* add rule type to the rule lock_info
* add check in VersionLock; add type to version.lock
* print changes only on save
(cherry picked from commit 11ec9c230e)
* save changes to top level for route C; verbose prints
* update top level on forked rule without overriding min_stack_version
* add check to ensure previous version !> current
(cherry picked from commit f4c94af994)
* Ensure kql2eql conversion doesnt support `text` fields
* Add unit test cases for`text` not supported in eql
* test `field not recognized` in the rule_validator and output a verbose message.
* use elasticsearch_type_family to lookup text mappings
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit 1f015ebe85)
* Adding event.provider
* Removing new line
* Updating updated_date field
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
(cherry picked from commit 2ed97d2e8c)
* fixed duplicated file name
* deprecated Symbolic Link to Shadow Copy Created as it may be prone to FP and the intrusion steps are covered with NTDS or SAM Database File Copied
* moved rule back to production, added investigation notes and sequencing to EQL query
* added related rule 3bc6deaa-fbd4-433a-ae21-3e892f95624f to investigation notes
* updating with minor changes
* adjusted related rules
* adjusted investigation notes
* Update rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* TOML linted and adjusted updated date
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
(cherry picked from commit 096723b2a1)
* update beats master branch ref to main
* update filename of master beat schema to main
* delete old main beats schema
* rebuilt main beats archive
(cherry picked from commit 84b7ce6582)
* Generate attack layer files and build with package
* add update-navigator-gists command
* add workflow to update navigator gists on pushes to main
* Add coverage readme
* fix keys for links
* update navigator layer names
* purge gist files prior to update; add badge
* Update how the navigator links are displayed
* moved navigator code to dedicated and refactored to dataclasses
* convert gist links to permalink versions
* alphabetize; catch 404 for gist update
(cherry picked from commit 254b4eb23f)
* [New Rule] Potential Remote Credential Access via Registry
4624 logon followed by hive file creation by regsvc svchost.exe by same user.name and host.id. This matches on secretdsdump and other similar implementations. require to correlation Elastic endpoint file events with System integration logs (4624).
Example of data :
* Delete workspace.xml
* Update credential_access_remote_sam_secretsdump.toml
* Update credential_access_remote_sam_secretsdump.toml
* add non ecs field
* Update non-ecs-schema.json
* Update credential_access_remote_sam_secretsdump.toml
* Update rules/windows/credential_access_remote_sam_secretsdump.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update rules/windows/credential_access_remote_sam_secretsdump.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update rules/windows/credential_access_remote_sam_secretsdump.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit a6582351b5)
Jonhnathan