2708a89f20
[New Rule] AWS IAM User Created Access Keys for Another User ( #3788 )
...
* [New Rule] AWS IAM User Created Access Keys for Another User
...
* updated min_stack and removed index field
* reversed tactic order
* added AWS documentation as reference
* Apply suggestions from code review
updated_date, query format change, removed keep from query
2024-06-25 00:11:48 -04:00
da8f3e4880
[New Rule] Okta Credential Stuffing and Password Spraying Identification via Source, Device Token and Actor ( #3797 )
...
* adding new rule 'Multiple Okta User Authentication Events with Same Device Token Hash'
* adding new rule 'Multiple Okta User Authentication Events with Client Address'
* updating UUIDs
* removed indexes
* adding new rule 'High Number of Okta Device Token Cookies Generated for Authentication'
* added okta outcome reason 'INVALID_CREDENTIALS' to queries
* updated risk score
* made all rules low risk score
* added user session start to rule
* updated min-stack comments
2024-06-21 13:11:23 -04:00
11aab028dc
[Rule Tuning] Okta User Sessions Started from Different Geolocations ( #3799 )
...
* tuning 'Okta User Sessions Started from Different Geolocations'
* TOML linting
* updated min-stack comments
* added setup
* Removed some blank spaces
2024-06-20 16:52:26 -04:00
51b9717ac0
Adding setup templates to the ML rules ( #3798 )
...
* Added setup instructions for ml rules
2024-06-19 10:04:41 -04:00
c1dcd21531
Closes #2216 ( #2855 )
...
* Update privilege_escalation_sts_assumerole_usage.toml
* Update privilege_escalation_sts_assumerole_usage.toml
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
2024-06-13 16:52:54 -04:00
89d89f15d2
Update FIM integration Setup sequence ( #3781 )
2024-06-12 16:40:45 +05:30
8baf5dc2d8
Add exceptions to C2 Beaconing Activity ( #3771 )
2024-06-11 18:43:46 +05:30
ec223a4a05
[New Rule] Suspicious File Modification ( #3746 )
...
* [New Rule] Suspicious File Modification
* Update persistence_suspicious_file_modifications.toml
* Update rules/linux/persistence_suspicious_file_modifications.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/persistence_suspicious_file_modifications.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Updates
* Update rules/integrations/fim/persistence_suspicious_file_modifications.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
2024-06-11 13:03:20 +02:00
62eea772d0
[New Rule] AWS S3 Bucket Ransom Note Uploaded ( #3604 )
...
* new rule 'AWS S3 Bucket Object Retrieval, Deletion, and Potential Ransom Note Replacement'
* fixed technique mapping
* added investigation guide; added more ransom note extensions
* adjusted lookback and maxspan
* added API call to second sequence
* updating date
* Update rules/integrations/aws/impact_s3_bucket_object_deletion_and_ransomware_note_added.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Update rules/integrations/aws/impact_s3_bucket_object_deletion_and_ransomware_note_added.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* changed rule to ESQL; updated investigation guide
* changed file name
* removed txt, ecc, and note
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2024-06-10 10:47:20 -04:00
e1cbf9f684
[New rules] AWS IAM AdministratorAccess Policy Attached to : User, Group, Role(es|ql) ( #3735 )
...
* [New Rule] AWS IAM AdministratorAccess Policy Attached to User
issue...
* add source.address and source.geo.location
* fix threat tactic ids
* AdministratorAccess Policy Attached to Group
* AdminstratoAccess Policy Attached to Role
* reduce severity to medium
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2024-06-07 18:31:06 -04:00
9f67585332
[New Rule] AWS EC2 Instance Connect SSH Public Key Uploaded ( #3634 )
...
* new rule 'AWS EC2 Instance Connect SSH Public Key Uploaded'
* changed tactic to privilege escalation
* added additional reference
* added investigation guide
* updated summary
* changed risk score to medium; adjusted tags
* fixed mitre mapping
* Update rules/integrations/aws/privilege_escalation_ec2_instance_connect_ssh_public_key_uploaded.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2024-06-05 10:33:42 -04:00
05ac4e1bd3
[New Rule] AWS Systems Manager SecureString Parameter Request with Decryption Flag ( #3590 )
...
