sigma-rules

Author	SHA1	Message	Date
Ruben Groenewoud	207d94e51c	[New Rule] Potential Sudo Token Manipulation via Process Injection (#2984 ) * [New Rule] Sudo Token Access via Process Injection * [New Rule] Sudo Token Manipulation via Proc Inject * Update rules/linux/privilege_escalation_sudo_token_via_process_injection.toml * Update privilege_escalation_sudo_token_via_process_injection.toml --------- Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>	2023-08-03 15:58:25 +02:00
Ruben Groenewoud	7cc841cc87	[New Rule] PE via UID INT_MAX Bug (#2971 ) * [New Rule] PE via UID INT_MAX Bug * changed file name * Should be more decisive * fix * Update rules/linux/privilege_escalation_linux_uid_int_max_bug.toml Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> * Update rules/linux/privilege_escalation_linux_uid_int_max_bug.toml Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> * Update rules/linux/privilege_escalation_linux_uid_int_max_bug.toml Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> --------- Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>	2023-08-03 15:51:06 +02:00
Ruben Groenewoud	ef1fa94c52	[New BBR] Suspicious Clipboard Activity (#2970 ) * [New BBR] Suspicious Clipboard Activity * Added new line to end of file * Update rules_building_block/collection_linux_suspicious_clipboard_activity.toml Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> * Update rules_building_block/collection_linux_suspicious_clipboard_activity.toml Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> --------- Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>	2023-08-03 15:41:23 +02:00
Ruben Groenewoud	a7ff449fbc	[Rule Tuning] Some Tunings of several 8.9 rules (#2985 ) * [Rule Tuning] Doing some quick tunings * updated_date bump * Update rules/linux/discovery_linux_modprobe_enumeration.toml * Update rules/linux/discovery_linux_modprobe_enumeration.toml * Update rules/linux/discovery_linux_sysctl_enumeration.toml * Update rules/linux/persistence_init_d_file_creation.toml * Update rules/linux/persistence_rc_script_creation.toml * Update rules/linux/persistence_shared_object_creation.toml * deprecate rule * deprecate rule * Update execution_abnormal_process_id_file_created.toml * Update discovery_kernel_module_enumeration_via_proc.toml * Update discovery_linux_modprobe_enumeration.toml * Update execution_remote_code_execution_via_postgresql.toml * Update discovery_potential_syn_port_scan_detected.toml * Added 2 tunings, sorry I missed those.. * One more tune * Update discovery_suspicious_proc_enumeration.toml	2023-08-03 15:25:33 +02:00
Ruben Groenewoud	03110fb24c	[New Rule] SUID/SGUID Enumeration Detected (#2956 ) * [New Rule] SUID/SGUID Enumeration Detected * Remove endgame compatibility * readded endgame support after troubleshooting * Update discovery_suid_sguid_enumeration.toml * Update rules/linux/discovery_suid_sguid_enumeration.toml Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> --------- Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>	2023-08-03 09:57:30 +02:00
Ruben Groenewoud	716b621af2	[New Rule] Potential Sudo Hijacking Detected (#2966 ) * [New Rule] Potential Sudo Hijacking Detected * Update privilege_escalation_sudo_hijacking.toml	2023-08-03 09:49:14 +02:00
Ruben Groenewoud	18c2214956	[New Rule] Sudo Command Enumeration Detected (#2946 ) * [New Rule] Sudo Command Enumeration Detected * Update discovery_sudo_allowed_command_enumeration.toml * revert endgame support due to unit testing fail * Update discovery_sudo_allowed_command_enumeration.toml * Update discovery_sudo_allowed_command_enumeration.toml * Update rules/linux/discovery_sudo_allowed_command_enumeration.toml Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> * Update rules/linux/discovery_sudo_allowed_command_enumeration.toml Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> --------- Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>	2023-08-03 09:39:16 +02:00
Mika Ayenson	3f9e7aced1	[Bug] Strip Non-Public Fields Prior to Uploading Rules (#2986 )	2023-08-02 12:38:48 -05:00
eric-forte-elastic	29fc61d55b	updated pyproject.toml (#2991 )	2023-08-02 10:16:12 -04:00
github-actions[bot]	1cb5c174ce	Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9 (#2988 ) * Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9 * Update detection_rules/etc/version.lock.json * Update detection_rules/etc/version.lock.json --------- Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com> Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>	2023-08-01 10:12:29 -04:00
