Terrance DeJesus
7be96ec64d
[Rule Tuning] Add Public Snapshot Coverage Regarding AWS EC2 EBS Snapshot Shared or Made Public (#4335)
* removing detection gap for EBS snapshots that are made public
* reverted logic; added investigation note about public snapshots
2025-01-20 13:15:41 -05:00
Ruben Groenewoud
01eda44298
[Rule Tuning] Linux Persistence Rules (#4393)
* [Rule Tuning] Linux Persistence Rules
* Update persistence_suspicious_file_modifications.toml
* Update rules/linux/persistence_potential_persistence_script_executable_bit_set.toml
2025-01-20 09:51:49 +01:00
Terrance DeJesus
ca3994af0d
[Deprecation] Deprecating Potential Password Spraying of Microsoft 365 User Accounts (#4394)
* Deprecating 'Potential Password Spraying of Microsoft 365 User Accounts'
* adding 'Deprecated - Suspicious JAVA Child Process'
* updated dates
* changed to deprecated maturity
2025-01-17 10:52:13 -05:00
Terrance DeJesus
5162067a51
[New Rule] Adding Coverage for Unusual AWS S3 Object Encryption with SSE-C (#4377)
* new rule 'Unusual AWS S3 Object Encryption with SSE-C'
* updated pyproject patch version
* bump repo version
* Update rules/integrations/aws/impact_s3_unusual_object_encryption_with_sse_c.toml
* updating patch version
* updating patch version
* Adding additional threshold rule
2025-01-15 14:11:58 -05:00
Terrance DeJesus
c04ae6d444
[New Rule] Adding Coverage for SNS Topic Message Publish by Rare User (#4350)
* new rule 'SNS Topic Message Publish by Rare User'
* added new terms note
* added investigation guide tag
* fixed tag, added investigation fields
* toml lint
* fixed mitre ATT&CK mapping
2025-01-15 13:55:45 -05:00
Terrance DeJesus
97b3f43870
[New Rule] Adding Coverage for AWS EC2 Deprecated AMI Discovery (#4328)
* new rule 'AWS EC2 Deprecated AMI Discovery'
* updated type
* updated non-ecs; bumped package version
* updated query
* added missing index
* updated patch version
2025-01-15 11:53:18 -05:00
Terrance DeJesus
f8312cc5b0
[Rule Tuning] Adjusting Verbiage for AWS EC2 Instance Connect SSH Public Key Uploaded (#4334)
* tuning rule 'AWS EC2 Instance Connect SSH Public Key Uploaded'
* updating subtechnique ID
* added mitre tag lateral movement
* changing sequence of mitre ATT&CK
2025-01-15 11:12:53 -05:00
Terrance DeJesus
f97007f3a8
[New Rule] Adding Coverage for AWS SQS Queue Purge (#4354)
* new rule 'AWS SQS Queue Purge'
* Update rules/integrations/aws/defense_evastion_sqs_purge_queue.toml
* added investigation guide tag; fixed file name
2025-01-15 10:52:22 -05:00
James Valente
f52cfb3729
[Rule: Tuning] - Azure blob permission modification tagging - Correct tags (#4371)
* Remove `Data Source: Elastic Defend` tag
* Update metadata
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2025-01-13 10:40:34 -03:00
Ruben Groenewoud
466097c31e
[Rule Tuning] Potential Persistence via File Modification (#4310)
* [Rule Tuning] Potential Persistence via File Modification
* Update persistence_suspicious_file_modifications.toml
* Update persistence_suspicious_file_modifications.toml
2025-01-03 16:19:58 +01:00
Terrance DeJesus
9fb2dea7aa
[New Rule] Endpoint Security Promotion Rules for Specific Events (#3533)
* new endpoint security rules for specific alerts
* updated risk scores
* fixed rule names and UUIDs
* changed logic to use message field for detection vs prevention
* reverting changes
* reverting changes
* reverting to old commit
* reverting to old commit
* reverting to old commit
* reverting to old commit
* changed naming to Elastic Defend
* updated rule dates and min-stacks
* linted; adjusted queries
* updated ransomware, memory sig or shellcode risk
* Update rules/integrations/endpoint/elastic_endpoint_security.toml
* updated promotion rule
* fixed typos in naming
* updated setup guides
* added intervals
* added MITRE
* added investigation guide for Memory Threat
* ++
* ++
* Update rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.toml
Co-authored-by: natasha-moore-elastic <137783811+natasha-moore-elastic@users.noreply.github.com>
