Brent Murphy
6a1e97cd06
[Rule Tuning] Update AWS rules to account for Agent index ( #256 )
* Update AWS rules
* change updated date
2020-09-21 09:04:50 -04:00
Ross Wolf
453553f685
Change the way we get environment variables ( #280 )
* Change the way we get environment variables
* Change environ to getenv
* Read from envvar, then config file
* Switch to get_path
* Lint: Remove unused import
* Add --cloud-id/--elasticsearch-url
* Fix comment copy-pasta
2020-09-16 10:23:22 -06:00
Ross Wolf
9d22970e21
Add EQL rules and schema validation ( #297 )
* Add EQL rules and schema validation
* Lint nitpick
* Rename get_schema_from_eql
* Add EQL default language
* Rename parsed_kql to parsed_query
* Fix parsed_kql method call in loader
* Autopopulate dependent values
2020-09-16 08:36:48 -06:00
David French
4041fc8bde
update-okta-rules-for-ingest-manager-compatibility ( #295 )
2020-09-15 15:42:38 -06:00
Brent Murphy
140091e7b8
[New Rule] Azure Storage Account Key Regenerated ( #188 )
* Create credential_access_storage_account_key_regenerated.toml
* Update rules/azure/credential_access_storage_account_key_regenerated.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update credential_access_storage_account_key_regenerated.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-09-04 14:08:48 -04:00
Brent Murphy
040f56ff0c
[New Rule] Azure Network Watcher Deletion ( #232 )
2020-09-04 12:18:18 -04:00
Brent Murphy
21431101b7
[New Rule] Azure External Guest User Invitation ( #231 )
* Create initial_access_external_guest_user_invite.toml
* Update rules/azure/initial_access_external_guest_user_invite.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* update mitre metadata
* lint
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-09-04 12:11:13 -04:00
Brent Murphy
0fc78b3c3b
[New Rule] Azure Key Vault Modified ( #230 )
* [New Rule] Azure Update to Key Vault
* Update rules/azure/credential_access_key_vault_update.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update credential_access_key_vault_modified.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-09-04 11:30:01 -04:00
Brent Murphy
70cc7fd112
[Rule Tuning] AWS Root Login Without MFA ( #229 )
* Update privilege_escalation_root_login_without_mfa.toml
* Update privilege_escalation_root_login_without_mfa.toml
* update index
* Update privilege_escalation_root_login_without_mfa.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-09-04 10:57:51 -04:00
Brent Murphy
e49b69af10
[New Rule] Azure Blob Container Access Level Modification ( #192 )
* Create discovery_blob_container_access_mod.toml
* Update rules/azure/discovery_blob_container_access_mod.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* lint
* Update rules/azure/discovery_blob_container_access_mod.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-09-04 10:48:21 -04:00
David French
6d3955bd8a
[New Rule] High Number of Okta User Password Reset or Unlock Attempts ( #187 )
* new-rule-high-number-of-okta-password-reset-or-unlock-attempts
* Update rules/okta/credential_access_suspicious_okta_user_password_reset_or_unlock_attempts.toml
Update ecs_version
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/okta/credential_access_suspicious_okta_user_password_reset_or_unlock_attempts.toml
Update schedule
* Update FP information and format query for readability
* Update .gitignore
* Update rules/okta/credential_access_suspicious_okta_user_password_reset_or_unlock_attempts.toml
* Tweak formatting of query
* Update rules/okta/credential_access_suspicious_okta_user_password_reset_or_unlock_attempts.toml
Update description
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-09-04 08:38:06 -06:00
David French
230b59dfc9
rule-tuning-user-added-as-owner-for-azure-service-principal ( #258 )
2020-09-04 08:36:20 -06:00
Brent Murphy
bcd698add2
[New Rule] Azure Event Hub Deletion ( #170 )
* Create defense_evasion_event_hub_deletion.toml
* Update rules/azure/defense_evasion_event_hub_deletion.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/azure/defense_evasion_event_hub_deletion.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* lint
