivirus-bitdefender-gz
+name: Bitdefender AV Policy Weakened
+impact:
+  confidentiality: 3
+  integrity: 3
+  availability: 2
+category: Defense Evasion
+technique: "T1562.001 - Impair Defenses: Disable or Modify Tools"
+adversary: origin
+references:
+  - https://www.bitdefender.com/business/support/en/77212-237089-event-types.html
+  - https://attack.mitre.org/techniques/T1562/001/
+description: |
+  Detects when Bitdefender GravityZone antivirus policies are weakened by administrators, such as disabling real-time protection, reducing scan aggressiveness, or adding broad exclusions. This could indicate a compromised admin account or insider threat.
+
+  Next Steps:
+  1. Identify the administrator who modified the policy
+  2. Verify the policy change was authorized through change management
+  3. Review the specific settings that were weakened
+  4. Check for concurrent suspicious activity on managed endpoints
+  5. Restore the previous policy configuration if unauthorized
+  6. Review admin account access logs for compromise indicators
+where: |
+  (contains("log.message", ["policy", "configuration", "setting"]) &&
+   (contains("log.message", ["disabled", "weakened", "reduced", "lowered", "excluded"]) ||
+    (contains("log.message", "real-time") && contains("log.message", "off")) ||
+    (contains("log.message", "exclusion") && contains("log.message", "added")) ||
+    (contains("log.message", "protection") && contains("log.message", "disabled")))) &&
+  exists("log.severity")
+afterEvents:
+  - indexPattern: v11-log-antivirus-bitdefender-gz-*
+    with:
+      - field: log.hostId
+        operator: filter_term
+        value: '{{.log.hostId}}'
+    within: now-1h
+    count: 3
+groupBy:
+  - lastEvent.log.eventType
+  - lastEvent.log.hostId

rules/antivirus/bitdefender_gz/av_policy_override.yml

@@ -1,46 +1,39 @@
-- id: 1016
-  dataTypes:
-    - antivirus-bitdefender-gz
-  name: Bootkit/UEFI Threat Detection
-  impact:
-    confidentiality: 3
-    integrity: 3
-    availability: 3
-  category: Malware
-  technique: "T1542.001 - Boot or Logon Autostart Execution: System Firmware"
-  adversary: origin
-  references:
-    - https://attack.mitre.org/techniques/T1542/001/
-    - https://www.bitdefender.com/business/support/en/77209-135324-event-types.html
-  description: |
-    Detects bootkit or UEFI-level threats that attempt to persist at the firmware level and compromise the boot process. These threats can survive system reinstalls and bypass traditional security measures by infecting the system firmware.
-    
-    Next Steps:
-    - Isolate the affected system immediately to prevent spread
-    - Review system boot logs and firmware settings for modifications
-    - Check for other malware detections on the same host in the past 24-48 hours
-    - Verify system integrity using offline scanning tools
-    - Consider reimaging the system and updating firmware/UEFI
-    - Enable Secure Boot if not already enabled
-    - Review user activity and recently installed software on the affected system
-    - Document the infection for incident response reporting
-    - Check if other systems with similar hardware/firmware versions are affected
-  where: |
-    safe(log.eventType, "") == "av" &&
-    safe(log.severity, 0) >= 8 &&
-    (
-      (safe(log.requested, "").contains("boot") || 
-       safe(log.requested, "").contains("uefi") || 
-       safe(log.requested, "").contains("rootkit") ||
-       safe(log.requested, "").contains("firmware")) ||
-      (safe(log.restData, "").contains("boot") || 
-       safe(log.restData, "").contains("uefi") || 
-       safe(log.restData, "").contains("rootkit") ||
-       safe(log.restData, "").contains("firmware") ||
-       safe(log.restData, "").contains("\\EFI\\") || 
-       safe(log.restData, "").contains("/EFI/") ||
-       safe(log.restData, "").contains("\\boot\\") ||
-       safe(log.restData, "").contains("/boot/"))
-    )
-  deduplicateBy:
-    - log.hostId
+# Rule version v1.0.0
+
+dataTypes:
+  - antivirus-bitdefender-gz
+name: Bootkit/UEFI Threat Detection
+impact:
+  confidentiality: 3
+  integrity: 3
+  availability: 3
+category: Defense Evasion, Persistence
+technique: "T1542.001 - Boot or Logon Autostart Execution: System Firmware"
+adversary: origin
+references:
+  - https://attack.mitre.org/techniques/T1542/001/
+  - https://www.bitdefender.com/business/support/en/77209-135324-event-types.html
+description: |
+  Detects bootkit or UEFI-level threats that attempt to persist at the firmware level and compromise the boot process. These threats can survive system reinstalls and bypass traditional security measures by infecting the system firmware.
+  
+  Next Steps:
+  - Isolate the affected system immediately to prevent spread
+  - Review system boot logs and firmware settings for modifications
+  - Check for other malware detections on the same host in the past 24-48 hours
+  - Verify system integrity using offline scanning tools
+  - Consider reimaging the system and updating firmware/UEFI
+  - Enable Secure Boot if not already enabled
+  - Review user activity and recently installed software on the affected system
+  - Document the infection for incident response reporting
+  - Check if other systems with similar hardware/firmware versions are affected
+where: |
+  equals("log.eventType", "av") &&
+  greaterOrEqual("log.severity", 8) &&
+  (
+    contains("log.requested", ["boot", "uefi", "rootkit", "firmware"]) ||
+    contains("log.restData", ["boot", "uefi", "rootkit", "firmware",
+      "\\EFI\\", "/EFI/", "\\boot\\", "/boot/"])
+  )
+groupBy:
+  - lastEvent.log.hostId
+  - lastEvent.log.severity