72f15dda6a
[New Rule] PowerShell Kerberos Ticket Dump ( #2967 )
...
* [New Rule] PowerShell Kerberos Ticket Dump
* Update rules/windows/credential_access_posh_kerb_ticket_dump.toml
* Update rules/windows/credential_access_posh_kerb_ticket_dump.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-08-20 17:29:16 -03:00
b5e011a892
[Rule Tuning] Privileges Elevation via Parent Process PID Spoofing ( #2873 )
...
* Update privilege_escalation_via_ppid_spoofing.toml
* Update privilege_escalation_via_ppid_spoofing.toml
* bump date
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-08-17 13:52:26 -03:00
9144dc0448
[New Rule] Building Block Rules - Part 2 ( #2923 )
...
* [New Rule] Building Block Rules - Part 2
* .
* Update rules_building_block/defense_evasion_dll_hijack.toml
* Update rules_building_block/defense_evasion_file_permission_modification.toml
* Update rules_building_block/discovery_posh_password_policy.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-08-17 13:00:50 -03:00
4cf70654ad
Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10 ( #3019 )
...
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10
* Update detection_rules/etc/deprecated_rules.json
* Update detection_rules/etc/deprecated_rules.json
---------
Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2023-08-17 09:09:05 -04:00
08b646aa94
[FR] 8.10 Release Preparation and Update Main Branch to 8.11 ( #3012 )
...
* prepping for 8.11 branch
* fixed lint errors
* added 8.11 to stack schema map
* trimmed version lock file; adjusted new terms validation
* reverting changes to version lock, stack schema and workflow
2023-08-16 14:23:44 -04:00
96e50be5a6
[Rule Tuning] Potential Masquerading as Communication Apps ( #2997 )
...
* [Rule Tuning] Potential Masquerading as Communication Apps
* Update defense_evasion_masquerading_communication_apps.toml
* Update persistence_run_key_and_startup_broad.toml
* CI
* Revert "CI"
This reverts commit f43d9388dadb158d6cb63e84d2f1edcf2162bfb0.
2023-08-16 09:34:21 -03:00
f589ad4a4b
Merge branch 'main' of github.com:elastic/detection-rules
2023-08-11 08:58:51 -05:00
e938ed28a0
[Rule Tuning] added additional event action ( #3008 )
2023-08-10 16:59:07 +02:00
2393190edf
[New Rule] PowerShell Script with Webcam Video Capture Capabilities ( #2935 )
...
* [New Rule] PowerShell Script with Webcam Video Capture Capabilities
* Update collection_posh_webcam_video_capture.toml
* Update rules_building_block/collection_posh_webcam_video_capture.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2023-08-09 15:17:15 -03:00
f500cec497
fixing typo in 127.0.0.1 address ( #3004 )
2023-08-08 17:06:26 +02:00
4cbfd7c4ae
[Rule Tuning] Restricted Shell Breakout ( #2999 )
2023-08-04 19:30:18 +02:00
e904ebb760
[New Rule] PE via Container Misconfiguration ( #2983 )
...
* [New Rule] PE via Container Misconfiguration
* fixed boolean comparison unit test error
* Update privilege_escalation_container_util_misconfiguration.toml
* Update rules/linux/privilege_escalation_container_util_misconfiguration.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
2023-08-04 16:39:40 +02:00
ef49709c7d
[New Rules] Linux Wildcard Injection ( #2973 )
...
* [New Rules] Linux Wildcard Injection
* Update rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml
* Update rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-08-04 16:32:34 +02:00
c6eba3e4e6
[New Rule] Suspicious Symbolic Link Created ( #2969 )
...
* [New Rule] Suspicious Symbolic Link Created
* Update rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* fixed unit testing issues after suggestion commit
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-08-03 23:23:23 +02:00
4bcec3397c
[New Rule] Potential Suspicious DebugFS Root Device Access ( #2982 )
...
* [New Rule] Potential DebugFS Privilege Escalation
* Changed rule name
* Update rules/linux/privilege_escalation_sda_disk_mount_non_root.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-08-03 16:13:34 +02:00
207d94e51c
[New Rule] Potential Sudo Token Manipulation via Process Injection ( #2984 )
...
* [New Rule] Sudo Token Access via Process Injection
* [New Rule] Sudo Token Manipulation via Proc Inject
* Update rules/linux/privilege_escalation_sudo_token_via_process_injection.toml
* Update privilege_escalation_sudo_token_via_process_injection.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-08-03 15:58:25 +02:00
7cc841cc87
[New Rule] PE via UID INT_MAX Bug ( #2971 )
...
