Terrance DeJesus
8c19e9ff6c
[New Rule] Bitlocker Settings Disabled - Google Workspace (#2288)
* adding new rule
* adjusted UUID
2022-09-12 16:06:01 -04:00
Mika Ayenson
0358ec9d9a
Release ER Production RTAs to DR (#2270)
2022-09-08 12:50:39 -04:00
Justin Ibarra
332ea40100
Cleanup rule survey code (#1923)
* Cleanup rule survey code
* default to only unique-ing on process name for lucene rules
* fix bug in kibana url parsing by removing redundant port from domain
* update search-alerts columns and nest fields
* fix rule.contents.data.index
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
2022-09-06 15:53:47 -06:00
Justin Ibarra
0fc8006e7a
Update RTA common.py for py3 (#2287)
* add run-all argument and initial p2 conversion
* remove unicode
* format with black
2022-09-01 09:16:39 -06:00
TotalKnob
3ba777c1b1
[Rule Tuning] Disable Windows Firewall Rules via Netsh (#2231)
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
2022-08-26 13:10:08 -04:00
Terrance DeJesus
6a6ef0ce11
[New Rule] Restrictions for Google Marketplace Modified to Allow Any App - Google Workspace (#2268)
* adding new rule
* adjusted UUID to address unit testing failures
* adjusted UUID to address unit testing failures
* adjusted references
2022-08-26 12:43:30 -04:00
Terrance DeJesus
bd6befb168
[New Rule] Google Drive Ownership Transferred (#2265)
* adding new rule
* adjusted query format
* adjusted file and rule name to include google workspace
* Update collection_google_drive_ownership_transferred_via_google_workspace.toml
Fixed a couple of minor typos
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
2022-08-26 12:41:10 -04:00
Terrance DeJesus
18df50443c
[Rule Tuning] Admin Role Assigned to User - Google Workspace (#2266)
* tuning rule query and att&ck mappings
* adjusted description and query formatting
* Update rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* adjusted risk and severity
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
2022-08-26 12:35:44 -04:00
Terrance DeJesus
cd2539f1eb
[New Rule] User Group Access Modified to Allow External Access (#2264)
* adding new rule
* adjusting rule name, file name and description
* adjusted att&ck technique
* adjusted file and rule name to include google workspace
* adjusted references
* Update persistence_google_workspace_user_group_access_modified_to_allow_external_access.toml
Fixed a minor typo
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
2022-08-26 12:25:29 -04:00
Terrance DeJesus
c0a339e277
[New Rule] 2SV Policy Disabled - Google Workspace (#2271)
* adding new rule
* adjusted file name, query and rule name
2022-08-26 12:22:54 -04:00
Terrance DeJesus
e5399bc148
[New Rule] Application Removed from Blocklist - Google Workspace (#2267)
* adding new rule
* Update rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
2022-08-26 12:16:41 -04:00
TotalKnob
97e42d01d8
[Rule Tuning] SUNBURST Command and Control Activity (#2232)
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
2022-08-26 13:11:22 -03:00
Justin Ibarra
d37eac8d9d
Add test that newly introduced build-time fields for a min_stack for … (#2262)
* add test that newly introduced build-time fields for a min_stack for applicable rules.
* account for rules without min_stack_version
* limit test to >= stack ver
2022-08-25 21:56:16 -06:00
Jonhnathan
b19a02470b
Add TestRiskScoreMismatch (#2254)
2022-08-25 14:29:46 -03:00
Terrance DeJesus
5a04aaf671
[Bug] Integrations-Pr Command (Elastic-Package Linting and Version Adjustments) (#2054)
* started solution for integrations-pr bug
* Update devtools.py
* Update detection_rules/devtools.py
* Update detection_rules/devtools.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
2022-08-24 14:01:30 -04:00
github-actions[bot]
6ff7d2284d
Lock versions for releases: 7.16,8.0,8.1,8.2,8.3,8.4 (#2261)
* Locked versions for releases: 7.16,8.0,8.1,8.2,8.3,8.4
* adjusting version lock file to increase current version by 100
Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <terrance.dejesus@elastic.co>
2022-08-24 13:26:35 -04:00
Justin Ibarra
46d5e37b76
min_stack all rules to 8.3 (#2259)
* min_stack all rules to 8.3
* bump date
Co-authored-by: Mika Ayenson <mika.ayenson@elastic.co>
2022-08-24 10:38:49 -06:00
TotalKnob
023fbc7bbd
[Rule Tuning] Clearing Windows Event Logs (#2233)
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2022-08-23 21:41:30 -03:00
Mika Ayenson
dfef597794
[Rule Tuning] Suspicious Child Process of Adobe Acrobat Reader Update Service (#2192)
2022-08-23 10:10:40 -04:00
Mika Ayenson
2204459e73
[Rule Tuning] Finder Sync Plugin Registered and Enabled (#2172)
2022-08-23 09:59:43 -04:00
Mika Ayenson
2326b30a87
[Rule Tuning] Suspicious Browser Child Process (#2138)
2022-08-23 09:56:23 -04:00
Jonhnathan
c5ff8511a9
[Rule Tuning] Abnormal Process ID or Lock File Created (#2113)
* [Rule Tuning] Abnormal Process ID or Lock File Created
* Update rules/linux/execution_abnormal_process_id_file_created.toml
* Update execution_abnormal_process_id_file_created.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2022-08-23 09:59:31 -03:00
Jonhnathan
6631c4927d
[Rule Tuning] Microsoft 365 Inbox Forwarding Rule Created (#2240)
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2022-08-23 09:43:09 -03:00
Jonhnathan
6e2d20362a
[Rule Tuning] Standardizing Risk Score according to Severity (#2242)
2022-08-21 22:29:39 -03:00
Mika Ayenson
fbfe1e3530
set typing-inspect requirement to 0.7.1 (#2248)
2022-08-17 22:17:16 -04:00
Samirbous
d3420e3386
[Deprecate Rule] Suspicious Process from Conhost (#2222)
Only FPs, with no way to tune other than opening the rule for easy evasion by excluding by process.executable/args.
