David French
72fee8d16f
Create persistence_google_workspace_admin_role_assigned_to_user.toml ( #554 )
2020-11-18 09:07:39 -07:00
David French
78b8d5c761
new-rule-mfa-disabled-for-google-workspace-organization ( #553 )
2020-11-18 09:05:07 -07:00
David French
6aca322cfd
[New Rule] Google Workspace Password Policy Modified ( #552 )
* new-rule-google-workspace-policy-modified
* lint rule
2020-11-18 09:02:59 -07:00
David French
f11e9f8302
[New Rule] Administrator Role Assigned to Okta User ( #489 )
* Create persistence_administrator_role_assigned_to_okta_user.toml
* set maturity to production
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Reorder references to put the most relevant at the top
* tweak rule name
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-11-18 08:59:23 -07:00
Samirbous
eb487f9433
[New Rule] Timestomping using Touch Command ( #463 )
* [New Rule] Timestomping using Touch Command
* Update defense_evasion_timestomp_touch.toml
* added macOS tag
* Update rules/linux/defense_evasion_timestomp_touch.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-11-17 23:29:47 +01:00
Justin Ibarra
ad4a2ef0eb
Add test commands to search and survey rule hits ( #485 )
2020-11-17 13:08:00 -09:00
Samirbous
abea5d0779
[New Rule] Prompt for Credentials with OSASCRIPT ( #540 )
2020-11-17 22:25:40 +01:00
Samirbous
4547ee3750
[New Rule] Suspicious Execution - Short Program Name ( #536 )
* [New Rule] Suspicious Execution - Short Program Name
* Update rules/windows/execution_suspicious_short_program_name.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-11-17 21:27:37 +01:00
Samirbous
4741f70fad
[New Rule] Potential Remote Desktop Tunneling Detected ( #374 )
* [New Rule] Remote Desktop Tunneling using SSH Plink Utility
* Update lateral_movement_rdp_tunnel_plink.toml
* Update lateral_movement_rdp_tunnel_plink.toml
* changed tags
* expanded condition to more than plink
There are other SSH utilities that can be used like Plink, thus removed the process original file name condition and added mandatory switches such as -L, -P and -R.
* Update lateral_movement_rdp_tunnel_plink.toml
* more args options
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-11-17 21:25:48 +01:00
Samirbous
14e36c2693
[New Rule] Security Software Discovery using WMIC ( #387 )
* [New Rule] Security Software Discovery using WMIC
* added tags
* adjusted args for performance
avoiding leading wildcard in process args
* Update discovery_security_software_wmic.toml
* Update discovery_security_software_wmic.toml
* Update discovery_security_software_wmic.toml
* Update rules/windows/discovery_security_software_wmic.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/windows/discovery_security_software_wmic.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-11-17 21:23:28 +01:00
Samirbous
ba4b8bc3e3
[New Rule] UAC Bypass via Elevated COM IEinstall ( #450 )
* [New Rule] Bypass UAC via Elevated COM Internet Explorer Add-on Installer
* Linted
* Update privilege_escalation_uac_bypass_com_ieinstal.toml
* adjusted executable path for better performance
* Update rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-11-17 21:21:15 +01:00
Samirbous
3af915ff49
[New Rule] Suspicious Cmd Execution via WMI ( #389 )
* [New Rule] Suspicious Cmd Execution via WMI
* Update lateral_movement_suspicious_cmd_wmi.toml
* Update lateral_movement_suspicious_cmd_wmi.toml
* expanded process args for more coverage
* Update rules/windows/lateral_movement_suspicious_cmd_wmi.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-11-17 21:19:30 +01:00
David French
9d3395f9e3
Create okta_attempt_to_delete_okta_application.toml ( #497 )
2020-11-17 08:53:59 -07:00
David French
58e54f40e3
Create okta_attempt_to_deactivate_okta_application.toml ( #496 )
2020-11-17 08:51:51 -07:00
David French
768069a8bc
[New Rule] Attempt to Modify an Okta Application ( #495 )
* Create okta_attempt_to_modify_okta_application.toml
* add reference
2020-11-17 08:49:02 -07:00
David French
88b8bca929
Create persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.toml ( #530 )
2020-11-17 08:44:37 -07:00
Justin Ibarra
0573def41c
Merge pull request #528 from brokensound77/mergeback/7.10-to-main
Mergeback 7.10 changes to main
2020-11-12 20:49:04 +01:00
Justin Ibarra
00f8f83a25
Merge branch 'main' into mergeback/7.10-to-main
2020-11-12 20:28:42 +01:00
Ross Wolf
b91203233d
Link to the Elastic contributor program ( #520 )
2020-11-12 07:02:18 -07:00
brokensound77
75d37e9271
Merge remote-tracking branch 'upstream/main' into mergeback/7.10-to-main
2020-11-12 00:59:31 -09:00