* new rule 'First Occurrence of Resource Accessing AWS Systems Manager SecureString Parameters with Decryption Flag'
* updated rule contents
* added investigation guide; changed new terms to uder.id
* adjusted time window
* adjusted rule name
* updated query, adjusted new terms value
2024-06-05 10:22:38 -04:00
c77eb1d915
[New Rule] AWS IAM Roles Anywhere Profile Creation and Trusted Anchor with External CA Created ( #3609 )
...
* new rule 'AWS IAM Roles Anywhere Role Creation'
* adjusted rule to focus on Roles Anywhere profile creation
* added rule for roles anywhere trusted anchor; updated rule file naming
* added investigation guide
* added investigation guide
* adjusted rule and file name
* Update rules/integrations/aws/persistence_iam_roles_anywhere_trusted_anchor_created_with_external_ca.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Update rules/integrations/aws/persistence_iam_roles_anywhere_trusted_anchor_created_with_external_ca.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2024-06-05 10:10:53 -04:00
e357a2c050
Refresh MITRE Attack v15.1.0 ( #3725 )
2024-06-04 20:14:58 +05:30
59b7e3bde4
[New Rule] Rapid Secret Retrieval Attempts from AWS SecretsManager ( #3589 )
...
* new rule 'Rapid Secret Retrieval Attempts from AWS SecretsManager'
* updated user identity arn to user.id for cross-service password retrieval
* added investigation guides; bumped dates; adjusted threshold value
* Update rules/integrations/aws/credential_access_rapid_secret_retrieval_attempts_from_secretsmanager.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules/integrations/aws/credential_access_rapid_secret_retrieval_attempts_from_secretsmanager.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules/integrations/aws/credential_access_new_terms_secretsmanager_getsecretvalue.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2024-06-04 09:20:04 -04:00
0885032b2c
[New Rule] AWS Lambda Function Policy Updated To Allow Public Invocation ( #3632 )
...
* new rule 'AWS Lambda Function Policy Updated To Allow Public Invocation'
* updated rule UUID
* added investigation guide
* Update rules/integrations/aws/persistence_lambda_backdoor_invoke_function_for_any_principal.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules/integrations/aws/persistence_lambda_backdoor_invoke_function_for_any_principal.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules/integrations/aws/persistence_lambda_backdoor_invoke_function_for_any_principal.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2024-06-03 11:42:38 -04:00
856c6c5a1f
[New Rule] AWS EC2 EBS Snapshot Shared with Another Account ( #3601 )
...
* new rule 'AWS EC2 EBS Snapshot Shared with Another Account'
* added investigation guide
* updated rule name
* converted to ES|QL
* reverting non-ecs update
2024-06-02 10:30:08 -04:00
70469b4cdb
[New Rule] AWS Lambda Layer Added to Existing Function ( #3631 )
...
* new rule 'AWS Lambda Layer Added to Existing Function'
* updated query logic; added investigation note
2024-06-02 08:41:04 -04:00
7c82e75cf4
[New Rule] AWS S3 Bucket Policy Added to Share with External Account ( #3603 )
...
* new rule 'AWS S3 Bucket Policy Added to Share with External Account'
* added investigation guide
* Update rules/integrations/aws/exfiltration_s3_bucket_policy_added_for_external_account_access.toml
2024-06-01 10:31:41 -04:00
23ce41d8af
[New Rule] AWS GetCallerIdentity API Called for the First Time ( #3711 )
...
* [New Rule] AWS GetCallerIdentity API Called for the First Time
issue
* Apply suggestions from code review
name change, false positive additions, remove Setup, change new_terms window from 15d to 10d
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update rules/integrations/aws/discovery_new_terms_sts_getcalleridentity.toml
fixed missing closing quotes
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2024-05-31 17:55:06 -04:00
418a95205e
Remove unwanted backticks ( #3724 )
2024-05-31 21:46:24 +05:30
34294fbe6d
Add exceptions to brute force threshold rule. ( #3712 )
...