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2022-08-16 16:32:24 +02:00
Samirbous
8e0ae64a04
[Rule Tuning] Whoami Process Activity (#2224)
* added Whoami Process Activity
* Update discovery_whoami_command_activity.toml
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2022-08-16 16:26:10 +02:00
Samirbous
0f7b29918c
[Rule Tuning] Suspicious Execution via Scheduled Task (#2235)
Excluding `?:\\ProgramData` and a few other noisy FP patterns by process.args + name to reduce users' alert fatigue.
2022-08-15 21:50:23 +02:00
Samirbous
b89d6185b2
[Rule Tuning] Reduce FPs (#2223)
9 rules tuned to exclude common noisy FP patterns.
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2022-08-15 09:15:48 -05:00
github-actions[bot]
cb2ca45d56
Locked versions for releases: 7.16,8.0,8.1,8.2,8.3,8.4 (#2236)
Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2022-08-10 09:18:59 -04:00
Mika Ayenson
e7a1afbba0
only run on pull request (#2237)
2022-08-09 21:21:30 -04:00
Terrance DeJesus
2a3b584433
Prep for 8.5 branch (#2220)
* adding first commit
* renamed branch
* adjusted packages, stack schema and updated schemas
* updated integrations manifest
* adjusted comments to be a little more organized
* adjusted stack-schema-map
* refreshed ecs and beats schema, adjusted stack schema map accordingly
2022-08-09 17:14:42 -04:00
Jonhnathan
fc7a384d19
[Security Content] 8.4 - Add Investigation Guides - Windows - 2 (#2144)
* [Security Content] 8.4 - Add Investigation Guides - Windows - 2
* update date
* Apply suggestions from review
* Apply suggestions from code review
Co-authored-by: Joe Peeples <joe.peeples@elastic.co>
Co-authored-by: Joe Peeples <joe.peeples@elastic.co>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
2022-08-08 21:34:05 -03:00
Mika Ayenson
89cdae87c5
only add related_integration if on the correct stack (#2234)
2022-08-08 18:41:56 -04:00
Mika Ayenson
7d973a3b07
add new field related_integrations to the post build (#2060)
* add new field `related_integrations` to the post build
* add exception for endpoint `integration`
* Skip rules without related integrations
* lint
* refactor related_integrations to TOMLRuleContents class
* update to reflect required_fields updates
* add todo
* add new line for linting
* related_integrations updates, get_packaged_integrations returns list of dictionaries, started work on integrations py
* build_integrations_manifest command completed
* initial test completed for post-building related_integrations
* removed get_integration_manifest method from rule, removed global integrations path
* moved integration related methods to integrations.py and fixed flake issues
* adjustments for PipedQuery from eql sequence rules and packages with no integration
* adjusted github client import for integrations.py
* Update detection_rules/devtools.py
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update detection_rules/devtools.py
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* added integration manifest schema, made adjustments
* Update detection_rules/integrations.py
* Update detection_rules/rule.py
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update detection_rules/rule.py
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update detection_rules/integrations.py
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update detection_rules/integrations.py
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update detection_rules/integrations.py
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update detection_rules/rule.py
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* removed get_integrations_package to consolidate code
* removed type list return
* adjusted import flake errors
* Update detection_rules/integrations.py
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update detection_rules/integrations.py
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* adjusted indentation error
* adjusted rule.get_packaged_integrations to account for kql.ast.OrExpr if event.dataset is not set
* Update detection_rules/devtools.py
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update detection_rules/devtools.py
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update detection_rules/integrations.py
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update detection_rules/integrations.py
