4e2a141145
[CI/CD] Create on-demand job to release from Kibana ( #1334 )
...
* Add on-demand job to release to Kibana
* Update the inputs structure
* Archive the artifacts
(cherry picked from commit 5b0f72ffc3
2021-07-12 20:35:11 +00:00
6c15c3c0e7
Add command to unstage incompatible rules from git ( #1317 )
...
* Add devtools unstage-incompatible-rules command
* Create ephemeral GitChangeEntry for R->D+A
* Undo changes to Github job
* Fix typo in comment
* s/previous_path/original_path
(cherry picked from commit cf736046f1
2021-07-08 19:44:23 +00:00
7b9bed72be
Bump the Fleet package version
2021-07-07 21:19:06 -06:00
2f03035342
Lock versions for Fleet package 0.13.2 ( #1330 )
...
(cherry picked from commit 42957129ad
2021-07-07 21:43:57 +00:00
43dd58d11d
[New Rule] Potential PrintNightmare Exploitation rules ( #1326 )
...
* [New Rule] Potential PrintNightmare Exploitation rules
* added Potential PrintNightmare File Modification
* added spoolsv as process name to narrow more the scope
* added Suspicious Print Spooler File Deletion
* removed Suspicious Print Driver Registry Modification cuz of potential noise
* Update privilege_escalation_printspooler_malicious_registry_modification.toml
* Update rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/privilege_escalation_printspooler_malicious_registry_modification.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* adjusted description and added a comment for sysmon compatibility
* added FP note and relinted all files
* Update rules/windows/privilege_escalation_printspooler_malicious_driver_file_changes.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/privilege_escalation_printspooler_malicious_registry_modification.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* relinted
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
(cherry picked from commit 89420ae976
2021-07-07 16:56:55 +00:00
dd24dabb0d
[New Rule] Complementary Rules for Recent REvil TTPs ( #1329 )
...
* [New Rule] Complementary Rules for Recent REvil TTPs
* added OFN
* relinted and added T1574.002
* removed new line
* Update defense_evasion_disabling_windows_defender_powershell.toml
* corrected rule name
* added a reference url
* Update rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com >
* Update rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com >
* Update rules/windows/defense_evasion_execution_windefend_unusual_path.toml
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com >
* Update rules/windows/defense_evasion_execution_windefend_unusual_path.toml
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com >
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com >
(cherry picked from commit 9fadc4c1dc
2021-07-07 15:03:09 +00:00
68e7b6bbe3
Make "config" in note field consistent ( #1310 )
...
* Add test to ensure consistent config in note field
* Update inconsistent rule
(cherry picked from commit 63a39665e3
2021-07-06 23:54:18 +00:00
77eaa64bf9
Update the pythonpackage.yml job to only upload artifacts for 'push' ( #1322 )
...
(cherry picked from commit 3120252982
2021-07-06 19:40:55 +00:00
d6cc14d889
[DOCS] Update branching steps ( #1290 )
...
(cherry picked from commit b677264876
2021-07-02 15:48:40 +00:00
df8f4af3fc
Add min_stack_version to rule metadata ( #1173 )
...
* Add min_stack_version to metadata of rule structure
* validate all "stack versions" between defined and current package
* Use master schemas if min_stack_version > current_package
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
(cherry picked from commit 781953a0a0
2021-06-30 21:26:45 +00:00
4d54a87f3c
Extend metadata with [metadata.extended] section ( #1306 )
...
* Extend metadata with `[metadata.extended]` section
* Remove whitespace
* Comment that it's a dict
(cherry picked from commit f1476b1637
2021-06-25 23:02:36 +00:00
fd0eee4cc0
Add new ECS and beats schemas ( #1303 )
...
(cherry picked from commit 1099f181f9
2021-06-23 22:08:39 +00:00
102b9ff7d5
[New Rule] AWS RDS Security Group Created ( #1260 )
...
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Brent Murphy <bmurphy@endgame.com >
(cherry picked from commit 8e451f2318
2021-06-23 00:15:15 +00:00
6fd6bb1712
[New Rule] AWS RDS Security Group Deleted ( #1261 )
...
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Brent Murphy <bmurphy@endgame.com >
(cherry picked from commit fe14cd23ed
2021-06-23 00:09:32 +00:00
7749086f3b
[New Rule] AWS RDS Instance Creation ( #1269 )
...
