security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
1,834 Commits 1 Branch 0 Tags
724e34ba95ffb48d13e18a91c547800986164572
Commit Graph

1322 Commits

Author SHA1 Message Date
Jonhnathan 724e34ba95 [Rule Tuning] Windows DR Tuning - 9 (#3354) 
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2024-01-07 09:49:33 -03:00
Isai a0f82c3f12 [Tuning] Update min_stack for container rules new ecs field (#3370) 
* Update privilege_escalation_mount_launched_inside_a_privileged_container.toml

update min_stack and comments

* Update privilege_escalation_debugfs_launched_inside_a_privileged_container.toml

update min_stack and comments
 2024-01-05 18:42:42 -05:00
Isai 10b241dcc5 [New Rule] File System Debugger ‘debugfs’ Launched Inside a Privileged Container (#3241) 
* [New Rule] File System Debugger ‘debugfs’ Launched Inside a Privileged Container

This rule detects the use of the built-in Linux DebugFS utility from inside a privileged container. DebugFS is a special
file system debugging utility which supports reading and writing directly from a hard drive device. When launched inside
a privileged container, a container deployed with all the capabilities of the host machine, an attacker can access
sensitive host level files which could be used for further privilege escalation and container escapes to the host
machine.

* added references

* Apply suggestions from code review

* Update rules/integrations/cloud_defend/privilege_escalation_debugfs_launched_inside_a_privileged_container.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Apply suggestions from code review

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2024-01-05 10:28:24 -05:00
Isai db5e1e5cf2 [New Rule] Mount Launched Inside a Privileged Container (#3245) 
* [New Rule] Mount Launched Inside a Privileged Container

This rule detects the use of the mount utility from inside a privileged container. The mount command is used to make a
device or file system accessible to the system, and then to connect its root directory to a specified mount point on the
local file system. When launched inside a privileged container--a container deployed with all the capabilities of the
host machine-- an attacker can access sensitive host level files which could be used for further privilege escalation
and container escapes to the host machine. Any usage of mount inside a running privileged container should be further
investigated.

* Apply suggestions from code review

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2024-01-05 10:17:55 -05:00
Isai 8e1dad0aeb [New Rule] Potential Container Escape via Modified notify_on_release File (#3244) 
* [New Rule] Potential Container Escape via Modified notify_on_release File

This rule detects modification of the cgroup notify_on_release file from inside a container. When the notify_on_release
flag is enabled (1) in a cgroup, then whenever the last task in the cgroup exits or attaches to another cgroup, the
command specified in the release_agent file is run and invoked from the host. A privileged container with SYS_ADMIN
capabilities, enables a threat actor to mount a cgroup directory and modify the notify_on_release flag in order to take
advantage of this feature, which could be used for further privilege escalation and container escapes to the host
machine.

* Apply suggestions from code review

* suggestions from code review

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2024-01-04 22:14:39 -05:00
Isai 0a37df713b [New Rule] Potential Container Escape via Modified release_agent File (#3242) 
* [New Rule] Potential Container Escape via Modified release_agent File

This rule detects modification of the CGroup release_agent file from inside a privileged container. The release_agent is a script that is executed at the termination of any process on that CGroup and is invoked from the host. A privileged container with SYS_ADMIN capabilities, enables a threat actor to mount a CGroup directory and modify the release_agent which could be used for further privilege escalation and container escapes to the host machine.

* Apply suggestions from code review

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2024-01-04 21:24:54 -05:00
Jonhnathan 7b1215ccf1 [Rule Tuning] Windows DR Tuning - 8 (#3353) 
* [Rule Tuning] Windows DR Tuning - 8

* Update rules/windows/defense_evasion_unusual_system_vp_child_program.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules/windows/defense_evasion_via_filter_manager.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules/windows/defense_evasion_via_filter_manager.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2024-01-03 12:00:29 -03:00
Samirbous b7e21d8c29 [New] Potential Evasion via Windows Filtering Platform (#3356) 
* Create defense_evasion_windows_filtering_platform.toml

