Mika Ayenson, PhD
f0f7d217c0
[FR] Refactor Schema Validation & Support Multi-Dataset Sequence Validation ( #5059 )
2025-09-10 13:11:04 -05:00
shashank-elastic
25539fd6c6
Delete Development Rules ( #5084 )
2025-09-10 23:24:28 +05:30
shashank-elastic
6adee51410
Fix Ruff failures ( #5083 )
2025-09-10 22:24:07 +05:30
shashank-elastic
822f649715
Fix updated_date for tunings as part of #5079 ( #5081 )
2025-09-10 22:05:36 +05:30
shashank-elastic
a6dfd2c0e1
Add test_min_stack_version_supported testcase ( #5077 )
2025-09-10 20:12:36 +05:30
shashank-elastic
c6406e97c2
Tune Rules that have unsupported versions in min_stack_version ( #5079 )
2025-09-10 19:43:28 +05:30
Mika Ayenson, PhD
392e0253c3
[Rule Tuning] Beats & Endgame Indices ( #5072 )
2025-09-09 13:19:13 -05:00
Mika Ayenson, PhD
35b000b7ab
[FR] Add negate DOES NOT MATCH capability to IM rule type (>=9.2) ( #5041 )
2025-09-09 10:58:53 -05:00
Ruben Groenewoud
0f0f16bdee
[Rule Tuning] D-Bus Service Created ( #5076 )
2025-09-09 15:33:58 +02:00
Jonhnathan
375082729a
[Rule Tuning] Adjust process.code_signature.trusted condition ( #5067 )
* [Rule Tuning] Adjust process.code_signature.trusted condition
* typo
2025-09-08 08:42:17 -07:00
Jonhnathan
6ac71050dc
[Rule Tuning] Remote File Download via PowerShell ( #5062 )
* [Rule Tuning] Remote File Download via PowerShell
* Update command_and_control_remote_file_copy_powershell.toml
* Update rules/windows/command_and_control_remote_file_copy_powershell.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update command_and_control_remote_file_copy_powershell.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2025-09-08 07:59:53 -07:00
Jonhnathan
4aa6c4e715
[Rule Tuning] Untrusted Driver Loaded ( #5061 )
* [Rule Tuning] Untrusted Driver Loaded
* Update defense_evasion_untrusted_driver_loaded.toml
2025-09-05 06:12:30 -07:00
Jonhnathan
9ee15a13b0
[Rule Tuning] Connection to Commonly Abused Web Services ( #5060 )
* [Rule Tuning] Connection to Commonly Abused Web Services
* Update command_and_control_common_webservices.toml
2025-09-04 11:58:13 -07:00
Eric Forte
cbb892b4bc
[Bug] Incorrect Integrations Schema Parsing for Nested Fields ( #5058 )
* Add proper handling for nested fields
* Updated schemas
* bump patch
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
2025-09-04 14:12:33 -04:00
Mika Ayenson, PhD
3c1de72f6b
[FR] Add support for 5 group_by fields in threshold rules (>=9.2) ( #5040 )
2025-09-04 09:24:36 -05:00
shashank-elastic
b4db783413
Tune a Tag discrepancy in rule ( #5053 )
2025-09-02 21:12:06 +05:30
Samirbous
0bbad3bbf8
Update defense_evasion_modify_ownership_os_files.toml ( #5051 )
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2025-09-02 08:18:35 -07:00
Ruben Groenewoud
ef7ff52119
[Rule Tuning] Misc. Linux ES|QL Rules ( #5050 )
* [Rule Tuning] Misc. Linux ES|QL Rules
* update date bump
* ++
* Update persistence_web_server_sus_child_spawned.toml
* Update working directory conditions in TOML file
2025-09-02 13:49:22 +02:00
github-actions[bot]
f2291e0261
Lock versions for releases: 8.18,8.19,9.0,9.1 ( #5049 )
2025-09-01 23:19:12 +05:30
Jonhnathan
8d2ea9220b
[New Rules] Potential Relay Attack against a Computer Account ( #4826 )
* [New Rules] Potential Relay Attack against a Computer Account Rules
* update description
* .