* Update rules/integrations/endpoint/elastic_endpoint_security_memory_signature_prevented.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/integrations/endpoint/elastic_endpoint_security_memory_signature_detected.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/integrations/endpoint/elastic_endpoint_security_malicious_file_prevented.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/integrations/endpoint/elastic_endpoint_security_memory_signature_detected.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/integrations/endpoint/elastic_endpoint_security_memory_signature_prevented.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/integrations/endpoint/elastic_endpoint_security_ransomware_detected.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/integrations/endpoint/elastic_endpoint_security_ransomware_prevented.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* ++
* ++
* ++
* ++
* Update rules/integrations/endpoint/elastic_endpoint_security.toml
* Update rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.toml
* Update rules/integrations/endpoint/elastic_endpoint_security_behavior_prevented.toml
* Update rules/integrations/endpoint/elastic_endpoint_security_malicious_file_detected.toml
* Update rules/integrations/endpoint/elastic_endpoint_security_memory_signature_prevented.toml
* ++
* ++
* ++
* Update rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update rules/integrations/endpoint/execution_elastic_malicious_file_detected.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update rules/integrations/endpoint/impact_elastic_ransomware_detected.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update rules/integrations/endpoint/elastic_endpoint_security_behavior_prevented.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update rules/integrations/endpoint/execution_elastic_malicious_file_prevented.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update rules/integrations/endpoint/impact_elastic_ransomware_prevented.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update rules/integrations/endpoint/defense_evasion_elastic_memory_threat_prevented.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update rules/integrations/endpoint/defense_evasion_elastic_memory_threat_prevented.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update rules/integrations/endpoint/elastic_endpoint_security_behavior_prevented.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update rules/integrations/endpoint/elastic_endpoint_security_behavior_prevented.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update rules/integrations/endpoint/execution_elastic_malicious_file_detected.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update rules/integrations/endpoint/execution_elastic_malicious_file_detected.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update rules/integrations/endpoint/execution_elastic_malicious_file_prevented.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update rules/integrations/endpoint/execution_elastic_malicious_file_prevented.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update rules/integrations/endpoint/execution_elastic_malicious_file_prevented.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update rules/integrations/endpoint/impact_elastic_ransomware_detected.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update rules/integrations/endpoint/impact_elastic_ransomware_detected.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update rules/integrations/endpoint/impact_elastic_ransomware_detected.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update rules/integrations/endpoint/impact_elastic_ransomware_prevented.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update rules/integrations/endpoint/impact_elastic_ransomware_prevented.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update rules/integrations/endpoint/defense_evasion_elastic_memory_threat_detected.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update rules/integrations/endpoint/impact_elastic_ransomware_prevented.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update rules/integrations/endpoint/defense_evasion_elastic_memory_threat_detected.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update rules/integrations/endpoint/defense_evasion_elastic_memory_threat_detected.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update rules/integrations/endpoint/defense_evasion_elastic_memory_threat_prevented.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update defense_evasion_elastic_memory_threat_prevented.toml
