security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
2,108 Commits 1 Branch 0 Tags
461e72cf9c4e1dbf7d53e131fedce5e18a37fa5c
Commit Graph

150 Commits

Author SHA1 Message Date
ar3diu e027efeb53 [Rule Tuning] Suspicious Inter-Process Communication via Outlook #3803 (#3806) 
* Add "by host.id" argument to the sequence command in the rule query.

* Update collection_email_outlook_mailbox_via_com.toml

* Update non-ecs-schema.json

---------

Co-authored-by: Andrei Rediu <andrei.rediu@bit-sentinel.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

(cherry picked from commit 5048bc26bd)
 2024-07-03 14:42:12 +00:00
Terrance DeJesus 0b808211f6 [New Rule] Entra ID Device Code Auth with Broker Client (#3819) 
* new rule 'Entra ID Device Code Auth with Broker Client'

* updated azure integration, non-ecs updated, rule date updated

* updates tags

* updated query to add Azure activity logs

* merging in main

* updated azure manifest and schemas

* updated azure manifest and schemas

* updated index map for summary and changelog

* removed string imports

* reverting packaging.py updates

* adjusted query

* adjusted query to be more optimized

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>

(cherry picked from commit 99a4d629c9)
 2024-07-01 14:34:42 +00:00
github-actions[bot] a1b34e0211 Lock versions for releases: 8.9,8.10,8.11,8.12,8.13,8.14 (#3845) 
(cherry picked from commit aef9fe8ec4)
 2024-06-28 12:22:41 +00:00
Jonhnathan 8bab0df7bf [Rule Tuning] Add Initial Microsoft Defender for Endpoint Compatibility to Windows DRs (#3825) 
* [Rule Tuning] Add Initial Microsoft Defender for Endpoint Compatibility to Windows DRs

* .

* Update integration-schemas.json.gz

* Fix integration manifests

Removed changes from:
- rules/windows/collection_email_powershell_exchange_mailbox.toml
- rules/windows/command_and_control_rdp_tunnel_plink.toml
- rules/windows/command_and_control_screenconnect_childproc.toml
- rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
- rules/windows/credential_access_kirbi_file.toml
- rules/windows/defense_evasion_amsi_bypass_dllhijack.toml
- rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml
- rules/windows/defense_evasion_suspicious_zoom_child_process.toml
- rules/windows/execution_command_shell_started_by_unusual_process.toml
- rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
- rules/windows/persistence_adobe_hijack_persistence.toml
- rules/windows/persistence_appcertdlls_registry.toml
- rules/windows/persistence_system_shells_via_services.toml

(selectively cherry picked from commit 54d5b442cf)
 2024-06-26 14:09:43 +00:00
github-actions[bot] 30f5784613 Lock versions for releases: 8.9,8.10,8.11,8.12,8.13,8.14 (#3821) 
(cherry picked from commit 6f43d1f535)
 2024-06-25 12:31:41 +00:00
Terrance DeJesus 37ea64baf4 [New Rule] Rapid7 Threat Command CVEs Correlation (#3718) 
* new rule 'Rapid7 Threat Command CVEs Correlation'

* Update rules/threat_intel/threat_intel_rapid7_threat_command.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* updated threat index and tags

* changed 'indicator match' to 'threat match' for tags

* removed timeline

* updating integrations to match main

* re-adding rapid7 threat command integration manifest and schema

* reverting changes; removing timeline

* changed max signals to 10000

---------

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

(cherry picked from commit 020ca4be24)
 2024-06-12 22:04:56 +00:00
github-actions[bot] 24d79f230e Lock versions for releases: 8.9,8.10,8.11,8.12,8.13,8.14 (#3778) 
(cherry picked from commit e3a72c6c47)
 2024-06-11 15:30:13 +00:00
Ruben Groenewoud d26951d94e [New Rule] Suspicious File Modification (#3746) 
* [New Rule] Suspicious File Modification

* Update persistence_suspicious_file_modifications.toml

* Update rules/linux/persistence_suspicious_file_modifications.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/linux/persistence_suspicious_file_modifications.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Updates

* Update rules/integrations/fim/persistence_suspicious_file_modifications.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

(cherry picked from commit ec223a4a05)
 2024-06-11 11:06:39 +00:00
shashank-elastic 06660cb2e1 Refresh MITRE Attack v15.1.0 (#3725) 
(cherry picked from commit e357a2c050)
 2024-06-04 14:48:18 +00:00
github-actions[bot] 5839b408ca Lock versions for releases: 8.9,8.10,8.11,8.12,8.13,8.14 (#3716) 
(cherry picked from commit 259bab7a5a)
 2024-05-29 14:21:29 +00:00
Terrance DeJesus 2691273c93 [New Rule] AWS EC2 VPC Security Group Rule Added for Any Address or Remote Access Ports (#3599) 
* new rule 'AWS EC2 VPC Security Group Rule Added for Any Address or Remote Access Ports'

