6e8d5f31b8
Bump KQL lib Version ( #3575 )
...
(cherry picked from commit e6f48ade01
2024-04-05 17:46:07 +00:00
354acf7f5a
Update default ( #3574 )
...
(cherry picked from commit fbb6df506e
2024-04-05 00:34:29 +00:00
c6df1d085f
[Bug] KQL fails validation on uppercase keywords ( #3568 )
...
* add todo
* Add a normalize_kql_keywords function to utils
* update rule loader to normalize and warn
* optimized loading
* fix linting
* Moved conversion to kql module.
* Updated unit test
* Refactor KQL parser to normalize keywords via flag
* Fix logic typo
* Update detection_rules/utils.py
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update lib/kql/kql/__init__.py
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Updated to fix unit tests and remove warnings
* linting typo
* Added comments
* remove unused imports
* Update kql.parse default
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
(cherry picked from commit 1566c29bae
2024-04-04 22:10:16 +00:00
07204987f2
[Bug] New Terms Rule Import Failing ( #3569 )
...
* initial patch
* Update definitions to allow for brackets in name
* Update to prompt for required fields.
* Update detection_rules/cli_utils.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
(cherry picked from commit fa75876322
2024-04-04 21:44:19 +00:00
d3458a0b7f
[Bug] Add explicit format preserver ( #3566 )
...
(cherry picked from commit c35652c8c8
2024-04-04 20:57:40 +00:00
5066f9203c
[Bug] Threshold Rule Importing Failures ( #3560 )
...
* remove threshold specific req
* fix test event override
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
(cherry picked from commit a9cc323d09
2024-04-03 18:22:42 +00:00
2812118000
Add filebeat-* index pattern to rules based on system.auth dataset ( #3561 )
...
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit 153657029b
2024-04-03 09:35:17 +00:00
502deb1978
Deprecate Releasing to a patch kibana version workflow ( #3552 )
...
(cherry picked from commit 3fbffa24ed
2024-04-03 03:11:19 +00:00
d515a539d4
Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13 ( #3567 )
...
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13
* Update detection_rules/etc/deprecated_rules.json
---------
Co-authored-by: shashank-elastic <shashank-elastic@users.noreply.github.com >
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
(cherry picked from commit 8d5bd3b0f6
2024-04-02 18:36:59 +00:00
7438c38b29
Fix minstack version for O365 prod rules ( #3565 )
...
(cherry picked from commit 0e2eb5a84c
2024-04-02 16:12:24 +00:00
a3ba0fcda3
[Rule Tuning] First Time Seen Commonly Abused Remote Access Tool Execution ( #3545 )
...
* [Rule Tuning] First Time Seen Commonly Abused Remote Access Tool Execution
* Update command_and_control_new_terms_commonly_abused_rat_execution.toml
* Update command_and_control_new_terms_commonly_abused_rat_execution.toml
* Update command_and_control_new_terms_commonly_abused_rat_execution.toml
* Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
(cherry picked from commit 4ab7c9b178
2024-04-02 14:13:37 +00:00
010e564256
[Tuning] Connection to Commonly Abused Web Services ( #3425 )
...
* Update command_and_control_common_webservices.toml
* Update command_and_control_common_webservices.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit 69173872da
2024-04-02 13:48:50 +00:00
ece5175894
[New Rule] Suspicious Access to LDAP Attributes ( #2504 )
...
* Create discovery_high_number_ad_properties.toml
* Update discovery_high_number_ad_properties.toml
* Update rules/windows/discovery_high_number_ad_properties.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/discovery_high_number_ad_properties.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* fixed tags; moved note to setup, updated date
* Update discovery_high_number_ad_properties.toml
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co >
(cherry picked from commit f025616cbd
2024-04-02 13:04:54 +00:00
36c6968d71
[Rule Tuning] Potential Application Shimming via Sdbinst ( #3553 )
...
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit c781376188
2024-04-02 09:42:16 +00:00
d00325f432
[New] Potential Execution via XZBackdoor ( #3555 )
...
* [New] Potential Execution via XZBackdoor
* Update rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update persistence_suspicious_ssh_execution_xzbackdoor.toml
* Update persistence_suspicious_ssh_execution_xzbackdoor.toml
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit f2490007e8
2024-04-02 04:22:04 +00:00
4eac68bb07
[Rule Tuning] Tighten up Indexes of Elastic Defend Windows Rules ( #3549 )
...
* [Rule Tuning] Tighten up Indexes of Elastic Defend Windows Rules
* Delete test.pkl
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit b47b91b9ec
2024-04-01 23:52:07 +00:00
9cba1e96e6
[Rule Tuning] Replace KQL exceptions for Query DSL Exceptions ( #3505 )
...
