sigma-rules

Author	SHA1	Message	Date
Jonhnathan	26d5bad914	[Rule Tuning] O365 Exchange Suspicious Mailbox Right Delegation (#1741 ) * Update persistence_exchange_suspicious_mailbox_right_delegation.toml * fix year	2022-01-31 21:02:02 -03:00
Justin Ibarra	72c64de3f5	[Rule tuning] Update rules based on docs review (#1663 ) * [Rule tuning] Update rule verbiage based on docs review * fix typos Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * revert TI rule changes since it was deprecated Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>	2022-01-28 10:41:22 -09:00
Jonhnathan	189c2b152c	[New Rule] Email Reported by User as Malware or Phish (#1699 ) * Email Reported by User as Malware or Phish Initial Rule * Update initial_access_o365_user_reported_phish_malware.toml * Update rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2022-01-27 16:30:46 -03:00
Jonhnathan	f7bc13b437	[New Rule] OneDrive Malware File Upload (#1693 ) * "OneDrive Malware File Upload" Initial Rule * bump severity	2022-01-27 16:19:16 -03:00
Jonhnathan	1676844640	[New Rule] SharePoint Malware File Upload (#1691 ) * "SharePoint Malware File Upload" Initial Rule * s/onedrive/sharepoint * bump severity	2022-01-27 16:12:17 -03:00
Jonhnathan	14252d45ee	[New Rule] Global Administrator Role Assigned (#1686 ) * Initial Global Administrator Role Assigned Rules * Apply suggestions from code review Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2022-01-27 09:53:02 -03:00
Jonhnathan	7e4325dd7a	Create credential_access_mfa_push_brute_force.toml (#1682 )	2022-01-27 09:37:49 -03:00
Jonhnathan	38ae64f729	[Rule Tuning] GCP Kubernetes Rolebindings Created or Patched (#1718 ) * Update privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.toml * Update rules/integrations/gcp/privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2022-01-27 09:31:51 -03:00
Jonhnathan	0a23d820c9	[Rule Tuning] Fix event.outcome condition on O365 failed logon related rules (#1687 ) * Tune rule query * Update credential_access_microsoft_365_potential_password_spraying_attack.toml * Update defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml * Revert "Update defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml" This reverts commit 5a50aeeff6f1bb23bfeccdc6845e04eb7ccaea43.	2022-01-27 09:22:42 -03:00
Jonhnathan	50c7d5f262	[Rule Tuning] Microsoft 365 Inbox Forwarding Rule Created (#1683 ) * Inbox Rule Tuning * Add RedirectTo * Update non-ecs-schema.json	2022-01-27 09:20:49 -03:00
Jonhnathan	fdeb8cb1de	[Rule Tuning] Azure Virtual Network Device Modified or Deleted (#1679 ) * Update impact_virtual_network_device_modified.toml * Change case	2022-01-27 09:15:22 -03:00
Jonhnathan	b6d1c1476b	[Rule Tuning] Update Google Workspace rules to remove compatibility with deprecated gsuite integration (#1706 ) * Adjust queries and min_stack_version * Update reference to the filebeat module * adjust min_stack_version	2022-01-25 16:51:20 -09:00
Austin Songer	96ada9e223	[New Rule] Azure Suppression Rule Created (#1666 ) * Create defense_evasion_virtual_network_device_modified.toml * Update defense_evasion_virtual_network_device_modified.toml * Update defense_evasion_virtual_network_device_modified.toml * Update defense_evasion_virtual_network_device_modified.toml * Update defense_evasion_virtual_network_device_modified.toml * Update defense_evasion_virtual_network_device_modified.toml * Delete defense_evasion_virtual_network_device_modified.toml * Moved to correct directory. * Suppression Rule Created * Update defense_evasion_suppression_rule_created.toml * Update defense_evasion_suppression_rule_created.toml * Update defense_evasion_suppression_rule_created.toml * Update defense_evasion_suppression_rule_created.toml * Update defense_evasion_suppression_rule_created.toml * Update rules/integrations/azure/defense_evasion_suppression_rule_created.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update rules/integrations/azure/defense_evasion_suppression_rule_created.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update rules/integrations/azure/defense_evasion_suppression_rule_created.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>	2022-01-20 08:46:24 -03:00