* [New Rule] PE via UID INT_MAX Bug
* changed file name
* Should be more decisive
* fix
* Update rules/linux/privilege_escalation_linux_uid_int_max_bug.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules/linux/privilege_escalation_linux_uid_int_max_bug.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules/linux/privilege_escalation_linux_uid_int_max_bug.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-08-03 15:51:06 +02:00
ef1fa94c52
[New BBR] Suspicious Clipboard Activity ( #2970 )
...
* [New BBR] Suspicious Clipboard Activity
* Added new line to end of file
* Update rules_building_block/collection_linux_suspicious_clipboard_activity.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules_building_block/collection_linux_suspicious_clipboard_activity.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
2023-08-03 15:41:23 +02:00
a7ff449fbc
[Rule Tuning] Some Tunings of several 8.9 rules ( #2985 )
...
* [Rule Tuning] Doing some quick tunings
* updated_date bump
* Update rules/linux/discovery_linux_modprobe_enumeration.toml
* Update rules/linux/discovery_linux_modprobe_enumeration.toml
* Update rules/linux/discovery_linux_sysctl_enumeration.toml
* Update rules/linux/persistence_init_d_file_creation.toml
* Update rules/linux/persistence_rc_script_creation.toml
* Update rules/linux/persistence_shared_object_creation.toml
* deprecate rule
* deprecate rule
* Update execution_abnormal_process_id_file_created.toml
* Update discovery_kernel_module_enumeration_via_proc.toml
* Update discovery_linux_modprobe_enumeration.toml
* Update execution_remote_code_execution_via_postgresql.toml
* Update discovery_potential_syn_port_scan_detected.toml
* Added 2 tunings, sorry I missed those..
* One more tune
* Update discovery_suspicious_proc_enumeration.toml
2023-08-03 15:25:33 +02:00
03110fb24c
[New Rule] SUID/SGUID Enumeration Detected ( #2956 )
...
* [New Rule] SUID/SGUID Enumeration Detected
* Remove endgame compatibility
* readded endgame support after troubleshooting
* Update discovery_suid_sguid_enumeration.toml
* Update rules/linux/discovery_suid_sguid_enumeration.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
2023-08-03 09:57:30 +02:00
716b621af2
[New Rule] Potential Sudo Hijacking Detected ( #2966 )
...
* [New Rule] Potential Sudo Hijacking Detected
* Update privilege_escalation_sudo_hijacking.toml
2023-08-03 09:49:14 +02:00
18c2214956
[New Rule] Sudo Command Enumeration Detected ( #2946 )
...
* [New Rule] Sudo Command Enumeration Detected
* Update discovery_sudo_allowed_command_enumeration.toml
* revert endgame support due to unit testing fail
* Update discovery_sudo_allowed_command_enumeration.toml
* Update discovery_sudo_allowed_command_enumeration.toml
* Update rules/linux/discovery_sudo_allowed_command_enumeration.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules/linux/discovery_sudo_allowed_command_enumeration.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
2023-08-03 09:39:16 +02:00
3f9e7aced1
[Bug] Strip Non-Public Fields Prior to Uploading Rules ( #2986 )
2023-08-02 12:38:48 -05:00
29fc61d55b
updated pyproject.toml ( #2991 )
2023-08-02 10:16:12 -04:00
1cb5c174ce
Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9 ( #2988 )
...
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9
* Update detection_rules/etc/version.lock.json
* Update detection_rules/etc/version.lock.json
---------
Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2023-08-01 10:12:29 -04:00
b245d5b46b
Merge branch 'main' of github.com:elastic/detection-rules
2023-08-01 08:49:22 -05:00
ea26ea77d7
[FR] Update build-release to support bbr release ( #2987 )
...
* Fixes bug in unit tests
* fix rule paths
* removed unused import
2023-07-31 15:20:18 -04:00
b8bb2da932
[New Rule] Potential Privilege Escalation via OverlayFS ( #2974 )
...
* [New Rule] Privilege Escalation via OverlayFS
* Layout change
* Revert "[New Rule] Privilege Escalation via OverlayFS"
This reverts commit f3262d179bc5f54ae5380ffa50d67041fb141c26.
* Made rule broader
* Update privilege_escalation_overlayfs_local_privesc.toml
* Update rules/linux/privilege_escalation_overlayfs_local_privesc.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules/linux/privilege_escalation_overlayfs_local_privesc.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules/linux/privilege_escalation_overlayfs_local_privesc.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules/linux/privilege_escalation_overlayfs_local_privesc.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules/linux/privilege_escalation_overlayfs_local_privesc.toml
* Update user.id to strings
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
2023-07-31 19:15:11 +02:00
d1db3a0048
[New Rule] Building Block Rules - Part 4 ( #2926 )
...