* [Rule Tuning] Replace KQL exceptions for Query DSL Exceptions
* update min_stack
* build out schema in more detail for Filters
* Update detection_rules/rule.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
* Remove enum for definition
* remove unused import
* remove $state store
* transform state
* add call to super
* add return type hint
* use dataclass metadata
* use Literal type
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
Removed changes from:
- rules/windows/collection_mailbox_export_winlog.toml
- rules/windows/collection_posh_clipboard_capture.toml
- rules/windows/defense_evasion_posh_assembly_load.toml
- rules/windows/defense_evasion_posh_compressed.toml
- rules/windows/discovery_posh_suspicious_api_functions.toml
- rules/windows/discovery_privileged_localgroup_membership.toml
- rules/windows/execution_posh_hacktool_functions.toml
- rules/windows/execution_posh_psreflect.toml
- rules_building_block/collection_posh_compression.toml
- rules_building_block/defense_evasion_powershell_clear_logs_script.toml
- rules_building_block/discovery_posh_generic.toml
- rules_building_block/lateral_movement_posh_winrm_activity.toml
(selectively cherry picked from commit 67ca13c1ce
2024-04-01 20:52:24 +00:00
390cb8e2d1
Update setup guide for ML integration packages ( #3475 )
...
* Add more detail to ingest pipeline install
* Add more info to anomaly detection setup
* Update draft
* Fix typo
* Bulk add doc updates
* Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml
Co-authored-by: Kirti Sodhi <109447885+sodhikirti07@users.noreply.github.com >
* Address Kseniia feedback
* Update updated_date per review feedback
---------
Co-authored-by: Kirti Sodhi <109447885+sodhikirti07@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
(cherry picked from commit 400a84628e
2024-04-01 19:09:37 +00:00
aef30b595d
[FR] Add support for investigation_fields ( #3550 )
...
(cherry picked from commit bb907a4d76
2024-04-01 16:59:11 +00:00
a2fd651db3
Fix create PR in release workflow ( #3528 )
...
(cherry picked from commit 8b215eac41
2024-04-01 15:54:13 +00:00
92c5b6ad1b
[Rule Deprecation] Deprecate Remote File Creation on a Sensitive Directory ( #3477 )
...
* deprecating
* adjusted matury tag; updated dates
(cherry picked from commit d4bf04256d
2024-04-01 15:08:08 +00:00
5ab2090060
[FR] Add required-fields option to import-rules ( #3546 )
...
(cherry picked from commit b6a7e7ebda
2024-03-28 23:36:29 +00:00
24d4cdaf5d
[New Rules] Potential PowerShell Pass-the-Hash/Relay Script ( #3543 )
...
* [New Rules] Potential PowerShell Pass-the-Hash/Relay Script
* Update credential_access_posh_relay_tools.toml
* Update execution_posh_hacktool_functions.toml
* Update credential_access_posh_relay_tools.toml
* Update credential_access_posh_relay_tools.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
(cherry picked from commit 218c3bead6
2024-03-28 10:15:17 +00:00
f217aed00d
[New Rule] Creation of a DNS-Named Record ( #3539 )
...
* [New Rule] Creation of a DNS-Named Record
* Update credential_access_dnsnode_creation.toml
* Update rules/windows/credential_access_dnsnode_creation.toml
(cherry picked from commit 954a93c3b4
2024-03-27 21:27:49 +00:00
fff1170ffc
[New Rule] Potential ADIDNS Poisoning via Wildcard Record Creation ( #3535 )
...
* [New Rule] Potential ADIDNS Poisoning via Wildcard Record Creation
* Update credential_access_adidns_wildcard.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit 67e9ebf8e1
2024-03-27 13:14:33 +00:00
09b2ff76a9
[New] Suspicious Execution via ScreenConnect ( #3541 )
...
* [New] Suspicious Execution via ScreenConnect
- Suspicious ScreenConnect Client Child Process (limited to known suspicious patterns)
- ScreenConnect Server Spawning Suspicious Processes (webshell access via ScreenConnect server)
* Update command_and_control_screenconnect_childproc.toml
* Update rules/windows/initial_access_webshell_screenconnect_server.toml
* Update rules/windows/command_and_control_screenconnect_childproc.toml
* Update rules/windows/command_and_control_screenconnect_childproc.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update command_and_control_screenconnect_childproc.toml
* Update command_and_control_screenconnect_childproc.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
(cherry picked from commit d7aff43621
2024-03-27 12:01:14 +00:00
28b6e2c042
fix typo in lateral_movement_remote_services.toml ( #3538 )
...
