Fix terminology and doc links (#54)

benskelker · web-flow · commit 680a04da8fa5 · 2020-07-13T12:47:42.000-06:00
diff --git a/rules/ml/ml_linux_anomalous_network_activity.toml b/rules/ml/ml_linux_anomalous_network_activity.toml
@@ -27,7 +27,7 @@ Signals from this rule indicate the presence of network activity from a Linux pr
 - Consider the user as identified by the username field. Is this network activity part of an expected workflow for the user who ran the program?
 - Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business or maintenance process.
 - Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing."""
-references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"]
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21
 rule_id = "52afbdc5-db15-485e-bc24-f5707f820c4b"
 severity = "low"
diff --git a/rules/ml/ml_linux_anomalous_network_port_activity.toml b/rules/ml/ml_linux_anomalous_network_port_activity.toml
@@ -18,7 +18,7 @@ interval = "15m"
 license = "Elastic License"
 machine_learning_job_id = "linux_anomalous_network_port_activity_ecs"
 name = "Unusual Linux Network Port Activity"
-references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"]
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21
 rule_id = "3c7e32e6-6104-46d9-a06e-da0f8b5795a0"
 severity = "low"
diff --git a/rules/ml/ml_linux_anomalous_network_service.toml b/rules/ml/ml_linux_anomalous_network_service.toml
@@ -17,7 +17,7 @@ interval = "15m"
 license = "Elastic License"
 machine_learning_job_id = "linux_anomalous_network_service"
 name = "Unusual Linux Network Service"
-references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"]
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21
 rule_id = "52afbdc5-db15-596e-bc35-f5707f820c4b"
 severity = "low"
diff --git a/rules/ml/ml_linux_anomalous_network_url_activity.toml b/rules/ml/ml_linux_anomalous_network_url_activity.toml
@@ -25,7 +25,7 @@ interval = "15m"
 license = "Elastic License"
 machine_learning_job_id = "linux_anomalous_network_url_activity_ecs"
 name = "Unusual Linux Web Activity"
-references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"]
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21
 rule_id = "52afbdc5-db15-485e-bc35-f5707f820c4c"
 severity = "low"
diff --git a/rules/ml/ml_linux_anomalous_process_all_hosts.toml b/rules/ml/ml_linux_anomalous_process_all_hosts.toml
@@ -28,7 +28,7 @@ Signals from this rule indicate the presence of a Linux process that is rare and
 - Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host?
 - Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.
 - Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing."""
-references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"]
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21
 rule_id = "647fc812-7996-4795-8869-9c4ea595fe88"
 severity = "low"
diff --git a/rules/ml/ml_linux_anomalous_user_name.toml b/rules/ml/ml_linux_anomalous_user_name.toml
@@ -33,7 +33,7 @@ Signals from this rule indicate activity for a Linux user name that is rare and
 - Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host? Could this be related to troubleshooting or debugging activity by a developer or site reliability engineer?
 - Examine the history of user activity. If this user manifested only very recently, it might be a service account for a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.
 - Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks that the user is performing."""
-references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"]
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21
 rule_id = "b347b919-665f-4aac-b9e8-68369bf2340c"
 severity = "low"
diff --git a/rules/ml/ml_packetbeat_dns_tunneling.toml b/rules/ml/ml_packetbeat_dns_tunneling.toml
@@ -24,7 +24,7 @@ interval = "15m"
 license = "Elastic License"
 machine_learning_job_id = "packetbeat_dns_tunneling"
 name = "DNS Tunneling"
-references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"]
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21
 rule_id = "91f02f01-969f-4167-8f66-07827ac3bdd9"
 severity = "low"
diff --git a/rules/ml/ml_packetbeat_rare_dns_question.toml b/rules/ml/ml_packetbeat_rare_dns_question.toml
@@ -27,7 +27,7 @@ interval = "15m"
 license = "Elastic License"
 machine_learning_job_id = "packetbeat_rare_dns_question"
 name = "Unusual DNS Activity"
-references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"]
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21