* add min_stack
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
2025-09-01 10:07:37 -07:00
Samirbous
464fb3951e
[Tuning] Unusual Network Activity from a Windows System Binary ( #5048 )
2025-09-01 22:17:53 +05:30
Jonhnathan
a31b3a36ad
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 10 ( #5025 )
* [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 10
* Update rules/windows/execution_shared_modules_local_sxs_dll.toml
* pending adjustments
* Update execution_windows_cmd_shell_susp_args.toml
2025-09-01 09:30:21 -07:00
Samirbous
a62ee7a8a2
[New] Active Directory Discovery using AdExplorer ( #5047 )
* [New] Active Directory Discovery using AdExplorer
* Update discovery_ad_explorer_execution.toml
* Update rules/windows/discovery_ad_explorer_execution.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/discovery_ad_explorer_execution.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2025-09-01 16:58:22 +01:00
Samirbous
40794368a7
[New] Connection to Common Large Language Model Endpoints ( #5044 )
* [New] Connection to Common Large Language Model Endpoints
* [New] Connection to Common Large Language Model Endpoints
* Update rules/windows/command_and_control_common_llm_endpoint.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update command_and_control_common_llm_endpoint.toml
* Update rules/windows/command_and_control_common_llm_endpoint.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/command_and_control_common_llm_endpoint.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/command_and_control_common_llm_endpoint.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/command_and_control_common_llm_endpoint.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/command_and_control_common_llm_endpoint.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2025-09-01 16:47:31 +01:00
Jonhnathan
ba354ceff9
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 16 ( #5038 )
2025-09-01 08:25:52 -07:00
shashank-elastic
93ac471574
Monthly Schema Updates ( #5046 )
2025-09-01 20:42:42 +05:30
Samirbous
61af3e801d
[New] Potential System Tampering via File Modification ( #5043 )
* [New] Potential System Tampering via File Modification
* Update impact_mod_critical_os_files.toml
* Update rules/windows/impact_mod_critical_os_files.toml
* Create defense_evasion_modify_ownership_os_files.toml
* Update defense_evasion_modify_ownership_os_files.toml
* Update defense_evasion_modify_ownership_os_files.toml
* Update defense_evasion_modify_ownership_os_files.toml
* Update defense_evasion_modify_ownership_os_files.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2025-09-01 15:52:26 +01:00
Samirbous
e1205cb5c5
[New/Tuning] Windows Rules to detect top threats/TTPs 24/25 ( #5001 )
* [New/Tuning] Windows Top Threats 2024/2025
1) MSHTA:
- tuning to exclude FPs
- new rule `Remote Script via Microsoft HTML Application` compatible with 3rd party EDR/sysmon/system/winlog integration and that does not require correlation or multiple types of events.
2) MSIEXEC:
* Update defense_evasion_mshta_susp_child.toml
* Update defense_evasion_script_via_html_app.toml
* Update defense_evasion_mshta_susp_child.toml
* Create defense_evasion_msiexec_remote_payload.toml
* Update defense_evasion_msiexec_remote_payload.toml
* ++
* Create execution_scripting_remote_webdav.toml
* Create execution_windows_fakecaptcha_cmd_ps.toml
* Create command_and_control_rmm_netsupport_susp_path.toml
* Update command_and_control_rmm_netsupport_susp_path.toml
* ++
* Update execution_jscript_fake_updates.toml
* Create command_and_control_dns_susp_tld.toml
* ++
* Create command_and_control_remcos_rat_iocs.toml
* Update execution_windows_fakecaptcha_cmd_ps.toml
* Update execution_scripts_archive_file.toml
* Update defense_evasion_masquerading_renamed_autoit.toml
* ++
* Create execution_nodejs_susp_patterns.toml
* Update execution_nodejs_susp_patterns.toml
* Update execution_windows_fakecaptcha_cmd_ps.toml
* Fix unit test errors
* Update defense_evasion_network_connection_from_windows_binary.toml
* Add system index
* Add tag
* Update rules/windows/command_and_control_remcos_rat_iocs.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* Remove duplicate
* Update defense_evasion_msiexec_child_proc_netcon.toml
* Update defense_evasion_masquerading_renamed_autoit.toml
* Update defense_evasion_masquerading_renamed_autoit.toml
* Update defense_evasion_masquerading_renamed_autoit.toml
* Create credential_access_browsers_unusual_parent.toml
* Update credential_access_browsers_unusual_parent.toml
* ++
* Update defense_evasion_masquerading_renamed_autoit.toml
* Update rules/windows/command_and_control_dns_susp_tld.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/command_and_control_remcos_rat_iocs.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/defense_evasion_mshta_susp_child.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/discovery_host_public_ip_address_lookup.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/discovery_host_public_ip_address_lookup.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/execution_windows_phish_clickfix.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update discovery_host_public_ip_address_lookup.toml
