security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
1,877 Commits 1 Branch 0 Tags
21b559c97f2b53bf28345c337bfa187ed29f5535
Commit Graph

191 Commits

Author SHA1 Message Date
Isai 442435830f [New Rules] UEBA GItHub BBRs and Rules (#3174) 
* [New Rules] UEBA GItHub BBRs and Rules

A new set of BBRs and rules that will be used to trigger new UEBA GitHub threshold Rules.

* Update rules/integrations/github/impact_github_member_removed_from_organization.toml

* Apply suggestions from code review

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* edited BBR rules

-removed newly added member rule

* updated integration manifests and schemas

* Updated min_stack for some rules based on newest GitHub integration schema manifest

* testing min_stack bump to 8.8 for new fields

* removing offending rule to troubleshoot seperately

* added UEBA tags and created UEBA threshold rule

* updated non-ecs-schema to add signal.rule.tags

* updated non-ecs-schema with kibana.alert.workflow_status

* updated rule.threat.tactic

* added user.name to non-ecs-schema

* added quotes to kibana.alert.workflow_status value

* removed trailing space from rule name

* update tags and optimize query for UEBA threshold rule

* removed integration field from Higher-Order rule

* Apply suggestions from code review

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* adjusted new_terms order and rule types based on review feedback

* Apply suggestions from code review

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* remove user.name from detection_rules/etc/non-ecs-schema.json

* fix json formatting

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2024-01-22 12:48:31 -05:00
Terrance DeJesus 1c10c37468 [Rule Tuning] Update timestamp_override Unit Tests and Fix Rules Missing Field (#3368) 
* updated timestamp override unit test; fixed rules missing this field

* fixed flake error

* simplified and consolidated logic

* Update tests/test_all_rules.py

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* Update tests/test_all_rules.py

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* added comments

* updated logic; added comments; removed unused variables

* removed custom python script

* updated dates

* removed deprecated rule change

* updated dates

---------

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2024-01-17 14:14:38 -05:00
Isai a0f82c3f12 [Tuning] Update min_stack for container rules new ecs field (#3370) 
* Update privilege_escalation_mount_launched_inside_a_privileged_container.toml

update min_stack and comments

* Update privilege_escalation_debugfs_launched_inside_a_privileged_container.toml

update min_stack and comments
 2024-01-05 18:42:42 -05:00
Isai 10b241dcc5 [New Rule] File System Debugger ‘debugfs’ Launched Inside a Privileged Container (#3241) 
* [New Rule] File System Debugger ‘debugfs’ Launched Inside a Privileged Container

This rule detects the use of the built-in Linux DebugFS utility from inside a privileged container. DebugFS is a special
file system debugging utility which supports reading and writing directly from a hard drive device. When launched inside
a privileged container, a container deployed with all the capabilities of the host machine, an attacker can access
sensitive host level files which could be used for further privilege escalation and container escapes to the host
machine.

* added references

* Apply suggestions from code review

* Update rules/integrations/cloud_defend/privilege_escalation_debugfs_launched_inside_a_privileged_container.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Apply suggestions from code review

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2024-01-05 10:28:24 -05:00
Isai db5e1e5cf2 [New Rule] Mount Launched Inside a Privileged Container (#3245) 
* [New Rule] Mount Launched Inside a Privileged Container

This rule detects the use of the mount utility from inside a privileged container. The mount command is used to make a
device or file system accessible to the system, and then to connect its root directory to a specified mount point on the
local file system. When launched inside a privileged container--a container deployed with all the capabilities of the
host machine-- an attacker can access sensitive host level files which could be used for further privilege escalation
and container escapes to the host machine. Any usage of mount inside a running privileged container should be further
investigated.

* Apply suggestions from code review

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2024-01-05 10:17:55 -05:00
Isai 8e1dad0aeb [New Rule] Potential Container Escape via Modified notify_on_release File (#3244) 
* [New Rule] Potential Container Escape via Modified notify_on_release File

This rule detects modification of the cgroup notify_on_release file from inside a container. When the notify_on_release
flag is enabled (1) in a cgroup, then whenever the last task in the cgroup exits or attaches to another cgroup, the
command specified in the release_agent file is run and invoked from the host. A privileged container with SYS_ADMIN
capabilities, enables a threat actor to mount a cgroup directory and modify the notify_on_release flag in order to take
advantage of this feature, which could be used for further privilege escalation and container escapes to the host
machine.

