6e82ddd307
[Tuning] Suspicious Managed Code Hosting Process ( #3338 )
...
* Update defense_evasion_suspicious_managedcode_host_process.toml
* Update defense_evasion_suspicious_managedcode_host_process.toml
(cherry picked from commit 8b2aed4fc0
2023-12-14 17:57:16 +00:00
362b3291a9
[Tuning] Multiple Logon Failure Followed by Logon Success ( #3340 )
...
* Update credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml
* Update credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml
(cherry picked from commit 727c23e3d2
2023-12-14 17:46:15 +00:00
d5e7f2c958
[Rule Tuning] Account Password Reset Remotely ( #3335 )
...
* [Rule Tuning] Account Password Reset Remotely
- reduced maxspan from 5 to 1m (automated pwd reset)
- excluded most common noisy winlog.event_data.TargetUserName patterns (service account dedicated for pwd reset en masse)
* Update persistence_remote_password_reset.toml
(cherry picked from commit 7a4f1224dc
2023-12-14 17:27:33 +00:00
1f15003bd1
Update Advanced Analytics config guides ( #3302 )
...
* Updating config guides for Advanced Analytics rules
* More updates
* Update setup instructions for LMD
* Adding more guides
* update TestRuleTiming unit test to ignore advanced analytic rules
* fixed flake error
* Moving config guides under setup instead of note
* Removing leading and trailing whitespace
* Updates as requested by PM
* Updating related integrations, minor updates to setup guides
* fixing unit tests to ignore analytic packages with multiple integration tags
* Update tests/test_all_rules.py
* fixing linting errors
---------
Co-authored-by: Kirti Kirti <kirti.kirti@elastic.co >
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit 9a9f5437f2
2023-12-13 15:58:46 +00:00
69f9bb416d
Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12 ( #3319 )
...
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12
* Update detection_rules/etc/version.lock.json
---------
Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit a39a52360a
2023-12-12 18:28:19 +00:00
73e65e14c6
updating min-stack for Okta rule ( #3318 )
...
(cherry picked from commit 631f8841ad
2023-12-12 17:32:32 +00:00
7b7ca3fdc9
[New Rule] Adding Detection for Stolen Credentials Used to Login to Okta Account After MFA Reset ( #3265 )
...
* adding new rule 'Stolen Credentials Used to Login to Okta Account After MFA Reset'
* updated non-ecs; linted rule; updated description
* adjusted interval and maxspan
* Update rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
(cherry picked from commit 93d71acb91
2023-12-12 15:37:32 +00:00
f3d2a73f26
[Rule Tuning] Windows DR Tuning - 6 ( #3246 )
...
* [Rule Tuning] Windows DR Tuning - 6
* Update defense_evasion_masquerading_as_elastic_endpoint_process.toml
* Update defense_evasion_network_connection_from_windows_binary.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
(cherry picked from commit 6f4c323929
2023-12-12 14:43:21 +00:00
908168725a
[FR] 8.12 Release Preparation update Main Branch to 8.13 ( #3313 )
...
* 8.12 Release Prep update Main Branch to 8.13
* Fix typo in integrations
* Updated Schemas
Removed changes from:
- detection_rules/etc/packages.yml
(selectively cherry picked from commit 90a2043bc4
2023-12-11 20:03:26 +00:00
2303db8486
[Bug] Use integration schemas for required_field types ( #3303 )
...
(cherry picked from commit face95058f
2023-12-11 17:37:43 +00:00
7c4a827fb8
[Security Content] Add Investigation Guides to Linux Persistence Rules - 1 ( #3288 )
...
* [Security Content] Add IGs to Persistence Rules
* Cleaned query
* IG description fix
* Added related rules
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit 6c614eb102
2023-12-11 12:58:41 +00:00
53f924d52e
[FR] Add Support for ES|QL Rule Type and Remote Validation ( #3281 )
...
* add suuport for esql type
* add unit tests
* set clients in RemoteConnector from auth methods
* thread remote rules; add engine test
* Add versions to remote validation results
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com >
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
(cherry picked from commit 7514c0a206
2023-12-08 19:52:16 +00:00
094f3ead92
[Security Content] Introduce Investigate Plugin in Investigation Guides ( #3080 )
...
* [Security Content] Introduce Investigate Plugin in Investigation Guides
* Add compatibility note
* Update Transform format
* update transform unit tests for investigate
* updated docs with transform
---------
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com >
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
(cherry picked from commit aeb1f91320
2023-12-08 18:59:53 +00:00
98fe04217b
[Security Content] Add Windows Investigation Guides ( #3095 )
...
