608e02e27e
[New Rule] Linux Telegram API Request ( #4677 )
2025-05-06 21:53:19 +05:30
944428d81e
[New Rule] Unusual LD_PRELOAD/LD_LIBRARY_PATH Command Line Arguments ( #4685 )
2025-05-06 21:21:58 +05:30
fdc6b09d54
[New Rule] System Binary Symlink to Suspicious Location ( #4682 )
2025-05-06 17:46:47 +05:30
25dc8498ae
[New Rule] Suspicious Named Pipe Creation ( #4681 )
2025-05-06 17:30:38 +05:30
8b08795e00
[New Rule] Suspicious Kernel Feature Activity ( #4676 )
2025-05-06 17:13:24 +05:30
0193af2842
[New Rule] Potential Data Exfiltration Through Curl ( #4678 )
2025-05-06 16:57:59 +05:30
4030de9295
[New/Tuning] Potential Hex Payload Execution via Command-Line ( #4675 )
2025-05-06 16:29:03 +05:30
eb3520a63b
[New Rule] Potential Backdoor Execution Through PAM_EXEC ( #4674 )
2025-05-06 16:13:23 +05:30
403e20c2c6
[New Rule] Git Repository or File Download to Suspicious Directory ( #4663 )
2025-05-06 15:05:27 +05:30
3f9e2edcb5
[New Rule] Manual Mount Discovery via /etc/exports ( #4662 )
2025-05-06 14:48:55 +05:30
a9e8a78c09
[New Rule] Docker Release File Creation ( #4661 )
2025-05-06 14:31:52 +05:30
13cf424ef5
[New Rule] Manual Memory Dumping via Proc Filesystem ( #4660 )
2025-05-06 14:16:15 +05:30
c9c41747fc
[FN Tuning] Suspicious /proc/maps Discovery ( #4659 )
2025-05-06 13:59:44 +05:30
1150271372
[New Rule] Suspicious Path Mounted ( #4664 )
2025-05-06 13:43:00 +05:30
e4856d3c2c
Refresh ecs, beats, integration manifests & schemas ( #4699 )
2025-05-05 23:06:40 +05:30
18e1103c51
[New Rule] Potential Linux Tunneling and/or Port Forwarding via SSH Option ( #4658 )
2025-05-05 09:59:08 +02:00
3eed0f5b6a
[Rule Tuning] SSH Authorized Keys File Deletion ( #4591 )
...
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com >
2025-04-15 12:16:03 -03:00
3b1f780435
[D4C Conversion] Converting Compatible D4C Rules to DR ( #4532 )
...
* [D4C Conversion] Converting Compatible D4C Rules to DR
* added host.os.type
* Rename
* Update rules/linux/execution_container_management_binary_launched_inside_container.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules/linux/privilege_escalation_debugfs_launched_inside_container.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules/linux/privilege_escalation_debugfs_launched_inside_container.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules/linux/privilege_escalation_mount_launched_inside_container.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules/linux/privilege_escalation_mount_launched_inside_container.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com >
2025-04-10 14:26:40 +02:00
05c9f6bbdb
[FN Tuning] Shared Object Created or Changed by Previously Unknown Pr… ( #4529 )
...
* [FN Tuning] Shared Object Created or Changed by Previously Unknown Process
* Update process exclusions in TOML file
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com >
2025-04-08 18:19:18 +02:00
3966981dae
Add investigation guides ( #4600 )
2025-04-07 20:55:39 +05:30
9577d53284
[Rule Tuning] Add Host Metadata to ES|QL Aggregation Rules ( #4592 )
...
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com >
2025-04-07 12:00:14 -03:00
059d7efa25
Prep for Release 9.0 ( #4550 )
2025-03-20 20:32:07 +05:30
d7d8c414ec
[New Rule] File Creation in /var/log via Suspicious Process ( #4528 )
...
* [New Rule] File Creation in /var/log via Suspicious Process
* ++
* ++
2025-03-12 12:50:48 +01:00
561ab703de
[New Rule] Uncommon Destination Port Connection by Web Server ( #4515 )
2025-03-06 22:01:33 +05:30
fe0a9f4935
[New/Tuning] Docker Socket Enumeration ( #4510 )
...
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2025-03-06 17:07:10 +01:00
8dfa5da3bf
[New Rules] Potential Port/Subnet Scanning Activity from Compromised Host ( #4509 )
...
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2025-03-06 16:57:33 +01:00
fe06843636
[New Rule] Unusual Process Spawned from Web Server Parent ( #4513 )
2025-03-06 16:46:12 +01:00
7ce6aaf566
[New Rule] Unusual Command Execution from Web Server Parent ( #4512 )
...
* [New Rule] Unusual Command Execution from Web Server Parent
* ++
2025-03-06 16:25:38 +01:00
b9e8115c2f
[New Rule] Python Site or User Customize File Creation ( #4500 )
...
* [New Rule] Python Site or User Customize File Creation
* Update persistence_site_and_user_customize_file_creation.toml
* Update persistence_site_and_user_customize_file_creation.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2025-03-03 15:30:33 +01:00
d948279af6
[New Rule] Python Path File (pth) Creation ( #4499 )
...
* [New Rule] Python Path File (pth) Creation
* ++
* Update persistence_pth_file_creation.toml
* Update persistence_pth_file_creation.toml
* Update persistence_pth_file_creation.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2025-03-03 15:20:00 +01:00
f70eafb8e7
[New Rule] Successful SSH Authentication from Unusual User ( #4481 )
...
