* Add whitespace checking for KQL parse
* Add unit test for blank space check
* Bump patch version
* Add test cases for newline blank space
* Add additional unit tests
* Update to only walk tree once
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Bump Version
* updated
* Bump patch version
* Optimization should only occur on single values
* Wildcard semantically equivalent to query_string*
* Add unit test for optimization
* Move code-checks to yml
* Add tests path to code-checks
* Add lib path for code-checks
* Install deps from local
* Update DSL optimization unit test
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* first pass
* Adding a dedicated code checking workflow
* Type fixes
* linting config and python version bump
* Type hints
* Drop incorrect config option
* More fixes
* Style fixes
* CI adjustments
* Pyproject fixes
* CI & pyproject fixes
* Proper version bump
* Tests formatting
* Resolve cirtular dependency
* Test fixes
* Make sure the tests are formatted correctly
* Check tweaks
* Bumping python version in CI images
* Pin marshmallow do 3.x because 4.x is not supported
* License fix
* Convert path to str
* Making myself a codeowner
* Missing kwargs param
* Adding a missing kwargs to `set_score`
* Update .github/CODEOWNERS
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* Dropping unnecessary raise
* Dropping skipped test
* Drop unnecessary var
* Drop unused commented-out func
* Disable typehinting for the whole func
* Update linting command
* Invalid type hist on the input param
* Incorrect field type
* Incorrect value used fix
* Stricter values check
* Simpler function call
* Type condition fix
* TOML formatter fix
* Simpligy output conditions
* Formatting
* Use proper types instead of aliases
* MITRE attack fixes
* Using pathlib.Path for an argument
* Use proper method to update a set from a dict
* First round of `ruff` fixes
* More fixes
* More fixes
* Hack against cyclic dependency
* Ignore `PLC0415`
* Remove unused markers
* Cleanup
* Fixing the incorrect condition
* Update .github/CODEOWNERS
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* Set explicit default values for optional fields
* Update the guidelines
* Adding None Defaults
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
Co-authored-by: eric-forte-elastic <eric.forte@elastic.co>
* Delete RTAs
* Delete RTA-related orchestration code
* Drop RTAs from tests
* Remove RTAs from README
* Further cleanup
* Readme update
* Version bump and no more RTAs
* Styling fixes
* Drop RTAs from config files
* Drop `rule-mapping.yaml`
* Bring back event collector / normalizer
* Drop rta mention
* Cleanup rta leftovers
* Style fix
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* [Rule Tuning] Tighten Up Windows EventLog Indexes, Improve tags
* Format & order
* Update pyproject.toml
* Update credential_access_cookies_chromium_browsers_debugging.toml
* add description to hunting schema; change queries to be a list
* update createremotethreat by process hunt
* update dll hijack and masquerading as MSFT library
* remove sysmon specific dDLL hijack via masquerading MSFT library
* updated Masquerading Attempts as Native Windows Binaries
* updates Rare DLL Side-Loading by Occurrence
* updates Rare LSASS Process Access Attempts
* update DNS Queries via LOLBins with Low Occurence Frequency
* updated Low Occurrence of Drivers Loaded on Unique Hosts
* updates Excessive RDP Network Activity by Host and User
* updates Excessive SMB Network Activity by Process ID
* updated Executable File Creation by an Unusual Microsoft Binary
* Frequency of Process Execution and Network Logon by Source Address
* updates Frequency of Process Execution and Network Logon by Source Address
* updated Execution via Remote Services by Client Address
* updated Startup Execution with Low Occurrence Frequency by Unique Host
* updated Low Frequency of Process Execution via WMI by Unique Agent
* updated Low Frequency of Process Execution via Windows Scheduled Task by Unique Agent
* updated Low Occurence of Process Execution via Windows Services with Unique Agent
* Updated High Count of Network Connection Over Extended Period by Process
* update Libraries Loaded by svchost with Low Occurrence Frequency
* updated Microsoft Office Child Processes with Low Occurrence Frequency by Unique Agent
* updated Network Discovery via Sensitive Ports by Unusual Process
* updated PE File Transfer via SMB_Admin Shares by Agent or User
* updated Persistence via Run Key with Low Occurrence Frequency
* updates Persistence via Startup with Low Occurrence Frequency by Unique Host
* updates "Persistence via Run Key with Low Occurrence Frequency"; adjusted file names to remove data source
* updates "Low Occurrence of Suspicious Launch Agent or Launch Daemon"
* updates "Egress Network Connections with Total Bytes Greater than Threshold"
* updates "Rundll32 Execution Aggregated by Command Line"
* updates "Scheduled tasks Creation by Action via Registry"
* updates "Scheduled Tasks Creation for Unique Hosts by Task Command"
* updates "Suspicious Base64 Encoded Powershell Command"
* updates "Suspicious DNS TXT Record Lookups by Process"
* updates "Unique Windows Services Creation by Service File Name"
* Updates "Unique Windows Services Creation by Service File Name"
* updates "Windows Command and Scripting Interpreter from Unusual Parent Process"
* updates "Windows Logon Activity by Source IP"
* updates "Suspicious Network Connections by Unsigned Mach-O"
* updates LLM hunting queries
* re-generated markdown files; updated generate markdown py file
* updated test_hunt_data
* Update hunting/macos/queries/suspicious_network_connections_by_unsigned_macho.toml
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
* Update hunting/windows/queries/drivers_load_with_low_occurrence_frequency.toml
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
* Update hunting/windows/queries/domain_names_queried_via_lolbins_and_with_low_occurence_frequency.toml
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
* Update hunting/windows/queries/excessive_rdp_network_activity_by_source_host_and_user.toml
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
* Update hunting/windows/queries/excessive_rdp_network_activity_by_source_host_and_user.toml
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
* updated missing integrations
* updated MD docs according to recent hunting changes
* Update hunting/windows/queries/executable_file_creation_by_an_unusual_microsoft_binary.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update hunting/windows/queries/detect_rare_dll_sideload_by_occurrence.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update hunting/windows/queries/detect_masquerading_attempts_as_native_windows_binaries.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update hunting/windows/queries/detect_dll_hijack_via_masquerading_as_microsoft_native_libraries.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update hunting/llm/queries/aws_bedrock_dos_resource_exhaustion_detection.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* added enrichment policy link to rule
* Update hunting/windows/docs/execution_via_windows_management_instrumentation_by_occurrence_frequency_by_unique_agent.md
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update hunting/windows/docs/windows_command_and_scripting_interpreter_from_unusual_parent.md
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update hunting/windows/docs/windows_command_and_scripting_interpreter_from_unusual_parent.md
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update hunting/windows/docs/rundll32_execution_aggregated_by_cmdline.md
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update hunting/windows/docs/microsoft_office_child_processes_with_low_occurrence_frequency.md
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update hunting/windows/docs/microsoft_office_child_processes_with_low_occurrence_frequency.md
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update hunting/windows/queries/execution_via_windows_management_instrumentation_by_occurrence_frequency_by_unique_agent.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update hunting/windows/queries/execution_via_windows_management_instrumentation_by_occurrence_frequency_by_unique_agent.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update hunting/index.md
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update hunting/windows/docs/execution_via_network_logon_by_occurrence_frequency_by_top_source_ip.md
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update hunting/windows/queries/execution_via_network_logon_by_occurrence_frequency_by_top_source_ip.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Mika Ayenson, PhD