* updated rule name

* changed file name; added false-positive note

* changed rule UUID

* adjusted file name

* updated tags

* added investigation guide; updated query logic

* Update rules/integrations/aws/defense_evasion_vpc_security_group_ingress_rule_added_for_remote_connections.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* updated query and name

* updated query optimization

---------

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

(cherry picked from commit 527f785a60)
 2024-05-28 14:52:40 +00:00
shashank-elastic 18fcd83683 Back-porting Version Trimming (#3704) 
(cherry picked from commit 63e91c2f12)
 2024-05-22 19:18:10 +00:00
Jonhnathan 0ab70f13a4 [Rule Tuning] Add Initial SentinelOne Compatibility to Windows DRs (#3627) 
* [Rule Tuning] Add Initial SentinelOne Compatibility

* updated definitions.py; updated tags; fixed unit tests

* added prerelease versions for s1 integration; updated build CLI commands to allow prerelease; bumped min-stacks

* updating manifests and integrations

* fixing flake errors

* min_stack

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

(cherry picked from commit d023ad66b1)
 2024-05-20 12:59:37 +00:00
Mika Ayenson 06ef471c39 [FR] Normalize yml ext to yaml (#3675) 2024-05-15 17:08:01 -05:00
Mika Ayenson 2d96f10725 [FR] Normalize yml ext to yaml (#3675) 
Removed changes from:
- detection_rules/etc/packages.yml

(selectively cherry picked from commit 79f575b33c)
 2024-05-15 20:27:01 +00:00
github-actions[bot] ed48d9fd57 Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13,8.14 (#3676) 
(cherry picked from commit f3585da503)
 2024-05-15 11:41:56 +00:00
shashank-elastic 891da3623d Prepare For Next Elastic Stack 8.15 (#3670) 
Removed changes from:
- detection_rules/etc/packages.yml

(selectively cherry picked from commit 50a8b52cd5)
 2024-05-14 19:10:09 +00:00
Mika Ayenson 33e44b29fc [FR] Bundle KQL & Kibana libs into base dependencies (#3662) 
(cherry picked from commit 78837549e8)
 2024-05-13 19:36:55 +00:00
github-actions[bot] 947e8fd965 Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13 (#3650) 
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13

* Bumping status checks

* undo bump

---------

Co-authored-by: eric-forte-elastic <eric-forte-elastic@users.noreply.github.com>
Co-authored-by: eric-forte-elastic <eric.forte@elastic.co>

(cherry picked from commit 84437bac03)
 2024-05-06 16:52:30 +00:00
github-actions[bot] 809279b62b Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13 (#3630) 
(cherry picked from commit ca78f550fd)
 2024-04-30 12:43:58 +00:00
Justin Ibarra 09a7e2e81b Refresh Kibana module with API updates (#3466) 
* Refresh Kibana module with API updates
* add import/export commands
* rename repo commands
* add RawRuleCollection and DictRule objects
* save exported rules to files; rule.from_rule_resource
* strip unknown fields in schema
* add remote cli test
* update docs
* bump kibana lib version

---------

Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>

(cherry picked from commit c567d3731a)
 2024-04-26 17:20:37 +00:00
github-actions[bot] dfd261590b Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13 (#3615) 
(cherry picked from commit 374f21fbc4)
 2024-04-23 12:36:46 +00:00
Jonhnathan 608a0ff0c2 [Rule Tuning] Windows BBR Rule Tuning - 1 (#3579) 
* [Rule Tuning] Windows BBR Rule Tuning - 1

* Update non-ecs-schema.json

* Update rules_building_block/command_and_control_certutil_network_connection.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules_building_block/collection_common_compressed_archived_file.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update defense_evasion_dll_hijack.toml

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

(cherry picked from commit d0dfa479bb)
 2024-04-08 13:46:29 +00:00
Terrance DeJesus a2cb089d12 updated to v14.0 mitre ATT&CK (#3289) 
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>

(cherry picked from commit 0cb42983c1)
 2024-04-05 18:38:20 +00:00
github-actions[bot] 112ae41cd3 Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13 (#3567) 
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13

* Update detection_rules/etc/deprecated_rules.json

---------

Co-authored-by: shashank-elastic <shashank-elastic@users.noreply.github.com>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>

(cherry picked from commit 8d5bd3b0f6)
 2024-04-02 18:37:42 +00:00
github-actions[bot] dda6a33f70 Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13 (#3526) 
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13

* Update detection_rules/etc/deprecated_rules.json

---------

Co-authored-by: shashank-elastic <shashank-elastic@users.noreply.github.com>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>

