8deeab2c4d
[Rule Tuning] Update EQL rules with lookback < maxspan ( #1362 )
...
* [Rule Tuning] Update EQL rules with lookback < maxspan
* update intervals to be at least interval >= 1/2 maxspan
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
(cherry picked from commit 4aab1278bf
2021-07-22 17:10:08 +00:00
cae7fac266
Fix metadata.extended ( #1377 )
...
(cherry picked from commit 5ba1c26cf1
2021-07-22 16:30:41 +00:00
600acca704
[Fleet] Track integrations in folder and metadata ( #1372 )
...
* Track integrations in folder and metadata
* Remove duplicate entry
* Update note and tests
(cherry picked from commit 1882f4456c
2021-07-21 21:25:48 +00:00
6d9997435f
[Rule Tuning] Convert unusual extension rule to regex ( #1368 )
...
* Convert unusual extension rule to regex
* Update defense_evasion_file_creation_mult_extension.toml
* Fix date
* Fix extension
(cherry picked from commit 9f3d5328f4
2021-07-21 17:50:36 +00:00
fc2f5866a2
[Rule Tuning] Creation of Hidden Files and Directories ( #1357 )
...
* [Rule Tuning] Creation of Hidden Files and Directories
* Remove redundant `A` from the regex
(cherry picked from commit 9b559d0cd9
2021-07-21 17:48:37 +00:00
f0270973bb
[Rule Tuning] Update Google Workspace rules to use google_workspace event schema ( #1374 )
...
* use google_workspace event schema
* update to use google_workspace schema
(cherry picked from commit 23626b814c
2021-07-21 17:39:45 +00:00
cb3ceb93da
[New Rule] Windows Defender Exclusions Added via PowerShell ( #1370 )
...
* Added new rule
* Update rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
* Update rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
* Added pwsh.exe to original name
* Added PowerShell MITRE reference
* Update rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit fbd4cf2117
2021-07-21 16:55:08 +00:00
07a7784659
Update cardinality field in schema for threshold rules ( #1349 )
...
* Make cardinality array in schema for threshold rules
* update master, 7.12, 7.13, and 7.14 schemas with cardinality fix
* fix 7.12 downgrade to handle cardinality as an array
* Add two new rules to detect agent spoofing
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
(cherry picked from commit 163d9e3864
2021-07-21 16:33:59 +00:00
bc82e214c7
[Rule Tuning] Mimikatz powershell module activity detected ( #1297 )
...
* update query
* add indexes
(cherry picked from commit 95e6458c6e
2021-07-21 07:09:02 +00:00
ce66c684b0
[Rule Tuning] Add Filebeat and Auditbeat to Network Rules ( #1282 )
...
* standardized indices and added the from field
(cherry picked from commit 34df7c6b89
2021-07-21 07:00:25 +00:00
324d46ee74
[New Rule] O365 Excessive SSO Logon Errors ( #1215 )
...
(cherry picked from commit 64c3f7cdc5
2021-07-21 06:55:57 +00:00
55d2780a6e
[New Rule] Disable Windows Event and Security Logs ( #1181 )
...
(cherry picked from commit c82790f588
2021-07-21 06:45:33 +00:00
4d69ad4ae6
[Rule Tuning] Suspicious CertUtil Commands ( #1180 )
...
* update name to Suspicious CertUtil Commands
* update description, query, and filename
(cherry picked from commit 4a11ef9514
2021-07-21 06:27:37 +00:00
8916b7dd4b
[Rule Tuning] External IP Lookup from Non-Browser Process ( #1147 )
...
* Added a couple domains
ipapi.co
ip-lookup.net
ipstack.com
(cherry picked from commit 920d973064
2021-07-21 05:48:34 +00:00
adc63cd84b
Add optional integration field to the schema ( #1359 )
...
(cherry picked from commit 816e31cd38
2021-07-19 18:53:54 +00:00
9b9bebbd27
[New Rule] Parent Process PID Spoofing ( #1338 )
...
