sigma-rules

Author	SHA1	Message	Date
Terrance DeJesus	3d57209705	[Rule Tuning] Bump Minimum Stacks for AWS and Okta for Version Control (#3221 ) * adding adjusted Okta rules * adding adjusted AWS rules * adding adjusted AWS rules	2023-10-24 12:51:59 -04:00
Jonhnathan	b4c84e8a40	[Security Content] Tags Reform (#2725 ) * Update Tags * Bump updated date separately to be easy to revert if needed * Update resource_development_ml_linux_anomalous_compiler_activity.toml * Apply changes from the discussion * Update persistence_init_d_file_creation.toml * Update defense_evasion_timestomp_sysmon.toml * Update defense_evasion_application_removed_from_blocklist_in_google_workspace.toml * Update missing Tactic tags * Update unit tests to match new tags * Add missing IG tags * Delete okta_threat_detected_by_okta_threatinsight.toml * Update command_and_control_google_drive_malicious_file_download.toml * Update persistence_rc_script_creation.toml * Mass bump * Update persistence_shell_activity_by_web_server.toml * . --------- Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co> Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>	2023-06-22 18:38:56 -03:00
Terrance DeJesus	71d93e875e	[Rule Tuning] Tuning 'AWS Access Secret in Secrets Manager' to New Terms (#2760 ) * [Rule Tuning] Tuning 'AWS Access Secret in Secrets Manager' to New Terms * updated new terms	2023-05-03 09:28:59 -04:00
Jonhnathan	38b8311482	[Security Content] Expand Abbreviated Tags (#2414 ) * [Security Content] Expand Abbreviated Tags * . * Update privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.toml * Apply suggestions from code review Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * Revert changes to deprecated rules * Bump updated_date --------- Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>	2023-03-06 17:37:52 -03:00
Jonhnathan	9981cca275	[Security Content] Investigation Guides Line breaks refactor (#2454 ) * [Security Content] Investigation Guides Line breaks refactor (#2412) * [Security Content] Investigation Guides Line break refactor * undo updated_date bump on deprecated rules * Remove duplicated key * Remove changes to deprecated rules * Update command_and_control_certutil_network_connection.toml	2023-01-09 13:28:10 -03:00
Terrance DeJesus	b1a689b6fd	Revert "[Security Content] Investigation Guides Line breaks refactor (#2412 )" (#2453 ) This reverts commit `d1481e1a88`.	2023-01-09 10:44:54 -05:00
Jonhnathan	d1481e1a88	[Security Content] Investigation Guides Line breaks refactor (#2412 ) * [Security Content] Investigation Guides Line break refactor * undo updated_date bump on deprecated rules * Remove duplicated key	2023-01-09 11:56:39 -03:00
Terrance DeJesus	4312d8c958	[FR] Add Endpoint, APM and Windows Integration Tags to Rules and Supportability (#2429 ) * initial commit * addressing flake errors * added apm to _get_packagted_integrations logic * addressed flake errors * adjusted integration schema and updated rules to be a list * updated several rules and removed a unit test * updated rules with logs-* only index patterns * Update tests/test_all_rules.py Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * addressed flake errors * integration is none is windows, endpoint or apm * adding rules with accepted incoming changes from main * fixed tag and tactic alignment errors from unit testing * adjusted unit testing logic for integration tags; added more exclusion rules * adjusted test_integration logic to be rule resistent and skip if -8.3 * adjusted comments for unit test skip * fixed merge conflicts from main * changing test_integration_tag to remove logic for rule version comparisons * added integration tag to new rule * adjusted rules updated_date value * ignore guided onboarding rule in unit tests * added integration tag to new rule Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>	2023-01-04 09:30:07 -05:00
Terrance DeJesus	ae4e59ec7d	[FR] Update ATT&CK Package to v12.1 (#2422 ) * initial update to v12.1 attack package * added additional click echo output * addressed flake errors * updated rules with refreshed att&ck data * Update detection_rules/devtools.py Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>	2022-12-16 12:04:20 -05:00
Jonhnathan	ac01718bb6	[Rule Tuning] Add tags to flag Sysmon-only rules & Modify Investigation Guide-related tag (#2352 ) * [Rule Tuning] Add tags to flag Sysmon-only rules * Modify tags * Revert "Modify tags" This reverts commit 3d9267d171a41f727bb499501d71d5c4db4f0434. * Modify tags * Update test_all_rules.py * Update test_all_rules.py * Update test_all_rules.py * Update test_all_rules.py * Update test_all_rules.py	2022-11-18 12:32:27 -03:00
