* Refresh beats and ecs schemas and default to use latest to validate
* remove incorrect ecs_version from zoom rule
* remove stale ecs_version from rules
* Adds timeline_id to all network rules
- Uses the ID for the 'Generic Network Timeline' from Elastic
* Adds timeline_id to all endpoint rules
- Uses the ID for the 'Generic Endpoint Timeline' from Elastic
* Adds timeline_id to all process-oriented rules
- Uses the ID for the 'Generic Process Timeline' from Elastic
* Ran tests and toml-lint
* Bumped 'updated_date'
* Create persistence_azure_pim_user_added_global_admin.toml
* tweak syntax for readability
* Update additional rule name to match the others' naming convention
* Delete defense_evasion_azure_diagnostic_settings_deletion.toml
* tweak rule name
* Update rules/azure/persistence_azure_pim_user_added_global_admin.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/azure/persistence_azure_pim_user_added_global_admin.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* update description and lint
* small naming tweak for consistency
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* update event.category for azure rules
* update updated_date field
* update name to include Azure
* Update persistence_user_added_as_owner_for_azure_service_principal.toml
* refresh to latest ATT&CK 7.2
* add new unit test to further validate threat mappings
* updated threat mappings in rules to reflect changes
* new func to download and refresh mitre data based on version
* new-rule-azure-conditional-access-policy-modified
* Update rules/azure/defense_evasion_azure_conditional_access_policy_modified.toml
Update maturity to production
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/azure/defense_evasion_azure_conditional_access_policy_modified.toml
* Update query to include result value
* Update rules/azure/defense_evasion_azure_conditional_access_policy_modified.toml
* Update query to search both the Azure audit logs and activity logs
* Optimize formatting of query
* Tweak consent grant attack rule
Amending the query in the rule "Possible Consent Grant Attack via Azure-Registered Application" to search both the Azure activity and audit logs
* Tweak formatting of query to improve Brent's happiness level
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* new-rule-illicit-consent-grant-attack
* Update initial_access_consent_grant_attack_via_azure_registered_application.toml
Move detailed info and investigation notes to notes field
* Update query to include result field
* Update rules/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml
* new-rule-azure-automation-account-created
* Fix rule name format 😄
* Update rules/azure/persistence_azure_automation_account_created.toml
Update maturity to production
* Update rules/azure/persistence_azure_automation_account_created.toml
Update ecs_version to 1.6.0
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>