3588600d57
[Rule Tuning] 3 tunings to reduce FPs ( #3058 )
...
* [Rule Tuning] 2 tunings to reduce FPs back to 0
* Added one more tune for community issue #3041
* Update rules/linux/execution_abnormal_process_id_file_created.toml
* Update rules/linux/execution_abnormal_process_id_file_created.toml
2023-08-31 17:16:57 +02:00
2eaaf27f1e
[New Rule] Potential Disabling of AppArmor ( #3046 )
...
* [New Rule] Potential Disabling of AppArmor
* Update rules/linux/defense_evasion_disable_apparmor_attempt.toml
* Update rules/linux/defense_evasion_disable_apparmor_attempt.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-08-31 17:06:15 +02:00
d838a3352f
[New Rule] Binary Copied and/or Moved to Suspicious Directory ( #3048 )
...
* [New Rule] Binary Copied and/or Moved to sus dir
* Update rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-08-31 13:46:41 +02:00
a5b5d513af
[New Rule] Potential Sudo Privilege Escalation via CVE-2019-14287 ( #3057 )
...
* [New Rule] Sudo PE via CVE-2019-14287
* Added Elastic Defend Data Source tag
* Update rules/linux/privilege_escalation_sudo_cve_2019_14287.toml
* Update rules/linux/privilege_escalation_sudo_cve_2019_14287.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-08-31 13:11:34 +02:00
a395f54054
[New Rules] sus program compilation activity ( #3043 )
2023-08-31 09:30:56 +02:00
32abdb95f7
[New Rules] Linux Tunneling and Port Forwarding ( #3028 )
...
* Removed iodine rule due to new tunneling rule
* [New Rules] Linux Tunneling and Port Forwarding
* added ash
* Fixed description styling
* Changed rule name
* Update command_and_control_linux_suspicious_proxychains_activity.toml
* Added deprecation note & name change
* Changed deprecation status
* Removed deprecation date
* Fixed unit testing
* Update rules_building_block/command_and_control_linux_ssh_x11_forwarding.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-08-30 22:12:19 +02:00
41a7a36817
Tune rule for new DLL written to Windows Servicing ( #3062 )
2023-08-30 13:51:23 -03:00
6d7df50d78
[New Rule] Suspicious WMI Event Subscription Created ( #1860 )
...
* Suspicious WMI Event Subscription Initial rule
* Use EQL sequence
* Update non-ecs-schema
* Update persistence_sysmon_wmi_event_subscription.toml
* update description
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* update query too look for even code 21 only
* update to case sensitive compare
* Update rules/windows/persistence_sysmon_wmi_event_subscription.toml
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
* Update persistence_sysmon_wmi_event_subscription.toml
* Update non-ecs-schema.json
* Update rules/windows/persistence_sysmon_wmi_event_subscription.toml
* Update non-ecs-schema.json
* Update persistence_sysmon_wmi_event_subscription.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2023-08-29 16:42:19 -03:00
7004c99ef5
[New Rule] Unusual Process For MSSQL Service Accounts ( #3040 )
...
* [New Rule] Unusual Process For MSSQL Service Accounts
* Update initial_access_unusual_process_sql_accounts.toml
* Update initial_access_unusual_process_sql_accounts.toml
* Update collection_archive_data_zip_imageload.toml
* Update persistence_via_xp_cmdshell_mssql_stored_procedure.toml
* Update initial_access_unusual_process_sql_accounts.toml
* Update rules_building_block/initial_access_unusual_process_sql_accounts.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Update persistence_via_xp_cmdshell_mssql_stored_procedure.toml
added "vpnbridge.exe", "certutil.exe" and "bitsadmin.exe" to rule scope.
* Update persistence_via_xp_cmdshell_mssql_stored_procedure.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2023-08-29 09:10:25 -03:00
22931d6afb
Update credential_access_lsass_openprocess_api.toml ( #3047 )
2023-08-28 16:22:08 +01:00
de32287889
[Rule Tuning] High Number of Process and/or Service Terminations ( #2940 )
2023-08-25 19:19:25 -03:00
a1716bd673
[Rule Tuning] Several rule tunings ( #3024 )
...
