4980a3b50c
[Rule Tuning] PowerShell Rules Revamp - 8 ( #5705 )
...
* [Rule Tuning] PowerShell Rules Revamp - 8
* update disclaimer
* Apply suggestion from @w0rk3r
* Update rules/windows/execution_posh_psreflect.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com >
* Apply suggestion from @w0rk3r
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com >
2026-02-11 16:32:04 -03:00
e8c54169a4
Prep main for 9.1 ( #4555 )
...
* Prep for Release 9.1
* Update Patch Version
* Update Patch version
* Update Patch version
2025-03-26 11:04:14 -04:00
818467f132
Replace master doc URLs with current ( #4439 )
2025-02-03 21:27:50 +05:30
92fe46b8ff
Fix Minstack version for windows integration ( #4214 )
2024-10-28 19:28:10 +05:30
63e91c2f12
Back-porting Version Trimming ( #3704 )
2024-05-23 00:45:10 +05:30
2c3dbfc039
Revert "Back-porting Version Trimming ( #3681 )"
...
This reverts commit 71d2c59b5c
2024-05-22 13:51:46 -05:00
71d2c59b5c
Back-porting Version Trimming ( #3681 )
2024-05-23 00:11:50 +05:30
f5254f3b5e
[Rule Tuning] Improve Compatibility in WIndows Detection Rules - Part 1 ( #3501 )
...
* Initial commit
* Date bump
2024-03-13 10:27:44 -03:00
458e67918a
[Security Content] Small tweaks on the setup guides ( #3308 )
...
* [Security Content] Small tweaks on the setup guides
* Additional Fixes
* Avoid touching deprecated rules
2024-03-11 09:09:40 -03:00
a568c56bc1
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform ( #3157 )
2023-10-30 16:53:04 +05:30
f584fb6e31
[Security Content] Adjust Mitre Att&ck Mappings - Windows Rules ( #3165 )
...
* [Security Content] Adjust Mitre Att&ck Mappings - Windows Rules
* Fix dates
* Fix unit test errors
* updated tags and fixed branch conflicts
updated tags and fixed branch conflicts
* description nit
* Reverting unintended changes
* Update initial_access_suspicious_ms_office_child_process.toml
---------
Co-authored-by: imays11 <59296946+imays11@users.noreply.github.com >
2023-10-15 18:12:20 -03:00
b4c84e8a40
[Security Content] Tags Reform ( #2725 )
...
* Update Tags
* Bump updated date separately to be easy to revert if needed
* Update resource_development_ml_linux_anomalous_compiler_activity.toml
* Apply changes from the discussion
* Update persistence_init_d_file_creation.toml
* Update defense_evasion_timestomp_sysmon.toml
* Update defense_evasion_application_removed_from_blocklist_in_google_workspace.toml
* Update missing Tactic tags
* Update unit tests to match new tags
* Add missing IG tags
* Delete okta_threat_detected_by_okta_threatinsight.toml
* Update command_and_control_google_drive_malicious_file_download.toml
* Update persistence_rc_script_creation.toml
* Mass bump
* Update persistence_shell_activity_by_web_server.toml
* .
---------
Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2023-06-22 18:38:56 -03:00
411ec36ff0
Validate markdown plugin fields ( #2602 )
2023-03-28 09:17:50 -04:00
59da2da474
[Rule Tuning] Ensure host information is in endpoint rule queries ( #2593 )
...
* add unit tests to ensure host type and platform are included
* add host.os.name 'linux' to all linux rules
* add host.os.name macos to mac rules
* add host.os.name to windows rules; fix linux dates
* update from host.os.name to host.os.type
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-03-05 11:41:19 -07:00
1a4510c9d4
[Security Content] Add Investigation Guides to Windows Rules - 2 ( #2534 )
...
* [Security Content] Add Investigation Guides to Windows Rules - 2
* tags
* Adjust some phrasing based on the review
* Update credential_access_bruteforce_admin_account.toml
* Missing Osquery Note
* Missing note
2023-03-01 21:23:09 -03:00
f17b6f1702
[Security Content] Fix verbiage used on Osquery Note ( #2513 )
...
* [Security Content] Fix verbiage used on Osquery Note
* Adjust verbiage
* date bump
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2023-02-22 12:33:23 -03:00
4124a82496
[Rule Tuning] Exclude SYSTEM user.id from PowerShell Script Block rules ( #2449 )
...
