2ca746c4b4
[FR] Reset package version and push tag via ci ( #4260 )
2024-11-07 12:11:00 -06:00
48a051e3f1
[FR] Fetch history for versioning workflow ( #4259 )
2024-11-07 11:57:33 -06:00
c615df680f
[FR] Update the release versioning process and workflow ( #4257 )
2024-11-07 11:31:54 -06:00
d1b102730c
[Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 8 ( #4233 )
...
* [Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 8
* Update defense_evasion_powershell_windows_firewall_disabled.toml
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
2024-11-07 12:38:27 -03:00
ef0f96c874
[Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 7 ( #4232 )
...
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
2024-11-07 12:27:47 -03:00
d2dfd46b3e
Update credential_access_suspicious_lsass_access_generic.toml ( #4188 )
2024-11-07 13:56:53 +00:00
d9154c698a
[Testing] Update release-drafter.yml ( #4255 )
2024-11-06 16:21:05 -06:00
b2b92b0edc
[Testing] Update release-drafter.yml ( #4254 )
2024-11-06 16:00:18 -06:00
c1ac8f0fae
[FR] DRAFT Release Workflow on PR Merge ( #4253 )
2024-11-06 15:36:09 -06:00
a92fdc18a1
[New Rule] Adding Coverage for AWS IAM Customer-Managed Policy Attached to Role by Rare User ( #4245 )
...
* adding new rule 'AWS IAM Customer-Managed Policy Attached to Role by Rare User'
* adding investigation guide tag
* adds new hunting query
* updated notes
* changed name
* adjusting pyproject.toml version
2024-11-06 13:36:13 -05:00
6a39009402
Add investigation guide for Amazon Bedrock Rules ( #4247 )
...
* Add investigation guide for Amazon Bedrock Rules
* updated date
* review comments
* review comments
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2024-11-06 12:58:02 -05:00
1cc160fe2e
[Rule Tuning] Add Investigation Guides to AWS Rules ( #4249 )
...
* adding investigation guides for existing AWS rules
* removing 'AWS EC2 Instance Interaction with IAM Service' rule tuning
* adding back newline
* adjusted mitre att&ck mapping
* adjusted query and rule name
* updating date
2024-11-06 12:29:14 -05:00
c602042954
[New Rule] Adding Coverage for AWS Discovery API Calls via CLI from a Single Resource ( #4246 )
...
* adding new rule 'AWS Multiple Discovery API Calls via CLI from a Single Resource'
* adjusted name
* adjusted ESQL functions
* changed query comment
* Update rules/integrations/aws/discovery_ec2_multiple_discovery_api_calls_via_cli.toml
* adjusted query
* added min-stack
* adjusted query
2024-11-06 12:14:38 -05:00
ef6344f5e6
[Rule Tuning] Tuning AWS STS Temporary Credentials via AssumeRole ( #4228 )
...
* tuning 'AWS STS Temporary Credentials via AssumeRole'
* linted; adjusted OR in quer
* added investigation guide
* Update rules/integrations/aws/privilege_escalation_sts_temp_creds_via_assume_role.toml
* Update rules/integrations/aws/privilege_escalation_sts_temp_creds_via_assume_role.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* added new rule 'AWS STS Role Assumption by User'
* adjusted UUID
* Update rules/integrations/aws/privilege_escalation_role_assumption_by_service.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
2024-11-06 12:01:07 -05:00
f486571dc6
[New Rule] Adding Coverage for AWS SSM Command Document Created by Rare User ( #4229 )
...
* new rule 'AWS SSM Command Document Created by Rare User'
* added another reference
* added investigation guide
* removed min-stack
* Update rules/integrations/aws/execution_ssm_command_document_created_by_rare_user.toml
2024-11-06 11:53:51 -05:00
1c9177ef6f
[New Rule] Adding Coverage for AWS IAM Create User via Assumed Role on EC2 Instance ( #4244 )
...
* adding new rule 'AWS IAM Create User via Assumed Role on EC2 Instance'
* adding false-positive note
* changed file name
* added event.provider
* tuned 'AWS EC2 Instance Interaction with IAM Service' to be BBR
* updated query
* added BBR tag
* moved rule to BBR
* fixed BBR query
* moved rule to BBR
2024-11-06 11:28:41 -05:00
d5f36b3619
[New Rule] Adding Coverage for AWS SNS Email Subscription by Rare User ( #4224 )
...
* adding new rule 'AWS SNS Email Subscription by Rare User'
* updated mitre; adjusted non-ecs schema; fixed query
* removed protocol inclusion in query
* fixed risk score
* Update rules/integrations/aws/exfiltration_sns_email_subscription_by_rare_user.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules/integrations/aws/exfiltration_sns_email_subscription_by_rare_user.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
2024-11-06 11:19:30 -05:00
63732436b4
[FR] Update release-drafter.yml ( #4252 )
2024-11-06 09:02:55 -06:00
77f42f1168
[FR] Add Versioning Processes to DR ( #4223 )
2024-11-06 08:14:50 -06:00
6c2dad966a
[Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 9 ( #4234 )
...
* [Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 9
* .
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
2024-11-05 15:39:32 -03:00
a743b9c8c4
[Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 6 ( #4231 )
...
* [Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 6
* Update credential_access_cmdline_dump_tool.toml
* Update defense_evasion_powershell_windows_firewall_disabled.toml
* Revert "Update defense_evasion_powershell_windows_firewall_disabled.toml"
This reverts commit d2df2a848290425ebfe0bb5157332ad0611f726f.