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-09-04 10:23:43 -04:00
Brent Murphy
a49d102de3
[New Rule] Azure Event Hub Authorization Rule Created or Updated ( #173 )
* Create collection_update_event_hub_auth_rule.toml
* Update rules/azure/collection_update_event_hub_auth_rule.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/azure/collection_update_event_hub_auth_rule.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-09-04 09:32:30 -04:00
Brent Murphy
0ac7f3d672
[New Rule] Azure Firewall Policy Deletion ( #169 )
* Create defense_evasion_firewall_policy_deletion.toml
* Update rules/azure/defense_evasion_firewall_policy_deletion.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-09-04 09:28:58 -04:00
Brent Murphy
9025a7d183
[New Rule] Azure Diagnostic Settings Deletion ( #157 )
* Create azure_diagnostic_settings_deletion.toml
* Update azure_diagnostic_settings_deletion.toml
2020-09-04 09:20:13 -04:00
Brent Murphy
b4a15960cb
[New Rule] Azure Command Execution on Virtual Machine ( #155 )
* Create execution_command_virtual_machine.toml
* Update execution_command_virtual_machine.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-09-03 17:09:40 -04:00
Brent Murphy
6b04105936
[New Rule] Azure Resource Group Deletion ( #158 )
* Create impact_resource_group_deletion.toml
* Update rules/azure/impact_resource_group_deletion.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-09-03 17:06:43 -04:00
David French
1f555c289f
[New Rule] Azure Privileged Identity Management Role Modified ( #238 )
* new-rule-azure-pim-role-modified
* Add ATT&CK metadata to rule
* Update rules/azure/defense_evasion_azure_privileged_identity_management_role_modified.toml
2020-09-03 15:02:14 -06:00
David French
89db7384a0
[New Rule] Azure Automation Runbook Deleted ( #235 )
* new-rule-azure-automation-runbook-deleted
* Update rules/azure/impact_azure_automation_runbook_deleted.toml
Fix typo in rule description
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/azure/impact_azure_automation_runbook_deleted.toml
Remove superfluous parens from query
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-09-03 13:09:40 -06:00
David French
225aba61c9
[New Rule] Multi-Factor Authentication Disabled for an Azure User ( #195 )
* new-rule-mfa-disabled-for-an-azure-user
* Update rules/azure/defense_evasion_mfa_disabled_for_azure_user.toml
Update ECS version
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/azure/defense_evasion_mfa_disabled_for_azure_user.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-09-03 12:42:27 -06:00
David French
43204391b6
[New Rule] User Added as Owner for Azure Service Principal ( #194 )
* new-rule-user-added-as-owner-for-azure-service-principal
* Update rules/azure/defense_evasion_user_added_as_owner_for_azure_application.toml
Add parens to query
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/azure/defense_evasion_user_added_as_owner_for_azure_application.toml
Update ECS version
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
2020-09-03 12:21:44 -06:00
David French
43f657ac4e
[New Rule] User Added as Owner for Azure Application ( #191 )
* new-rule-user-added-as-owner-for-azure-application
* Update rule name and description
* Update rules/azure/defense_evasion_user_added_as_owner_for_azure_application.toml
Update query to remove superfluous quotes
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/azure/defense_evasion_user_added_as_owner_for_azure_application.toml
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
* Add ATT&CK metadata to rule
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
2020-09-03 12:15:33 -06:00
David French
75474387a8
[New Rule] Attempts to Brute Force an Okta User Account ( #186 )
* new-rule-attempts-to-brute-force-an-okta-user-account
* Update rules/okta/credential_access_attempts_to_brute_force_okta_user_account.toml
* Update rules/okta/credential_access_attempts_to_brute_force_okta_user_account.toml
Update ecs_version
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
