Isai
fa0310d0fb
[New Rule] Kubernetes Anonymous Request Authorized (#2300)
* [New Rule] Kubernetes Anonymous Request Authorized
## Issue
#2038
## Summary
This rule detects when an unauthenticated user request is authorized within the cluster. Attackers may attempt to use
anonymous accounts to gain initial access to the cluster or to avoid attribution of their activities within the cluster.
This rule excludes the /healthz, /livez and /readyz endpoints which are commonly accessed anonymously.
* [New Rule] Kubernetes Suspicious Change to Privileges of Running Security Context
## Issue
https://github.com/elastic/detection-rules/issues/2032
## Summary
* Delete non-ecs-schema.json
* Delete privilege_escalation_suspicious_change_to_privileges_of_running_security_context.toml
* Create non-ecs-schema.json
* Update detection_rules/etc/non-ecs-schema.json
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2022-09-19 11:33:09 -05:00
Justin Ibarra
2ee5a185c7
Add test command to verify version collisions do not occur (#2272)
* Add test command to verify version collisions do not occur
* add max_allowable_version to schema and lock flow
* add max_allowable_version to all entries in version.lock
* add test-version-lock command
* use min supported stack if > locked min stack
* share lock conversion code with rule and lock to fix M.m bug
2022-09-19 09:53:30 -06:00
shashank-elastic
725f7f3480
Linux rule to detect potential ssh brute force attack (#2291)
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2022-09-19 20:26:18 +05:30
Mika Ayenson
c2e7011ec6
break out the logic to a script and manual workflow (#1908)
* Break out the logic to a script and manual workflow with an option to skip staging files
2022-09-16 13:34:04 -04:00
Jonhnathan
ca2b3c2b7f
[New Rule] Full User-Mode Dumps Enabled System-Wide (#2276)
* [New Rule] Full User-Mode Dumps Enabled System-Wide
* Apply suggestions from review
* Update credential_access_generic_localdumps.toml
2022-09-15 16:57:00 -03:00
shashank-elastic
273c589bd4
RTA Deprecation (#2303)
2022-09-15 23:00:02 +05:30
shashank-elastic
ae2a98e3f7
[New Rule] Linux rule(s) to detect namespace manipulation, shadow file read (#2283)
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2022-09-14 22:01:46 +05:30
Terrance DeJesus
59297c836e
[New Rule] User Organizational Unit Changed - Google Workspace (#2289)
* adding new rule
* adjusting severity and risk
* Update rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml
2022-09-13 15:36:27 -04:00
Mika Ayenson
e3040d8019
[Bug] Keyerror on rule-survey hits (#2293)
2022-09-13 11:38:29 -04:00
Terrance DeJesus
8c19e9ff6c
[New Rule] Bitlocker Settings Disabled - Google Workspace (#2288)
* adding new rule
* adjusted UUID
2022-09-12 16:06:01 -04:00
Mika Ayenson
0358ec9d9a
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
Justin Ibarra
332ea40100
Cleanup rule survey code (#1923)
* Cleanup rule survey code
* default to only unique-ing on process name for lucene rules
* fix bug in kibana url parsing by removing redundant port from domain
* update search-alerts columns and nest fields
* fix rule.contents.data.index
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
2022-09-06 15:53:47 -06:00
Justin Ibarra
0fc8006e7a
Update RTA common.py for py3 (#2287)
* add run-all argument and initial p2 conversion
* remove unicode
* format with black
2022-09-01 09:16:39 -06:00
TotalKnob
3ba777c1b1
[Rule Tuning] Disable Windows Firewall Rules via Netsh (#2231)
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
2022-08-26 13:10:08 -04:00
Terrance DeJesus
6a6ef0ce11
[New Rule] Restrictions for Google Marketplace Modified to Allow Any App - Google Workspace (#2268)
* adding new rule
* adjusted UUID to address unit testing failures
* adjusted UUID to address unit testing failures
* adjusted references
2022-08-26 12:43:30 -04:00
Terrance DeJesus
bd6befb168
[New Rule] Google Drive Ownership Transferred (#2265)
* adding new rule
* adjusted query format
* adjusted file and rule name to include google workspace
* Update collection_google_drive_ownership_transferred_via_google_workspace.toml
Fixed a couple minor typos
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
2022-08-26 12:41:10 -04:00
Terrance DeJesus
18df50443c
[Rule Tuning] Admin Role Assigned to User - Google Workspace (#2266)
* tuning rule query and att&ck mappings
* adjusted description and query formatting
* Update rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* adjusted risk and severity
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
2022-08-26 12:35:44 -04:00
Terrance DeJesus
cd2539f1eb
[New Rule] User Group Access Modified to Allow External Access (#2264)
* adding new rule
* adjusting rule name, file name and description
* adjusted att&ck technique
* adjusted file and rule name to include google workspace
* adjusted references
* Update persistence_google_workspace_user_group_access_modified_to_allow_external_access.toml
Fixed minor typo
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
2022-08-26 12:25:29 -04:00
Terrance DeJesus
c0a339e277
[New Rule] 2SV Policy Disabled - Google Workspace (#2271)
* adding new rule
* adjusted file name, query and rule name
2022-08-26 12:22:54 -04:00
Terrance DeJesus
e5399bc148
[New Rule] Application Removed from Blocklist - Google Workspace (#2267)
* adding new rule
* Update rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
2022-08-26 12:16:41 -04:00
TotalKnob
97e42d01d8
[Rule Tuning] SUNBURST Command and Control Activity (#2232)
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
2022-08-26 13:11:22 -03:00
Justin Ibarra
d37eac8d9d
Add test that newly introduced build-time fields for a min_stack for … (#2262)
* add test that newly introduced build-time fields for a min_stack for applicable rules.
