bcd698add2
[New Rule] Azure Event Hub Deletion ( #170 )
...
* Create defense_evasion_event_hub_deletion.toml
* Update rules/azure/defense_evasion_event_hub_deletion.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
* Update rules/azure/defense_evasion_event_hub_deletion.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
* lint
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
2020-09-04 10:23:43 -04:00
a49d102de3
[New Rule] Azure Event Hub Authorization Rule Created or Updated ( #173 )
...
* Create collection_update_event_hub_auth_rule.toml
* Update rules/azure/collection_update_event_hub_auth_rule.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/azure/collection_update_event_hub_auth_rule.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2020-09-04 09:32:30 -04:00
0ac7f3d672
[New Rule] Azure Firewall Policy Deletion ( #169 )
...
* Create defense_evasion_firewall_policy_deletion.toml
* Update rules/azure/defense_evasion_firewall_policy_deletion.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
2020-09-04 09:28:58 -04:00
9025a7d183
[New Rule] Azure Diagnostic Settings Deletion ( #157 )
...
* Create azure_diagnostic_settings_deletion.toml
* Update azure_diagnostic_settings_deletion.toml
2020-09-04 09:20:13 -04:00
b4a15960cb
[New Rule] Azure Command Execution on Virtual Machine ( #155 )
...
* Create execution_command_virtual_machine.toml
* Update execution_command_virtual_machine.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
2020-09-03 17:09:40 -04:00
6b04105936
[New Rule] Azure Resource Group Deletion ( #158 )
...
* Create impact_resource_group_deletion.toml
* Update rules/azure/impact_resource_group_deletion.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
2020-09-03 17:06:43 -04:00
1f555c289f
[New Rule] Azure Privileged Identity Management Role Modified ( #238 )
...
* new-rule-azure-pim-role-modified
* Add ATT&CK metadata to rule
* Update rules/azure/defense_evasion_azure_privileged_identity_management_role_modified.toml
2020-09-03 15:02:14 -06:00
89db7384a0
[New Rule] Azure Automation Runbook Deleted ( #235 )
...
* new-rule-azure-automation-runbook-deleted
* Update rules/azure/impact_azure_automation_runbook_deleted.toml
Fix typo in rule description
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/azure/impact_azure_automation_runbook_deleted.toml
Remove superfluous parens from query
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2020-09-03 13:09:40 -06:00
225aba61c9
[New Rule] Multi-Factor Authentication Disabled for an Azure User ( #195 )
...
* new-rule-mfa-disabled-for-an-azure-user
* Update rules/azure/defense_evasion_mfa_disabled_for_azure_user.toml
Update ECS version
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/azure/defense_evasion_mfa_disabled_for_azure_user.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2020-09-03 12:42:27 -06:00
43204391b6
[New Rule] User Added as Owner for Azure Service Principal ( #194 )
...
* new-rule-user-added-as-owner-for-azure-service-principal
* Update rules/azure/defense_evasion_user_added_as_owner_for_azure_application.toml
Add parens to query
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/azure/defense_evasion_user_added_as_owner_for_azure_application.toml
Update ECS version
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com >
2020-09-03 12:21:44 -06:00
43f657ac4e
[New Rule] User Added as Owner for Azure Application ( #191 )
...
* new-rule-user-added-as-owner-for-azure-application
* Update rule name and description
* Update rules/azure/defense_evasion_user_added_as_owner_for_azure_application.toml
Update query to remove superfluous quotes
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/azure/defense_evasion_user_added_as_owner_for_azure_application.toml
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com >
* Add ATT&CK metadata to rule
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com >
2020-09-03 12:15:33 -06:00
75474387a8
[New Rule] Attempts to Brute Force an Okta User Account ( #186 )
...
* new-rule-attempts-to-brute-force-an-okta-user-account
* Update rules/okta/credential_access_attempts_to_brute_force_okta_user_account.toml
* Update rules/okta/credential_access_attempts_to_brute_force_okta_user_account.toml
Update ecs_version
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com >
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com >
2020-09-03 11:23:56 -06:00
4c431d2408
[New Rule] Azure Automation Webhook Created ( #179 )
...
