6b03cbb54b
[New Rules] cap_setuid/cap_setgid privesc ( #3075 )
...
* [New Rules] cap_setuid/cap_setgid privesc
* Update persistence_setuid_setgid_capability_set.toml
* Update rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update privilege_escalation_suspicious_cap_setuid_python_execution.toml
* Update rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml
* Update privilege_escalation_suspicious_cap_setuid_python_execution.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
(cherry picked from commit 6ea11cd9ad
2023-10-18 14:29:35 +00:00
71f4ba024c
[New Rule] Potential SSH-IT SSH Worm Downloaded ( #3121 )
...
* [New Rule]
* Fixed grammar mistake
* Update rules/linux/lateral_movement_ssh_it_worm_download.toml
* Update rules/linux/lateral_movement_ssh_it_worm_download.toml
(cherry picked from commit 4190c3a6a7
2023-10-18 14:14:42 +00:00
28c04cbdcf
[New Rule] Pot. Network Scan Executed from Host ( #3070 )
...
(cherry picked from commit 7d674db11e
2023-10-18 13:52:28 +00:00
f82c0b6e0b
[New Rules] [BBR] Windows Deprecated ERs Conversion - 3 ( #3143 )
...
* [New Rules] [BBR] Windows Deprecated ERs Conversion - 3
* Update defense_evasion_invalid_codesign_imageload.toml
* Update defense_evasion_invalid_codesign_imageload.toml
* Update rules_building_block/initial_access_execution_remote_via_msiexec.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Update rules_building_block/initial_access_xsl_script_execution_via_com.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules_building_block/initial_access_execution_remote_via_msiexec.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
(cherry picked from commit 74222f86eb
2023-10-17 17:22:19 +00:00
7921daeddd
[New Rules] [BBR] Windows Deprecated ERs Conversion - 2 ( #3138 )
...
* [New Rules] [BBR] Windows Deprecated ERs Conversion - 2
* Update defense_evasion_unsigned_bits_client.toml
* Update rules_building_block/defense_evasion_suspicious_msiexec_execution.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* .
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit 3ea3e5a9fd
2023-10-17 16:55:50 +00:00
d24492678e
[New Rules] [BBR] Windows Deprecated ERs Conversion - 1 ( #3131 )
...
* [New Rules] [BBR] Windows Deprecated ERs Conversion - 1
* .
* .
* Update defense_evasion_dotnet_clickonce_dfsvc_netcon.toml
* .
(cherry picked from commit 32002fd89b
2023-10-17 14:42:54 +00:00
118f11daf6
Setup information for Linux Rules - Set7 ( #3190 )
...
(cherry picked from commit 276c0f9cd3
2023-10-17 14:21:37 +00:00
b873968d3a
Setup information for Linux Rules - Set6 ( #3189 )
...
(cherry picked from commit 5a98208b53
2023-10-17 14:09:16 +00:00
a7e83681e3
Setup information for Linux Rules - Set5 ( #3188 )
...
(cherry picked from commit 2a48db0598
2023-10-17 13:46:52 +00:00
95f45de9cc
Setup information for Linux Rules - Set4 ( #3179 )
...
(cherry picked from commit 25b527c149
2023-10-17 13:35:14 +00:00
f99b745866
Setup information for Linux Rules - Set3 ( #3178 )
...
(cherry picked from commit d2c2987d72
2023-10-17 13:13:05 +00:00
34ef0f1752
Setup information for Linux Rules - Set2 ( #3177 )
...
(cherry picked from commit 1801a4ee7e
2023-10-17 13:01:51 +00:00
18dc3b0f73
[New Rule] [BBR] Memory Dump File Rules ( #3122 )
...
* [New Rule] Memory Dump File Rules
* .
* .
* .
(cherry picked from commit a33a124eab
2023-10-17 12:41:28 +00:00
f7a2c9b0b4
[Rule Tuning] Potential Masquerading as Browser Process ( #3180 )
...
