3726611b93
[Tuning] Top Noisy Rules ( #5449 )
...
* [Tuning] Windows BruteForce Rules Tuning
#1 Multiple Logon Failure from the same Source Address: converted to ES|QL and raised the threshold to 100 failed auths, alert quality should be better since it aggregates all failed auths info into one alert vs multiple EQL matches. (expected reduction more than 50%)
#2 Privileged Account Brute Force - coverted to ESQL and set the threshold to 50 in a minute. this should drop noise volume by more than 50%.
* ++
* Update execution_shell_evasion_linux_binary.toml
* Update execution_shell_evasion_linux_binary.toml
* Update defense_evasion_indirect_exec_forfiles.toml
* Update lateral_movement_remote_file_copy_hidden_share.toml
* Update lateral_movement_remote_file_copy_hidden_share.toml
* Update persistence_service_windows_service_winlog.toml
* Update credential_access_lsass_openprocess_api.toml
* Update persistence_suspicious_scheduled_task_runtime.toml
* Update impact_hosts_file_modified.toml
* Update defense_evasion_process_termination_followed_by_deletion.toml
* Update rules/windows/credential_access_lsass_openprocess_api.toml
* Update rules/windows/credential_access_bruteforce_admin_account.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Update rules/windows/credential_access_lsass_openprocess_api.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Update rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Update credential_access_lsass_openprocess_api.toml
* Update impact_hosts_file_modified.toml
* Update credential_access_dollar_account_relay.toml
* Update credential_access_new_terms_secretsmanager_getsecretvalue.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2025-12-12 14:28:12 +00:00
e8c54169a4
Prep main for 9.1 ( #4555 )
...
* Prep for Release 9.1
* Update Patch Version
* Update Patch version
* Update Patch version
2025-03-26 11:04:14 -04:00
46c4a80015
[Tuning] Remote File Copy to a Hidden Share ( #4494 )
...
* Update lateral_movement_remote_file_copy_hidden_share.toml
* Update lateral_movement_remote_file_copy_hidden_share.toml
* Update lateral_movement_remote_file_copy_hidden_share.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2025-02-27 11:50:02 -03:00
c0f12ddecf
[Rule Tuning] Tighten Up Windows EventLog Indexes, Improve tags ( #4464 )
...
* [Rule Tuning] Tighten Up Windows EventLog Indexes, Improve tags
* Format & order
* Update pyproject.toml
* Update credential_access_cookies_chromium_browsers_debugging.toml
2025-02-19 12:54:31 -03:00
fe8c81d762
[FR] Generate investigation guides ( #4358 )
2025-01-22 11:17:38 -06:00
63956a6f51
[Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 4 ( #4225 )
2024-11-05 14:22:14 -03:00
2c07e88c07
[Rule Tuning] Fix double bumps caused by Windows Integration Update ( #4156 )
2024-10-15 23:57:44 +05:30
07c4535871
[Rule Tuning] 3rd Party EDR Compatibility - 13 ( #4038 )
...
* [Rule Tuning] 3rd Party EDR Compatibility - 13
* min_stack for merge, bump updated_date
2024-10-11 16:55:02 -03:00
b80d8342d6
[Docs | Rule Tuning] Add blog references to rules ( #4097 )
...
* [Docs | Rule Tuning] Add blog references to rules
* Apply suggestions from code review
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Apply suggestions from code review
* Update google_workspace blog references
* add okta blog references
* Update dates
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2024-09-25 15:19:20 -05:00
f5069763b6
[Rule Tuning] Add System tag to DRs ( #3968 )
...
* [Rule Tuning] Add System tag to DRs
* bump
2024-08-09 11:14:33 -03:00
63e91c2f12
Back-porting Version Trimming ( #3704 )
2024-05-23 00:45:10 +05:30
2c3dbfc039
Revert "Back-porting Version Trimming ( #3681 )"
...
This reverts commit 71d2c59b5c
2024-05-22 13:51:46 -05:00
71d2c59b5c
Back-porting Version Trimming ( #3681 )
2024-05-23 00:11:50 +05:30
b47b91b9ec
[Rule Tuning] Tighten up Indexes of Elastic Defend Windows Rules ( #3549 )
...
* [Rule Tuning] Tighten up Indexes of Elastic Defend Windows Rules
* Delete test.pkl
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2024-04-01 20:45:12 -03:00
f5254f3b5e
[Rule Tuning] Improve Compatibility in WIndows Detection Rules - Part 1 ( #3501 )
...
* Initial commit
* Date bump
2024-03-13 10:27:44 -03:00
458e67918a
[Security Content] Small tweaks on the setup guides ( #3308 )
...
