Eric Forte
2265717c41
chore: Fix lock version for 9.3.2 Release (#5634)
* Min stack mv_contains
2026-01-27 22:38:39 -05:00
shashank-elastic
1ce072a4e5
Prep for Release 9.3 (#5548)
2026-01-12 21:07:07 +05:30
Ruben Groenewoud
34daf12d51
[New Rules] Several GitHub Related Rules (#5470)
* [New Rules] Several GitHub Related Rules
* Added additional references
* Update defense_evasion_secret_scanning_disabled.toml
* Update persistence_new_pat_created.toml
* Added two more rules
* ++
* Update rules/integrations/github/impact_github_repository_activity_from_unusual_ip.toml
* Added github.repository_public to non_ecs
* Update impact_github_repository_activity_from_unusual_ip.toml
* Update rules/integrations/github/impact_high_number_of_failed_protected_branch_force_pushes_by_user.toml
* ++
* Update rules/integrations/github/exfiltration_high_number_of_cloning_by_user.toml
* Update rules/integrations/github/impact_high_number_of_closed_pull_requests_by_user.toml
* Update rules/integrations/github/impact_high_number_of_protected_branch_force_pushes_by_user.toml
* ++
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
2026-01-08 17:19:12 +01:00
Terrance DeJesus
57f18a1dcf
[New Rule] GitHub Actions Bot Pushed to Repository for First Time (#5438)
* [New Rule] GitHub Actions Bot Pushed to Repository for First Time
Fixes #5437
* Update rules/integrations/github/initial_access_github_actions_bot_first_push_to_repo.toml
* Update rules/integrations/github/initial_access_github_actions_bot_first_push_to_repo.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
* Update rules/integrations/github/initial_access_github_actions_bot_first_push_to_repo.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
* Adjusted rule name
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2025-12-18 09:58:57 -05:00
Terrance DeJesus
f43bf99698
[New Rule] GitHub Actions Workflow Injection Blocked (#5433)
* [New Rule] GitHub Actions Workflow Injection Blocked
Fixes #5431
* adjusts MITRE ATT&CK mappings
* adjusting file name
* updating GitHub integration schema; fixed MITRE mappings
* revert manifests / schemas to main
* added dynamic github fields to non-ecs file
* Update rules/integrations/github/initial_access_github_actions_workflow_injection_blocked.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/integrations/github/initial_access_github_actions_workflow_injection_blocked.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
* Update rules/integrations/github/initial_access_github_actions_workflow_injection_blocked.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* changed github actor ID reference
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2025-12-17 14:29:33 -05:00
Terrance DeJesus
f4085ad873
[Rule Tuning] New GitHub Self Hosted Action Runner (#5436)
Fixes #5435
2025-12-10 10:55:47 -05:00
Samirbous
02979fec68
[New/Tuning] NPM Shai-Hulud coverage (#5368)
* [New/Tuning] NPM Shai-Hulud coverage
https://socket.dev/blog/shai-hulud-strikes-again-v2
* Update command_and_control_curl_wget_spawn_via_nodejs_parent.toml
* Update command_and_control_curl_wget_spawn_via_nodejs_parent.toml
* Update command_and_control_curl_wget_spawn_via_nodejs_parent.toml
* Update credential_access_trufflehog_execution.toml
* Update credential_access_trufflehog_execution.toml
* Update credential_access_trufflehog_execution.toml
* Update rules/cross-platform/command_and_control_curl_wget_spawn_via_nodejs_parent.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
* Update rules/cross-platform/command_and_control_curl_wget_spawn_via_nodejs_parent.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
* Update rules/cross-platform/command_and_control_curl_wget_spawn_via_nodejs_parent.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
* Update rules/cross-platform/execution_register_github_actions_runner.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
* Update rules/cross-platform/execution_via_github_actions_runner.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
* Create initial_access_github_register_self_hosted_runner.toml
* Update initial_access_github_register_self_hosted_runner.toml
* Update initial_access_github_register_self_hosted_runner.toml
* Update initial_access_github_register_self_hosted_runner.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2025-12-02 10:57:12 +00:00
shashank-elastic
059d7efa25
Prep for Release 9.0 (#4550)
2025-03-20 20:32:07 +05:30
Mika Ayenson
fe8c81d762
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
Terrance DeJesus
052672b09f
[Rule Tuning] Update Okta and Github Min-Stack Versions for Release (#4290)
2024-12-09 20:58:33 +05:30
shashank-elastic
2c848c5111
Prep for Release 8.18 (#4288)
2024-12-09 18:25:13 +05:30
shashank-elastic
53cfeb76e3
Add event dataset for missing rule in Github integration (#4278)
2024-12-03 20:32:55 +05:30
shashank-elastic
5ab7565923
Minstack versions for Okta and Github Integration (#4273)
2024-11-27 18:39:41 +05:30
shashank-elastic
63e91c2f12
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
Mika Ayenson
2c3dbfc039
Revert "Back-porting Version Trimming (#3681)"
This reverts commit 71d2c59b5c.