* Update execution_windows_phish_clickfix.toml
* Update rules/windows/defense_evasion_script_via_html_app.toml
* Update rules/windows/command_and_control_dns_susp_tld.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/discovery_host_public_ip_address_lookup.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/command_and_control_dns_susp_tld.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/credential_access_browsers_unusual_parent.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/command_and_control_dns_susp_tld.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/defense_evasion_msiexec_child_proc_netcon.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/discovery_host_public_ip_address_lookup.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/defense_evasion_msiexec_child_proc_netcon.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/discovery_host_public_ip_address_lookup.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/defense_evasion_msiexec_child_proc_netcon.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/execution_nodejs_susp_patterns.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update discovery_host_public_ip_address_lookup.toml
* Update rules/windows/command_and_control_dns_susp_tld.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update defense_evasion_masquerading_renamed_autoit.toml
* Update defense_evasion_script_via_html_app.toml
---------
Co-authored-by: eric-forte-elastic <eric.forte@elastic.co>
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2025-09-01 15:41:51 +01:00
Jonhnathan
b2bc6021f2
[Rule Tuning] 3rd Party EDR Compatibility - Adjust CS Windows Paths ( #5037 )
* [Rule Tuning] 3rd Party EDR Compatibility - Adjust CS Windows Paths
* ++
* Update defense_evasion_workfolders_control_execution.toml
* Update privilege_escalation_uac_bypass_event_viewer.toml
2025-09-01 05:31:12 -07:00
Jonhnathan
dd918b1f80
[Rule Tuning] Suspicious DLL Loaded for Persistence or Privilege Escalation ( #5039 )
2025-09-01 05:09:31 -07:00
Terrance DeJesus
d9151c30ae
[Rule Tuning] M365 Portal Logins (Impossible & Atypical) ( #5031 )
* [Rule Tuning] M365 Portal Logins (Impossible & Atypical)
Fixes #5009
* updated new terms value
* fixed unit test failures
* Update rules/integrations/o365/initial_access_microsoft_365_portal_login_from_rare_location.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/integrations/o365/initial_access_microsoft_365_impossible_travel_portal_logins.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* adjusted rule name and file names
* fixed field misspelling
* fixed investigation guide
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2025-08-29 15:41:38 -04:00
Terrance DeJesus
d2791bf29a
[New Rule] Toolshell Exploit Chain Detections ( #4928 )
* adding toolshell attack chain rules for exploit and RCE
* updated query
* added references
* fixed references; linted
* Update rules/network/execution_potential_rce_via_toolshell.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* Update rules/network/initial_access_potential_toolshell_exploit_attempt.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* changed to BBR; lowered severity; adjusted queries
* Update rules_building_block/execution_potential_rce_via_toolshell.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules_building_block/execution_potential_rce_via_toolshell.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* fixed from and interval failures
* changed file name
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2025-08-29 15:17:52 -04:00
Terrance DeJesus
4aebb7dfc5
[Rule Tuning] Microsoft Entra ID Suspicious Session Reuse to Graph Access ( #4997 )
* tuning rule 'Microsoft Entra ID Suspicious Session Reuse to Graph Access'
* Update rules/integrations/azure/initial_access_entra_graph_single_session_from_multiple_addresses.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
2025-08-29 14:57:25 -04:00
Terrance DeJesus
7e9ef00b79
[New Rule] Threat Intelligence Signal - Microsoft Defender for Office 365 ( #4994 )
* adding new rule 'Threat Intelligence Signal - Microsoft Defender for Office 365'
* added mitre mapping
* Update rules/integrations/o365/initial_access_defender_for_m365_threat_intelligence_signal.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
* added note for max signals
* linted
* fixed unit test failure
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
2025-08-29 14:41:34 -04:00
Terrance DeJesus
4b9e3887bb
[Rule Tuning] Multi-Factor Authentication Disabled for User ( #5006 )
* tuning rule 'Multi-Factor Authentication Disabled for User'
* adjusted query logic
* fixed query logic for optimization that passes unit tests; changed severity and risk back to medium
2025-08-29 13:20:12 -04:00
Isai
590cc9cbbd
[Tuning] First Occurrence of STS GetFederationToken Request by User ( #5007 )
Rule is executing as expected; however, it is alerting on failed requests. Low alert telemetry.
