Jonhnathan
f661eca2eb
[Rule Tuning] O365 Exchange Suspicious Mailbox Right Delegation ( #1741 )
* Update persistence_exchange_suspicious_mailbox_right_delegation.toml
* fix year
(cherry picked from commit 26d5bad914 )
2022-02-01 00:04:37 +00:00
Justin Ibarra
948e484070
[Rule tuning] Update rules based on docs review ( #1663 )
* [Rule tuning] Update rule verbiage based on docs review
* fix typos
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* revert TI rule changes since it was deprecated
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
(cherry picked from commit 72c64de3f5 )
2022-01-28 19:43:39 +00:00
Jonhnathan
012e88601e
[New Rule] Email Reported by User as Malware or Phish ( #1699 )
* Email Reported by User as Malware or Phish Initial Rule
* Update initial_access_o365_user_reported_phish_malware.toml
* Update rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit 189c2b152c )
2022-01-27 19:33:20 +00:00
Jonhnathan
c300fce9f7
[New Rule] OneDrive Malware File Upload ( #1693 )
* "OneDrive Malware File Upload" Initial Rule
* bump severity
(cherry picked from commit f7bc13b437 )
2022-01-27 19:22:11 +00:00
Jonhnathan
b0b52abbd5
[New Rule] SharePoint Malware File Upload ( #1691 )
* "SharePoint Malware File Upload" Initial Rule
* s/onedrive/sharepoint
* bump severity
(cherry picked from commit 1676844640 )
2022-01-27 19:15:20 +00:00
Jonhnathan
71c382b1f5
[New Rule] Global Administrator Role Assigned ( #1686 )
* Initial Global Administrator Role Assigned Rules
* Apply suggestions from code review
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit 14252d45ee )
2022-01-27 12:55:30 +00:00
Jonhnathan
042f9cfaa1
[Rule Tuning] Fix event.outcome condition on O365 failed logon related rules ( #1687 )
* Tune rule query
* Update credential_access_microsoft_365_potential_password_spraying_attack.toml
* Update defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml
* Revert "Update defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml"
This reverts commit 5a50aeeff6f1bb23bfeccdc6845e04eb7ccaea43.
(cherry picked from commit 0a23d820c9 )
2022-01-27 12:25:02 +00:00
Jonhnathan
51dbef8321
[Rule Tuning] Microsoft 365 Inbox Forwarding Rule Created ( #1683 )
* Inbox Rule Tuning
* Add RedirectTo
* Update non-ecs-schema.json
(cherry picked from commit 50c7d5f262 )
2022-01-27 12:23:36 +00:00
Trevor Miller
101b781bef
[Rule Tuning] O365 Excessive Single Sign-On Logon Errors ( #1680 )
* Change event.category to authentication
The original had the event.category as "web"; the correct value is "authentication".
* Changed updated_date to today's date
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
2022-01-20 08:32:30 -03:00
Jonhnathan
af354dc7e8
[New Rule] Mailbox Audit Logging Bypass ( #1702 )
* "Mailbox Audit Logging Bypass" Initial Rule
* Add reference
* Update rules/integrations/o365/defense_evasion_microsoft_365_mailboxauditbypassassociation.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2022-01-13 17:33:08 -03:00
Justin Ibarra
14c46f50b9
[Rule Tuning] updates from documentation review for 7.16 ( #1645 )
2021-12-07 15:42:58 -09:00
Jonhnathan
4524c175c8
Add missing Integration field ( #1537 )
* Add missing Integration field
* Bump updated_date
* Add test for integration<->path
* Fix rule folder
* bump updated date in rule
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
2021-10-26 12:05:12 -03:00
Austin Songer
3303a4e255
[New Rule] Microsoft 365 - Mass download by a single user ( #1348 )
* Create impact_microsoft_365_mass_download_by_a_single_user.toml
* Update impact_microsoft_365_mass_download_by_a_single_user.toml
* Update impact_microsoft_365_mass_download_by_a_single_user.toml
* Update impact_microsoft_365_mass_download_by_a_single_user.toml
* Update impact_microsoft_365_mass_download_by_a_single_user.toml
* Update impact_microsoft_365_mass_download_by_a_single_user.toml
* Update
* Update impact_microsoft_365_mass_download_by_a_single_user.toml
* Update impact_microsoft_365_mass_download_by_a_single_user.toml
* Update rules/integrations/o365/impact_microsoft_365_mass_download_by_a_single_user.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update impact_microsoft_365_mass_download_by_a_single_user.toml
* Update impact_microsoft_365_mass_download_by_a_single_user.toml
* Update rules/integrations/o365/impact_microsoft_365_mass_download_by_a_single_user.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
2021-10-15 16:01:50 -03:00
Austin Songer
11fa592c6f
[New Rule] Microsoft 365 - Impossible travel activity ( #1344 )
* Create initial_access_microsoft_365_impossible_travel_activity.toml
* Update initial_access_microsoft_365_impossible_travel_activity.toml