* [Rule Tuning] Several rule tunings
* Added 1 more
* optimized ransomware encryption rules
* Update rules/linux/impact_potential_linux_ransomware_file_encryption.toml
* Update rules/linux/impact_potential_linux_ransomware_note_detected.toml
* Added 2 more tunings based on todays telemetry
* Some tunings
* Tuning
* Tuning
* fixed user.id comparison
* Something went wrong with deprecation
* Something went wrong with deprecation
* Update rules/linux/impact_potential_linux_ransomware_file_encryption.toml
* Update rules/linux/discovery_linux_nping_activity.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/discovery_linux_hping_activity.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Dedeprecated the rule to deprecate later
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-08-25 14:03:29 +02:00
17d0e5cda8
[Rule Tuning] Threat Intel Hash Indicator Match ( #3031 )
...
* Remove impash matches due to rate of false positives
* Update rules/cross-platform/threat_intel_indicator_match_hash.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2023-08-25 06:21:16 -03:00
9482bda414
Adding related integrations to ML rules ( #2972 )
...
* Adding related integrations to ML rules
* added adjustments to determine related integrations for ML rules
* fixed lint errors
* Empty commit
* Empty commit
* Empty commit
---------
Co-authored-by: Apoorva Joshi <apoorvajoshi@Apoorvas-MBP.lan >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co >
Co-authored-by: Apoorva Joshi <apoorvajoshi@Apoorvas-MBP.fritz.box >
2023-08-22 14:39:18 -04:00
2ddcf7817e
[Rule Tuning] Ignore Windows Update MpSigStub.exe for Parent Process PID Spoofing ( #3025 )
...
* adding tuning to ignore windows update
* Update privilege_escalation_via_ppid_spoofing.toml
* Update privilege_escalation_via_ppid_spoofing.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-08-22 13:04:25 -04:00
0c3b251208
[Rule Tuning] PowerShell Keylogging Script ( #3023 )
2023-08-22 07:45:00 -03:00
5e801b2edf
[Tuning] Improve Performance ( #2953 )
...
* [Tuning] Improve Performance
Remote Computer Account DnsHostName Update : sequence not needed, removed auth event to improve rule execution time.
Potential Remote Credential Access via Registry : removed sequence, since user.id is reported as std user SID (svchost is impersonating a remote user), and reduced file.path to known bad (based on observed TPs)
* Update privilege_escalation_suspicious_dnshostname_update.toml
* ++
* ++
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-08-21 16:23:34 +01:00
4f33a40f48
[Bug] Duplicate tag on Okta rule ( #3020 )
...
* Fix double tag on rule
* fixed all rules; added unit test
---------
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2023-08-21 10:42:47 -04:00
72f15dda6a
[New Rule] PowerShell Kerberos Ticket Dump ( #2967 )
...
* [New Rule] PowerShell Kerberos Ticket Dump
* Update rules/windows/credential_access_posh_kerb_ticket_dump.toml
* Update rules/windows/credential_access_posh_kerb_ticket_dump.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-08-20 17:29:16 -03:00
b5e011a892
[Rule Tuning] Privileges Elevation via Parent Process PID Spoofing ( #2873 )
...
* Update privilege_escalation_via_ppid_spoofing.toml
* Update privilege_escalation_via_ppid_spoofing.toml
* bump date
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-08-17 13:52:26 -03:00
9144dc0448
[New Rule] Building Block Rules - Part 2 ( #2923 )
...
* [New Rule] Building Block Rules - Part 2
* .
* Update rules_building_block/defense_evasion_dll_hijack.toml
* Update rules_building_block/defense_evasion_file_permission_modification.toml
* Update rules_building_block/discovery_posh_password_policy.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-08-17 13:00:50 -03:00
96e50be5a6
[Rule Tuning] Potential Masquerading as Communication Apps ( #2997 )
...
* [Rule Tuning] Potential Masquerading as Communication Apps
* Update defense_evasion_masquerading_communication_apps.toml
* Update persistence_run_key_and_startup_broad.toml
* CI
* Revert "CI"
This reverts commit f43d9388dadb158d6cb63e84d2f1edcf2162bfb0.