* Update defense_evasion_windows_filtering_platform.toml

* Update defense_evasion_windows_filtering_platform.toml

* Update defense_evasion_windows_filtering_platform.toml

* Update defense_evasion_windows_filtering_platform.toml

* Update rules/windows/defense_evasion_windows_filtering_platform.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update defense_evasion_windows_filtering_platform.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2024-01-03 12:50:12 +00:00
Terrance DeJesus 7e85854e7b deprecating 'Malicious Remote File Creation' (#3342) 2023-12-20 08:49:45 -05:00
Samirbous 341499a2bc [Deprecate] Potential Process Herpaderping Attempt (#3336) 
* Update and rename defense_evasion_potential_processherpaderping.toml to defense_evasion_potential_processherpaderping.toml

* Rename defense_evasion_potential_processherpaderping.toml to defense_evasion_potential_processherpaderping.toml

* ++

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2023-12-19 15:59:48 -05:00
Jonhnathan 578936d37a [Security Content] Add Windows Investigation Guides (#3257) 
* [Security Content] Add Windows Investigation Guides

* Apply suggestions from code review

Co-authored-by: Joe Peeples <joe.peeples@elastic.co>

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Joe Peeples <joe.peeples@elastic.co>
 2023-12-19 12:38:28 -03:00
Jonhnathan 2f468ddcba [Rule Tuning] Windows DR Tuning - 7 (#3344) 
* [Rule Tuning] Windows Rule Tuning -1

* Update command_and_control_ingress_transfer_bits.toml
 2023-12-18 14:27:55 -03:00
Ruben Groenewoud 91a757a018 [Security Content] Add Investigation Guides to Linux C2 Rules (#3247) 
* [Security Content] Add Investigation Guides to Linux C2 Rules

* Applied feedback
 2023-12-18 17:02:40 +01:00
Terrance DeJesus 203c228249 [Rule Tuning] Adjust Attempt to Deactivate MFA for an Okta User Account Okta Rule (#3345) 
* tuning 'MFA Deactivation with no Re-Activation for Okta User Account'

* adjusted query to include like function
 2023-12-18 09:14:10 -05:00
Ruben Groenewoud 84824c67fd [Tuning & New Rule] Linux Reverse Shell & DR Tuning (#3254) 
* [Rule Tuning & New Rule] Linux Reverse Shell

* [Tuning & New Rule] Linux Reverse Shells

* Name change

* Update rules/linux/execution_shell_via_child_tcp_utility_linux.toml

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>

* Update execution_shell_via_child_tcp_utility_linux.toml

* Update execution_shell_via_background_process.toml

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2023-12-18 09:36:21 +01:00
Samirbous 4b183be124 [Tuning] Suspicious Script Object Execution (#3339) 
* Update defense_evasion_suspicious_scrobj_load.toml

---------

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
 2023-12-14 16:49:54 -07:00
Samirbous 07b952b7bc [Tuning] Remote Scheduled Task Creation (#3337) 
* Update non-ecs-schema.json
* add timestamp override

---------

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
 2023-12-14 16:39:52 -07:00
Justin Ibarra aff7f37b92 [Rule Tuning] Optimize query for Installation of Custom Shim Databases (#3331) 
* [Rule Tuning] Optimize query for Installation of Custom Shim Databases
* add timestamp override
* update query exceptions
* tighten endpoint index pattern to registry

---------

Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2023-12-14 15:04:08 -07:00
Justin Ibarra a7b9a61942 [Rule Tuning] Optimize query for Direct Outbound SMB Connection (#3329) 
* [Rule Tuning] Optimize query for Direct Outbound SMB Connection

---------

Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2023-12-14 11:21:46 -07:00
Samirbous 8b2aed4fc0 [Tuning] Suspicious Managed Code Hosting Process (#3338) 
* Update defense_evasion_suspicious_managedcode_host_process.toml

* Update defense_evasion_suspicious_managedcode_host_process.toml
 2023-12-14 17:51:35 +00:00
Samirbous 727c23e3d2 [Tuning] Multiple Logon Failure Followed by Logon Success (#3340) 
* Update credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml

* Update credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml
 2023-12-14 17:41:06 +00:00
Samirbous 7a4f1224dc [Rule Tuning] Account Password Reset Remotely (#3335) 
* [Rule Tuning] Account Password Reset Remotely

- reduced maxspan from 5 to 1m (automated pwd reset)
- excluded most common noisy winlog.event_data.TargetUserName patterns (service account dedicated for pwd reset en masse)

* Update persistence_remote_password_reset.toml
 2023-12-14 17:22:19 +00:00
Apoorva Joshi 9a9f5437f2 Update Advanced Analytics config guides (#3302) 
* Updating config guides for Advanced Analytics rules

* More updates

* Update setup instructions for LMD

* Adding more guides

* update TestRuleTiming unit test to ignore advanced analytic rules

* fixed flake error

* Moving config guides under setup instead of note

* Removing leading and trailing whitespace

* Updates as requested by PM

* Updating related integrations, minor updates to setup guides

* fixing unit tests to ignore analytic packages with multiple integration tags

* Update tests/test_all_rules.py

* fixing linting errors

---------

Co-authored-by: Kirti Kirti <kirti.kirti@elastic.co>
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2023-12-13 07:53:41 -08:00
Terrance DeJesus 631f8841ad updating min-stack for Okta rule (#3318) 2023-12-12 12:27:18 -05:00
Terrance DeJesus 93d71acb91 [New Rule] Adding Detection for Stolen Credentials Used to Login to Okta Account After MFA Reset (#3265) 
* adding new rule 'Stolen Credentials Used to Login to Okta Account After MFA Reset'

* updated non-ecs; linted rule; updated description

* adjusted interval and maxspan

* Update rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-12-12 10:31:45 -05:00
Jonhnathan 6f4c323929 [Rule Tuning] Windows DR Tuning - 6 (#3246) 
* [Rule Tuning] Windows DR Tuning - 6

* Update defense_evasion_masquerading_as_elastic_endpoint_process.toml

* Update defense_evasion_network_connection_from_windows_binary.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2023-12-12 11:37:54 -03:00
Ruben Groenewoud 6c614eb102 [Security Content] Add Investigation Guides to Linux Persistence Rules - 1 (#3288) 
* [Security Content] Add IGs to Persistence Rules

* Cleaned query

* IG description fix

* Added related rules

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2023-12-11 13:53:06 +01:00
Jonhnathan aeb1f91320 [Security Content] Introduce Investigate Plugin in Investigation Guides (#3080) 
* [Security Content] Introduce Investigate Plugin in Investigation Guides
* Add compatibility note
* Update Transform format
* update transform unit tests for investigate
* updated docs with transform

---------

Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
 2023-12-08 11:54:40 -07:00
Jonhnathan eb7c5f6717 [Security Content] Add Windows Investigation Guides (#3095) 
* [Security Content] Add Windows Investigation Guides

* Update defense_evasion_rundll32_no_arguments.toml

* Update persistence_suspicious_image_load_scheduled_task_ms_office.toml

* Update privilege_escalation_posh_token_impersonation.toml

* Apply suggestions from code review

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update execution_ms_office_written_file.toml

* Update persistence_suspicious_image_load_scheduled_task_ms_office.toml

* Update rules/windows/defense_evasion_rundll32_no_arguments.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/windows/defense_evasion_wsl_enabled_via_dism.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/windows/defense_evasion_wsl_enabled_via_dism.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/windows/defense_evasion_wsl_registry_modification.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/windows/defense_evasion_wsl_registry_modification.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/windows/execution_ms_office_written_file.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/windows/persistence_via_wmi_stdregprov_run_services.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update privilege_escalation_posh_token_impersonation.toml

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>
 2023-12-08 11:31:16 -03:00
Ruben Groenewoud 840958d117 [New Rule] Suspicious File Creation via Kworker (#3237) 
* [New Rule] Suspicious File Creation via Kworker

* Update rules/linux/persistence_kworker_file_creation.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-12-07 23:02:00 +01:00
Ruben Groenewoud 9c61231dc6 [New Rule] UID Elevation from Unknown Executable (#3239) 
* [New Rule] UID Elevation from Unknown Executable

