904e37b732
[New Rule] GitHub Protected Branch Settings Changed ( #3054 )
...
* new rule file
* testing query change
* query changed back
* Update rules/integrations/github/defense_evasion_github_protected_branch_settings_changed.toml
updates based on review
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* updated integration manifests with github schema
* Update defense_evasion_github_protected_branch_settings_changed.toml
added event.dataset to query
* added timestamp_override
* changed timestamp_override to @timestamp
* changed timestamp_override
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
2023-09-14 17:16:51 -04:00
af99186992
[New Rule] New BBR Rules - Part 3 ( #3034 )
...
* [New Rule] New BBR Rules - Part 3
* Apply suggestions from code review
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2023-09-12 21:28:01 -03:00
87af5b43ba
Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10 ( #3079 )
...
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10
* Update detection_rules/etc/version.lock.json
---------
Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2023-09-06 13:21:22 -04:00
6d7df50d78
[New Rule] Suspicious WMI Event Subscription Created ( #1860 )
...
* Suspicious WMI Event Subscription Initial rule
* Use EQL sequence
* Update non-ecs-schema
* Update persistence_sysmon_wmi_event_subscription.toml
* update description
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* update query too look for even code 21 only
* update to case sensitive compare
* Update rules/windows/persistence_sysmon_wmi_event_subscription.toml
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
* Update persistence_sysmon_wmi_event_subscription.toml
* Update non-ecs-schema.json
* Update rules/windows/persistence_sysmon_wmi_event_subscription.toml
* Update non-ecs-schema.json
* Update persistence_sysmon_wmi_event_subscription.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2023-08-29 16:42:19 -03:00
9144dc0448
[New Rule] Building Block Rules - Part 2 ( #2923 )
...
* [New Rule] Building Block Rules - Part 2
* .
* Update rules_building_block/defense_evasion_dll_hijack.toml
* Update rules_building_block/defense_evasion_file_permission_modification.toml
* Update rules_building_block/discovery_posh_password_policy.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-08-17 13:00:50 -03:00
4cf70654ad
Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10 ( #3019 )
...
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10
* Update detection_rules/etc/deprecated_rules.json
* Update detection_rules/etc/deprecated_rules.json
---------
Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2023-08-17 09:09:05 -04:00
08b646aa94
[FR] 8.10 Release Preparation and Update Main Branch to 8.11 ( #3012 )
...
* prepping for 8.11 branch
* fixed lint errors
* added 8.11 to stack schema map
* trimmed version lock file; adjusted new terms validation
* reverting changes to version lock, stack schema and workflow
2023-08-16 14:23:44 -04:00
1cb5c174ce
Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9 ( #2988 )
...
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9
* Update detection_rules/etc/version.lock.json
* Update detection_rules/etc/version.lock.json
---------
Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2023-08-01 10:12:29 -04:00
b330cf9438
[New Rule] Pspy Process Monitoring Detected ( #2945 )
...
* [New Rule] Pspy Process Monitoring Detected
* Update rules/linux/discovery_pspy_process_monitoring_detected.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/discovery_pspy_process_monitoring_detected.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/discovery_pspy_process_monitoring_detected.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-07-26 15:58:33 +02:00
9414095d96
Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9 ( #2921 )
...
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9
* adding newline to start CI
* removing newline
---------
Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com >
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co >
2023-07-11 19:57:02 -04:00
d9bc209c76
Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9 ( #2892 )
...
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9
* Update detection_rules/etc/version.lock.json
---------
Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2023-06-29 12:25:51 -04:00
35d373b2bd
[FR] 8.9 Release Preparation and Update Main Branch to 8.10 ( #2891 )
...
* adding new branch and refreshed schema
* fixed flake errors
2023-06-29 11:39:11 -04:00
73970eb2f2
[FR] Add Support for Multi-Fields and Validation in Rules ( #2882 )
2023-06-28 20:35:33 -04:00
90c79a8283
[Proposal] Break Threat Intel Indicator Match rules into Indicator-type rules ( #2777 )
...
* [Proposal] [DRAFT] Break Threat Intel Indicator Match rules into Indicator-type rules
* .
* Update threat_intel_indicator_match_hash.toml
* Update to include expiring rules, exclude expiring indexes
* .
* Apply suggestions from code review
* Push changes
* Update pyproject.toml
* Revert "Update pyproject.toml"
This reverts commit 17cfafbd96f337df756d87909d2478545ac9efe7.