2023-08-16 09:34:21 -03:00
e938ed28a0
[Rule Tuning] added additional event action ( #3008 )
2023-08-10 16:59:07 +02:00
f500cec497
fixing typo in 127.0.0.1 address ( #3004 )
2023-08-08 17:06:26 +02:00
4cbfd7c4ae
[Rule Tuning] Restricted Shell Breakout ( #2999 )
2023-08-04 19:30:18 +02:00
e904ebb760
[New Rule] PE via Container Misconfiguration ( #2983 )
...
* [New Rule] PE via Container Misconfiguration
* fixed boolean comparison unit test error
* Update privilege_escalation_container_util_misconfiguration.toml
* Update rules/linux/privilege_escalation_container_util_misconfiguration.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
2023-08-04 16:39:40 +02:00
ef49709c7d
[New Rules] Linux Wildcard Injection ( #2973 )
...
* [New Rules] Linux Wildcard Injection
* Update rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml
* Update rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-08-04 16:32:34 +02:00
c6eba3e4e6
[New Rule] Suspicious Symbolic Link Created ( #2969 )
...
* [New Rule] Suspicious Symbolic Link Created
* Update rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* fixed unit testing issues after suggestion commit
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-08-03 23:23:23 +02:00
4bcec3397c
[New Rule] Potential Suspicious DebugFS Root Device Access ( #2982 )
...
* [New Rule] Potential DebugFS Privilege Escalation
* Changed rule name
* Update rules/linux/privilege_escalation_sda_disk_mount_non_root.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-08-03 16:13:34 +02:00
207d94e51c
[New Rule] Potential Sudo Token Manipulation via Process Injection ( #2984 )
...
* [New Rule] Sudo Token Access via Process Injection
* [New Rule] Sudo Token Manipulation via Proc Inject
* Update rules/linux/privilege_escalation_sudo_token_via_process_injection.toml
* Update privilege_escalation_sudo_token_via_process_injection.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-08-03 15:58:25 +02:00
7cc841cc87
[New Rule] PE via UID INT_MAX Bug ( #2971 )
...
* [New Rule] PE via UID INT_MAX Bug
* changed file name
* Should be more decisive
* fix
* Update rules/linux/privilege_escalation_linux_uid_int_max_bug.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules/linux/privilege_escalation_linux_uid_int_max_bug.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules/linux/privilege_escalation_linux_uid_int_max_bug.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-08-03 15:51:06 +02:00
a7ff449fbc
[Rule Tuning] Some Tunings of several 8.9 rules ( #2985 )
...
* [Rule Tuning] Doing some quick tunings
* updated_date bump
* Update rules/linux/discovery_linux_modprobe_enumeration.toml
* Update rules/linux/discovery_linux_modprobe_enumeration.toml
* Update rules/linux/discovery_linux_sysctl_enumeration.toml
* Update rules/linux/persistence_init_d_file_creation.toml
* Update rules/linux/persistence_rc_script_creation.toml
* Update rules/linux/persistence_shared_object_creation.toml
* deprecate rule
* deprecate rule
* Update execution_abnormal_process_id_file_created.toml
* Update discovery_kernel_module_enumeration_via_proc.toml
* Update discovery_linux_modprobe_enumeration.toml
* Update execution_remote_code_execution_via_postgresql.toml
* Update discovery_potential_syn_port_scan_detected.toml
* Added 2 tunings, sorry I missed those..
* One more tune
* Update discovery_suspicious_proc_enumeration.toml
2023-08-03 15:25:33 +02:00
03110fb24c
[New Rule] SUID/SGUID Enumeration Detected ( #2956 )
...
* [New Rule] SUID/SGUID Enumeration Detected
* Remove endgame compatibility
* readded endgame support after troubleshooting
* Update discovery_suid_sguid_enumeration.toml
* Update rules/linux/discovery_suid_sguid_enumeration.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
2023-08-03 09:57:30 +02:00
716b621af2
[New Rule] Potential Sudo Hijacking Detected ( #2966 )
...
* [New Rule] Potential Sudo Hijacking Detected
* Update privilege_escalation_sudo_hijacking.toml
2023-08-03 09:49:14 +02:00
18c2214956
[New Rule] Sudo Command Enumeration Detected ( #2946 )
...