eric-forte-elastic	ea26ea77d7	[FR] Update build-release to support bbr release (#2987 ) * Fixes bug in unit tests * fix rule paths * removed unused import	2023-07-31 15:20:18 -04:00
Ruben Groenewoud	b8bb2da932	[New Rule] Potential Privilege Escalation via OverlayFS (#2974 ) * [New Rule] Privilege Escalation via OverlayFS * Layout change * Revert "[New Rule] Privilege Escalation via OverlayFS" This reverts commit f3262d179bc5f54ae5380ffa50d67041fb141c26. * Made rule broader * Update privilege_escalation_overlayfs_local_privesc.toml * Update rules/linux/privilege_escalation_overlayfs_local_privesc.toml Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> * Update rules/linux/privilege_escalation_overlayfs_local_privesc.toml Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> * Update rules/linux/privilege_escalation_overlayfs_local_privesc.toml Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> * Update rules/linux/privilege_escalation_overlayfs_local_privesc.toml Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> * Update rules/linux/privilege_escalation_overlayfs_local_privesc.toml * Update user.id to strings --------- Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>	2023-07-31 19:15:11 +02:00
Jonhnathan	d1db3a0048	[New Rule] Building Block Rules - Part 4 (#2926 ) * [New Rule] Building Block Rules - Part 4 * Update discovery_win_network_connections.toml * Update privilege_escalation_unquoted_service_path.toml * Update rules_building_block/discovery_win_network_connections.toml * Update rules_building_block/privilege_escalation_unquoted_service_path.toml * Rename lateral_movement_net_share_discovery_winlog.toml to discovery_net_share_discovery_winlog.toml * Update discovery_net_share_discovery_winlog.toml	2023-07-31 11:03:57 -03:00
Eric	1e769c51b6	Tune Unusual File Activity ADS for Teams weblogs (#2929 ) Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>	2023-07-31 10:41:31 -03:00
Jonhnathan	6966a6df09	[New Rule] Building Block Rules - Part 3 (#2924 ) * [New Rule] Building Block Rules - Part 3 * Update defense_evasion_generic_deletion.toml * Update defense_evasion_generic_deletion.toml * Update defense_evasion_generic_deletion.toml * Apply suggestions from code review * Update rules_building_block/discovery_generic_account_groups.toml * Apply suggestions from code review --------- Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>	2023-07-31 10:28:25 -03:00
Mika Ayenson	3813a08f59	[FR] Add support for BBR rules to the rule loader (#2968 ) --------- Co-authored-by: eric-forte-elastic <eric.forte@elastic.co>	2023-07-27 11:27:04 -05:00
Mika Ayenson	77b43d16e8	[FR] Generate Prebuilt Rules Reference Page (#2964 )	2023-07-27 11:05:31 -05:00
Jonhnathan	9387a081bc	[Security Content] Add Investigation Guides to Threat Intel rules (#2827 ) * [Proposal] [DRAFT] Break Threat Intel Indicator Match rules into Indicator-type rules * . * Update threat_intel_indicator_match_hash.toml * Update to include expiring rules, exclude expiring indexes * . * Apply suggestions from code review * Push changes * Update pyproject.toml * Revert "Update pyproject.toml" This reverts commit 17cfafbd96f337df756d87909d2478545ac9efe7. * Update pyproject.toml * Update integration-schemas.json.gz * Revert "Update integration-schemas.json.gz" This reverts commit 7dc19b7ccbf41f34b94d02b0ed702bd83df82f9d. * Revert integrations-manifests to the one from main * Fix maturity * Update Name * Update ignore_ids with the indicator rules guid * Update rules/cross-platform/threat_intel_indicator_match_registry_expiring.toml * Update rules/cross-platform/threat_intel_indicator_match_address_expiring.toml * Update rules/cross-platform/threat_intel_indicator_match_hash_expiring.toml * Update rules/cross-platform/threat_intel_indicator_match_url_expiring.toml * Make changes to use labels * Update non-ecs-schema.json * Update rules/cross-platform/threat_intel_fleet_integrations.toml * Apply suggestions from code review * Backport to 8.5 * [Security Content] Add Investigation Guides to Threat Intel rules * Fix Rule threat filters, add tags, and compatibility with process and dll fields for hash indicators * Update threat_intel_indicator_match_hash.toml * Update threat_intel_indicator_match_url.toml * Update threat_intel_indicator_match_url.toml * Apply suggestions from review, adds Setup guide * Apply suggestions from code review Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> --------- Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>	2023-07-27 11:30:14 -03:00
