2ea674ce84
[Bug] [DaC] Metadata maturity field default mismatch and poor enforcement of rule naming conventions ( #4285 )
...
* Add stub for solution
* Add date and maturity logic
* Add date and maturity logic
* Version Bump
* Remove Date Inheritance
* Remove Datetime import
2025-01-17 12:16:32 -05:00
5162067a51
[New Rule] Adding Coverage for Unusual AWS S3 Object Encryption with SSE-C ( #4377 )
...
* new rule 'Unusual AWS S3 Object Encryption with SSE-C'
* updated pyproject patch version
* bump repo version
* Update rules/integrations/aws/impact_s3_unusual_object_encryption_with_sse_c.toml
* updating patch version
* updating patch version
* Adding additional threshold rule
2025-01-15 14:11:58 -05:00
97b3f43870
[New Rule] Adding Coverage for AWS EC2 Deprecated AMI Discovery ( #4328 )
...
* new rule 'AWS EC2 Deprecated AMI Discovery'
* updated type
* updated non-ecs; bumped package version
* updated query
* added missing index
* updated patch version
2025-01-15 11:53:18 -05:00
32f596629d
Provide Deprecate Warnings for Experimental ML commands ( #4365 )
2025-01-15 21:53:16 +05:30
cc00963fc3
[Bug] [DaC] Actions Connector Defaults to None ( #4376 )
...
* Add explicit calls to pass directories
* Bump Version
2025-01-15 09:31:23 -05:00
ad180777cf
[Maintenance] Repository Config Update ( #4359 )
...
* updating tokens
* bumped patch
* updated navigator gist ID
* updated naming
* Update .github/workflows/manual-backport.yml
* updated navigator url
* updated noreply email
* updated naming
* Update .github/workflows/manual-backport.yml
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com >
* updating README
* updated gist token
* replaced guidelines token with GITHUB_TOKEN
---------
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com >
2025-01-09 16:35:18 -05:00
47571956a7
Lock versions for releases: 8.12,8.13,8.14,8.15,8.16,8.17 ( #4347 )
2025-01-07 22:54:34 +05:30
318ab3ffa0
Enhance Readability of KQL validation check failures ( #4329 )
2025-01-06 22:18:05 +05:30
52db5e0361
Monthly Refresh ECS & Beats schemas, Integration manifests & schemas. ( #4332 )
2025-01-06 21:48:11 +05:30
419e5c1ad3
[Tuning] Suspicious WMI Event Subscription Created ( #4327 )
...
* Update persistence_sysmon_wmi_event_subscription.toml
* Update non-ecs-schema.json
* Update persistence_sysmon_wmi_event_subscription.toml
* Update detection_rules/etc/non-ecs-schema.json
* Update pyproject.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2025-01-06 09:40:26 -03:00
2ff2965cb9
Enhance Readability of validation check failures ( #4299 )
2024-12-13 19:03:47 +05:30
691126cd3d
Lock versions for releases: 8.12,8.13,8.14,8.15,8.16,8.17 ( #4295 )
2024-12-10 21:43:29 +05:30
febdafa1f4
Lock versions for releases: 8.12,8.13,8.14,8.15,8.16,8.17 ( #4291 )
2024-12-09 21:38:33 +05:30
2c848c5111
Prep for Release 8.18 ( #4288 )
2024-12-09 18:25:13 +05:30
d3c05a08cc
Add all historical versions for v8.17.0 and above packages ( #4279 )
2024-12-03 23:36:32 +05:30
86cc61c233
Lock versions for releases: 8.11,8.12,8.13,8.14,8.15,8.16 ( #4274 )
...
* Locked versions for releases: 8.11,8.12,8.13,8.14,8.15,8.16
* Update detection_rules/etc/version.lock.json
* Update Patch version for version lock changes
---------
Co-authored-by: shashank-elastic <shashank-elastic@users.noreply.github.com >
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
Co-authored-by: Shashank K S <Shashank.Suryanarayana@elastic.co >
2024-11-27 09:34:54 -05:00
04e1fc1436
Account for CCS '::' index pattern ( #4258 )
2024-11-13 11:17:08 +05:30
ebb3675ea0
Lock versions for releases: 8.11,8.12,8.13,8.14,8.15,8.16 ( #4267 )
2024-11-11 22:29:22 +05:30
4a7f83e432
Version Lock File Reconcile Ref: #4266
2024-11-11 10:48:43 -05:00
ef453d8f4d
[Rule Tuning] Add Investigation Fields to Specific AWS Rules ( #4261 )
...
