Ross Wolf
331d321648
Make threat.technique optional (#727)
2020-12-17 20:22:59 -09:00
Justin Ibarra
e272800a5d
Add ATT&CK sub-technique support to CLI (#614)
* Add Mitre sub-technique support to CLI
* Add subtechnique enum to schema
* Add test to prevent duplicative tactics in mapping
2020-12-08 21:56:55 -09:00
Justin Ibarra
366e5002e1
[FR] Add experimental ML DGA CLI support (#361)
* Add DGA model commands
* Add upload/delete ML job command
* Add DGA release management commands
* Add Manifest handling
* Add GithubClient object
2020-12-01 22:25:33 -09:00
Justin Ibarra
97ee8cc9ac
Refresh beats and ecs schemas and default to use latest to validate (#570)
* Refresh beats and ecs schemas and default to use latest to validate
* remove incorrect ecs_version from zoom rule
* remove stale ecs_version from rules
2020-12-01 13:24:20 -09:00
Justin Ibarra
a575cf9ff3
[Rule Tuning] Use cidrMatch for eql rules checking multiple IPs (#431)
2020-10-29 11:06:24 -08:00
Justin Ibarra
0a992d716a
[Rule Tuning] Update EQL rules for 7.10 (#399)
* update syntax to reflect eql changes
* use more case-insensitivity
* comment out missing fields for winlogbeat compatibility
2020-10-21 12:35:18 -08:00
Justin Ibarra
bf202b6b6c
[New Rule] Initial converted EQL rules (#304)
* 18 converted eql rules (not all prod)
2020-09-30 21:40:55 -08:00
Justin Ibarra
7c1e9c1ed5
Update package summary extras produced during package generation (#341)
* update summary.txt
* add summary.xlsx
* add changelog entry autogeneration
2020-09-30 14:43:45 -08:00
Justin Ibarra
a212008f8c
[Rule Tuning] Remove event.module from rules for compatibility with agent integrations (#342)
2020-09-30 09:41:33 -08:00
Justin Ibarra
065bcd8018
Refresh ATT&CK data to v7.2 and expand threat validation (#330)
* refresh to latest ATT&CK 7.2
* add new unit test to further validate threat mappings
* updated threat mappings in rules to reflect changes
* new func to download and refresh mitre data based on version
2020-09-23 22:03:29 -08:00
Justin Ibarra
6ad3344af3
Collect unique query fields per rule (#296)
2020-09-23 14:36:34 -08:00
Ross Wolf
9d22970e21
Add EQL rules and schema validation (#297)
* Add EQL rules and schema validation
* Lint nitpick
* Rename get_schema_from_eql
* Add EQL default language
* Rename parsed_kql to parsed_query
* Fix parsed_kql method call in loader
* Autopopulate dependent values
2020-09-16 08:36:48 -06:00
Justin Ibarra
6b7ea7e66c
Fix kibana-diff command (#198)
2020-09-02 12:19:17 -05:00
Justin Ibarra
8f5ddbb121
Add better CLI support for handling Kibana exported rules (#83)
2020-07-27 23:31:19 -05:00
Ross Wolf
d15da0ada1
Add versioned schemas with a downgrade path (#84)
* Add versioned schemas with a downgrade path
* Remove and move unused variables
* Add missing license
* Skip NotField for output_index
* Add strip_additional_properties for kibana import
* Remove stray comment
* Apply suggestions from code review
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-07-23 11:39:35 -06:00
Ross Wolf
16fb306254
Add command to upload to kibana (#58)
* Add upload command to kibana
* Restore skipped fields
* Change prefix to DR_
* Add note to manage_versions call
* Reorder requirements.txt to trigger build
2020-07-20 15:58:28 -06:00
Justin Ibarra
1cfb8f92bb
Windows DNS server vulnerability (CVE-2020-1350) rules (#69)
2020-07-17 14:32:52 -05:00
Justin Ibarra
7647699e2b
Add support for threshold rules (#65)
2020-07-16 19:06:34 -05:00
Justin Ibarra
916917a619
Update rule.py
2020-07-15 09:40:07 -05:00
Ross Wolf
db4f50d4b8
Improve the validation and testing time (#61)
* Improve the validation and testing time
* Lint fix
* Cache schema validation
2020-07-15 08:05:55 -06:00
Ross Wolf
e2d97b0a74
Remove unreachable and legacy code
Co-Authored-By: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-06-30 10:12:23 -06:00
Ross Wolf
3b305d3003
Add rule loader and dependencies
Co-Authored-By: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-06-29 23:17:42 -06:00