 rule_id = "746edc4c-c54c-49c6-97a1-651223819448"
 severity = "low"
diff --git a/rules/ml/ml_packetbeat_rare_server_domain.toml b/rules/ml/ml_packetbeat_rare_server_domain.toml
@@ -27,7 +27,7 @@ interval = "15m"
 license = "Elastic License"
 machine_learning_job_id = "packetbeat_rare_server_domain"
 name = "Unusual Network Destination Domain Name"
-references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"]
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21
 rule_id = "17e68559-b274-4948-ad0b-f8415bb31126"
 severity = "low"
diff --git a/rules/ml/ml_packetbeat_rare_urls.toml b/rules/ml/ml_packetbeat_rare_urls.toml
@@ -30,7 +30,7 @@ interval = "15m"
 license = "Elastic License"
 machine_learning_job_id = "packetbeat_rare_urls"
 name = "Unusual Web Request"
-references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"]
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21
 rule_id = "91f02f01-969f-4167-8f55-07827ac3acc9"
 severity = "low"
diff --git a/rules/ml/ml_packetbeat_rare_user_agent.toml b/rules/ml/ml_packetbeat_rare_user_agent.toml
@@ -28,7 +28,7 @@ interval = "15m"
 license = "Elastic License"
 machine_learning_job_id = "packetbeat_rare_user_agent"
 name = "Unusual Web User Agent"
-references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"]
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21
 rule_id = "91f02f01-969f-4167-8d77-07827ac4cee0"
 severity = "low"
diff --git a/rules/ml/ml_rare_process_by_host_linux.toml b/rules/ml/ml_rare_process_by_host_linux.toml
@@ -28,7 +28,7 @@ Signals from this rule indicate the presence of a Linux process that is rare and
 - Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host?
 - Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.
 - Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing."""
-references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"]
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21
 rule_id = "46f804f5-b289-43d6-a881-9387cf594f75"
 severity = "low"
diff --git a/rules/ml/ml_rare_process_by_host_windows.toml b/rules/ml/ml_rare_process_by_host_windows.toml
@@ -31,7 +31,7 @@ Signals from this rule indicate the presence of a Windows process that is rare a
 - Examine arguments and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.
 - Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.
 - If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools. """
-references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"]
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21
 rule_id = "6d448b96-c922-4adb-b51c-b767f1ea5b76"
 severity = "low"
diff --git a/rules/ml/ml_suspicious_login_activity.toml b/rules/ml/ml_suspicious_login_activity.toml
@@ -19,7 +19,7 @@ interval = "15m"
 license = "Elastic License"
 machine_learning_job_id = "suspicious_login_activity_ecs"
 name = "Unusual Login Activity"
-references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"]
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21
 rule_id = "4330272b-9724-4bc6-a3ca-f1532b81e5c2"
 severity = "low"
diff --git a/rules/ml/ml_windows_anomalous_network_activity.toml b/rules/ml/ml_windows_anomalous_network_activity.toml
@@ -29,7 +29,7 @@ Signals from this rule indicate the presence of network activity from a Windows
 - Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.
 - Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.
 - If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools."""
-references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"]
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21
 rule_id = "ba342eb2-583c-439f-b04d-1fdd7c1417cc"
 severity = "low"
diff --git a/rules/ml/ml_windows_anomalous_path_activity.toml b/rules/ml/ml_windows_anomalous_path_activity.toml
@@ -25,7 +25,7 @@ interval = "15m"
 license = "Elastic License"
 machine_learning_job_id = "windows_anomalous_path_activity_ecs"
 name = "Unusual Windows Path Activity"
-references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"]
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21
 rule_id = "445a342e-03fb-42d0-8656-0367eb2dead5"
 severity = "low"
diff --git a/rules/ml/ml_windows_anomalous_process_all_hosts.toml b/rules/ml/ml_windows_anomalous_process_all_hosts.toml
@@ -31,7 +31,7 @@ Signals from this rule indicate the presence of a Windows process that is rare a
 - Examine arguments and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.
 - Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.