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Brent Murphy <bmurphy@endgame.com >
(cherry picked from commit 9d4574b267
2021-06-23 00:03:06 +00:00
78c75d71b0
[New Rule] AWS RDS Snapshot Export ( #1270 )
...
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Brent Murphy <bmurphy@endgame.com >
(cherry picked from commit ccae1dc841
2021-06-22 23:58:29 +00:00
4823a40d19
[Rule Tuning] Potential password spraying of microsoft 365 user accounts ( #1164 )
...
* Update impact_iam_deactivate_mfa_device.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
(cherry picked from commit c215c44809
2021-06-22 17:36:32 +00:00
ba5f3eed82
Switch from process.ppid to process.parent.pid ( #1255 )
...
* Switch from process.ppid to process.parent.pid
* Bump updated date
* Bump updated date
(cherry picked from commit 31f63e728e
2021-06-22 15:10:59 +00:00
549cc9992d
[Rule Tuning] Attempts to Brute Force a Microsoft 365 User Account ( #1251 )
...
* Update credential_access_microsoft_365_brute_force_user_account_attempt.toml
* add authors
(cherry picked from commit d8ef9a81ef
2021-06-22 14:39:09 +00:00
c493c5df67
Update initial_access_smb_windows_file_sharing_activity_to_the_internet.toml ( #1225 )
...
(cherry picked from commit a8c9d7174f
2021-06-22 14:22:18 +00:00
74132fbbe9
[New Rule] AWS Route 53 Domain Transferred to Another Account ( #1198 )
...
(cherry picked from commit ea9a23af8d
2021-06-22 06:09:14 +00:00
10d22d9477
[New Rule] AWS Route 53 Domain Transfer Lock Disabled ( #1197 )
...
(cherry picked from commit 2cadee1718
2021-06-22 06:06:10 +00:00
b8a3f43b99
[New Rule] EC2 Full Network Packet Capture Detected ( #1175 )
...
(cherry picked from commit d7e0e37e54
2021-06-22 06:01:05 +00:00
3996e94bfd
[New Rule] Azure Service Principal Credentials Added ( #1169 )
...
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
(cherry picked from commit 6986f28af6
2021-06-22 05:50:17 +00:00
045d928daf
Lock versions for 0.13.1 package
2021-06-17 12:38:27 -06:00
1f5820be76
Bump package version to 0.13.1
2021-06-17 07:23:50 -06:00
6fca31c5de
Fix fleet package generation ( #1296 )
...
* Fix fleet package generation
* Add .lstrip()
* Lint fix
* Add newline
(cherry picked from commit e897a67604
2021-06-17 12:16:27 +00:00
98cb7b00cc
Simplify version locking code and fix 7.13.0 lock ( #1295 )
...
* Update version lock overwrite command
* Fix tooling and restore old version lock
* Lint fix
* Fix tests
* Remove dead code
* Filter to prod+deprecated rules
* Cast set -> list
* Store deprecation info
* Add correct version.lock.json (finally)
* Fix "stack_version" typo
* Remove stack_version
* Back out main.py changes
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit f6839e98d1
2021-06-17 00:03:05 +00:00
18765631fb
Fix rules which were note using v2 license ( #1291 )
...
(cherry picked from commit e0fa25ae8e
2021-06-16 14:21:50 +00:00
915c2dea2a
[Bug] Fix ML job IDs that used hyphens ( #1287 )
...
* Fix ML job IDs that used hyphens
* Update ml_high_count_network_denies.toml
* Update ml_spike_in_traffic_to_a_country.toml
* Set updated_date
(cherry picked from commit 49cb2e8dbf
2021-06-15 17:41:04 +00:00
fb93735c0f
[Rule Tuning] Attempts to Brute Force an Okta User Account ( #1216 )
...
* update rule.threshold field value
* add rule authors
* bump updated_date
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit 177cfc85bf
2021-06-15 16:08:09 +00:00
cce7c126b6
Updating rules to query v2 ( #1254 )
...
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
(cherry picked from commit 1f7c88c6f4
2021-06-15 14:21:09 +00:00
1fd625d650
[Fleet] Update template and packaging code for fleet packages ( #1280 )
...
* Update template and packaging code for fleet packages
* Fix linting
(cherry picked from commit 61e5b44c44
2021-06-15 13:55:09 +00:00
683621fe62
[Rule Tuning] Update network rule address blocks ( #1227 )
...
* Update network rule address blocks
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
(cherry picked from commit 12577f7380
2021-06-15 13:23:16 +00:00
3d6cefb296
[Rule Tuning] Attempts to brute force a microsoft 365 user account ( #1163 )
...