Trevor Miller	101b781bef	[Rule Tuning] O365 Excessive Single Sign-On Logon Errors (#1680 ) * Change event.category to authentication The original had the event.category as "web" the correct value is "authentication" * Changed updated_date to todays date Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>	2022-01-20 08:32:30 -03:00
Jonhnathan	af354dc7e8	[New Rule] Mailbox Audit Logging Bypass (#1702 ) * "Mailbox Audit Logging Bypass" Initial Rule * Add reference * Update rules/integrations/o365/defense_evasion_microsoft_365_mailboxauditbypassassociation.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2022-01-13 17:33:08 -03:00
Justin Ibarra	9a60d7a26a	[Rule tuning] fix name for GCP Kubernetes Rolebindings Created or Patched (#1661 )	2021-12-13 08:59:56 -09:00
Justin Ibarra	14c46f50b9	[Rule Tuning] updates from documentation review for 7.16 (#1645 )	2021-12-07 15:42:58 -09:00
Austin Songer	521f0987ae	[New Rule] Azure Kubernetes Rolebindings Created (#1576 ) * Create azure_kubernetes_rolebinding_created_or_deleted.toml * Update * Update privilege_escalation_azure_kubernetes_rolebinding_created_or_deleted.toml * Update and rename privilege_escalation_azure_kubernetes_rolebinding_created_or_deleted.toml to privilege_escalation_azure_kubernetes_rolebinding_modified_or_deleted.toml * Update rules/integrations/azure/privilege_escalation_azure_kubernetes_rolebinding_modified_or_deleted.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update privilege_escalation_azure_kubernetes_rolebinding_modified_or_deleted.toml * Update privilege_escalation_azure_kubernetes_rolebinding_modified_or_deleted.toml * Update privilege_escalation_azure_kubernetes_rolebinding_modified_or_deleted.toml * Update and rename privilege_escalation_azure_kubernetes_rolebinding_modified_or_deleted.toml to privilege_escalation_azure_kubernetes_rolebinding_modified.toml * Update privilege_escalation_azure_kubernetes_rolebinding_modified.toml * Update privilege_escalation_azure_kubernetes_rolebinding_modified.toml * Update privilege_escalation_azure_kubernetes_rolebinding_modified.toml * Update and rename privilege_escalation_azure_kubernetes_rolebinding_modified.toml to privilege_escalation_azure_kubernetes_rolebinding_created.toml * Update privilege_escalation_azure_kubernetes_rolebinding_created.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>	2021-11-29 09:16:00 -03:00
Austin Songer	3dd32608a0	[New Rule] Azure Active Directory High Risk User AtRisk or Confirmed (#1579 ) * Create initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml * Update initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml * Update initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml * Update initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml * Update rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2021-11-17 19:38:12 -03:00
Justin Ibarra	ab17dfcc28	[Bug] Tighten definitions validation patterns (#1396 ) * [Bug] Anchor validation patterns * Deprecate rule with invalid rule_id and duplicate as new one Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>	2021-10-26 10:26:20 -05:00
Jonhnathan	4524c175c8	Add missing Integration field (#1537 ) * Add missing Integration field * Bump updated_date * Add test for integration<->path * Fix rule folder * bump updated date in rule Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>	2021-10-26 12:05:12 -03:00
