* [New] Multiple Alerts in Same ATT&CK Tactic by Host
This rule uses alert data to determine when multiple alerts in the same phase of an attack involving the same host are triggered. Analysts can use this to prioritize triage and response, as these hosts are more likely to be compromised.
* Update multiple_alerts_same_tactic_by_host.toml
* Update rules/cross-platform/multiple_alerts_same_tactic_by_host.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
* Update non-ecs-schema.json
* Update multiple_alerts_same_tactic_by_host.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
* [New] Multiple External EDR Alerts by Host
This rule uses alert data to determine when multiple external EDR alerts involving the same host are triggered. Analysts can use this to prioritize triage and response, as these hosts are more likely to be compromised.
* Update multiple_external_edr_alerts_by_host.toml
* Update multiple_external_edr_alerts_by_host.toml
* Update multiple_external_edr_alerts_by_host.toml
* Update multiple_external_edr_alerts_by_host.toml
* Update multiple_external_edr_alerts_by_host.toml
* Update multiple_external_edr_alerts_by_host.toml
* Update multiple_external_edr_alerts_by_host.toml
* Update multiple_external_edr_alerts_by_host.toml
* Update multiple_external_edr_alerts_by_host.toml
* Update multiple_external_edr_alerts_by_host.toml
* Update multiple_external_edr_alerts_by_host.toml
* Update multiple_external_edr_alerts_by_host.toml
* Update multiple_external_edr_alerts_by_host.toml
* [Tuning] SMB (Windows File Sharing) Activity to the Internet
converted to new term (history search window set to 5 days by destination.ip) to reduce alerts volume. https://github.com/elastic/detection-rules/issues/5490
* Update initial_access_smb_windows_file_sharing_activity_to_the_internet.toml
* Update rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml
* Update rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* [New/Tuning] Several New Linux Rules
* Update collection_potential_video_recording_or_screenshot_activity.toml
* Update discovery_dmidecode_system_discovery.toml
* Update rules/linux/collection_potential_audio_recording_activity.toml
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
* Update exfiltration_potential_wget_data_exfiltration.toml
* [New Rule] Linux User or Group Deletion
---------
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
* [Rule Tuning] Linux DR Tuning - 3
* Update rules/linux/credential_access_aws_creds_search_inside_container.toml
* Adjust thresholds and expand event action handling
* Update credential_access_potential_linux_ssh_bruteforce_external.toml
* Increase threshold for SSH brute force detection
* Update credential_access_potential_linux_ssh_bruteforce_internal.toml
* Update credential_access_ssh_backdoor_log.toml
Removed 'auditbeat-*' from the index list.
* Refactor credential access rule for clarity
Removed redundant event.action expansion and filtering logic.
* Refactor ESQL query for SSH brute force detection
Refactor ESQL query to improve readability and maintainability by moving the event.action expansion and filtering logic.
* Update credential_access_potential_linux_ssh_bruteforce_internal.toml
* Update credential_access_potential_successful_linux_ftp_bruteforce.toml
* Update credential_access_potential_successful_linux_rdp_bruteforce.toml
* Update credential_access_potential_linux_ssh_bruteforce_internal.toml
* Add time window truncation to bruteforce rule
* Add time window truncation to SSH brute force rule
* Update credential_access_potential_linux_ssh_bruteforce_internal.toml
* Update SSH brute force detection rule to EQL
* Update CIDR match conditions for SSH brute force rule
* Update EQL query for SSH brute force detection
* [Rule Tuning] Linux DR Tuning - 6
* Fix syntax error in discovery_esxi_software_via_grep.toml
* Update discovery_pam_version_discovery.toml
* Update discovery_virtual_machine_fingerprinting.toml
* Revise investigation title for kernel module enumeration
Updated the title of the investigation section to clarify focus on unusual kernel module enumeration.
* Update discovery_port_scanning_activity_from_compromised_host.toml
* Enhance ESQL query for subnet scanning detection
Updated ESQL query to include additional fields and conditions for better analysis of connection attempts from compromised hosts.
* Remove Elastic Endgame data source from rule
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
* [Rule Tuning] Linux DR Tuning - 8
* Revise investigation guide for THC tool downloads
Updated investigation guide to reflect THC tool instead of SSH-IT worm. Enhanced description for clarity.
* Update exfiltration_unusual_file_transfer_utility_launched.toml
* Refine ESQL query for brute force malware detection
Updated the query to include additional fields and modified the conditions for filtering events.
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
* [Rule Tuning] Linux DR Tuning - 10
* Update persistence_udev_rule_creation.toml
* Refactor ESQL query for Linux process events
* Refactor query in persistence_web_server_sus_command_execution rule
Removed unnecessary fields from the query and added new fields for event dataset and data stream namespace.
