Deprecation Notice to Cloud Defend Rules

shashank-elastic · shashank-elastic · commit c588b9f0626c · 2025-03-06T14:11:59.000+05:30
diff --git a/rules/integrations/cloud_defend/container_workload_protection.toml b/rules/integrations/cloud_defend/container_workload_protection.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/04/05"
 integration = ["cloud_defend"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/06"
 
 [rule]
 author = ["Elastic"]
@@ -16,7 +16,7 @@ index = ["logs-cloud_defend.alerts-*"]
 language = "kuery"
 license = "Elastic License v2"
 max_signals = 10000
-name = "Container Workload Protection"
+name = "Deprecated - Container Workload Protection"
 risk_score = 47
 rule_id = "4b4e9c99-27ea-4621-95c8-82341bc6e512"
 rule_name_override = "message"
diff --git a/rules/integrations/cloud_defend/credential_access_aws_creds_search_inside_a_container.toml b/rules/integrations/cloud_defend/credential_access_aws_creds_search_inside_a_container.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/06/28"
 integration = ["cloud_defend"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/06"
 
 [rule]
 author = ["Elastic"]
@@ -16,7 +16,7 @@ index = ["logs-cloud_defend*"]
 interval = "5m"
 language = "eql"
 license = "Elastic License v2"
-name = "AWS Credentials Searched For Inside A Container"
+name = "Deprecated - AWS Credentials Searched For Inside A Container"
 references = ["https://sysdig.com/blog/threat-detection-aws-cloud-containers/"]
 risk_score = 47
 rule_id = "d0b0f3ed-0b37-44bf-adee-e8cb7de92767"
diff --git a/rules/integrations/cloud_defend/credential_access_collection_sensitive_files_compression_inside_a_container.toml b/rules/integrations/cloud_defend/credential_access_collection_sensitive_files_compression_inside_a_container.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/05/12"
 integration = ["cloud_defend"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/06"
 
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@ index = ["logs-cloud_defend*"]
 interval = "5m"
 language = "eql"
 license = "Elastic License v2"
-name = "Sensitive Files Compression Inside A Container"
+name = "Deprecated - Sensitive Files Compression Inside A Container"
 risk_score = 47
 rule_id = "475b42f0-61fb-4ef0-8a85-597458bfb0a1"
 severity = "medium"
diff --git a/rules/integrations/cloud_defend/credential_access_sensitive_keys_or_passwords_search_inside_a_container.toml b/rules/integrations/cloud_defend/credential_access_sensitive_keys_or_passwords_search_inside_a_container.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/05/12"
 integration = ["cloud_defend"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/06"
 
 [rule]
 author = ["Elastic"]
@@ -16,7 +16,7 @@ index = ["logs-cloud_defend*"]
 interval = "5m"
 language = "eql"
 license = "Elastic License v2"
-name = "Sensitive Keys Or Passwords Searched For Inside A Container"
+name = "Deprecated - Sensitive Keys Or Passwords Searched For Inside A Container"
 references = ["https://sysdig.com/blog/cve-2021-25741-kubelet-falco/"]
 risk_score = 47
 rule_id = "9661ed8b-001c-40dc-a777-0983b7b0c91a"
diff --git a/rules/integrations/cloud_defend/defense_evasion_ld_preload_shared_object_modified_inside_a_container.toml b/rules/integrations/cloud_defend/defense_evasion_ld_preload_shared_object_modified_inside_a_container.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/06/06"
 integration = ["cloud_defend"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/06"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ index = ["logs-cloud_defend*"]
 interval = "5m"
 language = "eql"
 license = "Elastic License v2"
-name = "Modification of Dynamic Linker Preload Shared Object Inside A Container"
+name = "Deprecated - Modification of Dynamic Linker Preload Shared Object Inside A Container"
 references = [
     "https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/",
     "https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang/",
diff --git a/rules/integrations/cloud_defend/discovery_suspicious_network_tool_launched_inside_a_container.toml b/rules/integrations/cloud_defend/discovery_suspicious_network_tool_launched_inside_a_container.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/04/26"
 integration = ["cloud_defend"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/06"
 