* Update pyproject.toml
* Update integration-schemas.json.gz
* Revert "Update integration-schemas.json.gz"
This reverts commit 7dc19b7ccbf41f34b94d02b0ed702bd83df82f9d.
* Revert integrations-manifests to the one from main
* Fix maturity
* Update Name
* Update ignore_ids with the indicator rules guid
* Update rules/cross-platform/threat_intel_indicator_match_registry_expiring.toml
* Update rules/cross-platform/threat_intel_indicator_match_address_expiring.toml
* Update rules/cross-platform/threat_intel_indicator_match_hash_expiring.toml
* Update rules/cross-platform/threat_intel_indicator_match_url_expiring.toml
* Make changes to use labels
* Update non-ecs-schema.json
* Update rules/cross-platform/threat_intel_fleet_integrations.toml
* Apply suggestions from code review
* Backport to 8.5
* Fix Rule threat filters, add tags, and compatibility with process and dll fields for hash indicators
* Update threat_intel_indicator_match_hash.toml
* Update threat_intel_indicator_match_url.toml
* Update threat_intel_indicator_match_url.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2023-06-28 10:22:24 -03:00
c94c79ba77
Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8 ( #2883 )
...
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8
* Update detection_rules/etc/version.lock.json
---------
Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2023-06-27 12:00:19 -04:00
48cf95c8eb
[Rule Tuning] Change Network Rules to Use Network Packet Capture Integration ( #2665 )
...
* updated indexes and updated dates
* added network_traffic integration tag to rules
* reverting changes to resolve conflicts
* metadata changes; indexes changed; schemas and manifest updated
* updated default telnet port connection rule
* updating integration manifests
* adjusted rules; updated integrations; deduplicate packages
2023-06-26 17:35:49 -04:00
01334a28bd
Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8 ( #2853 )
...
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8
* Update detection_rules/etc/version.lock.json
---------
Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2023-06-13 09:48:24 -04:00
8db42da040
Limit backports to 8.3+ ( #2450 )
...
* Drop Rule Support for Outdated Stack Versions Less Than 8.3
* changed version lock key assignment logic and updated version lock file
* added comment to stack-schema-map file
* changed version lock key assignment logic to use custom Version method)
* Update detection_rules/devtools.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
* reverting version lock file to original
* updated version lock from adjusted comparison logic of stack versions
* updated logic in devtools; removed < 8.3.0 in version lock file
* trimmed lock version before merge
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2023-06-12 12:51:40 -04:00
cc377b6634
Lock versions for releases: 7.16,8.0,8.1,8.2,8.3,8.4,8.5,8.6,8.7,8.8 ( #2824 )
...
* Locked versions for releases: 7.16,8.0,8.1,8.2,8.3,8.4,8.5,8.6,8.7,8.8
* Update detection_rules/etc/version.lock.json
---------
Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2023-05-31 12:42:12 -04:00
e0ceb5a434
adjust integrations file; add option for single integration update ( #2816 )
2023-05-31 11:00:58 -04:00
836c803e9d
Lock versions for releases: 7.16,8.0,8.1,8.2,8.3,8.4,8.5,8.6,8.7,8.8 ( #2797 )
...
* Locked versions for releases: 7.16,8.0,8.1,8.2,8.3,8.4,8.5,8.6,8.7,8.8
* kicking off testing
---------
Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2023-05-17 12:16:54 -04:00
24974108f3
updated ATT&CK 13.0 to 13.1 ( #2795 )
2023-05-16 11:01:52 -04:00
81bef59236
[FR] Generate mdx docs ( #2718 )
2023-05-03 16:27:30 -04:00
d5350ae6e0
[New Rule] Commonly Abused Remote Access Tool Downloaded (New Terms) ( #2685 )
...
* adding initial rule
* changed new terms to host.id
* removed windows integration tag
* removed windows integration tag
* changed rule to be process started related
* rule linted
* updating description
* Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml
* added process.name.caseless to non-ecs.json
* removed host type related to #2761
* added host.os.type
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-05-02 23:09:17 -04:00
e55679059b
updating att&ck to 13.0 ( #2755 )
2023-05-02 11:17:38 -04:00
792da36fb9
[Bug] Add Cloud Defend to definitions.NON_DATASET_PACKAGES ( #2764 )
...