* [Rule Tuning] Potential Masquerading as Browser Process
* Update defense_evasion_masquerading_browsers.toml
* Update defense_evasion_masquerading_browsers.toml
(cherry picked from commit 8035516e8e
2023-10-17 11:59:16 +00:00
97ce9d7478
[Rule Tuning] Potential Masquerading as System32 DLL ( #3184 )
...
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit e4e68c2dd8
2023-10-17 11:35:05 +00:00
6bc1104f86
[Rule Tuning] Adjust Lucene queries to use Uppercase operators ( #3196 )
...
(cherry picked from commit 82685e36ce
2023-10-16 20:14:08 +00:00
cad094abbd
[New Rule] Adding DGA Rules from Advanced Analytic DGA Package ( #3102 )
...
* Adding DGA rules
* Adding references
* updated rule tags and queries
* Updating min stack version
* added logic to handle ml jobs
* added code comments for clarity
* removing subbed security docs folder
* added event dataset to queries for endpoint; updated note
* removed event dataset
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co >
(cherry picked from commit a5a606e804
2023-10-16 19:54:30 +00:00
9426d79b1c
[Tuning] Adjusted Rules for Anti-Evasion ( #3163 )
...
* Update lateral_movement_executable_tool_transfer_smb.toml
* Update lateral_movement_incoming_wmi.toml
* Update lateral_movement_execution_via_file_shares_sequence.toml
* Update lateral_movement_executable_tool_transfer_smb.toml
* Update lateral_movement_execution_via_file_shares_sequence.toml
* Update lateral_movement_executable_tool_transfer_smb.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
(cherry picked from commit 24b0aa5c63
2023-10-16 17:02:08 +00:00
ef715864f4
[Security Content] Adjust Mitre Att&ck Mappings - Windows Rules ( #3165 )
...
* [Security Content] Adjust Mitre Att&ck Mappings - Windows Rules
* Fix dates
* Fix unit test errors
* updated tags and fixed branch conflicts
updated tags and fixed branch conflicts
* description nit
* Reverting unintended changes
* Update initial_access_suspicious_ms_office_child_process.toml
---------
Co-authored-by: imays11 <59296946+imays11@users.noreply.github.com >
(cherry picked from commit f584fb6e31
2023-10-15 21:18:03 +00:00
2f7471e749
[New Rule] Adding Data Exfiltration Rules from Advanced Analytic DED Package ( #3126 )
...
* Adding DED rules
* adding integration manifests and schemas for DED
* Updating min stack version
* updating manifests and schemas to match main
* added setup note; updated references
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co >
(cherry picked from commit 97ff7fb26e
2023-10-14 17:29:24 +00:00
045de05e46
Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11 ( #3183 )
...
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11
* Update detection_rules/etc/version.lock.json
---------
Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit 2b0735024e
2023-10-13 19:16:31 +00:00
685cc8f628
[FR] 8.11 Release Preparation and Update Main Branch to 8.12 ( #3182 )
...
* prepping for 8.12 branch
* added ananlytic manifests and schemas
* fix linting issues
* updated analytic package manifests and schemas
Removed changes from:
- detection_rules/etc/packages.yml
(selectively cherry picked from commit b4f8fc3290
2023-10-13 17:43:21 +00:00
3351e87789
Improve exsisting setup configurations for Linux ( #3141 )
...
(cherry picked from commit 15718ea09e
2023-10-13 08:15:12 +00:00
094ad60ff6
[New Rule] New GitHub App Installed ( #3055 )
...
* new rule
* Update rules/integrations/github/execution_new_github_app_installed.toml
* Update rules/integrations/github/execution_new_github_app_installed.toml
edits from review
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* change query from event.module to event.dataset
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit 374c9c6257
2023-10-13 00:16:30 +00:00
d72996c401
[New Rule] Migrate Lateral Movement Detection Rules ( #3175 )
...