2020-09-03 11:23:56 -06:00
David French
4c431d2408
[New Rule] Azure Automation Webhook Created ( #179 )
* new-rule-azure-automation-webhook-created
* Update rules/azure/persistence_azure_automation_webhook_created.toml
Update description
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/azure/persistence_azure_automation_webhook_created.toml
Update ecs_version
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
2020-09-03 11:20:50 -06:00
David French
98f216404a
[New Rule] Azure Automation Runbook Created or Modified ( #178 )
* new-rule-azure-automation-runbook-created-or-modified
* Update rules/azure/persistence_azure_automation_runbook_created_or_modified.toml
Update ecs_version
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-09-03 11:16:42 -06:00
David French
85e799b378
[New Rule] Azure Automation Account Created ( #177 )
* new-rule-azure-automation-account-created
* Fix rule name format 😄
* Update rules/azure/persistence_azure_automation_account_created.toml
Update maturity to production
* Update rules/azure/persistence_azure_automation_account_created.toml
Update ecs_version to 1.6.0
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
2020-09-03 11:08:38 -06:00
Justin Ibarra
6e931959bb
Update pythonpackage.yml ( #242 )
2020-09-02 12:59:33 -08:00
Justin Ibarra
b8e0c379c5
Update packages.yml
2020-09-02 14:10:46 -05:00
Justin Ibarra
6b7ea7e66c
Fix kibana-diff command ( #198 )
2020-09-02 12:19:17 -05:00
Ross Wolf
464d5e645a
Fix kibana-upload and remove cumbersome dataclasses ( #216 )
* Fix kibana-upload and remove cumbersome dataclasses
* Linting fixes
2020-09-01 05:47:27 -06:00
brokensound77
aec3ec31b9
Merge branch '7.9' into main
2020-08-27 15:54:44 -08:00
Ross Wolf
779a3a5b0d
Build all branches
2020-08-27 17:35:13 -06:00
Justin Ibarra
4ffdc46ba7
Lock rule versions ( #207 )
2020-08-27 17:47:29 -05:00
Justin Ibarra
79a0dfefbe
Add ECS 1.6.0 schema for validation testing ( #220 )
* Add ecs 1.6.0 and refresh master ecs (2.0.0)
* update rule metadata to use ecs_version 1.6.0
2020-08-27 11:54:49 -05:00
Andrew Pease
d955ad275e
Add help wanted label to contrib ( #219 )
2020-08-27 10:05:20 -06:00
Ross Wolf
5310ec722a
Fix NOTICE.txt typo
2020-08-24 08:06:58 -06:00
Justin Ibarra
be08536880
Increase lookback for endpoint rules ( #200 )
2020-08-21 12:23:43 -05:00
Ross Wolf
1fccc39699
Change verbiage around Elastic license
2020-08-19 11:47:10 -06:00
Justin Ibarra
28c869fb5f
Expand documentation on CLI and workflows ( #130 )
2020-08-18 14:27:51 -05:00
Justin Ibarra
9b70383898
Refresh ecs master and add beats v7.8.1 schemas ( #156 )
2020-08-17 12:33:20 -05:00
Ross Wolf
08e500e44e
Merge locked versions from 7.9
2020-08-04 13:35:25 -06:00
Ross Wolf
69a5b7e409
Lock versions for 7.9 release
2020-08-04 13:35:14 -06:00
Ross Wolf
cb1c401e27
Merge branch '7.9' into main
2020-08-03 15:20:36 -06:00
Brent Murphy
01b1e8be26
[Rule Tuning] Update Tags for Cloud Rules ( #99 )
* [Rule Tuning] Update Tags for Cloud Rules
* commenting out specifying alphabetical tag order in rule formatter
* Update rule_formatter.py
* py lint
* Lint fix comments
* update modified dates
* Update credential_access_secretsmanager_getsecretvalue.toml
* adding Continuous Monitoring tag
* update tags
* fixed and in tags
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
2020-08-03 17:15:15 -04:00
Ross Wolf
a99b7c96fe
Merge branch '7.9' into main
2020-08-03 14:03:15 -06:00
Brent Murphy
7efe33e01d
[Rule Tuning] Update Index Pattern for Detection Engine Rules ( #101 )
* [Rule Tuning] Update Index Pattern for Detection Engine Rules
* update indices
2020-08-03 15:46:57 -04:00
Ross Wolf
83e33e70bb
Rename slack channel
2020-07-30 19:44:02 -06:00
Ross Wolf
0455307577
Downgrade rule version before uploading to Kibana ( #97 )
* Downgrade version before uploading to Kibana
* Update downgrade exception format
* Update s/siem/detection
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-07-28 11:03:47 -06:00
Yara Tercero
3c4a383947
Add list_id to exceptions_list and remove endgame:* from external alerts ( #98 )
2020-07-28 07:30:48 -06:00