* [Rule Tuning] Kernel Module Load via Built-in Utility
* Apply suggestion from @eric-forte-elastic
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
* Refine process.args conditions for modprobe
* Refactor notes and references in kernel module load rule
Removed detailed notes and investigation steps related to kernel module loading via insmod utility. Updated note section and added a reference link.
* Update persistence_insmod_kernel_module_load.toml
* Update persistence_insmod_kernel_module_load.toml
* Update kernel module load rule for clarity and tactics
---------
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
* Updated kubernetes.audit.requestObject.spec.containers.image type of text to Keyword
* [Rule Tuning] Adding D4C Compatibility to Compatible Container-Related Rules
* Updated kubernetes.audit.requestObject.spec.containers.image type of text to Keyword
* [Rule Tuning] Dormant & Deprecated Rule Clean-Up
* [Rule Tuning] Dormant & Deprecated Rule Clean-Up
* Few more deprecations
* ++
* Update unit test syntax fix
* Update bad bytes
* ++
* [New/Tuning] Several New Linux Rules
* Update collection_potential_video_recording_or_screenshot_activity.toml
* Update discovery_dmidecode_system_discovery.toml
* Update rules/linux/collection_potential_audio_recording_activity.toml
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
* Update exfiltration_potential_wget_data_exfiltration.toml
* [New Rule] Linux User or Group Deletion
---------
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
* [Rule Tuning] Linux DR Tuning - 3
* Update rules/linux/credential_access_aws_creds_search_inside_container.toml
* Adjust thresholds and expand event action handling
* Update credential_access_potential_linux_ssh_bruteforce_external.toml
* Increase threshold for SSH brute force detection
* Update credential_access_potential_linux_ssh_bruteforce_internal.toml
* Update credential_access_ssh_backdoor_log.toml
Removed 'auditbeat-*' from the index list.
* Refactor credential access rule for clarity
Removed redundant event.action expansion and filtering logic.
* Refactor ESQL query for SSH brute force detection
Refactor ESQL query to improve readability and maintainability by moving the event.action expansion and filtering logic.
* Update credential_access_potential_linux_ssh_bruteforce_internal.toml
* Update credential_access_potential_successful_linux_ftp_bruteforce.toml
* Update credential_access_potential_successful_linux_rdp_bruteforce.toml
* Update credential_access_potential_linux_ssh_bruteforce_internal.toml
* Add time window truncation to bruteforce rule
* Add time window truncation to SSH brute force rule
* Update credential_access_potential_linux_ssh_bruteforce_internal.toml
* Update SSH brute force detection rule to EQL
* Update CIDR match conditions for SSH brute force rule
* Update EQL query for SSH brute force detection
* [Rule Tuning] Linux DR Tuning - 6
* Fix syntax error in discovery_esxi_software_via_grep.toml
* Update discovery_pam_version_discovery.toml
* Update discovery_virtual_machine_fingerprinting.toml
* Revise investigation title for kernel module enumeration
Updated the title of the investigation section to clarify focus on unusual kernel module enumeration.
* Update discovery_port_scanning_activity_from_compromised_host.toml
* Enhance ESQL query for subnet scanning detection
Updated ESQL query to include additional fields and conditions for better analysis of connection attempts from compromised hosts.
* Remove Elastic Endgame data source from rule
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
* [Rule Tuning] Linux DR Tuning - 8
* Revise investigation guide for THC tool downloads
Updated investigation guide to reflect THC tool instead of SSH-IT worm. Enhanced description for clarity.
* Update exfiltration_unusual_file_transfer_utility_launched.toml
* Refine ESQL query for brute force malware detection
Updated the query to include additional fields and modified the conditions for filtering events.
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
* [Rule Tuning] Linux DR Tuning - 10
* Update persistence_udev_rule_creation.toml
* Refactor ESQL query for Linux process events
* Refactor query in persistence_web_server_sus_command_execution rule
Removed unnecessary fields from the query and added new fields for event dataset and data stream namespace.
* Update persistence_systemd_netcon.toml
* Update persistence_web_server_sus_child_spawned.toml
* Refactor process.parent.name conditions in TOML file
* Update persistence_web_server_unusual_command_execution.toml
* Update persistence_web_server_unusual_command_execution.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
* [Rule Tuning] Linux DR Tuning - 9
* Update rules/linux/persistence_apt_package_manager_file_creation.toml
* Fix formatting in persistence_boot_file_copy.toml
* Update persistence_chkconfig_service_add.toml
* Change user.id values to string format in TOML
* Fix condition for Java process working directory
* Fix logical operator in OpenSSL passwd hash rule
* Fix syntax for working_directory check
* Fix condition for original file name check
* Update persistence_web_server_unusual_command_execution.toml
* Add cloud CLI tools to persistence rules
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
* [Tuning] Windows BruteForce Rules Tuning
#1 Multiple Logon Failure from the same Source Address: converted to ES|QL and raised the threshold to 100 failed auths, alert quality should be better since it aggregates all failed auths info into one alert vs multiple EQL matches. (expected reduction more than 50%)
#2 Privileged Account Brute Force - coverted to ESQL and set the threshold to 50 in a minute. this should drop noise volume by more than 50%.
* ++
* Update execution_shell_evasion_linux_binary.toml
* Update execution_shell_evasion_linux_binary.toml
* Update defense_evasion_indirect_exec_forfiles.toml
* Update lateral_movement_remote_file_copy_hidden_share.toml
* Update lateral_movement_remote_file_copy_hidden_share.toml
* Update persistence_service_windows_service_winlog.toml
* Update credential_access_lsass_openprocess_api.toml
* Update persistence_suspicious_scheduled_task_runtime.toml
* Update impact_hosts_file_modified.toml
* Update defense_evasion_process_termination_followed_by_deletion.toml
* Update rules/windows/credential_access_lsass_openprocess_api.toml
* Update rules/windows/credential_access_bruteforce_admin_account.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
* Update rules/windows/credential_access_lsass_openprocess_api.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
* Update rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
* Update credential_access_lsass_openprocess_api.toml
* Update impact_hosts_file_modified.toml
* Update credential_access_dollar_account_relay.toml
* Update credential_access_new_terms_secretsmanager_getsecretvalue.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
* [New Rule] Pod or Container Creation with Suspicious Command-Line
* Added container domain tag
* Update execution_suspicious_pod_or_container_creation_command_execution.toml
* Refine EQL query for suspicious pod/container creation
* Update rules/linux/execution_suspicious_pod_or_container_creation_command_execution.toml
* Update execution_suspicious_pod_or_container_creation_command_execution.toml
* Update process name conditions for suspicious execution
Ruben Groenewoud