* Update initial_access_microsoft_365_impossible_travel_activity.toml
* Update initial_access_microsoft_365_impossible_travel_activity.toml
* Update initial_access_microsoft_365_impossible_travel_activity.toml
* Update initial_access_microsoft_365_impossible_travel_activity.toml
* Update initial_access_microsoft_365_impossible_travel_activity.toml
* Updated Directory
* Update initial_access_microsoft_365_impossible_travel_activity.toml
* Update rules/integrations/o365/initial_access_microsoft_365_impossible_travel_activity.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update initial_access_microsoft_365_impossible_travel_activity.toml
* Update initial_access_microsoft_365_impossible_travel_activity.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
2021-10-12 19:11:32 -03:00
Austin Songer
c8ac37957d
[New Rule] Microsoft 365 - User Restricted from Sending Email ( #1345 )
* Create initial_access_microsoft_365_user_restricted_from_sending_email.toml
* Update initial_access_microsoft_365_user_restricted_from_sending_email.toml
* Update
* Update initial_access_microsoft_365_user_restricted_from_sending_email.toml
* Update rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update initial_access_microsoft_365_user_restricted_from_sending_email.toml
* Update initial_access_microsoft_365_user_restricted_from_sending_email.toml
* Update initial_access_microsoft_365_user_restricted_from_sending_email.toml
* Fix technique
* update description and FP
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2021-10-12 18:32:54 -03:00
Austin Songer
98c217ece9
[New Rule] Microsoft 365 - Potential ransomware activity ( #1346 )
* Create impact_microsoft_365_potential_ransomware_activity.toml
* Update impact_microsoft_365_potential_ransomware_activity.toml
* Update impact_microsoft_365_potential_ransomware_activity.toml
* Update
* Update impact_microsoft_365_potential_ransomware_activity.toml
* Update rules/integrations/o365/impact_microsoft_365_potential_ransomware_activity.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update impact_microsoft_365_potential_ransomware_activity.toml
* Update impact_microsoft_365_potential_ransomware_activity.toml
* bump to prod
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2021-10-12 18:26:17 -03:00
Austin Songer
3b0d2006b7
Made these pull requests before the directory restructure. ( #1517 )
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2021-10-05 09:29:40 -03:00
Jonhnathan
ba9c01be50
Rename new_or_modified_federation_domain.toml to correspond with tactic ( #1511 )
2021-09-30 13:08:35 -08:00
Austin Songer
a51ed86851
[New Rule] New or Modified Federation Domain ( #1212 )
* Update impact_iam_deactivate_mfa_device.toml
https://github.com/elastic/detection-rules/issues/1111
* Update impact_iam_deactivate_mfa_device.toml
* Update discovery_post_exploitation_external_ip_lookup.toml
"*ipapi.co",
"*ip-lookup.net",
"*ipstack.com"
* Update rules/aws/impact_iam_deactivate_mfa_device.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Revert "Update discovery_post_exploitation_external_ip_lookup.toml"
This reverts commit b57fd60c9511e20a336d32a9c9b8d5cf9954c50e.
* Update
* New Rule: Okta User Attempted Unauthorized Access
* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml
* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml
* Delete privilege_escalation_okta_user_attempted_unauthorized_access.toml
* Create persistence_new-or-modified-federation-domain.toml
* Delete persistence_new-or-modified-federation-domain.toml
* Create persistence_new-or-modified-federation-domain.toml
* Rename persistence_new-or-modified-federation-domain.toml to persistence_new_or_modified_federation_domain.toml
* Update persistence_new_or_modified_federation_domain.toml
* Update .gitignore
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/microsoft-365/persistence_new_or_modified_federation_domain.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/microsoft-365/persistence_new_or_modified_federation_domain.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update persistence_new_or_modified_federation_domain.toml
* Update persistence_new_or_modified_federation_domain.toml
* Update persistence_new_or_modified_federation_domain.toml
* Update
* Update persistence_new_or_modified_federation_domain.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2021-09-29 09:16:17 -03:00
Justin Ibarra
b736d6e748
[Rule Tuning] Rule description tweaks ( #1388 )
2021-07-29 10:56:13 -08:00
Ross Wolf
1882f4456c
[Fleet] Track integrations in folder and metadata ( #1372 )
* Track integrations in folder and metadata
* Remove duplicate entry
* Update note and tests
2021-07-21 15:24:56 -06:00