Austin Songer	89553d84a9	[New Rule] AWS Route Table Created (#1257 ) * Update impact_iam_deactivate_mfa_device.toml https://github.com/elastic/detection-rules/issues/1111 * Update impact_iam_deactivate_mfa_device.toml * Update discovery_post_exploitation_external_ip_lookup.toml "ipapi.co", "ip-lookup.net", "ipstack.com" Update rules/aws/impact_iam_deactivate_mfa_device.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Revert "Update discovery_post_exploitation_external_ip_lookup.toml" This reverts commit b57fd60c9511e20a336d32a9c9b8d5cf9954c50e. * Update * New Rule: Okta User Attempted Unauthorized Access * Update privilege_escalation_okta_user_attempted_unauthorized_access.toml * Update privilege_escalation_okta_user_attempted_unauthorized_access.toml * Delete privilege_escalation_okta_user_attempted_unauthorized_access.toml * Create persistence_new-or-modified-federation-domain.toml * Delete persistence_new-or-modified-federation-domain.toml * Create persistence_route_table_created.toml * Update persistence_route_table_created.toml * Update rules/persistence_route_table_created.toml Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com> * Update persistence_route_table_created.toml * Update .gitignore Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update persistence_route_table_created.toml * Update * Update Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com> Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>	2021-10-26 10:25:53 -03:00
Justin Ibarra	5bdf70e72c	Add min_stack_comments to metadata schema (#1573 ) * Add min_stack_comments to metadata schema	2021-10-19 20:52:53 -08:00
Austin Songer	3ab67d1562	[New Rule] AWS EventBridge Rule Disabled or Deleted (#1572 ) * Create aws_eventbridge_rule_disabled_or_deleted.toml * Update aws_eventbridge_rule_disabled_or_deleted.toml * Update aws_eventbridge_rule_disabled_or_deleted.toml * Update aws_eventbridge_rule_disabled_or_deleted.toml * Update rules/integrations/aws/aws_eventbridge_rule_disabled_or_deleted.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update rules/integrations/aws/aws_eventbridge_rule_disabled_or_deleted.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update aws_eventbridge_rule_disabled_or_deleted.toml * Rename aws_eventbridge_rule_disabled_or_deleted.toml to impact_aws_eventbridge_rule_disabled_or_deleted.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>	2021-10-18 15:36:21 -03:00
Austin Songer	2c39bb962f	[New Rule] AWS EFS File System or Mount Deleted (#1462 ) * AWS EFS File System or Mount Deleted * Update impact_efs_filesystem_or_mount_deleted.toml * Update rules/integrations/aws/impact_efs_filesystem_or_mount_deleted.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update impact_efs_filesystem_or_mount_deleted.toml * Update impact_efs_filesystem_or_mount_deleted.toml * Update impact_efs_filesystem_or_mount_deleted.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>	2021-10-15 23:23:07 -03:00
Austin Songer	702524b1f7	[New Rule] AWS Suspicious SAML Activity (#1498 ) * Create privilege_escalation_aws_suspicious_saml_activity.toml * Update privilege_escalation_aws_suspicious_saml_activity.toml * Update privilege_escalation_aws_suspicious_saml_activity.toml * Update privilege_escalation_aws_suspicious_saml_activity.toml * Update privilege_escalation_aws_suspicious_saml_activity.toml * Update privilege_escalation_aws_suspicious_saml_activity.toml * Update privilege_escalation_aws_suspicious_saml_activity.toml * Update privilege_escalation_aws_suspicious_saml_activity.toml * Update privilege_escalation_aws_suspicious_saml_activity.toml * Add trailing / Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>	2021-10-15 23:11:15 -03:00
Austin Songer	50501bb40f	[New Rule] Azure Full Network Packet Capture Detected (#1420 ) * Create defense_evasion_virtual_network_device_modified.toml * Update defense_evasion_virtual_network_device_modified.toml * Update defense_evasion_virtual_network_device_modified.toml * Update defense_evasion_virtual_network_device_modified.toml * Update defense_evasion_virtual_network_device_modified.toml * Update defense_evasion_virtual_network_device_modified.toml * Delete defense_evasion_virtual_network_device_modified.toml * Create exfiltration_azure_full_network_packet_capture_detected.toml * Update exfiltration_azure_full_network_packet_capture_detected.toml * Update exfiltration_azure_full_network_packet_capture_detected.toml * Update exfiltration_azure_full_network_packet_capture_detected.toml * Update exfiltration_azure_full_network_packet_capture_detected.toml * Update exfiltration_azure_full_network_packet_capture_detected.toml * Update exfiltration_azure_full_network_packet_capture_detected.toml * Update exfiltration_azure_full_network_packet_capture_detected.toml * Update exfiltration_azure_full_network_packet_capture_detected.toml * Update rules/integrations/azure/exfiltration_azure_full_network_packet_capture_detected.