Commit

[Rule Tuning] Tighten Up Elastic Defend Indexes - MacOS (elastic#4447)
w0rk3r authored Feb 5, 2025
1 parent 3e0ba33 commit ab89dfb
Showing 30 changed files with 60 additions and 60 deletions.
4 changes: 2 additions & 2 deletions rules/macos/credential_access_credentials_keychains.toml
Expand Up @@ -2,7 +2,7 @@
creation_date = "2020/08/14"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/02/04"

[rule]
author = ["Elastic"]
Expand All @@ -12,7 +12,7 @@ for macOS to keep track of users' passwords and credentials for many services an
websites, secure notes and certificates.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.process*"]
language = "eql"
license = "Elastic License v2"
name = "Access to Keychain Credentials Directories"
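Review bot: the tightened `index = ["logs-endpoint.events.process*"]` assumes the query that follows filters only on process events, but the `query` block is outside this hunk; confirm it does not also match file events on the keychain directories (the rule name, "Access to Keychain Credentials Directories", would fit either reading), because any non-process category would silently stop matching after this change rather than fail at load time.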
4 changes: 2 additions & 2 deletions rules/macos/credential_access_dumping_keychain_security.toml
Expand Up @@ -2,7 +2,7 @@
creation_date = "2021/01/04"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/02/04"

[rule]
author = ["Elastic"]
Expand All @@ -12,7 +12,7 @@ built-in way for macOS to keep track of users' passwords and credentials for man
and website passwords, secure notes, certificates, and Kerberos.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.process*"]
language = "eql"
license = "Elastic License v2"
name = "Dumping of Keychain Content via Security Command"
Expand Up @@ -2,7 +2,7 @@
creation_date = "2020/01/06"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/02/04"

[rule]
author = ["Elastic"]
Expand All @@ -13,7 +13,7 @@ and website passwords, secure notes, certificates, and Kerberos.
"""
false_positives = ["Applications for password management."]
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.process*"]
language = "eql"
license = "Elastic License v2"
name = "Keychain Password Retrieval via Command Line"
Expand Up @@ -2,7 +2,7 @@
creation_date = "2020/11/16"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/02/04"

[rule]
author = ["Elastic"]
Expand All @@ -11,7 +11,7 @@ Identifies the use of osascript to execute scripts via standard input that may p
credentials.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.process*"]
language = "eql"
license = "Elastic License v2"
name = "Prompt for Credentials with OSASCRIPT"
Expand Up @@ -2,7 +2,7 @@
creation_date = "2020/08/14"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/02/04"

[rule]
author = ["Elastic"]
Expand All @@ -12,7 +12,7 @@ downloaded from the internet, there is a quarantine flag set on the file. This a
defense program at execution time. An adversary may disable this attribute to evade defenses.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.file*"]
language = "eql"
license = "Elastic License v2"
name = "Quarantine Attrib Removed by Unsigned or Untrusted Process"
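Review bot: narrowing to `logs-endpoint.events.file*` alone means the signature condition implied by the name "Quarantine Attrib Removed by Unsigned or Untrusted Process" must be evaluated from the process fields carried on the file event itself (for example `process.code_signature.*` on the file document); confirm the query does not rely on a separate process event, since this index list no longer covers one.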
Expand Up @@ -2,7 +2,7 @@
creation_date = "2020/12/23"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/02/04"

[rule]
author = ["Elastic"]
Expand All @@ -12,7 +12,7 @@ indicate an attempt to bypass macOS privacy controls, including access to sensit
microphone, address book, and calendar.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.process*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Privacy Control Bypass via TCCDB Modification"
Expand Up @@ -2,7 +2,7 @@
creation_date = "2020/01/11"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/02/04"

[rule]
author = ["Elastic"]
Expand All @@ -12,7 +12,7 @@ Daemon (sshd) to the authorized application list for Full Disk Access. This may
privacy controls to access sensitive files.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.process*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Privacy Control Bypass via Localhost Secure Copy"
4 changes: 2 additions & 2 deletions rules/macos/discovery_users_domain_built_in_commands.toml
Expand Up @@ -2,7 +2,7 @@
creation_date = "2021/01/12"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/02/04"

[rule]
author = ["Elastic"]
Expand All @@ -11,7 +11,7 @@ Identifies the execution of macOS built-in commands related to account or group
and group information to orient themselves before deciding how to act.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.process*"]
language = "eql"
license = "Elastic License v2"
name = "Enumeration of Users or Groups via Built-in Commands"
Expand Up @@ -2,7 +2,7 @@
creation_date = "2020/12/23"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/02/04"

[rule]
author = ["Elastic"]
Expand All @@ -12,7 +12,7 @@ visiting a website over the normal course of browsing. With this technique, the
for exploitation.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.process*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Browser Child Process"
Expand Up @@ -2,7 +2,7 @@
creation_date = "2021/02/23"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/02/04"

[rule]
author = ["Elastic"]
Expand All @@ -20,7 +20,7 @@ false_positives = [
""",
]
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.network*", "logs-endpoint.events.process*"]
language = "eql"
license = "Elastic License v2"
name = "MacOS Installer Package Spawns Network Event"
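Review bot: since this rule now spans two data streams (`logs-endpoint.events.network*` and `logs-endpoint.events.process*`), check that the join keys the sequence in the query uses are populated on both the process and the network documents; a key present on only one side makes the sequence never complete, with no error surfaced when the rule loads. Listing the patterns alphabetically, as here, matches the other multi-index rules in this commit.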
4 changes: 2 additions & 2 deletions rules/macos/execution_script_via_automator_workflows.toml
Expand Up @@ -2,7 +2,7 @@
creation_date = "2020/12/23"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/02/04"

[rule]
author = ["Elastic"]
Expand All @@ -12,7 +12,7 @@ Adversaries may drop a custom workflow template that hosts malicious JavaScript
alternative to using osascript.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.network*", "logs-endpoint.events.process*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Automator Workflows Execution"
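Review bot: the description in this hunk speaks only of executing scripts through Automator workflows and says nothing about network activity, yet the new `index` includes `logs-endpoint.events.network*`; if the query is a process-then-network sequence, add a sentence to the description saying so, and if it is not, drop the `network*` pattern so this rule is narrowed as tightly as the process-only rules elsewhere in the commit.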
Expand Up @@ -2,7 +2,7 @@
creation_date = "2020/12/07"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/02/04"

[rule]
author = ["Elastic"]
Expand All @@ -11,7 +11,7 @@ Detects execution via the Apple script interpreter (osascript) followed by a net
within a short time period. Adversaries may use malicious scripts for execution and command and control.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.network*", "logs-endpoint.events.process*"]
language = "eql"
license = "Elastic License v2"
name = "Apple Script Execution followed by Network Connection"
Expand Up @@ -2,7 +2,7 @@
creation_date = "2020/12/07"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/02/04"

[rule]
author = ["Elastic"]
Expand All @@ -11,7 +11,7 @@ Identifies the execution of the shell process (sh) via scripting (JXA or AppleSc
doShellScript functionality in JXA or do shell script in AppleScript to execute system commands.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.process*"]
language = "eql"
license = "Elastic License v2"
name = "Shell Execution via Apple Scripting"
Expand Up @@ -2,7 +2,7 @@
creation_date = "2021/01/04"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/02/04"

[rule]
author = ["Elastic"]
Expand All @@ -12,7 +12,7 @@ Excel). These child processes are often launched during exploitation of Office a
malicious macros.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.process*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious macOS MS Office Child Process"
4 changes: 2 additions & 2 deletions rules/macos/lateral_movement_mounting_smb_share.toml
Expand Up @@ -2,7 +2,7 @@
creation_date = "2021/01/25"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/02/04"

[rule]
author = ["Elastic"]
Expand All @@ -11,7 +11,7 @@ Identifies the execution of macOS built-in commands to mount a Server Message Bl
use valid accounts to interact with a remote network share using SMB.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.process*"]
language = "eql"
license = "Elastic License v2"
name = "Attempt to Mount SMB Share via Command Line"
4 changes: 2 additions & 2 deletions rules/macos/lateral_movement_vpn_connection_attempt.toml
Expand Up @@ -2,7 +2,7 @@
creation_date = "2020/01/25"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/02/04"

[rule]
author = ["Elastic"]
Expand All @@ -11,7 +11,7 @@ Identifies the execution of macOS built-in commands to connect to an existing Vi
may use VPN connections to laterally move and control remote systems on a network.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.process*"]
language = "eql"
license = "Elastic License v2"
name = "Virtual Private Network Connection Attempt"
Expand Up @@ -2,7 +2,7 @@
creation_date = "2020/12/07"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/02/04"

[rule]
author = ["Elastic"]
Expand All @@ -12,7 +12,7 @@ launchctl to load a plist into the appropriate directories.
"""
false_positives = ["Trusted applications persisting via LaunchAgent"]
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.file*", "logs-endpoint.events.process*"]
language = "eql"
license = "Elastic License v2"
name = "Launch Agent Creation or Modification and Immediate Loading"
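Review bot: `logs-endpoint.events.file*` plus `logs-endpoint.events.process*` fits the name "Creation or Modification and Immediate Loading" (a plist write followed by a `launchctl` process), and the LaunchDaemon counterpart later in this commit receives the same two-pattern list, so the pair stays in step; the one thing to confirm is that the first half of the sequence keys on a file event rather than on a process event carrying the plist path as an argument, since a process-only first step would make the `file*` pattern dead weight.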
Expand Up @@ -2,7 +2,7 @@
creation_date = "2020/01/05"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/02/04"

[rule]
author = ["Elastic"]
Expand All @@ -11,7 +11,7 @@ Identifies the execution of osascript to create a hidden login item. This may in
program while concealing its presence.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.process*"]
language = "eql"
license = "Elastic License v2"
name = "Creation of Hidden Login Item via Apple Script"
Expand Up @@ -2,7 +2,7 @@
creation_date = "2020/12/07"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/02/04"

[rule]
author = ["Elastic"]
Expand All @@ -12,7 +12,7 @@ payloads as part of persistence.
"""
false_positives = ["Trusted applications persisting via LaunchDaemons"]
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.file*", "logs-endpoint.events.process*"]
language = "eql"
license = "Elastic License v2"
name = "LaunchDaemon Creation or Modification and Immediate Loading"
4 changes: 2 additions & 2 deletions rules/macos/persistence_crontab_creation.toml
Expand Up @@ -2,7 +2,7 @@
creation_date = "2022/04/25"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/02/04"

[rule]
author = ["Elastic"]
Expand All @@ -11,7 +11,7 @@ Identifies attempts to create or modify a crontab via a process that is not cron
activity should not be highly prevalent and could indicate the use of cron as a persistence mechanism by a threat actor.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.file*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious CronTab Creation or Modification"
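Review bot: with `index` narrowed to `logs-endpoint.events.file*`, the "via a process that is not crontab" condition in the description has to be expressed through the process fields on the file event (such as `process.name`), not through a process event; confirm the query does not test `event.category` for `process` anywhere, otherwise it will no longer fire after this change.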
4 changes: 2 additions & 2 deletions rules/macos/persistence_emond_rules_file_creation.toml
Expand Up @@ -2,7 +2,7 @@
creation_date = "2021/01/11"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/02/04"

[rule]
author = ["Elastic"]
Expand All @@ -11,7 +11,7 @@ Identifies the creation or modification of the Event Monitor Daemon (emond) rule
writing a rule to execute commands when a defined event occurs, such as system start up or user authentication.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.file*"]
language = "eql"
license = "Elastic License v2"
name = "Emond Rules Creation or Modification"
4 changes: 2 additions & 2 deletions rules/macos/persistence_emond_rules_process_execution.toml
Expand Up @@ -2,7 +2,7 @@
creation_date = "2021/01/11"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/02/04"

[rule]
author = ["Elastic"]
Expand All @@ -12,7 +12,7 @@ service by writing a rule to execute commands when a defined event occurs, such
authentication.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.process*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Emond Child Process"