* Apply suggestions from code review

* suggestions from code review

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2024-01-04 22:14:39 -05:00
Isai 0a37df713b [New Rule] Potential Container Escape via Modified release_agent File (#3242) 
* [New Rule] Potential Container Escape via Modified release_agent File

This rule detects modification of the CGroup release_agent file from inside a privileged container. The release_agent is a script that is executed at the termination of any process on that CGroup and is invoked from the host. A privileged container with SYS_ADMIN capabilities, enables a threat actor to mount a CGroup directory and modify the release_agent which could be used for further privilege escalation and container escapes to the host machine.

* Apply suggestions from code review

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2024-01-04 21:24:54 -05:00
Terrance DeJesus 203c228249 [Rule Tuning] Adjust Attempt to Deactivate MFA for an Okta User Account Okta Rule (#3345) 
* tuning 'MFA Deactivation with no Re-Activation for Okta User Account'

* adjusted query to include like function
 2023-12-18 09:14:10 -05:00
Apoorva Joshi 9a9f5437f2 Update Advanced Analytics config guides (#3302) 
* Updating config guides for Advanced Analytics rules

* More updates

* Update setup instructions for LMD

* Adding more guides

* update TestRuleTiming unit test to ignore advanced analytic rules

* fixed flake error

* Moving config guides under setup instead of note

* Removing leading and trailing whitespace

* Updates as requested by PM

* Updating related integrations, minor updates to setup guides

* fixing unit tests to ignore analytic packages with multiple integration tags

* Update tests/test_all_rules.py

* fixing linting errors

---------

Co-authored-by: Kirti Kirti <kirti.kirti@elastic.co>
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2023-12-13 07:53:41 -08:00
Terrance DeJesus 631f8841ad updating min-stack for Okta rule (#3318) 2023-12-12 12:27:18 -05:00
Terrance DeJesus 93d71acb91 [New Rule] Adding Detection for Stolen Credentials Used to Login to Okta Account After MFA Reset (#3265) 
* adding new rule 'Stolen Credentials Used to Login to Okta Account After MFA Reset'

* updated non-ecs; linted rule; updated description

* adjusted interval and maxspan

* Update rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-12-12 10:31:45 -05:00
Terrance DeJesus 5e1546c57c [Rule Tuning] Multiple Users with the Same Okta Device Token Hash (#3304) 
* tuning rule; adding investigation guide

* updated MITRE ATT&CK

* updated file name

* Updating description

* updated investigation guide

* fixed ATT&CK mappings; updated tags
 2023-12-06 10:35:46 -05:00
Austin Songer 1f47e3c1a9 [New Rule] Okta FastPass Phishing (#2782) 
* Create initial_access_fastpass_phishing.toml

* Rename initial_access_fastpass_phishing.toml to initial_access_okta_fastpass_phishing.toml

* Update initial_access_okta_fastpass_phishing.toml

* Update initial_access_okta_fastpass_phishing.toml

* Update initial_access_okta_fastpass_phishing.toml

* Update initial_access_okta_fastpass_phishing.toml

* Update initial_access_okta_fastpass_phishing.toml

* Update initial_access_okta_fastpass_phishing.toml

* Update initial_access_okta_fastpass_phishing.toml

* Update initial_access_okta_fastpass_phishing.toml

* Update initial_access_okta_fastpass_phishing.toml

* Update initial_access_okta_fastpass_phishing.toml

* Update initial_access_okta_fastpass_phishing.toml

* Update initial_access_okta_fastpass_phishing.toml

* Update rules/integrations/okta/initial_access_okta_fastpass_phishing.toml

* Update rules/integrations/okta/initial_access_okta_fastpass_phishing.toml

* Update rules/integrations/okta/initial_access_okta_fastpass_phishing.toml

* Update rules/integrations/okta/initial_access_okta_fastpass_phishing.toml

* Update rules/integrations/okta/initial_access_okta_fastpass_phishing.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2023-11-28 09:26:16 -05:00
Terrance DeJesus e6fef85899 [New Rule] Okta MFA Bombing Attempt (#3278) 
* new rule 'Potential Okta MFA Bombing via Push Notifications'