(cherry picked from commit eaf4658620)
 2024-03-21 15:09:40 +00:00
Mika Ayenson edf52a578c [FR] Update Python Dependency Versions (#3515) 
(cherry picked from commit 5c3523954e)
 2024-03-19 19:15:12 +00:00
github-actions[bot] 59812dac4e Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13 (#3491) 
(cherry picked from commit bf3932f384)
 2024-03-06 17:45:52 +00:00
shashank-elastic 7043173371 Prepare For Next Elastic Stack Minor Release (#3490) 
Removed changes from:
- detection_rules/etc/packages.yml

(selectively cherry picked from commit a4094df732)
 2024-03-06 16:03:19 +00:00
github-actions[bot] c772b2a842 Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12 (#3459) 
(cherry picked from commit 7815d23110)
 2024-02-20 17:32:25 +00:00
github-actions[bot] 10d36f6872 Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12 (#3431) 
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12

* Update detection_rules/etc/version.lock.json

* updated downloadable updates file to reconcile changes

* Removed spacing from downloadable updates file

---------

Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

(cherry picked from commit 827dfa7327)
 2024-02-06 19:54:15 +00:00
github-actions[bot] df82c11b4a Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12 (#3402) 
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12

* Update detection_rules/etc/version.lock.json

---------

Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

(cherry picked from commit d093336125)
 2024-01-23 21:42:17 +00:00
Isai cfb4f1a013 [New Rules] UEBA GItHub BBRs and Rules (#3174) 
* [New Rules] UEBA GItHub BBRs and Rules

A new set of BBRs and rules that will be used to trigger new UEBA GitHub threshold Rules.

* Update rules/integrations/github/impact_github_member_removed_from_organization.toml

* Apply suggestions from code review

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* edited BBR rules

-removed newly added member rule

* updated integration manifests and schemas

* Updated min_stack for some rules based on newest GitHub integration schema manifest

* testing min_stack bump to 8.8 for new fields

* removing offending rule to troubleshoot seperately

* added UEBA tags and created UEBA threshold rule

* updated non-ecs-schema to add signal.rule.tags

* updated non-ecs-schema with kibana.alert.workflow_status

* updated rule.threat.tactic

* added user.name to non-ecs-schema

* added quotes to kibana.alert.workflow_status value

* removed trailing space from rule name

* update tags and optimize query for UEBA threshold rule

* removed integration field from Higher-Order rule

* Apply suggestions from code review

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* adjusted new_terms order and rule types based on review feedback

* Apply suggestions from code review

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* remove user.name from detection_rules/etc/non-ecs-schema.json

* fix json formatting

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

(cherry picked from commit 442435830f)
 2024-01-22 17:53:42 +00:00
github-actions[bot] b319d0e68b Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12 (#3358) 
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12

* Update detection_rules/etc/deprecated_rules.json

---------

Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

(cherry picked from commit f37d13f29b)
 2024-01-02 17:30:46 +00:00
Samirbous 389ac555e2 [Tuning] Remote Scheduled Task Creation (#3337) 
* Update non-ecs-schema.json
* add timestamp override

---------

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

(cherry picked from commit 07b952b7bc)
 2023-12-14 23:45:08 +00:00
github-actions[bot] 69f9bb416d Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12 (#3319) 
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12

* Update detection_rules/etc/version.lock.json

---------

Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

(cherry picked from commit a39a52360a)
 2023-12-12 18:28:19 +00:00
Terrance DeJesus 7b7ca3fdc9 [New Rule] Adding Detection for Stolen Credentials Used to Login to Okta Account After MFA Reset (#3265) 
* adding new rule 'Stolen Credentials Used to Login to Okta Account After MFA Reset'

* updated non-ecs; linted rule; updated description

* adjusted interval and maxspan

* Update rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

(cherry picked from commit 93d71acb91)
 2023-12-12 15:37:32 +00:00
Eric Forte 908168725a [FR] 8.12 Release Preparation update Main Branch to 8.13 (#3313) 
* 8.12 Release Prep update Main Branch to 8.13

* Fix typo in integrations

* Updated Schemas

Removed changes from:
- detection_rules/etc/packages.yml

(selectively cherry picked from commit 90a2043bc4)
 2023-12-11 20:03:26 +00:00
github-actions[bot] 1d05f49436 Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11 (#3291) 
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11

* Update detection_rules/etc/version.lock.json

---------

Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

(cherry picked from commit ba7b2722c2)
 2023-11-28 17:35:57 +00:00
github-actions[bot] b342660c3a Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11 (#3270) 
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11

