* [Deprecate Rule] File and Directory Discovery
Very noisy and most if not all are FPs; little room for tuning without rendering the rule easy to bypass.
* Delete workspace.xml
* [Deprecated Rule] Potential Privilege Escalation via Local Kerberos Relay over LDAP
FPs in certain cases with no room for tuning.
* Update privilege_escalation_krbrelayup_suspicious_logon.toml
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
* [Rule Tuning] Remotely Started Services via RPC
excluding noisy FPs by process.executable to be compatible with winlog and endpoint
* Update lateral_movement_remote_services.toml
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
* [Rule Tuning] Potential Remote Credential Access via Registry
Excluding some noisy FPs by file.path (user and machine hives std paths) and event.action (scoped to logged-in)
* Update credential_access_remote_sam_secretsdump.toml
* [Rule Tuning] Persistence via Update Orchestrator Service Hijack
I changed the query to exclude FPs for safe executables found in telemetry: MoUsoCoreWorker.exe and OfficeC2RClient.exe. Changed the query type to KQL to account for the wildcard needed to capture 2 of the executable paths found in telemetry. I'm open to changing back to eql with suggestions.
* Update persistence_via_update_orchestrator_service_hijack.toml
revert back to eql
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
* Create discovery_suspicious_self_subject_review.toml
Adding new rule
* non-ecs-schema fields added and query change to specify fields
Added non-ecs-schema fields for all coming k8s rules and added specific fields to the query instead of using regex.
* Update discovery_suspicious_self_subject_review.toml
* Update rules/integrations/kubernetes/discovery_suspicious_self_subject_review.toml
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* [New Rule] Kubernetes Pod Created With HostPID
new rule toml for pod created with hostPID and updated non-ecs-schema with all k8s fields
* Update privilege_escalation_pod_created_with_hostpid.toml
* Update rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostpid.toml
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* [New Rule] Kubernetes Pod Created With HostNetwork
new rule toml for pod created with hostNetwork and added all k8s fields to non-ecs-schema json
* Update privilege_escalation_pod_created_with_hostnetwork.toml
* Update rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* [New Rule] Kubernetes Pod Created With HostIPC
new rule toml file for pod created with hostIPC and k8s fields added to non-ecs-schema json
* Rename privilege_escalation_pod_created_with_hostIPC.toml to privilege_escalation_pod_created_with_hostipc.toml
* Update rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostipc.toml
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* [New Rule] Kubernetes Exposed Service Created With Type NodePort
new rule toml for exposed service created with type nodeport and added all k8s fields to non-ecs-schema
* Update rules/integrations/kubernetes/persistence_exposed_service_created_with_type_nodeport.toml
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
I'm removing the event.dataset query portion of the rule because this field has been removed from the current mapping, so this rule is not triggering with the most updated K8s Integrations.
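The four Kubernetes rules introduced above (hostPID, hostNetwork, hostIPC, NodePort), as an added example that is not the detection-rules project's own query logic: a Python check run over constructed kube-apiserver audit records (standard audit `Event` shape at RequestResponse level). The rule names come from the commit titles; the sample events and the choice to ignore non-2xx responses are this example's assumptions.

```python
import json

# Constructed sample audit events in the kube-apiserver audit Event format
# (RequestResponse level); these are not telemetry from the PR.
SAMPLE_EVENTS = [
    json.dumps({"verb": "create", "objectRef": {"resource": "pods", "name": "dbg"},
                "requestObject": {"spec": {"hostPID": True, "hostNetwork": True}},
                "responseStatus": {"code": 201}}),
    json.dumps({"verb": "create", "objectRef": {"resource": "services", "name": "web"},
                "requestObject": {"spec": {"type": "NodePort", "ports": [{"port": 80}]}},
                "responseStatus": {"code": 201}}),
    # Rejected by RBAC/admission: the API server never created this pod.
    json.dumps({"verb": "create", "objectRef": {"resource": "pods", "name": "denied"},
                "requestObject": {"spec": {"hostIPC": True}},
                "responseStatus": {"code": 403}}),
    json.dumps({"verb": "get", "objectRef": {"resource": "pods", "name": "dbg"},
                "responseStatus": {"code": 200}}),
]

# Pod spec flag -> rule name from the commit titles above.
POD_HOST_NAMESPACE_RULES = {
    "hostPID": "Kubernetes Pod Created With HostPID",
    "hostNetwork": "Kubernetes Pod Created With HostNetwork",
    "hostIPC": "Kubernetes Pod Created With HostIPC",
}

def evaluate_event(event: dict) -> list[str]:
    """Return the names of the rules above that this single audit event satisfies."""
    hits: list[str] = []
    # Only successful creates count (assumption): a non-2xx response means the API
    # server refused the object, so no host-namespace pod or NodePort service exists.
    if event.get("verb") != "create":
        return hits
    if not 200 <= event.get("responseStatus", {}).get("code", 0) < 300:
        return hits
    resource = event.get("objectRef", {}).get("resource")
    spec = event.get("requestObject", {}).get("spec", {})
    if resource == "pods":
        hits.extend(rule for flag, rule in POD_HOST_NAMESPACE_RULES.items()
                    if spec.get(flag) is True)
    elif resource == "services" and spec.get("type") == "NodePort":
        hits.append("Kubernetes Exposed Service Created With Type NodePort")
    return hits

def scan(lines) -> dict[str, list[str]]:
    """Map object name -> matching rules for every JSON-lines audit record that fires."""
    results: dict[str, list[str]] = {}
    for line in lines:
        event = json.loads(line)
        if hits := evaluate_event(event):
            results[event["objectRef"]["name"]] = hits
    return results
```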