2024-05-22 13:51:46 -05:00
shashank-elastic
71d2c59b5c
Back-porting Version Trimming (#3681)
2024-05-23 00:11:50 +05:30
Isai
442435830f
[New Rules] UEBA GitHub BBRs and Rules (#3174)
* [New Rules] UEBA GitHub BBRs and Rules
A new set of BBRs and rules that will be used to trigger new UEBA GitHub threshold Rules.
* Update rules/integrations/github/impact_github_member_removed_from_organization.toml
* Apply suggestions from code review
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
* edited BBR rules
-removed newly added member rule
* updated integration manifests and schemas
* Updated min_stack for some rules based on newest GitHub integration schema manifest
* testing min_stack bump to 8.8 for new fields
* removing offending rule to troubleshoot separately
* added UEBA tags and created UEBA threshold rule
* updated non-ecs-schema to add signal.rule.tags
* updated non-ecs-schema with kibana.alert.workflow_status
* updated rule.threat.tactic
* added user.name to non-ecs-schema
* added quotes to kibana.alert.workflow_status value
* removed trailing space from rule name
* update tags and optimize query for UEBA threshold rule
* removed integration field from Higher-Order rule
* Apply suggestions from code review
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* adjusted new_terms order and rule types based on review feedback
* Apply suggestions from code review
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
* remove user.name from detection_rules/etc/non-ecs-schema.json
* fix json formatting
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
2024-01-22 12:48:31 -05:00
Isai
374c9c6257
[New Rule] New GitHub App Installed (#3055)
* new rule
* Update rules/integrations/github/execution_new_github_app_installed.toml
* Update rules/integrations/github/execution_new_github_app_installed.toml
edits from review
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
* change query from event.module to event.dataset
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2023-10-12 20:10:20 -04:00
Isai
ef8f5620e1
[New Rule] New GitHub Owner Added (#3090)
* [New Rule] New GitHub Owner Added
new rule
* name change
* Apply suggestions from code review
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
2023-10-06 15:57:26 -04:00
Isai
9593412847
[New Rule] GitHub Owner Role Granted to User (#3087)
* [New Rule] GitHub Owner Role Granted to User
new rule
* Update persistence_organization_owner_role_granted.toml
* updated integration schema
* changed timestamp_override
* Apply suggestions from code review
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2023-10-06 15:44:04 -04:00
Isai
9146e0965d
[New Rule] Github Repository Deleted (#3056)
* new rule
* Update rules/integrations/github/impact_github_repository_deleted.toml
* Update rules/integrations/github/impact_github_repository_deleted.toml
updates based on review
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2023-09-14 18:00:25 -04:00
Isai
904e37b732
[New Rule] GitHub Protected Branch Settings Changed (#3054)
* new rule file
* testing query change
* query changed back
* Update rules/integrations/github/defense_evasion_github_protected_branch_settings_changed.toml
updates based on review
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
* updated integration manifests with github schema
* Update defense_evasion_github_protected_branch_settings_changed.toml
added event.dataset to query
* added timestamp_override
* changed timestamp_override to @timestamp
* changed timestamp_override
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
2023-09-14 17:16:51 -04:00