* Update detection_rules/etc/version.lock.json

---------

Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

(cherry picked from commit 9195eedb9c)
 2023-11-13 19:51:15 +00:00
Apoorva Joshi 9191b3e9f1 [New Rule] Adding Beaconing Rules from Advanced Analytic Beaconing Package (#3128) 
* Adding beaconing rules

* Update rules/integrations/beaconing/command_and_control_beaconing_high_confidence.toml

Co-authored-by: Kirti Sodhi <109447885+sodhikirti07@users.noreply.github.com>

* Update rules/integrations/beaconing/command_and_control_beaconing.toml

Co-authored-by: Kirti Sodhi <109447885+sodhikirti07@users.noreply.github.com>

* Updating min stack version

* added beaconing to manifests and schemas; updated rules

---------

Co-authored-by: Kirti Sodhi <109447885+sodhikirti07@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

(cherry picked from commit a4f9cf4616)
 2023-10-30 14:12:37 +00:00
github-actions[bot] 38bc110dc5 Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11 (#3223) 
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11

* Update detection_rules/etc/deprecated_rules.json

---------

Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

(cherry picked from commit ab6f28a380)
 2023-10-24 18:07:33 +00:00
github-actions[bot] 2062c6c33b Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11 (#3183) 
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11

* Update detection_rules/etc/version.lock.json

---------

Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

(cherry picked from commit 2b0735024e)
 2023-10-13 19:17:13 +00:00
Terrance DeJesus 96bc049852 [FR] 8.11 Release Preparation and Update Main Branch to 8.12 (#3182) 
* prepping for 8.12 branch

* added ananlytic manifests and schemas

* fix linting issues

* updated analytic package manifests and schemas

Removed changes from:
- detection_rules/etc/packages.yml

(selectively cherry picked from commit b4f8fc3290)
 2023-10-13 17:43:55 +00:00
Terrance DeJesus 1e514afa57 [New Rule] Migrate Lateral Movement Detection Rules (#3175) 
* adding LMD rules

* added setup note; updated references

* adds 2.0.0 lmd manifest and schema

* adjusted min-stack for non-ML rules
 2023-10-12 15:02:19 -04:00
Terrance DeJesus 3e212e2b74 [FR] Add ML Jobs to Schemas and Unit Test for Validation (#3161) 
* adding machine learning job id validation

* Update rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml

* Update tests/test_all_rules.py

* adding integration manifests and schemas from main

* rebuilt manifests and schemas with lmd

* fixed unit test linting

* adding manifests and schemas for other analytic packages

* updated manifests and schemas; adjusted unit test for verbosity

* sorted imports
 2023-10-12 10:51:12 -04:00
Ruben Groenewoud 4cdf52129a [Tuning] Windows Discovery Rule Tuning for UEBA (#3097) 
* [Tuning] Win DR Tuning for UEBA

* Need to get used to Windows formatting

* Added additional content

* Updated min stack

* Added additional tuning

* Fixed unit testing for KQL optimization

* Update rules_building_block/discovery_internet_capabilities.toml

* Additional tuning

* Kuery optimization

* Additional tuning

* Additional tuning

* Additional tuning

* Additional tuning

* Unit testing optimization fix

* optimization

* tuning

* Optimization

* Update rules/windows/discovery_privileged_localgroup_membership.toml

* Added feedback

* Update rules/windows/discovery_privileged_localgroup_membership.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules/windows/discovery_remote_system_discovery_commands_windows.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules/windows/discovery_system_service_discovery.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* added host.id as additional new_terms field

* Reworked a lot.

* kibana.alert.rule.rule_id to non-ecs-schema.json

* Fixed index by adding a dot

* fixed typo

* Added host.os.type:windows for signals

* Added additional tag

* Added Higher-Order Rule tag

* Stripped down signal rules down to two

* revert

* Update rules/windows/discovery_admin_recon.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules_building_block/discovery_generic_registry_query.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules_building_block/discovery_system_time_discovery.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/windows/discovery_privileged_localgroup_membership.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update discovery_generic_registry_query.toml

* Readded exclusions

* Added trailing wildcards for KQL

* Update discovery_privileged_localgroup_membership.toml

* Update rules_building_block/discovery_signal_unusual_user_host.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Formatting fix

---------

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-10-11 09:43:26 +02:00
Isai ef8f5620e1 [New Rule] New GitHub Owner Added (#3090) 
* [New Rule] New GitHub Owner Added

new rule

* name change

* Apply suggestions from code review

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

---------

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
 2023-10-06 15:57:26 -04:00
Terrance DeJesus 57c05f0444 removing lmd rules and fixing version lock history (#3159) 2023-10-05 12:16:53 -04:00
github-actions[bot] 0e2ae5b9ef Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10 (#3155) 
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10

* Update detection_rules/etc/version.lock.json

---------

Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2023-10-03 14:34:22 -04:00