* adding LMD rules
* added setup note; updated references
* adds 2.0.0 lmd manifest and schema
* adjusted min-stack for non-ML rules
(cherry picked from commit 1e514afa57
2023-10-12 19:07:54 +00:00
0308e32ea0
[FR] Add ML Jobs to Schemas and Unit Test for Validation ( #3161 )
...
* adding machine learning job id validation
* Update rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml
* Update tests/test_all_rules.py
* adding integration manifests and schemas from main
* rebuilt manifests and schemas with lmd
* fixed unit test linting
* adding manifests and schemas for other analytic packages
* updated manifests and schemas; adjusted unit test for verbosity
* sorted imports
(cherry picked from commit 3e212e2b74
2023-10-12 14:57:00 +00:00
788f2ce884
[Rule Tuning] PowerShell Rules Tuning ( #3169 )
...
(cherry picked from commit 3f2a709370
2023-10-11 21:03:44 +00:00
7c563fb834
[New Rule] File Compressed or Archived into Common Format ( #3173 )
...
* [New Rule] File Compressed or Archived into Common Format
* new build-threat-map-entry-command
---------
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
(cherry picked from commit 7f8a9849c4
2023-10-11 18:40:16 +00:00
f67291561e
[FR] Only supporting known compatible rule file types ( #3167 )
...
* Only supporting known compatible file types
* Add --ignore-invalid-files flag
* Added support to ignore invalid rule files
* Update detection_rules/utils.py
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update detection_rules/utils.py
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update detection_rules/utils.py
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update detection_rules/utils.py
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update detection_rules/main.py
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* reverting main
* add punctuation
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit 9f61ce4923
2023-10-11 15:49:41 +00:00
c9a1edd9fc
[New Rule] Potential curl CVE-2023-38545 Exploitation ( #3168 )
...
* [New Rule] Potential curl CVE-2023-38545 Exploitation
* Added setup guide
* Update execution_curl_CVE_2023_38545.toml
* File name change
* File name change
* Update dates
* Update rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml
* Update rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
(cherry picked from commit 89cfdcd440
2023-10-11 14:48:20 +00:00
f66b82c0ec
[Tuning] Windows Execution Rule Tuning for UEBA ( #3107 )
...
* Update defense_evasion_execution_msbuild_started_by_script.toml
* Mostly updated Execution tags, also new_terms conv
* removed index
* Removed index
* WMIPrvSE tuning
* Additional tuning
* Tuning & changes
* Additional tuning
* Applied unit test optimization
* Addressed feedback
* Update rules/windows/execution_command_shell_started_by_svchost.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* caseless unit testing fix
* fixed caseless executable unit test
* unit testing fix
* Update rules/windows/execution_suspicious_powershell_imgload.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update execution_ms_office_written_file.toml
* Update rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
* Update rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
* Added user ids to new terms
* Update rules/windows/execution_suspicious_powershell_imgload.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules_building_block/execution_unsigned_service_executable.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update execution_unsigned_service_executable.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
(cherry picked from commit c2822e175c
2023-10-11 08:21:37 +00:00
d4d794b586
[Tuning] Windows Discovery Rule Tuning for UEBA ( #3097 )
...
* [Tuning] Win DR Tuning for UEBA
* Need to get used to Windows formatting
* Added additional content
* Updated min stack
* Added additional tuning
* Fixed unit testing for KQL optimization
* Update rules_building_block/discovery_internet_capabilities.toml
* Additional tuning
* Kuery optimization
* Additional tuning
* Additional tuning
* Additional tuning
* Additional tuning
* Unit testing optimization fix
* optimization
* tuning
* Optimization
* Update rules/windows/discovery_privileged_localgroup_membership.toml
* Added feedback
* Update rules/windows/discovery_privileged_localgroup_membership.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules/windows/discovery_remote_system_discovery_commands_windows.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules/windows/discovery_system_service_discovery.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* added host.id as additional new_terms field
* Reworked a lot.