* new-rule-azure-automation-webhook-created
* Update rules/azure/persistence_azure_automation_webhook_created.toml
Update description
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/azure/persistence_azure_automation_webhook_created.toml
Update ecs_version
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com >
2020-09-03 11:20:50 -06:00
98f216404a
[New Rule] Azure Automation Runbook Created or Modified ( #178 )
...
* new-rule-azure-automation-runbook-created-or-modified
* Update rules/azure/persistence_azure_automation_runbook_created_or_modified.toml
Update ecs_version
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2020-09-03 11:16:42 -06:00
85e799b378
[New Rule] Azure Automation Account Created ( #177 )
...
* new-rule-azure-automation-account-created
* Fix rule name format 😄
* Update rules/azure/persistence_azure_automation_account_created.toml
Update maturity to production
* Update rules/azure/persistence_azure_automation_account_created.toml
Update ecs_version to 1.6.0
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com >
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com >
2020-09-03 11:08:38 -06:00
6e931959bb
Update pythonpackage.yml ( #242 )
2020-09-02 12:59:33 -08:00
b8e0c379c5
Update packages.yml
2020-09-02 14:10:46 -05:00
6b7ea7e66c
Fix kibana-diff command ( #198 )
2020-09-02 12:19:17 -05:00
464d5e645a
Fix kibana-upload and remove cumbersome dataclasses ( #216 )
...
* Fix kibana-upload and remove cumbersom dataclasses
* Linting fixes
2020-09-01 05:47:27 -06:00
aec3ec31b9
Merge branch '7.9' into main
2020-08-27 15:54:44 -08:00
779a3a5b0d
Build all branches
2020-08-27 17:35:13 -06:00
4ffdc46ba7
Lock rule versions ( #207 )
2020-08-27 17:47:29 -05:00
79a0dfefbe
Add ECS 1.6.0 schema for validation testing ( #220 )
...
* Add ecs 1.6.0 and refresh master ecs (2.0.0)
* update rule metadata to use ecs_version 1.6.0
2020-08-27 11:54:49 -05:00
d955ad275e
Add help wanted label to contrib ( #219 )
2020-08-27 10:05:20 -06:00
5310ec722a
Fix NOTICE.txt typo
2020-08-24 08:06:58 -06:00
be08536880
Increase lookback for endpoint rules ( #200 )
2020-08-21 12:23:43 -05:00
1fccc39699
Change verbiage around Elastic license
2020-08-19 11:47:10 -06:00
28c869fb5f
Expand documentation on CLI and workflows ( #130 )
2020-08-18 14:27:51 -05:00
9b70383898
Refresh ecs master and add beats v7.8.1 schemas ( #156 )
2020-08-17 12:33:20 -05:00
08e500e44e
Merge locked versions from 7.9
2020-08-04 13:35:25 -06:00
69a5b7e409
Lock versions for 7.9 release
2020-08-04 13:35:14 -06:00
cb1c401e27
Merge branch '7.9' into main
2020-08-03 15:20:36 -06:00
01b1e8be26
[Rule Tuning] Update Tags for Cloud Rules ( #99 )
...
* [Rule Tuning] Update Tags for Cloud Rules
* commenting out specifying alphabetical tag order in rule formatter
* Update rule_formatter.py
* py lint
* Lint fix comments
* update modified dates
* Update credential_access_secretsmanager_getsecretvalue.toml
* adding Continuous Monitoring tag
* update tags
* fixed and in tags
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
2020-08-03 17:15:15 -04:00
a99b7c96fe
Merge branch '7.9' into main
2020-08-03 14:03:15 -06:00
7efe33e01d
[Rule Tuning] Update Index Pattern for Detection Engine Rules ( #101 )
...
* [Rule Tuning] Update Index Pattern for Detection Engine Rules
* update indices
2020-08-03 15:46:57 -04:00
83e33e70bb
Rename slack channel
2020-07-30 19:44:02 -06:00
0455307577
Downgrade rule version before uploading to Kibana ( #97 )
...
