From a296b39fc20f3b9a87fcb5f6091f1768c9205a4f Mon Sep 17 00:00:00 2001
From: mikiodehartj1 <113941652+mikiodehartj1@users.noreply.github.com>
Date: Wed, 28 Feb 2024 14:40:05 -0700
Subject: [PATCH] Create trellix-endpoint-security

adding contents of pull 99 to this branch
---
 rule-packs/trellix-endpoint-security | 110 +++++++++++++++++++++++++++
 1 file changed, 110 insertions(+)
 create mode 100644 rule-packs/trellix-endpoint-security

diff --git a/rule-packs/trellix-endpoint-security b/rule-packs/trellix-endpoint-security
new file mode 100644
index 0000000..74629fb
--- /dev/null
+++ b/rule-packs/trellix-endpoint-security
@@ -0,0 +1,110 @@
+[
+ {
+ "name": "trellix-threats-1",
+ "description": "This query will return threats with an unresolved status",
+ "queries": [
+ {
+ "name": "query0",
+ "query": "FIND trellix_threat with status = 'unresolved'",
+ "version": "v1"
+ }
+ ],
+ "alertLevel": "MEDIUM"
+ },
+ {
+ "name": "trellix-threats-2",
+ "description": "This query will return unresolved threats with a criticality status of major or higher",
+ "queries": [
+ {
+ "name": "query0",
+ "query": "FIND trellix_threat with status = 'Critical' or 'Major'",
+ "version": "v1"
+ }
+ ],
+ "alertLevel": "HIGH"
+ },
+ {
+ "name": "trellix-threats-3",
+ "description": "This query will return threats that require immediate attention due to a failure to quarantine or remove",
+ "queries": [
+ {
+ "name": "query0",
+ "query": "FIND trellix_threat WHERE remediationStatus = 'removedFailed' or 'quarantineFailed'",
+ "version": "v1"
+ }
+ ],
+ "alertLevel": "MEDIUM"
+ },
+ {
+ "name": "trellix-threats-4",
+ "description": "This will return Devices that have a non-compliant software status",
+ "queries": [
+ {
+ "name": "query0",
+ "query": "FIND trellix_device THAT INSTALLED trellix_detected_application with complianceStatus = false",
+ "version": "v1"
+ }
+ ],
+ "alertLevel": "MEDIUM"
+ },
+ {
+ "name": "trellix-threats-4",
+ "description": "This will return trellix endpoints that do not have a trellix agent installed",
+ "queries": [
+ {
+ "name": "query0",
+ "query": "FIND trellix_device THAT !INSTALLED trellix_detected_application",
+ "version": "v1"
+ }
+ ],
+ "alertLevel": "MEDIUM"
+ },
+ {
+ "name": "trellix-threats-4",
+ "description": "This will return trellix endpoints that have not reported a threat in the last 2 weeks. 
This may be due to a device that is no longer active, or is reporting incorrectly.",
+ "queries": [
+ {
+ "name": "query0",
+ "query": "FIND trellix_device THAT EXPLOITS << trellix_threat WHERE createdOn > 14 days",
+ "version": "v1"
+ }
+ ],
+ "alertLevel": "INFO"
+ },
+ {
+ "name": "trellix-threats-4",
+ "description": "This will alert when a device is First Seen.",
+ "queries": [
+ {
+ "name": "query0",
+ "query": "FIND trellix_device WITH createdOn < 24 hours return device.name, device.user ",
+ "version": "v1"
+ }
+ ],
+ "alertLevel": "INFO"
+ },
+ {
+ "name": "trellix-threats-4",
+ "description": "All devices should be under a group. This will notifiy if a trellix device is not associated with a trellix group",
+ "queries": [
+ {
+ "name": "query0",
+ "query": "FIND trellix_device THAT !ASSIGNED trellix_group",
+ "version": "v1"
+ }
+ ],
+ "alertLevel": "MEDIUM"
+ },
+ {
+ "name": "trellix-threats-4",
+ "description": "Look for potential Expired API keys.",
+ "queries": [
+ {
+ "name": "query0",
+ "query": "FIND (trellix_apiKey|trellix_mobileApiKey) WITH expiredOn = true OR startDate > 365 days",
+ "version": "v1"
+ }
+ ],
+ "alertLevel": "MEDIUM"
+ }
+]
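Review bot: Six of the nine rule objects in the hunk (the fourth through the ninth) carry the same `"name": "trellix-threats-4"`, so any consumer that keys rules by name will keep one and silently drop the agent-coverage, stale-device, first-seen, group-membership and API-key checks; number them `trellix-threats-5` through `trellix-threats-9`. Two queries compare a property against a bare second literal, `status = 'Critical' or 'Major'` and `remediationStatus = 'removedFailed' or 'quarantineFailed'`, which at best matches only the first value and at worst fails to parse, so each alternative needs its own comparison, e.g. `remediationStatus = 'removedFailed' OR remediationStatus = 'quarantineFailed'`. Several descriptions also promise more than their query checks: `trellix-threats-2` says "unresolved" but never filters on the status value that the first rule uses, the fifth rule says "no agent installed" but tests `trellix_detected_application`, and the relative-date filters (`createdOn > 14 days`, `createdOn < 24 hours`, `startDate > 365 days`) and the un-aliased `return device.name, device.user` look like they need the query language's date-arithmetic and alias forms — worth running each query once before merging, since an always-empty result here is a silently missed alert rather than an error. The sixth description appears to break across two lines ("...last 2 weeks. / This may be..."); if that is a raw newline inside the string the file is not valid JSON and it should be joined or escaped as `\n`. The new file also has no `.json` extension, which may matter if the rule-pack loader selects files by extension.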