49b660a135
[New Rules] New Terms rules for malicious Python/Pickle model activity on macOS ( #5780 )
...
* [New Rules] New Terms rules for malicious Python/Pickle model activity on macOS
Adds three new_terms SIEM detection rules to close the detection gap identified in ia-trade-team#666 where malicious pickle/PyTorch model files execute arbitrary commands via Python deserialization without triggering existing GenAI-parent-gated endpoint rules.
Co-authored-by: Cursor <cursoragent@cursor.com >
* Address PR feedback: broaden descriptions and simplify process.name
- Update descriptions across all three rules to not over-attribute to
pickle/PyTorch — these rules detect any malicious Python activity
(scripts, compromised dependencies, model deserialization, etc.)
- Simplify process.name from explicit enumeration to python* wildcard
since KQL matching is case-insensitive
- Update investigation guides to reflect broader scope of potential
attack vectors
Made-with: Cursor
* Apply suggestion from @DefSecSentinel
* Apply suggestion from @DefSecSentinel
* Apply suggestion from @DefSecSentinel
---------
Co-authored-by: Cursor <cursoragent@cursor.com >
2026-03-17 10:59:08 -05:00
70d7f2b6b1
Monthly Manifest and Schema Updation ( #5697 )
2026-02-10 09:17:04 +05:30
43d3f3b467
[New] Endpoint Rule Conversion PR ( #5658 )
...
* update
* [New] Endpoint Rule Conversion PR
* fix: replace invalid rule_ids with valid UUIDs
* fix: remove malformed TOML in docker_outbound_connection rule
* fix: rename Security Software Discovery rule to avoid name collision
* fix: remove rule using unsupported 'as event' alias syntax
* fix: add timestamp_override, investigation guides, and fix MITRE mapping
- Added timestamp_override = 'event.ingested' to 15 non-sequence EQL rules
- Added '## Triage and analysis' investigation guides to 19 high-severity rules
- Fixed T1176 technique name from 'Browser Extensions' to 'Software Extensions'
* Enhance investigation guides for 19 high-severity macOS SIEM rules
Enhanced investigation guides to align with existing SIEM rule format:
- Added detailed context paragraphs explaining the threat and detection logic
- Expanded investigation steps to 6-7 items with specific field references
- Enhanced false positive analysis with 4-5 items and exclusion guidance
- Added comprehensive response and remediation steps (6-7 items)
Rules enhanced:
- Defense Evasion: dylib_injection, gatekeeper_override, tcc_access
- Persistence: shell_profile, hidden_plist, chromium_extension, startup_item,
pkg_install_script, launch_agent_daemon
- Execution: unusual_library_python
- Lateral Movement: jamf_endpoint
- Command and Control: google_calendar_c2, oast_domain, etherhiding,
curl_from_app, curl_google_script, unsigned_binary
- Collection: pbpaste, sensitive_file_compression
* Fix investigation guide tests: add Resources tag and fix OAST title
- Added 'Resources: Investigation Guide' tag to all 19 rules with investigation guides
- Fixed OAST rule investigation guide title to match rule name exactly:
'Network Connection to OAST Domain via Script Interpreter'
* Remove duplicate detection_rules 2 folder from PR
* Address Samir's PR feedback: consolidate rules, convert to ES|QL, fix Gatekeeper rule
Changes:
- Convert AWS S3 connection rule to ES|QL with aggregation
- Consolidate Python + Node non-standard port rules into single script interpreter rule
- Fix Gatekeeper rule to use correct gatekeeper_override event
- Simplify Gatekeeper rule to single event per Samir's suggestion
- Convert TCC access rule to ES|QL with COUNT_DISTINCT
- Tune cross-platform security software grep rule (add egrep, pgrep, more tools)
- Add node to system/network config check rule
Deleted duplicates (covered by existing cross-platform rules):
- Docker suspicious TLD rule (covered by unusual_connection_to_suspicious_top_level_domain)
- Security software via grep (tuned cross-platform version instead)
- VM fingerprinting via grep (duplicate of cross-platform version)
* fix: ESQL formatting and wildcard versioning patterns
- Add Esql. prefix to computed fields in ESQL rules
- Add KEEP statements to ESQL rules for proper field visibility
- Add perl* wildcard to OAST domain rule for version consistency
- Add ruby* wildcard to Etherhiding C2 rule for version consistency
- Fix regex pattern in TCC rule (perl.*/ruby.* for versioning)
* fix: remove duplicate Script Interpreter rule
Delete command_and_control_suspicious_outbound_python_network.toml which
is an exact duplicate of command_and_control_script_interpreter_connection_to_non_standard_port.toml
(same rule_id: aa1e007a-2997-4247-b048-dd9344742560)
* fix: add timestamp_override to Pbpaste and Gatekeeper rules
- collection_pbpaste_execution_via_unusual_parent.toml
- defense_evasion_gatekeeper_override_and_execution.toml
EQL/KQL rules require timestamp_override: event.ingested
* fix: remove perl from Script Interpreter rule
Perl is covered by the broader perl_outbound_network_connection rule which
catches perl → any external IP (not just non-standard ports). Perl network
connections on macOS are rare and inherently suspicious regardless of port.
