Ross Wolf
4adad703fc
[CI] Add GitHub actions workflow to lock versions across branches (#1456)
* Start job to lock versions
* Update lock-versions workflow
* Call lock-multiple script
* Fix script
* Add the lock file to staging
* pass branches to the job
* Fetch all branches and tags
* Push the branch first
* Push with upstream
* Change PR params
* Remove protections machine token
* Add 7.14.0 to the lock for min_stack_version=7.14.0
* Fix branch prefix
* Add trailing newline
* Trailing newline
* Restrict to main branch
2021-08-26 14:17:34 -06:00
Ross Wolf
675e870a30
Set min stack to 7.15 for Behavior Protection promotion
2021-08-26 08:53:02 -06:00
Apoorva Joshi
227b67e636
Small update to docs (#1442)
2021-08-25 22:40:39 -08:00
Ross Wolf
3b338baab0
[New Rule] Endpoint Security Behavior Protection (#1440)
* [New Rule] Endpoint Security Behavioral Protection
* Update readme and labeler for endpoint integration
* Fix new rule to use event.code
* Fix old rule to use event.code
* Changed from behavioral to behavior
* Rename elastic_endpoint_security_behavioral.toml to elastic_endpoint_security_behavior_protection.toml
* Back from the future (updated_date)
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2021-08-25 09:56:59 -06:00
Ross Wolf
0d47cb324a
Track multiple stacks in lock (#1434)
* Save the stack versions in the lock file
* Support tracking of multiple stacks in the lock
* Update the version locking logic
* Fix bugs and test lock file
* Restore version lock
* Fix lint errors
* Call both click.echo and verbose echo separately
* Change when the change_rules message is output
2021-08-24 16:56:11 -06:00
dstepanic17
8ddffc298b
[New rule] Webshell Detection (#1448)
* [new-rule] Webshell Detection
* Update rules/windows/persistence_webshell_detection.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Added FP note section
* Update rules/windows/persistence_webshell_detection.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2021-08-24 15:17:28 -05:00
Justin Ibarra
8099e1c733
[Rule Tuning] Add technique T1005 to 2 rules (#1405)
2021-08-20 00:19:11 -08:00
Ross Wolf
11c443ba26
Fix encoding of 'Any' type in jsonschema (#1438)
2021-08-19 10:15:21 -06:00
Justin Ibarra
2d517432e3
Bump package versions (#1418)
* Bump package versions
* Add 7.14 migration; use master schema map if one does not exist
* add test to ensure an entry exists in the stack-schema-map for the current package version
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
2021-08-18 21:25:53 -08:00
Ross Wolf
d647c7b809
Skip etc/packages.yml from backport: auto (#1437)
2021-08-18 16:55:21 -06:00
Austin Songer
3b29498907
[Rule Tuning] AWS Security Group Configuration Change Detection (#1426)
* move rule "AWS Security Group Configuration Change Detection" to integrations directory and add "aws" integration
2021-08-14 20:34:13 -08:00
Christian Clauss
ddec37b731
Fix typos discovered by codespell (#1430)
2021-08-14 20:29:10 -08:00
Justin Ibarra
4a3bacae48
Remove labeling from community workflow (#1432)
2021-08-14 02:43:34 -08:00
Justin Ibarra
f63a72f1ac
Add revised workflow for community label (#1431)
2021-08-14 02:18:53 -08:00
Justin Ibarra
006cb0e702
Add label workflow for community issues and pulls (#1406)
* Add label workflow for community issues and pulls
* run on label changes
2021-08-13 22:36:59 -08:00
Justin Ibarra
5c8029ad55
Add botelastic workflow for stale issues and PRs (#1414)
2021-08-13 22:24:55 -08:00
Justin Ibarra
75d6d76926
Add paths-labeller workflow (#1407)
* add botelastic workflow
2021-08-13 22:13:34 -08:00
Justin Ibarra
b27a20fc3a
Pull latest ECS+beats schemas and update schema-map (#1417)
2021-08-12 13:08:12 -08:00
Austin Songer
67ba66c8e7
[New Rule] AWS EC2 Security Group Configuration Change Detection (#1144)
2021-08-12 11:36:50 -08:00
David French
14493689b9
[New Rule] Whitespace Padding in Process Command Line (#1392)
* Create defense_evasion_whitespace_padding_in_command_line.toml
* add newline
* update description
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
* Apply suggestions from code review
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2021-08-11 10:15:01 -06:00
Justin Ibarra
95486ecfdf
[Bug] Flatten method improperly added subtechniques (#1404)
2021-08-05 11:15:07 -08:00
Ross Wolf
17bf3c1e16
Add RuleCollection.load_git_branch (#1403)
2021-08-05 01:15:39 -06:00
dishadasgupta
7be58b7b09
Adding docs for URL Spoofing (#1400)
* Adding docs for urlspoof
* Fixing typo in readme
* Editing documentation to reflect rule upload process
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2021-08-04 17:13:10 -07:00
Justin Ibarra
d31ea6253e
Refresh ATT&CK mappings to v9.0 (#1401)
* Refresh ATT&CK mappings to v9.0
* Update rules to reflect ATT&CK changes
2021-08-04 14:16:10 -08:00
Justin Ibarra
f8f643041a