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update rules/integrations/azure/exfiltration_azure_full_network_packet_capture_detected.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update exfiltration_azure_full_network_packet_capture_detected.toml * Update exfiltration_azure_full_network_packet_capture_detected.toml * Rename exfiltration_azure_full_network_packet_capture_detected.toml to credential_access_azure_full_network_packet_capture_detected.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>	2021-10-15 23:06:27 -03:00
Austin Songer	790586fb57	[New Rule] Azure Virtual Network Device Modified or Deleted (#1421 ) * Create defense_evasion_virtual_network_device_modified.toml * Update defense_evasion_virtual_network_device_modified.toml * Update defense_evasion_virtual_network_device_modified.toml * Update defense_evasion_virtual_network_device_modified.toml * Update defense_evasion_virtual_network_device_modified.toml * Update defense_evasion_virtual_network_device_modified.toml * Delete defense_evasion_virtual_network_device_modified.toml * Create defense_evasion_virtual_network_device_modified.toml * Update defense_evasion_virtual_network_device_modified.toml * Update rules/integrations/azure/defense_evasion_virtual_network_device_modified.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update rules/integrations/azure/defense_evasion_virtual_network_device_modified.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update defense_evasion_virtual_network_device_modified.toml * Update rules/integrations/azure/defense_evasion_virtual_network_device_modified.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Rename defense_evasion_virtual_network_device_modified.toml to impact_virtual_network_device_modified.toml * fix description Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>	2021-10-15 16:11:05 -03:00
Austin Songer	761df5fe84	[New Rule] Azure Kubernetes Pods Deleted (#1309 ) * Create impact_kubernetes_pod_deleted.toml * Update impact_kubernetes_pod_deleted.toml * Update * Update impact_kubernetes_pod_deleted.toml * quote value in query Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>	2021-10-15 16:07:39 -03:00
Austin Songer	dc980effb0	[New Rule] AWS RDS Snapshot Restored (#1312 ) * Create exfiltration_rds_snapshot_restored.toml * Update exfiltration_rds_snapshot_restored.toml * Delete exfiltration_rds_snapshot_restored.toml * Create exfiltration_rds_snapshot_restored.toml * Update * Update rules/integrations/aws/exfiltration_rds_snapshot_restored.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update rules/integrations/aws/exfiltration_rds_snapshot_restored.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update exfiltration_rds_snapshot_restored.toml * Update exfiltration_rds_snapshot_restored.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>	2021-10-15 16:05:00 -03:00
Austin Songer	3303a4e255	[New Rule] Microsoft 365 - Mass download by a single user (#1348 ) * Create impact_microsoft_365_mass_download_by_a_single_user.toml * Update impact_microsoft_365_mass_download_by_a_single_user.toml * Update impact_microsoft_365_mass_download_by_a_single_user.toml * Update impact_microsoft_365_mass_download_by_a_single_user.toml * Update impact_microsoft_365_mass_download_by_a_single_user.toml * Update impact_microsoft_365_mass_download_by_a_single_user.toml * Update * Update impact_microsoft_365_mass_download_by_a_single_user.toml * Update impact_microsoft_365_mass_download_by_a_single_user.toml * Update rules/integrations/o365/impact_microsoft_365_mass_download_by_a_single_user.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update impact_microsoft_365_mass_download_by_a_single_user.toml * Update impact_microsoft_365_mass_download_by_a_single_user.toml * Update rules/integrations/o365/impact_microsoft_365_mass_download_by_a_single_user.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>	2021-10-15 16:01:50 -03:00