* type change

* bump min stack

* Added additional exclusions

* Update rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-12-07 22:25:01 +01:00
Ruben Groenewoud 1071b12f00 [New Rule] Suspicious Kworker UID Elevation (#3238) 
* [New Rule] Suspicious Kworker UID Elevation

* Update privilege_escalation_kworker_uid_elevation.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2023-12-07 20:59:07 +01:00
Samirbous 7070eb3b34 [New] Rare SMB Connection to the Internet (#3300) 
* Create exfiltration_smb_rare_destination.toml

* Update exfiltration_smb_rare_destination.toml

* Update exfiltration_smb_rare_destination.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-12-07 13:10:20 -03:00
Ruben Groenewoud 1647a16fab [Rule Tuning] UEBA new_terms process_executable (#3268) 
* [Rule Tuning] UEBA new_terms process_executable

* Update rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-12-07 16:38:08 +01:00
Ruben Groenewoud 38862b89e9 [Tuning] Small Linux DR Tuning (#3287) 2023-12-07 12:45:24 +01:00
Samirbous 7488c60090 [New] Process Created with a Duplicated Token (#3152) 
* [New] Process Created with a Duplicated Token

using `process.Ext.effective_parent.executable` to detect impersonation using token duplicates from windows native binaries to run common lolbins or recently dropped unsigned ones :

* Update privilege_escalation_create_process_with_token_unpriv.toml

* Update privilege_escalation_create_process_with_token_unpriv.toml

* Update rules/windows/privilege_escalation_create_process_with_token_unpriv.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update privilege_escalation_create_process_with_token_unpriv.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2023-12-07 08:20:30 -03:00
Eric a4ad0b6a24 Fix syntax error in query (#3285) 
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-12-07 07:49:18 -03:00
Terrance DeJesus 5e1546c57c [Rule Tuning] Multiple Users with the Same Okta Device Token Hash (#3304) 
* tuning rule; adding investigation guide

* updated MITRE ATT&CK

* updated file name

* Updating description

* updated investigation guide

* fixed ATT&CK mappings; updated tags
 2023-12-06 10:35:46 -05:00
Jonhnathan e5d676797e [Rule Tuning] Windows DR Tuning - 5 (#3229) 
* [Rule Tuning] Windows DR Tuning - 5

* .

* Revert changes BehaviorOnFailedVerify

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2023-12-05 19:20:40 -03:00
Samirbous e6df245ff3 [New] Interactive Logon by an Unusual Process (#3299) 
* Create privilege_escalation_make_token_local.toml

* Update privilege_escalation_make_token_local.toml

* Update privilege_escalation_make_token_local.toml
 2023-12-05 17:34:10 +00:00
Austin Songer 1f47e3c1a9 [New Rule] Okta FastPass Phishing (#2782) 
* Create initial_access_fastpass_phishing.toml

* Rename initial_access_fastpass_phishing.toml to initial_access_okta_fastpass_phishing.toml

* Update initial_access_okta_fastpass_phishing.toml

* Update initial_access_okta_fastpass_phishing.toml

* Update initial_access_okta_fastpass_phishing.toml

* Update initial_access_okta_fastpass_phishing.toml

* Update initial_access_okta_fastpass_phishing.toml

* Update initial_access_okta_fastpass_phishing.toml

* Update initial_access_okta_fastpass_phishing.toml

* Update initial_access_okta_fastpass_phishing.toml

* Update initial_access_okta_fastpass_phishing.toml

* Update initial_access_okta_fastpass_phishing.toml

* Update initial_access_okta_fastpass_phishing.toml

* Update initial_access_okta_fastpass_phishing.toml

* Update rules/integrations/okta/initial_access_okta_fastpass_phishing.toml

* Update rules/integrations/okta/initial_access_okta_fastpass_phishing.toml

* Update rules/integrations/okta/initial_access_okta_fastpass_phishing.toml

* Update rules/integrations/okta/initial_access_okta_fastpass_phishing.toml

* Update rules/integrations/okta/initial_access_okta_fastpass_phishing.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2023-11-28 09:26:16 -05:00
Terrance DeJesus e6fef85899 [New Rule] Okta MFA Bombing Attempt (#3278) 
* new rule 'Potential Okta MFA Bombing via Push Notifications'