* Update rules/macos/command_and_control_aws_s3_connection_via_script.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/macos/command_and_control_aws_s3_connection_via_script.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/macos/command_and_control_aws_s3_connection_via_script.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/macos/defense_evasion_suspicious_tcc_access_granted.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/macos/persistence_manual_chromium_extension_loading.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/macos/persistence_startup_item_plist_creation.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/macos/persistence_suspicious_launch_agent_or_launch_daemon.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/macos/persistence_suspicious_launch_agent_or_launch_daemon.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Fix ESQL syntax error in AWS S3 connection rule
Remove trailing comma before BY clause in STATS command that caused a parsing_exception.
Co-authored-by: Cursor <cursoragent@cursor.com >
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Cursor <cursoragent@cursor.com >
2026-02-06 10:53:44 -06:00
80968035bb
MacOS detection rules tuning ( #5667 )
...
* Sync macOS detection rules with endpoint-rules logic
- Fix Bifrost Kerberos query logic (broken parentheses grouping)
- Add authenticate pattern and NinjaRMM exclusion to osascript phishing rule
- Update SCP privacy bypass to use 127.0.0.? loopback pattern
- Add wildcard EndpointSecurity pattern to kext unload rule
* Fix Safari settings rule to use targeted approach
- Change from broad catch-all with exclusions to targeted dangerous settings
- Only detect IncludeDevelopMenu and JavaScript setting changes
- Reduces false positives from benign Safari preference changes
* Add Parallels Desktop exclusion to Hosts File Modified rule
- Excludes /Applications/Parallels Desktop.app/Contents/MacOS/prl_naptd (5,074 alerts in 90 days)
2026-02-05 11:20:16 -06:00
3cba3d7982
[Rule Tuning] Dormant & Deprecated Rule Clean-Up ( #5672 )
...
* Updated kubernetes.audit.requestObject.spec.containers.image type of text to Keyword
* [Rule Tuning] Dormant & Deprecated Rule Clean-Up
* [Rule Tuning] Dormant & Deprecated Rule Clean-Up
* Few more deprecations
* ++
* Update unit test syntax fix
* Update bad bytes
* ++
2026-02-05 13:24:21 +01:00
c75fc7e487
[Rule Tuning] Mythic C2 AzureBlob Profile Endpoints ( #5663 )
...
Fixes #5662
2026-02-03 09:38:14 -05:00
fbfc696a86
Update command_and_control_unusual_network_connection_to_suspicious_web_service.toml ( #5008 )
2025-08-26 13:03:59 +01:00
c80319d462
[Deprecate] LaunchDaemon Creation or Modification and Immediate Loading ( #4547 )
2025-04-22 21:23:01 +05:30
4ef72457d3
[Tuning] MacOS DR Tuning PR ( #4546 )
...
* [Tuning] MacOS DR Tuning PR
* tunings
* tuning
* Update rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml
* Update rules/macos/execution_installer_package_spawned_network_event.toml
* Update rules/macos/execution_script_via_automator_workflows.toml
* Update rules/macos/credential_access_systemkey_dumping.toml
* Update rules/macos/credential_access_mitm_localhost_webproxy.toml
* Update rules/macos/credential_access_promt_for_pwd_via_osascript.toml
* Update rules/macos/defense_evasion_apple_softupdates_modification.toml
* Update rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml
* Update rules/macos/lateral_movement_remote_ssh_login_enabled.toml
* Update rules/macos/persistence_finder_sync_plugin_pluginkit.toml
* fix
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
2025-04-21 17:32:05 -05:00
3966981dae
Add investigation guides ( #4600 )
2025-04-07 20:55:39 +05:30
753e8d8200
[New] Unusual Network Connection to Suspicious Top Level Domain ( #4563 )
2025-04-03 14:22:41 -05:00
d4b2a35237
[New] Unusual Network Connection to Suspicious Web Service ( #4569 )
...