High volume, machine generated failures or MFA interruptions have been added to the rule.
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2024-05-30 10:12:36 +02:00
8b28a515c1
Update rule setup instructions for UEBA packages ( #3652 )
...
* update detection-rules instructions for UEBA packages
---------
Co-authored-by: Susan <23287722+susan-shu-c@users.noreply.github.com >
2024-05-28 14:21:46 -05:00
d5c57463e1
[New Rule] First Occurrence of AWS Resource Starting SSM Session to EC2 Instance ( #3598 )
...
* new rule 'First Occurrence of AWS Resource Starting SSM Session to EC2 Instance'
* added investigation guide
* changed file name to match tactic
* changed reference
* updated tags
* updated investigation notes
* changed new terms value; adjusted rule name
2024-05-28 11:23:17 -04:00
527f785a60
[New Rule] AWS EC2 VPC Security Group Rule Added for Any Address or Remote Access Ports ( #3599 )
...
* new rule 'AWS EC2 VPC Security Group Rule Added for Any Address or Remote Access Ports'
* updated rule name
* changed file name; added false-positive note
* changed rule UUID
* adjusted file name
* updated tags
* added investigation guide; updated query logic
* Update rules/integrations/aws/defense_evasion_vpc_security_group_ingress_rule_added_for_remote_connections.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* updated query and name
* updated query optimization
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
2024-05-28 10:49:20 -04:00
63e91c2f12
Back-porting Version Trimming ( #3704 )
2024-05-23 00:45:10 +05:30
2c3dbfc039
Revert "Back-porting Version Trimming ( #3681 )"
...
This reverts commit 71d2c59b5c
2024-05-22 13:51:46 -05:00
71d2c59b5c
Back-porting Version Trimming ( #3681 )
2024-05-23 00:11:50 +05:30
58ba0713fe
[New Rule] AWS S3 Bucket Expiration Lifecycle Configuration Added ( #3700 )
...
* new rule 'AWS S3 Bucket Expiration Lifecycle Configuration Added'
* added investigation guide
* updated query logic
---------
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2024-05-21 16:33:17 -05:00
ed0038ee1d
Revert "[New Rule] AWS S3 Bucket Expiration Lifecycle Configuration Added ( #3591 )"
...
This reverts commit 137b74c3aa
2024-05-21 15:53:02 -05:00
137b74c3aa
[New Rule] AWS S3 Bucket Expiration Lifecycle Configuration Added ( #3591 )
...
* new rule 'AWS S3 Bucket Expiration Lifecycle Configuration Added'
* added investigation guide
* updated query logic
2024-05-20 16:15:46 -04:00
f0b226c2b0
[Tuning] Suspicious Microsoft 365 Mail Access by ClientAppId ( #3677 )
...
* Update initial_access_microsoft_365_abnormal_clientappid.toml
* Update initial_access_microsoft_365_abnormal_clientappid.toml
* Update initial_access_microsoft_365_abnormal_clientappid.toml
* Update initial_access_microsoft_365_abnormal_clientappid.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2024-05-15 18:11:49 +01:00
f07a9e6fbc
[FR] Add max_signal note, unit test, and rule tuning ( #3669 )
2024-05-14 11:15:12 -05:00
2375297879
[New Rule] Route53 Resolver Query Log Configuration Deleted ( #3592 )
...
* new rule 'Route53 Resolver Query Log Configuration Deleted'
* added investigation guide
* adjusted investigation notes
* Update rules/integrations/aws/defense_evasion_route53_dns_query_resolver_config_deletion.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2024-05-14 10:24:20 -04:00
d505b95f3c
[New Rule] AWS EC2 AMI Shared with Another Account ( #3600 )
...
