4a2e2764cd
[New] Ransomware over SMB ( #3638 )
...
* [New] Ransomware over SMB
* Update impact_ransomware_note_file_over_smb.toml
* Update impact_ransomware_file_rename_smb.toml
* ++
* Update impact_high_freq_file_renames_by_kernel.toml
* Update impact_high_freq_file_renames_by_kernel.toml
* Update impact_high_freq_file_renames_by_kernel.toml
* Update impact_ransomware_file_rename_smb.toml
* Update impact_ransomware_note_file_over_smb.toml
* Update impact_high_freq_file_renames_by_kernel.toml
2024-05-07 06:38:14 +01:00
84437bac03
Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13 ( #3650 )
...
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13
* Bumping status checks
* undo bump
---------
Co-authored-by: eric-forte-elastic <eric-forte-elastic@users.noreply.github.com >
Co-authored-by: eric-forte-elastic <eric.forte@elastic.co >
2024-05-06 12:44:32 -04:00
4396a91b40
[New Rule] Unusual High Confidence Misconduct Blocks Detected ( #3647 )
2024-05-06 07:32:02 -05:00
a4a0bc6a7e
[Bug] Query validation failing to capture InSet edge case with ip field types ( #3572 )
...
* Move test case to separate file
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
2024-05-06 07:58:42 -04:00
51268581a8
[Rule Tuning] AWS Bedrock Detected Multiple Attempts to use Denied Models by a Single User ( #3646 )
2024-05-04 08:20:20 -05:00
613457b97f
[New Rules] AWS Bedrock Guardrails Violations ( #3641 )
...
* [New Rules] AWS Bedrock Guardrails Violations
---------
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com >
2024-05-03 20:55:27 -06:00
2ffb0e7fe2
[New Rule] Potential Abuse of Resources by High Token Count and Large Response Sizes ( #3644 )
2024-05-03 18:01:53 -05:00
c8c8c96956
[FR] Add ability to generate hunt index ( #3643 )
2024-05-03 13:43:22 -05:00
00b8a77f50
[FR] Add Hunt Structure and Initial LLM Queries 🚀 ( #3637 )
2024-05-03 09:33:06 -05:00
2668f5f762
[Bug] Fix missing indexes on navigator build ( #3636 )
...
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com >
2024-05-01 15:50:54 -06:00
54ff270c62
[New Rule] AWS S3 Bucket Enumeration or Brute Force ( #3635 )
...
* [New Rule] AWS S3 Bucket Enumeration or Brute Force
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com >
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2024-05-01 15:00:33 -06:00
ca78f550fd
Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13 ( #3630 )
2024-04-30 18:06:01 +05:30
e29994c338
[New Rule] Shell Configuration Modification ( #3629 )
...
* [New Rule] Shell Configuration Modification
* description update
* uuid update
* query update
* query update
* Update rules/linux/persistence_shell_configuration_modification.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2024-04-30 13:41:13 +02:00
115c3a6dfd
[Rule Tuning] Linux DRs ( #3628 )
2024-04-30 13:26:09 +02:00
8f6de1c235
[New] Potential privilege escalation via CVE-2022-38028 ( #3616 )
...
* [New] Potential privilege escalation via CVE-2022-38028
https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/
* Update privilege_escalation_exploit_cve_202238028.toml
* Update privilege_escalation_exploit_cve_202238028.toml
* Update privilege_escalation_exploit_cve_202238028.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2024-04-29 15:10:27 +01:00
c567d3731a
Refresh Kibana module with API updates ( #3466 )
...
* Refresh Kibana module with API updates
* add import/export commands
* rename repo commands
* add RawRuleCollection and DictRule objects
* save exported rules to files; rule.from_rule_resource
* strip unknown fields in schema
* add remote cli test
* update docs
* bump kibana lib version
---------
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com >
2024-04-26 11:12:50 -06:00
374f21fbc4
Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13 ( #3615 )
2024-04-23 17:59:01 +05:30
7673ba484d
Fix minstack version for 0365 in azure integration rules ( #3612 )
2024-04-22 19:17:49 +05:30
69d42ecc71
updating performance note ( #3608 )
2024-04-18 16:36:07 -04:00
25dafb68f1
[Rule Tuning] Reverting To Previous Version ( #3607 )
2024-04-18 15:19:27 -04:00
91e69ac322
[Rule Tuning] Tuning Account Password Reset Remotely ( #3478 )
...