* [New] Unusual Network Connection to Suspicious Web Service
* Update rule threat order
---------
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com >
Co-authored-by: eric-forte-elastic <eric.forte@elastic.co >
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com >
2025-04-03 14:02:03 -05:00
5155f47b86
[Rule Tuning] Event Aggregation - Fix event.action & event.type conditions ( #4445 )
...
* [Rule Tuning] Event Aggregation - Fix `event.action` & `event.type` conditions
* .
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2025-02-07 18:42:28 -03:00
ab89dfb98d
[Rule Tuning] Tighten Up Elastic Defend Indexes - MacOS ( #4447 )
2025-02-05 15:09:27 -03:00
818467f132
Replace master doc URLs with current ( #4439 )
2025-02-03 21:27:50 +05:30
fe8c81d762
[FR] Generate investigation guides ( #4358 )
2025-01-22 11:17:38 -06:00
2c848c5111
Prep for Release 8.18 ( #4288 )
2024-12-09 18:25:13 +05:30
d2502c7394
Prep for Release 8.17 ( #4256 )
2024-11-07 23:53:04 +05:30
b80d8342d6
[Docs | Rule Tuning] Add blog references to rules ( #4097 )
...
* [Docs | Rule Tuning] Add blog references to rules
* Apply suggestions from code review
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Apply suggestions from code review
* Update google_workspace blog references
* add okta blog references
* Update dates
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2024-09-25 15:19:20 -05:00
df1f0bc98e
[New Rule] Add Jamf Protect detection rules ( #4047 )
...
* Create privilege_escalation_user_added_to_admin_group.toml
* Update privilege_escalation_user_added_to_admin_group.toml
* Update privilege_escalation_user_added_to_admin_group.toml
* Adding pbpaste detection rule and minor adjustments to user added to group
* Update credential_access_high_volume_of_pbpaste.toml
* Update credential_access_high_volume_of_pbpaste.toml
* Adding two rules to validate our approach.
* Updated index to "logs-jamf_protect*"
* Update credential_access_high_volume_of_pbpaste.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update credential_access_high_volume_of_pbpaste.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update credential_access_high_volume_of_pbpaste.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update credential_access_high_volume_of_pbpaste.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update credential_access_high_volume_of_pbpaste.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update credential_access_high_volume_of_pbpaste.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update credential_access_high_volume_of_pbpaste.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/integrations/jamf/credential_access_high_volume_of_pbpaste.toml
* Update rules/integrations/jamf/credential_access_high_volume_of_pbpaste.toml
* Update rules/integrations/jamf/credential_access_high_volume_of_pbpaste.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/integrations/jamf/privilege_escalation_user_added_to_admin_group.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/integrations/jamf/privilege_escalation_user_added_to_admin_group.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/integrations/jamf/privilege_escalation_user_added_to_admin_group.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/integrations/jamf/privilege_escalation_user_added_to_admin_group.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Moved to rules/macos folder
* Removed rules from integration/jamf folder
* Update credential_access_high_volume_of_pbpaste.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update credential_access_high_volume_of_pbpaste.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update credential_access_high_volume_of_pbpaste.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update credential_access_high_volume_of_pbpaste.toml
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
* minstack rules and support jamf_protect non-dataset
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co >
2024-09-12 15:03:56 -05:00
3e831b82c3
Update credential_access_suspicious_web_browser_sensitive_file_access.toml ( #4029 )
...
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2024-08-28 16:33:44 +01:00
e357a2c050
Refresh MITRE Attack v15.1.0 ( #3725 )
2024-06-04 20:14:58 +05:30
63e91c2f12
Back-porting Version Trimming ( #3704 )
2024-05-23 00:45:10 +05:30
2c3dbfc039
Revert "Back-porting Version Trimming ( #3681 )"
...
This reverts commit 71d2c59b5c
2024-05-22 13:51:46 -05:00
71d2c59b5c
Back-porting Version Trimming ( #3681 )
2024-05-23 00:11:50 +05:30
ce21acef9c
[Bug] Fix test_os_and_platform_in_query test and rules ( #3695 )
...
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com >
2024-05-20 08:43:30 -07:00
ec27bf8545
Update credential_access_suspicious_web_browser_sensitive_file_access.toml ( #3691 )
2024-05-17 21:30:16 -07:00
1fb58e1b61
[Tuning] MacOS Comprehensive Detection Rule Tuning ( #3435 )
...