Ruben Groenewoud	bbb24704b6	[New Rule] PE through Writable Docker Socket (#2958 ) * [New Rule] PE through Writable Docker Socket * simplified query * Update privilege_escalation_writable_docker_socket.toml * Update privilege_escalation_writable_docker_socket.toml * Update rules/linux/privilege_escalation_writable_docker_socket.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> --------- Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>	2023-07-27 10:01:29 +02:00
Ruben Groenewoud	0666b594c6	[New Rule] Linux Local Account Brute Force (#2965 )	2023-07-27 09:43:53 +02:00
Jonhnathan	0ff50acfd2	[Rule Tuning] Tune Threat Indicator Match Rules (#2957 ) * [Rule Tuning] Tune Threat Indicator Match Rules * Update threat_intel_indicator_match_url.toml --------- Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>	2023-07-26 15:12:28 -03:00
Ruben Groenewoud	b330cf9438	[New Rule] Pspy Process Monitoring Detected (#2945 ) * [New Rule] Pspy Process Monitoring Detected * Update rules/linux/discovery_pspy_process_monitoring_detected.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/discovery_pspy_process_monitoring_detected.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/discovery_pspy_process_monitoring_detected.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> --------- Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>	2023-07-26 15:58:33 +02:00
Ruben Groenewoud	9cc4b0e348	[New BBR] Potential Suspicious File Edit (#2960 ) * [New BBR] Potential Suspicious File Edit * Added a few more interesting files --------- Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>	2023-07-26 15:22:56 +02:00
shashank-elastic	6527eb0500	Rule Tuning File Permission Modification in Writable Directory (#2961 )	2023-07-26 17:47:00 +05:30
Eric	d0d99829a2	Correct misspelling of AppDara to AppData (#2952 ) Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>	2023-07-26 08:10:03 -03:00
Ruben Groenewoud	056db6003e	[Security Content] Added Compatibility note to all IGs (#2943 ) * added investigation guide note * added ig notes * Update rules/linux/persistence_init_d_file_creation.toml Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> * implemented note feedback * Update rules/linux/persistence_init_d_file_creation.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> --------- Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>	2023-07-26 12:54:50 +02:00
Ruben Groenewoud	dbd7ed65a9	[Tuning] Reverse Shell Rules (#2959 ) * [Rule Tuning] Reverse Shell Rule destination.ip tuning * Updated updated_date	2023-07-25 14:55:56 +02:00
shashank-elastic	93845626b7	Potential Cross Site Scripting ( XSS ) (#2922 )	2023-07-20 19:12:00 +05:30
shashank-elastic	8b808b9b83	New Cross Platform BBR Rules (#2920 )	2023-07-19 21:27:23 +05:30
Ruben Groenewoud	8de2684498	[Security Content] Add Investigation Guides to Linux DRs 8.9 (#2868 ) * [Investigation Guide] 10 new Linux IG's 8.9 * Added 4 more IG tags * Update rules/linux/persistence_init_d_file_creation.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_init_d_file_creation.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_init_d_file_creation.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_init_d_file_creation.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_init_d_file_creation.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_rc_script_creation.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_rc_script_creation.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_systemd_scheduled_timer_created.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_systemd_scheduled_timer_created.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_systemd_scheduled_timer_created.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_init_d_file_creation.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_linux_backdoor_user_creation.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_linux_backdoor_user_creation.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_linux_backdoor_user_creation.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_linux_shell_activity_via_web_server.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_linux_user_account_creation.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_linux_user_added_to_privileged_group.