* updating code to include cloud defend package
* updated integration manifests and schemas
2023-04-28 11:23:48 -04:00
e254816068
Lock versions for releases: 7.16,8.0,8.1,8.2,8.3,8.4,8.5,8.6,8.7,8.8 ( #2748 )
...
* Locked versions for releases: 7.16,8.0,8.1,8.2,8.3,8.4,8.5,8.6,8.7,8.8
* kicking off testing
* removed change to kickoff testing
---------
Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com >
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co >
2023-04-25 13:42:38 -04:00
fadb5c2343
[FR] 8.8 Release Preparation and Update Main Branch to 8.9 ( #2734 )
...
* [FR] 8.8 Release Preparation and Update Main Branch to 8.9
* fixed flake errors
2023-04-24 10:13:07 -04:00
8ef2f6557b
Patch to allow integration validation if ECS/beats fails ( #2701 )
...
* Updated for AND logic
* Added case for no package_intregrations
* Fixed linting
* Added unit test for new functionality
* Fixed linting
* Added valid query tests
* Add unit test for event.dataset
* Switched type calls to isinstance calls
* Removed unused stack validation call
* Added additional error type
* Fixed linting
* Cleaned up error handling
* fixed linting
* Added proper type hints
* Fixed typo in Unions
* Updated unit test with additional test cases
* Updated test_invalid_queries unit test
* Fixed linting
* Added kql to unit tests
* Updated tests
* Fixed error handling
* Fixed style issues
* updating integration manifests and schemas
---------
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2023-04-18 15:43:35 -04:00
894e34f82c
[Bug] Add new-package argument to bump-pkg-versions CLI ( #2703 )
...
* initial changes to release fleet workflow and CLI
* changed the default value of package version for 8.8
* changed how true/false is passed into CLI command
* reverted changes to packages.yml
2023-04-12 13:48:58 -04:00
d6f277e379
[New Rule] Google Workspace New OAuth Login from Third-Party Application ( #2677 )
...
* adding new rule 'Google Workspace New OAuth Login from Custom Application'
* changed name and 'custom' to 'third-party'
* Update rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml
* Update rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml
* updated non-ecs
2023-04-12 09:40:31 -04:00
4511ab0666
[Rule Tuning] Add Sequence for OAuth Authorization to Custom App - Google Workspace ( #2674 )
...
* tuning rule to add token sequence
* updated date
* updated non-ecs, integration schemas and manifests
* added investigation guide
* Updating note
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* updating note
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* updated false positive description
* updating manifest and schemas with main to resolve conflicts
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
2023-04-12 09:15:58 -04:00
e9ebb1f2d8
[Bug] Rename 8.7 schemas from *.master and strip build time fields ( #2707 )
2023-04-11 10:56:20 -04:00
6edfb32160
Lock versions for releases: 7.16,8.0,8.1,8.2,8.3,8.4,8.5,8.6,8.7 ( #2702 )
...
* Locked versions for releases: 7.16,8.0,8.1,8.2,8.3,8.4,8.5,8.6,8.7
* kicking off testing
* removed change to kickoff testing
---------
Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com >
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co >
2023-04-10 11:24:16 -04:00
71d12bdda4
[Bug] Unit Tests Passing for Rules with Integrations Not Reflected in Manifests ( #2682 )
...
* add promotion to rulemeta schema class and updated promotion rules
* add promotion to rulemeta schema class and updated promotion rules
* adjusted test_integration_tag and okta rule missing dataset
* fixed flake errors
* updated manifests and schemas to include cloud defend
2023-04-03 09:42:40 -04:00
51d50b7d8a
[New Rule] Lsass Process Access - Generic ( #2613 )
...
* Create credential_access_lsass_openprocess_api.toml
* Update credential_access_lsass_openprocess_api.toml
* Update credential_access_lsass_openprocess_api.toml
* Update non-ecs-schema.json
* Update rules/windows/credential_access_lsass_openprocess_api.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules/windows/credential_access_lsass_openprocess_api.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update rules/windows/credential_access_lsass_openprocess_api.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules/windows/credential_access_lsass_openprocess_api.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/credential_access_lsass_openprocess_api.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/credential_access_lsass_openprocess_api.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update credential_access_lsass_openprocess_api.toml
* Update non-ecs-schema.json
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2023-04-03 14:34:30 +01:00
76500f0d46
[New Rule] Google Workspace Drive - Encryption Key(s) Accessed from Anonymous User ( #2654 )
...