Xavier G Pich	4615b462be	[New Rule] AWS KMS CMK Disabled or Scheduled for Deletion (#2318 ) * [New Rule] AWS KMS CMK Disabled or Scheduled for Deletion * Fixed double double quotes Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Add min_stack metadata Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update rule description as per suggestion Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Remove MITRE ATT&CK tactic Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update rule_id Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Indent false positive section Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Keep ownership as per suggestion Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update rule name Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Fix FPs section * Delete .dccache * Revert "Update rule name" This reverts commit 8611c926dfe312f897399343c19d2a37783ada71. * Revert "Fix FPs section" This reverts commit 14148392dadf9a7870be1b0b4dbacf311dbbb4af. * Update FPs section * Delete .dccache * Update rules/integrations/aws/impact_kms_cmk_disabled_or_scheduled_for_deletion.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>	2022-10-20 14:29:08 -03:00
Jonhnathan	ec04a39413	[Security Content] Tag rules with robust Investigation Guides (#2297 )	2022-09-23 14:20:32 -03:00
Justin Ibarra	46d5e37b76	min_stack all rules to 8.3 (#2259 ) * min_stack all rules to 8.3 * bump date Co-authored-by: Mika Ayenson <mika.ayenson@elastic.co>	2022-08-24 10:38:49 -06:00
Jonhnathan	91c00fd442	[Security Content] Add Investigation Guides - Cloud - 3 (#2132 ) * [Security Content] Add Investigation Guides - Cloud - 3 * Apply suggestions from code review Co-authored-by: Joe Peeples <joe.peeples@elastic.co> * Update rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml * update dates * Apply suggestions from review Co-authored-by: Joe Peeples <joe.peeples@elastic.co>	2022-07-27 15:40:09 -03:00
Terrance DeJesus	e8c39d19a7	[Rule Tuning] Missing MITRE ATT&CK Mappings (#2073 ) * initial commit with eggshell mitre mapping added * adding updated rules * [Rule Tuning] MITRE for GCP rules I've added Mitre references for the 4 GCP rules missing. Changed 3 of the rules from "Impact" to "Defense Evasion" based on the technique used and it's matched tactic. * [Rule Tuning] Endgame Rule name updates for Mitre Updated Endgame rule names for those with Mitre tactics to match the tactics. * Update rules/integrations/aws/persistence_redshift_instance_creation.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update rules/integrations/aws/exfiltration_rds_snapshot_restored.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * adding 10 updated rules for google_workspace, ml and o365 * adding 22 rule updates for mitre att&ck mappings * adding 24 rule updates related mainly to ML rules * adding 3 rules related to detection via ML * adding adjustments * adding adjustments with solutions to recent pytest errors * removed tabs from tags * adjusted mappings and added techniques * adjusted endgame rule mappings per review * adjusted names to match different tactics * added execution and defense evasion tag * adjustments to address errors from merging with main * added newlines to rules missing them at the end of the file Co-authored-by: imays11 <59296946+imays11@users.noreply.github.com> Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>	2022-07-22 14:30:34 -04:00
Jonhnathan	7ddae4b493	[Security Content] Add Investigation Guides - Cloud - 2 (#2124 ) * [Security Content] Add Investigation Guides - Cloud - 2 * Replace config/setup * Applies suggestions from review * Update credential_access_aws_iam_assume_role_brute_force.toml * Apply suggestions from code review * Update credential_access_aws_iam_assume_role_brute_force.toml * Apply suggestions from code review Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com> Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>	2022-07-22 14:32:42 -03:00
Jonhnathan	d854b943e5	[Security Content] Add Investigation Guides to Cloud Rules - AWS (#2104 ) * [Security Content] Add Investigation Guides to Cloud Rules - AWS * Apply suggestion from review * Update rules/integrations/aws/exfiltration_ec2_snapshot_change_activity.toml Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> * Update rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> * Apply suggestions from review * Apply suggestions from code review Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * . * Applies suggestions from the https://github.com/elastic/detection-rules/pull/2124 PR Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>	2022-07-20 12:28:58 -03:00
