feaeabf60c
[New Rule] Dynamic Linker (ld.so) Creation ( #4306 )
2025-01-03 17:06:38 +01:00
fea5c90ed9
[New Rule] Kernel Object File Creation ( #4325 )
...
* [New Rule] Kernel Object File Creation
* ++
* Update rules/linux/persistence_kernel_object_file_creation.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2025-01-03 16:49:59 +01:00
466097c31e
[Rule Tuning] Potential Persistence via File Modification ( #4310 )
...
* [Rule Tuning] Potential Persistence via File Modification
* Update persistence_suspicious_file_modifications.toml
* Update persistence_suspicious_file_modifications.toml
2025-01-03 16:19:58 +01:00
53ca51b20c
[New Rule] Simple HTTP Web Server Connection ( #4309 )
2025-01-03 16:06:28 +01:00
e26e4e40b4
[New Rule] Simple HTTP Web Server Creation ( #4308 )
2025-01-03 15:54:25 +01:00
0273997581
[New Rule] Loadable Kernel Module Configuration File Creation ( #4307 )
2025-01-03 15:33:31 +01:00
7e775a6c95
[New Rule] Unusual Preload Environment Variable Process Execution ( #4305 )
2025-01-03 15:23:41 +01:00
9424a57207
[Rule Tuning] Creation or Modification of Pluggable Authentication Module or Configuration ( #4304 )
2025-01-03 15:05:05 +01:00
c9c8e3501e
[New Rule] Unusual SSHD Child Process ( #4303 )
...
* [New Rule] Unusual SSHD Child Process
* Update persistence_unusual_sshd_child_process.toml
2025-01-03 14:50:43 +01:00
c7fe940206
[New Rule] Pluggable Authentication Module Creation in Unusual Directory ( #4302 )
...
* [New Rule] Pluggable Authentication Module Creation in Unusual Directory
* Update persistence_pluggable_authentication_module_creation_in_unusual_dir.toml
* Update rules/linux/persistence_pluggable_authentication_module_creation_in_unusual_dir.toml
2025-01-03 14:35:08 +01:00
5384191934
[New Rule] PAM Version Discovery ( #4300 )
...
* [New Rule] PAM Version Discovery
* Update discovery_pam_version_discovery.toml
* Update discovery_pam_version_discovery.toml
* Update discovery_pam_version_discovery.toml
* Update rules/linux/discovery_pam_version_discovery.toml
2025-01-03 14:25:38 +01:00
aca416a779
[Rule Tuning] Windows misc Rule Tuning ( #4298 )
2025-01-02 07:44:01 -03:00
c99cf9279d
[Tuning] Uncommon Registry Persistence Change ( #4286 )
...
* Update persistence_registry_uncommon.toml
Add registry rules for additional SMSS persistence vectors
* Update persistence_registry_uncommon.toml
* Update persistence_registry_uncommon.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2024-12-25 19:06:58 -03:00
9fb2dea7aa
[New Rule] Endpoint Security Promotion Rules for Specific Events ( #3533 )
...
