5ec8e3e500
[Rule Tuning] Communication App Rules ( #5487 )
...
* [Rule Tuning] Communication App Rules
* Update defense_evasion_masquerading_business_apps_installer.toml
* Update defense_evasion_masquerading_business_apps_installer.toml
* Update defense_evasion_masquerading_communication_apps.toml
* Update defense_evasion_masquerading_business_apps_installer.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2025-12-18 02:38:18 -08:00
85a9c7180d
[Rule Tuning] Windows Misc Tuning ( #5382 )
...
* [Rule Tuning] Windows Misc Tuning
* Update execution_suspicious_powershell_imgload.toml
* I need some coffee
2025-12-01 07:28:25 -08:00
da9bfd0abc
MITRE ATT&CK Sub-Technique Update - Solves Issue #5279 ( #5280 )
...
* Resolves Issue #5279
* Corrected the "updated_date" value
* Put the technique and sub-technique in the correct location
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2025-11-11 10:26:14 -05:00
9ee15a13b0
[Rule Tuning] Connection to Commonly Abused Web Services ( #5060 )
...
* [Rule Tuning] Connection to Commonly Abused Web Services
* Update command_and_control_common_webservices.toml
2025-09-04 11:58:13 -07:00
9dfc42aa1d
[Tuning] Connection to Commonly Abused Web Services - alerts JetBrains to GH ( #4973 )
...
* Update command_and_control_common_webservices.toml
* Update command_and_control_common_webservices.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2025-08-18 17:21:04 +01:00
bcff3f95d5
Update command_and_control_common_webservices.toml ( #4686 )
2025-05-06 13:27:21 +05:30
818467f132
Replace master doc URLs with current ( #4439 )
2025-02-03 21:27:50 +05:30
b80d8342d6
[Docs | Rule Tuning] Add blog references to rules ( #4097 )
...
* [Docs | Rule Tuning] Add blog references to rules
* Apply suggestions from code review
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Apply suggestions from code review
* Update google_workspace blog references
* add okta blog references
* Update dates
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2024-09-25 15:19:20 -05:00
b60b6e2af3
[New] Attempt to establish VScode Remote Tunnel ( #4061 )
...
* [New] Attempt to establish VScode Remote Tunnel
* Update command_and_control_tunnel_vscode.toml
* Update command_and_control_tunnel_vscode.toml
* Update command_and_control_tunnel_vscode.toml
* Update rules/windows/command_and_control_tunnel_vscode.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2024-09-16 07:39:39 +01:00
6ac278df0c
[tuning] Connection to Commonly Abused Web Services ( #3901 )
...
* Update command_and_control_common_webservices.toml
* Update command_and_control_common_webservices.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2024-07-18 09:59:53 -03:00
63e91c2f12
Back-porting Version Trimming ( #3704 )
2024-05-23 00:45:10 +05:30
2c3dbfc039
Revert "Back-porting Version Trimming ( #3681 )"
...
This reverts commit 71d2c59b5c
2024-05-22 13:51:46 -05:00
71d2c59b5c
Back-porting Version Trimming ( #3681 )
2024-05-23 00:11:50 +05:30
83462a3087
[New] Potential File Download via a Headless Browser ( #3660 )
...
* [New] Potential File Download via a Headless Browser
* Update command_and_control_headless_browser.toml
* Update command_and_control_headless_browser.toml
* Update command_and_control_common_webservices.toml
* Update command_and_control_headless_browser.toml
* Update command_and_control_headless_browser.toml
2024-05-14 13:55:14 +01:00
9692e59abb
[Tuning] Connection to Commonly Abused Web Services ( #3587 )
...
excluding top noisy patterns :
- Microsoft signed binaries connecting to graph.microsoft.com and sharepoint.com
- Slack, Dropbox and other signed binaries.
- github.com (removed), most abused is rawgithub dns.question.name for ingress-script/payload download
2024-04-11 08:11:28 -03:00
69173872da
[Tuning] Connection to Commonly Abused Web Services ( #3425 )
...
* Update command_and_control_common_webservices.toml
* Update command_and_control_common_webservices.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2024-04-02 14:41:10 +01:00
b47b91b9ec
[Rule Tuning] Tighten up Indexes of Elastic Defend Windows Rules ( #3549 )
...
