f98f4e5a95
[Tuning] Suspicious DLL Loaded for Persistence or Privilege Escalation ( #5525 )
...
* Update privilege_escalation_persistence_phantom_dll.toml
* Update privilege_escalation_persistence_phantom_dll.toml
* Update privilege_escalation_persistence_phantom_dll.toml
2026-01-07 21:03:44 +00:00
93ac471574
Monthly Schema Updates ( #5046 )
2025-09-01 20:42:42 +05:30
dd918b1f80
[Rule Tuning] Suspicious DLL Loaded for Persistence or Privilege Escalation ( #5039 )
2025-09-01 05:09:31 -07:00
e4856d3c2c
Refresh ecs, beats, integration manifests & schemas ( #4699 )
2025-05-05 23:06:40 +05:30
e8c54169a4
Prep main for 9.1 ( #4555 )
...
* Prep for Release 9.1
* Update Patch Version
* Update Patch version
* Update Patch version
2025-03-26 11:04:14 -04:00
15177246cc
[Rule Tuning] Windows - Improve Index Pattern Consistency ( #4462 )
2025-02-17 07:04:34 -03:00
2c07e88c07
[Rule Tuning] Fix double bumps caused by Windows Integration Update ( #4156 )
2024-10-15 23:57:44 +05:30
a98161ad2a
[Tuning] Suspicious DLL Loaded for Persistence or Privilege Escalation ( #4144 )
...
* Update privilege_escalation_persistence_phantom_dll.toml
* Update privilege_escalation_persistence_phantom_dll.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2024-10-15 10:49:01 +01:00
ffb68174f9
[Rule Tuning] Suspicious DLL Loaded for Persistence or Privilege Escalation ( #3887 )
2024-07-15 06:41:45 -03:00
63e91c2f12
Back-porting Version Trimming ( #3704 )
2024-05-23 00:45:10 +05:30
2c3dbfc039
Revert "Back-porting Version Trimming ( #3681 )"
...
This reverts commit 71d2c59b5c
2024-05-22 13:51:46 -05:00
71d2c59b5c
Back-porting Version Trimming ( #3681 )
2024-05-23 00:11:50 +05:30
b47b91b9ec
[Rule Tuning] Tighten up Indexes of Elastic Defend Windows Rules ( #3549 )
...
* [Rule Tuning] Tighten up Indexes of Elastic Defend Windows Rules
* Delete test.pkl
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2024-04-01 20:45:12 -03:00
f5254f3b5e
[Rule Tuning] Improve Compatibility in WIndows Detection Rules - Part 1 ( #3501 )
...
* Initial commit
* Date bump
2024-03-13 10:27:44 -03:00
458e67918a
[Security Content] Small tweaks on the setup guides ( #3308 )
...
* [Security Content] Small tweaks on the setup guides
* Additional Fixes
* Avoid touching deprecated rules
2024-03-11 09:09:40 -03:00
a568c56bc1
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform ( #3157 )
2023-10-30 16:53:04 +05:30
f584fb6e31
[Security Content] Adjust Mitre Att&ck Mappings - Windows Rules ( #3165 )
...
* [Security Content] Adjust Mitre Att&ck Mappings - Windows Rules
* Fix dates
* Fix unit test errors
* updated tags and fixed branch conflicts
updated tags and fixed branch conflicts
* description nit
* Reverting unintended changes
* Update initial_access_suspicious_ms_office_child_process.toml
---------
Co-authored-by: imays11 <59296946+imays11@users.noreply.github.com >
2023-10-15 18:12:20 -03:00
4233fef238
[Security Content] Include "Data Source: Elastic Defend" tag ( #3002 )
...
* win folder
* Other folders
* Update test_all_rules.py
* .
* updated missing elastic defend tags
---------
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co >
2023-09-05 14:22:01 -04:00
7aa8a7b5fb
[Rules Tuning] diverse tuning ( #2506 )
...