* [New Rule] Succesful SSH Authentication from Unusual User
* Rename initial_access_first_time_public_key_authentication.toml to initial_access_successful_ssh_authentication_by_unusual_user.toml
* Update rules/linux/initial_access_successful_ssh_authentication_by_unusual_user.toml
* Update initial_access_successful_ssh_authentication_by_unusual_user.toml
* Update rules/linux/initial_access_successful_ssh_authentication_by_unusual_user.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2025-03-03 11:55:27 +01:00
06002cd9ac
[New Rule] Kill Command Execution ( #4485 )
...
* [New Rule] Kill Command Execution
* Update defense_evasion_kill_command_executed.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2025-02-28 11:26:50 +01:00
9bb3b9f204
[New Rule] Unusual File Transfer Utility Launched ( #4487 )
...
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2025-02-28 11:15:21 +01:00
029fd45bb1
[New Rule] Base64 Decoded Payload Piped to Interpreter ( #4488 )
...
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2025-02-28 11:01:52 +01:00
a2a120858f
[New Rule] Unusual Base64 Encoding/Decoding Activity ( #4486 )
...
* [New Rule] Unusual Base64 Encoding/Decoding Activity
* Update defense_evasion_base64_decoding_activity.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2025-02-28 10:09:48 +01:00
8c250db3c3
[New Rule] Successful SSH Authentication from Unusual IP-Address ( #4482 )
...
* [New Rule] Successful SSH Authentication from Unusual IP-Address
* Apply suggestions from code review
* Update rules/linux/initial_access_successful_ssh_authentication_by_unusual_ip.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2025-02-28 09:55:35 +01:00
89f79c6e4f
[New Rule] Successful SSH Authentication from Unusual SSH Public Key ( #4478 )
...
* [New Rule] First Time Public Key Authentication
* Update initial_access_first_time_public_key_authentication.toml
* Update initial_access_first_time_public_key_authentication.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2025-02-28 09:44:51 +01:00
fe48309daf
[New Rule] Linux User Account Credential Modification ( #4484 )
...
* [New Rule] Linux User Account Credential Modification
* Update rules/linux/persistence_user_credential_modification_via_echo.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2025-02-27 16:42:11 +01:00
342e18075b
[New Rule] SSH Authorized Keys File Deletion ( #4483 )
...
* [New Rule] Authorized Keys File Deletion
* Apply suggestions from code review
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2025-02-27 16:29:51 +01:00
a614da5900
[New Rule] Remote File Creation in World Writeable Directory ( #4475 )
...
* [New Rule] Remote File Creation in World Writeable Directory
* Update rules/linux/lateral_movement_remote_file_creation_world_writeable_dir.toml
* Update lateral_movement_remote_file_creation_world_writeable_dir.toml
* Update rules/linux/lateral_movement_remote_file_creation_world_writeable_dir.toml
2025-02-26 10:11:55 +01:00
59473f09ac
[New Rule] Potential Malware-Driven SSH Brute Force Attempt ( #4474 )
...
* [New Rule] Potential Malware-Driven SSH Brute Force Attempt
* Update impact_potential_bruteforce_malware_infection.toml
* Update rules/linux/impact_potential_bruteforce_malware_infection.toml
* Update impact_potential_bruteforce_malware_infection.toml
2025-02-26 10:00:31 +01:00
758e155231
[New Rule] High Number of Egress Network Connections from Unusual Executable ( #4473 )
...
* [New Rule] High Number of Egress Network Connections from Unusual Executable
* Update command_and_control_frequent_egress_netcon_from_sus_executable.toml
* Update rules/linux/command_and_control_frequent_egress_netcon_from_sus_executable.toml
* Update command_and_control_frequent_egress_netcon_from_sus_executable.toml
* Update command_and_control_frequent_egress_netcon_from_sus_executable.toml
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
2025-02-26 09:43:54 +01:00
8a221325e9
[New Rule] Unusual Remote File Creation ( #4476 )
...
* [New Rule] Unusual Remote File Creation
* Description update
* ++
* ++
* Update rules/linux/lateral_movement_unusual_remote_file_creation.toml
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
2025-02-26 09:30:47 +01:00
5155f47b86
[Rule Tuning] Event Aggregation - Fix event.action & event.type conditions ( #4445 )
...
* [Rule Tuning] Event Aggregation - Fix `event.action` & `event.type` conditions
* .
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2025-02-07 18:42:28 -03:00
0268daa17d
[Rule Tuning] Tighten Up Elastic Defend Indexes - Linux ( #4446 )
2025-02-05 15:25:45 -03:00
818467f132
Replace master doc URLs with current ( #4439 )
2025-02-03 21:27:50 +05:30
8d29a1f7d5
[New Rule] Process Backgrounded by Unusual Parent ( #4431 )
...
* [New Rule] Process Backgrounded by Unusual Parent
* Update execution_process_backgrounded_by_unusual_parent.toml
* Update execution_process_backgrounded_by_unusual_parent.toml
2025-02-03 14:17:15 +01:00
14c648598e
[Rule Tuning] Linux DR Tuning - Part 6 ( #4423 )
...
* [Rule Tuning] Linux DR Tuning - Part 6
* Update privilege_escalation_ld_preload_shared_object_modif.toml
* Update privilege_escalation_ld_preload_shared_object_modif.toml
2025-02-03 14:05:26 +01:00
6b84542093
[Rule Tuning] Linux DR Tuning - Part 5 ( #4422 )
...
* [Rule Tuning] Linux DR Tuning - Part 5
* Update rules/linux/persistence_xdg_autostart_netcon.toml
2025-02-03 13:53:53 +01:00
53b9b53467
[Rule Tuning] Linux DR Tuning - Part 4 ( #4421 )
...
* [Rule Tuning] Linux DR Tuning - Part 4
* [Rule Tuning] Linux DR Tuning - Part 4
* Update persistence_etc_file_creation.toml
2025-02-03 13:31:00 +01:00
Ruben Groenewoud