b2bc6021f2
[Rule Tuning] 3rd Party EDR Compatibility - Adjust CS Windows Paths ( #5037 )
...
* [Rule Tuning] 3rd Party EDR Compatibility - Adjust CS Windows Paths
* ++
* Update defense_evasion_workfolders_control_execution.toml
* Update privilege_escalation_uac_bypass_event_viewer.toml
2025-09-01 05:31:12 -07:00
e8c54169a4
Prep main for 9.1 ( #4555 )
...
* Prep for Release 9.1
* Update Patch Version
* Update Patch version
* Update Patch version
2025-03-26 11:04:14 -04:00
c0f12ddecf
[Rule Tuning] Tighten Up Windows EventLog Indexes, Improve tags ( #4464 )
...
* [Rule Tuning] Tighten Up Windows EventLog Indexes, Improve tags
* Format & order
* Update pyproject.toml
* Update credential_access_cookies_chromium_browsers_debugging.toml
2025-02-19 12:54:31 -03:00
80841b5619
[Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 2 ( #4221 )
...
* [Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 2
* Update rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2024-11-04 11:47:43 -03:00
2c07e88c07
[Rule Tuning] Fix double bumps caused by Windows Integration Update ( #4156 )
2024-10-15 23:57:44 +05:30
5b17dfa63a
[Rule Tuning] 3rd Party EDR Compatibility - 8 ( #4032 )
...
* [Rule Tuning] 3rd Party EDR Compatibility - 8
* min_stack for merge, bump updated_date
2024-10-11 15:12:58 -03:00
f5069763b6
[Rule Tuning] Add System tag to DRs ( #3968 )
...
* [Rule Tuning] Add System tag to DRs
* bump
2024-08-09 11:14:33 -03:00
63e91c2f12
Back-porting Version Trimming ( #3704 )
2024-05-23 00:45:10 +05:30
2c3dbfc039
Revert "Back-porting Version Trimming ( #3681 )"
...
This reverts commit 71d2c59b5c
2024-05-22 13:51:46 -05:00
71d2c59b5c
Back-porting Version Trimming ( #3681 )
2024-05-23 00:11:50 +05:30
458e67918a
[Security Content] Small tweaks on the setup guides ( #3308 )
...
* [Security Content] Small tweaks on the setup guides
* Additional Fixes
* Avoid touching deprecated rules
2024-03-11 09:09:40 -03:00
27262a585b
[Tuning] Add logs-system. index where applicable ( #3390 )
...
* Update discovery_adfind_command_activity.toml
* Update defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
* Update defense_evasion_clearing_windows_console_history.toml
* Update defense_evasion_clearing_windows_event_logs.toml
* Update defense_evasion_execution_control_panel_suspicious_args.toml
* Update credential_access_dump_registry_hives.toml
* Update defense_evasion_delete_volume_usn_journal_with_fsutil.toml
* Update impact_deleting_backup_catalogs_with_wbadmin.toml
* Update defense_evasion_code_signing_policy_modification_builtin_tools.toml
* Update privilege_escalation_uac_bypass_event_viewer.toml
* Update privilege_escalation_uac_bypass_mock_windir.toml
* Update privilege_escalation_unusual_parentchild_relationship.toml
* Update privilege_escalation_unusual_printspooler_childprocess.toml
* Update privilege_escalation_uac_bypass_diskcleanup_hijack.toml
* Update privilege_escalation_tokenmanip_sedebugpriv_enabled.toml
* Update execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
* Update defense_evasion_wsl_kalilinux.toml
* Update initial_access_suspicious_ms_outlook_child_process.toml
* Update initial_access_suspicious_ms_office_child_process.toml
* Update initial_access_suspicious_ms_exchange_worker_child_process.toml
* Update initial_access_suspicious_ms_exchange_process.toml
* Update impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
* Update impact_volume_shadow_copy_deletion_via_powershell.toml
* Update execution_from_unusual_path_cmdline.toml
* Update execution_enumeration_via_wmiprvse.toml
* Update execution_command_shell_started_by_svchost.toml
* Update discovery_enumerating_domain_trusts_via_nltest.toml
* Update discovery_enumerating_domain_trusts_via_dsquery.toml
* Update defense_evasion_workfolders_control_execution.toml
* Update defense_evasion_iis_httplogging_disabled.toml
* Update defense_evasion_enable_inbound_rdp_with_netsh.toml