* [Security Content] Small tweaks on the setup guides
* Additional Fixes
* Avoid touching deprecated rules
2024-03-11 09:09:40 -03:00
f6ba12a700
[Rule Tuning] Windows DR Tuning - 12 ( #3364 )
2024-01-17 13:19:12 -03:00
a568c56bc1
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform ( #3157 )
2023-10-30 16:53:04 +05:30
4233fef238
[Security Content] Include "Data Source: Elastic Defend" tag ( #3002 )
...
* win folder
* Other folders
* Update test_all_rules.py
* .
* updated missing elastic defend tags
---------
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co >
2023-09-05 14:22:01 -04:00
b4c84e8a40
[Security Content] Tags Reform ( #2725 )
...
* Update Tags
* Bump updated date separately to be easy to revert if needed
* Update resource_development_ml_linux_anomalous_compiler_activity.toml
* Apply changes from the discussion
* Update persistence_init_d_file_creation.toml
* Update defense_evasion_timestomp_sysmon.toml
* Update defense_evasion_application_removed_from_blocklist_in_google_workspace.toml
* Update missing Tactic tags
* Update unit tests to match new tags
* Add missing IG tags
* Delete okta_threat_detected_by_okta_threatinsight.toml
* Update command_and_control_google_drive_malicious_file_download.toml
* Update persistence_rc_script_creation.toml
* Mass bump
* Update persistence_shell_activity_by_web_server.toml
* .
---------
Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2023-06-22 18:38:56 -03:00
0273d118a6
[Rule Tuning] Add endgame support for Windows Rules ( #2428 )
...
* Update impact_deleting_backup_catalogs_with_wbadmin.toml
* Update impact_deleting_backup_catalogs_with_wbadmin.toml
* 1/2
* bump updated_date
* 2/3
* Finale
* Update persistence_evasion_registry_ifeo_injection.toml
* .
* Multiple fixes
* Missing index
* Missing AND
2023-03-06 12:47:11 -03:00
59da2da474
[Rule Tuning] Ensure host information is in endpoint rule queries ( #2593 )
...
* add unit tests to ensure host type and platform are included
* add host.os.name 'linux' to all linux rules
* add host.os.name macos to mac rules
* add host.os.name to windows rules; fix linux dates
* update from host.os.name to host.os.type
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-03-05 11:41:19 -07:00
4312d8c958
[FR] Add Endpoint, APM and Windows Integration Tags to Rules and Supportability ( #2429 )
...
* initial commit
* addressing flake errors
* added apm to _get_packagted_integrations logic
* addressed flake errors
* adjusted integration schema and updated rules to be a list
* updated several rules and removed a unit test
* updated rules with logs-* only index patterns
* Update tests/test_all_rules.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
* addressed flake errors
* integration is none is windows, endpoint or apm
* adding rules with accepted incoming changes from main
* fixed tag and tactic alignment errors from unit testing
* adjusted unit testing logic for integration tags; added more exclusion rules
* adjusted test_integration logic to be rule resistent and skip if -8.3
* adjusted comments for unit test skip
* fixed merge conflicts from main
* changing test_integration_tag to remove logic for rule version comparisons
* added integration tag to new rule
* adjusted rules updated_date value
* ignore guided onboarding rule in unit tests
* added integration tag to new rule
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2023-01-04 09:30:07 -05:00
d52c0d2257
[Rule Tuning] Remove "process_started" from Windows Rules ( #2238 )
...
* [Rule Tuning] Remove "process_started" from Windows Rules
* Additional, pending ones
* Update defense_evasion_code_injection_conhost.toml
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2022-09-19 13:06:30 -05:00
46d5e37b76
min_stack all rules to 8.3 ( #2259 )
...
* min_stack all rules to 8.3
* bump date
Co-authored-by: Mika Ayenson <mika.ayenson@elastic.co >
2022-08-24 10:38:49 -06:00
a52751494e
2058 add setup field to metadata ( #2061 )
...
* Convert config header to setup in note field
* Parse note field into separate setup and note field with marko gfm
* only validate and parse note on elastic authored rules and add CLI description for new DR_BYPASS_NOTE_VALIDATION_AND_PARSE environment variable
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com >
2022-07-18 15:41:32 -04:00
6bdfddac8e
Expand timestamp override tests ( #1907 )
...
* Expand timestamp_override tests
* removed timestamp_override from eql sequence rules
* add config entry for eql rules with beats index and t_o
* add timestamp_override to missing fields
2022-04-01 15:27:08 -08:00
3fc34b86f2
Update License to Elastic v2 ( #944 )
2021-03-03 22:12:11 -09:00
a77bd6178f
Merge remote-tracking branch 'upstream/7.11' into merge-7.11-to-7.12
...