* [Rule Tuning] Tighten up Indexes of Elastic Defend Windows Rules
* Delete test.pkl
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2024-04-01 20:45:12 -03:00
aeb1f91320
[Security Content] Introduce Investigate Plugin in Investigation Guides ( #3080 )
...
* [Security Content] Introduce Investigate Plugin in Investigation Guides
* Add compatibility note
* Update Transform format
* update transform unit tests for investigate
* updated docs with transform
---------
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com >
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
2023-12-08 11:54:40 -07:00
a5240e4063
[Rule Tuning] Windows DR Tuning - 1 ( #3198 )
...
* [Rule Tuning] Windows DR Tuning - 1
* Update collection_winrar_encryption.toml
2023-10-26 17:20:32 -03:00
f584fb6e31
[Security Content] Adjust Mitre Att&ck Mappings - Windows Rules ( #3165 )
...
* [Security Content] Adjust Mitre Att&ck Mappings - Windows Rules
* Fix dates
* Fix unit test errors
* updated tags and fixed branch conflicts
updated tags and fixed branch conflicts
* description nit
* Reverting unintended changes
* Update initial_access_suspicious_ms_office_child_process.toml
---------
Co-authored-by: imays11 <59296946+imays11@users.noreply.github.com >
2023-10-15 18:12:20 -03:00
4233fef238
[Security Content] Include "Data Source: Elastic Defend" tag ( #3002 )
...
* win folder
* Other folders
* Update test_all_rules.py
* .
* updated missing elastic defend tags
---------
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co >
2023-09-05 14:22:01 -04:00
b4c84e8a40
[Security Content] Tags Reform ( #2725 )
...
* Update Tags
* Bump updated date separately to be easy to revert if needed
* Update resource_development_ml_linux_anomalous_compiler_activity.toml
* Apply changes from the discussion
* Update persistence_init_d_file_creation.toml
* Update defense_evasion_timestomp_sysmon.toml
* Update defense_evasion_application_removed_from_blocklist_in_google_workspace.toml
* Update missing Tactic tags
* Update unit tests to match new tags
* Add missing IG tags
* Delete okta_threat_detected_by_okta_threatinsight.toml
* Update command_and_control_google_drive_malicious_file_download.toml
* Update persistence_rc_script_creation.toml
* Mass bump
* Update persistence_shell_activity_by_web_server.toml
* .
---------
Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2023-06-22 18:38:56 -03:00
255c53cff0
[Rule Tuning] Connection to Commonly Abused Web Services ( #2728 )
...
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2023-04-20 18:26:00 -03:00
fb09208132
[Rule Tuning] Connection to Commonly Abused Web Services ( #2717 )
...
* [Rule Tuning] Connection to Commonly Abused Web Services
* Update command_and_control_common_webservices.toml
2023-04-18 09:15:47 -03:00
411ec36ff0
Validate markdown plugin fields ( #2602 )
2023-03-28 09:17:50 -04:00
59da2da474
[Rule Tuning] Ensure host information is in endpoint rule queries ( #2593 )
...
* add unit tests to ensure host type and platform are included
* add host.os.name 'linux' to all linux rules
* add host.os.name macos to mac rules
* add host.os.name to windows rules; fix linux dates
* update from host.os.name to host.os.type
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-03-05 11:41:19 -07:00
1a4510c9d4
[Security Content] Add Investigation Guides to Windows Rules - 2 ( #2534 )
...
* [Security Content] Add Investigation Guides to Windows Rules - 2
* tags
* Adjust some phrasing based on the review
* Update credential_access_bruteforce_admin_account.toml
* Missing Osquery Note
* Missing note
2023-03-01 21:23:09 -03:00
f17b6f1702
[Security Content] Fix verbiage used on Osquery Note ( #2513 )
...
* [Security Content] Fix verbiage used on Osquery Note
* Adjust verbiage
* date bump
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2023-02-22 12:33:23 -03:00
7725e32126
[Security Content] Fix Osquery Markdown Plugin Escaped queries ( #2447 )
...