[Rule tuning] Revise rule description and other text (#1398)
2021-08-03 13:07:47 -08:00
Austin Songer
d2365783fa
[Rule Tuning] NTDS or SAM Database File Copied (#1378)
* Update credential_access_copy_ntds_sam_volshadowcp_cmdline.toml to include esentutl.exe
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2021-08-03 12:28:17 -08:00
Apoorva Joshi
06a9ba6463
Update Host Risk Score docs (#1397)
2021-08-02 20:52:12 -08:00
Apoorva Joshi
c283d2a2f3
Adding host risk score docs (#1390)
* Adding host risk score docs
* Highlighting caveats around hostname
* Update host-risk-score.md
* Adding host risk score to the experimental detections readme
2021-08-02 13:43:27 -08:00
Justin Ibarra
b736d6e748
[Rule Tuning] Rule description tweaks (#1388)
2021-07-29 10:56:13 -08:00
Ross Wolf
2e8f7cd13f
[CI] Add missing clone for Fleet on-demand job (#1387)
2021-07-27 16:55:28 -06:00
Ross Wolf
92937a1ad1
[CI] Fix kibana PR command again (#1386)
2021-07-27 16:29:50 -06:00
Ross Wolf
64977b01bd
Fix kibana_pr for click.Context (#1385)
2021-07-27 16:03:28 -06:00
Ross Wolf
c31a344593
Disable missing rule check for the version lock (#1384)
2021-07-27 13:48:28 -06:00
Ross Wolf
5eccaf0cd5
Update the version lock for 7.14.0 and 0.13.3 (#1383)
2021-07-27 12:25:12 -06:00
Justin Ibarra
7759fa2500
Ensure EQL rules with maxspan have a long enough lookback window (#1361)
* Add the following properties to EQLRuleData:
- max_span
- look_back
- interval_ratio
* Add the following tests:
- test_eql_lookback
- test_eql_interval_to_maxspan
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
2021-07-22 13:53:13 -08:00
Ross Wolf
7b62fe296d
[Rule Tuning] Remove \Program Files*\ style wildcards (#1369)
* Remove \Program Files*\ style wildcards
* Convert string and remove trailing .exe check
* Fix syntax
* Escape dot
* Add missing `and`
* Fix syntax for regex string
* Convert * to .* for regex
2021-07-22 11:55:22 -06:00
Justin Ibarra
4aab1278bf
[Rule Tuning] Update EQL rules with lookback < maxspan (#1362)
* [Rule Tuning] Update EQL rules with lookback < maxspan
* update intervals to be at least interval >= 1/2 maxspan
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
2021-07-22 09:08:58 -08:00
Ross Wolf
5ba1c26cf1
Fix metadata.extended (#1377)
2021-07-22 10:29:30 -06:00
Ross Wolf
1882f4456c
[Fleet] Track integrations in folder and metadata (#1372)
* Track integrations in folder and metadata
* Remove duplicate entry
* Update note and tests
2021-07-21 15:24:56 -06:00
Ross Wolf
9f3d5328f4
[Rule Tuning] Convert unusual extension rule to regex (#1368)
* Convert unusual extension rule to regex
* Update defense_evasion_file_creation_mult_extension.toml
* Fix date
* Fix extension
2021-07-21 11:49:32 -06:00
Ross Wolf
9b559d0cd9
[Rule Tuning] Creation of Hidden Files and Directories (#1357)
* [Rule Tuning] Creation of Hidden Files and Directories
* Remove redundant `A` from the regex
2021-07-21 11:47:40 -06:00
David French
23626b814c
[Rule Tuning] Update Google Workspace rules to use google_workspace event schema (#1374)
* use google_workspace event schema
* update to use google_workspace schema
2021-07-21 11:38:43 -06:00
dstepanic17
fbd4cf2117
[New Rule] Windows Defender Exclusions Added via PowerShell (#1370)
* Added new rule
* Update rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
* Update rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
* Added pwsh.exe to original name
* Added PowerShell MITRE reference
* Update rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2021-07-21 11:54:11 -05:00
Justin Ibarra
163d9e3864
Update cardinality field in schema for threshold rules (#1349)
* Make cardinality array in schema for threshold rules
* update master, 7.12, 7.13, and 7.14 schemas with cardinality fix
* fix 7.12 downgrade to handle cardinality as an array
* Add two new rules to detect agent spoofing
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
2021-07-21 08:32:54 -08:00
Austin Songer
95e6458c6e
[Rule Tuning] Mimikatz powershell module activity detected (#1297)
* update query
* add indexes
2021-07-20 23:08:04 -08:00
Andrew Pease
34df7c6b89
[Rule Tuning] Add Filebeat and Auditbeat to Network Rules (#1282)
* standardized indices and added the from field
2021-07-20 22:59:22 -08:00
Austin Songer
64c3f7cdc5
[New Rule] O365 Excessive SSO Logon Errors (#1215)
2021-07-20 22:55:00 -08:00
Austin Songer
c82790f588
[New Rule] Disable Windows Event and Security Logs (#1181)
2021-07-20 22:44:35 -08:00
Austin Songer
4a11ef9514
[Rule Tuning] Suspicious CertUtil Commands (#1180)
* update name to Suspicious CertUtil Commands
* update description, query, and filename
2021-07-20 22:26:36 -08:00
Austin Songer
920d973064
[Rule Tuning] External IP Lookup from Non-Browser Process (#1147)
* Added a couple domains
ipapi.co
ip-lookup.net
ipstack.com
2021-07-20 21:47:39 -08:00