Austin Songer	90504915ad	[New Rule] AWS Route53 hosted zone associated with a VPC (#1365 ) * Create persistence_route_53_hosted_zone_associated_with_a_vpc.toml * Update * Update rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update persistence_route_53_hosted_zone_associated_with_a_vpc.toml * Update persistence_route_53_hosted_zone_associated_with_a_vpc.toml * Update persistence_route_53_hosted_zone_associated_with_a_vpc.toml * Update persistence_route_53_hosted_zone_associated_with_a_vpc.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>	2021-10-15 15:59:33 -03:00
Austin Songer	d7eab5bbf3	[New Rule] AWS STS AssumeRole Usage (#1214 ) * Update impact_iam_deactivate_mfa_device.toml https://github.com/elastic/detection-rules/issues/1111 * Update impact_iam_deactivate_mfa_device.toml * Update discovery_post_exploitation_external_ip_lookup.toml "ipapi.co", "ip-lookup.net", "ipstack.com" Update rules/aws/impact_iam_deactivate_mfa_device.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Revert "Update discovery_post_exploitation_external_ip_lookup.toml" This reverts commit b57fd60c9511e20a336d32a9c9b8d5cf9954c50e. * Update * New Rule: Okta User Attempted Unauthorized Access * Update privilege_escalation_okta_user_attempted_unauthorized_access.toml * Update privilege_escalation_okta_user_attempted_unauthorized_access.toml * Delete privilege_escalation_okta_user_attempted_unauthorized_access.toml * Create persistence_new-or-modified-federation-domain.toml * Delete persistence_new-or-modified-federation-domain.toml * Create lateral_movement_sts_assumerole_abuse.toml * Rename lateral_movement_sts_assumerole_abuse.toml to privilege_escalation_sts_assumerole_abuse.toml * Update privilege_escalation_sts_assumerole_abuse.toml * Update privilege_escalation_sts_assumerole_abuse.toml * Update privilege_escalation_sts_assumerole_abuse.toml * Update * Update .gitignore Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update privilege_escalation_sts_assumerole_abuse.toml * Update privilege_escalation_sts_assumerole_abuse.toml * Update privilege_escalation_sts_assumerole_abuse.toml * Update and rename privilege_escalation_sts_assumerole_abuse.toml to privilege_escalation_sts_assumerole_usage.toml * Update rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Add note field * Update privilege_escalation_sts_assumerole_usage.toml * Update rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Adding Reference * Expand STS Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>	2021-10-15 15:56:10 -03:00
Austin Songer	27ba204f1c	[New Rule] GCP Kubernetes Rolebindings Created or Patched (#1267 ) * Update impact_iam_deactivate_mfa_device.toml https://github.com/elastic/detection-rules/issues/1111 * Update impact_iam_deactivate_mfa_device.toml * Update discovery_post_exploitation_external_ip_lookup.toml "ipapi.co", "ip-lookup.net", "ipstack.com" Update rules/aws/impact_iam_deactivate_mfa_device.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Revert "Update discovery_post_exploitation_external_ip_lookup.toml" This reverts commit b57fd60c9511e20a336d32a9c9b8d5cf9954c50e. * Update * New Rule: Okta User Attempted Unauthorized Access * Update privilege_escalation_okta_user_attempted_unauthorized_access.toml * Update privilege_escalation_okta_user_attempted_unauthorized_access.toml * Delete privilege_escalation_okta_user_attempted_unauthorized_access.toml * Create persistence_new-or-modified-federation-domain.toml * Delete persistence_new-or-modified-federation-domain.toml * Create credential_access_gcp_kubernetes_rolebindings_creation.toml * Update credential_access_gcp_kubernetes_rolebindings_creation.toml * Update credential_access_gcp_kubernetes_rolebindings_creation.toml * Update credential_access_gcp_kubernetes_rolebindings_creation.toml * Update credential_access_gcp_kubernetes_rolebindings_creation.toml * Update credential_access_gcp_kubernetes_rolebindings_creation.toml * Update credential_access_gcp_kubernetes_rolebindings_creation.toml * Update * Update .gitignore Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update rules/integrations/gcp/credential_access_gcp_kubernetes_rolebindings_creation.