Terrance DeJesus
71d93e875e
[Rule Tuning] Tuning 'AWS Access Secret in Secrets Manager' to New Terms ( #2760 )
* [Rule Tuning] Tuning 'AWS Access Secret in Secrets Manager' to New Terms
* updated new terms
2023-05-03 09:28:59 -04:00
Ruben Groenewoud
6524acf98a
[rule tuning] modified std auth module or config ( #2737 )
2023-05-03 09:32:33 +02:00
Terrance DeJesus
d5350ae6e0
[New Rule] Commonly Abused Remote Access Tool Downloaded (New Terms) ( #2685 )
* adding initial rule
* changed new terms to host.id
* removed windows integration tag
* removed windows integration tag
* changed rule to be process started related
* rule linted
* updating description
* Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml
* added process.name.caseless to non-ecs.json
* removed host type related to #2761
* added host.os.type
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2023-05-02 23:09:17 -04:00
Terrance DeJesus
e55679059b
updating att&ck to 13.0 ( #2755 )
2023-05-02 11:17:38 -04:00
Terrance DeJesus
a04cf186fd
[Bug][FR] Remove Rule Type Change Restriction and Fix Version Lock Bug ( #2769 )
* updated version_lock to remove type restriction
* addressing flake errors
* reverting version lock and testing rule
* reverting spaces in testing rule
2023-05-02 11:00:36 -04:00
shashank-elastic
855ba16299
Linux Rule Tuning ( #2753 )
2023-05-02 19:12:13 +05:30
Karl Godard
7435ac39d2
[Rule Tuning] added rule name override for cloud_defend integration rule ( #2767 )
2023-05-02 00:05:24 -04:00
Terrance DeJesus
792da36fb9
[Bug] Add Cloud Defend to definitions.NON_DATASET_PACKAGES ( #2764 )
* updating code to include cloud defend package
* updated integration manifests and schemas
2023-04-28 11:23:48 -04:00
Mika Ayenson
6ecd65721d
[FR] Add release-docs workflow and automation ( #2745 )
2023-04-27 11:44:05 -04:00
Mika Ayenson
92945172bb
add base of workflow ( #2762 )
2023-04-27 10:03:56 -04:00
shashank-elastic
cd5bc2c44b
Update file path regex for /run ( #2749 )
2023-04-26 14:02:16 +05:30
github-actions[bot]
e254816068
Lock versions for releases: 7.16,8.0,8.1,8.2,8.3,8.4,8.5,8.6,8.7,8.8 ( #2748 )
* Locked versions for releases: 7.16,8.0,8.1,8.2,8.3,8.4,8.5,8.6,8.7,8.8
* kicking off testing
* removed change to kickoff testing
---------
Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com>
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
2023-04-25 13:42:38 -04:00
Justin Ibarra
2c76527922
Make call to TOMLRuleContents.to_dict from TOMLRuleContents.to_api_format ( #2742 )
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
2023-04-25 12:33:43 -04:00
shashank-elastic
0107e0fcaa
Detect Threat indicators for VMware ESXi servers ( #2708 )
2023-04-25 20:17:16 +05:30
Apoorva Joshi
c60e1a61a9
Updating some rule names ( #2744 )
* Changing some rule names
* Updating the date
2023-04-25 09:01:06 -03:00
Terrance DeJesus
597e6e2de1
[Bug] Add --add-historical argument to lock versions workflow ( #2739 )
* bug fix for lock version workflow
* updated all use cases with build-release
* added default to add historical
* fixed flake errors
2023-04-24 12:12:49 -04:00
Terrance DeJesus
fadb5c2343
[FR] 8.8 Release Preparation and Update Main Branch to 8.9 ( #2734 )
* [FR] 8.8 Release Preparation and Update Main Branch to 8.9
* fixed flake errors
2023-04-24 10:13:07 -04:00
Samirbous
2eda02c10e
[Rule Tuning] Multiple Logon Failure from the same Source Address ( #2588 )
* Update credential_access_bruteforce_multiple_logon_failure_same_srcip.toml
* Update rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml
* Update rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2023-04-24 09:16:17 -03:00
shashank-elastic
2996c79ff4
Detect Mount Execution With Hidepid Parameter ( #2706 )
2023-04-22 08:00:30 +05:30
Jonhnathan
84acf004da
[Rule Tuning] Component Object Model Hijacking ( #2730 )
2023-04-21 18:43:02 -03:00
Jonhnathan
12d6b49a24
[Rule Tuning] Potential Credential Access via Windows Utilities ( #2727 )
* [Rule Tuning] Potential Credential Access via Windows Utilities
* Add system integration index
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2023-04-21 18:27:44 -03:00
Terrance DeJesus
b5ef2f5f02
[FR] Generate Historical Rule Files in Build Release Packages ( #2715 )
* adding solution for historical rules in release package
* addressing flake errors
* format changes
* REVERT CHANGES - testing release-fleet workflow