Update rules/microsoft-365/credential_access_microsoft_365_brute_force_user_account_attempt.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
(cherry picked from commit 546e43071c
2021-06-15 13:20:40 +00:00
8b3d085f73
Update persistence_suspicious_com_hijack_registry.toml ( #1244 )
...
(cherry picked from commit 13bf55480a
2021-06-14 13:00:39 +00:00
ecbfb8b572
Add KQL support for additional ES field types ( #1247 )
...
(cherry picked from commit c98398f1ef
2021-06-11 04:30:25 +00:00
5d41f2719a
[New Rule] AWS EC2 VM Export Failure ( #1142 )
...
* New Rule: AWS EC2 VM Export Failure
* Update exfiltration_ec2_vm_export_failure.toml
* Update exfiltration_ec2_vm_export_failure.toml
* Update exfiltration_ec2_vm_export_failure.toml
* Update exfiltration_ec2_vm_export_failure.toml
* Update exfiltration_ec2_vm_export_failure.toml
* Update exfiltration_ec2_vm_export_failure.toml
* Update exfiltration_ec2_vm_export_failure.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
(cherry picked from commit 6b45186827
2021-06-09 19:03:56 +00:00
1eb36b1a9e
[New Rule] Modification of AmsiEnable Registry Key ( #1248 )
...
* Create defense_evasion_amsienable_key_mod.toml
(cherry picked from commit fce022c275
2021-06-07 17:21:36 +00:00
cc6cc6bd3e
Lock the versions from 7.13.0 ( #1256 )
...
(cherry picked from commit 90c6f24e8f
2021-06-04 22:15:47 +00:00
30644d0d6a
Update problem-child.md ( #1253 )
...
(cherry picked from commit 8bb7218e38
2021-06-03 19:47:15 +00:00
14349b342d
Refactor experimental ML CLI and code ( #1218 )
...
* move github and ml to their own files
* refactor release and ml commands
* update ML readmes
* add unzip_to_dict function
* prompt for model ID in remove-model
* update experimental rule upload process
* update remove-scripts-pipelines to take multiple options
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
Co-authored-by: Apoorva <appujo@gmail.com >
(cherry picked from commit 0ec8d67e78
2021-06-03 04:37:34 +00:00
057d29a8d2
Fix create-rule bug ( #1246 )
...
(cherry picked from commit e46f5e96d3
2021-06-01 16:31:59 +00:00
f91e0facea
Update privilege_escalation_persistence_phantom_dll.toml ( #1228 )
...
(cherry picked from commit 6626cbb943
2021-06-01 13:29:25 +00:00
f9805954ee
[New Rule] Unusual Network Connection via DllHost ( #1232 )
...
* Create defense_evasion_unusual_network_connection_via_dllhost.toml
* add timestamp override
(cherry picked from commit c457614e37
2021-05-28 19:09:26 +00:00
acfca54f73
[New Rule] Suspicious Execution from a Mounted Device ( #1230 )
...
* Create defense_evasion_suspicious_execution_from_mounted_device.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit 31e8d03438
2021-05-28 18:44:24 +00:00
4088f6b544
Add a command to create a Kibana PR ( #1208 )
...
* Add a command to create a Kibana PR
* Reformat code
* Fix docstring whitespace
* Make a hidden token prompt
* Fix E501
(cherry picked from commit b0270d059f
2021-05-17 20:57:38 +00:00
fcd29373d5
[Rule Tuning] High Number of Okta User Password Reset or Unlock Attempts ( #1200 )
...
* Update impact_iam_deactivate_mfa_device.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
(cherry picked from commit 58ea49b092
2021-05-14 20:05:56 +00:00
afa6f1b541
Update backport.yml ( #1205 )
...
(cherry picked from commit a940c10ead
2021-05-13 22:55:10 +00:00
79cd81288a
Port historical schemas to jsonschema ( #1084 )
...
* Port historical schemas to jsonschema
* Add marshmallow-json dependency
* Mark etc/api_schemas as binary
* Remove gitattributes attempt
* Lint fix
* Apply PR feedback
* Additional PR feedback
* Extract stack version from packages.yml
* Fix the backport schemas
* Cache the schema reads
* Add migration for #1167
* Make a separate 'migration not found' error
(cherry picked from commit eb40c52c7c
2021-05-13 20:27:47 +00:00
Ross Wolf