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update credential_access_gcp_kubernetes_rolebindings_creation.toml * Update credential_access_gcp_kubernetes_rolebindings_creation.toml * Update and rename credential_access_gcp_kubernetes_rolebindings_creation.toml to credential_access_gcp_kubernetes_rolebindings_created_or_patched.toml * Update credential_access_gcp_kubernetes_rolebindings_created_or_patched.toml * Update credential_access_gcp_kubernetes_rolebindings_created_or_patched.toml * Rename credential_access_gcp_kubernetes_rolebindings_created_or_patched.toml to privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.toml * remove space from query Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2021-10-15 15:42:25 -03:00
Austin Songer	7123d46623	[New Rule] Azure Blob Permissions Modification (#1499 ) * Create defense_evasion_azure_blob_permissions_modified.toml * Update defense_evasion_azure_blob_permissions_modified.toml * Update defense_evasion_azure_blob_permissions_modified.toml * Update description and query (spacing) Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>	2021-10-14 06:59:24 -03:00
Austin Songer	3d15c2072d	[New Rule] Azure Kubernetes Events Deleted (#1307 ) * Create defense_evasion_kubernetes_events_deleted.toml * Update defense_evasion_kubernetes_events_deleted.toml * Update defense_evasion_kubernetes_events_deleted.toml * Update * Update defense_evasion_kubernetes_events_deleted.toml * Update defense_evasion_kubernetes_events_deleted.toml * Update defense_evasion_kubernetes_events_deleted.toml * Update rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Add quotes to azure query field Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2021-10-14 06:57:33 -03:00
Austin Songer	11fa592c6f	[New Rule] Microsoft 365 - Impossible travel activity (#1344 ) * Create initial_access_microsoft_365_impossible_travel_activity.toml * Update initial_access_microsoft_365_impossible_travel_activity.toml * Update initial_access_microsoft_365_impossible_travel_activity.toml * Update initial_access_microsoft_365_impossible_travel_activity.toml * Update initial_access_microsoft_365_impossible_travel_activity.toml * Update initial_access_microsoft_365_impossible_travel_activity.toml * Update initial_access_microsoft_365_impossible_travel_activity.toml * Updated Directory * Update initial_access_microsoft_365_impossible_travel_activity.toml * Update rules/integrations/o365/initial_access_microsoft_365_impossible_travel_activity.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update initial_access_microsoft_365_impossible_travel_activity.toml * Update initial_access_microsoft_365_impossible_travel_activity.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>	2021-10-12 19:11:32 -03:00
Austin Songer	c8ac37957d	[New Rule] Microsoft 365 - User Restricted from Sending Email (#1345 ) * Create initial_access_microsoft_365_user_restricted_from_sending_email.toml * Update initial_access_microsoft_365_user_restricted_from_sending_email.toml * Update * Update initial_access_microsoft_365_user_restricted_from_sending_email.toml * Update rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update initial_access_microsoft_365_user_restricted_from_sending_email.toml * Update initial_access_microsoft_365_user_restricted_from_sending_email.toml * Update initial_access_microsoft_365_user_restricted_from_sending_email.toml * Fix technique * update description and FP Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2021-10-12 18:32:54 -03:00