* [Security Content] Fix Osquery Markdown Plugin Escaped queries
* Re-add line
* Update credential_access_credential_dumping_msbuild.toml
* Update command_and_control_common_webservices.toml
2023-01-09 14:45:31 -03:00
9981cca275
[Security Content] Investigation Guides Line breaks refactor ( #2454 )
...
* [Security Content] Investigation Guides Line breaks refactor (#2412 )
* [Security Content] Investigation Guides Line break refactor
* undo updated_date bump on deprecated rules
* Remove duplicated key
* Remove changes to deprecated rules
* Update command_and_control_certutil_network_connection.toml
2023-01-09 13:28:10 -03:00
b1a689b6fd
Revert "[Security Content] Investigation Guides Line breaks refactor ( #2412 )" ( #2453 )
...
This reverts commit d1481e1a88
2023-01-09 10:44:54 -05:00
d1481e1a88
[Security Content] Investigation Guides Line breaks refactor ( #2412 )
...
* [Security Content] Investigation Guides Line break refactor
* undo updated_date bump on deprecated rules
* Remove duplicated key
2023-01-09 11:56:39 -03:00
4312d8c958
[FR] Add Endpoint, APM and Windows Integration Tags to Rules and Supportability ( #2429 )
...
* initial commit
* addressing flake errors
* added apm to _get_packagted_integrations logic
* addressed flake errors
* adjusted integration schema and updated rules to be a list
* updated several rules and removed a unit test
* updated rules with logs-* only index patterns
* Update tests/test_all_rules.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
* addressed flake errors
* integration is none is windows, endpoint or apm
* adding rules with accepted incoming changes from main
* fixed tag and tactic alignment errors from unit testing
* adjusted unit testing logic for integration tags; added more exclusion rules
* adjusted test_integration logic to be rule resistent and skip if -8.3
* adjusted comments for unit test skip
* fixed merge conflicts from main
* changing test_integration_tag to remove logic for rule version comparisons
* added integration tag to new rule
* adjusted rules updated_date value
* ignore guided onboarding rule in unit tests
* added integration tag to new rule
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2023-01-04 09:30:07 -05:00
ac01718bb6
[Rule Tuning] Add tags to flag Sysmon-only rules & Modify Investigation Guide-related tag ( #2352 )
...
* [Rule Tuning] Add tags to flag Sysmon-only rules
* Modify tags
* Revert "Modify tags"
This reverts commit 3d9267d171a41f727bb499501d71d5c4db4f0434.
* Modify tags
* Update test_all_rules.py
* Update test_all_rules.py
* Update test_all_rules.py
* Update test_all_rules.py
* Update test_all_rules.py
2022-11-18 12:32:27 -03:00
6055d0db60
[Security Content] Introduce Osquery Markdown Plugin Queries in Investigation Guides ( #2387 )
...
* [Security Content] Introduce Osquery Markdown Plugin Queries in Investigation Guides
* Remove min_stack and add Note
* Fix Typo and preffix
* Update command_and_control_certutil_network_connection.toml
* Add unit test to check Note about Osquery Markdown plugin and Version limitations
* Update test_all_rules.py
* Update test_all_rules.py
* Change Note Verbiage
2022-11-17 18:38:34 -03:00
e89bc230ab
[Tuning] Diverse Windows Rules Tuning ( #2383 )
...
* [Rules Tuning] TPrep
* more
* Update credential_access_wireless_creds_dumping.toml
* Update persistence_user_account_creation_event_logs.toml
* Update discovery_files_dir_systeminfo_via_cmd.toml
* fix errors
* Update command_and_control_common_webservices.toml
* fix errors
* Update persistence_user_account_creation_event_logs.toml
* Update rules/windows/credential_access_wireless_creds_dumping.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/discovery_files_dir_systeminfo_via_cmd.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* switched back to kql
* Update persistence_user_account_creation_event_logs.toml
* Update rules/windows/credential_access_wireless_creds_dumping.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* added T1555
* Update persistence_user_account_creation_event_logs.toml
* Update defense_evasion_persistence_account_tokenfilterpolicy.toml
* Update defense_evasion_persistence_account_tokenfilterpolicy.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2022-11-01 16:48:25 +00:00
f02ffbbe13
[Security Content] Add Investigation Guides - 8.5 ( #2305 )
...