* updated naming

* TOML lint

* adjusted duplicate rule ID

* added event category override; added until sequence statement

* added verify authentication success

* moved setup to separate field

* enhanced query optimization
 2023-11-28 09:16:20 -05:00
Terrance DeJesus 69cb2f6fc6 [New Rule] Adding Detection for Multiple Okta Users with the Same Device Token Hash (#3267) 
* added new rule 'Multiple Okta Users with the Same Device Token Hash'

* moved rule to okta integration folder

* adjusted query to be optimized

* added false positive comment

* Update rules/integrations/okta/initial_access_multiple_active_users_from_single_device.toml
 2023-11-27 19:23:38 -05:00
Terrance DeJesus 0578bd4caa [New Rule] Threshold Detections for Okta User Sessions and Client Addresses (#3263) 
* new Okta threshold rules for client addresses and sessions

* adjusting references

* Update rules/integrations/okta/initial_access_multiple_client_addresses_with_single_okta_session.toml

* Update rules/integrations/okta/initial_access_multiple_client_addresses_with_single_okta_session.toml

* Update rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml

* Update rules/integrations/okta/initial_access_multiple_client_addresses_with_single_okta_session.toml

* Update rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules/integrations/okta/initial_access_multiple_client_addresses_with_single_okta_session.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules/integrations/okta/initial_access_multiple_client_addresses_with_single_okta_session.toml

* Update rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml

* Update rules/integrations/okta/initial_access_multiple_client_addresses_with_single_okta_session.toml

* Update rules/integrations/okta/initial_access_multiple_client_addresses_with_single_okta_session.toml

* Update rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml

* Update rules/integrations/okta/initial_access_multiple_client_addresses_with_single_okta_session.toml

* Update rules/integrations/okta/initial_access_multiple_client_addresses_with_single_okta_session.toml

* Update rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2023-11-27 19:03:06 -05:00
Terrance DeJesus 8eeb95f545 [New Rule] Detection for Okta Sign-In Events via Third-Party IdP (#3259) 
* adding new rule 'Okta Sign-In Events via Third-Party IdP'

* fix creation date

* fixed query efficiency

* added investigation guide

* Update rules/integrations/okta/initial_access_sign_in_events_via_third_party_idp.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2023-11-27 18:31:27 -05:00
Terrance DeJesus 73288af642 adding new rule 'New Okta Identity Provider (IdP) Added by Admin' (#3258) 2023-11-27 18:06:54 -05:00
Terrance DeJesus 8321cfe018 [New Rule] Adding Detection for First Occurrence of Okta User Session Started via Proxy (#3261) 
* new rule 'First Occurrence of Okta User Session Started via Proxy'

* Update rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml

* Update rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml

* Update rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml

* Update rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml
 2023-11-27 17:50:13 -05:00
Terrance DeJesus f19506f3a2 [New Rule] Adding Detection for New Okta Authentication Behavior (#3260) 
* new rule 'New Okta Authentication Behavior Detected'

* Update rules/integrations/okta/initial_access_new_authentication_behavior_detection.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2023-11-27 17:39:10 -05:00
Terrance DeJesus 832ee02aed [New Rule] Adding Detection Logic for Okta User Sessions Started from Different Geolocations (#3279) 
* new rule 'Okta User Sessions Started from Different Geolocations'

* Update rules/integrations/okta/initial_access_okta_user_sessions_started_from_different_geolocations.toml
 2023-11-21 17:32:09 -05:00
Apoorva Joshi a4f9cf4616 [New Rule] Adding Beaconing Rules from Advanced Analytic Beaconing Package (#3128) 
* Adding beaconing rules