 - If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools. """
-references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"]
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21
 rule_id = "6e40d56f-5c0e-4ac6-aece-bee96645b172"
 severity = "low"
diff --git a/rules/ml/ml_windows_anomalous_process_creation.toml b/rules/ml/ml_windows_anomalous_process_creation.toml
@@ -27,7 +27,7 @@ interval = "15m"
 license = "Elastic License"
 machine_learning_job_id = "windows_anomalous_process_creation"
 name = "Anomalous Windows Process Creation"
-references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"]
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21
 rule_id = "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5"
 severity = "low"
diff --git a/rules/ml/ml_windows_anomalous_script.toml b/rules/ml/ml_windows_anomalous_script.toml
@@ -22,7 +22,7 @@ interval = "15m"
 license = "Elastic License"
 machine_learning_job_id = "windows_anomalous_script"
 name = "Suspicious Powershell Script"
-references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"]
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21
 rule_id = "1781d055-5c66-4adf-9d60-fc0fa58337b6"
 severity = "low"
diff --git a/rules/ml/ml_windows_anomalous_service.toml b/rules/ml/ml_windows_anomalous_service.toml
@@ -23,7 +23,7 @@ interval = "15m"
 license = "Elastic License"
 machine_learning_job_id = "windows_anomalous_service"
 name = "Unusual Windows Service"
-references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"]
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21
 rule_id = "1781d055-5c66-4adf-9c71-fc0fa58338c7"
 severity = "low"
diff --git a/rules/ml/ml_windows_anomalous_user_name.toml b/rules/ml/ml_windows_anomalous_user_name.toml
@@ -34,7 +34,7 @@ Signals from this rule indicate activity for a Windows user name that is rare an
 - Examine the history of user activity. If this user manifested only very recently, it might be a service account for a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.
 - Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks that the user is performing.
 - Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious."""
-references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"]
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21
 rule_id = "1781d055-5c66-4adf-9c59-fc0fa58336a5"
 severity = "low"
diff --git a/rules/ml/ml_windows_rare_user_runas_event.toml b/rules/ml/ml_windows_rare_user_runas_event.toml
@@ -23,7 +23,7 @@ interval = "15m"
 license = "Elastic License"
 machine_learning_job_id = "windows_rare_user_runas_event"
 name = "Unusual Windows User Privilege Elevation Activity"
-references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"]
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21
 rule_id = "1781d055-5c66-4adf-9d82-fc0fa58449c8"
 severity = "low"
diff --git a/rules/ml/ml_windows_rare_user_type10_remote_login.toml b/rules/ml/ml_windows_rare_user_type10_remote_login.toml
@@ -27,7 +27,7 @@ note = """### Investigating an Unusual Windows User ###
 Signals from this rule indicate activity for a rare and unusual Windows RDP (remote desktop) user. Here are some possible avenues of investigation:
 - Consider the user as identified by the username field. Is the user part of a group who normally logs into Windows hosts using RDP (remote desktop protocol)? Is this logon activity part of an expected workflow for the user? 
 - Consider the source of the login. If the source is remote, could this be related to occasional troubleshooting or support activity by a vendor or an employee working remotely?"""
-references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"]
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21
 rule_id = "1781d055-5c66-4adf-9e93-fc0fa69550c9"
 severity = "low"
diff --git a/rules/network/command_and_control_proxy_port_activity_to_the_internet.toml b/rules/network/command_and_control_proxy_port_activity_to_the_internet.toml
@@ -15,8 +15,7 @@ false_positives = [
     """
     Some proxied applications may use these ports but this usually occurs in local traffic using private IPs which this
     rule does not match. Proxies are widely used as a security technology but in enterprise environments this is usually
-    local traffic which this rule does not match. Internet proxy services using these ports can be white-listed if
-    desired. Some screen recording applications may use these ports. Proxy port activity involving an unusual source or
+    local traffic which this rule does not match. If desired, internet proxy services using these ports can be added to allowlists. Some screen recording applications may use these ports. Proxy port activity involving an unusual source or
     destination may be more suspicious. Some cloud environments may use this port when VPNs or direct connects are not
     in use and cloud instances are accessed across the Internet. Because these ports are in the ephemeral range, this
     rule may false under certain conditions such as when a NATed web server replies to a client which has used a port in
diff --git a/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml b/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
@@ -9,7 +9,7 @@ author = ["Elastic"]
 description = """
 Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature
 validation. Adversaries may use these binaries to 'live off the land' and execute malicious files that could bypass
-application whitelisting and signature validation.
+application allowlists and signature validation.
 """
 index = ["winlogbeat-*"]
 language = "kuery"
diff --git a/rules/windows/execution_register_server_program_connecting_to_the_internet.toml b/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
@@ -8,7 +8,7 @@ updated_date = "2020/06/24"
 author = ["Elastic"]
 description = """
 Identifies the native Windows tools regsvr32.exe and regsvr64.exe making a network connection. This may be indicative of
-an attacker bypassing whitelisting or running arbitrary scripts via a signed Microsoft binary.
+an attacker bypassing allowlists or running arbitrary scripts via a signed Microsoft binary.
 """
 false_positives = [
     """