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_message_of_the_day_creation.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_message_of_the_day_creation.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_message_of_the_day_creation.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_message_of_the_day_execution.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_message_of_the_day_execution.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_rc_script_creation.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_rc_script_creation.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_rc_script_creation.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_message_of_the_day_execution.toml * Update rules/linux/persistence_init_d_file_creation.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/persistence_init_d_file_creation.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/persistence_linux_shell_activity_via_web_server.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/persistence_rc_script_creation.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/persistence_systemd_scheduled_timer_created.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/persistence_systemd_scheduled_timer_created.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * implemented feedback --------- Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>	2023-07-19 17:13:24 +02:00
Samirbous	97d429e314	[New] Suspicious Microsoft 365 Mail Access by ClientAppId (#2933 ) * [New] Suspicious Microsoft 365 Mail Access by ClientAppId Using New Term rule type identifies when a Microsoft 365 Mailbox is accessed by a ClientAppId that was observed for the fist time during the last 10 days. https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-193a https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-o365.html * Update initial_access_microsoft_365_abnormal_clientappid.toml * Update initial_access_microsoft_365_abnormal_clientappid.toml	2023-07-19 16:05:13 +01:00
shashank-elastic	f920bc6151	New Linux BBR Rules (#2917 )	2023-07-19 20:12:59 +05:30
Jonhnathan	5e714e01e6	[Security Content] Add Windows Investigation Guides (#2825 ) * [Security Content] Add Windows Investigation Guides * Apply suggestions from code review Co-authored-by: Joe Peeples <joe.peeples@elastic.co> * Add IG Tag * Apply suggestions from code review Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> --------- Co-authored-by: Joe Peeples <joe.peeples@elastic.co> Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>	2023-07-19 08:07:01 -03:00
Jonhnathan	d1491c3ce1	[Rule Tuning] Threat Intel URL Indicator Match (#2902 ) Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>	2023-07-18 20:21:15 -03:00
Jonhnathan	f1ba092864	[Deprecation] Threat Intel Indicator Match - General Rules (#2901 ) Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>	2023-07-18 20:12:53 -03:00
Jonhnathan	7949b8a03e	[New Rule] Building Block Rules - Part 1 (#2912 ) * [New Rule] Building Block Rules - Part 1 * Update defense_evasion_powershell_clear_logs_script.toml * Update discovery_posh_generic.toml * . * Apply suggestions from code review Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> --------- Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>	2023-07-18 20:01:43 -03:00
Jonhnathan	23a133121d	[Rule Tuning] Add HackTool Keywords to PowerShell Rules (#2932 )	2023-07-18 08:55:59 -03:00
Isai	80e2b699b6	[New Rule] Modification of Dynamic Linker Preload Shared Object Inside A Container (#2837 ) * [New Rule] Modification of Dynamic Linker Preload Shared Object Inside A Container new rule * removed priv_esc tag removed priv_esc tag * adjusted tags adjusted tags * updated tags --------- Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>	2023-07-17 15:03:24 -04:00
Isai	db90345fd5	[Rule Tuning] Kubernetes Anonymous Request Authorized (#2865 ) * rule tuning for exclusions * optimized query --------- Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>	2023-07-17 13:03:05 -04:00
Isai	0b64638bf7	[New Rule] AWS Credentials Searched For Inside a Container (#2887 ) * new rule toml * Updated query updated query based on review and added additional search queries * updated rule query based on review Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> --------- Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>	2023-07-17 12:29:02 -04:00