* new endpoint security rules for specific alerts
* updated risk scores
* fixed rule names and UUIDs
* changed logic to use message field for detection vs prevention
* reverting changes
* reverting changes
* reverting to old commit
* reverting to old commit
* reverting to old commit
* reverting to old commit
* changed naming to Elastic Defend
* updated rule dates and min-stacks
* linted; adjusted queries
* updated ransomware, memory sig or shellcode risk
* Update rules/integrations/endpoint/elastic_endpoint_security.toml
* updated promotion rule
* fixed typos in naming
* updated setup guides
* added intervals
* added MITRE
* added investigation guide for Memory Threat
* ++
* ++
* Update rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.toml
Co-authored-by: natasha-moore-elastic <137783811+natasha-moore-elastic@users.noreply.github.com >
* Update rules/integrations/endpoint/elastic_endpoint_security_memory_signature_prevented.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/integrations/endpoint/elastic_endpoint_security_memory_signature_detected.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/integrations/endpoint/elastic_endpoint_security_malicious_file_prevented.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/integrations/endpoint/elastic_endpoint_security_memory_signature_detected.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/integrations/endpoint/elastic_endpoint_security_memory_signature_prevented.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/integrations/endpoint/elastic_endpoint_security_ransomware_detected.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/integrations/endpoint/elastic_endpoint_security_ransomware_prevented.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* ++
* ++
* ++
* ++
* Update rules/integrations/endpoint/elastic_endpoint_security.toml
* Update rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.toml
* Update rules/integrations/endpoint/elastic_endpoint_security_behavior_prevented.toml
* Update rules/integrations/endpoint/elastic_endpoint_security_malicious_file_detected.toml
* Update rules/integrations/endpoint/elastic_endpoint_security_memory_signature_prevented.toml
* ++
* ++
* ++
* Update rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update rules/integrations/endpoint/execution_elastic_malicious_file_detected.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update rules/integrations/endpoint/impact_elastic_ransomware_detected.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update rules/integrations/endpoint/elastic_endpoint_security_behavior_prevented.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update rules/integrations/endpoint/execution_elastic_malicious_file_prevented.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update rules/integrations/endpoint/impact_elastic_ransomware_prevented.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update rules/integrations/endpoint/defense_evasion_elastic_memory_threat_prevented.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update rules/integrations/endpoint/defense_evasion_elastic_memory_threat_prevented.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update rules/integrations/endpoint/elastic_endpoint_security_behavior_prevented.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update rules/integrations/endpoint/elastic_endpoint_security_behavior_prevented.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update rules/integrations/endpoint/execution_elastic_malicious_file_detected.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update rules/integrations/endpoint/execution_elastic_malicious_file_detected.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update rules/integrations/endpoint/execution_elastic_malicious_file_prevented.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update rules/integrations/endpoint/execution_elastic_malicious_file_prevented.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update rules/integrations/endpoint/execution_elastic_malicious_file_prevented.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update rules/integrations/endpoint/impact_elastic_ransomware_detected.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update rules/integrations/endpoint/impact_elastic_ransomware_detected.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update rules/integrations/endpoint/impact_elastic_ransomware_detected.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update rules/integrations/endpoint/impact_elastic_ransomware_prevented.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update rules/integrations/endpoint/impact_elastic_ransomware_prevented.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update rules/integrations/endpoint/defense_evasion_elastic_memory_threat_detected.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update rules/integrations/endpoint/impact_elastic_ransomware_prevented.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update rules/integrations/endpoint/defense_evasion_elastic_memory_threat_detected.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update rules/integrations/endpoint/defense_evasion_elastic_memory_threat_detected.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update rules/integrations/endpoint/defense_evasion_elastic_memory_threat_prevented.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update defense_evasion_elastic_memory_threat_prevented.toml
* toml-lint
* Update rules/integrations/endpoint/execution_elastic_malicious_file_detected.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* ++
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
Co-authored-by: Samirbous <Samir.Bousseaden@elastic.co >
Co-authored-by: natasha-moore-elastic <137783811+natasha-moore-elastic@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2024-12-19 13:24:23 -05:00
dad008ea34
[Rule Tuning] Lookback Times for Okta Multiple Session and AWS KMS Retrieval Rules ( #4324 )
...
* rule tuning Okta and AWS lookback times
* adjusted Query Registry using Built-in Tools
* adjusted My First Rule
* Update rules/cross-platform/guided_onboarding_sample_rule.toml
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
* Update rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2024-12-19 13:03:50 -05:00
0a740074c9
new rule 'Azure Entra MFA TOTP Brute Force Attempts' ( #4297 )
2024-12-12 11:00:02 -05:00
f0291b440a
Minstack endpoint rules with process.group.id fields ( #4294 )
2024-12-10 21:03:32 +05:30
e6012b1db6
Removing ESQL query format error ( #4292 )
2024-12-10 09:27:37 -05:00
052672b09f
[Rule Tuning] Update Okta and Github Min-Stack Versions for Release ( #4290 )
2024-12-09 20:58:33 +05:30
e7b88ae3fc
[New Rule] Adding Coverage for Self-Created Login Profile for Root Accounts in AWS ( #4277 )
...