* Update lateral_movement_via_wsus_update.toml
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
2024-11-05 15:00:43 -03:00
d5b5ba387d
[Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 5 ( #4230 )
...
* [Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 5
* Update collection_winrar_encryption.toml
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
2024-11-05 14:46:10 -03:00
63956a6f51
[Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 4 ( #4225 )
2024-11-05 14:22:14 -03:00
09ea35f33a
[New Rule] AWS STS AssumeRole with New MFA Device [Rule Tuning] AWS IAM Deactivation of MFA Device ( #4210 )
...
* [New Rule] [Rule Tuning] AWS STS AssumeRole with New MFA Device, AWS IAM Deactivation of MFA Device
New terms rule for new MFA device with AssumeRole action. Rule tuning to add MITRE technique to "AWS IAM Deactivation of MFA Device"
* add serialNumber to non-ecs schema file
* fixed misspelled toml file name
* Update rules/integrations/aws/persistence_sts_assume_role_with_new_mfa.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2024-11-05 02:09:05 -05:00
2b6116e0ce
[Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 3 ( #4222 )
2024-11-04 11:55:04 -03:00
80841b5619
[Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 2 ( #4221 )
...
* [Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 2
* Update rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2024-11-04 11:47:43 -03:00
81292aee8a
[Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 1 ( #4220 )
...
* [Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 1
* Update Integrations unit tests
* Update test_all_rules.py
2024-11-04 11:32:22 -03:00
581ef73bc0
[FR] [DAC] Add id support ( #4208 )
2024-11-01 07:47:34 -04:00
b6847c7a48
[New Rule] AWS STS Role Chaining ( #4209 )
...
* [New Rule] AWS STS Role Chaining
Identifies role chaining activity. Role chaining is when you use one assumed role to assume a second role through the AWS CLI or API.
While this a recognized functionality in AWS, role chaining can be abused for privilege escalation if the subsequent assumed role provides additional privileges.
Role chaining can also be used as a persistence mechanism as each AssumeRole action results in a refreshed session token with a 1 hour maximum duration.
This rule looks for role chaining activity happening within a single account, to eliminate false positives produced by common cross-account behavior.
* adding metadata query fields
* removing index field
2024-10-30 12:18:04 -04:00
1278c27967
Sync RTA Attempt to Fix Sensor Regex Error ( #4213 )
2024-10-28 22:50:12 +05:30
5d2940fa7c
Lock versions for releases: 8.10,8.11,8.12,8.13,8.14,8.15 ( #4217 )
2024-10-28 21:07:46 +05:30
123e090e7d
Fix Minstack version for windows integration - Pahse 2 ( #4216 )
2024-10-28 20:25:02 +05:30
92fe46b8ff
Fix Minstack version for windows integration ( #4214 )
2024-10-28 19:28:10 +05:30
9e4fce6586
[Rule Tuning] Potential Linux Hack Tool Launched ( #4191 )
2024-10-25 17:23:48 +02:00
b0bba39007
[Rule Tuning] Linux User Added to Privileged Group ( #4206 )
2024-10-25 14:21:20 +02:00
5d9b295bb6
Sync RTA Potential Mining Pool Command Detection ( #4204 )
...
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
2024-10-24 21:47:17 +05:30
ae2adc766d
Sync RTA Renice or Ulimit Execution from Unusual Parent ( #4203 )
...
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
2024-10-24 21:38:49 +05:30
4d41496e1d
Sync RTA Linux Powershell Egress Network Connection ( #4202 )
...
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
2024-10-24 20:35:15 +05:30
933020a5c1
Sync RTA Suspicious Execution from Foomatic-rip or Cupsd Parent ( #4201 )
...
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
2024-10-24 19:49:15 +05:30
6ec5c5b04b
Sync RTA Foomatic-rip Shell Execution ( #4200 )
...
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
2024-10-24 19:13:38 +05:30
be656ae740
Tune Bedrock rule to accept multivalued column ( #4205 )
2024-10-23 20:48:56 +05:30
77f0ee85d9
react_sync_rta_updates_4215 Network Connection by Foomatic-rip Child ( #4196 )
2024-10-23 19:18:36 +05:30
a54f83981e
Sync RTA File Downloaded via Curl or Wget to Hidden Directory ( #4197 )
...
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
2024-10-23 19:01:17 +05:30
0ef122632e
Sync RTA Shared Object Load via LoLBin ( #4198 )
...
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
2024-10-23 18:48:11 +05:30
f8d08f92f3
Sync RTA Suspicious Kernel Feature Activity ( #4199 )
...
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
2024-10-23 18:40:21 +05:30
faafc4f19d
Sync RTA Potential Proxy Execution via PHP ( #4195 )
...
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
2024-10-23 16:07:32 +05:30
c336e30dee
Sync RTA Suspicious Download and Redirect by Web Server ( #4194 )
...
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
2024-10-23 15:55:10 +05:30
6a740a6a61
Sync RTA File Downloaded and Piped to Interpreter by Web Server ( #4193 )
...
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
2024-10-23 15:45:45 +05:30
c5b108400c
Sync RTA File Downloaded from Suspicious Source by Web Server ( #4192 )
...
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
2024-10-23 15:15:56 +05:30
91fbc39084
Sync RTA MSR Write Access Enabled ( #4189 )
...
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
2024-10-23 14:13:47 +05:30
Mika Ayenson