* Update rules/integrations/beaconing/command_and_control_beaconing_high_confidence.toml

Co-authored-by: Kirti Sodhi <109447885+sodhikirti07@users.noreply.github.com>

* Update rules/integrations/beaconing/command_and_control_beaconing.toml

Co-authored-by: Kirti Sodhi <109447885+sodhikirti07@users.noreply.github.com>

* Updating min stack version

* added beaconing to manifests and schemas; updated rules

---------

Co-authored-by: Kirti Sodhi <109447885+sodhikirti07@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2023-10-30 10:05:24 -04:00
Terrance DeJesus 3d57209705 [Rule Tuning] Bump Minimum Stacks for AWS and Okta for Version Control (#3221) 
* adding adjusted Okta rules

* adding adjusted AWS rules

* adding adjusted AWS rules
 2023-10-24 12:51:59 -04:00
Terrance DeJesus 835be9b245 [New Rule] Add Living-off-the-Land (LotL) ProblemChild Rules (#3193) 
* adding new LotL rules

* added endpoint tags; updated technique mapping

* added missing data source tag

* Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* updated note, references and date

* changed ATT&CK technique to binary proxy execution

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-10-23 12:23:56 -04:00
Apoorva Joshi a5a606e804 [New Rule] Adding DGA Rules from Advanced Analytic DGA Package (#3102) 
* Adding DGA rules

* Adding references

* updated rule tags and queries

* Updating min stack version

* added logic to handle ml jobs

* added code comments for clarity

* removing subbed security docs folder

* added event dataset to queries for endpoint; updated note

* removed event dataset

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
 2023-10-16 15:48:54 -04:00
Apoorva Joshi 97ff7fb26e [New Rule] Adding Data Exfiltration Rules from Advanced Analytic DED Package (#3126) 
* Adding DED rules

* adding integration manifests and schemas for DED

* Updating min stack version

* updating manifests and schemas to match main

* added setup note; updated references

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
 2023-10-14 13:23:48 -04:00
Isai 374c9c6257 [New Rule] New GitHub App Installed (#3055) 
* new rule

* Update rules/integrations/github/execution_new_github_app_installed.toml

* Update rules/integrations/github/execution_new_github_app_installed.toml

edits from review

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* change query from event.module to event.dataset

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2023-10-12 20:10:20 -04:00
Terrance DeJesus 1e514afa57 [New Rule] Migrate Lateral Movement Detection Rules (#3175) 
* adding LMD rules

* added setup note; updated references

* adds 2.0.0 lmd manifest and schema

* adjusted min-stack for non-ML rules
 2023-10-12 15:02:19 -04:00
Isai ef8f5620e1 [New Rule] New GitHub Owner Added (#3090) 
* [New Rule] New GitHub Owner Added

new rule

* name change

* Apply suggestions from code review

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

---------

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
 2023-10-06 15:57:26 -04:00
Isai 9593412847 [New Rule] GitHub Owner Role Granted to User (#3087) 
* [New Rule] GitHub Owner Role Granted to User

new rule

* Update persistence_organization_owner_role_granted.toml

* updated integration schema

* changed timestamp_override

* Apply suggestions from code review

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2023-10-06 15:44:04 -04:00
Terrance DeJesus 57c05f0444 removing lmd rules and fixing version lock history (#3159) 2023-10-05 12:16:53 -04:00
Terrance DeJesus 8650b26002 [Rule Tuning] Update LMD Rules Min-Stack to 8.5 (#3142) 
* updating min-stack to 8.5

* updated min stack comments
 2023-09-27 16:17:52 -04:00
Apoorva Joshi 747ee7d593 [New Rule] Adding Lateral Movement Rules from Advanced Analytic LMD Package (#3119) 
* Adding Lateral Movement Detection rules

* added tags; adjusted tests; updated manifests and schemas

* added default value to build_integrations_schema

* combined analytic and non-dataset packages for related integrations

* adjusted machine learning definitions

* adjusted machine learning definitions

* removed splat for machine learning list due to 3.8 constraints

---------

Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2023-09-27 14:53:38 -04:00
Isai 9146e0965d [New Rule] Github Repository Deleted (#3056) 
* new rule