* Update to use new data source
* Exclude FPs
* Update logic
* Exclude FPs
* Update to match ER logic
* Exclude FP
* Update to match endpoint rule and reduce FPs
* Update logic to reduce FPs
* Update logic to reduce FPs
* Exclude FPs
* Update logic to remove FPs
* Update logic to reduce FPs
* Update logic and min stack version to reduce FPs
* Exclude FP
* Remove FPs
* Update logic and min stack to reduce FPs
* Exclude FPs
* Update logic and min stack to exclude FPs
* Update logic and min stack to exclude FPs
* Update logic to be more efficient
* Update logic
* Update rules/macos/credential_access_promt_for_pwd_via_osascript.toml
* Update rules/macos/defense_evasion_modify_environment_launchctl.toml
* Update rules/macos/persistence_docker_shortcuts_plist_modification.toml
* Update rules/macos/privilege_escalation_local_user_added_to_admin.toml
* Update rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml
* Update persistence_folder_action_scripts_runtime.toml
* Update rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/macos/persistence_credential_access_authorization_plugin_creation.toml
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
* Update rules/macos/execution_installer_package_spawned_network_event.toml
* Update rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml
* Update rules/macos/credential_access_credentials_keychains.toml
* Update rules/macos/credential_access_suspicious_web_browser_sensitive_file_access.toml
* Update rules/macos/credential_access_suspicious_web_browser_sensitive_file_access.toml
* Update rules/macos/persistence_loginwindow_plist_modification.toml
* Update rules/macos/persistence_folder_action_scripts_runtime.toml
* Fix
* Fix
* Fix
* Update min stack comments
* Update rules/macos/persistence_credential_access_authorization_plugin_creation.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/macos/credential_access_promt_for_pwd_via_osascript.toml
* Update rules/macos/credential_access_suspicious_web_browser_sensitive_file_access.toml
* Update rules/macos/credential_access_systemkey_dumping.toml
* Update rules/macos/discovery_users_domain_built_in_commands.toml
* Update rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml
* Update rules/macos/persistence_finder_sync_plugin_pluginkit.toml
* Update rules/macos/privilege_escalation_local_user_added_to_admin.toml
* Update rules/macos/privilege_escalation_applescript_with_admin_privs.toml
* Update rules/macos/persistence_folder_action_scripts_runtime.toml
* Remove field
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2024-05-11 12:52:18 -05:00
458e67918a
[Security Content] Small tweaks on the setup guides ( #3308 )
...
* [Security Content] Small tweaks on the setup guides
* Additional Fixes
* Avoid touching deprecated rules
2024-03-11 09:09:40 -03:00
1c10c37468
[Rule Tuning] Update timestamp_override Unit Tests and Fix Rules Missing Field ( #3368 )
...
* updated timestamp override unit test; fixed rules missing this field
* fixed flake error
* simplified and consolidated logic
* Update tests/test_all_rules.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
* Update tests/test_all_rules.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
* added comments
* updated logic; added comments; removed unused variables
* removed custom python script
* updated dates
* removed deprecated rule change
* updated dates
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2024-01-17 14:14:38 -05:00
7854081cc0
Setup Guide information for MacOS rules ( #3274 )
2023-11-22 20:18:22 +05:30
a568c56bc1
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform ( #3157 )
2023-10-30 16:53:04 +05:30
6400bb3237
[Tuning] Access to Stored Browser Credentials ( #3066 )
...
* Exclude FPs
* Update rules/macos/credential_access_access_to_browser_credentials_procargs.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2023-10-27 15:10:09 -05:00
4233fef238
[Security Content] Include "Data Source: Elastic Defend" tag ( #3002 )
...
* win folder
* Other folders
* Update test_all_rules.py
* .
* updated missing elastic defend tags
---------
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co >
2023-09-05 14:22:01 -04:00
aaa4ce2ea0
[BUG] test_all_rule_queries_optimized does not run on rules ( #2823 )
...
* Fixed kql -> kuery in test_all_rule_queries_opt...
* all queries optimized
* manually reconciled all rules that failed due to toml escaped chars
* merge rules from main
* Rules needing optimization
* Fix optimized note
* fix another note
* another note fix
* fixing whitespace
* Updated for readability
---------
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2023-06-23 10:58:31 -04:00
b4c84e8a40
[Security Content] Tags Reform ( #2725 )
...
