7eeca006bc
[Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - 8 ( #4355 )
2025-01-09 11:38:26 -03:00
e66bca73e0
[Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - 7 ( #4349 )
...
* [Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - 7
* Update rules/linux/discovery_process_capabilities.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2025-01-09 11:28:21 -03:00
cc889e3bf2
[Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - 4 ( #4345 )
...
* [Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - 4
* Apply suggestions from code review
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2025-01-09 10:59:32 -03:00
0fc83fe815
[Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - 3 ( #4343 )
...
* [Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - 3
* .
* Update rules/linux/command_and_control_ip_forwarding_activity.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2025-01-09 10:35:58 -03:00
d6ceb88558
[Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - 6 ( #4348 )
2025-01-09 10:17:57 -03:00
f4a022c5d2
[Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - 5 ( #4346 )
...
* [Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - X
* Update rules/linux/defense_evasion_directory_creation_in_bin.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Update rules/linux/defense_evasion_mount_execution.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2025-01-09 09:44:40 -03:00
2af2e1f57b
[Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - 9 ( #4356 )
2025-01-09 08:29:51 -03:00
4142868956
[Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - 2 ( #4333 )
...
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
2025-01-08 15:23:19 -03:00
282f613ddf
[Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - 1 ( #4330 )
...
* [Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - 1
* min_stack
* Update defense_evasion_doas_configuration_creation_or_rename.toml
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
2025-01-08 14:40:43 -03:00
47571956a7
Lock versions for releases: 8.12,8.13,8.14,8.15,8.16,8.17 ( #4347 )
2025-01-07 22:54:34 +05:30
2edc062b53
Update ATT&CK coverage URL(s) in docs/ATT&CK-coverage.md ( #4344 )
2025-01-07 22:13:30 +05:30
a2b280a6fd
[New Hunts] Adding Several Hunting PRs into this Main PR ( #4342 )
...
* [New Hunt] Linux PAM Persistence
* Fixed notes
* [New Hunt] Persistence via Dynamic Linker Hijacking
* [New Hunt & Tuning] Persistence via LKMs
* [New Hunt] Persistence via Web Shells
* Update query
* [New Rule] Persistence via DPKG/RPM Package
* [New Hunt] Persistence via Container
* Update hunting/linux/queries/persistence_via_pluggable_authentication_module.toml
* [Hunt Addition] System User Interactive Session
* Merge branch 'main' into new-hunts-PAM
* Updates
* ++
* Match RTA bin executor
---------
Co-authored-by: Shashank K S <Shashank.Suryanarayana@elastic.co >
2025-01-07 14:29:17 +01:00
d16f56b4e2
[New Rule] SSH via Backdoored System User ( #4336 )
...
* [New Rule] SSH via Backdoored System User
* ++
* Update persistence_ssh_via_backdoored_system_user.toml
* Update persistence_ssh_via_backdoored_system_user.toml
* Update rules/linux/persistence_ssh_via_backdoored_system_user.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/persistence_ssh_via_backdoored_system_user.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2025-01-07 13:20:36 +01:00
2530c4d376
[New Rule] Pluggable Authentication Module Source Download ( #4301 )
...
* [New Rule] Pluggable Authentication Module Source Download
* Update persistence_pluggable_authentication_module_source_download.toml
* Update rules/linux/persistence_pluggable_authentication_module_source_download.toml
2025-01-07 13:04:05 +01:00
1a189a5749
[Python] Ignore Hunting Doc Changes for Version Code Checks ( #4331 )
...
* Ignore hunting docs for version code checks
* added index.md to be ignored
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2025-01-07 12:54:27 +01:00
318ab3ffa0
Enhance Readability of KQL validation check failures ( #4329 )
2025-01-06 22:18:05 +05:30
52db5e0361
Monthly Refresh ECS & Beats schemas, Integration manifests & schemas. ( #4332 )
2025-01-06 21:48:11 +05:30
419e5c1ad3
[Tuning] Suspicious WMI Event Subscription Created ( #4327 )
...
* Update persistence_sysmon_wmi_event_subscription.toml
* Update non-ecs-schema.json
* Update persistence_sysmon_wmi_event_subscription.toml
* Update detection_rules/etc/non-ecs-schema.json
* Update pyproject.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2025-01-06 09:40:26 -03:00
feaeabf60c
[New Rule] Dynamic Linker (ld.so) Creation ( #4306 )
2025-01-03 17:06:38 +01:00
fea5c90ed9
[New Rule] Kernel Object File Creation ( #4325 )
...
* [New Rule] Kernel Object File Creation
* ++
* Update rules/linux/persistence_kernel_object_file_creation.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2025-01-03 16:49:59 +01:00
466097c31e
[Rule Tuning] Potential Persistence via File Modification ( #4310 )
...