* Update credential_access_saved_creds_vault_winlog.toml
* Update lateral_movement_powershell_remoting_target.toml
* Update credential_access_saved_creds_vault_winlog.toml
* Update lateral_movement_remote_services.toml
* Update lateral_movement_incoming_winrm_shell_execution.toml
* Update lateral_movement_rdp_enabled_registry.toml
* Update persistence_scheduled_task_updated.toml
* Update persistence_scheduled_task_updated.toml
* Update privilege_escalation_persistence_phantom_dll.toml
* Update privilege_escalation_persistence_phantom_dll.toml
* Update rules/windows/persistence_scheduled_task_updated.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-06-30 18:57:00 +01:00
b4c84e8a40
[Security Content] Tags Reform ( #2725 )
...
* Update Tags
* Bump updated date separately to be easy to revert if needed
* Update resource_development_ml_linux_anomalous_compiler_activity.toml
* Apply changes from the discussion
* Update persistence_init_d_file_creation.toml
* Update defense_evasion_timestomp_sysmon.toml
* Update defense_evasion_application_removed_from_blocklist_in_google_workspace.toml
* Update missing Tactic tags
* Update unit tests to match new tags
* Add missing IG tags
* Delete okta_threat_detected_by_okta_threatinsight.toml
* Update command_and_control_google_drive_malicious_file_download.toml
* Update persistence_rc_script_creation.toml
* Mass bump
* Update persistence_shell_activity_by_web_server.toml
* .
---------
Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2023-06-22 18:38:56 -03:00
0273d118a6
[Rule Tuning] Add endgame support for Windows Rules ( #2428 )
...
* Update impact_deleting_backup_catalogs_with_wbadmin.toml
* Update impact_deleting_backup_catalogs_with_wbadmin.toml
* 1/2
* bump updated_date
* 2/3
* Finale
* Update persistence_evasion_registry_ifeo_injection.toml
* .
* Multiple fixes
* Missing index
* Missing AND
2023-03-06 12:47:11 -03:00
59da2da474
[Rule Tuning] Ensure host information is in endpoint rule queries ( #2593 )
...
* add unit tests to ensure host type and platform are included
* add host.os.name 'linux' to all linux rules
* add host.os.name macos to mac rules
* add host.os.name to windows rules; fix linux dates
* update from host.os.name to host.os.type
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-03-05 11:41:19 -07:00
9981cca275
[Security Content] Investigation Guides Line breaks refactor ( #2454 )
...
* [Security Content] Investigation Guides Line breaks refactor (#2412 )
* [Security Content] Investigation Guides Line break refactor
* undo updated_date bump on deprecated rules
* Remove duplicated key
* Remove changes to deprecated rules
* Update command_and_control_certutil_network_connection.toml
2023-01-09 13:28:10 -03:00
b1a689b6fd
Revert "[Security Content] Investigation Guides Line breaks refactor ( #2412 )" ( #2453 )
...
This reverts commit d1481e1a88
2023-01-09 10:44:54 -05:00
d1481e1a88
[Security Content] Investigation Guides Line breaks refactor ( #2412 )
...
* [Security Content] Investigation Guides Line break refactor
* undo updated_date bump on deprecated rules
* Remove duplicated key
2023-01-09 11:56:39 -03:00
4312d8c958
[FR] Add Endpoint, APM and Windows Integration Tags to Rules and Supportability ( #2429 )
...
* initial commit
* addressing flake errors
* added apm to _get_packagted_integrations logic
* addressed flake errors
* adjusted integration schema and updated rules to be a list
* updated several rules and removed a unit test
* updated rules with logs-* only index patterns
* Update tests/test_all_rules.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
* addressed flake errors
* integration is none is windows, endpoint or apm
* adding rules with accepted incoming changes from main
* fixed tag and tactic alignment errors from unit testing
* adjusted unit testing logic for integration tags; added more exclusion rules
* adjusted test_integration logic to be rule resistent and skip if -8.3
* adjusted comments for unit test skip
* fixed merge conflicts from main
* changing test_integration_tag to remove logic for rule version comparisons
* added integration tag to new rule
* adjusted rules updated_date value
* ignore guided onboarding rule in unit tests
* added integration tag to new rule
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2023-01-04 09:30:07 -05:00
73ebdb64c3
Update privilege_escalation_persistence_phantom_dll.toml ( #2443 )
2023-01-04 07:46:59 +00:00
ac01718bb6
[Rule Tuning] Add tags to flag Sysmon-only rules & Modify Investigation Guide-related tag ( #2352 )
...
