github-actions[bot]
2bf4cf0b2a
Lock versions for releases: 8.12,8.13,8.14,8.15,8.16,8.17 ( #4453 )
2025-02-07 21:41:29 +05:30
Sergey Polzunov
a650b028f3
Bumping number of versions per rule to 4 in total ( #4451 )
* Bumping number of versions per rule to 4 in total
* Add explicit caps
* Simpler comment
* Renaming constants
* Drop to 8.17 again
* Clearer constants
* Drop if condition and extend the comment
* Shorten the lines
* Version bump
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
2025-02-07 16:28:36 +01:00
github-actions[bot]
1dfb05ec1c
Lock versions for releases: 8.12,8.13,8.14,8.15,8.16,8.17 ( #4442 )
2025-02-04 00:05:59 +05:30
shashank-elastic
818467f132
Replace master doc URLs with current ( #4439 )
2025-02-03 21:27:50 +05:30
shashank-elastic
aba793f3e5
Add prerelease version Integration manifests & schemas for sentinel_one_cloud_funnel ( #4438 )
2025-02-03 09:15:14 -05:00
shashank-elastic
350474b7b4
Refresh ECS & Beats schemas, Integration manifests & schemas ( #4436 )
2025-02-03 19:18:49 +05:30
Terrance DeJesus
bf1caf8b5f
[Rule Tuning] December-January AWS Rule Tuning ( #4425 )
* [Rule Tuning] AWS Monthly Rule Tunings
* Adding several more AWS tunings
* updating patch version
* updating non-ecs type to boolean
* fixed cloudtrail index
2025-01-31 10:35:18 -05:00
Mika Ayenson
fe8c81d762
[FR] Generate investigation guides ( #4358 )
2025-01-22 11:17:38 -06:00
github-actions[bot]
8093655f76
Lock versions for releases: 8.12,8.13,8.14,8.15,8.16,8.17 ( #4400 )
2025-01-21 19:35:57 +05:30
Eric Forte
2ea674ce84
[Bug] [DaC] Metadata maturity field default mismatch and poor enforcement of rule naming conventions ( #4285 )
* Add stub for solution
* Add date and maturity logic
* Add date and maturity logic
* Version Bump
* Remove Date Inheritance
* Remove Datetime import
2025-01-17 12:16:32 -05:00
Terrance DeJesus
5162067a51
[New Rule] Adding Coverage for Unusual AWS S3 Object Encryption with SSE-C ( #4377 )
* new rule 'Unusual AWS S3 Object Encryption with SSE-C'
* updated pyproject patch version
* bump repo version
* Update rules/integrations/aws/impact_s3_unusual_object_encryption_with_sse_c.toml
* updating patch version
* updating patch version
* Adding additional threshold rule
2025-01-15 14:11:58 -05:00
Terrance DeJesus
97b3f43870
[New Rule] Adding Coverage for AWS EC2 Deprecated AMI Discovery ( #4328 )
* new rule 'AWS EC2 Deprecated AMI Discovery'
* updated type
* updated non-ecs; bumped package version
* updated query
* added missing index
* updated patch version
2025-01-15 11:53:18 -05:00
shashank-elastic
32f596629d
Provide Deprecate Warnings for Experimental ML commands ( #4365 )
2025-01-15 21:53:16 +05:30
Eric Forte
cc00963fc3
[Bug] [DaC] Actions Connector Defaults to None ( #4376 )
* Add explicit calls to pass directories
* Bump Version
2025-01-15 09:31:23 -05:00
Terrance DeJesus
ad180777cf
[Maintenance] Repository Config Update ( #4359 )
* updating tokens
* bumped patch
* updated navigator gist ID
* updated naming
* Update .github/workflows/manual-backport.yml
* updated navigator url
* updated noreply email
* updated naming
* Update .github/workflows/manual-backport.yml
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
* updating README
* updated gist token
* replaced guidelines token with GITHUB_TOKEN
---------
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
2025-01-09 16:35:18 -05:00
github-actions[bot]
47571956a7
Lock versions for releases: 8.12,8.13,8.14,8.15,8.16,8.17 ( #4347 )
2025-01-07 22:54:34 +05:30
shashank-elastic
318ab3ffa0
Enhance Readability of KQL validation check failures ( #4329 )
2025-01-06 22:18:05 +05:30
shashank-elastic
52db5e0361
Monthly Refresh ECS & Beats schemas, Integration manifests & schemas. ( #4332 )
2025-01-06 21:48:11 +05:30
Samirbous
419e5c1ad3
[Tuning] Suspicious WMI Event Subscription Created ( #4327 )
* Update persistence_sysmon_wmi_event_subscription.toml
* Update non-ecs-schema.json
* Update persistence_sysmon_wmi_event_subscription.toml
* Update detection_rules/etc/non-ecs-schema.json