This tuning:
- removed markdown and edited description to be more specific
- reduced execution window for 1 min lookback
- name change to add `AWS` consistent with all other rules
- added references that reflect in the wild threats and persistence usage
- increased risk_score and severity to medium accounting for usage as persistence mechanism in the wild
- added Persistence tag and Mitre tactic, technique, subtechnique
- added `event.outcome: success` criteria to query
- edited investigation guide to be a more accurate reflection of steps required for investigating alert, including appropriate response action
- added highlighted fields
** Note: only IAMUser and Root user identities can call this action so we can use `aws.cloudtrail.user_identity.arn` as the new terms field without worrying about Role vs Role + Session issue seen with other new_terms rules
2025-08-29 13:08:59 -04:00
Isai
4cde57de07
[Tuning] First Time AWS Cloudformation Stack Creation by User ( #5036 )
* [Tuning] First Time AWS Cloudformation Stack Creation by User
- corrected a creation_date error
- Removed `CreateStackSet` API call as this only creates a blueprint for creating stack instances across multiple AWS accounts and regions but does not actually create the resources
- Added `CreateStackInstances` API call which is used to create resources defined in the StackSet
- removed user from rule name as this also triggers for roles
- edited description and investigation guide
- added Mitre technique
* adding highlighted fields
2025-08-29 12:36:21 -04:00
Jonhnathan
79daf3fc68
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 13 ( #5028 )
* [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 13
* Apply suggestions from code review
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2025-08-28 13:28:14 -07:00
Jonhnathan
ccedd45df1
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 15 ( #5030 )
* [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 15
* Apply suggestions from code review
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* ++
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2025-08-28 13:07:38 -07:00
Jonhnathan
86dd350579
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 14 ( #5029 )
* [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 14
* Apply suggestions from code review
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2025-08-28 12:50:59 -07:00
Jonhnathan
7eec833ec8
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 12 ( #5027 )
* [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 12
* Update rules/windows/persistence_app_compat_shim.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2025-08-28 12:40:03 -07:00
Jonhnathan
41dd521546
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 11 ( #5026 )
* [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 11
* Apply suggestions from code review
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2025-08-28 12:28:49 -07:00
Jonhnathan
9c08869575
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 9 ( #5024 )
2025-08-28 12:15:25 -07:00
Jonhnathan
be18b4db16
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 8 ( #5023 )
* [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 8
* Apply suggestions from code review
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update defense_evasion_wdac_policy_by_unusual_process.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2025-08-28 12:04:55 -07:00
Jonhnathan
48dfb759cd
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 7 ( #5022 )
2025-08-28 11:51:45 -07:00
Jonhnathan
1af98a6170
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 6 ( #5021 )
* [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 6
* Apply suggestions from code review
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update defense_evasion_proxy_execution_via_msdt.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2025-08-28 11:37:15 -07:00
Jonhnathan
b91e73714e
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 5 ( #5020 )
* [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 5
* Update defense_evasion_ms_office_suspicious_regmod.toml
2025-08-28 11:26:09 -07:00
Jonhnathan
85a0d27b13
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 4 ( #5019 )
* [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 4
* Update rules/windows/defense_evasion_microsoft_defender_tampering.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2025-08-28 11:05:42 -07:00
Jonhnathan
0fbf57c1d9
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 3 ( #5018 )
* [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 3
* Apply suggestions from code review
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/windows/defense_evasion_file_creation_mult_extension.toml
* Update rules/windows/defense_evasion_file_creation_mult_extension.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2025-08-28 10:55:21 -07:00
Jonhnathan
8ab98458fa
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 2 ( #5017 )
* [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 2
* Update defense_evasion_code_signing_policy_modification_registry.toml
* Update defense_evasion_communication_apps_suspicious_child_process.toml
* Update rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml
* Update defense_evasion_communication_apps_suspicious_child_process.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2025-08-28 10:40:34 -07:00