Terrance DeJesus	0f5b5a3551	[Rule Tuning] Add Okta Investigation Guides Part 1 (#2899 ) * adding investigation guides for Okta rules * Update rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * Update rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * Update rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * Update rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * Update rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * Update rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * Update rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * Update rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * Update rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * added MFA to investigation guide for brute forcing --------- Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>	2023-07-17 11:47:02 -04:00
Jonhnathan	fca8bcc071	[Rule Tuning] PowerShell Rule Tunings (#2907 ) * [Rule Tuning] PowerShell Rule Tunings * bump	2023-07-14 15:41:36 -03:00
Terrance DeJesus	9f29129585	[FR] Add EQL Rule Type Configuration Fields (#2918 ) * adding initial EQL fields to EQLRuleData * added validation * adjusted validation * fixed flake errors * adjusted type linting; variable names * added a min_compat to EQL Rule fields * Update detection_rules/rule_validators.py * Update detection_rules/rule_validators.py Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> --------- Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>	2023-07-13 11:20:14 -04:00
github-actions[bot]	9414095d96	Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9 (#2921 ) * Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9 * adding newline to start CI * removing newline --------- Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com> Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>	2023-07-11 19:57:02 -04:00
shashank-elastic	3ed8c56942	DR Linux Rule Tuning 8.9 (#2859 ) Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>	2023-07-10 20:02:42 +05:30
Remco Sprooten	1283a21fb7	[New Rules] Potential portscan detected (#2817 ) * [New Rules] Potential portscan detected * Updated descriptions * Update rules/network/discovery_potential_syn_port_scan_detected.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * Update rules/network/discovery_potential_network_sweep_detected.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * Update rules/network/discovery_potential_port_scan_detected.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * updating integration manifests and schemas --------- Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co> Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>	2023-07-09 09:49:32 +02:00
Mika Ayenson	90bc760c56	Update README.md to fix etc path (#2913 )	2023-07-06 15:00:45 -04:00
Ruben Groenewoud	e5d6d6e4a7	[New Rule] sus cmds executed by unknown executable (#2858 ) * [New Rule] sus cmds executed by unknown executable * added an event.action filter * Added endgame support, fixed stack version comment * Update execution_suspicious_executable_running_system_commands.toml * Update rules/linux/execution_suspicious_executable_running_system_commands.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update execution_suspicious_executable_running_system_commands.toml --------- Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>	2023-07-06 17:32:56 +02:00
Ruben Groenewoud	4e0b7427b7	[New Rules] ftp/rdp bruteforce (#2910 ) * [New Rules] ftp/rdp bruteforce * Update credential_access_potential_successful_linux_ftp_bruteforce.toml * Update credential_access_potential_successful_linux_rdp_bruteforce.toml * Update non-ecs-schema.json * Update rules/linux/credential_access_potential_successful_linux_ftp_bruteforce.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/credential_access_potential_successful_linux_ftp_bruteforce.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/credential_access_potential_successful_linux_rdp_bruteforce.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/credential_access_potential_successful_linux_rdp_bruteforce.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> --------- Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>	2023-07-06 17:16:01 +02:00
Ruben Groenewoud	d5dee5a6c8	[New Rules] sysctl and modprobe enumeration (#2844 ) * [New Rules] sysctl and modprobe enumeration * Update discovery_linux_modprobe_enumeration.toml * Update discovery_linux_sysctl_enumeration.toml * reverted manifest/schema update * updated tags * Update discovery_linux_modprobe_enumeration.toml	2023-07-06 16:46:54 +02:00

1 2 3 4 5 ...

1596 Commits