(cherry picked from commit 138447221f
2024-03-27 10:45:46 +00:00
155ac20303
[Rule Tuning] Scheduled Task Activity via pwsh ( #3534 )
...
(cherry picked from commit 760b99bcc1
2024-03-26 13:52:17 +00:00
9fa3292200
[New] Suspicious JetBrains TeamCity Child Process ( #3532 )
...
* [New] Suspicious JetBrains TeamCity Child Process
* Update initial_access_exploit_jetbrains_teamcity.toml
* Update initial_access_exploit_jetbrains_teamcity.toml
* Update initial_access_exploit_jetbrains_teamcity.toml
* Update initial_access_exploit_jetbrains_teamcity.toml
(cherry picked from commit fc76a8bcb5
2024-03-25 16:39:58 +00:00
149c78b390
Update sort parameter ( #3531 )
...
(cherry picked from commit 3503786154
2024-03-25 15:53:27 +00:00
981702698c
Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13 ( #3526 )
...
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13
* Update detection_rules/etc/deprecated_rules.json
---------
Co-authored-by: shashank-elastic <shashank-elastic@users.noreply.github.com >
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
(cherry picked from commit eaf4658620
2024-03-21 15:08:44 +00:00
ba1158808f
[Bug] Update lock versions dependencies ( #3525 )
...
(cherry picked from commit fc7cc2c06a
2024-03-21 13:43:07 +00:00
7f3799319d
[New Rules] Veeam Credential Access DRs ( #3516 )
...
* [New Rules] Veeam Credential Access DRs
* bump
* Update credential_access_veeam_commands.toml
* Update credential_access_veeam_backup_dll_imageload.toml
* Update rules/windows/credential_access_veeam_backup_dll_imageload.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update credential_access_veeam_commands.toml
* Update rules/windows/credential_access_veeam_backup_dll_imageload.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit 779fa7710d
2024-03-21 13:08:44 +00:00
ce984b8531
[Rule Tuning] Potential Reverse Shell via UDP ( #3508 )
...
(cherry picked from commit a6028b43b3
2024-03-21 12:55:46 +00:00
b06b730213
Update README.md ( #3524 )
...
(cherry picked from commit e37bc6f781
2024-03-20 18:39:33 +00:00
32ed8f141d
[Rule Tuning] SMTP on Port 26/TCP ( #3521 )
...
(cherry picked from commit 07abc19932
2024-03-19 21:02:22 +00:00
f66da9d350
[FR] Update Python Dependency Versions ( #3515 )
...
(cherry picked from commit 5c3523954e
2024-03-19 19:14:23 +00:00
b19541f0f8
[Rule Tuning] Tuning 'First Time Seen AWS Secret Value Accessed in Secrets Manager' ( #3494 )
...
* tuning 'First Time Seen AWS Secret Value Accessed in Secrets Manager'
* reverting lookback window
* missing word in description
(cherry picked from commit f6e79944f2
2024-03-15 23:16:44 +00:00
3354460843
[FR] Independently package kql / kibana and bump to py3.12 ( #3514 )
...
(cherry picked from commit d26981f712
2024-03-15 01:25:26 +00:00
f1542e6ef5
[FR] Add support for dataviews in the rule schema ( #3510 )
...
(cherry picked from commit 8724077a0e
2024-03-14 22:48:17 +00:00
18a34a15ff
[Rule Tuning] Guided Onboarding Rule ( #3502 )
...
* [Rule Tuning] Guided Onboarding Rule
* Update guided_onboarding_sample_rule.toml
* Revert "Update guided_onboarding_sample_rule.toml"
This reverts commit 18721277df7416534440a4708fa3b060f2775a27.
* Update guided_onboarding_sample_rule.toml
* Update guided_onboarding_sample_rule.toml
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit c610e19114
2024-03-14 14:04:20 +00:00
9f234eecc7
[New Rules] mprotect() RWX Binary Execution ( #3507 )
...
* [New Rules] mprotect() RWX Binary Execution
* Added rule names
* Update execution_netcon_from_rwx_mem_region_binary.toml
* Update execution_unknown_rwx_mem_region_binary_executed.toml
* Update execution_unknown_rwx_mem_region_binary_executed.toml
* Update execution_netcon_from_rwx_mem_region_binary.toml
* Update execution_netcon_from_rwx_mem_region_binary.toml
(cherry picked from commit 4179180fcb
2024-03-13 21:17:57 +00:00
b43003c3f1
[Rule Tuning] Improve Compatibility in WIndows Detection Rules - Part 1 ( #3501 )
...
* Initial commit
* Date bump
(cherry picked from commit f5254f3b5e
2024-03-13 13:32:43 +00:00
578e86eeae
[Tuning] event.action and event.type change ( #3495 )
...