* [Security Content] Add Windows Investigation Guides
* Update defense_evasion_rundll32_no_arguments.toml
* Update persistence_suspicious_image_load_scheduled_task_ms_office.toml
* Update privilege_escalation_posh_token_impersonation.toml
* Apply suggestions from code review
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Update execution_ms_office_written_file.toml
* Update persistence_suspicious_image_load_scheduled_task_ms_office.toml
* Update rules/windows/defense_evasion_rundll32_no_arguments.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/windows/defense_evasion_wsl_enabled_via_dism.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/windows/defense_evasion_wsl_enabled_via_dism.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/windows/defense_evasion_wsl_registry_modification.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/windows/defense_evasion_wsl_registry_modification.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/windows/execution_ms_office_written_file.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/windows/persistence_via_wmi_stdregprov_run_services.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update privilege_escalation_posh_token_impersonation.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
(cherry picked from commit eb7c5f6717
2023-12-08 14:36:22 +00:00
ab0c5154a2
[New Rule] Suspicious File Creation via Kworker ( #3237 )
...
* [New Rule] Suspicious File Creation via Kworker
* Update rules/linux/persistence_kworker_file_creation.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
(cherry picked from commit 840958d117
2023-12-07 22:06:53 +00:00
2e585eab84
[New Rule] Out-Of-Tree Kernel Module Load ( #3233 )
...
* [New Rule] Out-Of-Tree Kernel Module Load
* Update rules_building_block/persistence_tainted_kernel_module_out_of_tree_load.toml
* Update rules_building_block/persistence_tainted_kernel_module_out_of_tree_load.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules_building_block/persistence_tainted_kernel_module_out_of_tree_load.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules_building_block/persistence_tainted_kernel_module_out_of_tree_load.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
(cherry picked from commit 490fa0e1d2
2023-12-07 21:58:26 +00:00
84240c082e
[New BBR] Pot. Persistence Through Systemd-udevd ( #3235 )
...
* [New BBR] Persistence Through Systemd-udevd
* Formatting change
* Update rules_building_block/persistence_udev_rule_creation.toml
* Update rules_building_block/persistence_udev_rule_creation.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules_building_block/persistence_udev_rule_creation.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
(cherry picked from commit 07b1cab919
2023-12-07 21:47:32 +00:00
07c235988f
[New Rule] UID Elevation from Unknown Executable ( #3239 )
...
* [New Rule] UID Elevation from Unknown Executable
* type change
* bump min stack
* Added additional exclusions
* Update rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
(cherry picked from commit 9c61231dc6
2023-12-07 21:30:05 +00:00
39c81d157b
[New Rule] Suspicious Kworker UID Elevation ( #3238 )
...
* [New Rule] Suspicious Kworker UID Elevation
* Update privilege_escalation_kworker_uid_elevation.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
(cherry picked from commit 1071b12f00
2023-12-07 20:04:07 +00:00
315e5e9bca
[New] Rare SMB Connection to the Internet ( #3300 )
...
* Create exfiltration_smb_rare_destination.toml
* Update exfiltration_smb_rare_destination.toml
* Update exfiltration_smb_rare_destination.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
(cherry picked from commit 7070eb3b34
2023-12-07 16:15:40 +00:00
67449e26a5
[Rule Tuning] UEBA new_terms process_executable ( #3268 )
...
* [Rule Tuning] UEBA new_terms process_executable
* Update rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
(cherry picked from commit 1647a16fab
2023-12-07 15:43:09 +00:00
6c28ba53ad
[Tuning] Small Linux DR Tuning ( #3287 )
...
(cherry picked from commit 38862b89e9
2023-12-07 11:50:11 +00:00
1ae2cdeca5
[New] Process Created with a Duplicated Token ( #3152 )
...
* [New] Process Created with a Duplicated Token
using `process.Ext.effective_parent.executable` to detect impersonation using token duplicates from windows native binaries to run common lolbins or recently dropped unsigned ones :
* Update privilege_escalation_create_process_with_token_unpriv.toml
* Update privilege_escalation_create_process_with_token_unpriv.toml
* Update rules/windows/privilege_escalation_create_process_with_token_unpriv.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update privilege_escalation_create_process_with_token_unpriv.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
(cherry picked from commit 7488c60090
2023-12-07 11:25:37 +00:00
3d40a09531
Fix syntax error in query ( #3285 )
...
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
(cherry picked from commit a4ad0b6a24
2023-12-07 10:54:00 +00:00
f128070ae5
[Rule Tuning] Multiple Users with the Same Okta Device Token Hash ( #3304 )
...
* tuning rule; adding investigation guide
* updated MITRE ATT&CK
* updated file name
* Updating description
* updated investigation guide
* fixed ATT&CK mappings; updated tags
(cherry picked from commit 5e1546c57c
2023-12-06 15:41:15 +00:00
8e6a01e9ee
[Rule Tuning] Windows DR Tuning - 5 ( #3229 )
...