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* adjusted find_least_compatible_version in integrations.py
* Update detection_rules/integrations.py
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* fixed flake issues
* adjusted get_packaged_integrations
* iterate the ast for literal event.dataset values
* Update detection_rules/integrations.py
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update detection_rules/integrations.py
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update detection_rules/integrations.py
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update detection_rules/integrations.py
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* made small adjustments to address errors during build manifests command
* addressing integrations.find_least_compatible method to return None instead of raise error only
* Update detection_rules/integrations.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <terrance.dejesus@elastic.co>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2022-08-08 13:44:36 -04:00
Mika Ayenson
d1bc53e295
[Rule Tuning] Persistence via Folder Action Script (#2174)
* Exclude FPs for iterm
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2022-08-05 14:36:05 -04:00
Mika Ayenson
4f55e9b05f
[Rule Tuning] Potential Persistence via Login Hook (#2177)
* Exclude FPs for iMazing Profile Editor and backupd
2022-08-05 14:25:31 -04:00
Mika Ayenson
058f11f650
[Rule Tuning] Sublime Plugin or Application Script Modification (#2180)
* expand filter to sublime text contents
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2022-08-05 14:15:28 -04:00
TotalKnob
b043695833
Remove ambiguity from impact_modification_of_boot_config.toml (#2199)
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
2022-08-05 10:38:41 -03:00
Mika Ayenson
73584407d7
[Bug] Opening Issues in this Repo Causes "Run failed: Community - main" (#2214)
* use ghv6 and catch errors
2022-08-03 14:36:08 -04:00
Terrance DeJesus
a76c51ae17
[Deprecation rule] DNS Activity to the Internet (#2221)
2022-08-02 20:59:35 -05:00
Mika Ayenson
ecd10b672a
[Rule Tuning] Execution with Explicit Credentials via Scripting (#2190)
* add case sensitive Python process name and T1548
2022-08-02 14:21:00 -04:00
Mika Ayenson
d8e0c0fee3
[Rule Tuning] Suspicious Calendar File Modification (#2187)
* exclude fps for Mail.app
2022-08-02 14:06:57 -04:00
Samirbous
50bb821708
[Rules Tuning] Add support for Sysmon ImageLoad Events (#2215)
* [Rules Tuning] Add support for Sysmon ImageLoad Events
Added the correct event.category and event.action to rules using library events to support Sysmon event ID 7.
`event.category == "library"` --> `(event.category == "process" and event.action : "Image loaded*")`
`dll.name` --> `file.name`
* added Suspicious RDP ActiveX Client Loaded
* Delete workspace.xml
2022-08-02 18:40:26 +02:00
Samirbous
b15f0de9a4
[Rules Tuning] Diverse Windows Rules - FPs reduction (#2213)
* [Rules Tuning] 7 diverse Windows rules
Excluding FP patterns while avoiding breaking compatibility with winlogbeat and 4688 events' lack of codesign metadata.
* Update initial_access_suspicious_ms_exchange_process.toml
* Update privilege_escalation_persistence_phantom_dll.toml
* Update execution_psexec_lateral_movement_command.toml
* Update persistence_remote_password_reset.toml
* Update non-ecs-schema.json
* Update persistence_remote_password_reset.toml
* Update non-ecs-schema.json
* Update discovery_privileged_localgroup_membership.toml
2022-08-02 18:37:07 +02:00
Samirbous
a046dc0d29
[Deprecate rule] Whitespace Padding in Process Command Line (#2218)
Very noisy and will require frequent tuning, with a very low TP rate.
2022-08-02 18:30:57 +02:00
Samirbous
e5ee8e024f
[Deprecate Rule] File and Directory Discovery (#2217)
* [Deprecate Rule] File and Directory Discovery
Very noisy and most, if not all, are FPs; little room for tuning without rendering the rule easy to bypass.
* Delete workspace.xml
2022-08-02 17:57:28 +02:00
shashank-elastic
19d9a7eb87
Rule tuning as part of Linux Detection Rules Review (#2210)
2022-08-02 17:46:57 +05:30
Samirbous
04dcf09c03
[Rule Tuning] Suspicious Process Creation CallTrace (#2207)
Excluding some FPs by process.parent.executable and process.parent.args.
2022-08-01 19:00:13 +02:00
Samirbous
1f21c5c57f
[Rule Tuning] Unusual Service Host Child Process - Childless Service (#2208)
Excluding some noisy unique processes.
2022-08-01 18:40:45 +02:00