1dfb05ec1c
Lock versions for releases: 8.12,8.13,8.14,8.15,8.16,8.17 ( #4442 )
2025-02-04 00:05:59 +05:30
aba793f3e5
Add prerelease version Integration manifests & schemas for sentinel_one_cloud_funnel ( #4438 )
2025-02-03 09:15:14 -05:00
350474b7b4
Refresh ECS & Beats schemas, Integration manifests & schemas ( #4436 )
2025-02-03 19:18:49 +05:30
bf1caf8b5f
[Rule Tuning] December-January AWS Rule Tuning ( #4425 )
...
* [Rule Tuning] AWS Monthly Rule Tunings
* Adding several more AWS tunings
* updating patch version
* updating non-ecs type to boolean
* fixed cloudtrail index
2025-01-31 10:35:18 -05:00
8093655f76
Lock versions for releases: 8.12,8.13,8.14,8.15,8.16,8.17 ( #4400 )
2025-01-21 19:35:57 +05:30
5162067a51
[New Rule] Adding Coverage for Unusual AWS S3 Object Encryption with SSE-C ( #4377 )
...
* new rule 'Unusual AWS S3 Object Encryption with SSE-C'
* updated pyproject patch version
* bump repo version
* Update rules/integrations/aws/impact_s3_unusual_object_encryption_with_sse_c.toml
* updating patch version
* updating patch version
* Adding additional threshold rule
2025-01-15 14:11:58 -05:00
97b3f43870
[New Rule] Adding Coverage for AWS EC2 Deprecated AMI Discovery ( #4328 )
...
* new rule 'AWS EC2 Deprecated AMI Discovery'
* updated type
* updated non-ecs; bumped package version
* updated query
* added missing index
* updated patch version
2025-01-15 11:53:18 -05:00
47571956a7
Lock versions for releases: 8.12,8.13,8.14,8.15,8.16,8.17 ( #4347 )
2025-01-07 22:54:34 +05:30
52db5e0361
Monthly Refresh ECS & Beats schemas, Integration manifests & schemas. ( #4332 )
2025-01-06 21:48:11 +05:30
419e5c1ad3
[Tuning] Suspicious WMI Event Subscription Created ( #4327 )
...
* Update persistence_sysmon_wmi_event_subscription.toml
* Update non-ecs-schema.json
* Update persistence_sysmon_wmi_event_subscription.toml
* Update detection_rules/etc/non-ecs-schema.json
* Update pyproject.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2025-01-06 09:40:26 -03:00
691126cd3d
Lock versions for releases: 8.12,8.13,8.14,8.15,8.16,8.17 ( #4295 )
2024-12-10 21:43:29 +05:30
febdafa1f4
Lock versions for releases: 8.12,8.13,8.14,8.15,8.16,8.17 ( #4291 )
2024-12-09 21:38:33 +05:30
2c848c5111
Prep for Release 8.18 ( #4288 )
2024-12-09 18:25:13 +05:30
86cc61c233
Lock versions for releases: 8.11,8.12,8.13,8.14,8.15,8.16 ( #4274 )
...
* Locked versions for releases: 8.11,8.12,8.13,8.14,8.15,8.16
* Update detection_rules/etc/version.lock.json
* Update Patch version for version lock changes
---------
Co-authored-by: shashank-elastic <shashank-elastic@users.noreply.github.com >
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
Co-authored-by: Shashank K S <Shashank.Suryanarayana@elastic.co >
2024-11-27 09:34:54 -05:00
ebb3675ea0
Lock versions for releases: 8.11,8.12,8.13,8.14,8.15,8.16 ( #4267 )
2024-11-11 22:29:22 +05:30
4a7f83e432
Version Lock File Reconcile Ref: #4266
2024-11-11 10:48:43 -05:00
ef453d8f4d
[Rule Tuning] Add Investigation Fields to Specific AWS Rules ( #4261 )
...