* Update defense_evasion_disabling_windows_logs.toml
* Update credential_access_wireless_creds_dumping.toml
* Update credential_access_iis_apppoolsa_pwd_appcmd.toml
* Update credential_access_iis_connectionstrings_dumping.toml
* Update command_and_control_remote_file_copy_desktopimgdownldr.toml
* Update command_and_control_remote_file_copy_mpcmdrun.toml
* Update command_and_control_dns_tunneling_nslookup.toml
* Update persistence_webshell_detection.toml
* Update persistence_via_xp_cmdshell_mssql_stored_procedure.toml
* Update privilege_escalation_named_pipe_impersonation.toml
* Update command_and_control_certreq_postdata.toml
* Update defense_evasion_suspicious_certutil_commands.toml
* Update defense_evasion_disable_windows_firewall_rules_with_netsh.toml
* Update defense_evasion_execution_msbuild_started_unusal_process.toml
* Update persistence_system_shells_via_services.toml
* Update execution_suspicious_cmd_wmi.toml
* Update credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
* Update impact_deleting_backup_catalogs_with_wbadmin.toml
* Update credential_access_dump_registry_hives.toml
* Update defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
* Update defense_evasion_clearing_windows_console_history.toml
* Update defense_evasion_clearing_windows_event_logs.toml
* Update defense_evasion_code_signing_policy_modification_builtin_tools.toml
* Update defense_evasion_delete_volume_usn_journal_with_fsutil.toml
* Update defense_evasion_execution_control_panel_suspicious_args.toml
* Update execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
* Update defense_evasion_wsl_kalilinux.toml
* Update discovery_adfind_command_activity.toml
* Update initial_access_suspicious_ms_outlook_child_process.toml
* Update privilege_escalation_uac_bypass_diskcleanup_hijack.toml
* Update privilege_escalation_uac_bypass_event_viewer.toml
* Update privilege_escalation_uac_bypass_mock_windir.toml
* Update privilege_escalation_unusual_parentchild_relationship.toml
* Update privilege_escalation_unusual_printspooler_childprocess.toml
* Update defense_evasion_defender_exclusion_via_powershell.toml
* Update defense_evasion_execution_lolbas_wuauclt.toml
* Update defense_evasion_execution_msbuild_started_by_script.toml
* Update defense_evasion_unusual_dir_ads.toml
* Update defense_evasion_wsl_child_process.toml
* Update defense_evasion_wsl_bash_exec.toml
* Update defense_evasion_wsl_enabled_via_dism.toml
* Update discovery_admin_recon.toml
* Update initial_access_suspicious_ms_exchange_worker_child_process.toml
* Update lateral_movement_alternate_creds_pth.toml
* Update persistence_via_windows_management_instrumentation_event_subscription.toml
* Update persistence_via_telemetrycontroller_scheduledtask_hijack.toml
* Update persistence_via_application_shimming.toml
* Update defense_evasion_execution_msbuild_started_by_script.toml
* Update defense_evasion_execution_msbuild_started_by_script.toml
* Update defense_evasion_execution_lolbas_wuauclt.toml
* Update defense_evasion_execution_msbuild_started_unusal_process.toml
* Update defense_evasion_delete_volume_usn_journal_with_fsutil.toml
* Update rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
* Update defense_evasion_clearing_windows_console_history.toml
* Update discovery_adfind_command_activity.toml
* Update defense_evasion_execution_msbuild_started_unusal_process.toml
* Update execution_command_shell_started_by_svchost.toml
* Update initial_access_suspicious_ms_exchange_worker_child_process.toml
* Update execution_command_shell_started_by_svchost.toml
* Update execution_command_shell_started_by_svchost.toml
* Update execution_command_shell_started_by_svchost.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2024-01-17 13:49:59 +00:00
a568c56bc1
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform ( #3157 )
2023-10-30 16:53:04 +05:30
b4c84e8a40
[Security Content] Tags Reform ( #2725 )
...