* account for rules without min_stack_version
* limit test to >= stack ver
2022-08-25 21:56:16 -06:00
Jonhnathan
b19a02470b
Add TestRiskScoreMismatch (#2254)
2022-08-25 14:29:46 -03:00
Terrance DeJesus
5a04aaf671
[Bug] Integrations-Pr Command (Elastic-Package Linting and Version Adjustments) (#2054)
* started solution for integrations-pr bug
* Update devtools.py
* Update detection_rules/devtools.py
* Update detection_rules/devtools.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
2022-08-24 14:01:30 -04:00
github-actions[bot]
6ff7d2284d
Lock versions for releases: 7.16,8.0,8.1,8.2,8.3,8.4 (#2261)
* Locked versions for releases: 7.16,8.0,8.1,8.2,8.3,8.4
* adjusting version lock file to increase current version by 100
Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <terrance.dejesus@elastic.co>
2022-08-24 13:26:35 -04:00
Justin Ibarra
46d5e37b76
min_stack all rules to 8.3 (#2259)
* min_stack all rules to 8.3
* bump date
Co-authored-by: Mika Ayenson <mika.ayenson@elastic.co>
2022-08-24 10:38:49 -06:00
TotalKnob
023fbc7bbd
[Rule Tuning] Clearing Windows Event Logs (#2233)
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2022-08-23 21:41:30 -03:00
Mika Ayenson
dfef597794
[Rule Tuning] Suspicious Child Process of Adobe Acrobat Reader Update Service (#2192)
2022-08-23 10:10:40 -04:00
Mika Ayenson
2204459e73
[Rule Tuning] Finder Sync Plugin Registered and Enabled (#2172)
2022-08-23 09:59:43 -04:00
Mika Ayenson
2326b30a87
[Rule Tuning] Suspicious Browser Child Process (#2138)
2022-08-23 09:56:23 -04:00
Jonhnathan
c5ff8511a9
[Rule Tuning] Abnormal Process ID or Lock File Created (#2113)
* [Rule Tuning] Abnormal Process ID or Lock File Created
* Update rules/linux/execution_abnormal_process_id_file_created.toml
* Update execution_abnormal_process_id_file_created.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2022-08-23 09:59:31 -03:00
Jonhnathan
6631c4927d
[Rule Tuning] Microsoft 365 Inbox Forwarding Rule Created (#2240)
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2022-08-23 09:43:09 -03:00
Jonhnathan
6e2d20362a
[Rule Tuning] Standardizing Risk Score according to Severity (#2242)
2022-08-21 22:29:39 -03:00
Mika Ayenson
fbfe1e3530
set typing-inspect requirement to 0.7.1 (#2248)
2022-08-17 22:17:16 -04:00
Samirbous
d3420e3386
[Deprecate Rule] Suspicious Process from Conhost (#2222)
only FPs with no way to tune other than opening the rule for easy evasion by excluding by process.executable/args).
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2022-08-16 16:32:24 +02:00
Samirbous
8e0ae64a04
[Rule Tuning] Whoami Process Activity (#2224)
* added Whoami Process Activity
* Update discovery_whoami_command_activity.toml
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2022-08-16 16:26:10 +02:00
Samirbous
0f7b29918c
[Rule Tuning] Suspicious Execution via Scheduled Task (#2235)
Excluding `?:\\ProgramData` and a few other noisy FP patterns by process.args + name to reduce users' alert fatigue.
2022-08-15 21:50:23 +02:00
Samirbous
b89d6185b2
[Rule Tuning] Reduce FPs (#2223)
9 rules tuned to exclude common noisy FP patterns.