* [New Rule] Building Block Rules - Part 4
* Update discovery_win_network_connections.toml
* Update privilege_escalation_unquoted_service_path.toml
* Update rules_building_block/discovery_win_network_connections.toml
* Update rules_building_block/privilege_escalation_unquoted_service_path.toml
* Rename lateral_movement_net_share_discovery_winlog.toml to discovery_net_share_discovery_winlog.toml
* Update discovery_net_share_discovery_winlog.toml
2023-07-31 11:03:57 -03:00
1e769c51b6
Tune Unusual File Activity ADS for Teams weblogs ( #2929 )
...
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-07-31 10:41:31 -03:00
6966a6df09
[New Rule] Building Block Rules - Part 3 ( #2924 )
...
* [New Rule] Building Block Rules - Part 3
* Update defense_evasion_generic_deletion.toml
* Update defense_evasion_generic_deletion.toml
* Update defense_evasion_generic_deletion.toml
* Apply suggestions from code review
* Update rules_building_block/discovery_generic_account_groups.toml
* Apply suggestions from code review
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-07-31 10:28:25 -03:00
3813a08f59
[FR] Add support for BBR rules to the rule loader ( #2968 )
...
---------
Co-authored-by: eric-forte-elastic <eric.forte@elastic.co >
2023-07-27 11:27:04 -05:00
77b43d16e8
[FR] Generate Prebuilt Rules Reference Page ( #2964 )
2023-07-27 11:05:31 -05:00
9387a081bc
[Security Content] Add Investigation Guides to Threat Intel rules ( #2827 )
...
* [Proposal] [DRAFT] Break Threat Intel Indicator Match rules into Indicator-type rules
* .
* Update threat_intel_indicator_match_hash.toml
* Update to include expiring rules, exclude expiring indexes
* .
* Apply suggestions from code review
* Push changes
* Update pyproject.toml
* Revert "Update pyproject.toml"
This reverts commit 17cfafbd96f337df756d87909d2478545ac9efe7.
* Update pyproject.toml
* Update integration-schemas.json.gz
* Revert "Update integration-schemas.json.gz"
This reverts commit 7dc19b7ccbf41f34b94d02b0ed702bd83df82f9d.
* Revert integrations-manifests to the one from main
* Fix maturity
* Update Name
* Update ignore_ids with the indicator rules guid
* Update rules/cross-platform/threat_intel_indicator_match_registry_expiring.toml
* Update rules/cross-platform/threat_intel_indicator_match_address_expiring.toml
* Update rules/cross-platform/threat_intel_indicator_match_hash_expiring.toml
* Update rules/cross-platform/threat_intel_indicator_match_url_expiring.toml
* Make changes to use labels
* Update non-ecs-schema.json
* Update rules/cross-platform/threat_intel_fleet_integrations.toml
* Apply suggestions from code review
* Backport to 8.5
* [Security Content] Add Investigation Guides to Threat Intel rules
* Fix Rule threat filters, add tags, and compatibility with process and dll fields for hash indicators
* Update threat_intel_indicator_match_hash.toml
* Update threat_intel_indicator_match_url.toml
* Update threat_intel_indicator_match_url.toml
* Apply suggestions from review, adds Setup guide
* Apply suggestions from code review
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com >
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com >
2023-07-27 11:30:14 -03:00
bbb24704b6
[New Rule] PE through Writable Docker Socket ( #2958 )
...
* [New Rule] PE through Writable Docker Socket
* simplified query
* Update privilege_escalation_writable_docker_socket.toml
* Update privilege_escalation_writable_docker_socket.toml
* Update rules/linux/privilege_escalation_writable_docker_socket.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-07-27 10:01:29 +02:00
0666b594c6
[New Rule] Linux Local Account Brute Force ( #2965 )
2023-07-27 09:43:53 +02:00
0ff50acfd2
[Rule Tuning] Tune Threat Indicator Match Rules ( #2957 )
...
* [Rule Tuning] Tune Threat Indicator Match Rules
* Update threat_intel_indicator_match_url.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-07-26 15:12:28 -03:00
b330cf9438
[New Rule] Pspy Process Monitoring Detected ( #2945 )
...
