From 90131331ba27a2996328e62dca20b256b78e5480 Mon Sep 17 00:00:00 2001
From: mikiodehartj1 <113941652+mikiodehartj1@users.noreply.github.com>
Date: Wed, 28 Feb 2024 14:38:52 -0700
Subject: [PATCH] Create armis-endpoint-security moving contents of pull 103 to this branch
---
 rule-packs/armis-endpoint-security | 86 ++++++++++++++++++++++++++++++
 1 file changed, 86 insertions(+)
 create mode 100644 rule-packs/armis-endpoint-security
diff --git a/rule-packs/armis-endpoint-security b/rule-packs/armis-endpoint-security
new file mode 100644
index 0000000..e38a09c
--- /dev/null
+++ b/rule-packs/armis-endpoint-security
@@ -0,0 +1,86 @@
+[
+ {
+ "name": "armis-device-1",
+ "description": "This will find endpoints that are considered a high risk. These devices will require immediate action.",
+ "queries": [
+ {
+ "name": "query0",
+ "query": "FIND armis_device as device THAT RELATES TO armis_finding_vulnerability WITH status != 'Closed' AND numericSeverity >= 7 as vuln",
+ "version": "v1"
+ }
+ ],
+ "alertLevel": "HIGH"
+ },
+ {
+ "name": "armis-device-2",
+ "description": "This will find and alert on endpoints that have active findings of a severity of high or critical. ",
+ "queries": [
+ {
+ "name": "query0",
+ "query": "FIND armis_device as device THAT RELATES TO armis_finding_alert WITH status = 'Unhandled' AND numericSeverity >= 7 as alert",
+ "version": "v1"
+ }
+ ],
+ "alertLevel": "HIGH"
+ },
+ {
+ "name": "armis-device-3",
+ "description": "This will find and alert on endpoints that have a policy violation.",
+ "queries": [
+ {
+ "name": "query0",
+ "query": "FIND armis_device as device THAT RELATES TO armis_finding_alert WITH description ~= 'policy' AND numericSeverity >= 7 as alert",
+ "version": "v1"
+ }
+ ],
+ "alertLevel": "MEDIUM"
+ },
+ {
+ "name": "armis-vuln-1",
+ "description": "This will find and alert on new vulnerabilities that are high or critical. ",
+ "queries": [
+ {
+ "name": "query0",
+ "query": "FIND armis_finding_vulnerability WITH status != 'Closed' AND numericSeverity >= 7 as vuln",
+ "version": "v1"
+ }
+ ],
+ "alertLevel": "HIGH"
+ },
+ {
+ "name": "armis-vuln-2",
+ "description": "This will alert on vulnerabilities that have not been addressed withing 7 days of first report. ",
+ "queries": [
+ {
+ "name": "query0",
+ "query": "FIND armis_finding_vulnerability WITH status != 'Resolved' and _createdOn > date.now - 7 days",
+ "version": "v1"
+ }
+ ],
+ "alertLevel": "MEDIUM"
+ },
+ {
+ "name": "armis-alert-1",
+ "description": "This will find and report on high or critical alerts.",
+ "queries": [
+ {
+ "name": "query0",
+ "query": "FIND armis_finding_alert WITH status != 'Closed' AND numericSeverity >= 7 as vuln",
+ "version": "v1"
+ }
+ ],
+ "alertLevel": "HIGH"
+ },
+ {
+ "name": "armis-alert-2",
+ "description": "This will find and report on high or critical alerts that have not been addressed within 7 days of first report.",
+ "queries": [
+ {
+ "name": "query0",
+ "query": "FIND armis_finding_alert WITH status = 'Unhandled' and _createdOn > date.now - 7 days",
+ "version": "v1"
+ }
+ ],
+ "alertLevel": "MEDIUM"
+ },
+]