* Update pyproject.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2025-01-06 09:40:26 -03:00
shashank-elastic
2ff2965cb9
Enhance Readability of validation check failures ( #4299 )
2024-12-13 19:03:47 +05:30
github-actions[bot]
691126cd3d
Lock versions for releases: 8.12,8.13,8.14,8.15,8.16,8.17 ( #4295 )
2024-12-10 21:43:29 +05:30
github-actions[bot]
febdafa1f4
Lock versions for releases: 8.12,8.13,8.14,8.15,8.16,8.17 ( #4291 )
2024-12-09 21:38:33 +05:30
shashank-elastic
2c848c5111
Prep for Release 8.18 ( #4288 )
2024-12-09 18:25:13 +05:30
shashank-elastic
d3c05a08cc
Add all historical versions for v8.17.0 and above packages ( #4279 )
2024-12-03 23:36:32 +05:30
github-actions[bot]
86cc61c233
Lock versions for releases: 8.11,8.12,8.13,8.14,8.15,8.16 ( #4274 )
* Locked versions for releases: 8.11,8.12,8.13,8.14,8.15,8.16
* Update detection_rules/etc/version.lock.json
* Update Patch version for version lock changes
---------
Co-authored-by: shashank-elastic <shashank-elastic@users.noreply.github.com>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Co-authored-by: Shashank K S <Shashank.Suryanarayana@elastic.co>
2024-11-27 09:34:54 -05:00
shashank-elastic
04e1fc1436
Account for CCS '::' index pattern ( #4258 )
2024-11-13 11:17:08 +05:30
github-actions[bot]
ebb3675ea0
Lock versions for releases: 8.11,8.12,8.13,8.14,8.15,8.16 ( #4267 )
2024-11-11 22:29:22 +05:30
terrancedejesus
4a7f83e432
Version Lock File Reconcile Ref: #4266
2024-11-11 10:48:43 -05:00
Terrance DeJesus
ef453d8f4d
[Rule Tuning] Add Investigation Fields to Specific AWS Rules ( #4261 )
* adding investigation fields to specific aws rules
* updated patch
* removing min-stack requirements
* removed user.name redundancy
* adjusted order of investigation fields
* adding source address
2024-11-08 23:11:18 -05:00
shashank-elastic
c2e0a9315c
Fix extra new line in ATT&CK-coverage.md ( #4263 )
2024-11-08 20:13:21 +05:30
shashank-elastic
d2502c7394
Prep for Release 8.17 ( #4256 )
2024-11-07 23:53:04 +05:30
Terrance DeJesus
a92fdc18a1
[New Rule] Adding Coverage for AWS IAM Customer-Managed Policy Attached to Role by Rare User ( #4245 )
* adding new rule 'AWS IAM Customer-Managed Policy Attached to Role by Rare User'
* adding investigation guide tag
* adds new hunting query
* updated notes
* changed name
* adjusting pyproject.toml version
2024-11-06 13:36:13 -05:00
Isai
09ea35f33a
[New Rule] AWS STS AssumeRole with New MFA Device [Rule Tuning] AWS IAM Deactivation of MFA Device ( #4210 )
* [New Rule] [Rule Tuning] AWS STS AssumeRole with New MFA Device, AWS IAM Deactivation of MFA Device
New terms rule for new MFA device with AssumeRole action. Rule tuning to add MITRE technique to "AWS IAM Deactivation of MFA Device"
* add serialNumber to non-ecs schema file
* fixed misspelled toml file name
* Update rules/integrations/aws/persistence_sts_assume_role_with_new_mfa.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2024-11-05 02:09:05 -05:00
Jonhnathan
81292aee8a
[Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 1 ( #4220 )
* [Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 1
* Update Integrations unit tests
* Update test_all_rules.py
2024-11-04 11:32:22 -03:00
github-actions[bot]
5d2940fa7c
Lock versions for releases: 8.10,8.11,8.12,8.13,8.14,8.15 ( #4217 )
2024-10-28 21:07:46 +05:30
shashank-elastic
275c7288a3
Add testcase to check for related_integrations based on index ( #4096 )
2024-10-22 00:17:30 +05:30
github-actions[bot]
c1ce0d43d1
Lock versions for releases: 8.10,8.11,8.12,8.13,8.14,8.15 ( #4159 )
2024-10-16 10:23:33 +05:30
shashank-elastic
acb01cf9ee
Refresh to fetch latest ECS & Beats schemas, Integration manifests & schemas. ( #4140 )
2024-10-10 11:30:00 +05:30
github-actions[bot]
afbca3ee75
Lock versions for releases: 8.10,8.11,8.12,8.13,8.14,8.15 ( #4147 )
2024-10-09 20:56:57 -05:00
Terrance DeJesus
06319b7a13
[Rule Tuning] Add KEEP Command to all ES|QL Rules ( #4146 )
* updating ES|QL rules to include KEEP command
* fixed some ES|QL rules with typos; added validation for KEEP command