* [New Rule] Pspy Process Monitoring Detected
* Update rules/linux/discovery_pspy_process_monitoring_detected.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/discovery_pspy_process_monitoring_detected.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/discovery_pspy_process_monitoring_detected.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-07-26 15:58:33 +02:00
9cc4b0e348
[New BBR] Potential Suspicious File Edit ( #2960 )
...
* [New BBR] Potential Suspicious File Edit
* Added a few more interesting files
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
2023-07-26 15:22:56 +02:00
6527eb0500
Rule Tuning File Permission Modification in Writable Directory ( #2961 )
2023-07-26 17:47:00 +05:30
d0d99829a2
Correct misspelling of AppDara to AppData ( #2952 )
...
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-07-26 08:10:03 -03:00
056db6003e
[Security Content] Added Compatibility note to all IGs ( #2943 )
...
* added investigation guide note
* added ig notes
* Update rules/linux/persistence_init_d_file_creation.toml
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com >
* implemented note feedback
* Update rules/linux/persistence_init_d_file_creation.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-07-26 12:54:50 +02:00
dbd7ed65a9
[Tuning] Reverse Shell Rules ( #2959 )
...
* [Rule Tuning] Reverse Shell Rule destination.ip tuning
* Updated updated_date
2023-07-25 14:55:56 +02:00
f92b34f46a
Merge branch 'main' of github.com:elastic/detection-rules
2023-07-20 13:31:52 -05:00
93845626b7
Potential Cross Site Scripting ( XSS ) ( #2922 )
2023-07-20 19:12:00 +05:30
8b808b9b83
New Cross Platform BBR Rules ( #2920 )
2023-07-19 21:27:23 +05:30
8de2684498
[Security Content] Add Investigation Guides to Linux DRs 8.9 ( #2868 )
...
* [Investigation Guide] 10 new Linux IG's 8.9
* Added 4 more IG tags
* Update rules/linux/persistence_init_d_file_creation.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/linux/persistence_init_d_file_creation.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/linux/persistence_init_d_file_creation.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/linux/persistence_init_d_file_creation.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/linux/persistence_init_d_file_creation.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/linux/persistence_rc_script_creation.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/linux/persistence_rc_script_creation.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/linux/persistence_systemd_scheduled_timer_created.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/linux/persistence_systemd_scheduled_timer_created.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/linux/persistence_systemd_scheduled_timer_created.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/linux/persistence_init_d_file_creation.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/linux/persistence_linux_backdoor_user_creation.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/linux/persistence_linux_backdoor_user_creation.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/linux/persistence_linux_backdoor_user_creation.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/linux/persistence_linux_shell_activity_via_web_server.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/linux/persistence_linux_user_account_creation.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/linux/persistence_linux_user_added_to_privileged_group.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/linux/persistence_message_of_the_day_creation.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/linux/persistence_message_of_the_day_creation.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/linux/persistence_message_of_the_day_creation.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/linux/persistence_message_of_the_day_execution.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/linux/persistence_message_of_the_day_execution.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/linux/persistence_rc_script_creation.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/linux/persistence_rc_script_creation.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/linux/persistence_rc_script_creation.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/linux/persistence_message_of_the_day_execution.toml
* Update rules/linux/persistence_init_d_file_creation.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/persistence_init_d_file_creation.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/persistence_linux_shell_activity_via_web_server.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/persistence_rc_script_creation.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/persistence_systemd_scheduled_timer_created.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/persistence_systemd_scheduled_timer_created.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* implemented feedback
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-07-19 17:13:24 +02:00
97d429e314
[New] Suspicious Microsoft 365 Mail Access by ClientAppId ( #2933 )
...
* [New] Suspicious Microsoft 365 Mail Access by ClientAppId
Using New Term rule type identifies when a Microsoft 365 Mailbox is accessed by a ClientAppId that was observed for the fist time during the last 10 days.
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-193a
https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-o365.html
* Update initial_access_microsoft_365_abnormal_clientappid.toml
* Update initial_access_microsoft_365_abnormal_clientappid.toml
2023-07-19 16:05:13 +01:00
f920bc6151
New Linux BBR Rules ( #2917 )
2023-07-19 20:12:59 +05:30
5e714e01e6
[Security Content] Add Windows Investigation Guides ( #2825 )
...
* [Security Content] Add Windows Investigation Guides
* Apply suggestions from code review
Co-authored-by: Joe Peeples <joe.peeples@elastic.co >
* Add IG Tag
* Apply suggestions from code review
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
---------
Co-authored-by: Joe Peeples <joe.peeples@elastic.co >
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
2023-07-19 08:07:01 -03:00
Jonhnathan