* [Rule Tuning] Windows DR Tuning - 5
* .
* Revert changes BehaviorOnFailedVerify
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
(cherry picked from commit e5d676797e
2023-12-05 22:25:53 +00:00
f931ba4ef6
[New] Interactive Logon by an Unusual Process ( #3299 )
...
* Create privilege_escalation_make_token_local.toml
* Update privilege_escalation_make_token_local.toml
* Update privilege_escalation_make_token_local.toml
(cherry picked from commit e6df245ff3
2023-12-05 17:39:36 +00:00
7df6661596
Adjust ESQLRuleData to Inherit QueryRuleData Dataclass ( #3297 )
...
* adjusting inheritance of ESQL rule data
* update tests to handle missing index from QueryRuleData
* removed test es|ql rule
---------
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com >
(cherry picked from commit 5358361754
2023-11-30 14:12:26 +00:00
5bceaa3e01
Update QueryRuleData ( #3294 )
...
(cherry picked from commit f7b9a1f8df
2023-11-29 15:48:08 +00:00
53c4ff1fdc
FR] Add Core Support for ES|QL Rule Type ( #3292 )
...
(cherry picked from commit bc39c20eaf
2023-11-28 19:08:40 +00:00
1d05f49436
Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11 ( #3291 )
...
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11
* Update detection_rules/etc/version.lock.json
---------
Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit ba7b2722c2
2023-11-28 17:35:57 +00:00
7a383770bc
[New Rule] Okta FastPass Phishing ( #2782 )
...
* Create initial_access_fastpass_phishing.toml
* Rename initial_access_fastpass_phishing.toml to initial_access_okta_fastpass_phishing.toml
* Update initial_access_okta_fastpass_phishing.toml
* Update initial_access_okta_fastpass_phishing.toml
* Update initial_access_okta_fastpass_phishing.toml
* Update initial_access_okta_fastpass_phishing.toml
* Update initial_access_okta_fastpass_phishing.toml
* Update initial_access_okta_fastpass_phishing.toml
* Update initial_access_okta_fastpass_phishing.toml
* Update initial_access_okta_fastpass_phishing.toml
* Update initial_access_okta_fastpass_phishing.toml
* Update initial_access_okta_fastpass_phishing.toml
* Update initial_access_okta_fastpass_phishing.toml
* Update initial_access_okta_fastpass_phishing.toml
* Update rules/integrations/okta/initial_access_okta_fastpass_phishing.toml
* Update rules/integrations/okta/initial_access_okta_fastpass_phishing.toml
* Update rules/integrations/okta/initial_access_okta_fastpass_phishing.toml
* Update rules/integrations/okta/initial_access_okta_fastpass_phishing.toml
* Update rules/integrations/okta/initial_access_okta_fastpass_phishing.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
(cherry picked from commit 1f47e3c1a9
2023-11-28 14:31:33 +00:00
e1e8b12f26
[New Rule] Okta MFA Bombing Attempt ( #3278 )
...
* new rule 'Potential Okta MFA Bombing via Push Notifications'
* updated naming
* TOML lint
* adjusted duplicate rule ID
* added event category override; added until sequence statement
* added verify authentication success
* moved setup to separate field
* enhanced query optimization
(cherry picked from commit e6fef85899
2023-11-28 14:21:18 +00:00
23ef78cb60
[New Rule] Adding Detection for Multiple Okta Users with the Same Device Token Hash ( #3267 )
...
* added new rule 'Multiple Okta Users with the Same Device Token Hash'
* moved rule to okta integration folder
* adjusted query to be optimized
* added false positive comment
* Update rules/integrations/okta/initial_access_multiple_active_users_from_single_device.toml
(cherry picked from commit 69cb2f6fc6
2023-11-28 00:28:48 +00:00
c8e4d378ff
[New Rule] Threshold Detections for Okta User Sessions and Client Addresses ( #3263 )
...
* new Okta threshold rules for client addresses and sessions
* adjusting references
* Update rules/integrations/okta/initial_access_multiple_client_addresses_with_single_okta_session.toml
* Update rules/integrations/okta/initial_access_multiple_client_addresses_with_single_okta_session.toml
* Update rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml
* Update rules/integrations/okta/initial_access_multiple_client_addresses_with_single_okta_session.toml
* Update rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Update rules/integrations/okta/initial_access_multiple_client_addresses_with_single_okta_session.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Update rules/integrations/okta/initial_access_multiple_client_addresses_with_single_okta_session.toml
* Update rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml
* Update rules/integrations/okta/initial_access_multiple_client_addresses_with_single_okta_session.toml
* Update rules/integrations/okta/initial_access_multiple_client_addresses_with_single_okta_session.toml
* Update rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml
* Update rules/integrations/okta/initial_access_multiple_client_addresses_with_single_okta_session.toml
* Update rules/integrations/okta/initial_access_multiple_client_addresses_with_single_okta_session.toml
* Update rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit 0578bd4caa
2023-11-28 00:07:58 +00:00
fdeeb7bc67
[New Rule] Detection for Okta Sign-In Events via Third-Party IdP ( #3259 )
...