* adding investigation fields to specific aws rules
* updated patch
* removing min-stack requirements
* removed user.name redundancy
* adjusted order of investigation fields
* adding source address
2024-11-08 23:11:18 -05:00
d2502c7394
Prep for Release 8.17 ( #4256 )
2024-11-07 23:53:04 +05:30
a92fdc18a1
[New Rule] Adding Coverage for AWS IAM Customer-Managed Policy Attached to Role by Rare User ( #4245 )
...
* adding new rule 'AWS IAM Customer-Managed Policy Attached to Role by Rare User'
* adding investigation guide tag
* adds new hunting query
* updated notes
* changed name
* adjusting pyproject.toml version
2024-11-06 13:36:13 -05:00
09ea35f33a
[New Rule] AWS STS AssumeRole with New MFA Device [Rule Tuning] AWS IAM Deactivation of MFA Device ( #4210 )
...
* [New Rule] [Rule Tuning] AWS STS AssumeRole with New MFA Device, AWS IAM Deactivation of MFA Device
New terms rule for new MFA device with AssumeRole action. Rule tuning to add MITRE technique to "AWS IAM Deactivation of MFA Device"
* add serialNumber to non-ecs schema file
* fixed misspelled toml file name
* Update rules/integrations/aws/persistence_sts_assume_role_with_new_mfa.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2024-11-05 02:09:05 -05:00
81292aee8a
[Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 1 ( #4220 )
...
* [Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 1
* Update Integrations unit tests
* Update test_all_rules.py
2024-11-04 11:32:22 -03:00
5d2940fa7c
Lock versions for releases: 8.10,8.11,8.12,8.13,8.14,8.15 ( #4217 )
2024-10-28 21:07:46 +05:30
c1ce0d43d1
Lock versions for releases: 8.10,8.11,8.12,8.13,8.14,8.15 ( #4159 )
2024-10-16 10:23:33 +05:30
acb01cf9ee
Refresh to fetch latest ECS & Beats schemas, Integration manifests & schemas. ( #4140 )
2024-10-10 11:30:00 +05:30
afbca3ee75
Lock versions for releases: 8.10,8.11,8.12,8.13,8.14,8.15 ( #4147 )
2024-10-09 20:56:57 -05:00
50e23ba242
[Hunting] Re-factor Hunting Library Code ( #4085 )
...
* updating python code for hunting library
* fixed okta queries; added MITRE search capability
* fixed hunting unit test imports
* fixed duplicate UUID; fixed duplicate index entry bug
* fixed technique finding sub-technique in search
* added more unit tests
* linted
* flake errors addressed; fixed unit test import; fixed markdown generate bug
* added description for generate-markdown command
* updated README
* adjusted YAML index, adjusted code for index changes
* adjusted relative imports; updated CODEOWNERS
* adding updates; moving to different branch for main dependencies
* finished run-query command; made some code adjustments
* removed some comments
* revised makefile; fixed unit tests; adjusted detection rules pyproject
* updated README
* updated README
* adjusted unit tests; adjusted hunt guidelines; updated makefile; adjusted several commands
* adjusted package to be more object-oriented
* removed unused variable
* Add simple breakdown stats
* addressed feedback; added keyword option for search
* Update hunting/README.md
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
* Update detection_rules/etc/test_hunting_cli.bash
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com >
* addressing feedback
* addressed feedback
* added message for unknown index; fixed function call
* fixed search command
* fixed flake error
---------
Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com >
2024-10-03 12:47:40 -04:00
80143b23b2
Lock versions for releases: 8.10,8.11,8.12,8.13,8.14,8.15 ( #4116 )
2024-10-01 18:14:03 +05:30
5e0fb4a63e
[Tuning] Add logs-panw.panos index to Network rules ( #4089 )
...
* [Tuning] Add logs-panw.panos index to Network rules
https://github.com/elastic/detection-rules/issues/3998
This PR adds to the PANOS traffic index `.ds-logs-panw.panos-default-*` to the network rules using fields that are compatible.