* updated naming

* TOML lint

* adjusted duplicate rule ID

* added event category override; added until sequence statement

* added verify authentication success

* moved setup to separate field

* enhanced query optimization
 2023-11-28 09:16:20 -05:00
Terrance DeJesus 69cb2f6fc6 [New Rule] Adding Detection for Multiple Okta Users with the Same Device Token Hash (#3267) 
* added new rule 'Multiple Okta Users with the Same Device Token Hash'

* moved rule to okta integration folder

* adjusted query to be optimized

* added false positive comment

* Update rules/integrations/okta/initial_access_multiple_active_users_from_single_device.toml
 2023-11-27 19:23:38 -05:00
Terrance DeJesus 0578bd4caa [New Rule] Threshold Detections for Okta User Sessions and Client Addresses (#3263) 
* new Okta threshold rules for client addresses and sessions

* adjusting references

* Update rules/integrations/okta/initial_access_multiple_client_addresses_with_single_okta_session.toml

* Update rules/integrations/okta/initial_access_multiple_client_addresses_with_single_okta_session.toml

* Update rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml

* Update rules/integrations/okta/initial_access_multiple_client_addresses_with_single_okta_session.toml

* Update rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules/integrations/okta/initial_access_multiple_client_addresses_with_single_okta_session.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules/integrations/okta/initial_access_multiple_client_addresses_with_single_okta_session.toml

* Update rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml

* Update rules/integrations/okta/initial_access_multiple_client_addresses_with_single_okta_session.toml

* Update rules/integrations/okta/initial_access_multiple_client_addresses_with_single_okta_session.toml

* Update rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml

* Update rules/integrations/okta/initial_access_multiple_client_addresses_with_single_okta_session.toml

* Update rules/integrations/okta/initial_access_multiple_client_addresses_with_single_okta_session.toml

* Update rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2023-11-27 19:03:06 -05:00
Terrance DeJesus 8eeb95f545 [New Rule] Detection for Okta Sign-In Events via Third-Party IdP (#3259) 
* adding new rule 'Okta Sign-In Events via Third-Party IdP'

* fix creation date

* fixed query efficiency

* added investigation guide

* Update rules/integrations/okta/initial_access_sign_in_events_via_third_party_idp.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2023-11-27 18:31:27 -05:00
Terrance DeJesus 73288af642 adding new rule 'New Okta Identity Provider (IdP) Added by Admin' (#3258) 2023-11-27 18:06:54 -05:00
Terrance DeJesus 8321cfe018 [New Rule] Adding Detection for First Occurrence of Okta User Session Started via Proxy (#3261) 
* new rule 'First Occurrence of Okta User Session Started via Proxy'

* Update rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml

* Update rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml

* Update rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml

* Update rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml
 2023-11-27 17:50:13 -05:00
Terrance DeJesus f19506f3a2 [New Rule] Adding Detection for New Okta Authentication Behavior (#3260) 
* new rule 'New Okta Authentication Behavior Detected'

* Update rules/integrations/okta/initial_access_new_authentication_behavior_detection.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2023-11-27 17:39:10 -05:00
Samirbous 88f752bf8b [New] First Time Seen NewCredentials Lgon Process (#3276) 
* Create privilege_escalation_newcreds_logon_rare_process.toml

* Update privilege_escalation_newcreds_logon_rare_process.toml

* Update privilege_escalation_newcreds_logon_rare_process.toml

* Update privilege_escalation_newcreds_logon_rare_process.toml

* Update rules/windows/privilege_escalation_newcreds_logon_rare_process.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2023-11-27 18:37:15 +00:00
shashank-elastic 7854081cc0 Setup Guide information for MacOS rules (#3274) 2023-11-22 20:18:22 +05:30