* Update Tags
* Bump updated date separately to be easy to revert if needed
* Update resource_development_ml_linux_anomalous_compiler_activity.toml
* Apply changes from the discussion
* Update persistence_init_d_file_creation.toml
* Update defense_evasion_timestomp_sysmon.toml
* Update defense_evasion_application_removed_from_blocklist_in_google_workspace.toml
* Update missing Tactic tags
* Update unit tests to match new tags
* Add missing IG tags
* Delete okta_threat_detected_by_okta_threatinsight.toml
* Update command_and_control_google_drive_malicious_file_download.toml
* Update persistence_rc_script_creation.toml
* Mass bump
* Update persistence_shell_activity_by_web_server.toml
* .
---------
Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2023-06-22 18:38:56 -03:00
59da2da474
[Rule Tuning] Ensure host information is in endpoint rule queries ( #2593 )
...
* add unit tests to ensure host type and platform are included
* add host.os.name 'linux' to all linux rules
* add host.os.name macos to mac rules
* add host.os.name to windows rules; fix linux dates
* update from host.os.name to host.os.type
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-03-05 11:41:19 -07:00
9981cca275
[Security Content] Investigation Guides Line breaks refactor ( #2454 )
...
* [Security Content] Investigation Guides Line breaks refactor (#2412 )
* [Security Content] Investigation Guides Line break refactor
* undo updated_date bump on deprecated rules
* Remove duplicated key
* Remove changes to deprecated rules
* Update command_and_control_certutil_network_connection.toml
2023-01-09 13:28:10 -03:00
b1a689b6fd
Revert "[Security Content] Investigation Guides Line breaks refactor ( #2412 )" ( #2453 )
...
This reverts commit d1481e1a88
2023-01-09 10:44:54 -05:00
d1481e1a88
[Security Content] Investigation Guides Line breaks refactor ( #2412 )
...
* [Security Content] Investigation Guides Line break refactor
* undo updated_date bump on deprecated rules
* Remove duplicated key
2023-01-09 11:56:39 -03:00
4312d8c958
[FR] Add Endpoint, APM and Windows Integration Tags to Rules and Supportability ( #2429 )
...
* initial commit
* addressing flake errors
* added apm to _get_packagted_integrations logic
* addressed flake errors
* adjusted integration schema and updated rules to be a list
* updated several rules and removed a unit test
* updated rules with logs-* only index patterns
* Update tests/test_all_rules.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
* addressed flake errors
* integration is none is windows, endpoint or apm
* adding rules with accepted incoming changes from main
* fixed tag and tactic alignment errors from unit testing
* adjusted unit testing logic for integration tags; added more exclusion rules
* adjusted test_integration logic to be rule resistent and skip if -8.3
* adjusted comments for unit test skip
* fixed merge conflicts from main
* changing test_integration_tag to remove logic for rule version comparisons
* added integration tag to new rule
* adjusted rules updated_date value
* ignore guided onboarding rule in unit tests
* added integration tag to new rule
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2023-01-04 09:30:07 -05:00
ac01718bb6
[Rule Tuning] Add tags to flag Sysmon-only rules & Modify Investigation Guide-related tag ( #2352 )
...
* [Rule Tuning] Add tags to flag Sysmon-only rules
* Modify tags
* Revert "Modify tags"
This reverts commit 3d9267d171a41f727bb499501d71d5c4db4f0434.
* Modify tags
* Update test_all_rules.py
* Update test_all_rules.py
* Update test_all_rules.py
* Update test_all_rules.py
* Update test_all_rules.py
2022-11-18 12:32:27 -03:00
183b1ffdd3
[Rule Tuning] Add endgame support for Windows Rules ( #2285 )
...
* [Rule Tuning] Add endgame support for Windows Rules
* Update collection_email_powershell_exchange_mailbox.toml
* Supported Rules - First Half
* bum updated_date
* Add tag
* Revert compat
* missing tags
2022-10-19 08:27:44 -07:00
ec04a39413
[Security Content] Tag rules with robust Investigation Guides ( #2297 )
2022-09-23 14:20:32 -03:00
d52c0d2257
[Rule Tuning] Remove "process_started" from Windows Rules ( #2238 )
...