* Update persistence_systemd_netcon.toml
* Update persistence_web_server_sus_child_spawned.toml
* Refactor process.parent.name conditions in TOML file
* Update persistence_web_server_unusual_command_execution.toml
* Update persistence_web_server_unusual_command_execution.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
* [New] Suspected Lateral Movement from Compromised Host
Detects potential lateral movement or post-compromise activity by correlating alerts where the host.ip of one alert matches the source.ip of a subsequent alert. This behavior may indicate a compromised host being used to authenticate to another system or resource, including cloud services.
* Update multiple_alerts_by_host_ip_and_source_ip.toml
* Update multiple_alerts_by_host_ip_and_source_ip.toml
* Update multiple_alerts_by_host_ip_and_source_ip.toml
* Update multiple_alerts_by_host_ip_and_source_ip.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
* [Rule Tuning] Linux DR Tuning - 9
* Update rules/linux/persistence_apt_package_manager_file_creation.toml
* Fix formatting in persistence_boot_file_copy.toml
* Update persistence_chkconfig_service_add.toml
* Change user.id values to string format in TOML
* Fix condition for Java process working directory
* Fix logical operator in OpenSSL passwd hash rule
* Fix syntax for working_directory check
* Fix condition for original file name check
* Update persistence_web_server_unusual_command_execution.toml
* Add cloud CLI tools to persistence rules
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
* [New] Multiple Elastic Defend Alerts from Single Process Tree
Detects multiple Elastic Defend EDR alerts originating from the same process tree, indicating coordinated malicious activity. Analysts can use this to prioritize triage and response, as these hosts are more likely to be compromised.
* Update multiple_alerts_edr_elastic_same_process_tree.toml
* Update rules/cross-platform/multiple_alerts_edr_elastic_same_process_tree.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/cross-platform/multiple_alerts_edr_elastic_same_process_tree.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/cross-platform/multiple_alerts_edr_elastic_same_process_tree.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update multiple_alerts_edr_elastic_same_process_tree.toml
* Update multiple_alerts_edr_elastic_same_process_tree.toml
* Update multiple_alerts_edr_elastic_same_process_tree.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* [Rule Tuning] AWS Service Quotas Multi-Region GetServiceQuota Requests
This rule is alerting as expected with very few instances in telemetry (only have data from 1 cluster).
- added more fields for context in the query.
- added metadata fields to query
- reduced execution window
- added highlighted fields
#### screenshot of working query with additional context
* Update rules/integrations/aws/discovery_servicequotas_multi_region_service_quota_requests.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
This rule is triggering as expected with moderate telemetry volume (high spikes for what looks like expected cleanup jobs) in specific cluster. No changes needed to the rule query.
- updated description, FP and IG
- reduced execution window
- updated highlighted fields
### AWS Config Resource Deletion
- added exclusions for services that perform Config modifications by design, reducing noise by 97% over the last 30 days.
- added success criteria to query as well
- increased severity to medium as this alert should be triaged
- updated description, false positive and investigation guide sections
- reduced execution window
- updated MITRE
- updated tags
- added highlighted fields
### AWS Configuration Recorder Stopped
no major query changes needed for this rule, performing as expected in telemetry with low volume as this is more rare activity.
- updated description, false positive and investigation guide sections
- reduced execution window
- updated MITRE
- updated tags
- added highlighted fields
* [Rule Tunings] AWS Lambda Rules
#### AWS Lambda Layer Added to Existing Function
This rule was missing alerts for the `UpdateFunctionConfiguration` action due to a missing wildcard.
- added missing wildcard to query
- reduced execution window
- updated description, FP and IG sections
- added highlighted fields
#### AWS Lambda Function Policy Updated to Allow Public Invocation
- changed this query to use EQL instead of KQL to optimize wildcard usage
- uses `event.type` as `event_category_override`
- reduced execution window
- updated description, FP and IG sections
- added highlighted fields
* Update rules/integrations/aws/persistence_lambda_backdoor_invoke_function_for_any_principal.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
There was a mistake in the query for this rule. It was looking for `event.provider: eventbridge.amazonaws.com` instead of `events.amazonaws.com`. So we have no existing telemetry for this rule. However, I have tested the behavior properly and ensured the new query does alert as expected. I will monitor this rule in telemetry moving forward to gauge it's performance.
- query change `event.provider: events.amazonaws.com`
- reduced execution window
- updated description, FP and IG sections
- updated tags
- added highlighted fields
Terrance DeJesus