* adding investigation fields to specific aws rules
* updated patch
* removing min-stack requirements
* removed user.name redundancy
* adjusted order of investigation fields
* adding source address
2024-11-08 23:11:18 -05:00
c2e0a9315c
Fix extra new line in ATT&CK-coverage.md ( #4263 )
2024-11-08 20:13:21 +05:30
d2502c7394
Prep for Release 8.17 ( #4256 )
2024-11-07 23:53:04 +05:30
a92fdc18a1
[New Rule] Adding Coverage for AWS IAM Customer-Managed Policy Attached to Role by Rare User ( #4245 )
...
* adding new rule 'AWS IAM Customer-Managed Policy Attached to Role by Rare User'
* adding investigation guide tag
* adds new hunting query
* updated notes
* changed name
* adjusting pyproject.toml version
2024-11-06 13:36:13 -05:00
09ea35f33a
[New Rule] AWS STS AssumeRole with New MFA Device [Rule Tuning] AWS IAM Deactivation of MFA Device ( #4210 )
...
* [New Rule] [Rule Tuning] AWS STS AssumeRole with New MFA Device, AWS IAM Deactivation of MFA Device
New terms rule for new MFA device with AssumeRole action. Rule tuning to add MITRE technique to "AWS IAM Deactivation of MFA Device"
* add serialNumber to non-ecs schema file
* fixed misspelled toml file name
* Update rules/integrations/aws/persistence_sts_assume_role_with_new_mfa.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2024-11-05 02:09:05 -05:00
81292aee8a
[Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 1 ( #4220 )
...
* [Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 1
* Update Integrations unit tests
* Update test_all_rules.py
2024-11-04 11:32:22 -03:00
5d2940fa7c
Lock versions for releases: 8.10,8.11,8.12,8.13,8.14,8.15 ( #4217 )
2024-10-28 21:07:46 +05:30
275c7288a3
Add testcase to check for related_integrations based on index ( #4096 )
2024-10-22 00:17:30 +05:30
c1ce0d43d1
Lock versions for releases: 8.10,8.11,8.12,8.13,8.14,8.15 ( #4159 )
2024-10-16 10:23:33 +05:30
acb01cf9ee
Refresh to fetch latest ECS & Beats schemas, Integration manifests & schemas. ( #4140 )
2024-10-10 11:30:00 +05:30
afbca3ee75
Lock versions for releases: 8.10,8.11,8.12,8.13,8.14,8.15 ( #4147 )
2024-10-09 20:56:57 -05:00
06319b7a13
[Rule Tuning] Add KEEP Command to all ES|QL Rules ( #4146 )
...
* updating ES|QL rules to include KEEP command
* fixed some ES|QL rules with typos; added validation for KEEP command
* fixed ES|QL errors from missing fields
* fixed flake errors
* updated date
* added best practices to hunt docs
2024-10-09 21:08:38 -04:00
4edef2ea80
[FR][DAC] Import Rules Verbose Message ( #4093 )
...
* Draft Verbose Message
* Fix Linting
* Made more descriptive
* Updated for readability
2024-10-09 17:19:59 -04:00
281926052c
[Rule Tuning] Add METADATA checks for non-aggregate ES|QL queries and fix existing ( #4126 )
...
* fixed existing rules;added query checks
* fixed flake errors
* added re.DOTALL to regex pattern, adjusted pattern slightly; reverted some rules
* removed valueError and replaced ValidationError
* adjusted validation error output based on feedback
* Update rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* added space for failure
* updated to use re.compile
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
2024-10-09 15:25:36 -04:00
50e23ba242
[Hunting] Re-factor Hunting Library Code ( #4085 )
...
* updating python code for hunting library
* fixed okta queries; added MITRE search capability
* fixed hunting unit test imports
* fixed duplicate UUID; fixed duplicate index entry bug
* fixed technique finding sub-technique in search
* added more unit tests
* linted
* flake errors addressed; fixed unit test import; fixed markdown generate bug
* added description for generate-markdown command
* updated README
* adjusted YAML index, adjusted code for index changes
* adjusted relative imports; updated CODEOWNERS
* adding updates; moving to different branch for main dependencies
* finished run-query command; made some code adjustments
* removed some comments
* revised makefile; fixed unit tests; adjusted detection rules pyproject
* updated README
* updated README
* adjusted unit tests; adjusted hunt guidelines; updated makefile; adjusted several commands
* adjusted package to be more object-oriented
* removed unused variable
* Add simple breakdown stats
* addressed feedback; added keyword option for search
* Update hunting/README.md
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
* Update detection_rules/etc/test_hunting_cli.bash
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com >
* addressing feedback
* addressed feedback
* added message for unknown index; fixed function call
* fixed search command
* fixed flake error
---------
Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com >
2024-10-03 12:47:40 -04:00
80143b23b2
Lock versions for releases: 8.10,8.11,8.12,8.13,8.14,8.15 ( #4116 )
2024-10-01 18:14:03 +05:30
e2f1fcefa8
Add flag to update the docs/ATT&CK-coverage.md with markdown URL(s) ( #4077 )
2024-09-19 23:12:01 +05:30
5e0fb4a63e
[Tuning] Add logs-panw.panos index to Network rules ( #4089 )
...