* Update rules/integrations/github/impact_github_repository_deleted.toml

* Update rules/integrations/github/impact_github_repository_deleted.toml

updates based on review

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2023-09-14 18:00:25 -04:00
Isai 904e37b732 [New Rule] GitHub Protected Branch Settings Changed (#3054) 
* new rule file

* testing query change

* query changed back

* Update rules/integrations/github/defense_evasion_github_protected_branch_settings_changed.toml

updates based on review

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* updated integration manifests with github schema

* Update defense_evasion_github_protected_branch_settings_changed.toml

added event.dataset to query

* added timestamp_override

* changed timestamp_override to @timestamp

* changed timestamp_override

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
 2023-09-14 17:16:51 -04:00
Jonhnathan 4233fef238 [Security Content] Include "Data Source: Elastic Defend" tag (#3002) 
* win folder

* Other folders

* Update test_all_rules.py

* .

* updated missing elastic defend tags

---------

Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
 2023-09-05 14:22:01 -04:00
Steve Ross 4f33a40f48 [Bug] Duplicate tag on Okta rule (#3020) 
* Fix double tag on rule

* fixed all rules; added unit test

---------

Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2023-08-21 10:42:47 -04:00
Samirbous 97d429e314 [New] Suspicious Microsoft 365 Mail Access by ClientAppId (#2933) 
* [New] Suspicious Microsoft 365 Mail Access by ClientAppId

Using New Term rule type identifies when a Microsoft 365 Mailbox is accessed by a ClientAppId that was observed for the fist time during the last 10 days.

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-193a
https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-o365.html

* Update initial_access_microsoft_365_abnormal_clientappid.toml

* Update initial_access_microsoft_365_abnormal_clientappid.toml
 2023-07-19 16:05:13 +01:00
Isai 80e2b699b6 [New Rule] Modification of Dynamic Linker Preload Shared Object Inside A Container (#2837) 
* [New Rule] Modification of Dynamic Linker Preload Shared Object Inside A Container

new rule

* removed priv_esc tag

removed priv_esc tag

* adjusted tags

adjusted tags

* updated tags

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2023-07-17 15:03:24 -04:00
Isai db90345fd5 [Rule Tuning] Kubernetes Anonymous Request Authorized (#2865) 
* rule tuning for exclusions

* optimized query

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2023-07-17 13:03:05 -04:00
Isai 0b64638bf7 [New Rule] AWS Credentials Searched For Inside a Container (#2887) 
* new rule toml

* Updated query

updated query based on review and added additional search queries

* updated rule query based on review

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2023-07-17 12:29:02 -04:00
Terrance DeJesus 0f5b5a3551 [Rule Tuning] Add Okta Investigation Guides Part 1 (#2899) 
* adding investigation guides for Okta rules

* Update rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* added MFA to investigation guide for brute forcing

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2023-07-17 11:47:02 -04:00
Ruben Groenewoud 8703c65f87 [Tuning] Azure Network Packet Capture Detected (#2888) 2023-06-28 16:32:56 +02:00
eric-forte-elastic aaa4ce2ea0 [BUG] test_all_rule_queries_optimized does not run on rules (#2823) 
* Fixed kql -> kuery in test_all_rule_queries_opt...

* all queries optimized

* manually reconciled all rules that failed due to toml escaped chars

* merge rules from main

* Rules needing optimization

* Fix optimized note

* fix another note

* another note fix

* fixing whitespace

* Updated for readability

---------

Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2023-06-23 10:58:31 -04:00
Jonhnathan b4c84e8a40 [Security Content] Tags Reform (#2725) 
* Update Tags

* Bump updated date separately to be easy to revert if needed

* Update resource_development_ml_linux_anomalous_compiler_activity.toml

* Apply changes from the discussion

* Update persistence_init_d_file_creation.toml

* Update defense_evasion_timestomp_sysmon.toml

* Update defense_evasion_application_removed_from_blocklist_in_google_workspace.toml

* Update missing Tactic tags

* Update unit tests to match new tags

* Add missing IG tags

* Delete okta_threat_detected_by_okta_threatinsight.toml

* Update command_and_control_google_drive_malicious_file_download.toml

* Update persistence_rc_script_creation.toml

* Mass bump

* Update persistence_shell_activity_by_web_server.toml

* .