* [Rule Tuning] Potential Persistence via File Modification
* Update persistence_suspicious_file_modifications.toml
* Update persistence_suspicious_file_modifications.toml
2025-01-03 16:19:58 +01:00
53ca51b20c
[New Rule] Simple HTTP Web Server Connection ( #4309 )
2025-01-03 16:06:28 +01:00
e26e4e40b4
[New Rule] Simple HTTP Web Server Creation ( #4308 )
2025-01-03 15:54:25 +01:00
0273997581
[New Rule] Loadable Kernel Module Configuration File Creation ( #4307 )
2025-01-03 15:33:31 +01:00
7e775a6c95
[New Rule] Unusual Preload Environment Variable Process Execution ( #4305 )
2025-01-03 15:23:41 +01:00
9424a57207
[Rule Tuning] Creation or Modification of Pluggable Authentication Module or Configuration ( #4304 )
2025-01-03 15:05:05 +01:00
c9c8e3501e
[New Rule] Unusual SSHD Child Process ( #4303 )
...
* [New Rule] Unusual SSHD Child Process
* Update persistence_unusual_sshd_child_process.toml
2025-01-03 14:50:43 +01:00
c7fe940206
[New Rule] Pluggable Authentication Module Creation in Unusual Directory ( #4302 )
...
* [New Rule] Pluggable Authentication Module Creation in Unusual Directory
* Update persistence_pluggable_authentication_module_creation_in_unusual_dir.toml
* Update rules/linux/persistence_pluggable_authentication_module_creation_in_unusual_dir.toml
2025-01-03 14:35:08 +01:00
5384191934
[New Rule] PAM Version Discovery ( #4300 )
...
* [New Rule] PAM Version Discovery
* Update discovery_pam_version_discovery.toml
* Update discovery_pam_version_discovery.toml
* Update discovery_pam_version_discovery.toml
* Update rules/linux/discovery_pam_version_discovery.toml
2025-01-03 14:25:38 +01:00
aca416a779
[Rule Tuning] Windows misc Rule Tuning ( #4298 )
2025-01-02 07:44:01 -03:00
c99cf9279d
[Tuning] Uncommon Registry Persistence Change ( #4286 )
...
* Update persistence_registry_uncommon.toml
Add registry rules for additional SMSS persistence vectors
* Update persistence_registry_uncommon.toml
* Update persistence_registry_uncommon.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2024-12-25 19:06:58 -03:00
9fb2dea7aa
[New Rule] Endpoint Security Promotion Rules for Specific Events ( #3533 )
...
* new endpoint security rules for specific alerts
* updated risk scores
* fixed rule names and UUIDs
* changed logic to use message field for detection vs prevention
* reverting changes
* reverting changes
* reverting to old commit
* reverting to old commit
* reverting to old commit
* reverting to old commit
* changed naming to Elastic Defend
* updated rule dates and min-stacks
* linted; adjusted queries
* updated ransomware, memory sig or shellcode risk
* Update rules/integrations/endpoint/elastic_endpoint_security.toml
* updated promotion rule
* fixed typos in naming
* updated setup guides
* added intervals
* added MITRE
* added investigation guide for Memory Threat
* ++
* ++
* Update rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.toml
Co-authored-by: natasha-moore-elastic <137783811+natasha-moore-elastic@users.noreply.github.com >
* Update rules/integrations/endpoint/elastic_endpoint_security_memory_signature_prevented.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/integrations/endpoint/elastic_endpoint_security_memory_signature_detected.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/integrations/endpoint/elastic_endpoint_security_malicious_file_prevented.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/integrations/endpoint/elastic_endpoint_security_memory_signature_detected.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/integrations/endpoint/elastic_endpoint_security_memory_signature_prevented.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/integrations/endpoint/elastic_endpoint_security_ransomware_detected.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/integrations/endpoint/elastic_endpoint_security_ransomware_prevented.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* ++
* ++
* ++
* ++
* Update rules/integrations/endpoint/elastic_endpoint_security.toml
* Update rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.toml
* Update rules/integrations/endpoint/elastic_endpoint_security_behavior_prevented.toml
* Update rules/integrations/endpoint/elastic_endpoint_security_malicious_file_detected.toml
* Update rules/integrations/endpoint/elastic_endpoint_security_memory_signature_prevented.toml
* ++
* ++
* ++
* Update rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update rules/integrations/endpoint/execution_elastic_malicious_file_detected.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update rules/integrations/endpoint/impact_elastic_ransomware_detected.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update rules/integrations/endpoint/elastic_endpoint_security_behavior_prevented.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update rules/integrations/endpoint/execution_elastic_malicious_file_prevented.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update rules/integrations/endpoint/impact_elastic_ransomware_prevented.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update rules/integrations/endpoint/defense_evasion_elastic_memory_threat_prevented.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update rules/integrations/endpoint/defense_evasion_elastic_memory_threat_prevented.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update rules/integrations/endpoint/elastic_endpoint_security_behavior_prevented.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update rules/integrations/endpoint/elastic_endpoint_security_behavior_prevented.