* toml-lint
* Update rules/integrations/endpoint/execution_elastic_malicious_file_detected.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* ++
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
Co-authored-by: Samirbous <Samir.Bousseaden@elastic.co>
Co-authored-by: natasha-moore-elastic <137783811+natasha-moore-elastic@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2024-12-19 13:24:23 -05:00
Terrance DeJesus
dad008ea34
[Rule Tuning] Lookback Times for Okta Multiple Session and AWS KMS Retrieval Rules (#4324)
* rule tuning Okta and AWS lookback times
* adjusted Query Registry using Built-in Tools
* adjusted My First Rule
* Update rules/cross-platform/guided_onboarding_sample_rule.toml
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
* Update rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
2024-12-19 13:03:50 -05:00
Terrance DeJesus
0a740074c9
new rule 'Azure Entra MFA TOTP Brute Force Attempts' (#4297)
2024-12-12 11:00:02 -05:00
Terrance DeJesus
e6012b1db6
Removing ESQL query format error (#4292)
2024-12-10 09:27:37 -05:00
Terrance DeJesus
052672b09f
[Rule Tuning] Update Okta and GitHub Min-Stack Versions for Release (#4290)
2024-12-09 20:58:33 +05:30
Terrance DeJesus
e7b88ae3fc
[New Rule] Adding Coverage for Self-Created Login Profile for Root Accounts in AWS (#4277)
* new rule 'AWS IAM Login Profile Added for Root'
* added min-stack
* linted; fixed rule schema errors
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2024-12-09 08:55:20 -05:00
shashank-elastic
2c848c5111
Prep for Release 8.18 (#4288)
2024-12-09 18:25:13 +05:30
Isai
511c108ba1
[Tuning] SDH - Possible Consent Grant Attack via Azure-Registered Application (#4283)
* [Tuning] Possible Consent Grant Attack via Azure-Registered Application
SDH related rule tuning for o365.audit dataset
* removing renamed field from query
2024-12-06 17:27:38 -05:00
shashank-elastic
801efb3d93
Protections for AWS Bedrock (#4270)
2024-12-03 21:56:39 +05:30
shashank-elastic
53cfeb76e3
Add event dataset for missing rule in GitHub integration (#4278)
2024-12-03 20:32:55 +05:30
shashank-elastic
5ab7565923
Minstack versions for Okta and GitHub Integration (#4273)
2024-11-27 18:39:41 +05:30
Terrance DeJesus
2d79494068
new rule 'AWS STS AssumeRoot by Rare User and Member Account' (#4271)
2024-11-25 10:28:43 -05:00
Samirbous
f36845318e
[New] First Time Seen User Auth via DeviceCode Protocol (#4153)
* Create credential_access_first_time_seen_device_code_auth.toml
* Update credential_access_first_time_seen_device_code_auth.toml
* Update credential_access_first_time_seen_device_code_auth.toml
* Update rules/integrations/azure/credential_access_first_time_seen_device_code_auth.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update rules/integrations/azure/credential_access_first_time_seen_device_code_auth.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update credential_access_first_time_seen_device_code_auth.toml
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2024-11-11 13:04:18 +00:00
Terrance DeJesus
ef453d8f4d
[Rule Tuning] Add Investigation Fields to Specific AWS Rules (#4261)
* adding investigation fields to specific aws rules
* updated patch
* removing min-stack requirements
* removed user.name redundancy
* adjusted order of investigation fields
* adding source address
2024-11-08 23:11:18 -05:00
shashank-elastic
d2502c7394
Prep for Release 8.17 (#4256)
2024-11-07 23:53:04 +05:30
Terrance DeJesus
a92fdc18a1
[New Rule] Adding Coverage for AWS IAM Customer-Managed Policy Attached to Role by Rare User (#4245)
* adding new rule 'AWS IAM Customer-Managed Policy Attached to Role by Rare User'
* adding investigation guide tag
* adds new hunting query
* updated notes
* changed name
* adjusting pyproject.toml version
2024-11-06 13:36:13 -05:00
shashank-elastic
6a39009402
Add investigation guide for Amazon Bedrock Rules (#4247)
* Add investigation guide for Amazon Bedrock Rules
* updated date
* review comments
* review comments
