* initial commit
* addressing flake errors
* added apm to _get_packagted_integrations logic
* addressed flake errors
* adjusted integration schema and updated rules to be a list
* updated several rules and removed a unit test
* updated rules with logs-* only index patterns
* Update tests/test_all_rules.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
* addressed flake errors
* integration is none is windows, endpoint or apm
* adding rules with accepted incoming changes from main
* fixed tag and tactic alignment errors from unit testing
* adjusted unit testing logic for integration tags; added more exclusion rules
* adjusted test_integration logic to be rule resistent and skip if -8.3
* adjusted comments for unit test skip
* fixed merge conflicts from main
* changing test_integration_tag to remove logic for rule version comparisons
* added integration tag to new rule
* adjusted rules updated_date value
* ignore guided onboarding rule in unit tests
* added integration tag to new rule
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
* initial commit with rule changes
* removed rule from version lock file to pass unit testing; adjusted rule file name
* adjusted maturity to development
* [Rule Tuning] Multiple Alerts in Different ATT&CK Tactics on a Single Host
* Update non-ecs-schema.json
* Remove duplicated value on non-ecs-schema.json
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
* Create defense_evasion_masquerading_space_after_filename.toml
new rule toml
* Update defense_evasion_masquerading_space_after_filename.toml
toml-lint the file
* Moved to cross-platform folder
moved to cross-platform folder
* update query to specify OS
added filter for host OS to query ```host.os.type:("linux","macos")```
* Update rule query: regex and process.executable
update rule query to use regex instead of wildcards and alert on process.executable instead of process.args and process.name to reduce noise.
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* added elastic security labs URL references
* Update rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml
Is not compatible with Windows blog.
* Update rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml
Is not compatible with Windows blog. Reverting updated date.
* Update rules/macos/credential_access_access_to_browser_credentials_procargs.toml
Is not compatible with Windows blog. Reverting updated date.
* Update rules/macos/credential_access_access_to_browser_credentials_procargs.toml
Is not compatible with Windows blog.
* Update rules/ml/execution_ml_windows_anomalous_script.toml
Is not compatible with Windows blog. Reverting updated date.
* Update rules/linux/credential_access_collection_sensitive_files.toml
Not compatible with Windows blog. Reverting updated date.
* Update rules/linux/credential_access_collection_sensitive_files.toml
Not compatible with Windows blog.
* added credential access URL for mimikatz rules
* updated version ml windows anomalous script rule
* removed change to macOS rule since no blog correlation
* initial commit with eggshell mitre mapping added
* adding updated rules
* [Rule Tuning] MITRE for GCP rules
I've added Mitre references for the 4 GCP rules missing. Changed 3 of the rules from "Impact" to "Defense Evasion" based on the technique used and it's matched tactic.
* [Rule Tuning] Endgame Rule name updates for Mitre
Updated Endgame rule names for those with Mitre tactics to match the tactics.
* Update rules/integrations/aws/persistence_redshift_instance_creation.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update rules/integrations/aws/exfiltration_rds_snapshot_restored.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* adding 10 updated rules for google_workspace, ml and o365
* adding 22 rule updates for mitre att&ck mappings
* adding 24 rule updates related mainly to ML rules
* adding 3 rules related to detection via ML
* adding adjustments
* adding adjustments with solutions to recent pytest errors
* removed tabs from tags
* adjusted mappings and added techniques
* adjusted endgame rule mappings per review
* adjusted names to match different tactics
* added execution and defense evasion tag
* adjustments to address errors from merging with main
* added newlines to rules missing them at the end of the file
Co-authored-by: imays11 <59296946+imays11@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Convert config header to setup in note field
* Parse note field into separate setup and note field with marko gfm
* only validate and parse note on elastic authored rules and add CLI description for new DR_BYPASS_NOTE_VALIDATION_AND_PARSE environment variable
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
* Expand timestamp_override tests
* removed timestamp_override from eql sequence rules
* add config entry for eql rules with beats index and t_o
* add timestamp_override to missing fields
* added comprehensive file timeline to Hosts File Modified rule
* added Comprehensive Process Timeline to Interactive Terminal Spawned via Python rule
* updated rules to have generic instead of comprehensive
* updated several rules with timeline ID and timeline title values
* changed updated_date for threat intel fleet integrations
* added missing templates to timeline_templates dict in definitions.py
* added comprehensive timeline templates to alerts after definitions.py was updated
* updated rules with comprehensive timeline templates and added min stack comments and versions
* removing timeline template changes which is tracked in #1904
* Update rules/linux/execution_python_tty_shell.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Delete Pipfile
Removing pipfile
* Delete Pipfile.lock
deleting pipfile.lock
* Update rules/windows/execution_command_shell_started_by_svchost.toml
updating title
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* [Rule tuning] Update rule verbiage based on docs review
* fix typos
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* revert TI rule changes since it was deprecated
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* [Rule Tuning] Suspicious JAR Child Process
Expand rule coverage by removing the process.args containing a jar file requirement which may help detect also exploitation attempt via command injection vulnerabilities on server apps running JAVA.
* Update rules/cross-platform/execution_suspicious_jar_child_process.toml
In impact_hosts_file_modified rule, the `note` field contains a Windows
path that causes a confused-face-emoji to be rendered in the
Investigation Guide tab.
Surrounding the path in backticks fixes it.
Ruben Groenewoud