 [rule]
 author = ["Elastic"]
@@ -24,7 +24,7 @@ index = ["logs-cloud_defend*"]
 interval = "5m"
 language = "eql"
 license = "Elastic License v2"
-name = "Suspicious Network Tool Launched Inside A Container"
+name = "Deprecated - Suspicious Network Tool Launched Inside A Container"
 risk_score = 47
 rule_id = "1a289854-5b78-49fe-9440-8a8096b1ab50"
 severity = "medium"
diff --git a/rules/integrations/cloud_defend/execution_container_management_binary_launched_inside_a_container.toml b/rules/integrations/cloud_defend/execution_container_management_binary_launched_inside_a_container.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/04/26"
 integration = ["cloud_defend"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/06"
 
 [rule]
 author = ["Elastic"]
@@ -24,7 +24,7 @@ index = ["logs-cloud_defend*"]
 interval = "5m"
 language = "eql"
 license = "Elastic Licence v2"
-name = "Container Management Utility Run Inside A Container"
+name = "Deprecated - Container Management Utility Run Inside A Container"
 risk_score = 21
 rule_id = "6c6bb7ea-0636-44ca-b541-201478ef6b50"
 severity = "low"
diff --git a/rules/integrations/cloud_defend/execution_file_made_executable_via_chmod_inside_a_container.toml b/rules/integrations/cloud_defend/execution_file_made_executable_via_chmod_inside_a_container.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/04/26"
 integration = ["cloud_defend"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/06"
 
 [rule]
 author = ["Elastic"]
@@ -16,7 +16,7 @@ index = ["logs-cloud_defend*"]
 interval = "5m"
 language = "eql"
 license = "Elastic License v2"
-name = "File Made Executable via Chmod Inside A Container"
+name = "Deprecated - File Made Executable via Chmod Inside A Container"
 risk_score = 47
 rule_id = "ec604672-bed9-43e1-8871-cf591c052550"
 severity = "medium"
diff --git a/rules/integrations/cloud_defend/execution_interactive_exec_to_container.toml b/rules/integrations/cloud_defend/execution_interactive_exec_to_container.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/05/12"
 integration = ["cloud_defend"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/06"
 
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ index = ["logs-cloud_defend*"]
 interval = "5m"
 language = "eql"
 license = "Elastic License v2"
-name = "Interactive Exec Command Launched Against A Running Container"
+name = "Deprecated - Interactive Exec Command Launched Against A Running Container"
 references = [
     "https://kubernetes.io/docs/tasks/debug/debug-application/debug-running-pod/",
     "https://kubernetes.io/docs/tasks/debug/debug-application/get-shell-running-container/",
diff --git a/rules/integrations/cloud_defend/execution_interactive_shell_spawned_from_inside_a_container.toml b/rules/integrations/cloud_defend/execution_interactive_shell_spawned_from_inside_a_container.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/04/26"
 integration = ["cloud_defend"]
 maturity = "production"
-updated_date = "2025/02/04"
+updated_date = "2025/02/06"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,7 @@ index = ["logs-cloud_defend*"]
 interval = "5m"
 language = "eql"
 license = "Elastic License v2"
-name = "Suspicious Interactive Shell Spawned From Inside A Container"
+name = "Deprecated - Suspicious Interactive Shell Spawned From Inside A Container"
 risk_score = 73
 rule_id = "8d3d0794-c776-476b-8674-ee2e685f6470"
 severity = "high"
diff --git a/rules/integrations/cloud_defend/execution_netcat_listener_established_inside_a_container.toml b/rules/integrations/cloud_defend/execution_netcat_listener_established_inside_a_container.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/04/26"
 integration = ["cloud_defend"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/06"
 
 [rule]
 author = ["Elastic"]
@@ -24,7 +24,7 @@ index = ["logs-cloud_defend*"]
 interval = "5m"
 language = "eql"
 license = "Elastic License v2"
-name = "Netcat Listener Established Inside A Container"
+name = "Deprecated - Netcat Listener Established Inside A Container"
 risk_score = 73
 rule_id = "a52a9439-d52c-401c-be37-2785235c6547"
 severity = "high"
diff --git a/rules/integrations/cloud_defend/initial_access_ssh_connection_established_inside_a_container.toml b/rules/integrations/cloud_defend/initial_access_ssh_connection_established_inside_a_container.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/05/12"
 integration = ["cloud_defend"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/06"
 