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2024-11-06 12:58:02 -05:00
Terrance DeJesus
1cc160fe2e
[Rule Tuning] Add Investigation Guides to AWS Rules (#4249)
* adding investigation guides for existing AWS rules
* removing 'AWS EC2 Instance Interaction with IAM Service' rule tuning
* adding back newline
* adjusted mitre att&ck mapping
* adjusted query and rule name
* updating date
2024-11-06 12:29:14 -05:00
Terrance DeJesus
c602042954
[New Rule] Adding Coverage for AWS Discovery API Calls via CLI from a Single Resource (#4246)
* adding new rule 'AWS Multiple Discovery API Calls via CLI from a Single Resource'
* adjusted name
* adjusted ESQL functions
* changed query comment
* Update rules/integrations/aws/discovery_ec2_multiple_discovery_api_calls_via_cli.toml
* adjusted query
* added min-stack
* adjusted query
2024-11-06 12:14:38 -05:00
Terrance DeJesus
ef6344f5e6
[Rule Tuning] Tuning AWS STS Temporary Credentials via AssumeRole (#4228)
* tuning 'AWS STS Temporary Credentials via AssumeRole'
* linted; adjusted OR in query
* added investigation guide
* Update rules/integrations/aws/privilege_escalation_sts_temp_creds_via_assume_role.toml
* Update rules/integrations/aws/privilege_escalation_sts_temp_creds_via_assume_role.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
* added new rule 'AWS STS Role Assumption by User'
* adjusted UUID
* Update rules/integrations/aws/privilege_escalation_role_assumption_by_service.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
2024-11-06 12:01:07 -05:00
Terrance DeJesus
f486571dc6
[New Rule] Adding Coverage for AWS SSM Command Document Created by Rare User (#4229)
* new rule 'AWS SSM Command Document Created by Rare User'
* added another reference
* added investigation guide
* removed min-stack
* Update rules/integrations/aws/execution_ssm_command_document_created_by_rare_user.toml
2024-11-06 11:53:51 -05:00
Terrance DeJesus
1c9177ef6f
[New Rule] Adding Coverage for AWS IAM Create User via Assumed Role on EC2 Instance (#4244)
* adding new rule 'AWS IAM Create User via Assumed Role on EC2 Instance'
* adding false-positive note
* changed file name
* added event.provider
* tuned 'AWS EC2 Instance Interaction with IAM Service' to be BBR
* updated query
* added BBR tag
* moved rule to BBR
* fixed BBR query
* moved rule to BBR
2024-11-06 11:28:41 -05:00
Terrance DeJesus
d5f36b3619
[New Rule] Adding Coverage for AWS SNS Email Subscription by Rare User (#4224)
* adding new rule 'AWS SNS Email Subscription by Rare User'
* updated mitre; adjusted non-ecs schema; fixed query
* removed protocol inclusion in query
* fixed risk score
* Update rules/integrations/aws/exfiltration_sns_email_subscription_by_rare_user.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
* Update rules/integrations/aws/exfiltration_sns_email_subscription_by_rare_user.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
2024-11-06 11:19:30 -05:00
Isai
09ea35f33a
[New Rule] AWS STS AssumeRole with New MFA Device [Rule Tuning] AWS IAM Deactivation of MFA Device (#4210)
* [New Rule] [Rule Tuning] AWS STS AssumeRole with New MFA Device, AWS IAM Deactivation of MFA Device
New terms rule for new MFA device with AssumeRole action. Rule tuning to add MITRE technique to "AWS IAM Deactivation of MFA Device"
* add serialNumber to non-ecs schema file
* fixed misspelled toml file name
* Update rules/integrations/aws/persistence_sts_assume_role_with_new_mfa.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2024-11-05 02:09:05 -05:00
Isai
b6847c7a48
[New Rule] AWS STS Role Chaining (#4209)
* [New Rule] AWS STS Role Chaining
Identifies role chaining activity. Role chaining is when you use one assumed role to assume a second role through the AWS CLI or API.
While this is a recognized functionality in AWS, role chaining can be abused for privilege escalation if the subsequent assumed role provides additional privileges.
Role chaining can also be used as a persistence mechanism as each AssumeRole action results in a refreshed session token with a 1 hour maximum duration.
This rule looks for role chaining activity happening within a single account, to eliminate false positives produced by common cross-account behavior.