* new rule 'Google Workspace Drive Encryption Key(s) Accessed from Anonymous User'
* updated MITRE ATT&CK mappings
2023-03-24 12:21:56 -04:00
7be5788945
[New Rule] Google Workspace Resource Copied from External Drive ( #2627 )
...
* added new rule 'Google Workspace Resource Copied from External Drive'
* adjusted mitre att&ck subtechnique ID
2023-03-20 14:37:58 -04:00
87c66f923e
Update commit-and-push.sh ( #2640 )
2023-03-09 17:31:19 -05:00
c07ced2ce4
Lock versions for releases: 7.16,8.0,8.1,8.2,8.3,8.4,8.5,8.6,8.7 ( #2542 )
...
* Locked versions for releases: 7.16,8.0,8.1,8.2,8.3,8.4,8.5,8.6,8.7
* newline in version lock file to start CI
* removed newline in version lock file
---------
Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com >
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co >
2023-02-10 14:11:33 -05:00
8a7ad13611
[FR] 8.7 Release Preparation and Update Main Branch to 8.8 ( #2533 )
...
* adding preparations for 8.8 release
* addressed flake single new line error
* froze and updated API schemas
* updated get_intregration_manifests
* adjusted boolean in find_latest_integration_version
2023-02-08 17:27:21 -05:00
9ce8faebea
Updated ECS mappings from keyword to wildcard ( #2518 )
...
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2023-02-07 09:43:19 -05:00
51b7df8613
Check integrations cross major versions for older release support ( #2520 )
2023-02-02 18:17:02 -05:00
1784429aa7
[FR] Add Integration Schema Query Validation ( #2470 )
2023-02-02 16:22:44 -05:00
b8dcc6ab4b
[New Rules] C2 via BITS and CertReq ( #2466 )
...
* Create command_and_control_certreq_postdata.toml
* Update command_and_control_certreq_postdata.toml
* Update command_and_control_certreq_postdata.toml
* Create command_and_control_ingress_transfer_bits.toml
* Update non-ecs-schema.json
* Update command_and_control_certreq_postdata.toml
* Update command_and_control_ingress_transfer_bits.toml
* Update rules/windows/command_and_control_certreq_postdata.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2023-01-27 20:17:36 +00:00
1c6e5a3448
[New Rule] Suspicious Inter-Process Communication via Outlook ( #2458 )
...
* Create collection_email_outlook_mailbox_via_com.toml
* Update non-ecs-schema.json
* Update rules/windows/collection_email_outlook_mailbox_via_com.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/collection_email_outlook_mailbox_via_com.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/collection_email_outlook_mailbox_via_com.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-01-25 17:44:32 +00:00
1a5e64ce13
[New Rule] T1543.003 - Unsigned DLL Loaded by Svchost ( #2477 )
...
* Create persistence_service_dll_unsigned.toml
* Update non-ecs-schema.json
* Update persistence_service_dll_unsigned.toml
* Update rules/windows/persistence_service_dll_unsigned.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update detection_rules/etc/non-ecs-schema.json
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update persistence_service_dll_unsigned.toml
* Update persistence_service_dll_unsigned.toml
* Update non-ecs-schema.json
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-01-25 17:11:38 +00:00
bcd8ef15ba
[New Rule] Unsigned DLL Side-Loading from a Suspicious Folder ( #2409 )
...
* Create defense_evasion_unsigned_dll_loaded_from_suspdir.toml
* Update non-ecs-schema.json
* Update defense_evasion_unsigned_dll_loaded_from_suspdir.toml
* Update rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-01-25 13:23:20 +00:00
d81bc25d09
Lock versions for releases: 7.16,8.0,8.1,8.2,8.3,8.4,8.5,8.6 ( #2468 )
...
* Locked versions for releases: 7.16,8.0,8.1,8.2,8.3,8.4,8.5,8.6
* added newline in version lock file to trigger checks
* removed trailing newline from version lock file
Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com >
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co >
2023-01-13 15:20:23 -05:00
6acc0f9b11
Lock versions for releases: 7.16,8.0,8.1,8.2,8.3,8.4,8.5,8.6 ( #2455 )
...
* Locked versions for releases: 7.16,8.0,8.1,8.2,8.3,8.4,8.5,8.6
* added newline in version lock file to trigger checks
* removed trailing newline from version lock file
Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com >
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2023-01-10 09:50:41 -05:00
Isai