* [New Rule] Parent Process PID Spoofing
* excluding sihost FPs
* Update rules/windows/defense_evasion_parent_process_pid_spoofing.toml
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
* relinted and added 2 non ecs fields
* Update rules/windows/defense_evasion_parent_process_pid_spoofing.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/defense_evasion_parent_process_pid_spoofing.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/defense_evasion_parent_process_pid_spoofing.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit 81ab43898c
2021-07-15 20:56:39 +00:00
cfc0fdd5db
Add 7.14 to the list of target backport branches ( #1341 )
...
(cherry picked from commit 809c06ad5f
2021-07-14 22:30:24 +00:00
77c23da1db
[CI] Publish to integrations from on-demand job ( #1340 )
...
* Add command to publish integrations PR
* Add workflow_dispatch job to publish package
* Get working directory dynamically
* Fix the repo settings
* Get the absolute path for local-repo
* Filter out 'main' branch
* Update the description for target_branch
* Fix workflow definition
* Move 'if' into job
* Update ref format
* Remove unnecessary E501 suppression
* Add a link to the full commit hash
* s/partial_args/prefix_args
2021-07-14 16:19:41 -06:00
7ec97e622f
[APM] Adds APM data stream 'traces-apm*' to apm rules ( #105334 ) ( #1335 )
2021-07-13 07:04:58 -06:00
1e6e5ef0a0
[CI] Update backport job to filter out incompatible rules ( #1332 )
...
* Update backport job to filter out incompatible rules
* Make $NEEDS_BACKPORT more honest
2021-07-12 14:41:48 -06:00
5b0f72ffc3
[CI/CD] Create on-demand job to release from Kibana ( #1334 )
...
* Add on-demand job to release to Kibana
* Update the inputs structure
* Archive the artifacts
2021-07-12 14:34:54 -06:00
cf736046f1
Add command to unstage incompatible rules from git ( #1317 )
...
* Add devtools unstage-incompatible-rules command
* Create ephemeral GitChangeEntry for R->D+A
* Undo changes to Github job
* Fix typo in comment
* s/previous_path/original_path
2021-07-08 13:44:04 -06:00
42957129ad
Lock versions for Fleet package 0.13.2 ( #1330 )
2021-07-07 15:43:40 -06:00
89420ae976
[New Rule] Potential PrintNightmare Exploitation rules ( #1326 )
...
* [New Rule] Potential PrintNightmare Exploitation rules
* added Potential PrintNightmare File Modification
* added spoolsv as process name to narrow more the scope
* added Suspicious Print Spooler File Deletion
* removed Suspicious Print Driver Registry Modification cuz of potential noise
* Update privilege_escalation_printspooler_malicious_registry_modification.toml
* Update rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/privilege_escalation_printspooler_malicious_registry_modification.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* adjusted description and added a comment for sysmon compatibility
* added FP note and relinted all files
* Update rules/windows/privilege_escalation_printspooler_malicious_driver_file_changes.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/privilege_escalation_printspooler_malicious_registry_modification.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* relinted
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2021-07-07 18:56:39 +02:00
9fadc4c1dc
[New Rule] Complementary Rules for Recent REvil TTPs ( #1329 )
...
* [New Rule] Complementary Rules for Recent REvil TTPs
* added OFN
* relinted and added T1574.002
* removed new line
* Update defense_evasion_disabling_windows_defender_powershell.toml
* corrected rule name
* added a reference url
* Update rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com >
* Update rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com >
* Update rules/windows/defense_evasion_execution_windefend_unusual_path.toml
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com >
* Update rules/windows/defense_evasion_execution_windefend_unusual_path.toml
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com >
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com >
2021-07-07 17:02:40 +02:00
63a39665e3
Make "config" in note field consistent ( #1310 )
...
* Add test to ensure consistent config in note field
* Update inconsistent rule
2021-07-06 15:54:01 -08:00
c82e89ad34
Add min_stack_version to 7.14+ only rules ( #1321 )
2021-07-06 13:42:09 -06:00
3120252982
Update the pythonpackage.yml job to only upload artifacts for 'push' ( #1322 )
2021-07-06 13:40:39 -06:00
b677264876
[DOCS] Update branching steps ( #1290 )
2021-07-02 09:48:25 -06:00
781953a0a0
Add min_stack_version to rule metadata ( #1173 )
...