* adding metadata query fields
* removing index field
2024-10-30 12:18:04 -04:00
shashank-elastic
123e090e7d
Fix Minstack version for Windows integration - Phase 2 (#4216)
2024-10-28 20:25:02 +05:30
shashank-elastic
be656ae740
Tune Bedrock rule to accept multivalued column (#4205)
2024-10-23 20:48:56 +05:30
Terrance DeJesus
61b731c300
[Rule Tuning] Remove Salesforce Client User-Agent Whitelisting in MFA Deactivation with no Re-Activation for Okta User Account (#4145)
* tuning
* added note about whitelisting user agent
* removed extra new line
2024-10-16 11:41:50 -04:00
Terrance DeJesus
06319b7a13
[Rule Tuning] Add KEEP Command to all ES|QL Rules (#4146)
* updating ES|QL rules to include KEEP command
* fixed some ES|QL rules with typos; added validation for KEEP command
* fixed ES|QL errors from missing fields
* fixed flake errors
* updated date
* added best practices to hunt docs
2024-10-09 21:08:38 -04:00
Terrance DeJesus
281926052c
[Rule Tuning] Add METADATA checks for non-aggregate ES|QL queries and fix existing (#4126)
* fixed existing rules;added query checks
* fixed flake errors
* added re.DOTALL to regex pattern, adjusted pattern slightly; reverted some rules
* removed valueError and replaced ValidationError
* adjusted validation error output based on feedback
* Update rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
* Update rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
* added space for failure
* updated to use re.compile
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
2024-10-09 15:25:36 -04:00
Terrance DeJesus
7674229f49
[New Rule] Successful Application SSO from Rare Unknown Client Device (#4141)
* new rule 'Successful Application SSO from Rare Unknown Client Device'
* removing extra newlines
* adjusted tags; adjusted risk
2024-10-07 12:11:57 -04:00
Terrance DeJesus
45a347580c
[Rule Tuning] Fixing Incorrect ES|QL Operator Use - AWS Service Quotas Multi-Region GetServiceQuota Request (#4118)
* fixing single equal operator
* Additional data source tag for consistency
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
2024-10-02 15:50:22 -04:00
Terrance DeJesus
ef4e433d97
[Rule Tuning] Ignore "Not Available" in o365.audit.UserId for Microsoft 365 Rules (#4105)
* tuning M365 impossible travel activity rules
* added additional filters for user type logins
* adjusted updated date
2024-09-28 18:13:03 -04:00
shashank-elastic
ef95a541f4
Fix GenAI Request Model ID Field (#4111)
2024-09-27 21:59:02 +05:30
Mika Ayenson
b80d8342d6
[Docs | Rule Tuning] Add blog references to rules (#4097)
* [Docs | Rule Tuning] Add blog references to rules
* Apply suggestions from code review
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Apply suggestions from code review
* Update google_workspace blog references
* add okta blog references
* Update dates
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2024-09-25 15:19:20 -05:00
Isai
0ed6b3f0a2
[Rule Tuning] AWS STS GetCallerIdentity API Called for the First Time (#4094)
Tuning this rule to exclude identity type `AssumedRole` as this is too common a behavior, often automated, and used to verify current identity and role assumptions. Therefore it is not as indicative of suspicious behavior when used by assumed roles. This rule will still trigger for `IAM User` and `Federated User` identity types. In telemetry this change reduces alerts from ~240,000 to 43 in the last 30 days.
2024-09-24 09:32:12 -04:00
Terrance DeJesus
bb9a772870
[New Rule] Okta Public Client App OAuth Token Request with Client Credentials (#4074)
* adding new rule for Okta public client app OAuth token request with client credentials
* Update detection_rules/etc/non-ecs-schema.json
* changing new terms to okta.actor.display_name
* linted; added references
2024-09-13 14:57:49 -04:00
shashank-elastic
3e25ea8c2b
[New Rule] AWS Bedrock Detections (#4072)
2024-09-13 19:46:47 +05:30
Terrance DeJesus
8d27b6069b
[Rule Tuning] M365/Azure Brute-Forcing New Rule and Tuning; Deprecate Similar Rule (#4057)
* deprecated rule; tuned for single source inclusion
* adjusted query comments
* added min-stack
* updated date
* added Azure-based rule for brute forcing
* added reference to o365spray
* fixed tag
* adjusted query comment
* added rule for repeat source
* adjusted query to use count distinct
* added intervals; adjusted lookback window according to time truncation
2024-09-10 11:26:40 -04:00
Terrance DeJesus
0a08f5e677
[New Rule] New Microsoft 365 Impossible Travel Rules and Deprecation (#4054)
* new impossible travel rules for o365; deprecated development rule
* deleted development rule as it has no lock version
* reverted rule deletion, added note about reliability and related rules
2024-09-05 17:36:56 -04:00