* [Rule Tuning] Add tags to flag Sysmon-only rules
* Modify tags
* Revert "Modify tags"
This reverts commit 3d9267d171a41f727bb499501d71d5c4db4f0434.
* Modify tags
* Update test_all_rules.py
* Update test_all_rules.py
* Update test_all_rules.py
* Update test_all_rules.py
* Update test_all_rules.py
2022-11-18 12:32:27 -03:00
9861958833
[Security Content] Add missing "has_guide" tag ( #2349 )
...
* Add missing "has_guide" tag
* bump updated_date
2022-10-11 06:30:19 -07:00
f02ffbbe13
[Security Content] Add Investigation Guides - 8.5 ( #2305 )
...
* [Security Content] Add Investigation Guides - 8.5
* Update persistence_run_key_and_startup_broad.toml
* Apply suggestions from security-docs review review
* Update execution_suspicious_jar_child_process.toml
* Apply suggestions from review
2022-09-23 18:44:24 -03:00
46d5e37b76
min_stack all rules to 8.3 ( #2259 )
...
* min_stack all rules to 8.3
* bump date
Co-authored-by: Mika Ayenson <mika.ayenson@elastic.co >
2022-08-24 10:38:49 -06:00
b15f0de9a4
[Rules Tuning] Diverse Windows Rules - FPs reduction ( #2213 )
...
* [Rules Tuning] 7 diverse Windows rules
Excluding FP patterns while avoiding breaking compat with winlogbeat and 4688 events lack of codesign metadata.
* Update initial_access_suspicious_ms_exchange_process.toml
* Update privilege_escalation_persistence_phantom_dll.toml
* Update execution_psexec_lateral_movement_command.toml
* Update persistence_remote_password_reset.toml
* Update non-ecs-schema.json
* Update persistence_remote_password_reset.toml
* Update non-ecs-schema.json
* Update discovery_privileged_localgroup_membership.toml
2022-08-02 18:37:07 +02:00
a52751494e
2058 add setup field to metadata ( #2061 )
...
* Convert config header to setup in note field
* Parse note field into separate setup and note field with marko gfm
* only validate and parse note on elastic authored rules and add CLI description for new DR_BYPASS_NOTE_VALIDATION_AND_PARSE environment variable
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com >
2022-07-18 15:41:32 -04:00
20d2e92cfe
Review & Fix Invalid References ( #1936 )
2022-04-26 17:57:15 -03:00
6bdfddac8e
Expand timestamp override tests ( #1907 )
...
* Expand timestamp_override tests
* removed timestamp_override from eql sequence rules
* add config entry for eql rules with beats index and t_o
* add timestamp_override to missing fields
2022-04-01 15:27:08 -08:00
6626cbb943
Update privilege_escalation_persistence_phantom_dll.toml ( #1228 )
2021-06-01 09:29:09 -04:00
3fc34b86f2
Update License to Elastic v2 ( #944 )
2021-03-03 22:12:11 -09:00
645a0cd67b
[Rule Tuning] Add timestamp_override to all query and non-sequence EQL rules ( #945 )
...
* [Rule Tuning] Add timestamp_override field to rules
* add tests for lookback and timestamp_override
* fix dates and add test to ensure updated > creation
2021-02-17 19:49:58 -09:00
4d68377d1b
[New Rule] Suspicious DLL Loaded for Persistence or Privilege Escalation ( #819 )
...
* [New Rule] Suspicious DLL Loaded for Persistence or Privilege Escalation
* replaced file.name with dll.name
* Update rules/windows/privilege_escalation_persistence_phantom_dll.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update privilege_escalation_persistence_phantom_dll.toml
* Update rules/windows/privilege_escalation_persistence_phantom_dll.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* relinted
* Update rules/windows/privilege_escalation_persistence_phantom_dll.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/privilege_escalation_persistence_phantom_dll.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2021-02-08 23:04:02 +01:00
Samirbous