Austin Songer	98c217ece9	[New Rule] Microsoft 365 - Potential ransomware activity (#1346 ) * Create impact_microsoft_365_potential_ransomware_activity.toml * Update impact_microsoft_365_potential_ransomware_activity.toml * Update impact_microsoft_365_potential_ransomware_activity.toml * Update * Update impact_microsoft_365_potential_ransomware_activity.toml * Update rules/integrations/o365/impact_microsoft_365_potential_ransomware_activity.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update impact_microsoft_365_potential_ransomware_activity.toml * Update impact_microsoft_365_potential_ransomware_activity.toml * bump to prod Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2021-10-12 18:26:17 -03:00
Austin Songer	82e72a956b	[New Rule] AWS Route Table Modified or Deleted (#1258 ) * Update impact_iam_deactivate_mfa_device.toml https://github.com/elastic/detection-rules/issues/1111 * Update impact_iam_deactivate_mfa_device.toml * Update discovery_post_exploitation_external_ip_lookup.toml "ipapi.co", "ip-lookup.net", "ipstack.com" Update rules/aws/impact_iam_deactivate_mfa_device.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Revert "Update discovery_post_exploitation_external_ip_lookup.toml" This reverts commit b57fd60c9511e20a336d32a9c9b8d5cf9954c50e. * Update * New Rule: Okta User Attempted Unauthorized Access * Update privilege_escalation_okta_user_attempted_unauthorized_access.toml * Update privilege_escalation_okta_user_attempted_unauthorized_access.toml * Delete privilege_escalation_okta_user_attempted_unauthorized_access.toml * Create persistence_new-or-modified-federation-domain.toml * Delete persistence_new-or-modified-federation-domain.toml * Create persistence_route_table_modified_or_deleted.toml * Update persistence_route_table_modified_or_deleted.toml * Update persistence_route_table_modified_or_deleted.toml * Update * Update .gitignore Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update persistence_route_table_modified_or_deleted.toml * Update persistence_route_table_modified_or_deleted.toml * Update persistence_route_table_modified_or_deleted.toml * remove space from query Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2021-10-12 15:16:48 -03:00
Austin Songer	9508002bb3	[New Rule] AWS ElastiCache Security Group Created (#1363 ) * Create persistence_elasticache_security_group_creation.toml * Update * Update rules/integrations/aws/persistence_elasticache_security_group_creation.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Rename persistence_elasticache_security_group_creation.toml to defense_evasion_elasticache_security_group_creation.toml * Update defense_evasion_elasticache_security_group_creation.toml * Update defense_evasion_elasticache_security_group_creation.toml * Re-add rule.threat * Update rules/integrations/aws/defense_evasion_elasticache_security_group_creation.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * remove extra space from query Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2021-10-05 14:00:29 -03:00
Austin Songer	3b0d2006b7	Made these pull requests before the directory restructure. (#1517 ) Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2021-10-05 09:29:40 -03:00
Austin Songer	0a3c44e8db	[Rule Tuning] AWS RDS Snapshot Export and AWS RDS Instance Created (#1514 )	2021-10-04 13:31:31 -08:00
Austin Songer	f41714642c	[New Rule] AWS ElastiCache Security Group Modified or Deleted (#1364 ) * Create impact_aws_elasticache_security_group_modified_or_deleted.toml * Rename impact_aws_elasticache_security_group_modified_or_deleted.toml to impact_elasticache_security_group_modified_or_deleted.toml * Update impact_elasticache_security_group_modified_or_deleted.toml * Update * Update rules/integrations/aws/impact_elasticache_security_group_modified_or_deleted.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update impact_elasticache_security_group_modified_or_deleted.toml * Update impact_elasticache_security_group_modified_or_deleted.toml * Rename impact_elasticache_security_group_modified_or_deleted.toml to defense_evasion_elasticache_security_group_modified_or_deleted.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2021-10-04 15:38:37 -03:00