Mika Ayenson	a52751494e	2058 add setup field to metadata (#2061 ) * Convert config header to setup in note field * Parse note field into separate setup and note field with marko gfm * only validate and parse note on elastic authored rules and add CLI description for new DR_BYPASS_NOTE_VALIDATION_AND_PARSE environment variable Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>	2022-07-18 15:41:32 -04:00
Pete Hampton	34655374c1	[New Rule] AWS Redshift Cluster Creation (#1921 ) * Add rule for Redshift data warehouse creation. * Add fp block. * Add AWS integration metadata. * Add timestamp override. * Add note. * Update rules/integrations/aws/persistence_redshift_instance_creation.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update rules/integrations/aws/persistence_redshift_instance_creation.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update description for redshift instance creation. Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>	2022-04-28 14:43:26 -04:00
Jonhnathan	20d2e92cfe	Review & Fix Invalid References (#1936 )	2022-04-26 17:57:15 -03:00
Isai	9640ecb3fe	[Rule Tuning] AWS RDS Instance/Cluster Deletion (#1916 ) * add RDS instance deletion to aws rule I've added to this rule to improve coverage. Currently we detect creation and stopping of RDS clusters and instances. But, we only detect for the deletion of clusters, not instances. This adds the deletion of RDS instances to the detection. * Update rules/integrations/aws/impact_rds_instance_cluster_deletion.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2022-04-10 15:33:33 -04:00
Isai	5073ef8be7	[Rule Tuning] AWS Security Group Configuration Change Detection (#1915 ) * Update persistence_ec2_security_group_configuration_change_detection Rule does not trigger as expected due to 'iam' provider. I changed the specified provider to 'ec2'. * update to improve rule coverage I edited this rule to include the deletion of an RDS Instance. This fills a current gap in coverage as we are able to detect the creation and stopping of RDS instances and clusters, but only detect deletion of RDS clusters. * Revert "update to improve rule coverage" This reverts commit b3b094274fe13c56908aa6781c8236de6e3b5380.	2022-04-07 14:47:09 -04:00
Stijn Holzhauer	2ed97d2e8c	[Rule Tuning] Adding event.provider to AWS WAF Rule or Rule Group Deletion (#1833 ) * Adding event.provider * Removing new line * Updating updated_date field Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>	2022-03-22 20:36:53 -03:00
Jonhnathan	1c50f35aed	[Security Content] Update rules based on docs review (#1803 ) * Adds suggestions from security-docs * Update rules/windows/lateral_movement_powershell_remoting_target.toml Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>	2022-03-01 21:39:30 -03:00
Justin Ibarra	72c64de3f5	[Rule tuning] Update rules based on docs review (#1663 ) * [Rule tuning] Update rule verbiage based on docs review * fix typos Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * revert TI rule changes since it was deprecated Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>	2022-01-28 10:41:22 -09:00
Justin Ibarra	14c46f50b9	[Rule Tuning] updates from documentation review for 7.16 (#1645 )	2021-12-07 15:42:58 -09:00
Justin Ibarra	ab17dfcc28	[Bug] Tighten definitions validation patterns (#1396 ) * [Bug] Anchor validation patterns * Deprecate rule with invalid rule_id and duplicate as new one Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>	2021-10-26 10:26:20 -05:00
Jonhnathan	4524c175c8	Add missing Integration field (#1537 ) * Add missing Integration field * Bump updated_date * Add test for integration<->path * Fix rule folder * bump updated date in rule Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>	2021-10-26 12:05:12 -03:00
Austin Songer	89553d84a9	[New Rule] AWS Route Table Created (#1257 ) * Update impact_iam_deactivate_mfa_device.toml https://github.com/elastic/detection-rules/issues/1111 * Update impact_iam_deactivate_mfa_device.toml * Update discovery_post_exploitation_external_ip_lookup.toml "ipapi.co", "ip-lookup.net", "ipstack.com" Update rules/aws/impact_iam_deactivate_mfa_device.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Revert "Update discovery_post_exploitation_external_ip_lookup.toml" This reverts commit b57fd60c9511e20a336d32a9c9b8d5cf9954c50e. * Update * New Rule: Okta User Attempted Unauthorized Access * Update privilege_escalation_okta_user_attempted_unauthorized_access.toml * Update privilege_escalation_okta_user_attempted_unauthorized_access.toml * Delete privilege_escalation_okta_user_attempted_unauthorized_access.toml * Create persistence_new-or-modified-federation-domain.toml * Delete persistence_new-or-modified-federation-domain.toml * Create persistence_route_table_created.toml * Update persistence_route_table_created.toml * Update rules/persistence_route_table_created.toml Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com> * Update persistence_route_table_created.toml * Update .gitignore Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update persistence_route_table_created.toml * Update * Update Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com> Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>	2021-10-26 10:25:53 -03:00