* [Security Content] Add Investigation Guides - 8.5
* Update persistence_run_key_and_startup_broad.toml
* Apply suggestions from security-docs review review
* Update execution_suspicious_jar_child_process.toml
* Apply suggestions from review
2022-09-23 18:44:24 -03:00
ec04a39413
[Security Content] Tag rules with robust Investigation Guides ( #2297 )
2022-09-23 14:20:32 -03:00
46d5e37b76
min_stack all rules to 8.3 ( #2259 )
...
* min_stack all rules to 8.3
* bump date
Co-authored-by: Mika Ayenson <mika.ayenson@elastic.co >
2022-08-24 10:38:49 -06:00
817b97f428
[Security Content] Refactor Existing Investigation Guides ( #1959 )
...
* Initial commit
* Update Investigation guides - security-docs review
* Update command_and_control_dns_tunneling_nslookup.toml
* Update defense_evasion_amsienable_key_mod.toml
* Apply security-docs review
* Remove dot
* Update rules/windows/command_and_control_rdp_tunnel_plink.toml
Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com >
* Apply changes from review
* Apply the suggestion
Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com >
2022-05-18 12:59:39 -03:00
27e6632ecd
Update command_and_control_common_webservices.toml ( #1970 )
2022-05-16 14:04:26 -03:00
a3d7427d29
[Security Content] Add Investigation Guides - 2 ( #1822 )
...
* Add Investigation Guides for Windows Rules - First half
* + 1/2
* Update impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
* Update credential_access_mod_wdigest_security_provider.toml
* Apply suggestions from code review
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
* Update defense_evasion_amsienable_key_mod.toml
* Update defense_evasion_amsienable_key_mod.toml
* Apply suggestions from code review
Co-authored-by: benironside <91905639+benironside@users.noreply.github.com >
* Update command_and_control_certutil_network_connection.toml
* Apply suggestions from code review
Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com >
Co-authored-by: Joe Peeples <joe.peeples@elastic.co >
Co-authored-by: benironside <91905639+benironside@users.noreply.github.com >
* Update collection_winrar_encryption.toml
* Apply suggestions from code review
Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com >
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
Co-authored-by: benironside <91905639+benironside@users.noreply.github.com >
Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com >
Co-authored-by: Joe Peeples <joe.peeples@elastic.co >
2022-03-30 14:43:55 -03:00
3227d65cd8
[Rule Tuning] Remove Windows Integration & Winlogbeat Support - User.id ( #1773 )
...
* Remove Windows Integration & Winlogbeat Support
* Update lateral_movement_service_control_spawned_script_int.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2022-02-15 23:04:55 -03:00
6a0164cbd3
[Rule Tuning] Connection to Commonly Abused Web Services ( #1708 )
...
Added Discord domains often abused to stage malicious files.
2022-01-17 14:52:26 -03:00
61afb1c1c0
[Rule Tuning] Update threat mappings for Windows rules ( #1497 )
...
* Windows Rules Att&ck Mapping review
* Bump updated_date and fix reference URLs
* Fix subtechnique
* Fix test errors
2021-09-23 12:08:38 -05:00
dd4bc3e57e
[Rule Tuning] Connection to Commonly Abused Web Services ( #1079 )
...
* [Rule Tuning] Connection to Commonly Abused Web Services
* adjusted 1 exclusion
* update date
* added 3 dns.names as suggested by Daniel
* added requestbin.net used for DNS tunneling by APT34
2021-04-14 00:53:27 +02:00
9cff72bbcb
[Rule Tuning] Connection to Commonly Abused Web Services ( #1016 )
2021-03-19 10:23:12 +01:00
3fc34b86f2
Update License to Elastic v2 ( #944 )
2021-03-03 22:12:11 -09:00
a77bd6178f
Merge remote-tracking branch 'upstream/7.11' into merge-7.11-to-7.12
...
# Conflicts:
# rules/linux/privilege_escalation_setgid_bit_set_via_chmod.toml
2021-02-17 14:11:50 -09:00
90a9320f93
[Rule Tuning] Remove timestamp_override for endgame-* promotion rules ( #951 )
...
* remove timestamp_override from endgame promotion rules
* updated version.lock to previous state for endgame promotion rule changes
* fix incorrect year in updated_date
2021-02-17 13:48:57 -09:00
Jonhnathan