brokensound77
123d523cf0
lock version changes for 7.10
2020-11-12 00:52:44 -09:00
Ross Wolf
8ca32f1423
Fix ClientError (NoneType) suffix
2020-11-09 11:08:36 -07:00
Justin Ibarra
f87f2a46f4
[Rule Tuning] Remove all rule timelines ( #466 )
2020-11-03 09:51:53 -09:00
Justin Ibarra
da64bacac1
[Rule Tuning] Add timeline_title to rules with timeline IDs defined ( #452 )
2020-11-02 14:12:20 -09:00
Brent Murphy
9838d3d2f7
[Rule Tuning] Remove duplicate rules after EQL conversion ( #436 )
* [Rule Tuning] Remove duplicate rules after EQL conversion
* Update defense_evasion_rundll32_sequence.toml
* swap msxsl rules
2020-10-30 15:49:28 -04:00
Justin Ibarra
3b597bdb72
fix auth args in get_es_client
2020-10-30 09:19:50 -08:00
Justin Ibarra
3827d01a65
fix bugs in es client retrieval
2020-10-29 21:20:49 -08:00
Justin Ibarra
a575cf9ff3
[Rule Tuning] Use cidrMatch for eql rules checking multiple IPs ( #431 )
2020-10-29 11:06:24 -08:00
Justin Ibarra
fda1e7ef94
Bump zoom rule to production ( #427 )
2020-10-29 11:02:29 -08:00
Justin Ibarra
0d3c35886c
Remove connection type from endpoint network rules ( #426 )
2020-10-28 12:35:34 -08:00
Ross Wolf
7da343e89f
Fix kibana upload command ( #425 )
2020-10-28 10:16:36 -06:00
Ross Wolf
a0a8d63baf
Merge branch '7.10' into main
2020-10-28 09:40:15 -06:00
Derek Ditch
580db2c13e
Add timeline_id to detection rules ( #95 )
* Adds timeline_id to all network rules
- Uses the ID for the 'Generic Network Timeline' from Elastic
* Adds timeline_id to all endpoint rules
- Uses the ID for the 'Generic Endpoint Timeline' from Elastic
* Adds timeline_id to all process-oriented rules
- Uses the ID for the 'Generic Process Timeline' from Elastic
* Ran tests and toml-lint
* Bumped 'updated_date'
2020-10-27 13:34:16 -05:00
Justin Ibarra
e71398e2ad
[Bug] Fix Kibana client login to work with 7.10 ( #404 )
2020-10-26 22:25:48 -08:00
Justin Ibarra
442b31bd2f
Update packages.yml
2020-10-26 12:07:34 -08:00
seth-goodwin
2065af89b1
[Rule Tuning] Tag Categorization Updates ( #380 )
* Add new categorization tags
* Change updated_date to 2020/10/26
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>, @bm11100
2020-10-26 13:50:45 -05:00
Brent Murphy
2e422f7159
[Rule Tuning] Minor Rule Tweaks for 7.10 ( #400 )
* Tweak Rules for 7.10
* Add endpoint index for packetbeat rules
* update unit test to account for Network tag as well
* update modified date, add endpoint tag
* use Host instead of Endpoint
* Update packaging.py
* add v back to changelog url
* Add "tag" comment to get_markdown_rule_info
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
2020-10-22 09:07:04 -04:00
Justin Ibarra
0a992d716a
[Rule Tuning] Update EQL rules for 7.10 ( #399 )
* update syntax to reflect eql changes
* use more case-insensitivity
* comment out missing fields for winlogbeat compatibility
2020-10-21 12:35:18 -08:00
Justin Ibarra
fd2d36573d
Update logic in rules using fields: process.code_signature.* or process.pe.original_file_name ( #364 )
2020-10-20 15:22:02 -08:00
Justin Ibarra
d3226c72c9
Add test for tactic in rule filename ( #398 )
2020-10-20 14:48:33 -08:00
Stijn Holzhauer
60b3d47efd
Add kibana-upload --space option ( #251 )
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-10-08 12:21:54 -06:00
Justin Ibarra
758e4a2c5b
Add unit tests for rule tags ( #359 )
2020-10-07 19:29:19 -08:00
Justin Ibarra
bd680a2bd4
Re-organize commands under more specific click groups ( #356 )
* Restructure commands under more specific click groups
* standardize CLI error handling
* add global debug options
* move es and kibana clients into their click groups
* move commands and groups to dedicated files
* distinguish variable names for better env/config parsing
2020-10-07 12:15:33 -08:00
Kevin Logan
f34c96f4dc
[Rule Tuning][SECURITY_SOLUTION] rename Endpoint security ( #355 )
2020-10-05 09:55:15 -08:00
Andrew Pease
0b745c5492
[New Rule] Zoom Meeting with no Passcode ( #292 )
2020-09-30 21:44:45 -08:00
Justin Ibarra
bf202b6b6c
[New Rule] Initial converted EQL rules ( #304 )
* 18 converted eql rules (not all prod)
2020-09-30 21:40:55 -08:00
Justin Ibarra
2460333595
[Rule Tuning] Add extended lookback for all endpoint rules to account for ingest delays ( #351 )
2020-09-30 16:16:04 -08:00
Samirbous
d094c76534
[New Rule] Suspicious Zoom ChildProcess ( #245 )
2020-09-30 15:46:33 -08:00
Andrew Pease
5ba848552a
[New Rule] Post Exploitation Public IP Reconnaissance ( #270 )
2020-09-30 15:36:22 -08:00
Andrew Pease
e753162fe2
[New Rule] Detecting Unsecure Elasticsearch Nodes ( #109 )
2020-09-30 15:34:38 -08:00