Austin Songer	3ab67d1562	[New Rule] AWS EventBridge Rule Disabled or Deleted (#1572 ) * Create aws_eventbridge_rule_disabled_or_deleted.toml * Update aws_eventbridge_rule_disabled_or_deleted.toml * Update aws_eventbridge_rule_disabled_or_deleted.toml * Update aws_eventbridge_rule_disabled_or_deleted.toml * Update rules/integrations/aws/aws_eventbridge_rule_disabled_or_deleted.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update rules/integrations/aws/aws_eventbridge_rule_disabled_or_deleted.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update aws_eventbridge_rule_disabled_or_deleted.toml * Rename aws_eventbridge_rule_disabled_or_deleted.toml to impact_aws_eventbridge_rule_disabled_or_deleted.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>	2021-10-18 15:36:21 -03:00
Austin Songer	2c39bb962f	[New Rule] AWS EFS File System or Mount Deleted (#1462 ) * AWS EFS File System or Mount Deleted * Update impact_efs_filesystem_or_mount_deleted.toml * Update rules/integrations/aws/impact_efs_filesystem_or_mount_deleted.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update impact_efs_filesystem_or_mount_deleted.toml * Update impact_efs_filesystem_or_mount_deleted.toml * Update impact_efs_filesystem_or_mount_deleted.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>	2021-10-15 23:23:07 -03:00
Austin Songer	702524b1f7	[New Rule] AWS Suspicious SAML Activity (#1498 ) * Create privilege_escalation_aws_suspicious_saml_activity.toml * Update privilege_escalation_aws_suspicious_saml_activity.toml * Update privilege_escalation_aws_suspicious_saml_activity.toml * Update privilege_escalation_aws_suspicious_saml_activity.toml * Update privilege_escalation_aws_suspicious_saml_activity.toml * Update privilege_escalation_aws_suspicious_saml_activity.toml * Update privilege_escalation_aws_suspicious_saml_activity.toml * Update privilege_escalation_aws_suspicious_saml_activity.toml * Update privilege_escalation_aws_suspicious_saml_activity.toml * Add trailing / Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>	2021-10-15 23:11:15 -03:00
Austin Songer	dc980effb0	[New Rule] AWS RDS Snapshot Restored (#1312 ) * Create exfiltration_rds_snapshot_restored.toml * Update exfiltration_rds_snapshot_restored.toml * Delete exfiltration_rds_snapshot_restored.toml * Create exfiltration_rds_snapshot_restored.toml * Update * Update rules/integrations/aws/exfiltration_rds_snapshot_restored.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update rules/integrations/aws/exfiltration_rds_snapshot_restored.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update exfiltration_rds_snapshot_restored.toml * Update exfiltration_rds_snapshot_restored.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>	2021-10-15 16:05:00 -03:00
Austin Songer	90504915ad	[New Rule] AWS Route53 hosted zone associated with a VPC (#1365 ) * Create persistence_route_53_hosted_zone_associated_with_a_vpc.toml * Update * Update rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update persistence_route_53_hosted_zone_associated_with_a_vpc.toml * Update persistence_route_53_hosted_zone_associated_with_a_vpc.toml * Update persistence_route_53_hosted_zone_associated_with_a_vpc.toml * Update persistence_route_53_hosted_zone_associated_with_a_vpc.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>	2021-10-15 15:59:33 -03:00
Austin Songer	d7eab5bbf3	[New Rule] AWS STS AssumeRole Usage (#1214 ) * Update impact_iam_deactivate_mfa_device.toml https://github.com/elastic/detection-rules/issues/1111 * Update impact_iam_deactivate_mfa_device.toml * Update discovery_post_exploitation_external_ip_lookup.toml "ipapi.co", "ip-lookup.net", "ipstack.com" Update rules/aws/impact_iam_deactivate_mfa_device.