* add tag and integration
* Update command_and_control_fin7_c2_behavior.toml
* Build Manifest and Schema for panw integration
* Update definitions.py
* Update definitions.py
* Fix definitions declaration
---------
Co-authored-by: Shashank K S <Shashank.Suryanarayana@elastic.co >
2024-09-19 08:01:44 +01:00
574064272d
Lock versions for releases: 8.10,8.11,8.12,8.13,8.14,8.15 ( #4082 )
2024-09-16 21:43:16 +05:30
bb9a772870
[New Rule] Okta Public Client App OAuth Token Request with Client Credentials ( #4074 )
...
* adding new rule for Okta public client app OAuth token request with client credentials
* Update detection_rules/etc/non-ecs-schema.json
* changing new terms to okta.actor.display_name
* linted; added references
2024-09-13 14:57:49 -04:00
df1f0bc98e
[New Rule] Add Jamf Protect detection rules ( #4047 )
...
* Create privilege_escalation_user_added_to_admin_group.toml
* Update privilege_escalation_user_added_to_admin_group.toml
* Update privilege_escalation_user_added_to_admin_group.toml
* Adding pbpaste detection rule and minor adjustments to user added to group
* Update credential_access_high_volume_of_pbpaste.toml
* Update credential_access_high_volume_of_pbpaste.toml
* Adding two rules to validate our approach.
* Updated index to "logs-jamf_protect*"
* Update credential_access_high_volume_of_pbpaste.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update credential_access_high_volume_of_pbpaste.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update credential_access_high_volume_of_pbpaste.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update credential_access_high_volume_of_pbpaste.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update credential_access_high_volume_of_pbpaste.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update credential_access_high_volume_of_pbpaste.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update credential_access_high_volume_of_pbpaste.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/integrations/jamf/credential_access_high_volume_of_pbpaste.toml
* Update rules/integrations/jamf/credential_access_high_volume_of_pbpaste.toml
* Update rules/integrations/jamf/credential_access_high_volume_of_pbpaste.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/integrations/jamf/privilege_escalation_user_added_to_admin_group.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/integrations/jamf/privilege_escalation_user_added_to_admin_group.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/integrations/jamf/privilege_escalation_user_added_to_admin_group.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/integrations/jamf/privilege_escalation_user_added_to_admin_group.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Moved to rules/macos folder
* Removed rules from integration/jamf folder
* Update credential_access_high_volume_of_pbpaste.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update credential_access_high_volume_of_pbpaste.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update credential_access_high_volume_of_pbpaste.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update credential_access_high_volume_of_pbpaste.toml
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
* minstack rules and support jamf_protect non-dataset
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co >
2024-09-12 15:03:56 -05:00
8618b1ad73
Support toml lint for investigate transforms ( #4066 )
2024-09-11 20:45:36 +05:30
6a1ba19f7c
Lock versions for releases: 8.10,8.11,8.12,8.13,8.14,8.15 ( #4050 )
2024-09-03 17:40:44 +05:30
c77356c0f2
Refresh Integration Manifest and Schema ( #4001 )
2024-08-21 22:24:05 +05:30
fbe47298cf
Lock versions for releases: 8.10,8.11,8.12,8.13,8.14,8.15 ( #3997 )
2024-08-20 23:46:25 +05:30
760d9f6398
Lock versions for releases: 8.10,8.11,8.12,8.13,8.14,8.15 ( #3995 )
2024-08-20 21:32:43 +05:30
2559b7bb41
[Rule Tuning] Tuning AWS Rules for SAML Provider Updates and Assumed Roles via STS ( #3898 )
...