* [Rule Tuning] Remove "process_started" from Windows Rules
* Additional, pending ones
* Update defense_evasion_code_injection_conhost.toml
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2022-09-19 13:06:30 -05:00
46d5e37b76
min_stack all rules to 8.3 ( #2259 )
...
* min_stack all rules to 8.3
* bump date
Co-authored-by: Mika Ayenson <mika.ayenson@elastic.co >
2022-08-24 10:38:49 -06:00
e8c39d19a7
[Rule Tuning] Missing MITRE ATT&CK Mappings ( #2073 )
...
* initial commit with eggshell mitre mapping added
* adding updated rules
* [Rule Tuning] MITRE for GCP rules
I've added Mitre references for the 4 GCP rules missing. Changed 3 of the rules from "Impact" to "Defense Evasion" based on the technique used and it's matched tactic.
* [Rule Tuning] Endgame Rule name updates for Mitre
Updated Endgame rule names for those with Mitre tactics to match the tactics.
* Update rules/integrations/aws/persistence_redshift_instance_creation.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/integrations/aws/exfiltration_rds_snapshot_restored.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* adding 10 updated rules for google_workspace, ml and o365
* adding 22 rule updates for mitre att&ck mappings
* adding 24 rule updates related mainly to ML rules
* adding 3 rules related to detection via ML
* adding adjustments
* adding adjustments with solutions to recent pytest errors
* removed tabs from tags
* adjusted mappings and added techniques
* adjusted endgame rule mappings per review
* adjusted names to match different tactics
* added execution and defense evasion tag
* adjustments to address errors from merging with main
* added newlines to rules missing them at the end of the file
Co-authored-by: imays11 <59296946+imays11@users.noreply.github.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
2022-07-22 14:30:34 -04:00
a52751494e
2058 add setup field to metadata ( #2061 )
...
* Convert config header to setup in note field
* Parse note field into separate setup and note field with marko gfm
* only validate and parse note on elastic authored rules and add CLI description for new DR_BYPASS_NOTE_VALIDATION_AND_PARSE environment variable
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com >
2022-07-18 15:41:32 -04:00
e9f5585a9f
[Rule Tuning] Update Rule Content Changes from Security Docs Team ( #1945 )
...
* updated content to reflect changes from Security Docs team
* Update rules/linux/execution_flock_binary.toml
* Update rules/linux/execution_expect_binary.toml
* TOML linting
* added escape for crdential_access_spn_attribute_modified.toml
2022-05-06 13:21:12 -04:00
ebeb270075
[Security Content] Current Investigation Guides Review ( #1896 )
...
* Modify investigation guides
* Apply suggestions from code review
Co-authored-by: benironside <91905639+benironside@users.noreply.github.com >
* Update rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml
Co-authored-by: benironside <91905639+benironside@users.noreply.github.com >
* Rewrite and apply previous reviews
* Apply suggestions from code review
Co-authored-by: Joe Peeples <joe.peeples@elastic.co >
* Update rules/windows/credential_access_spn_attribute_modified.toml
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
Co-authored-by: benironside <91905639+benironside@users.noreply.github.com >
Co-authored-by: Joe Peeples <joe.peeples@elastic.co >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2022-04-12 22:05:13 -03:00
6bdfddac8e
Expand timestamp override tests ( #1907 )
...
* Expand timestamp_override tests
* removed timestamp_override from eql sequence rules
* add config entry for eql rules with beats index and t_o
* add timestamp_override to missing fields
2022-04-01 15:27:08 -08:00
202b9c7479
[New Rule] Execution control.exe via WorkFolders.exe ( #1806 )
...
* added detection rule defense_evasion_workfolders_control_execution.toml related to issue #1586
* updated rule authors
* added references to the rule
* added timestamp override variable to the rule
* adjusted value of timestamp override from event_ingested to event.ingested
* Update rules/windows/defense_evasion_workfolders_control_execution.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/windows/defense_evasion_workfolders_control_execution.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/windows/defense_evasion_workfolders_control_execution.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/windows/defense_evasion_workfolders_control_execution.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/windows/defense_evasion_workfolders_control_execution.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/defense_evasion_workfolders_control_execution.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* linted toml file as suggested
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2022-03-03 09:21:40 -05:00
Jonhnathan