# Conflicts:
# rules/linux/privilege_escalation_setgid_bit_set_via_chmod.toml
2021-02-17 14:11:50 -09:00
90a9320f93
[Rule Tuning] Remove timestamp_override for endgame-* promotion rules ( #951 )
...
* remove timestamp_override from endgame promotion rules
* updated version.lock to previous state for endgame promotion rule changes
* fix incorrect year in updated_date
2021-02-17 13:48:57 -09:00
6ce418877f
Merge remote-tracking branch 'upstream/7.12' into merge-7.11-to-7.12
...
# Conflicts:
# etc/version.lock.json
# rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml
# rules/cross-platform/impact_hosts_file_modified.toml
# rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml
# rules/cross-platform/privilege_escalation_sudoers_file_mod.toml
# rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml
# rules/linux/defense_evasion_timestomp_touch.toml
# rules/linux/privilege_escalation_setgid_bit_set_via_chmod.toml
# rules/macos/credential_access_credentials_keychains.toml
# rules/macos/credential_access_promt_for_pwd_via_osascript.toml
# rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml
# rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml
# rules/promotions/external_alerts.toml
# rules/windows/collection_email_powershell_exchange_mailbox.toml
# rules/windows/collection_persistence_powershell_exch_mailbox_activesync_add_device.toml
# rules/windows/collection_winrar_encryption.toml
# rules/windows/command_and_control_common_webservices.toml
# rules/windows/command_and_control_encrypted_channel_freesslcert.toml
# rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml
# rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
# rules/windows/command_and_control_teamviewer_remote_file_copy.toml
# rules/windows/credential_access_cmdline_dump_tool.toml
# rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
# rules/windows/credential_access_credential_dumping_msbuild.toml
# rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
# rules/windows/credential_access_dump_registry_hives.toml
# rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml
# rules/windows/credential_access_iis_connectionstrings_dumping.toml
# rules/windows/credential_access_kerberoasting_unusual_process.toml
# rules/windows/credential_access_lsass_memdump_file_created.toml
# rules/windows/credential_access_mimikatz_memssp_default_logs.toml
# rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
# rules/windows/defense_evasion_clearing_windows_event_logs.toml
# rules/windows/defense_evasion_code_injection_conhost.toml
# rules/windows/defense_evasion_cve_2020_0601.toml
# rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
# rules/windows/defense_evasion_deleting_backup_catalogs_with_wbadmin.toml
# rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
# rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
# rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml
# rules/windows/defense_evasion_encoding_or_decoding_files_via_certutil.toml
# rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
# rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
# rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
# rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
# rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
# rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
# rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
# rules/windows/defense_evasion_execution_via_trusted_developer_utilities.toml
# rules/windows/defense_evasion_hide_encoded_executable_registry.toml
# rules/windows/defense_evasion_iis_httplogging_disabled.toml
# rules/windows/defense_evasion_injection_msbuild.toml
# rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
# rules/windows/defense_evasion_masquerading_renamed_autoit.toml
# rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
# rules/windows/defense_evasion_masquerading_trusted_directory.toml
# rules/windows/defense_evasion_modification_of_boot_config.toml
# rules/windows/defense_evasion_port_forwarding_added_registry.toml
# rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml
# rules/windows/defense_evasion_sdelete_like_filename_rename.toml
# rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
# rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
# rules/windows/defense_evasion_suspicious_zoom_child_process.toml
# rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml
# rules/windows/defense_evasion_unusual_dir_ads.toml
# rules/windows/defense_evasion_unusual_system_vp_child_program.toml
# rules/windows/defense_evasion_via_filter_manager.toml
# rules/windows/defense_evasion_volume_shadow_copy_deletion_via_wmic.toml
# rules/windows/discovery_adfind_command_activity.toml
# rules/windows/discovery_admin_recon.toml
# rules/windows/discovery_file_dir_discovery.toml
# rules/windows/discovery_net_command_system_account.toml
# rules/windows/discovery_net_view.toml
# rules/windows/discovery_peripheral_device.toml
# rules/windows/discovery_process_discovery_via_tasklist_command.toml
# rules/windows/discovery_query_registry_via_reg.toml
# rules/windows/discovery_remote_system_discovery_commands_windows.toml
# rules/windows/discovery_security_software_wmic.toml
# rules/windows/discovery_whoami_command_activity.toml
# rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
# rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml
# rules/windows/execution_command_shell_started_by_powershell.toml