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,7 @@ index = ["logs-cloud_defend*"]
 interval = "5m"
 language = "eql"
 license = "Elastic License v2"
-name = "SSH Connection Established Inside A Running Container"
+name = "Deprecated - SSH Connection Established Inside A Running Container"
 references = [
     "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/SSH%20server%20running%20inside%20container/",
 ]
diff --git a/rules/integrations/cloud_defend/lateral_movement_ssh_process_launched_inside_a_container.toml b/rules/integrations/cloud_defend/lateral_movement_ssh_process_launched_inside_a_container.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/05/12"
 integration = ["cloud_defend"]
 maturity = "production"
-updated_date = "2025/02/04"
+updated_date = "2025/02/06"
 
 [rule]
 author = ["Elastic"]
@@ -23,7 +23,7 @@ index = ["logs-cloud_defend*"]
 interval = "5m"
 language = "eql"
 license = "Elastic License v2"
-name = "SSH Process Launched From Inside A Container"
+name = "Deprecated - SSH Process Launched From Inside A Container"
 references = [
     "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/SSH%20server%20running%20inside%20container/",
     "https://www.blackhillsinfosec.com/sshazam-hide-your-c2-inside-of-ssh/",
diff --git a/rules/integrations/cloud_defend/persistence_ssh_authorized_keys_modification_inside_a_container.toml b/rules/integrations/cloud_defend/persistence_ssh_authorized_keys_modification_inside_a_container.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/05/12"
 integration = ["cloud_defend"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/06"
 
 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ index = ["logs-cloud_defend*"]
 interval = "5m"
 language = "eql"
 license = "Elastic License v2"
-name = "SSH Authorized Keys File Modified Inside a Container"
+name = "Deprecated - SSH Authorized Keys File Modified Inside a Container"
 risk_score = 73
 rule_id = "f7769104-e8f9-4931-94a2-68fc04eadec3"
 severity = "high"
diff --git a/rules/integrations/cloud_defend/privilege_escalation_debugfs_launched_inside_a_privileged_container.toml b/rules/integrations/cloud_defend/privilege_escalation_debugfs_launched_inside_a_privileged_container.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/10/26"
 integration = ["cloud_defend"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/06"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ index = ["logs-cloud_defend*"]
 interval = "5m"
 language = "eql"
 license = "Elastic License v2"
-name = "File System Debugger Launched Inside a Privileged Container"
+name = "Deprecated - File System Debugger Launched Inside a Privileged Container"
 references = [
     "https://cyberark.wistia.com/medias/ygbzkzx93q?wvideo=ygbzkzx93q",
     "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation#privileged",
diff --git a/rules/integrations/cloud_defend/privilege_escalation_mount_launched_inside_a_privileged_container.toml b/rules/integrations/cloud_defend/privilege_escalation_mount_launched_inside_a_privileged_container.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/10/26"
 integration = ["cloud_defend"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/06"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ index = ["logs-cloud_defend*"]
 interval = "5m"
 language = "eql"
 license = "Elastic License v2"
-name = "Mount Launched Inside a Privileged Container"
+name = "Deprecated - Mount Launched Inside a Privileged Container"
 references = [
     "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation#privileged",
 ]
diff --git a/rules/integrations/cloud_defend/privilege_escalation_potential_container_escape_via_modified_notify_on_release_file.toml b/rules/integrations/cloud_defend/privilege_escalation_potential_container_escape_via_modified_notify_on_release_file.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/10/26"
 integration = ["cloud_defend"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/06"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ index = ["logs-cloud_defend*"]
 interval = "5m"
 language = "eql"
 license = "Elastic License v2"
-name = "Potential Container Escape via Modified notify_on_release File"
+name = "Deprecated - Potential Container Escape via Modified notify_on_release File"
 references = [
     "https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/",
     "https://sysdig.com/blog/detecting-mitigating-cve-2022-0492-sysdig/",
diff --git a/rules/integrations/cloud_defend/privilege_escalation_potential_container_escape_via_modified_release_agent_file.toml b/rules/integrations/cloud_defend/privilege_escalation_potential_container_escape_via_modified_release_agent_file.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/10/26"
 integration = ["cloud_defend"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/06"
 
 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ index = ["logs-cloud_defend*"]
 interval = "5m"
 language = "eql"
 license = "Elastic License v2"
-name = "Potential Container Escape via Modified release_agent File"
+name = "Deprecated - Potential Container Escape via Modified release_agent File"
 references = [
     "https://blog.aquasec.com/threat-alert-container-escape",
     "https://sysdig.com/blog/detecting-mitigating-cve-2022-0492-sysdig/",