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2022-08-15 09:15:48 -05:00
github-actions[bot]
cb2ca45d56
Locked versions for releases: 7.16,8.0,8.1,8.2,8.3,8.4 (#2236)
Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2022-08-10 09:18:59 -04:00
Mika Ayenson
e7a1afbba0
only run on pull request (#2237)
2022-08-09 21:21:30 -04:00
Terrance DeJesus
2a3b584433
Prep for 8.5 branch (#2220)
* adding first commit
* renamed branch
* adjusted packages, stack schema and updated schemas
* updated integrations manifest
* adjusted comments to be a little more organized
* adjusted stack-schema-map
* refreshed ecs and beats schema, adjusted stack schema map accordingly
2022-08-09 17:14:42 -04:00
Jonhnathan
fc7a384d19
[Security Content] 8.4 - Add Investigation Guides - Windows - 2 (#2144)
* [Security Content] 8.4 - Add Investigation Guides - Windows - 2
* update date
* Apply suggestions from review
* Apply suggestions from code review
Co-authored-by: Joe Peeples <joe.peeples@elastic.co>
Co-authored-by: Joe Peeples <joe.peeples@elastic.co>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
2022-08-08 21:34:05 -03:00
Mika Ayenson
89cdae87c5
only add related_integration if on the correct stack (#2234)
2022-08-08 18:41:56 -04:00
Mika Ayenson
7d973a3b07
add new field related_integrations to the post build (#2060)
* add new field `related_integrations` to the post build
* add exception for endpoint `integration`
* Skip rules without related integrations
* lint
* refactor related_integrations to TOMLRuleContents class
* update to reflect required_fields updates
* add todo
* add new line for linting
* related_integrations updates, get_packaged_integrations returns list of dictionaries, started work on integrations py
* build_integrations_manifest command completed
* initial test completed for post-building related_integrations
* removed get_integration_manifest method from rule, removed global integrations path
* moved integration related methods to integrations.py and fixed flake issues
* adjustments for PipedQuery from eql sequence rules and packages with no integration
* adjusted github client import for integrations.py
* Update detection_rules/devtools.py
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update detection_rules/devtools.py
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* added integration manifest schema, made adjustments
* Update detection_rules/integrations.py
* Update detection_rules/rule.py
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update detection_rules/rule.py
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update detection_rules/integrations.py
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update detection_rules/integrations.py
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update detection_rules/integrations.py
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update detection_rules/rule.py
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* removed get_integrations_package to consolidate code
* removed type list return
* adjusted import flake errors
* Update detection_rules/integrations.py
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update detection_rules/integrations.py
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* adjusted indentation error
* adjusted rule.get_packaged_integrations to account for kql.ast.OrExpr if event.dataset is not set
* Update detection_rules/devtools.py
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update detection_rules/devtools.py
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update detection_rules/integrations.py
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update detection_rules/integrations.py
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* adjusted find_least_compatible_version in integrations.py
* Update detection_rules/integrations.py
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* fixed flake issues
* adjusted get_packaged_integrations
* iterate the ast for literal event.dataset values
* Update detection_rules/integrations.py
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update detection_rules/integrations.py
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update detection_rules/integrations.py
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update detection_rules/integrations.py
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* made small adjustments to address errors during build manifests command
* addressing integrations.find_least_compatible method to return None instead of raise error only
* Update detection_rules/integrations.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <terrance.dejesus@elastic.co>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2022-08-08 13:44:36 -04:00
Mika Ayenson
d1bc53e295
[Rule Tuning] Persistence via Folder Action Script (#2174)
* Exclude FPs for iterm
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2022-08-05 14:36:05 -04:00
Mika Ayenson
4f55e9b05f
[Rule Tuning] Potential Persistence via Login Hook (#2177)
* Exclude FPs for iMazing Profile Editor and backupd
2022-08-05 14:25:31 -04:00
Mika Ayenson
058f11f650
[Rule Tuning] Sublime Plugin or Application Script Modification (#2180)
* expand filter to sublime text contents
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2022-08-05 14:15:28 -04:00
TotalKnob
b043695833
Remove ambiguity from impact_modification_of_boot_config.toml (#2199)
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
2022-08-05 10:38:41 -03:00
Mika Ayenson
73584407d7
[Bug] Opening Issues in this Repo Causes "Run failed: Community - main" (#2214)
* use ghv6 and catch errors
2022-08-03 14:36:08 -04:00
Terrance DeJesus
a76c51ae17
[Deprecation rule] DNS Activity to the Internet (#2221)
2022-08-02 20:59:35 -05:00