* new rule 'AWS IAM Login Profile Added for Root'
* added min-stack
* linted; fixed rule schema errors
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
2024-12-09 08:55:20 -05:00
2c848c5111
Prep for Release 8.18 ( #4288 )
2024-12-09 18:25:13 +05:30
511c108ba1
[Tuning] SDH - Possible Consent Grant Attack via Azure-Registered Application ( #4283 )
...
* [Tuning] Possible Consent Grant Attack via Azure-Registered Application
SDH related rule tuning for o365.audit dataset
* removing renamed field from query
2024-12-06 17:27:38 -05:00
801efb3d93
Protections for AWS Bedrock ( #4270 )
2024-12-03 21:56:39 +05:30
53cfeb76e3
Add event dataset for missing rule in Github integration ( #4278 )
2024-12-03 20:32:55 +05:30
5ab7565923
Minstack versions for Okta and Github Integration ( #4273 )
2024-11-27 18:39:41 +05:30
4e28895e66
[Rule Tuning] Kernel Module Removal ( #4269 )
...
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2024-11-25 21:13:44 +01:00
2d79494068
new rule 'AWS STS AssumeRoot by Rare User and Member Account' ( #4271 )
2024-11-25 10:28:43 -05:00
f36845318e
[New] First Time Seen User Auth via DeviceCode Protocol ( #4153 )
...
* Create credential_access_first_time_seen_device_code_auth.toml
* Update credential_access_first_time_seen_device_code_auth.toml
* Update credential_access_first_time_seen_device_code_auth.toml
* Update rules/integrations/azure/credential_access_first_time_seen_device_code_auth.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update rules/integrations/azure/credential_access_first_time_seen_device_code_auth.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update credential_access_first_time_seen_device_code_auth.toml
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2024-11-11 13:04:18 +00:00
b66d0e0a0d
[New] Remote Desktop File Opened from Suspicious Path ( #4251 )
2024-11-11 18:08:48 +05:30
ef453d8f4d
[Rule Tuning] Add Investigation Fields to Specific AWS Rules ( #4261 )
...
* adding investigation fields to specific aws rules
* updated patch
* removing min-stack requirements
* removed user.name redundancy
* adjusted order of investigation fields
* adding source address
2024-11-08 23:11:18 -05:00
33d832d4e4
[Rule Tuning] Tuning Process Termination followed by Deletion ( #4173 )
...
* adding rule tuning
* adjusted operators; fixed missing quotes
* Update rules/windows/defense_evasion_process_termination_followed_by_deletion.toml
* Update defense_evasion_process_termination_followed_by_deletion.toml
* Update defense_evasion_process_termination_followed_by_deletion.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2024-11-08 16:38:17 -03:00
56e61a6321
[New Rule] Potential Hex Payload Execution ( #4241 )
...
* [New Rule] Potential Hex Payload Execution
* Update rules/linux/defense_evasion_hex_payload_execution.toml
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
2024-11-08 19:15:17 +01:00
54bb319f7b
[New Rule] Memory Swap Modification ( #4239 )
...
* [New Rule] Memory Swap Modification
* Update rules/linux/impact_memory_swap_modification.toml
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
2024-11-08 19:06:55 +01:00
3207ca37e4
[New Rule] Unusual Interactive Shell Launched from System User ( #4238 )
...
* [New Rule] Unusual Interactive Shell Launched from System User
* Update defense_evasion_interactive_shell_from_system_user.toml
* Update defense_evasion_interactive_shell_from_system_user.toml
* Update rules/linux/defense_evasion_interactive_shell_from_system_user.toml
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
2024-11-08 18:24:30 +01:00
267a6b6fa6
[New Rule] Web Server Spawned via Python ( #4236 )
...