* tuning 'Account Password Reset Remotely'
* adjusted note
* fixing description
* Update rules/windows/persistence_remote_password_reset.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* updated note about performance; toml lint
* bumping min-stack to resolve version lock
* reverting query to main
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2024-04-18 12:49:32 -04:00
6ae0902a38
[New Rule] Potential Windows Session Hijacking via CcmExec ( #3602 )
...
* [New Rule] Potential Windows Session Hijacking via CcmExec
* Update rules/windows/defense_evasion_sccm_scnotification_dll.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2024-04-18 12:57:35 -03:00
5004ff115c
[Rule Tuning] Further Tight up Elastic Defend Index Patterns ( #3584 )
...
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2024-04-16 13:26:42 -03:00
74312797bf
adjust aws rule index patterns and tags ( #3595 )
2024-04-16 10:08:57 -04:00
c2d1586270
[Rule Tuning] Windows BBR Promotion ( #3577 )
...
* [Rule Tuning] Windows BBR Promotion
* Update non-ecs-schema.json
* Update persistence_netsh_helper_dll.toml
* Update persistence_werfault_reflectdebugger.toml
* Update privilege_escalation_unquoted_service_path.toml
* Update defense_evasion_msdt_suspicious_diagcab.toml
* Update defense_evasion_suspicious_msiexec_execution.toml
* Update discovery_security_software_wmic.toml
* Revert "Update defense_evasion_msdt_suspicious_diagcab.toml"
This reverts commit 0e1f3ea3e18a146c421a5bda784633cca4a2b0c0.
* Revert "Update defense_evasion_suspicious_msiexec_execution.toml"
This reverts commit 4e26a167774ad712d19334a4c2c712cc1d550e7f.
* Revert "Update discovery_security_software_wmic.toml"
This reverts commit d638cec354a46cacab1e62596f4ad939a1d9c32a.
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2024-04-16 09:28:17 -03:00
114db81f07
Bump KQL Version in Init ( #3597 )
2024-04-15 11:06:16 -04:00
919a438257
Update defense_evasion_untrusted_driver_loaded.toml ( #3596 )
...
excluding `errorCode_endpoint:*` status (noisy)
2024-04-15 14:52:39 +01:00
9692e59abb
[Tuning] Connection to Commonly Abused Web Services ( #3587 )
...
excluding top noisy patterns :
- Microsoft signed binaries connecting to graph.microsoft.com and sharepoint.com
- Slack, Dropbox and other signed binaries.
- github.com (removed), most abused is rawgithub dns.question.name for ingress-script/payload download
2024-04-11 08:11:28 -03:00
d0dfa479bb
[Rule Tuning] Windows BBR Rule Tuning - 1 ( #3579 )
...
* [Rule Tuning] Windows BBR Rule Tuning - 1
* Update non-ecs-schema.json
* Update rules_building_block/command_and_control_certutil_network_connection.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules_building_block/collection_common_compressed_archived_file.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Update defense_evasion_dll_hijack.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2024-04-08 10:38:41 -03:00
c5addae009
[Rule Tuning] Windows BBR Rule Tuning - 3 ( #3581 )
...
* [Rule Tuning] Windows BBR Rule Tuning - 3
* Update non-ecs-schema.json
* Update rules_building_block/execution_settingcontent_ms_file_creation.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update persistence_startup_folder_lnk.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2024-04-08 09:47:48 -03:00
1bc59bdc04
[Rule Tuning] Windows BBR Rule Tuning - 2 ( #3580 )
...
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2024-04-08 09:34:26 -03:00
109e8a85a5
[Rule Tuning] BBR Rule Tuning 1 - Tighten Indexes Edition ( #3576 )
...
* [Rule Tuning] BBR Rule Tuning 1 - Tighten Indexes Edition
* Apply suggestions from code review
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update defense_evasion_msdt_suspicious_diagcab.toml
* Update defense_evasion_suspicious_msiexec_execution.toml
* Update discovery_security_software_wmic.toml
* Update rules_building_block/discovery_security_software_wmic.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Endgame tag
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2024-04-08 08:57:33 -03:00
e125a4e4cf
[Rule Tuning] WRITEDAC Access on Active Directory Object ( #3583 )
2024-04-08 08:43:25 -03:00
aa0cc42ff6
[Rule Tuning] Svchost spawning Cmd ( #3578 )
...