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update rules/integrations/endpoint/execution_elastic_malicious_file_detected.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update rules/integrations/endpoint/execution_elastic_malicious_file_detected.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update rules/integrations/endpoint/execution_elastic_malicious_file_prevented.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update rules/integrations/endpoint/execution_elastic_malicious_file_prevented.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update rules/integrations/endpoint/execution_elastic_malicious_file_prevented.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update rules/integrations/endpoint/impact_elastic_ransomware_detected.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update rules/integrations/endpoint/impact_elastic_ransomware_detected.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update rules/integrations/endpoint/impact_elastic_ransomware_detected.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update rules/integrations/endpoint/impact_elastic_ransomware_prevented.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update rules/integrations/endpoint/impact_elastic_ransomware_prevented.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update rules/integrations/endpoint/defense_evasion_elastic_memory_threat_detected.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update rules/integrations/endpoint/impact_elastic_ransomware_prevented.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update rules/integrations/endpoint/defense_evasion_elastic_memory_threat_detected.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update rules/integrations/endpoint/defense_evasion_elastic_memory_threat_detected.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update rules/integrations/endpoint/defense_evasion_elastic_memory_threat_prevented.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update defense_evasion_elastic_memory_threat_prevented.toml
* toml-lint
* Update rules/integrations/endpoint/execution_elastic_malicious_file_detected.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* ++
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
Co-authored-by: Samirbous <Samir.Bousseaden@elastic.co >
Co-authored-by: natasha-moore-elastic <137783811+natasha-moore-elastic@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2024-12-19 13:24:23 -05:00
dad008ea34
[Rule Tuning] Lookback Times for Okta Multiple Session and AWS KMS Retrieval Rules ( #4324 )
...
* rule tuning Okta and AWS lookback times
* adjusted Query Registry using Built-in Tools
* adjusted My First Rule
* Update rules/cross-platform/guided_onboarding_sample_rule.toml
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
* Update rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2024-12-19 13:03:50 -05:00
2ff2965cb9
Enhance Readability of validation check failures ( #4299 )
2024-12-13 19:03:47 +05:30
28ffebbf5c
[New Hunt] Adding Hunting Query for AWS IAM Unusual AWS Access Key Usage for User ( #4280 )
...
* new hunt 'AWS IAM Unusual AWS Access Key Usage for User'
* updated version
* updating markdown
* bumping version
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
2024-12-12 14:56:20 -05:00
0a740074c9
new rule 'Azure Entra MFA TOTP Brute Force Attempts' ( #4297 )
2024-12-12 11:00:02 -05:00
3fa3349216
Update versioning support for 8.17 ( #4296 )
2024-12-10 23:43:04 +05:30
691126cd3d
Lock versions for releases: 8.12,8.13,8.14,8.15,8.16,8.17 ( #4295 )
2024-12-10 21:43:29 +05:30
f0291b440a
Minstack endpoint rules with process.group.id fields ( #4294 )
2024-12-10 21:03:32 +05:30
e6012b1db6
Removing ESQL query format error ( #4292 )
2024-12-10 09:27:37 -05:00
febdafa1f4
Lock versions for releases: 8.12,8.13,8.14,8.15,8.16,8.17 ( #4291 )
2024-12-09 21:38:33 +05:30
052672b09f
[Rule Tuning] Update Okta and Github Min-Stack Versions for Release ( #4290 )
2024-12-09 20:58:33 +05:30
e7b88ae3fc
[New Rule] Adding Coverage for Self-Created Login Profile for Root Accounts in AWS ( #4277 )
...
* new rule 'AWS IAM Login Profile Added for Root'
* added min-stack
* linted; fixed rule schema errors
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
2024-12-09 08:55:20 -05:00
2c848c5111
Prep for Release 8.18 ( #4288 )
2024-12-09 18:25:13 +05:30
511c108ba1
[Tuning] SDH - Possible Consent Grant Attack via Azure-Registered Application ( #4283 )
...
* [Tuning] Possible Consent Grant Attack via Azure-Registered Application
SDH related rule tuning for o365.audit dataset
* removing renamed field from query
2024-12-06 17:27:38 -05:00
d3c05a08cc
Add all historical versions for v8.17.0 and above packages ( #4279 )
2024-12-03 23:36:32 +05:30
801efb3d93
Protections for AWS Bedrock ( #4270 )
2024-12-03 21:56:39 +05:30
53cfeb76e3
Add event dataset for missing rule in Github integration ( #4278 )
2024-12-03 20:32:55 +05:30
86cc61c233
Lock versions for releases: 8.11,8.12,8.13,8.14,8.15,8.16 ( #4274 )
...
* Locked versions for releases: 8.11,8.12,8.13,8.14,8.15,8.16
* Update detection_rules/etc/version.lock.json
* Update Patch version for version lock changes
---------
Co-authored-by: shashank-elastic <shashank-elastic@users.noreply.github.com >
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
Co-authored-by: Shashank K S <Shashank.Suryanarayana@elastic.co >
2024-11-27 09:34:54 -05:00
5ab7565923
Minstack versions for Okta and Github Integration ( #4273 )
2024-11-27 18:39:41 +05:30
Jonhnathan