* Downgrade version before uploading to Kibana
* Update downgrade exception format
* Update s/siem/detection
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2020-07-28 11:03:47 -06:00
3c4a383947
Add list_id to exceptions_list and remove endgame:* from external alerts ( #98 )
2020-07-28 07:30:48 -06:00
8f5ddbb121
Add better CLI support for handling Kibana exported rules ( #83 )
2020-07-27 23:31:19 -05:00
d15da0ada1
Add versioned schemas with a downgrade path ( #84 )
...
* Add versioned schemas with a downgrade path
* Remove and move unused variables
* Add missing license
* Skip NotField for output_index
* Add strip_additional_properties for kibana import
* Remove stray comment
* Apply suggestions from code review
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2020-07-23 11:39:35 -06:00
978a8d9df8
[Bug] Set threshold.field to empty string instead of null ( #87 )
2020-07-22 19:31:09 -04:00
4ba23ad6cd
Merge branch '7.9' into main
2020-07-22 14:39:18 -06:00
4b17cb37f0
Update External Alerts rule index to match default securitySolution:defaultIndex value ( #86 )
...
## Summary
Updates the External Alerts rule index to match default securitySolution:defaultIndex value
``` toml
index = ["apm-*-transaction*", "auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "packetbeat-*", "winlogbeat-*"]
```
Note: extra spaces are from running `toml-lint`
## Contributor checklist
- Have you signed the [contributor license agreement](https://www.elastic.co/contributor-agreement )? Yes!
- Have you followed the [contributor guidelines](https://github.com/elastic/detection-rules/blob/main/CONTRIBUTING.md )? Yes!
2020-07-22 14:37:19 -06:00
5f867dbb72
Add KQL -> DSL conversion ( #81 )
...
* Add KQL -> DSL converter
* Lint with black to 120 chars
* Add more tests and flatten shoulds
* Fix NotValue conversion to DSL
2020-07-22 11:05:45 -06:00
b5213e66b2
[Rule Tuning} Correct Promotion Rule Descriptions ( #85 )
2020-07-22 12:36:18 -04:00
b4d8985105
[Rule Tuning] Update terms in promotion rules ( #72 )
...
* [Rule Tuning] Update terms in promotion rules
* Update Endpoint terms and lint
2020-07-21 14:28:30 -04:00
e08ff6c55d
[Rule Tuning] Update Cloud rules with note field ( #79 )
...
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
2020-07-21 12:27:42 -04:00
16fb306254
Add command to upload to kibana ( #58 )
...
* Add upload command to kibana
* Restore skipped fields
* Change prefix to DR_
* Add note to manage_versions call
* Reorder requirements.txt to trigger build
2020-07-20 15:58:28 -06:00
aaef4b99f4
[New Rule] Okta Brute Force or Password Spraying Attack ( #66 )
...
* Create credential_access_okta_brute_force_or_password_spraying.toml
* Update maturity to production
* Update severity and risk score
* Aggregate by source.ip field
To ensure that investigate in timeline displays expected events
* Update false positive information
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Tweak false positive info
* Update rules/okta/credential_access_okta_brute_force_or_password_spraying.toml
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com >
* Update rules/okta/credential_access_okta_brute_force_or_password_spraying.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com >
2020-07-20 12:44:59 -06:00
4784342723
[New Rule] AWS IAM Brute Force of Assume Role Policy ( #67 )
...
* Create credential_access_aws_iam_assume_role_brute_force.toml
* Update maturity to production
* Update formatting for query
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rule name
* Update rules/aws/credential_access_aws_iam_assume_role_brute_force.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rule description
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update note field in rule
... to inform users that AWS Filebeat module must be enabled to use this rule.
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com >
* lint rule
* Update rules/aws/credential_access_aws_iam_assume_role_brute_force.toml
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com >
2020-07-20 12:43:26 -06:00
Brent Murphy