* kibana.alert.rule.rule_id to non-ecs-schema.json
* Fixed index by adding a dot
* fixed typo
* Added host.os.type:windows for signals
* Added additional tag
* Added Higher-Order Rule tag
* Stripped down signal rules down to two
* revert
* Update rules/windows/discovery_admin_recon.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules_building_block/discovery_generic_registry_query.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules_building_block/discovery_system_time_discovery.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/windows/discovery_privileged_localgroup_membership.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update discovery_generic_registry_query.toml
* Readded exclusions
* Added trailing wildcards for KQL
* Update discovery_privileged_localgroup_membership.toml
* Update rules_building_block/discovery_signal_unusual_user_host.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Formatting fix
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
(cherry picked from commit 4cdf52129a
2023-10-11 07:49:08 +00:00
bd7d94c1f3
[New Rule] Pot. Rev. Shell via Background Process ( #3114 )
...
(cherry picked from commit a46797b987
2023-10-06 21:20:37 +00:00
281d02e5d2
[New Rule] New GitHub Owner Added ( #3090 )
...
* [New Rule] New GitHub Owner Added
new rule
* name change
* Apply suggestions from code review
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
(cherry picked from commit ef8f5620e1
2023-10-06 20:03:14 +00:00
e9ecac7c75
[New Rule] GitHub Owner Role Granted to User ( #3087 )
...
* [New Rule] GitHub Owner Role Granted to User
new rule
* Update persistence_organization_owner_role_granted.toml
* updated integration schema
* changed timestamp_override
* Apply suggestions from code review
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit 9593412847
2023-10-06 19:50:02 +00:00
5152ea9c6f
[Tuning] CVE-2023-4911 ( #3160 )
...
(cherry picked from commit c3cc01333a
2023-10-06 11:18:47 +00:00
138b46a423
removing lmd rules and fixing version lock history ( #3159 )
...
(cherry picked from commit 57c05f0444
2023-10-05 16:22:34 +00:00
b6da24629e
[New Rule] PE via CVE-2023-4911 (Looney Tunables) ( #3158 )
...
* [New Rule] PE via CVE-2023-4911 (Looney Tunables)
* Update rules/linux/privilege_escalation_looney_tunables_cve_2023_4911.toml
* Update rules/linux/privilege_escalation_looney_tunables_cve_2023_4911.toml
(cherry picked from commit f4ad1f28e3
2023-10-05 14:47:09 +00:00
2b22d066fd
[Rule Tuning] Add filebeat Compatibility to Network Rules ( #2925 )
...
* add beats compatability to NPC rules
* added filebeat compatibility to 'Accepted Default Telnet Port Connection'
* added filebeat compatibility to 'Cobalt Strike Command and Control Beacon'
* added filebeat compatibility to 'Default Cobalt Strike Team Server Certificate'
* added filebeat compatibility to 'Roshal Archive (RAR) or PowerShell File Downloaded from the Internet'
* added filebeat compatibility to 'Possible FIN7 DGA Command and Control Behavior'
* added filebeat compatibility to 'Halfbaked Command and Control Beacon'
* added filebeat compatibility to 'IPSEC NAT Traversal Port Activity'
* added filebeat compatibility to 'SMTP on Port 26/TCP'
* added filebeat compatibility to 'RDP (Remote Desktop Protocol) from the Internet'
* added filebeat compatibility to 'VNC (Virtual Network Computing) from the Internet'
* added filebeat compatibility to 'VNC (Virtual Network Computing) to the Internet'
* added filebeat compatibility to 'RPC (Remote Procedure Call) from the Internet'
* added filebeat compatibility to 'RPC (Remote Procedure Call) to the Internet'
* added filebeat compatibility to 'SMB (Windows File Sharing) Activity to the Internet'
* removed extra space in query
* added filebeat compatibility to 'Inbound Connection to an Unsecure Elasticsearch Node'
* added filebeat compatibility to 'Abnormally Large DNS Response'
* fixed missing ending parenthesis
* added auditbeat to compatible rules
* addressed feedback
* removed filebeat and auditbeat due to incompatibility
* Update rules/network/command_and_control_cobalt_strike_beacon.toml
* Update rules/network/command_and_control_accepted_default_telnet_port_connection.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
(cherry picked from commit b8ae2218f8
2023-10-03 19:11:07 +00:00
e38cb6ee58
Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10 ( #3155 )
...
