Add filebeat-* index pattern to rules based on system.auth dataset (#3561)

herrBez · Aegrah · web-flow · commit 153657029b0b · 2024-04-03T11:27:31.000+02:00
Co-authored-by: Ruben Groenewoud &lt;78494512+Aegrah@users.noreply.github.com&gt;
diff --git a/rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml b/rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml
@@ -14,7 +14,7 @@ a short time interval. Adversaries will often brute force login attempts across
 password, in an attempt to gain access to these accounts.
 """
 from = "now-9m"
-index = ["logs-system.auth-*"]
+index = ["filebeat-*", "logs-system.auth-*"]
 language = "eql"
 license = "Elastic License v2"
 max_signals = 5
diff --git a/rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml b/rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml
@@ -14,7 +14,7 @@ a short time interval. Adversaries will often brute force login attempts across
 password, in an attempt to gain access to these accounts.
 """
 from = "now-9m"
-index = ["logs-system.auth-*"]
+index = ["filebeat-*", "logs-system.auth-*"]
 language = "eql"
 license = "Elastic License v2"
 max_signals = 5
diff --git a/rules/linux/credential_access_potential_successful_linux_ssh_bruteforce.toml b/rules/linux/credential_access_potential_successful_linux_ssh_bruteforce.toml
@@ -13,7 +13,7 @@ Identifies multiple SSH login failures followed by a successful one from the sam
 to login into multiple users with a common or known password to gain access to accounts.
 """
 from = "now-9m"
-index = ["auditbeat-*", "logs-system.auth-*"]
+index = ["auditbeat-*",  "filebeat-*", "logs-system.auth-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Successful SSH Brute Force Attack"
diff --git a/rules/linux/persistence_linux_group_creation.toml b/rules/linux/persistence_linux_group_creation.toml
@@ -29,7 +29,7 @@ description = """
 Identifies attempts to create a new group. Attackers may create new groups to establish persistence on a system.
 """
 from = "now-9m"
-index = ["logs-system.auth-*"]
+index = ["filebeat-*", "logs-system.auth-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Linux Group Creation"
diff --git a/rules/linux/persistence_linux_user_account_creation.toml b/rules/linux/persistence_linux_user_account_creation.toml
@@ -29,7 +29,7 @@ description = """
 Identifies attempts to create new users. Attackers may add new users to establish persistence on a system.
 """
 from = "now-9m"
-index = ["logs-system.auth-*"]
+index = ["filebeat-*", "logs-system.auth-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Linux User Account Creation"