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Revert "Update discovery_post_exploitation_external_ip_lookup.toml" This reverts commit b57fd60c9511e20a336d32a9c9b8d5cf9954c50e. * Update * New Rule: Okta User Attempted Unauthorized Access * Update privilege_escalation_okta_user_attempted_unauthorized_access.toml * Update privilege_escalation_okta_user_attempted_unauthorized_access.toml * Delete privilege_escalation_okta_user_attempted_unauthorized_access.toml * Create persistence_new-or-modified-federation-domain.toml * Delete persistence_new-or-modified-federation-domain.toml * Create lateral_movement_sts_assumerole_abuse.toml * Rename lateral_movement_sts_assumerole_abuse.toml to privilege_escalation_sts_assumerole_abuse.toml * Update privilege_escalation_sts_assumerole_abuse.toml * Update privilege_escalation_sts_assumerole_abuse.toml * Update privilege_escalation_sts_assumerole_abuse.toml * Update * Update .gitignore Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update privilege_escalation_sts_assumerole_abuse.toml * Update privilege_escalation_sts_assumerole_abuse.toml * Update privilege_escalation_sts_assumerole_abuse.toml * Update and rename privilege_escalation_sts_assumerole_abuse.toml to privilege_escalation_sts_assumerole_usage.toml * Update rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Add note field * Update privilege_escalation_sts_assumerole_usage.toml * Update rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Adding Reference * Expand STS Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>	2021-10-15 15:56:10 -03:00
Austin Songer	82e72a956b	[New Rule] AWS Route Table Modified or Deleted (#1258 ) * Update impact_iam_deactivate_mfa_device.toml https://github.com/elastic/detection-rules/issues/1111 * Update impact_iam_deactivate_mfa_device.toml * Update discovery_post_exploitation_external_ip_lookup.toml "ipapi.co", "ip-lookup.net", "ipstack.com" Update rules/aws/impact_iam_deactivate_mfa_device.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Revert "Update discovery_post_exploitation_external_ip_lookup.toml" This reverts commit b57fd60c9511e20a336d32a9c9b8d5cf9954c50e. * Update * New Rule: Okta User Attempted Unauthorized Access * Update privilege_escalation_okta_user_attempted_unauthorized_access.toml * Update privilege_escalation_okta_user_attempted_unauthorized_access.toml * Delete privilege_escalation_okta_user_attempted_unauthorized_access.toml * Create persistence_new-or-modified-federation-domain.toml * Delete persistence_new-or-modified-federation-domain.toml * Create persistence_route_table_modified_or_deleted.toml * Update persistence_route_table_modified_or_deleted.toml * Update persistence_route_table_modified_or_deleted.toml * Update * Update .gitignore Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update persistence_route_table_modified_or_deleted.toml * Update persistence_route_table_modified_or_deleted.toml * Update persistence_route_table_modified_or_deleted.toml * remove space from query Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2021-10-12 15:16:48 -03:00
Austin Songer	9508002bb3	[New Rule] AWS ElastiCache Security Group Created (#1363 ) * Create persistence_elasticache_security_group_creation.toml * Update * Update rules/integrations/aws/persistence_elasticache_security_group_creation.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Rename persistence_elasticache_security_group_creation.toml to defense_evasion_elasticache_security_group_creation.toml * Update defense_evasion_elasticache_security_group_creation.toml * Update defense_evasion_elasticache_security_group_creation.toml * Re-add rule.threat * Update rules/integrations/aws/defense_evasion_elasticache_security_group_creation.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * remove extra space from query Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2021-10-05 14:00:29 -03:00
Austin Songer	0a3c44e8db	[Rule Tuning] AWS RDS Snapshot Export and AWS RDS Instance Created (#1514 )	2021-10-04 13:31:31 -08:00
Austin Songer	f41714642c	[New Rule] AWS ElastiCache Security Group Modified or Deleted (#1364 ) * Create impact_aws_elasticache_security_group_modified_or_deleted.toml * Rename impact_aws_elasticache_security_group_modified_or_deleted.toml to impact_elasticache_security_group_modified_or_deleted.toml * Update impact_elasticache_security_group_modified_or_deleted.toml * Update * Update rules/integrations/aws/impact_elasticache_security_group_modified_or_deleted.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update impact_elasticache_security_group_modified_or_deleted.toml * Update impact_elasticache_security_group_modified_or_deleted.toml * Rename impact_elasticache_security_group_modified_or_deleted.toml to defense_evasion_elasticache_security_group_modified_or_deleted.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2021-10-04 15:38:37 -03:00
Jonhnathan	5e4a7e67df	[Rule Tuning] Small update on rule descriptions (#1508 )	2021-09-30 12:54:15 -08:00