* fixed ES|QL errors from missing fields
* fixed flake errors
* updated date
* added best practices to hunt docs
2024-10-09 21:08:38 -04:00
Eric Forte
4edef2ea80
[FR][DAC] Import Rules Verbose Message ( #4093 )
* Draft Verbose Message
* Fix Linting
* Made more descriptive
* Updated for readability
2024-10-09 17:19:59 -04:00
Terrance DeJesus
281926052c
[Rule Tuning] Add METADATA checks for non-aggregate ES|QL queries and fix existing ( #4126 )
* fixed existing rules;added query checks
* fixed flake errors
* added re.DOTALL to regex pattern, adjusted pattern slightly; reverted some rules
* removed valueError and replaced ValidationError
* adjusted validation error output based on feedback
* Update rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
* Update rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
* added space for failure
* updated to use re.compile
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
2024-10-09 15:25:36 -04:00
Terrance DeJesus
50e23ba242
[Hunting] Re-factor Hunting Library Code ( #4085 )
* updating python code for hunting library
* fixed okta queries; added MITRE search capability
* fixed hunting unit test imports
* fixed duplicate UUID; fixed duplicate index entry bug
* fixed technique finding sub-technique in search
* added more unit tests
* linted
* flake errors addressed; fixed unit test import; fixed markdown generate bug
* added description for generate-markdown command
* updated README
* adjusted YAML index, adjusted code for index changes
* adjusted relative imports; updated CODEOWNERS
* adding updates; moving to different branch for main dependencies
* finished run-query command; made some code adjustments
* removed some comments
* revised makefile; fixed unit tests; adjusted detection rules pyproject
* updated README
* updated README
* adjusted unit tests; adjusted hunt guidelines; updated makefile; adjusted several commands
* adjusted package to be more object-oriented
* removed unused variable
* Add simple breakdown stats
* addressed feedback; added keyword option for search
* Update hunting/README.md
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
* Update detection_rules/etc/test_hunting_cli.bash
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
* addressing feedback
* addressed feedback
* added message for unknown index; fixed function call
* fixed search command
* fixed flake error
---------
Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
2024-10-03 12:47:40 -04:00
github-actions[bot]
80143b23b2
Lock versions for releases: 8.10,8.11,8.12,8.13,8.14,8.15 ( #4116 )
2024-10-01 18:14:03 +05:30
shashank-elastic
e2f1fcefa8
Add flag to update the docs/ATT&CK-coverage.md with markdown URL(s) ( #4077 )
2024-09-19 23:12:01 +05:30
Samirbous
5e0fb4a63e
[Tuning] Add logs-panw.panos index to Network rules ( #4089 )
* [Tuning] Add logs-panw.panos index to Network rules
https://github.com/elastic/detection-rules/issues/3998
This PR adds the PANOS traffic index `.ds-logs-panw.panos-default-*` to the network rules that use compatible fields.
* add tag and integration
* Update command_and_control_fin7_c2_behavior.toml
* Build Manifest and Schema for panw integration
* Update definitions.py
* Update definitions.py
* Fix definitions declaration
---------
Co-authored-by: Shashank K S <Shashank.Suryanarayana@elastic.co>
2024-09-19 08:01:44 +01:00
Mika Ayenson
df31c002ca
[Bug] Handle formatting empty list ( #4086 )
2024-09-17 13:25:17 -05:00
github-actions[bot]
574064272d
Lock versions for releases: 8.10,8.11,8.12,8.13,8.14,8.15 ( #4082 )
2024-09-16 21:43:16 +05:30
Terrance DeJesus
bb9a772870
[New Rule] Okta Public Client App OAuth Token Request with Client Credentials ( #4074 )
* adding new rule for Okta public client app OAuth token request with client credentials
* Update detection_rules/etc/non-ecs-schema.json
* changing new terms to okta.actor.display_name
* linted; added references
2024-09-13 14:57:49 -04:00
shashank-elastic
eda179bbe1
Skip Development Rules from Security Docs ( #4073 )
2024-09-13 19:57:00 +05:30