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10
* Update detection_rules/etc/version.lock.json
---------
Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit 0e2ae5b9ef
2023-10-03 18:40:36 +00:00
54303f84fc
adjusting minimum stack version for version control ( #3154 )
...
(cherry picked from commit 8d2b730bc5
2023-10-03 17:41:45 +00:00
5e5ac212ae
Updated common.requires_os calls ( #3109 )
...
(cherry picked from commit bba8cd3b57
2023-10-03 14:53:42 +00:00
dd080b7850
[New BBR] Sus. Process Started via tmux or screen ( #3071 )
...
* [New BBR] Sus. Process Started via tmux or screen
* [New BBR] Unix Socket Connection
* Revert "[New BBR] Unix Socket Connection"
This reverts commit 92a0b09e8c505bceb1025124658bb4233d5d19d9.
* Update rules_building_block/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
(cherry picked from commit 8f122197bb
2023-09-30 11:02:39 +00:00
add7ce9508
[Bug] Updated os.path calls to pathlib ( #3110 )
...
* Updated os.path calls to pathlib
* fixed typo
* os.join replacement typo
* additional join typo
* updated os directory functions
* exist_ok typo
* cleanup
* Updated for cleanliness
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
(cherry picked from commit 16550b7144
2023-09-28 20:38:34 +00:00
3b2a09d55c
[Bug] Create Rule CLI Crashes on Required Arg ( #3127 )
...
(cherry picked from commit e4b66c23dc
2023-09-28 19:33:57 +00:00
89a8bdfd0c
[FR] Added asset tag to expected tags ( #3115 )
...
* Added asset tag to expected tags
* removed *
* Add regex wildcard tag support
* Updated tag format test location
* Updated to use env variable
* fixed typo
(cherry picked from commit 4828ae07df
2023-09-28 18:15:12 +00:00
fadd7fe320
[Rule Tuning] Update LMD Rules Min-Stack to 8.5 ( #3142 )
...
* updating min-stack to 8.5
* updated min stack comments
(cherry picked from commit 8650b26002
2023-09-27 20:23:45 +00:00
116a7de890
[New Rule] Adding Lateral Movement Rules from Advanced Analytic LMD Package ( #3119 )
...
* Adding Lateral Movement Detection rules
* added tags; adjusted tests; updated manifests and schemas
* added default value to build_integrations_schema
* combined analytic and non-dataset packages for related integrations
* adjusted machine learning definitions
* adjusted machine learning definitions
* removed splat for machine learning list due to 3.8 constraints
---------
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit 747ee7d593
2023-09-27 18:59:55 +00:00
7cb4c5216d
[New Rule] [BBR] File with Suspicious Extension Downloaded ( #3139 )
...
* [New Rule] [BBR] File with Suspicious Extension Downloaded
* Update defense_evasion_download_susp_extension.toml
(cherry picked from commit f77bec8552
2023-09-27 15:43:02 +00:00
07d80c2b70
[New RTA] Privesc via OverlayFS ( #3003 )
...
* [New RTA] Privesc via OverlayFS
* Update rta/overlayfs_privesc.py
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
(cherry picked from commit 6f7e419f1e
2023-09-27 08:51:15 +00:00
Ruben Groenewoud