# rules/windows/execution_command_shell_started_by_svchost.toml
# rules/windows/execution_command_shell_started_by_unusual_process.toml
# rules/windows/execution_command_shell_via_rundll32.toml
# rules/windows/execution_from_unusual_directory.toml
# rules/windows/execution_from_unusual_path_cmdline.toml
# rules/windows/execution_shared_modules_local_sxs_dll.toml
# rules/windows/execution_suspicious_cmd_wmi.toml
# rules/windows/execution_suspicious_image_load_wmi_ms_office.toml
# rules/windows/execution_suspicious_pdf_reader.toml
# rules/windows/execution_suspicious_powershell_imgload.toml
# rules/windows/execution_suspicious_psexesvc.toml
# rules/windows/execution_suspicious_short_program_name.toml
# rules/windows/execution_via_compiled_html_file.toml
# rules/windows/execution_via_hidden_shell_conhost.toml
# rules/windows/execution_via_net_com_assemblies.toml
# rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml
# rules/windows/impact_volume_shadow_copy_deletion_via_vssadmin.toml
# rules/windows/initial_access_script_executing_powershell.toml
# rules/windows/initial_access_suspicious_ms_office_child_process.toml
# rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
# rules/windows/initial_access_unusual_dns_service_children.toml
# rules/windows/initial_access_unusual_dns_service_file_writes.toml
# rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
# rules/windows/lateral_movement_execution_from_tsclient_mup.toml
# rules/windows/lateral_movement_local_service_commands.toml
# rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
# rules/windows/lateral_movement_rdp_enabled_registry.toml
# rules/windows/lateral_movement_rdp_tunnel_plink.toml
# rules/windows/lateral_movement_remote_file_copy_hidden_share.toml
# rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml
# rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml
# rules/windows/persistence_adobe_hijack_persistence.toml
# rules/windows/persistence_appcertdlls_registry.toml
# rules/windows/persistence_appinitdlls_registry.toml
# rules/windows/persistence_evasion_registry_ifeo_injection.toml
# rules/windows/persistence_gpo_schtask_service_creation.toml
# rules/windows/persistence_local_scheduled_task_commands.toml
# rules/windows/persistence_ms_office_addins_file.toml
# rules/windows/persistence_ms_outlook_vba_template.toml
# rules/windows/persistence_priv_escalation_via_accessibility_features.toml
# rules/windows/persistence_registry_uncommon.toml
# rules/windows/persistence_run_key_and_startup_broad.toml
# rules/windows/persistence_services_registry.toml
# rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
# rules/windows/persistence_startup_folder_scripts.toml
# rules/windows/persistence_suspicious_com_hijack_registry.toml
# rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml
# rules/windows/persistence_suspicious_scheduled_task_runtime.toml
# rules/windows/persistence_suspicious_service_created_registry.toml
# rules/windows/persistence_system_shells_via_services.toml
# rules/windows/persistence_user_account_creation.toml
# rules/windows/persistence_via_application_shimming.toml
# rules/windows/persistence_via_hidden_run_key_valuename.toml
# rules/windows/persistence_via_lsa_security_support_provider_registry.toml
# rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
# rules/windows/persistence_via_update_orchestrator_service_hijack.toml
# rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
# rules/windows/privilege_escalation_named_pipe_impersonation.toml
# rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
# rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml
# rules/windows/privilege_escalation_rogue_windir_environment_var.toml
# rules/windows/privilege_escalation_uac_bypass_com_clipup.toml
# rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
# rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
# rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
# rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml
# rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
# rules/windows/privilege_escalation_uac_bypass_mock_windir.toml
# rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
# rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
# rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml
2021-02-17 12:18:06 -09:00
61deed3fd2
[Rule Tuning] 7.11.2: Add timestamp_override to all query and non-sequence EQL rules ( #948 )
...
* [Rule Tuning] Add timestamp_override field to 7.11.0 rules
* Lock versions for 7.11.2 rules
2021-02-16 10:52:48 -09:00
a0e86e20d6
[Rule Tuning] Add windows integration index to rules ( #923 )
2021-01-28 20:53:57 -09:00
c1a0438f45
[Rule Tuning] Update ATT&CK threat mappings to reflect changes ( #706 )
...
* replaced/removed all revoked/deprecated techniques
* tests will fail on revoked (changed) techniques
* tests will fail on deprecated techniques
* tests will fail when techniques are mapped to an invalid tactic
2020-12-18 12:46:16 -09:00
525512fdae
[New Rule] Remote File Copy to a Hidden Share ( #474 )
...
* [New Rule] Remote File Copy to a Hidden Share
* Update rules/windows/lateral_movement_remote_file_copy_hidden_share.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/lateral_movement_remote_file_copy_hidden_share.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* ecs_version
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
2020-12-08 16:07:18 +01:00
Samirbous