Rule APIs

The following APIs can be used for a number of tasks related to rules, from searching for pre-packaged rules to creating and updating custom rules.

Create Custom Rule

The Create custom rule API creates a custom rule from a rule written in the Sigma security rule format. For guidance on writing a rule in Sigma format, see the documentation in Sigma's GitHub repository.

```
POST /_plugins/_security_analytics/rules?category=windows
```

Example request

```
Header:
Content-Type: application/json
Body:
title: Moriya Rootkit
id: 25b9c01c-350d-4b95-bed1-836d04a4f324
description: Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report
status: experimental
author: Bhabesh Raj
date: 2021/05/06
modified: 2021/11/30
references:
  - https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831
tags:
  - attack.persistence
  - attack.privilege_escalation
  - attack.t1543.003
logsource:
  product: windows
  service: system
detection:
  selection:
    Provider_Name: 'Service Control Manager'
    EventID: 7045
    ServiceName: ZzNetSvc
  condition: selection
level: critical
falsepositives:
  - Unknown
```

Example response

Sample 1:

```json
{
  "_id": "M1Rm1IMByX0LvTiGvde2",
  "_version": 1,
  "rule": {
    "category": "windows",
    "title": "Moriya Rootkit",
    "log_source": "",
    "description": "Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report",
    "tags": [
      {
        "value": "attack.persistence"
      },
      {
        "value": "attack.privilege_escalation"
      },
      {
        "value": "attack.t1543.003"
      }
    ],
    "references": [
      {
        "value": "https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831"
      }
    ],
    "level": "critical",
    "false_positives": [
      {
        "value": "Unknown"
      }
    ],
    "author": "Bhabesh Raj",
    "status": "experimental",
    "last_update_time": "2021-05-06T00:00:00.000Z",
    "rule": "title: Moriya Rootkit\nid: 25b9c01c-350d-4b95-bed1-836d04a4f324\ndescription: Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report\nstatus: experimental\nauthor: Bhabesh Raj\ndate: 2021/05/06\nmodified: 2021/11/30\nreferences:\n - https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831\ntags:\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1543.003\nlogsource:\n product: windows\n service: system\ndetection:\n selection:\n Provider_Name: 'Service Control Manager'\n EventID: 7045\n ServiceName: ZzNetSvc\n condition: selection\nlevel: critical\nfalsepositives:\n - Unknown"
  }
}
```

Sample 2:

```json
{
  "error": {
    "root_cause": [
      {
        "type": "security_analytics_exception",
        "reason": "{\"error\":\"Sigma rule must have a log source\",\"error\":\"Sigma rule must have a detection definitions\"}"
      }
    ],
    "type": "security_analytics_exception",
    "reason": "{\"error\":\"Sigma rule must have a log source\",\"error\":\"Sigma rule must have a detection definitions\"}",
    "caused_by": {
      "type": "exception",
      "reason": "java.util.Arrays$ArrayList: {\"error\":\"Sigma rule must have a log source\",\"error\":\"Sigma rule must have a detection definitions\"}"
    }
  },
  "status": 400
}
```
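Sample 2 shows the server rejecting a rule that lacks a log source and a detection section. The following added example, which is not part of the page or of the Security Analytics plugin, checks those two sections (plus the title, an added assumption taken from the Sigma specification) before the request is sent, assembles the POST shown above as a transport-neutral dict, and classifies the two sample responses. The rule text, the abridged accepted response and the rejection are constructed from the page; the plugin is assumed to take the rule YAML as the raw request body, as the example request shows.

```python
import re

# Constructed input: the rule YAML from the create request above, with the
# indentation a Sigma rule needs (assumption: the endpoint takes the rule
# text as the raw request body).
RULE_YAML = """\
title: Moriya Rootkit
id: 25b9c01c-350d-4b95-bed1-836d04a4f324
description: Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report
status: experimental
author: Bhabesh Raj
date: 2021/05/06
modified: 2021/11/30
references:
  - https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831
tags:
  - attack.persistence
  - attack.privilege_escalation
  - attack.t1543.003
logsource:
  product: windows
  service: system
detection:
  selection:
    Provider_Name: 'Service Control Manager'
    EventID: 7045
    ServiceName: ZzNetSvc
  condition: selection
level: critical
falsepositives:
  - Unknown
"""

# Constructed responses, copied from Sample 1 (abridged) and Sample 2 above.
ACCEPTED = {"_id": "M1Rm1IMByX0LvTiGvde2", "_version": 1,
            "rule": {"category": "windows", "title": "Moriya Rootkit"}}
REJECTED = {
    "error": {
        "type": "security_analytics_exception",
        "reason": '{"error":"Sigma rule must have a log source","error":"Sigma rule must have a detection definitions"}',
    },
    "status": 400,
}

TOP_LEVEL_KEY = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*):")
ERROR_MESSAGE = re.compile(r'"error":"([^"]*)"')


def top_level_keys(rule_yaml):
    """Unindented 'key:' names of the rule, in order; no YAML parser needed."""
    return [m.group(1) for m in map(TOP_LEVEL_KEY.match, rule_yaml.splitlines()) if m]


def preflight(rule_yaml):
    """Problems the server would reject, found before the request is sent.

    The log source and detection messages repeat the server's wording from
    Sample 2; the title check is an added assumption from the Sigma spec.
    """
    keys = set(top_level_keys(rule_yaml))
    problems = []
    if "title" not in keys:
        problems.append("Sigma rule must have a title")
    if "logsource" not in keys:
        problems.append("Sigma rule must have a log source")
    if "detection" not in keys:
        problems.append("Sigma rule must have a detection definitions")
    return problems


def build_create_request(rule_yaml, category):
    """The POST from the page as a dict; raises if preflight finds a problem."""
    problems = preflight(rule_yaml)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "method": "POST",
        "path": "/_plugins/_security_analytics/rules",
        "params": {"category": category},
        "headers": {"Content-Type": "application/json"},
        "body": rule_yaml,
    }


def server_errors(reason):
    """Every message in a 'reason' string shaped like Sample 2's.

    That string repeats the "error" key, so json.loads would keep only the
    last message; a regex recovers all of them.
    """
    return ERROR_MESSAGE.findall(reason)


def classify_response(body):
    """Reduce a create response to ok/id/version or ok/status/errors."""
    if "_id" in body:
        return {"ok": True, "id": body["_id"], "version": body.get("_version")}
    reason = body.get("error", {}).get("reason", "")
    return {"ok": False, "status": body.get("status"),
            "errors": server_errors(reason) or [reason]}


if __name__ == "__main__":
    print(preflight("title: only a title\n"))
    print(build_create_request(RULE_YAML, "windows")["params"])
    print(classify_response(ACCEPTED))
    print(classify_response(REJECTED))
```

The preflight only checks that the top-level sections exist; the server still validates the detection logic itself, so keep `classify_response` in the path and read every message it returns rather than only the first.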

Update Custom Rule (not forced)

Example request

```
PUT /_plugins/_security_analytics/rules/ZaFv1IMBdLpXWBiBa1XI?category=windows
Content-Type: application/json
Body:
title: Moriya Rooskit
id: 25b9c01c-350d-4b95-bed1-836d04a4f324
description: Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report
status: experimental
author: Bhabesh Raj
date: 2021/05/06
modified: 2021/11/30
references:
  - https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831
tags:
  - attack.persistence
  - attack.privilege_escalation
  - attack.t1543.003
logsource:
  product: windows
  service: system
detection:
  selection:
    Provider_Name: 'Service Control Manager'
    EventID: 7045
    ServiceName: ZzNetSvc
  condition: selection
level: critical
falsepositives:
  - Unknown
```

Example response

```json
{
  "error": {
    "root_cause": [
      {
        "type": "security_analytics_exception",
        "reason": "Rule with id ZaFv1IMBdLpXWBiBa1XI is actively used by detectors. Update can be forced by setting forced flag to true"
      }
    ],
    "type": "security_analytics_exception",
    "reason": "Rule with id ZaFv1IMBdLpXWBiBa1XI is actively used by detectors. Update can be forced by setting forced flag to true",
    "caused_by": {
      "type": "exception",
      "reason": "org.opensearch.OpenSearchStatusException: Rule with id ZaFv1IMBdLpXWBiBa1XI is actively used by detectors. Update can be forced by setting forced flag to true"
    }
  },
  "status": 500
}
```

Update Custom Rule (forced)

Example request

```
PUT /_plugins/_security_analytics/rules/ZaFv1IMBdLpXWBiBa1XI?category=windows&forced=true
Content-Type: application/json
Body:
title: Moriya Rooskit
id: 25b9c01c-350d-4b95-bed1-836d04a4f324
description: Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report
status: experimental
author: Bhabesh Raj
date: 2021/05/06
modified: 2021/11/30
references:
  - https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831
tags:
  - attack.persistence
  - attack.privilege_escalation
  - attack.t1543.003
logsource:
  product: windows
  service: system
detection:
  selection:
    Provider_Name: 'Service Control Manager'
    EventID: 7045
    ServiceName: ZzNetSvc
  condition: selection
level: critical
falsepositives:
  - Unknown
```

Example response

```json
{
  "_id": "ZaFv1IMBdLpXWBiBa1XI",
  "_version": 1,
  "rule": {
    "category": "windows",
    "title": "Moriya Rooskit",
    "log_source": "",
    "description": "Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report",
    "tags": [
      {
        "value": "attack.persistence"
      },
      {
        "value": "attack.privilege_escalation"
      },
      {
        "value": "attack.t1543.003"
      }
    ],
    "references": [
      {
        "value": "https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831"
      }
    ],
    "level": "critical",
    "false_positives": [
      {
        "value": "Unknown"
      }
    ],
    "author": "Bhabesh Raj",
    "status": "experimental",
    "last_update_time": "2021-05-06T00:00:00.000Z",
    "rule": "title: Moriya Rooskit\nid: 25b9c01c-350d-4b95-bed1-836d04a4f324\ndescription: Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report\nstatus: experimental\nauthor: Bhabesh Raj\ndate: 2021/05/06\nmodified: 2021/11/30\nreferences:\n - https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831\ntags:\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1543.003\nlogsource:\n product: windows\n service: system\ndetection:\n selection:\n Provider_Name: 'Service Control Manager'\n EventID: 7045\n ServiceName: ZzNetSvc\n condition: selection\nlevel: critical\nfalsepositives:\n - Unknown"
  }
}
```

Search Pre-Packaged Rules

Example request

```
POST /_plugins/_security_analytics/rules/_search?pre_packaged=true
{
  "from": 0,
  "size": 20,
  "query": {
    "nested": {
      "path": "rule",
      "query": {
        "bool": {
          "must": [
            { "match": { "rule.category": "windows" } }
          ]
        }
      }
    }
  }
}
```

Example response

```json
{
  "took": 3,
  "timed_out": false,
  "_shards": {
    "total": 1,
    "successful": 1,
    "skipped": 0,
    "failed": 0
  },
  "hits": {
    "total": {
      "value": 1580,
      "relation": "eq"
    },
    "max_score": 0.25863406,
    "hits": [
      {
        "_index": ".opensearch-pre-packaged-rules-config",
        "_id": "6KFv1IMBdLpXWBiBelZg",
        "_version": 1,
        "_seq_no": 386,
        "_primary_term": 1,
        "_score": 0.25863406,
        "_source": {
          "category": "windows",
          "title": "Change Outlook Security Setting in Registry",
          "log_source": "registry_set",
          "description": "Change outlook email security settings",
          "references": [
            {
              "value": "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137/T1137.md"
            },
            {
              "value": "https://docs.microsoft.com/en-us/outlook/troubleshoot/security/information-about-email-security-settings"
            }
          ],
          "tags": [
            {
              "value": "attack.persistence"
            },
            {
              "value": "attack.t1137"
            }
          ],
          "level": "medium",
          "false_positives": [
            {
              "value": "Administrative scripts"
            }
          ],
          "author": "frack113",
          "status": "experimental",
          "last_update_time": "2021-12-28T00:00:00.000Z",
          "queries": [
            {
              "value": "((TargetObject: *\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*) AND (TargetObject: *\\\\Outlook\\\\Security\\\\*)) AND (EventType: \"SetValue\")"
            }
          ],
          "rule": "title: Change Outlook Security Setting in Registry\nid: c3cefdf4-6703-4e1c-bad8-bf422fc5015a\ndescription: Change outlook email security settings\nauthor: frack113\ndate: 2021/12/28\nmodified: 2022/03/26\nstatus: experimental\nreferences:\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137/T1137.md\n - https://docs.microsoft.com/en-us/outlook/troubleshoot/security/information-about-email-security-settings\nlogsource:\n category: registry_set\n product: windows\ndetection:\n selection:\n TargetObject|contains|all:\n - '\\SOFTWARE\\Microsoft\\Office\\'\n - '\\Outlook\\Security\\'\n EventType: SetValue\n condition: selection\nfalsepositives:\n - Administrative scripts\nlevel: medium\ntags:\n - attack.persistence\n - attack.t1137\n"
        }
      }
    ]
  }
}
```

Search Custom Rules

Example request

```
POST /_plugins/_security_analytics/rules/_search?pre_packaged=false
Body:
{
  "from": 0,
  "size": 20,
  "query": {
    "nested": {
      "path": "rule",
      "query": {
        "bool": {
          "must": [
            { "match": { "rule.category": "windows" } }
          ]
        }
      }
    }
  }
}
```

Example response

```json
{
  "took": 1,
  "timed_out": false,
  "_shards": {
    "total": 1,
    "successful": 1,
    "skipped": 0,
    "failed": 0
  },
  "hits": {
    "total": {
      "value": 1,
      "relation": "eq"
    },
    "max_score": 0.2876821,
    "hits": [
      {
        "_index": ".opensearch-custom-rules-config",
        "_id": "ZaFv1IMBdLpXWBiBa1XI",
        "_version": 2,
        "_seq_no": 1,
        "_primary_term": 1,
        "_score": 0.2876821,
        "_source": {
          "category": "windows",
          "title": "Moriya Rooskit",
          "log_source": "",
          "description": "Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report",
          "references": [
            {
              "value": "https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831"
            }
          ],
          "tags": [
            {
              "value": "attack.persistence"
            },
            {
              "value": "attack.privilege_escalation"
            },
            {
              "value": "attack.t1543.003"
            }
          ],
          "level": "critical",
          "false_positives": [
            {
              "value": "Unknown"
            }
          ],
          "author": "Bhabesh Raj",
          "status": "experimental",
          "last_update_time": "2021-05-06T00:00:00.000Z",
          "queries": [
            {
              "value": "(Provider_Name: \"Service_ws_Control_ws_Manager\") AND (event_uid: 7045) AND (ServiceName: \"ZzNetSvc\")"
            }
          ],
          "rule": "title: Moriya Rooskit\nid: 25b9c01c-350d-4b95-bed1-836d04a4f324\ndescription: Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report\nstatus: experimental\nauthor: Bhabesh Raj\ndate: 2021/05/06\nmodified: 2021/11/30\nreferences:\n - https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831\ntags:\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1543.003\nlogsource:\n product: windows\n service: system\ndetection:\n selection:\n Provider_Name: 'Service Control Manager'\n EventID: 7045\n ServiceName: ZzNetSvc\n condition: selection\nlevel: critical\nfalsepositives:\n - Unknown"
        }
      }
    ]
  }
}
```
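Both search endpoints above take the same nested query and return the same hit shape; only the `pre_packaged` flag differs. The following added example, which is not part of the page or of the plugin, builds that query, flattens each hit to the fields a rule reviewer compares (id, title, level, ATT&CK tags and the query the plugin compiled from the Sigma detection), pages through a large result set using `hits.total`, and indexes rule ids by technique tag. The sample response is constructed from the Search Custom Rules response above; the optional `rule.level` filter assumes that other `_source` fields are queryable under the `rule` path in the same way as `rule.category`, which the page shows only for `category`.

```python
import copy

# Constructed response: the Search Custom Rules response above, trimmed to
# the fields the summary reads.
CUSTOM_SEARCH_RESPONSE = {
    "hits": {
        "total": {"value": 1, "relation": "eq"},
        "hits": [
            {
                "_index": ".opensearch-custom-rules-config",
                "_id": "ZaFv1IMBdLpXWBiBa1XI",
                "_source": {
                    "category": "windows",
                    "title": "Moriya Rooskit",
                    "level": "critical",
                    "tags": [
                        {"value": "attack.persistence"},
                        {"value": "attack.privilege_escalation"},
                        {"value": "attack.t1543.003"},
                    ],
                    "queries": [
                        {"value": '(Provider_Name: "Service_ws_Control_ws_Manager") AND (event_uid: 7045) AND (ServiceName: "ZzNetSvc")'}
                    ],
                },
            }
        ],
    }
}


def rule_search_request(category=None, pre_packaged=True, size=20, start=0, level=None):
    """The nested query from the page; the rule.level filter is an assumption."""
    must = []
    if category:
        must.append({"match": {"rule.category": category}})
    if level:
        must.append({"match": {"rule.level": level}})
    body = {
        "from": start,
        "size": size,
        "query": {"nested": {"path": "rule",
                             "query": {"bool": {"must": must or [{"match_all": {}}]}}}},
    }
    return {
        "method": "POST",
        "path": "/_plugins/_security_analytics/rules/_search",
        "params": {"pre_packaged": "true" if pre_packaged else "false"},
        "body": body,
    }


def summarize_hits(response):
    """Flatten each hit to id, index, title, level, tags and compiled queries."""
    out = []
    for hit in response["hits"]["hits"]:
        src = hit["_source"]
        out.append({
            "id": hit["_id"],
            "index": hit["_index"],
            "title": src.get("title"),
            "level": src.get("level"),
            "tags": [t["value"] for t in src.get("tags", [])],
            "queries": [q["value"] for q in src.get("queries", [])],
        })
    return out


def next_page(request, response):
    """The request for the following page, or None once hits.total is exhausted."""
    body = request["body"]
    fetched = body["from"] + len(response["hits"]["hits"])
    if fetched >= response["hits"]["total"]["value"]:
        return None
    nxt = copy.deepcopy(request)
    nxt["body"]["from"] = fetched
    return nxt


def tags_by_technique(summaries):
    """Index rule ids by ATT&CK technique tag (attack.t...) to review coverage."""
    index = {}
    for s in summaries:
        for tag in s["tags"]:
            if tag.startswith("attack.t"):
                index.setdefault(tag, []).append(s["id"])
    return index


if __name__ == "__main__":
    for row in summarize_hits(CUSTOM_SEARCH_RESPONSE):
        print(row["id"], row["level"], row["title"], row["queries"][0])
    print(tags_by_technique(summarize_hits(CUSTOM_SEARCH_RESPONSE)))
```

The `queries` value is the query the plugin generated from the Sigma `detection` block, which is why the summary keeps it: comparing it against the field names that actually arrive in the log index (the custom rule above compiles `EventID` to `event_uid` and inserts `_ws_` for the spaces in the provider name) is the quickest way to confirm a rule can match at all.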

Delete Custom Rule (not forced)

Example request

```
DELETE /_plugins/_security_analytics/rules/ZaFv1IMBdLpXWBiBa1XI
```

Example response

```json
{
  "error": {
    "root_cause": [
      {
        "type": "security_analytics_exception",
        "reason": "Rule with id ZaFv1IMBdLpXWBiBa1XI is actively used by detectors. Deletion can be forced by setting forced flag to true"
      }
    ],
    "type": "security_analytics_exception",
    "reason": "Rule with id ZaFv1IMBdLpXWBiBa1XI is actively used by detectors. Deletion can be forced by setting forced flag to true",
    "caused_by": {
      "type": "exception",
      "reason": "org.opensearch.OpenSearchStatusException: Rule with id ZaFv1IMBdLpXWBiBa1XI is actively used by detectors. Deletion can be forced by setting forced flag to true"
    }
  },
  "status": 500
}
```

Delete Custom Rule (forced)

Example request

```
DELETE /_plugins/_security_analytics/rules/ZaFv1IMBdLpXWBiBa1XI?forced=true
```

Example response

```json
{
  "_id": "ZaFv1IMBdLpXWBiBa1XI",
  "_version": 1
}
```
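The update and delete examples above share one behaviour: a rule referenced by a detector is refused until the request carries `forced=true`, and the refusal comes back with status 500 rather than a 4xx. The following added example, which is not part of the page or of the plugin, builds the PUT and DELETE requests, recognises that refusal by its `reason` text instead of by status code, and repeats the write with `forced=true` only when the caller has explicitly opted in, so a change to a rule that detectors depend on is never forced by accident. The two responses are constructed from the Delete Custom Rule examples; `send` is a caller-supplied transport, and the `fake_send` stand-in lets the flow run offline.

```python
import re

IN_USE = re.compile(r"Rule with id (\S+) is actively used by detectors")

# Constructed responses copied from the page: the refusal returned when the
# rule is referenced by a detector and forced is not set, and the document
# returned once the write is forced.
REJECTED_DELETE = {
    "error": {
        "type": "security_analytics_exception",
        "reason": "Rule with id ZaFv1IMBdLpXWBiBa1XI is actively used by detectors. Deletion can be forced by setting forced flag to true",
    },
    "status": 500,
}
FORCED_OK = {"_id": "ZaFv1IMBdLpXWBiBa1XI", "_version": 1}


def rule_write_request(method, rule_id, forced=False, category=None, body=None):
    """PUT or DELETE on /rules/{id}; forced=true is added only when requested."""
    params = {}
    if category is not None:
        params["category"] = category
    if forced:
        params["forced"] = "true"
    req = {
        "method": method,
        "path": f"/_plugins/_security_analytics/rules/{rule_id}",
        "params": params,
    }
    if body is not None:  # PUT carries the rule YAML, DELETE has no body
        req["headers"] = {"Content-Type": "application/json"}
        req["body"] = body
    return req


def blocked_by_detectors(response):
    """Rule id named in an 'actively used by detectors' error, or None."""
    reason = response.get("error", {}).get("reason", "")
    m = IN_USE.search(reason)
    return m.group(1) if m else None


def write_rule(send, method, rule_id, *, allow_force=False, category=None, body=None):
    """Try the write unforced; repeat with forced=true only if the caller opted in.

    `send` maps a request dict to a response dict, so any HTTP client (or the
    fake below) can be plugged in. Returns (response, forced_used).
    """
    first = send(rule_write_request(method, rule_id, False, category, body))
    if blocked_by_detectors(first) is None or not allow_force:
        return first, False
    second = send(rule_write_request(method, rule_id, True, category, body))
    return second, True


def fake_send(req):
    """Offline stand-in for the server that mirrors the two page responses."""
    return FORCED_OK if req["params"].get("forced") == "true" else REJECTED_DELETE


if __name__ == "__main__":
    print(write_rule(fake_send, "DELETE", "ZaFv1IMBdLpXWBiBa1XI"))
    print(write_rule(fake_send, "DELETE", "ZaFv1IMBdLpXWBiBa1XI", allow_force=True))
```

Because the unforced refusal arrives as status 500, a client that treats every 5xx as transient and retries would loop on it; matching the `reason` text, as `blocked_by_detectors` does, separates "in use by detectors" from a genuine server fault. Keeping `allow_force` off by default means a forced update or deletion, which changes what the dependent detectors match, is a deliberate choice recorded in the caller's code rather than a silent fallback.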