* [Rule Tuning] Exclude SYSTEM user.id from PowerShell Script Block rules
* Update privilege_escalation_posh_token_impersonation.toml
* Update privilege_escalation_posh_token_impersonation.toml
* Adjust severity
2023-01-10 09:37:07 -03:00
7725e32126
[Security Content] Fix Osquery Markdown Plugin Escaped queries ( #2447 )
...
* [Security Content] Fix Osquery Markdown Plugin Escaped queries
* Re-add line
* Update credential_access_credential_dumping_msbuild.toml
* Update command_and_control_common_webservices.toml
2023-01-09 14:45:31 -03:00
9981cca275
[Security Content] Investigation Guides Line breaks refactor ( #2454 )
...
* [Security Content] Investigation Guides Line breaks refactor (#2412 )
* [Security Content] Investigation Guides Line break refactor
* undo updated_date bump on deprecated rules
* Remove duplicated key
* Remove changes to deprecated rules
* Update command_and_control_certutil_network_connection.toml
2023-01-09 13:28:10 -03:00
b1a689b6fd
Revert "[Security Content] Investigation Guides Line breaks refactor ( #2412 )" ( #2453 )
...
This reverts commit d1481e1a88
2023-01-09 10:44:54 -05:00
d1481e1a88
[Security Content] Investigation Guides Line breaks refactor ( #2412 )
...
* [Security Content] Investigation Guides Line break refactor
* undo updated_date bump on deprecated rules
* Remove duplicated key
2023-01-09 11:56:39 -03:00
4312d8c958
[FR] Add Endpoint, APM and Windows Integration Tags to Rules and Supportability ( #2429 )
...
* initial commit
* addressing flake errors
* added apm to _get_packagted_integrations logic
* addressed flake errors
* adjusted integration schema and updated rules to be a list
* updated several rules and removed a unit test
* updated rules with logs-* only index patterns
* Update tests/test_all_rules.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
* addressed flake errors
* integration is none is windows, endpoint or apm
* adding rules with accepted incoming changes from main
* fixed tag and tactic alignment errors from unit testing
* adjusted unit testing logic for integration tags; added more exclusion rules
* adjusted test_integration logic to be rule resistent and skip if -8.3
* adjusted comments for unit test skip
* fixed merge conflicts from main
* changing test_integration_tag to remove logic for rule version comparisons
* added integration tag to new rule
* adjusted rules updated_date value
* ignore guided onboarding rule in unit tests
* added integration tag to new rule
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2023-01-04 09:30:07 -05:00
ac01718bb6
[Rule Tuning] Add tags to flag Sysmon-only rules & Modify Investigation Guide-related tag ( #2352 )
...
* [Rule Tuning] Add tags to flag Sysmon-only rules
* Modify tags
* Revert "Modify tags"
This reverts commit 3d9267d171a41f727bb499501d71d5c4db4f0434.
* Modify tags
* Update test_all_rules.py
* Update test_all_rules.py
* Update test_all_rules.py
* Update test_all_rules.py
* Update test_all_rules.py
2022-11-18 12:32:27 -03:00
6055d0db60
[Security Content] Introduce Osquery Markdown Plugin Queries in Investigation Guides ( #2387 )
...
* [Security Content] Introduce Osquery Markdown Plugin Queries in Investigation Guides
* Remove min_stack and add Note
* Fix Typo and preffix
* Update command_and_control_certutil_network_connection.toml
* Add unit test to check Note about Osquery Markdown plugin and Version limitations
* Update test_all_rules.py
* Update test_all_rules.py
* Change Note Verbiage
2022-11-17 18:38:34 -03:00
f02ffbbe13
[Security Content] Add Investigation Guides - 8.5 ( #2305 )
...
* [Security Content] Add Investigation Guides - 8.5
* Update persistence_run_key_and_startup_broad.toml
* Apply suggestions from security-docs review review
* Update execution_suspicious_jar_child_process.toml
* Apply suggestions from review
2022-09-23 18:44:24 -03:00
ec04a39413
[Security Content] Tag rules with robust Investigation Guides ( #2297 )
2022-09-23 14:20:32 -03:00
46d5e37b76
min_stack all rules to 8.3 ( #2259 )
...
* min_stack all rules to 8.3
* bump date
Co-authored-by: Mika Ayenson <mika.ayenson@elastic.co >
2022-08-24 10:38:49 -06:00
a52751494e
2058 add setup field to metadata ( #2061 )
...