Austin Songer	93b8038d7d	[New Rule] AWS STS GetSessionToken Abuse (#1213 ) * Update impact_iam_deactivate_mfa_device.toml https://github.com/elastic/detection-rules/issues/1111 * Update impact_iam_deactivate_mfa_device.toml * Update discovery_post_exploitation_external_ip_lookup.toml "ipapi.co", "ip-lookup.net", "ipstack.com" Update rules/aws/impact_iam_deactivate_mfa_device.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Revert "Update discovery_post_exploitation_external_ip_lookup.toml" This reverts commit b57fd60c9511e20a336d32a9c9b8d5cf9954c50e. * Update * New Rule: Okta User Attempted Unauthorized Access * Update privilege_escalation_okta_user_attempted_unauthorized_access.toml * Update privilege_escalation_okta_user_attempted_unauthorized_access.toml * Delete privilege_escalation_okta_user_attempted_unauthorized_access.toml * Create persistence_new-or-modified-federation-domain.toml * Delete persistence_new-or-modified-federation-domain.toml * Create lateral_movement_sts_getsessiontoken_abuse.toml * Rename lateral_movement_sts_getsessiontoken_abuse.toml to privilege_escalation_sts_getsessiontoken_abuse.toml * Update privilege_escalation_sts_getsessiontoken_abuse.toml * Update rules/aws/privilege_escalation_sts_getsessiontoken_abuse.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update .gitignore Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update privilege_escalation_sts_getsessiontoken_abuse.toml * Update privilege_escalation_sts_getsessiontoken_abuse.toml * Update * Update rules/integrations/aws/privilege_escalation_sts_getsessiontoken_abuse.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>	2021-09-22 16:28:02 -03:00
Justin Ibarra	8e3b1d28c4	[Rule Tuning] Fix typos in rule metadata (#1494 ) Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>	2021-09-21 16:31:00 -03:00
dstepanic17	9ff3873ee7	[rule-tuning] Adding more context with triage/investigation (#1481 ) * [rule-tuning] Adding more context with triage/investigation * Adding mimikatz rule * Fixed updated date on mimikatz rule * Adding Defender update * Adding scheduled task * Adding AdFind * Adding rare process * Adding cloudtrail country * Adding cloudtrail spike * Adding threat intel * Fixed minor spelling/syntax * Fixed minor spelling/syntax p2 * Update rules/cross-platform/threat_intel_module_match.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/integrations/aws/ml_cloudtrail_error_message_spike.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/ml/ml_rare_process_by_host_windows.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/credential_access_mimikatz_powershell_module.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/credential_access_mimikatz_powershell_module.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/defense_evasion_defender_exclusion_via_powershell.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/discovery_adfind_command_activity.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/discovery_adfind_command_activity.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/discovery_adfind_command_activity.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/discovery_adfind_command_activity.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/discovery_adfind_command_activity.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/discovery_adfind_command_activity.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Removed MITRE link, added Microsoft * Update ml_cloudtrail_error_message_spike.toml * Update ml_cloudtrail_rare_method_by_country.toml * Update ml_rare_process_by_host_windows.toml * Update credential_access_mimikatz_powershell_module.toml * Update defense_evasion_defender_exclusion_via_powershell.toml * Update discovery_adfind_command_activity.toml * Update lateral_movement_dns_server_overflow.toml * Update lateral_movement_scheduled_task_target.toml * Update persistence_evasion_registry_startup_shell_folder_modified.toml * Update defense_evasion_defender_exclusion_via_powershell.toml * Update lateral_movement_scheduled_task_target.toml * Update persistence_evasion_registry_startup_shell_folder_modified.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2021-09-15 20:07:21 -05:00
Austin Songer	3b29498907	[Rule Tuning] AWS Security Group Configuration Change Detection (#1426 ) * move rule "AWS Security Group Configuration Change Detection" to integrations directory and add "aws" integration	2021-08-14 20:34:13 -08:00
Justin Ibarra	f8f643041a	[Rule tuning] Revise rule description and other text (#1398 )	2021-08-03 13:07:47 -08:00
Ross Wolf	1882f4456c	[Fleet] Track integrations in folder and metadata (#1372 ) * Track integrations in folder and metadata * Remove duplicate entry * Update note and tests	2021-07-21 15:24:56 -06:00

46 Commits