* REVERTING CHANGES
* added historical flag for packaging to account for older branches
* addressing flake errors
* updated build for CI
* REMOVE: This is temporary to run a workflow from this branch
* updates to address requirements for contents
* reverting packages.yml
* Update detection_rules/integrations.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
* Update detection_rules/integrations.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
* addressed feedback and added click echo comments
* addressed flake errors and added some comments
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
2023-04-21 11:03:29 -04:00
Jonhnathan
255c53cff0
[Rule Tuning] Connection to Commonly Abused Web Services ( #2728 )
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2023-04-20 18:26:00 -03:00
Jonhnathan
b1e3215cd5
[Rule Tuning] Tune PowerShell rule FPs related to MS ATP ( #2729 )
2023-04-20 12:37:06 -03:00
shashank-elastic
2705df81e2
Tune Shell evasion Rule to incorporate GTFOArgs shell evasion ( #2687 )
2023-04-20 18:35:18 +05:30
shashank-elastic
f7aa477536
Correct Event Action to include endgame event schema ( #2610 )
2023-04-20 17:28:01 +05:30
shashank-elastic
94baa89ea8
New Rule to identify defense evasion via PRoot ( #2625 )
2023-04-20 17:14:01 +05:30
eric-forte-elastic
8ef2f6557b
Patch to allow integration validation if ECS/beats fails ( #2701 )
* Updated for AND logic
* Added case for no package_intregrations
* Fixed linting
* Added unit test for new functionality
* Fixed linting
* Added valid query tests
* Add unit test for event.dataset
* Switched type calls to isinstance calls
* Removed unused stack validation call
* Added additional error type
* Fixed linting
* Cleaned up error handling
* fixed linting
* Added proper type hints
* Fixed typo in Unions
* Updated unit test with additional test cases
* Updated test_invalid_queries unit test
* Fixed linting
* Added kql to unit tests
* Updated tests
* Fixed error handling
* Fixed style issues
* updating integration manifests and schemas
---------
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2023-04-18 15:43:35 -04:00
Jonhnathan
fb09208132
[Rule Tuning] Connection to Commonly Abused Web Services ( #2717 )
* [Rule Tuning] Connection to Commonly Abused Web Services
* Update command_and_control_common_webservices.toml
2023-04-18 09:15:47 -03:00
Terrance DeJesus
f21a9e4793
updating min stack comments ( #2712 )
2023-04-12 14:30:34 -04:00
Terrance DeJesus
894e34f82c
[Bug] Add new-package argument to bump-pkg-versions CLI ( #2703 )
* initial changes to release fleet workflow and CLI
* changed the default value of package version for 8.8
* changed how true/false is passed into CLI command
* reverted changes to packages.yml
2023-04-12 13:48:58 -04:00
Terrance DeJesus
d6f277e379
[New Rule] Google Workspace New OAuth Login from Third-Party Application ( #2677 )
* adding new rule 'Google Workspace New OAuth Login from Custom Application'
* changed name and 'custom' to 'third-party'
* Update rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml
* Update rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml
* updated non-ecs
2023-04-12 09:40:31 -04:00
Terrance DeJesus
4511ab0666
[Rule Tuning] Add Sequence for OAuth Authorization to Custom App - Google Workspace ( #2674 )
* tuning rule to add token sequence
* updated date
* updated non-ecs, integration schemas and manifests
* added investigation guide
* Updating note
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
* updating note
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
* updated false positive description
* updating manifest and schemas with main to resolve conflicts
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
2023-04-12 09:15:58 -04:00
Jonhnathan
16749e45ae
[Rule Tuning] Third-party Backup Files Deleted via Unexpected Process ( #2704 )
* [Rule Tuning] Third-party Backup Files Deleted via Unexpected Process
* Update impact_backup_file_deletion.toml
2023-04-11 13:47:52 -03:00
Mika Ayenson
e9ebb1f2d8
[Bug] Rename 8.7 schemas from *.master and strip build time fields ( #2707 )
2023-04-11 10:56:20 -04:00
github-actions[bot]
6edfb32160
Lock versions for releases: 7.16,8.0,8.1,8.2,8.3,8.4,8.5,8.6,8.7 ( #2702 )
* Locked versions for releases: 7.16,8.0,8.1,8.2,8.3,8.4,8.5,8.6,8.7
* kicking off testing
* removed change to kickoff testing
---------
Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com>
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
2023-04-10 11:24:16 -04:00
Eric
d1aadde671
[Rule Tuning] Suspicious Antimalware Scan Interface DLL ( #2671 ) ( #2672 )
* --amend
* --amend
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2023-04-06 15:15:57 -03:00
Karl Godard
d0ea8c6f98
[New Rule] new CWP rule to surface alerts from the cloud_defend integration ( #2679 )
* new CWP rule to surface alerts from the cloud_defend integration
* created new rule uuid
* updated version info. removed risk level overrides and endpoint exception list
* added event.module
* removed rule name override
* updated_date and min_stack_comments updated
* updated external alerts updated_date. added kubernetes to cwp rule tags
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2023-04-05 21:31:03 -03:00
Jonhnathan
1a9b0e732c
[Rule Tuning] Potential PowerShell HackTool Script by Function Names ( #2692 )
2023-04-05 16:48:33 -03:00
Jonhnathan
eafe54c2cc
[Rule Tuning] Potential LSASS Clone Creation via PssCaptureSnapShot ( #2691 )
2023-04-05 13:28:57 -03:00
Jonhnathan
5aaac84f3a
[Rule Tuning] Suspicious service was installed in the system ( #2693 )
* [Rule Tuning] Suspicious service was installed in the system
* Update persistence_service_windows_service_winlog.toml
2023-04-05 13:23:47 -03:00
Samirbous
0c8d0bfd3d
[New Rule] Suspicious Execution via Microsoft Office Add-Ins ( #2651 )
* Create
* Update initial_access_execution_via_office_addins.toml
* Update initial_access_execution_via_office_addins.toml
* Update initial_access_execution_via_office_addins.toml
* Update rules/windows/initial_access_execution_via_office_addins.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2023-04-05 17:02:04 +01:00
Terrance DeJesus
e878f4b820
adding fix for unit testing that broke in 8.3 ( #2683 )
2023-04-03 10:11:26 -04:00
Terrance DeJesus
71d12bdda4
[Bug] Unit Tests Passing for Rules with Integrations Not Reflected in Manifests ( #2682 )
* add promotion to rulemeta schema class and updated promotion rules
* add promotion to rulemeta schema class and updated promotion rules
* adjusted test_integration_tag and okta rule missing dataset
* fixed flake errors
* updated manifests and schemas to include cloud defend
2023-04-03 09:42:40 -04:00
Samirbous
51d50b7d8a
[New Rule] Lsass Process Access - Generic ( #2613 )
* Create credential_access_lsass_openprocess_api.toml
* Update credential_access_lsass_openprocess_api.toml
* Update credential_access_lsass_openprocess_api.toml
* Update non-ecs-schema.json
* Update rules/windows/credential_access_lsass_openprocess_api.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
* Update rules/windows/credential_access_lsass_openprocess_api.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update rules/windows/credential_access_lsass_openprocess_api.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
* Update rules/windows/credential_access_lsass_openprocess_api.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/credential_access_lsass_openprocess_api.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/credential_access_lsass_openprocess_api.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update credential_access_lsass_openprocess_api.toml
* Update non-ecs-schema.json
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2023-04-03 14:34:30 +01:00
Charlie Pichette
9713384888
Add Rule Id and Rule Name to the RTA Test List Function ( #2680 )
2023-03-31 16:08:42 -04:00
eric-forte-elastic
94621d7567
Update layer version to 4.4 ( #2676 )
2023-03-30 12:29:17 -04:00
Samirbous
892757f4a4
[New Rule] Potential Pass The Hash ( #2670 )
* Create lateral_movement_alternate_creds_pth.toml
* Update rules/windows/lateral_movement_alternate_creds_pth.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/lateral_movement_alternate_creds_pth.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/lateral_movement_alternate_creds_pth.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2023-03-29 19:37:27 +01:00
Jonhnathan
5ed2120e3f
[Rule Tuning] Potential Credential Access via Windows Utilities ( #2659 )
* [Rule Tuning] Potential Credential Access via Windows Utilities
* Update credential_access_cmdline_dump_tool.toml
2023-03-29 09:32:36 -03:00
Justin Ibarra
411ec36ff0
Validate markdown plugin fields ( #2602 )
2023-03-28 09:17:50 -04:00