* tuning AWS rules for SAML provider updates and assumed roles via STS
* fixed mitre mapping
* adjusted new terms and added user ID to query
* reverting new terms value change
* adding non-ecs to new term checks
* fixing mitre mapping
* Update rules/integrations/aws/privilege_escalation_sts_temp_creds_via_assume_role.toml
* reverting file removal to add diff changes
* changeing rule contents
* reverting rule changes
* added rule contents
* changed file name
* linted
* reverting lint
2024-08-20 11:53:46 -04:00
d3dc231315
Refresh ECS, Beats manifest and schemas ( #3993 )
2024-08-20 20:45:20 +05:30
10ba6ad5a6
[FR] Add Alert Suppression for Addtional Rule Types ( #3986 )
2024-08-15 15:03:45 -05:00
47d7a3acaa
[DaC] Beta Release ( #3889 )
...
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
Co-authored-by: Mika Ayenson <mika.ayenson@elastic.co >
2024-08-06 18:07:12 -04:00
f9717e71bb
Lock versions for releases: 8.10,8.11,8.12,8.13,8.14,8.15 ( #3961 )
2024-08-06 19:37:36 +05:30
823e8fd140
Lock versions for releases: 8.10,8.11,8.12,8.13,8.14,8.15 ( #3926 )
2024-07-25 18:38:08 +05:30
f3b0dc1954
Prep for next release 8.16 ( #3919 )
2024-07-24 11:19:56 -04:00
baee89de9b
Revert "Prep for next release 8.16 ( #3914 )"
...
This reverts commit 4245a815d2
2024-07-23 14:06:04 -04:00
4245a815d2
Prep for next release 8.16 ( #3914 )
...
* Prep for Release 8.16
* Add subscription
* Remove double subscription
* Formatting
* Formatting
* Revert Beaconing rules minstack and lock version
2024-07-23 13:04:03 -04:00
03c99d22d3
Revert "Prep for Release 8.16 ( #3913 )"
...
This reverts commit 01135085f6
2024-07-23 09:50:04 -05:00
01135085f6
Prep for Release 8.16 ( #3913 )
2024-07-23 09:42:26 -05:00
80ac2794f2
[Rule BugFix] Google Workspace Oauth2 new app ( #3436 )
...
* [Rule BugFix] Google Workspace Oauth2 new app
In our extended testing the changed rule with latest Google Workspace
integration generates the following errors which make the rule fail everytime:
```
unsupported_operation_exception: [wildcard] queries are not currently supported on keyed [flattened] fields.
```
After careful investigation this happens since the field google_workspace.token.scope.data is a flattened
JSON filed that contains one or more key/value pairs and ES does not support wildcard matches withing flattened
fields as the error suggests.
We instead query the whole field (that contains the flattened fields) with the wildcard characters and achieve
the same outcome without the error.
* [Rule BugFix] Google Workspace Oauth2 new app update (#3436 )
In our extended testing the changed rule with latest Google Workspace
integration generates the following errors which make the rule fail everytime:
```
unsupported_operation_exception: [wildcard] queries are not currently supported on keyed [flattened] fields.
```
After careful investigation this happens since the field google_workspace.token.scope.data is a flattened
JSON filed that contains one or more key/value pairs and ES does not support wildcard matches withing flattened
fields as the error suggests.
We instead query the whole field (that contains the flattened fields) with the wildcard characters and achieve
the same outcome without the error.
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2024-07-11 10:45:17 -04:00
6a28881b5f
Lock versions for releases: 8.9,8.10,8.11,8.12,8.13,8.14 ( #3880 )
2024-07-09 19:13:24 +05:30
5048bc26bd
[Rule Tuning] Suspicious Inter-Process Communication via Outlook #3803 ( #3806 )
...
* Add "by host.id" argument to the sequence command in the rule query.
* Update collection_email_outlook_mailbox_via_com.toml
* Update non-ecs-schema.json
---------
Co-authored-by: Andrei Rediu <andrei.rediu@bit-sentinel.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2024-07-03 10:39:15 -04:00
github-actions[bot]