Commit Graph

1457 Commits

Author SHA1 Message Date
Ruben Groenewoud 2d55e67da7 [Rule Tuning] Systemd Service & Timer (#3728)
* [Rule Tuning] Systemd Service & Timer

* Update

* Update persistence_systemd_scheduled_timer_created.toml

* Update persistence_systemd_service_creation.toml

* ++

* Incompatible endgame field

* Update rules/linux/persistence_systemd_service_creation.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/persistence_systemd_scheduled_timer_created.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

(cherry picked from commit bebf671881)
2024-06-05 08:04:19 +00:00
Ruben Groenewoud 8eea11e6ab [New Rule & Tuning] (Ana)Cron & At Job Creation (#3726)
* [New Rule & Tuning] (Ana)Cron & At Job Creation

* Update persistence_at_job_creation.toml

* Update persistence_cron_job_creation.toml

* ++

* Incompatible endgame field

* Update rules/linux/persistence_at_job_creation.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/persistence_cron_job_creation.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

(cherry picked from commit 81ee6380ec)
2024-06-05 07:56:52 +00:00
shashank-elastic 06660cb2e1 Refresh MITRE Attack v15.1.0 (#3725)
(cherry picked from commit e357a2c050)
2024-06-04 14:48:18 +00:00
Terrance DeJesus d7db6be0aa [New Rule] Rapid Secret Retrieval Attempts from AWS SecretsManager (#3589)
* new rule 'Rapid Secret Retrieval Attempts from AWS SecretsManager'

* updated user identity arn to user.id for cross-service password retrieval

* added investigation guides; bumped dates; adjusted threshold value

* Update rules/integrations/aws/credential_access_rapid_secret_retrieval_attempts_from_secretsmanager.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/integrations/aws/credential_access_rapid_secret_retrieval_attempts_from_secretsmanager.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/integrations/aws/credential_access_new_terms_secretsmanager_getsecretvalue.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

(cherry picked from commit 59b7e3bde4)
2024-06-04 13:23:16 +00:00
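The threshold logic behind a rule like the one above, as an added example that is not the detection-rules project's own query: the real rule is a Kibana threshold rule whose exact threshold, window and counted field are not shown on this page, so the values of `threshold` and `window`, the choice to count distinct secret IDs per `user.id` rather than raw call volume, the `secretId=` request-parameter format and every sample event below are assumptions constructed for this example.

```python
"""Sliding-window threshold over constructed CloudTrail GetSecretValue events.

Added example only. Groups GetSecretValue attempts by user.id (the field the
commit above switched to) and alerts when one identity touches at least
`threshold` distinct secrets inside `window`. Counting distinct secrets rather
than raw calls is an assumption made here so that one application polling a
single secret does not trip the rule.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: the Elastic AWS integration renders requestParameters as a
# string such as "{secretId=prod/db/password}".
SECRET_ID_RE = re.compile(r"secretId=([^,}]+)")


def _secret_id(event):
    m = SECRET_ID_RE.search(event.get("aws.cloudtrail.request_parameters", ""))
    return m.group(1) if m else None


def _ts(event):
    return datetime.fromisoformat(event["@timestamp"].replace("Z", "+00:00"))


def detect_rapid_secret_retrieval(events, threshold=5, window=timedelta(minutes=5)):
    """Return one alert per identity each time it crosses the threshold.

    Every GetSecretValue call counts as an attempt regardless of outcome.
    After an alert fires the identity's window is cleared, mirroring a
    threshold rule that fires once per execution rather than on every
    subsequent event.
    """
    recent = defaultdict(deque)  # user.id -> deque of (timestamp, secret id)
    alerts = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if ev.get("event.action") != "GetSecretValue":
            continue
        secret = _secret_id(ev)
        if secret is None:
            continue
        uid = ev["user.id"]
        now = _ts(ev)
        q = recent[uid]
        q.append((now, secret))
        while now - q[0][0] > window:  # drop entries that fell out of the window
            q.popleft()
        distinct = {s for _, s in q}
        if len(distinct) >= threshold:
            alerts.append({
                "user.id": uid,
                "first": q[0][0].isoformat(),
                "last": now.isoformat(),
                "distinct_secrets": len(distinct),
            })
            q.clear()
    return alerts


# Constructed sample events (not real CloudTrail data). AIDAEXAMPLE1 sweeps
# six different secrets in under a minute; AIDAEXAMPLE2 re-reads one secret
# ten times, which a distinct-secret count should not flag.
SAMPLE_EVENTS = [
    *[
        {"@timestamp": f"2024-06-04T10:00:{i * 10:02d}Z", "event.action": "GetSecretValue",
         "event.outcome": "success", "user.id": "AIDAEXAMPLE1",
         "aws.cloudtrail.request_parameters": f"{{secretId=prod/db/secret-{i}}}"}
        for i in range(6)
    ],
    *[
        {"@timestamp": f"2024-06-04T10:00:{i * 5:02d}Z", "event.action": "GetSecretValue",
         "event.outcome": "success", "user.id": "AIDAEXAMPLE2",
         "aws.cloudtrail.request_parameters": "{secretId=prod/app/api-key}"}
        for i in range(10)
    ],
    {"@timestamp": "2024-06-04T10:00:30Z", "event.action": "ListSecrets",
     "event.outcome": "success", "user.id": "AIDAEXAMPLE1",
     "aws.cloudtrail.request_parameters": ""},
]

if __name__ == "__main__":
    for alert in detect_rapid_secret_retrieval(SAMPLE_EVENTS):
        print(alert)
```

Raising the threshold above the number of distinct secrets in the sweep (for instance to 7) produces no alert for the constructed data, which is the knob the commit message refers to when it says the threshold value was adjusted.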
Ruben Groenewoud b719927d66 [Rule Tuning] Agent Spoofing (#3729)
(cherry picked from commit 90bb8b53d8)
2024-06-03 17:31:40 +00:00
Terrance DeJesus 6924fddf65 [New Rule] AWS Lambda Function Policy Updated To Allow Public Invocation (#3632)
* new rule 'AWS Lambda Function Policy Updated To Allow Public Invocation'

* updated rule UUID

* added investigation guide

* Update rules/integrations/aws/persistence_lambda_backdoor_invoke_function_for_any_principal.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/integrations/aws/persistence_lambda_backdoor_invoke_function_for_any_principal.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/integrations/aws/persistence_lambda_backdoor_invoke_function_for_any_principal.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

(cherry picked from commit 0885032b2c)
2024-06-03 15:46:31 +00:00
Terrance DeJesus 1b586e7485 [New Rule] AWS Lambda Layer Added to Existing Function (#3631)
* new rule 'AWS Lambda Layer Added to Existing Function'

* updated query logic; added investigation note

(cherry picked from commit 70469b4cdb)
2024-06-02 12:44:13 +00:00
Terrance DeJesus 9b487a7ea3 [New Rule] AWS S3 Bucket Policy Added to Share with External Account (#3603)
* new rule 'AWS S3 Bucket Policy Added to Share with External Account'

* added investigation guide

* Update rules/integrations/aws/exfiltration_s3_bucket_policy_added_for_external_account_access.toml

(cherry picked from commit 7c82e75cf4)
2024-06-01 14:34:49 +00:00
Isai 032a8c9623 [New Rule] AWS GetCallerIdentity API Called for the First Time (#3711)
* [New Rule] AWS GetCallerIdentity API Called for the First Time

issue

* Apply suggestions from code review

name change, false positive additions, remove Setup, change new_terms window from 15d to 10d

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/aws/discovery_new_terms_sts_getcalleridentity.toml

fixed missing closing quotes

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

(cherry picked from commit 23ce41d8af)
2024-05-31 21:58:11 +00:00
shashank-elastic 9a92326b0d Remove unwanted backticks (#3724)
(cherry picked from commit 418a95205e)
2024-05-31 16:19:24 +00:00
James Valente 444ae196ac Add exceptions to brute force threshold rule. (#3712)
High-volume, machine-generated failures or MFA interruptions have been added to the rule.

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

(cherry picked from commit 34294fbe6d)
2024-05-30 08:16:09 +00:00
Gus Carlock e1230b6b26 Update rule setup instructions for UEBA packages (#3652)
* update detection-rules instructions for UEBA packages

---------

Co-authored-by: Susan <23287722+susan-shu-c@users.noreply.github.com>

(cherry picked from commit 8b28a515c1)
2024-05-28 19:24:45 +00:00
Terrance DeJesus a32759a51f [New Rule] First Occurrence of AWS Resource Starting SSM Session to EC2 Instance (#3598)
* new rule 'First Occurrence of AWS Resource Starting SSM Session to EC2 Instance'

* added investigation guide

* changed file name to match tactic

* changed reference

* updated tags

* updated investigation notes

* changed new terms value; adjusted rule name

(cherry picked from commit d5c57463e1)
2024-05-28 15:26:33 +00:00
Terrance DeJesus 2691273c93 [New Rule] AWS EC2 VPC Security Group Rule Added for Any Address or Remote Access Ports (#3599)
* new rule 'AWS EC2 VPC Security Group Rule Added for Any Address or Remote Access Ports'

* updated rule name

* changed file name; added false-positive note

* changed rule UUID

* adjusted file name

* updated tags

* added investigation guide; updated query logic

* Update rules/integrations/aws/defense_evasion_vpc_security_group_ingress_rule_added_for_remote_connections.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* updated query and name

* updated query optimization

---------

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

(cherry picked from commit 527f785a60)
2024-05-28 14:52:40 +00:00
Ruben Groenewoud 0295db4b6b [New Rule & Tunings] Linux Springtail Backdoor (#3692)
* [New Rules and Tuning] Springtail backdoor

* consistency formatting

* update

* unit testing formatting change

* Update persistence_systemd_service_started.toml

* Update persistence_systemd_service_started.toml

* Update command_and_control_suspicious_network_activity_from_unknown_executable.toml

(cherry picked from commit 390629da4e)
2024-05-24 08:13:21 +00:00
Samirbous 8975b5de18 Update impact_high_freq_file_renames_by_kernel.toml (#3707)
(cherry picked from commit 603f3c313a)
2024-05-23 17:03:14 +00:00
shashank-elastic 18fcd83683 Back-porting Version Trimming (#3704)
(cherry picked from commit 63e91c2f12)
2024-05-22 19:18:10 +00:00
Terrance DeJesus bc95221e93 [New Rule] AWS S3 Bucket Expiration Lifecycle Configuration Added (#3591)
* new rule 'AWS S3 Bucket Expiration Lifecycle Configuration Added'

* added investigation guide

* updated query logic

(cherry picked from commit 137b74c3aa)
2024-05-20 20:23:52 +00:00
Justin Ibarra e7959e88b9 [Bug] Fix test_os_and_platform_in_query test and rules (#3695)
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>

(cherry picked from commit ce21acef9c)
2024-05-20 15:51:28 +00:00
Jonhnathan 0ab70f13a4 [Rule Tuning] Add Initial SentinelOne Compatibility to Windows DRs (#3627)
* [Rule Tuning] Add Initial SentinelOne Compatibility

* updated definitions.py; updated tags; fixed unit tests

* added prerelease versions for s1 integration; updated build CLI commands to allow prerelease; bumped min-stacks

* updating manifests and integrations

* fixing flake errors

* min_stack

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

(cherry picked from commit d023ad66b1)
2024-05-20 12:59:37 +00:00
Samirbous 98e0777b34 Update credential_access_suspicious_web_browser_sensitive_file_access.toml (#3691)
(cherry picked from commit ec27bf8545)
2024-05-18 04:38:02 +00:00
Samirbous 1d7e597662 [Tuning] Suspicious Microsoft 365 Mail Access by ClientAppId (#3677)
* Update initial_access_microsoft_365_abnormal_clientappid.toml

* Update initial_access_microsoft_365_abnormal_clientappid.toml

* Update initial_access_microsoft_365_abnormal_clientappid.toml

* Update initial_access_microsoft_365_abnormal_clientappid.toml

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

(cherry picked from commit f0b226c2b0)
2024-05-15 17:20:18 +00:00
Jonhnathan ad7a8afb32 [Rule Tuning] Windows Service Installed via an Unusual Client (#3671)
* [Rule Tuning] Windows Service Installed via an Unusual Client

* Update privilege_escalation_windows_service_via_unusual_client.toml

* Update rules/windows/privilege_escalation_windows_service_via_unusual_client.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

(cherry picked from commit 0eef7f62ff)
2024-05-15 13:39:59 +00:00
Mika Ayenson ca8af123d2 [FR] Add max_signal note, unit test, and rule tuning (#3669)
(cherry picked from commit f07a9e6fbc)
2024-05-14 16:23:18 +00:00
Terrance DeJesus 9dceb36a7e [New Rule] Route53 Resolver Query Log Configuration Deleted (#3592)
* new rule 'Route53 Resolver Query Log Configuration Deleted'

* added investigation guide

* adjusted investigation notes

* Update rules/integrations/aws/defense_evasion_route53_dns_query_resolver_config_deletion.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

(cherry picked from commit 2375297879)
2024-05-14 14:32:44 +00:00
Samirbous cbac37db59 [New] Unusual Execution via Microsoft Common Console File (#3663)
* [New] Unusual Execution via Microsoft Common Console File

https://www.genians.co.kr/blog/threat_intelligence/facebook

* Update rules/windows/execution_initial_access_via_msc_file.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules/windows/execution_initial_access_via_msc_file.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/execution_initial_access_via_msc_file.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update execution_initial_access_via_msc_file.toml

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

(cherry picked from commit a1ef8c9fc0)
2024-05-14 14:16:02 +00:00
Samirbous 95fd920afe [New] Potential File Download via a Headless Browser (#3660)
* [New] Potential File Download via a Headless Browser

* Update command_and_control_headless_browser.toml

* Update command_and_control_headless_browser.toml

* Update command_and_control_common_webservices.toml

* Update command_and_control_headless_browser.toml

* Update command_and_control_headless_browser.toml

(cherry picked from commit 83462a3087)
2024-05-14 13:04:35 +00:00
Terrance DeJesus f918f091c3 [New Rule] AWS EC2 AMI Shared with Another Account (#3600)
* new rule 'AWS EC2 AMI Shared with Another Account'

* linted; updated UUID

* added investigation guide

* updated description

* fixed spelling errors

* Update rules/integrations/aws/exfiltration_ec2_ami_shared_with_separate_account.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* fixed spacing issue

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

(cherry picked from commit d505b95f3c)
2024-05-14 06:04:20 +00:00
Terrance DeJesus 727e7ada2e [New Rule] First Occurrence of User Identity Retrieving Credentials from EC2 Instance with an Assumed Role (#3586)
* new rule 'First Occurrence of User Identity Sending Requests to EC2 Instance'

* updated description and name

* added investigation guide; adjusted description

* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* updated query logic

* fixed spacing issue

* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml

* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

(cherry picked from commit 38e0f13e23)
2024-05-14 03:15:43 +00:00
Jonhnathan 2f88a93d62 [New Rule] Alternate Data Stream Creation at Volume Root Directory (#3517)
* [New Rule] Alternate Data Stream Creation at Volume Root Directory

* Update defense_evasion_root_dir_ads_creation.toml

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

(cherry picked from commit 6150f222b2)
2024-05-13 11:42:34 +00:00
Colson Wilhoit c915b9959d [Tuning] MacOS Comprehensive Detection Rule Tuning (#3435)
* Update to use new data source

* Exclude FPs

* Update logic

* Exclude FPs

* Update to match ER logic

* Exclude FP

* Update to match endpoint rule and reduce FPs

* Update logic to reduce FPs

* Update logic to reduce FPs

* Exclude FPs

* Update logic to remove FPs

* Update logic to reduce FPs

* Update logic and min stack version to reduce FPs

* Exclude FP

* Remove FPs

* Update logic and min stack to reduce FPs

* Exclude FPs

* Update logic and min stack to exclude FPs

* Update logic and min stack to exclude FPs

* Update logic to be more efficient

* Update logic

* Update rules/macos/credential_access_promt_for_pwd_via_osascript.toml

* Update rules/macos/defense_evasion_modify_environment_launchctl.toml

* Update rules/macos/persistence_docker_shortcuts_plist_modification.toml

* Update rules/macos/privilege_escalation_local_user_added_to_admin.toml

* Update rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml

* Update persistence_folder_action_scripts_runtime.toml

* Update rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/macos/persistence_credential_access_authorization_plugin_creation.toml

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* Update rules/macos/execution_installer_package_spawned_network_event.toml

* Update rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml

* Update rules/macos/credential_access_credentials_keychains.toml

* Update rules/macos/credential_access_suspicious_web_browser_sensitive_file_access.toml

* Update rules/macos/credential_access_suspicious_web_browser_sensitive_file_access.toml

* Update rules/macos/persistence_loginwindow_plist_modification.toml

* Update rules/macos/persistence_folder_action_scripts_runtime.toml

* Fix

* Fix

* Fix

* Update min stack comments

* Update rules/macos/persistence_credential_access_authorization_plugin_creation.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/macos/credential_access_promt_for_pwd_via_osascript.toml

* Update rules/macos/credential_access_suspicious_web_browser_sensitive_file_access.toml

* Update rules/macos/credential_access_systemkey_dumping.toml

* Update rules/macos/discovery_users_domain_built_in_commands.toml

* Update rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml

* Update rules/macos/persistence_finder_sync_plugin_pluginkit.toml

* Update rules/macos/privilege_escalation_local_user_added_to_admin.toml

* Update rules/macos/privilege_escalation_applescript_with_admin_privs.toml

* Update rules/macos/persistence_folder_action_scripts_runtime.toml

* Remove field

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

(cherry picked from commit 1fb58e1b61)
2024-05-11 17:59:28 +00:00
Jonhnathan 2e270cf78c [New Rule] Potential PowerShell HackTool Script by Author (#2472)
* [New Rule] Potential PowerShell HackTool Script by Author

* Update execution_posh_hacktool_authors.toml

* Update execution_posh_hacktool_authors.toml

* Update execution_posh_hacktool_authors.toml

* Apply suggestions from code review

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update execution_posh_hacktool_authors.toml

* Apply suggestions from code review

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update execution_posh_hacktool_authors.toml

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

(cherry picked from commit f85d7482fd)
2024-05-09 16:08:45 +00:00
Samirbous ae6bb88edb [Tuning] Component Object Model Hijacking (#3655)
* [Tuning] Component Object Model Hijacking

* Update rules/windows/persistence_suspicious_com_hijack_registry.toml

* Update persistence_suspicious_com_hijack_registry.toml

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

(cherry picked from commit 7a61070e08)
2024-05-08 16:52:11 +00:00
Samirbous 4bbb8c2642 [New] Ransomware over SMB (#3638)
* [New] Ransomware over SMB

* Update impact_ransomware_note_file_over_smb.toml

* Update impact_ransomware_file_rename_smb.toml

* ++

* Update impact_high_freq_file_renames_by_kernel.toml

* Update impact_high_freq_file_renames_by_kernel.toml

* Update impact_high_freq_file_renames_by_kernel.toml

* Update impact_ransomware_file_rename_smb.toml

* Update impact_ransomware_note_file_over_smb.toml

* Update impact_high_freq_file_renames_by_kernel.toml

(cherry picked from commit 4a2e2764cd)
2024-05-07 05:46:07 +00:00
Ruben Groenewoud d3faf0d0d6 [New Rule] Shell Configuration Modification (#3629)
* [New Rule] Shell Configuration Modification

* description update

* uuid update

* query update

* query update

* Update rules/linux/persistence_shell_configuration_modification.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

(cherry picked from commit e29994c338)
2024-04-30 11:48:38 +00:00
Ruben Groenewoud f7215a7ced [Rule Tuning] Linux DRs (#3628)
(cherry picked from commit 115c3a6dfd)
2024-04-30 11:33:56 +00:00
Samirbous 55a17e12db [New] Potential privilege escalation via CVE-2022-38028 (#3616)
* [New] Potential privilege escalation via CVE-2022-38028

https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/

* Update privilege_escalation_exploit_cve_202238028.toml

* Update privilege_escalation_exploit_cve_202238028.toml

* Update privilege_escalation_exploit_cve_202238028.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

(cherry picked from commit 8f6de1c235)
2024-04-29 14:18:06 +00:00
shashank-elastic 868ab80c63 Fix minstack version for O365 in Azure integration rules (#3612)
(cherry picked from commit 7673ba484d)
2024-04-22 13:55:15 +00:00
Terrance DeJesus bda38d6f27 updating performance note (#3608)
(cherry picked from commit 69d42ecc71)
2024-04-18 20:43:50 +00:00
Jonhnathan fea73c9686 [New Rule] Potential Windows Session Hijacking via CcmExec (#3602)
* [New Rule] Potential Windows Session Hijacking via CcmExec

* Update rules/windows/defense_evasion_sccm_scnotification_dll.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

(cherry picked from commit 6ae0902a38)
2024-04-18 16:05:03 +00:00
Jonhnathan 4562d694b0 [Rule Tuning] Further Tighten Up Elastic Defend Index Patterns (#3584)
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

(cherry picked from commit 5004ff115c)
2024-04-16 16:34:23 +00:00
Terrance DeJesus f3d95cccce adjust aws rule index patterns and tags (#3595)
(cherry picked from commit 74312797bf)
2024-04-16 14:16:36 +00:00
Jonhnathan e33d80804f [Rule Tuning] Windows BBR Promotion (#3577)
* [Rule Tuning] Windows BBR Promotion

* Update non-ecs-schema.json

* Update persistence_netsh_helper_dll.toml

* Update persistence_werfault_reflectdebugger.toml

* Update privilege_escalation_unquoted_service_path.toml

* Update defense_evasion_msdt_suspicious_diagcab.toml

* Update defense_evasion_suspicious_msiexec_execution.toml

* Update discovery_security_software_wmic.toml

* Revert "Update defense_evasion_msdt_suspicious_diagcab.toml"

This reverts commit 0e1f3ea3e18a146c421a5bda784633cca4a2b0c0.

* Revert "Update defense_evasion_suspicious_msiexec_execution.toml"

This reverts commit 4e26a167774ad712d19334a4c2c712cc1d550e7f.

* Revert "Update discovery_security_software_wmic.toml"

This reverts commit d638cec354a46cacab1e62596f4ad939a1d9c32a.

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

(cherry picked from commit c2d1586270)
2024-04-16 12:36:20 +00:00
Samirbous f291aa105d Update defense_evasion_untrusted_driver_loaded.toml (#3596)
excluding `errorCode_endpoint:*` status (noisy)

(cherry picked from commit 919a438257)
2024-04-15 14:00:51 +00:00
Samirbous 52e86dc8e8 [Tuning] Connection to Commonly Abused Web Services (#3587)
excluding top noisy patterns:

- Microsoft signed binaries connecting to graph.microsoft.com and sharepoint.com
- Slack, Dropbox and other signed binaries.
- github.com (removed), most abused is rawgithub dns.question.name for ingress-script/payload download

(cherry picked from commit 9692e59abb)
2024-04-11 11:18:52 +00:00
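The exclusion pattern described in the commit message above, as an added example that is not the rule's own EQL/KQL query: the idea is that a connection to a commonly abused web service is only interesting when the process is not the service vendor's own signed client, and that github.com itself drops out of the watched list while raw.githubusercontent.com stays in. The watched-domain list, the signer subject names, the ECS-style field layout and all sample events below are assumptions constructed for this example, not values taken from the rule file.

```python
"""Signer-aware allowlisting for 'commonly abused web service' network events.

Added example only. An event is suspicious when its DNS name falls under a
watched domain AND the process is not a trusted-signed binary from the vendor
that owns that domain. A Microsoft-signed binary is therefore excused for
graph.microsoft.com, but not for raw.githubusercontent.com, and a binary
that merely claims a vendor subject without a trusted signature is not
excused at all.
"""

# Assumption: github.com is deliberately absent; raw.githubusercontent.com,
# the host actually used for script/payload download, is kept.
WATCHED_DOMAINS = (
    "raw.githubusercontent.com",
    "pastebin.com",
    "graph.microsoft.com",
    "sharepoint.com",
    "slack.com",
    "dropbox.com",
)

# Assumption: vendor signer subjects that are allowed to talk to their own
# service. Suffix match on the domain, exact match on the signer.
VENDOR_SIGNERS = {
    "graph.microsoft.com": {"Microsoft Corporation", "Microsoft Windows"},
    "sharepoint.com": {"Microsoft Corporation", "Microsoft Windows"},
    "slack.com": {"Slack Technologies, Inc."},
    "dropbox.com": {"Dropbox, Inc"},
}


def _under(name, suffix):
    return name == suffix or name.endswith("." + suffix)


def watched_domain(dns_name):
    """Return the watched suffix that covers dns_name, or None."""
    name = dns_name.lower().rstrip(".")
    return next((d for d in WATCHED_DOMAINS if _under(name, d)), None)


def is_suspicious_webservice_connection(event):
    domain = watched_domain(event.get("dns.question.name", ""))
    if domain is None:
        return False
    sig = event.get("process.code_signature", {})
    # Only a *trusted* signature from the service's own vendor is excused;
    # an untrusted or spoofed subject name does not count.
    if sig.get("trusted") and sig.get("subject_name") in VENDOR_SIGNERS.get(domain, set()):
        return False
    return True


def triage(events):
    """Return 'process -> domain' strings for the events that survive the exclusions."""
    return [
        f"{ev['process.name']} -> {ev['dns.question.name']}"
        for ev in events
        if is_suspicious_webservice_connection(ev)
    ]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"process.name": "powershell.exe", "dns.question.name": "raw.githubusercontent.com",
     "process.code_signature": {"subject_name": "Microsoft Windows", "trusted": True}},
    {"process.name": "Teams.exe", "dns.question.name": "graph.microsoft.com",
     "process.code_signature": {"subject_name": "Microsoft Corporation", "trusted": True}},
    {"process.name": "slack.exe", "dns.question.name": "slack.com",
     "process.code_signature": {"subject_name": "Slack Technologies, Inc.", "trusted": True}},
    {"process.name": "updater.exe", "dns.question.name": "content.dropbox.com",
     "process.code_signature": {}},
    {"process.name": "curl.exe", "dns.question.name": "github.com",
     "process.code_signature": {}},
    {"process.name": "svc.exe", "dns.question.name": "contoso.sharepoint.com",
     "process.code_signature": {"subject_name": "Microsoft Corporation", "trusted": False}},
]

if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```

The two checks that matter for tuning are the `trusted` flag (a subject name alone is attacker-controlled) and the pairing of signer to domain: excluding every Microsoft-signed binary outright would also excuse PowerShell pulling a payload from raw.githubusercontent.com, which is exactly the case the rule exists to catch.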
Jonhnathan 74d428b09e [Rule Tuning] Svchost spawning Cmd (#3578)
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

(cherry picked from commit aa0cc42ff6)
2024-04-08 10:57:52 +00:00
Mirko Bez a6ea41cae0 Add filebeat-* index pattern to rules based on system.auth dataset (#3561)
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

(cherry picked from commit 153657029b)
2024-04-03 09:36:00 +00:00
shashank-elastic 4e88c2d024 Fix minstack version for O365 prod rules (#3565)
(cherry picked from commit 0e2eb5a84c)
2024-04-02 16:13:40 +00:00
Jonhnathan eca9b72a2c [Rule Tuning] First Time Seen Commonly Abused Remote Access Tool Execution (#3545)
* [Rule Tuning] First Time Seen Commonly Abused Remote Access Tool Execution

* Update command_and_control_new_terms_commonly_abused_rat_execution.toml

* Update command_and_control_new_terms_commonly_abused_rat_execution.toml

* Update command_and_control_new_terms_commonly_abused_rat_execution.toml

* Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

(cherry picked from commit 4ab7c9b178)
2024-04-02 14:15:05 +00:00
Samirbous 6cf92b25d3 [Tuning] Connection to Commonly Abused Web Services (#3425)
* Update command_and_control_common_webservices.toml

* Update command_and_control_common_webservices.toml

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

(cherry picked from commit 69173872da)
2024-04-02 13:49:39 +00:00