* Add min_stack_version to metadata of rule structure
* validate all "stack versions" between defined and current package
* Use master schemas if min_stack_version > current_package
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
2021-06-30 13:26:27 -08:00
f1476b1637
Extend metadata with [metadata.extended] section ( #1306 )
...
* Extend metadata with `[metadata.extended]` section
* Remove whitespace
* Comment that it's a dict
2021-06-25 17:02:11 -06:00
1099f181f9
Add new ECS and beats schemas ( #1303 )
2021-06-23 14:08:23 -08:00
8e451f2318
[New Rule] AWS RDS Security Group Created ( #1260 )
...
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Brent Murphy <bmurphy@endgame.com >
2021-06-22 16:14:56 -08:00
fe14cd23ed
[New Rule] AWS RDS Security Group Deleted ( #1261 )
...
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Brent Murphy <bmurphy@endgame.com >
2021-06-22 16:09:15 -08:00
9d4574b267
[New Rule] AWS RDS Instance Creation ( #1269 )
...
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Brent Murphy <bmurphy@endgame.com >
2021-06-22 16:02:48 -08:00
ccae1dc841
[New Rule] AWS RDS Snapshot Export ( #1270 )
...
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Brent Murphy <bmurphy@endgame.com >
2021-06-22 15:58:13 -08:00
c215c44809
[Rule Tuning] Potential password spraying of microsoft 365 user accounts ( #1164 )
...
* Update impact_iam_deactivate_mfa_device.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
2021-06-22 13:36:13 -04:00
31f63e728e
Switch from process.ppid to process.parent.pid ( #1255 )
...
* Switch from process.ppid to process.parent.pid
* Bump updated date
* Bump updated date
2021-06-22 09:10:28 -06:00
d8ef9a81ef
[Rule Tuning] Attempts to Brute Force a Microsoft 365 User Account ( #1251 )
...
* Update credential_access_microsoft_365_brute_force_user_account_attempt.toml
* add authors
2021-06-22 08:38:49 -06:00
a8c9d7174f
Update initial_access_smb_windows_file_sharing_activity_to_the_internet.toml ( #1225 )
2021-06-22 10:22:01 -04:00
ea9a23af8d
[New Rule] AWS Route 53 Domain Transferred to Another Account ( #1198 )
2021-06-21 22:08:59 -08:00
2cadee1718
[New Rule] AWS Route 53 Domain Transfer Lock Disabled ( #1197 )
2021-06-21 22:05:53 -08:00
d7e0e37e54
[New Rule] EC2 Full Network Packet Capture Detected ( #1175 )
2021-06-21 22:00:48 -08:00
6986f28af6
[New Rule] Azure Service Principal Credentials Added ( #1169 )
...
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2021-06-21 21:49:45 -08:00
119cd60f4e
Lock versions for 0.13.1 package
2021-06-17 12:39:57 -06:00
1ff659a634
Update the package version to 0.14.0-dev.0
2021-06-17 07:25:41 -06:00
e897a67604
Fix fleet package generation ( #1296 )
...
* Fix fleet package generation
* Add .lstrip()
* Lint fix
* Add newline
2021-06-17 06:16:09 -06:00
f6839e98d1
Simplify version locking code and fix 7.13.0 lock ( #1295 )
...
* Update version lock overwrite command
* Fix tooling and restore old version lock
* Lint fix
* Fix tests
* Remove dead code
* Filter to prod+deprecated rules
* Cast set -> list
* Store deprecation info
* Add correct version.lock.json (finally)
* Fix "stack_version" typo
* Remove stack_version
* Back out main.py changes
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2021-06-16 18:02:47 -06:00
e41fe620e6
[New Rule] Add detection rules for auth ML jobs ( #1283 )
...
* Adding detection rules for auth ML jobs
* name prefix
added the prefix "auth" to the file names
* Added descriptions
* Adding new lines and updating license
* FP text
added FP metadata
Co-authored-by: Craig <mailredirector36@gmail.com >
2021-06-16 16:00:17 -07:00
e0fa25ae8e
Fix rules which were note using v2 license ( #1291 )
2021-06-16 08:21:30 -06:00
Justin Ibarra