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Removed changes from:
- rules/linux/discovery_process_capabilities.toml
- rules/linux/privilege_escalation_enlightenment_window_manager.toml
- rules/linux/privilege_escalation_gdb_sys_ptrace_elevation.toml
- rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml
- rules/linux/privilege_escalation_suspicious_chown_fowner_elevation.toml
- rules/linux/privilege_escalation_suspicious_uid_guid_elevation.toml
- rules_building_block/discovery_capnetraw_capability.toml
- rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml
(selectively cherry picked from commit 9f8638a004
2024-03-13 09:16:15 +00:00
b1989a921b
[Security Content] Small tweaks on the setup guides ( #3308 )
...
* [Security Content] Small tweaks on the setup guides
* Additional Fixes
* Avoid touching deprecated rules
Removed changes from:
- rules/integrations/beaconing/command_and_control_beaconing.toml
- rules/integrations/beaconing/command_and_control_beaconing_high_confidence.toml
- rules/linux/discovery_process_capabilities.toml
- rules/linux/privilege_escalation_dac_permissions.toml
- rules/linux/privilege_escalation_enlightenment_window_manager.toml
- rules/linux/privilege_escalation_gdb_sys_ptrace_elevation.toml
- rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml
- rules/linux/privilege_escalation_suspicious_chown_fowner_elevation.toml
- rules/linux/privilege_escalation_suspicious_uid_guid_elevation.toml
- rules_building_block/discovery_capnetraw_capability.toml
- rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml
(selectively cherry picked from commit 458e67918a
2024-03-11 12:14:53 +00:00
5cec5b7f31
[Rule Tuning] DR Performance-Poor Rules ( #3399 )
...
* [Rule Tuning] DR Performance
* .
* Update rules/cross-platform/lateral_movement_remote_file_creation_in_sensitive_directory.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Update rules/windows/persistence_registry_uncommon.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Update lateral_movement_remote_file_creation_in_sensitive_directory.toml
* Update lateral_movement_remote_file_creation_in_sensitive_directory.toml
* Update persistence_startup_folder_scripts.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit edf4da8526
2024-03-11 11:55:35 +00:00
4d071fe48d
fix: correct the provider for the create, delete and modify routes in EC2 VPCs ( #3500 )
...
(cherry picked from commit 709cfddcbe
2024-03-08 19:07:01 +00:00
7c37deafc8
[Tuning] Linux Cross-Platform Tuning - Part 1 ( #3468 )
...
* [Tuning] Linux Cross-Platform Tuning - Part 1
* Update defense_evasion_deletion_of_bash_command_line_history.toml
* Update defense_evasion_deletion_of_bash_command_line_history.toml
* Update defense_evasion_deletion_of_bash_command_line_history.toml
* Update defense_evasion_deletion_of_bash_command_line_history.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
(cherry picked from commit a438052ff3
2024-03-07 17:25:49 +00:00
2faa844301
[Tuning] Linux DR Tuning - Part 12 ( #3464 )
...
* [Tuning] Linux DR Tuning - Part 12
* Update persistence_shared_object_creation.toml
* Update privilege_escalation_dac_permissions.toml
* Update privilege_escalation_enlightenment_window_manager.toml
* Update privilege_escalation_enlightenment_window_manager.toml
* Min stack rule-bending test
* formatting fix
* Revert "Merge branch 'linux-dr-tuning-12' of https://github.com/elastic/detection-rules into linux-dr-tuning-12"
This reverts commit 0170cddd905b4b983f8413eebbc11c9c7b3719ce, reversing
changes made to 29d4a747603faf0ac7c2d502786533b0cd93a5d5.
* Revert "Min stack rule-bending test"
This reverts commit 29d4a747603faf0ac7c2d502786533b0cd93a5d5.
* Update privilege_escalation_enlightenment_window_manager.toml
* Update privilege_escalation_chown_chmod_unauthorized_file_read.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Removed changes from:
- rules/linux/privilege_escalation_dac_permissions.toml
(selectively cherry picked from commit 9c4ba4559d
2024-03-07 17:14:43 +00:00
e18bf43532
[Tuning] Linux BBR Tuning - Part 1 ( #3469 )
...
* [Tuning] Linux BBR Tuning - Part 1
* [Tuning] Linux BBR Tuning - Part 1
* Update defense_evasion_processes_with_trailing_spaces.toml
* Update defense_evasion_processes_with_trailing_spaces.toml
* One more tuning
* Update collection_linux_suspicious_clipboard_activity.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
(cherry picked from commit 3fd0358b73
2024-03-07 16:24:05 +00:00
Eric Forte