* Convert config header to setup in note field
* Parse note field into separate setup and note field with marko gfm
* only validate and parse note on elastic authored rules and add CLI description for new DR_BYPASS_NOTE_VALIDATION_AND_PARSE environment variable
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com >
2022-07-18 15:41:32 -04:00
817b97f428
[Security Content] Refactor Existing Investigation Guides ( #1959 )
...
* Initial commit
* Update Investigation guides - security-docs review
* Update command_and_control_dns_tunneling_nslookup.toml
* Update defense_evasion_amsienable_key_mod.toml
* Apply security-docs review
* Remove dot
* Update rules/windows/command_and_control_rdp_tunnel_plink.toml
Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com >
* Apply changes from review
* Apply the suggestion
Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com >
2022-05-18 12:59:39 -03:00
8a59b49fea
[Security Content] Adjust Investigation Guides to be less generic ( #1805 )
...
* PowerShell Suspicious Script with Audio Capture Capabilities
* PowerShell Keylogging Script
* PowerShell MiniDump Script
* Potential Process Injection via PowerShell
* PowerShell Suspicious Discovery Related Windows API Functions
* Suspicious Portable Executable Encoded in Powershell Script
* PowerShell PSReflect Script
* Startup/Logon Script added to Group Policy Object
* Group Policy Abuse for Privilege Addition
* Scheduled Task Execution at Scale via GPO
* Apply suggestions from code review
Co-authored-by: benironside <91905639+benironside@users.noreply.github.com >
Co-authored-by: Joe Peeples <joe.peeples@elastic.co >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Apply suggestions from code review
Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com >
Co-authored-by: benironside <91905639+benironside@users.noreply.github.com >
* Adjust Posh desc
* .
* Apply suggestions from code review
Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com >
* .
* Apply suggestions from code review
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
* Update privilege_escalation_group_policy_scheduled_task.toml
* Update rules/windows/privilege_escalation_group_policy_iniscript.toml
Co-authored-by: Joe Peeples <joe.peeples@elastic.co >
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: benironside <91905639+benironside@users.noreply.github.com >
Co-authored-by: Joe Peeples <joe.peeples@elastic.co >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2022-03-31 11:29:30 -03:00
1c50f35aed
[Security Content] Update rules based on docs review ( #1803 )
...
* Adds suggestions from security-docs
* Update rules/windows/lateral_movement_powershell_remoting_target.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2022-03-01 21:39:30 -03:00
dec4243db0
[Rule Tuning] Update rules based on docs review ( #1778 )
...
* Update rules based on docs review
* trivial change to trigger CLA
* undo changes from triggering build
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2022-02-16 07:42:06 -09:00
49854aaae2
[Rule Tuning] Add Investigation Guides, Config/Logging Policy to PowerShell merged rules ( #1610 )
...
* Add Investigation Guide and config to Suspicious Portable Executable Encoded in Powershell Script
* Add Investigation Guide and config to "PowerShell Suspicious Discovery Related Windows API Functions" rule
* Add Investigation Guide and Config to "PowerShell MiniDump Script" rule
* Add logging policy reference
* Add Investigation Guide/Config to "PowerShell Suspicious Script with Audio Capture Capabilities"
* Add Related Rules GUIDs
* Add Investigation Guide/config for "Potential Process Injection via PowerShell"
* Adjust Response and remediation
* Add Investigation Guide/config for "PowerShell Keylogging Script"
* bump updated_date
* Apply suggestions from Samir
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Apply suggestions
* Revise line from investigation guides
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2022-01-20 08:56:53 -03:00
851c566730
[Rule Tuning] Replaces event.code with event.category on PowerShell ScriptBlock Rules ( #1620 )
...
* Replaces event.code with event.category
* bump updated_date
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2021-12-07 21:32:39 -09:00
14c46f50b9
[Rule Tuning] updates from documentation review for 7.16 ( #1645 )
2021-12-07 15:42:58 -09:00
f50fb1d61b
[New Rule] Suspicious Portable Executable Encoded in Powershell Script ( #1562 )
...
* Create execution_posh_portable_executable.toml
* Add wildcard
* Remove the wildcard
* Update rules/windows/execution_posh_portable_executable.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2021-10-18 17:50:16 -03:00
Jonhnathan