Jonhnathan	ba9c01be50	Rename new_or_modified_federation_domain.toml to correspond with tactic (#1511 )	2021-09-30 13:08:35 -08:00
Jonhnathan	5e4a7e67df	[Rule Tuning] Small update on rule descriptions (#1508 )	2021-09-30 12:54:15 -08:00
Austin Songer	d28c48f20f	[New Rule] Azure Frontdoor Web Application Firewall (WAF) Policy Deleted (#1393 )	2021-09-29 09:08:09 -08:00
Austin Songer	a51ed86851	[New Rule] New or Modified Federation Domain (#1212 ) * Update impact_iam_deactivate_mfa_device.toml https://github.com/elastic/detection-rules/issues/1111 * Update impact_iam_deactivate_mfa_device.toml * Update discovery_post_exploitation_external_ip_lookup.toml "ipapi.co", "ip-lookup.net", "ipstack.com" Update rules/aws/impact_iam_deactivate_mfa_device.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Revert "Update discovery_post_exploitation_external_ip_lookup.toml" This reverts commit b57fd60c9511e20a336d32a9c9b8d5cf9954c50e. * Update * New Rule: Okta User Attempted Unauthorized Access * Update privilege_escalation_okta_user_attempted_unauthorized_access.toml * Update privilege_escalation_okta_user_attempted_unauthorized_access.toml * Delete privilege_escalation_okta_user_attempted_unauthorized_access.toml * Create persistence_new-or-modified-federation-domain.toml * Delete persistence_new-or-modified-federation-domain.toml * Create persistence_new-or-modified-federation-domain.toml * Rename persistence_new-or-modified-federation-domain.toml to persistence_new_or_modified_federation_domain.toml * Update persistence_new_or_modified_federation_domain.toml * Update .gitignore Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/microsoft-365/persistence_new_or_modified_federation_domain.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/microsoft-365/persistence_new_or_modified_federation_domain.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update persistence_new_or_modified_federation_domain.toml * Update persistence_new_or_modified_federation_domain.toml * Update persistence_new_or_modified_federation_domain.toml * Update * Update persistence_new_or_modified_federation_domain.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2021-09-29 09:16:17 -03:00
Austin Songer	93b8038d7d	[New Rule] AWS STS GetSessionToken Abuse (#1213 ) * Update impact_iam_deactivate_mfa_device.toml https://github.com/elastic/detection-rules/issues/1111 * Update impact_iam_deactivate_mfa_device.toml * Update discovery_post_exploitation_external_ip_lookup.toml "ipapi.co", "ip-lookup.net", "ipstack.com" Update rules/aws/impact_iam_deactivate_mfa_device.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Revert "Update discovery_post_exploitation_external_ip_lookup.toml" This reverts commit b57fd60c9511e20a336d32a9c9b8d5cf9954c50e. * Update * New Rule: Okta User Attempted Unauthorized Access * Update privilege_escalation_okta_user_attempted_unauthorized_access.toml * Update privilege_escalation_okta_user_attempted_unauthorized_access.toml * Delete privilege_escalation_okta_user_attempted_unauthorized_access.toml * Create persistence_new-or-modified-federation-domain.toml * Delete persistence_new-or-modified-federation-domain.toml * Create lateral_movement_sts_getsessiontoken_abuse.toml * Rename lateral_movement_sts_getsessiontoken_abuse.toml to privilege_escalation_sts_getsessiontoken_abuse.toml * Update privilege_escalation_sts_getsessiontoken_abuse.toml * Update rules/aws/privilege_escalation_sts_getsessiontoken_abuse.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update .gitignore Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update privilege_escalation_sts_getsessiontoken_abuse.toml * Update privilege_escalation_sts_getsessiontoken_abuse.toml * Update * Update rules/integrations/aws/privilege_escalation_sts_getsessiontoken_abuse.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>	2021-09-22 16:28:02 -03:00
Justin Ibarra	8e3b1d28c4	[Rule Tuning] Fix typos in rule metadata (#1494 ) Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>	2021-09-21 16:31:00 -03:00

1 2

59 Commits