* adding new rule 'Okta Sign-In Events via Third-Party IdP'
* fix creation date
* fixed query efficiency
* added investigation guide
* Update rules/integrations/okta/initial_access_sign_in_events_via_third_party_idp.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit 8eeb95f545
2023-11-27 23:36:25 +00:00
4d5b8c6f2d
adding new rule 'New Okta Identity Provider (IdP) Added by Admin' ( #3258 )
...
(cherry picked from commit 73288af642
2023-11-27 23:11:58 +00:00
3808d01776
[New Rule] Adding Detection for First Occurrence of Okta User Session Started via Proxy ( #3261 )
...
* new rule 'First Occurrence of Okta User Session Started via Proxy'
* Update rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml
* Update rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml
* Update rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml
* Update rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml
(cherry picked from commit 8321cfe018
2023-11-27 22:55:16 +00:00
a6b6f9279f
[New Rule] Adding Detection for New Okta Authentication Behavior ( #3260 )
...
* new rule 'New Okta Authentication Behavior Detected'
* Update rules/integrations/okta/initial_access_new_authentication_behavior_detection.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit f19506f3a2
2023-11-27 22:44:18 +00:00
d171b9a442
[New] First Time Seen NewCredentials Lgon Process ( #3276 )
...
* Create privilege_escalation_newcreds_logon_rare_process.toml
* Update privilege_escalation_newcreds_logon_rare_process.toml
* Update privilege_escalation_newcreds_logon_rare_process.toml
* Update privilege_escalation_newcreds_logon_rare_process.toml
* Update rules/windows/privilege_escalation_newcreds_logon_rare_process.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit 88f752bf8b
2023-11-27 18:42:41 +00:00
0c9509d093
Setup Guide information for MacOS rules ( #3274 )
...
(cherry picked from commit 7854081cc0
2023-11-22 14:53:34 +00:00
4e5ad462c3
[New Rule] Adding Detection Logic for Okta User Sessions Started from Different Geolocations ( #3279 )
...
* new rule 'Okta User Sessions Started from Different Geolocations'
* Update rules/integrations/okta/initial_access_okta_user_sessions_started_from_different_geolocations.toml
(cherry picked from commit 832ee02aed
2023-11-21 22:37:18 +00:00
61bbcfec52
Add UEBA Tag ( #3277 )
...
(cherry picked from commit 93ad4b0959
2023-11-20 19:56:28 +00:00
dd49bcc535
[Bug] Fix typo in downgrade_contents_from_rule ( #3272 )
...
* Fix missing to_dict()
* Update pyproject.toml
(cherry picked from commit 66c1d7f3b4
2023-11-15 04:11:25 +00:00
337f11fa7c
[Rule Tuning] Fix Menasec Expired Links ( #3271 )
...
(cherry picked from commit f53f46efd5
2023-11-14 13:24:35 +00:00
b342660c3a
Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11 ( #3270 )
...
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11
* Update detection_rules/etc/version.lock.json
---------
Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit 9195eedb9c
2023-11-13 19:51:15 +00:00
8fee26a296
Enhance Setup Guide information ( #3256 )
...
(cherry picked from commit d52546eee5
2023-11-03 13:42:18 +00:00
96f7803431
[Bug] Add Integration Schema Validation to NewTermsRuleData.validate Method ( #3227 )
...
* adjusted validation method to include integration schema checks
* fixed linting errors
* re-factored NewTermsRuleData and added unit testing
(cherry picked from commit 829f5ea885
2023-11-02 20:58:10 +00:00
73c239557b
[New BBR] Segfault Detected ( #3240 )
...
* [New BBR] Segfault Detected
* Update rules_building_block/execution_linux_segfault.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules_building_block/execution_linux_segfault.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
(cherry picked from commit dff4633dd4
2023-11-02 08:47:06 +00:00
396bfc5bec
[New BBR] Kernel Driver Load ( #3236 )
...
* [New BBR] Kernel Driver Load
* added event.dataset to the query
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
(cherry picked from commit 967f6a4c89
2023-11-02 08:39:10 +00:00
Samirbous