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2024-04-08 07:50:20 -03:00
0cb42983c1
updated to v14.0 mitre ATT&CK ( #3289 )
...
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com >
2024-04-05 14:30:23 -04:00
e6f48ade01
Bump KQL lib Version ( #3575 )
2024-04-05 13:38:54 -04:00
fbb6df506e
Update default ( #3574 )
2024-04-04 20:27:14 -04:00
1566c29bae
[Bug] KQL fails validation on uppercase keywords ( #3568 )
...
* add todo
* Add a normalize_kql_keywords function to utils
* update rule loader to normalize and warn
* optimized loading
* fix linting
* Moved conversion to kql module.
* Updated unit test
* Refactor KQL parser to normalize keywords via flag
* Fix logic typo
* Update detection_rules/utils.py
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update lib/kql/kql/__init__.py
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Updated to fix unit tests and remove warnings
* linting typo
* Added comments
* remove unused imports
* Update kql.parse default
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2024-04-04 18:03:30 -04:00
fa75876322
[Bug] New Terms Rule Import Failing ( #3569 )
...
* initial patch
* Update definitions to allow for brackets in name
* Update to prompt for required fields.
* Update detection_rules/cli_utils.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2024-04-04 17:37:13 -04:00
c35652c8c8
[Bug] Add explicit format preserver ( #3566 )
2024-04-04 15:50:48 -05:00
a9cc323d09
[Bug] Threshold Rule Importing Failures ( #3560 )
...
* remove threshold specific req
* fix test event override
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
2024-04-03 14:15:09 -04:00
153657029b
Add filebeat-* index pattern to rules based on system.auth dataset ( #3561 )
...
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2024-04-03 11:27:31 +02:00
3fbffa24ed
Deprecate Releasing to a patch kibana version workflow ( #3552 )
2024-04-03 08:34:45 +05:30
8d5bd3b0f6
Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13 ( #3567 )
...
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13
* Update detection_rules/etc/deprecated_rules.json
---------
Co-authored-by: shashank-elastic <shashank-elastic@users.noreply.github.com >
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
2024-04-02 23:59:42 +05:30
0e2eb5a84c
Fix minstack version for O365 prod rules ( #3565 )
2024-04-02 21:33:18 +05:30
4ab7c9b178
[Rule Tuning] First Time Seen Commonly Abused Remote Access Tool Execution ( #3545 )
...
* [Rule Tuning] First Time Seen Commonly Abused Remote Access Tool Execution
* Update command_and_control_new_terms_commonly_abused_rat_execution.toml
* Update command_and_control_new_terms_commonly_abused_rat_execution.toml
* Update command_and_control_new_terms_commonly_abused_rat_execution.toml
* Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2024-04-02 11:06:08 -03:00
69173872da
[Tuning] Connection to Commonly Abused Web Services ( #3425 )
...
* Update command_and_control_common_webservices.toml
* Update command_and_control_common_webservices.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2024-04-02 14:41:10 +01:00
f025616cbd
[New Rule] Suspicious Access to LDAP Attributes ( #2504 )
...
* Create discovery_high_number_ad_properties.toml
* Update discovery_high_number_ad_properties.toml
* Update rules/windows/discovery_high_number_ad_properties.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/discovery_high_number_ad_properties.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* fixed tags; moved note to setup, updated date
* Update discovery_high_number_ad_properties.toml
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co >
2024-04-02 13:57:38 +01:00
c781376188
[Rule Tuning] Potential Application Shimming via Sdbinst ( #3553 )
...
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2024-04-02 06:35:14 -03:00
f2490007e8
[New] Potential Execution via XZBackdoor ( #3555 )
...
* [New] Potential Execution via XZBackdoor
* Update rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update persistence_suspicious_ssh_execution_xzbackdoor.toml
* Update persistence_suspicious_ssh_execution_xzbackdoor.toml
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2024-04-02 05:15:04 +01:00
Samirbous