* [New Rule] Sudo Command Enumeration Detected
* Update discovery_sudo_allowed_command_enumeration.toml
* revert endgame support due to unit testing fail
* Update discovery_sudo_allowed_command_enumeration.toml
* Update discovery_sudo_allowed_command_enumeration.toml
* Update rules/linux/discovery_sudo_allowed_command_enumeration.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules/linux/discovery_sudo_allowed_command_enumeration.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
2023-08-03 09:39:16 +02:00
b8bb2da932
[New Rule] Potential Privilege Escalation via OverlayFS ( #2974 )
...
* [New Rule] Privilege Escalation via OverlayFS
* Layout change
* Revert "[New Rule] Privilege Escalation via OverlayFS"
This reverts commit f3262d179bc5f54ae5380ffa50d67041fb141c26.
* Made rule broader
* Update privilege_escalation_overlayfs_local_privesc.toml
* Update rules/linux/privilege_escalation_overlayfs_local_privesc.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules/linux/privilege_escalation_overlayfs_local_privesc.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules/linux/privilege_escalation_overlayfs_local_privesc.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules/linux/privilege_escalation_overlayfs_local_privesc.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules/linux/privilege_escalation_overlayfs_local_privesc.toml
* Update user.id to strings
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
2023-07-31 19:15:11 +02:00
1e769c51b6
Tune Unusual File Activity ADS for Teams weblogs ( #2929 )
...
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-07-31 10:41:31 -03:00
9387a081bc
[Security Content] Add Investigation Guides to Threat Intel rules ( #2827 )
...
* [Proposal] [DRAFT] Break Threat Intel Indicator Match rules into Indicator-type rules
* .
* Update threat_intel_indicator_match_hash.toml
* Update to include expiring rules, exclude expiring indexes
* .
* Apply suggestions from code review
* Push changes
* Update pyproject.toml
* Revert "Update pyproject.toml"
This reverts commit 17cfafbd96f337df756d87909d2478545ac9efe7.
* Update pyproject.toml
* Update integration-schemas.json.gz
* Revert "Update integration-schemas.json.gz"
This reverts commit 7dc19b7ccbf41f34b94d02b0ed702bd83df82f9d.
* Revert integrations-manifests to the one from main
* Fix maturity
* Update Name
* Update ignore_ids with the indicator rules guid
* Update rules/cross-platform/threat_intel_indicator_match_registry_expiring.toml
* Update rules/cross-platform/threat_intel_indicator_match_address_expiring.toml
* Update rules/cross-platform/threat_intel_indicator_match_hash_expiring.toml
* Update rules/cross-platform/threat_intel_indicator_match_url_expiring.toml
* Make changes to use labels
* Update non-ecs-schema.json
* Update rules/cross-platform/threat_intel_fleet_integrations.toml
* Apply suggestions from code review
* Backport to 8.5
* [Security Content] Add Investigation Guides to Threat Intel rules
* Fix Rule threat filters, add tags, and compatibility with process and dll fields for hash indicators
* Update threat_intel_indicator_match_hash.toml
* Update threat_intel_indicator_match_url.toml
* Update threat_intel_indicator_match_url.toml
* Apply suggestions from review, adds Setup guide
* Apply suggestions from code review
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com >
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com >
2023-07-27 11:30:14 -03:00
bbb24704b6
[New Rule] PE through Writable Docker Socket ( #2958 )
...
* [New Rule] PE through Writable Docker Socket
* simplified query
* Update privilege_escalation_writable_docker_socket.toml
* Update privilege_escalation_writable_docker_socket.toml
* Update rules/linux/privilege_escalation_writable_docker_socket.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-07-27 10:01:29 +02:00
0666b594c6
[New Rule] Linux Local Account Brute Force ( #2965 )
2023-07-27 09:43:53 +02:00
0ff50acfd2
[Rule Tuning] Tune Threat Indicator Match Rules ( #2957 )
...
* [Rule Tuning] Tune Threat Indicator Match Rules
* Update threat_intel_indicator_match_url.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-07-26 15:12:28 -03:00
b330cf9438
[New Rule] Pspy Process Monitoring Detected ( #2945 )
...