* [Tuning] Add logs-panw.panos index to Network rules
https://github.com/elastic/detection-rules/issues/3998
This PR adds to the PANOS traffic index `.ds-logs-panw.panos-default-*` to the network rules using fields that are compatible.
* add tag and integration
* Update command_and_control_fin7_c2_behavior.toml
* Build Manifest and Schema for panw integration
* Update definitions.py
* Update definitions.py
* Fix definitions declaration
---------
Co-authored-by: Shashank K S <Shashank.Suryanarayana@elastic.co >
2024-09-19 08:01:44 +01:00
df31c002ca
[Bug] Handle formatting empty list ( #4086 )
2024-09-17 13:25:17 -05:00
574064272d
Lock versions for releases: 8.10,8.11,8.12,8.13,8.14,8.15 ( #4082 )
2024-09-16 21:43:16 +05:30
bb9a772870
[New Rule] Okta Public Client App OAuth Token Request with Client Credentials ( #4074 )
...
* adding new rule for Okta public client app OAuth token request with client credentials
* Update detection_rules/etc/non-ecs-schema.json
* changing new terms to okta.actor.display_name
* linted; added references
2024-09-13 14:57:49 -04:00
eda179bbe1
Skip Development Rules from Security Docs ( #4073 )
2024-09-13 19:57:00 +05:30
df1f0bc98e
[New Rule] Add Jamf Protect detection rules ( #4047 )
...
* Create privilege_escalation_user_added_to_admin_group.toml
* Update privilege_escalation_user_added_to_admin_group.toml
* Update privilege_escalation_user_added_to_admin_group.toml
* Adding pbpaste detection rule and minor adjustments to user added to group
* Update credential_access_high_volume_of_pbpaste.toml
* Update credential_access_high_volume_of_pbpaste.toml
* Adding two rules to validate our approach.
* Updated index to "logs-jamf_protect*"
* Update credential_access_high_volume_of_pbpaste.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update credential_access_high_volume_of_pbpaste.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update credential_access_high_volume_of_pbpaste.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update credential_access_high_volume_of_pbpaste.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update credential_access_high_volume_of_pbpaste.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update credential_access_high_volume_of_pbpaste.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update credential_access_high_volume_of_pbpaste.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/integrations/jamf/credential_access_high_volume_of_pbpaste.toml
* Update rules/integrations/jamf/credential_access_high_volume_of_pbpaste.toml
* Update rules/integrations/jamf/credential_access_high_volume_of_pbpaste.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/integrations/jamf/privilege_escalation_user_added_to_admin_group.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/integrations/jamf/privilege_escalation_user_added_to_admin_group.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/integrations/jamf/privilege_escalation_user_added_to_admin_group.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/integrations/jamf/privilege_escalation_user_added_to_admin_group.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Moved to rules/macos folder
* Removed rules from integration/jamf folder
* Update credential_access_high_volume_of_pbpaste.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update credential_access_high_volume_of_pbpaste.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update credential_access_high_volume_of_pbpaste.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update credential_access_high_volume_of_pbpaste.toml
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
* minstack rules and support jamf_protect non-dataset
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co >
2024-09-12 15:03:56 -05:00
8618b1ad73
Support toml lint for investigate transforms ( #4066 )
2024-09-11 20:45:36 +05:30
6a1ba19f7c
Lock versions for releases: 8.10,8.11,8.12,8.13,8.14,8.15 ( #4050 )
2024-09-03 17:40:44 +05:30
0c38662cf3
[FR] [DAC] Add Support for Known Types to Auto-generated Schemas ( #3985 )
...
* Add support for autogen known type
* Add support for ML packages
* rename known_type to field_type
2024-08-28 10:48:00 -04:00
f7b7a04d53
[FR] Add Better Error Handling for CUSTOM_RULES_DIR ( #3990 )
...
* Add better error handling for CUSTOM_RULES_DIR
* Update detection_rules/config.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2024-08-28 10:30:45 -04:00
ba76c20b3d
Update import rules to repo help text. ( #4013 )
2024-08-26 10:20:32 -04:00
589aa33508
[Bug] Add historical Rules as Default when Build Package ( #4003 )
...
* Add historical Rules as Default
* Update num latest rule versions
* Update split for parsing
* Update saved version
* Remove if else
* write historical rules with versions
---------
Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co >
2024-08-21 18:00:02 -04:00
c77356c0f2
Refresh Integration Manifest and Schema ( #4001 )
2024-08-21 22:24:05 +05:30
fbe47298cf
Lock versions for releases: 8.10,8.11,8.12,8.13,8.14,8.15 ( #3997 )
2024-08-20 23:46:25 +05:30
Eric Forte