* new rule 'AWS EC2 AMI Shared with Another Account'
* linted; updated UUID
* added investigation guide
* updated description
* fixed spelling errors
* Update rules/integrations/aws/exfiltration_ec2_ami_shared_with_separate_account.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* fixed spacing issue
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2024-05-14 01:56:26 -04:00
38e0f13e23
[New Rule] First Occurrence of User Identity Retrieving Credentials from EC2 Instance with an Assumed Role ( #3586 )
...
* new rule 'First Occurrence of User Identity Sending Requests to EC2 Instance'
* updated description and name
* added investigation guide; adjusted description
* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* updated query logic
* fixed spacing issue
* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml
* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2024-05-13 23:07:39 -04:00
6cc39a538f
[New Rule] Potential PowerShell HackTool Script by Author ( #2472 )
...
* [New Rule] Potential PowerShell HackTool Script by Author
* Update execution_posh_hacktool_authors.toml
* Update execution_posh_hacktool_authors.toml
* Update execution_posh_hacktool_authors.toml
* Apply suggestions from code review
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update execution_posh_hacktool_authors.toml
* Apply suggestions from code review
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update execution_posh_hacktool_authors.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2024-05-09 18:41:56 -07:00
69595a5f69
updated query logic
2024-05-09 18:31:50 -07:00
4396a91b40
[New Rule] Unusual High Confidence Misconduct Blocks Detected ( #3647 )
2024-05-06 07:32:02 -05:00
51268581a8
[Rule Tuning] AWS Bedrock Detected Multiple Attempts to use Denied Models by a Single User ( #3646 )
2024-05-04 08:20:20 -05:00
613457b97f
[New Rules] AWS Bedrock Guardrails Violations ( #3641 )
...
* [New Rules] AWS Bedrock Guardrails Violations
---------
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com >
2024-05-03 20:55:27 -06:00
2ffb0e7fe2
[New Rule] Potential Abuse of Resources by High Token Count and Large Response Sizes ( #3644 )
2024-05-03 18:01:53 -05:00
54ff270c62
[New Rule] AWS S3 Bucket Enumeration or Brute Force ( #3635 )
...
* [New Rule] AWS S3 Bucket Enumeration or Brute Force
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com >
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2024-05-01 15:00:33 -06:00
7673ba484d
Fix minstack version for 0365 in azure integration rules ( #3612 )
2024-04-22 19:17:49 +05:30
74312797bf
adjust aws rule index patterns and tags ( #3595 )
2024-04-16 10:08:57 -04:00
0e2eb5a84c
Fix minstack version for O365 prod rules ( #3565 )
2024-04-02 21:33:18 +05:30
400a84628e
Update setup guide for ML integration packages ( #3475 )
...
* Add more detail to ingest pipeline install
* Add more info to anomaly detection setup
* Update draft
* Fix typo
* Bulk add doc updates
* Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml
Co-authored-by: Kirti Sodhi <109447885+sodhikirti07@users.noreply.github.com >
* Address Kseniia feedback
* Update updated_date per review feedback
---------
Co-authored-by: Kirti Sodhi <109447885+sodhikirti07@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2024-04-01 15:02:32 -04:00
f6e79944f2
[Rule Tuning] Tuning 'First Time Seen AWS Secret Value Accessed in Secrets Manager' ( #3494 )
...
* tuning 'First Time Seen AWS Secret Value Accessed in Secrets Manager'
* reverting lookback window
* missing word in description
2024-03-15 19:08:28 -04:00
a4ecfe3ccf
Beaconing - Add whitelist to rules, with some more processes ( #3497 )
...
* Add whitelist to rules, with some more processes
* Update rules exceptionlist
* Update exceptions
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2024-03-14 15:51:02 -04:00
458e67918a
[Security Content] Small tweaks on the setup guides ( #3308 )
...
* [Security Content] Small tweaks on the setup guides
* Additional Fixes
* Avoid touching deprecated rules
2024-03-11 09:09:40 -03:00
Isai