* [New Rule] Pspy Process Monitoring Detected
* Update rules/linux/discovery_pspy_process_monitoring_detected.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/discovery_pspy_process_monitoring_detected.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/discovery_pspy_process_monitoring_detected.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-07-26 15:58:33 +02:00
6527eb0500
Rule Tuning File Permission Modification in Writable Directory ( #2961 )
2023-07-26 17:47:00 +05:30
d0d99829a2
Correct misspelling of AppDara to AppData ( #2952 )
...
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-07-26 08:10:03 -03:00
056db6003e
[Security Content] Added Compatibility note to all IGs ( #2943 )
...
* added investigation guide note
* added ig notes
* Update rules/linux/persistence_init_d_file_creation.toml
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com >
* implemented note feedback
* Update rules/linux/persistence_init_d_file_creation.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-07-26 12:54:50 +02:00
dbd7ed65a9
[Tuning] Reverse Shell Rules ( #2959 )
...
* [Rule Tuning] Reverse Shell Rule destination.ip tuning
* Updated updated_date
2023-07-25 14:55:56 +02:00
8de2684498
[Security Content] Add Investigation Guides to Linux DRs 8.9 ( #2868 )
...
* [Investigation Guide] 10 new Linux IG's 8.9
* Added 4 more IG tags
* Update rules/linux/persistence_init_d_file_creation.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/linux/persistence_init_d_file_creation.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/linux/persistence_init_d_file_creation.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/linux/persistence_init_d_file_creation.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/linux/persistence_init_d_file_creation.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/linux/persistence_rc_script_creation.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/linux/persistence_rc_script_creation.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/linux/persistence_systemd_scheduled_timer_created.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/linux/persistence_systemd_scheduled_timer_created.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/linux/persistence_systemd_scheduled_timer_created.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/linux/persistence_init_d_file_creation.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/linux/persistence_linux_backdoor_user_creation.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/linux/persistence_linux_backdoor_user_creation.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/linux/persistence_linux_backdoor_user_creation.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/linux/persistence_linux_shell_activity_via_web_server.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/linux/persistence_linux_user_account_creation.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/linux/persistence_linux_user_added_to_privileged_group.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/linux/persistence_message_of_the_day_creation.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/linux/persistence_message_of_the_day_creation.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/linux/persistence_message_of_the_day_creation.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/linux/persistence_message_of_the_day_execution.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/linux/persistence_message_of_the_day_execution.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/linux/persistence_rc_script_creation.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/linux/persistence_rc_script_creation.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/linux/persistence_rc_script_creation.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/linux/persistence_message_of_the_day_execution.toml
* Update rules/linux/persistence_init_d_file_creation.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/persistence_init_d_file_creation.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/persistence_linux_shell_activity_via_web_server.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/persistence_rc_script_creation.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/persistence_systemd_scheduled_timer_created.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/persistence_systemd_scheduled_timer_created.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* implemented feedback
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-07-19 17:13:24 +02:00
97d429e314
[New] Suspicious Microsoft 365 Mail Access by ClientAppId ( #2933 )
...
* [New] Suspicious Microsoft 365 Mail Access by ClientAppId
Using New Term rule type identifies when a Microsoft 365 Mailbox is accessed by a ClientAppId that was observed for the fist time during the last 10 days.
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-193a
https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-o365.html
* Update initial_access_microsoft_365_abnormal_clientappid.toml
* Update initial_access_microsoft_365_abnormal_clientappid.toml
2023-07-19 16:05:13 +01:00
5e714e01e6
[Security Content] Add Windows Investigation Guides ( #2825 )
...
* [Security Content] Add Windows Investigation Guides
* Apply suggestions from code review
Co-authored-by: Joe Peeples <joe.peeples@elastic.co >
* Add IG Tag
* Apply suggestions from code review
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
---------
Co-authored-by: Joe Peeples <joe.peeples@elastic.co >
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
2023-07-19 08:07:01 -03:00
d1491c3ce1
[Rule Tuning] Threat Intel URL Indicator Match ( #2902 )
...
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2023-07-18 20:21:15 -03:00
Ruben Groenewoud