---------

Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2023-06-22 18:38:56 -03:00
Terrance DeJesus 082e92c95c [Rule Tuning] Adjust Okta ThreatInsight Rule to Promotion (#2854) 
* adding new rule for Okta ThreatInsight threat suspected

* added promotion tag

* removed new rule and tuned existing

* added promotion tag

* Update rules/integrations/okta/okta_threatinsight_threat_suspected_promotion.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-06-21 09:47:27 -04:00
Terrance DeJesus 7f249e6cc4 [Security Content] Add Google Workspace Investigation Guides (#2540) 
* adding google workspace investigation guides

* updated 'Google Workspace Custom Gmail Route Created or Modified' guide

* updated 'Google Workspace Custom Gmail Route Created or Modified' guide

* updated 'Application Removed from Blocklist in Google Workspace'

* updated 'Domain Added to Google Workspace Trusted Domains'

* updated 'Google Workspace Bitlocker Setting Disabled'

* updated 'Google Workspace Admin Role Deletion'

* updated 'Application Added to Google Workspace Domain'

* updated 'Google Workspace Admin Role Assigned to a User'

* updated 'Google Workspace Role Modified'

* updated 'Google Workspace Custom Admin Role Created'

* updated 'Google Workspace API Access Granted via Domain-Wide Delegation of Authority'

* updated 'Google Workspace Password Policy Modified'

* updated 'Google Workspace Restrictions for Google Marketplace Modified to Allow Any App'

* updated 'Google Workspace User Organizational Unit Changed'

* reverted 'Google Workspace User Group Access Modified to Allow External Access'

* removed new lines

* added 'Investigation Guide' tags

* Update rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

* Update rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/collection_google_workspace_custom_gmail_route_created_or_modified.toml

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/collection_google_workspace_custom_gmail_route_created_or_modified.toml

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/collection_google_workspace_custom_gmail_route_created_or_modified.toml

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/defense_evasion_google_workspace_restrictions_for_google_marketplace_changed_to_allow_any_app.toml

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/impact_google_workspace_admin_role_deletion.toml

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/google_workspace/collection_google_workspace_custom_gmail_route_created_or_modified.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/google_workspace/persistence_google_workspace_password_policy_modified.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/google_workspace/persistence_google_workspace_password_policy_modified.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/google_workspace/persistence_google_workspace_password_policy_modified.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/google_workspace/persistence_google_workspace_password_policy_modified.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/collection_google_workspace_custom_gmail_route_created_or_modified.toml

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/persistence_google_workspace_2sv_policy_disabled.toml

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* removed duplicate file

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>
 2023-05-18 10:16:20 -04:00
Isai 0eed8ce27f [New Rule] SSH Process Launched From Inside A Container (#2794) 
* [New Rule] SSH Process Launched From Inside A Container

new toml rule file

* changed "not" query

changed query to !=

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2023-05-16 17:32:58 -04:00
Isai b0838cc2cb [New Rule] SSH Connection Established Inside A Running Container (#2793) 
* [New Rule] SSH Connection Established Inside A Running Container

new rule toml

* Update initial_access_ssh_connection_established_inside_a_container.toml

moved order of tactics

* Apply suggestions from code review

updated spacing based on code review

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2023-05-16 16:56:52 -04:00
Isai 515d393828 [New Rule] SSH Authorized Keys File Modified Inside a Container (#2792) 
* [New Rule] SSH Authorized Keys File Modified Inside a Container

new rule toml

* toml file name change

changed duplicate toml file name

* Update persistence_ssh_authorized_keys_modification_inside_a_container.toml

added time intervals

* removed redundant event.type

removed event.type fields

* added back event.type and removed event.action per reviewer suggestion

removed redundant event.action fields
 2023-05-16 16:30:17 -04:00