* [New Rule] Web Server Spawned via Python
* Update execution_python_webserver_spawned.toml
* Update rules/linux/execution_python_webserver_spawned.toml
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
* Update execution_python_webserver_spawned.toml
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
2024-11-08 18:16:19 +01:00
83f31e1640
[New Rule] Directory Creation in /bin directory ( #4227 )
...
* [New Rule] Directory Creation in /bin directory
* Description fix
* Update rules/linux/defense_evasion_directory_creation_in_bin.toml
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
2024-11-08 18:07:06 +01:00
6040b6aee4
[New Rule] Hidden Directory Creation via Unusual Parent ( #4226 )
...
* [New Rule] Hidden Directory Creation via Unusual Parent
* Update rules/linux/defense_evasion_hidden_directory_creation.toml
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
2024-11-08 17:58:13 +01:00
43148a72f4
[New Rule] Security File Access via Common Utilities ( #4243 )
...
* [New Rule] Security File Access via Common Utilities
* [New Rule] Security File Access via Common Utilities
* Update discovery_security_file_access_via_common_utility.toml
2024-11-08 17:41:33 +01:00
f89e245e29
[New Rule] Potential Data Splitting Detected ( #4235 )
...
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
2024-11-08 17:32:59 +01:00
3e268282d1
[New Rule] Private Key Searching Activity ( #4242 )
...
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
2024-11-08 17:13:55 +01:00
40118186fb
[New Rule] IPv4/IPv6 Forwarding Activity ( #4240 )
...
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
2024-11-08 17:06:07 +01:00
993c60decb
[New Rule] Curl SOCKS Proxy Activity from Unusual Parent ( #4237 )
...
* [New Rule] Curl SOCKS Proxy Activity from Unusual Parent
* OS Type update
* Update rules/linux/command_and_control_curl_socks_proxy_detected.toml
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
2024-11-08 16:51:18 +01:00
d2502c7394
Prep for Release 8.17 ( #4256 )
2024-11-07 23:53:04 +05:30
d1b102730c
[Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 8 ( #4233 )
...
* [Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 8
* Update defense_evasion_powershell_windows_firewall_disabled.toml
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
2024-11-07 12:38:27 -03:00
ef0f96c874
[Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 7 ( #4232 )
...
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
2024-11-07 12:27:47 -03:00
d2dfd46b3e
Update credential_access_suspicious_lsass_access_generic.toml ( #4188 )
2024-11-07 13:56:53 +00:00
a92fdc18a1
[New Rule] Adding Coverage for AWS IAM Customer-Managed Policy Attached to Role by Rare User ( #4245 )
...
* adding new rule 'AWS IAM Customer-Managed Policy Attached to Role by Rare User'
* adding investigation guide tag
* adds new hunting query
* updated notes
* changed name
* adjusting pyproject.toml version
2024-11-06 13:36:13 -05:00
6a39009402
Add investigation guide for Amazon Bedrock Rules ( #4247 )
...
* Add investigation guide for Amazon Bedrock Rules
* updated date
* review comments
* review comments
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2024-11-06 12:58:02 -05:00
1cc160fe2e
[Rule Tuning] Add Investigation Guides to AWS Rules ( #4249 )
...
* adding investigation guides for existing AWS rules
* removing 'AWS EC2 Instance Interaction with IAM Service' rule tuning
* adding back newline
* adjusted mitre att&ck mapping
* adjusted query and rule name
* updating date
2024-11-06 12:29:14 -05:00
c602042954
[New Rule] Adding Coverage for AWS Discovery API Calls via CLI from a Single Resource ( #4246 )
...
* adding new rule 'AWS Multiple Discovery API Calls via CLI from a Single Resource'
* adjusted name
* adjusted ESQL functions
* changed query comment
* Update rules/integrations/aws/discovery_ec2_multiple_discovery_api_calls_via_cli.toml
* adjusted query
* added min-stack
* adjusted query
2024-11-06 12:14:38 -05:00
Ruben Groenewoud