* Update Tags
* Bump updated date separately to be easy to revert if needed
* Update resource_development_ml_linux_anomalous_compiler_activity.toml
* Apply changes from the discussion
* Update persistence_init_d_file_creation.toml
* Update defense_evasion_timestomp_sysmon.toml
* Update defense_evasion_application_removed_from_blocklist_in_google_workspace.toml
* Update missing Tactic tags
* Update unit tests to match new tags
* Add missing IG tags
* Delete okta_threat_detected_by_okta_threatinsight.toml
* Update command_and_control_google_drive_malicious_file_download.toml
* Update persistence_rc_script_creation.toml
* Mass bump
* Update persistence_shell_activity_by_web_server.toml
* .
---------
Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2023-06-22 18:38:56 -03:00
59da2da474
[Rule Tuning] Ensure host information is in endpoint rule queries ( #2593 )
...
* add unit tests to ensure host type and platform are included
* add host.os.name 'linux' to all linux rules
* add host.os.name macos to mac rules
* add host.os.name to windows rules; fix linux dates
* update from host.os.name to host.os.type
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-03-05 11:41:19 -07:00
7df801f5c2
[Rule Tuning] Add missing techniques ( #2482 )
...
* tune for missing techniques
-added missing techniques to rules
* added same missing techniques to another rule
- updated_date for all files - added missing techniques to a 3rd rule
* added T1057 technique
added T1057 technique for Process discovery
2023-02-10 15:07:19 -05:00
4312d8c958
[FR] Add Endpoint, APM and Windows Integration Tags to Rules and Supportability ( #2429 )
...
* initial commit
* addressing flake errors
* added apm to _get_packagted_integrations logic
* addressed flake errors
* adjusted integration schema and updated rules to be a list
* updated several rules and removed a unit test
* updated rules with logs-* only index patterns
* Update tests/test_all_rules.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
* addressed flake errors
* integration is none is windows, endpoint or apm
* adding rules with accepted incoming changes from main
* fixed tag and tactic alignment errors from unit testing
* adjusted unit testing logic for integration tags; added more exclusion rules
* adjusted test_integration logic to be rule resistent and skip if -8.3
* adjusted comments for unit test skip
* fixed merge conflicts from main
* changing test_integration_tag to remove logic for rule version comparisons
* added integration tag to new rule
* adjusted rules updated_date value
* ignore guided onboarding rule in unit tests
* added integration tag to new rule
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2023-01-04 09:30:07 -05:00
be884a1cf3
[Rule Tuning] Screensaver Plist File Modified by Unexpected Process ( #2413 )
2022-12-22 10:27:10 -05:00
c1dd3c57ad
Adds commands to manage ATT&CK mappings ( #2343 )
...
* add att&ck commands; fix 2 rule mappings
* update message to stdout
* updated date for rule changes
* unrelated click bug fix
* add type hinting
2022-11-01 13:14:40 -06:00
b00de3e445
[Rule Tuning] adjust duplicate ssh brute force rule names and add unit test ( #2321 )
...
* added unit test for duplicate rule names
* adjusted macos file name and updated date values
* removed unit test and added assertion error in rule loader
* addressed flake errors
* addressed flake errors
* Update rules/linux/credential_access_potential_linux_ssh_bruteforce.toml
2022-09-26 10:04:38 -04:00
46d5e37b76
min_stack all rules to 8.3 ( #2259 )
...
* min_stack all rules to 8.3
* bump date
Co-authored-by: Mika Ayenson <mika.ayenson@elastic.co >
2022-08-24 10:38:49 -06:00
dfef597794
[Rule Tuning] Suspicious Child Process of Adobe Acrobat Reader Update Service ( #2192 )
2022-08-23 10:10:40 -04:00
2204459e73
[Rule Tuning] Finder Sync Plugin Registered and Enabled ( #2172 )
2022-08-23 09:59:43 -04:00
2326b30a87
[Rule Tuning] Suspicious Browser Child Process ( #2138 )
2022-08-23 09:56:23 -04:00
6e2d20362a
[Rule Tuning] Standardizing Risk Score according to Severity ( #2242 )
2022-08-21 22:29:39 -03:00
d1bc53e295
[Rule Tuning] Persistence via Folder Action Script ( #2174 )
...
* Exclude FPs for iterm
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2022-08-05 14:36:05 -04:00
4f55e9b05f
[Rule Tuning] Potential Persistence via Login Hook ( #2177 )
...
* Exclude FPs for iMazing Profile Editor and backupd
2022-08-05 14:25:31 -04:00
058f11f650
[Rule Tuning] Sublime Plugin or Application Script Modification ( #2180 )
...
* expand filter to sublime text contents
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2022-08-05 14:15:28 -04:00
Colson Wilhoit