Justin Ibarra
0e0b2ea1a4
Update schema for threshold rule type for 7.12 ( #976 )
* Update schema for threshold rule type for 7.12
* add downgrade function to drop new fields
* update existing threshold rules
2021-03-05 14:35:50 -09:00
Justin Ibarra
3fc34b86f2
Update License to Elastic v2 ( #944 )
2021-03-03 22:12:11 -09:00
Justin Ibarra
90a9320f93
[Rule Tuning] Remove timestamp_override for endgame-* promotion rules ( #951 )
* remove timestamp_override from endgame promotion rules
* updated version.lock to previous state for endgame promotion rule changes
* fix incorrect year in updated_date
2021-02-17 13:48:57 -09:00
Justin Ibarra
61deed3fd2
[Rule Tuning] 7.11.2: Add timestamp_override to all query and non-sequence EQL rules ( #948 )
* [Rule Tuning] Add timestamp_override field to 7.11.0 rules
* Lock versions for 7.11.2 rules
2021-02-16 10:52:48 -09:00
Justin Ibarra
c1a0438f45
[Rule Tuning] Update ATT&CK threat mappings to reflect changes ( #706 )
* replaced/removed all revoked/deprecated techniques
* tests will fail on revoked (changed) techniques
* tests will fail on deprecated techniques
* tests will fail when techniques are mapped to an invalid tactic
2020-12-18 12:46:16 -09:00
Justin Ibarra
e272800a5d
Add ATT&CK sub-technique support to CLI ( #614 )
* Add Mitre sub-technique support to CLI
* Add subtechnique enum to schema
* Add test to prevent duplicative tactics in mapping
2020-12-08 21:56:55 -09:00
Justin Ibarra
97ee8cc9ac
Refresh beats and ecs schemas and default to use latest to validate ( #570 )
* Refresh beats and ecs schemas and default to use latest to validate
* remove incorrect ecs_version from zoom rule
* remove stale ecs_version from rules
2020-12-01 13:24:20 -09:00
seth-goodwin
2065af89b1
[Rule Tuning] Tag Categorization Updates ( #380 )
* Add new categorization tags
* Change updated_date to 2020/10/26
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>, @bm11100
2020-10-26 13:50:45 -05:00
Justin Ibarra
d3226c72c9
Add test for tactic in rule filename ( #398 )
2020-10-20 14:48:33 -08:00
Justin Ibarra
a212008f8c
[Rule Tuning] Remove event.module from rules for compatibility with agent integrations ( #342 )
2020-09-30 09:41:33 -08:00
Brent Murphy
8a5e0dd441
[New Rule] AWS Management Console Attempted Root Login Brute Force ( #88 )
* Create initial_access_root_console_failure_brute_force.toml
* bumping threshold value to 10
* Update rules/aws/initial_access_root_console_failure_brute_force.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/aws/initial_access_root_console_failure_brute_force.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update initial_access_root_console_failure_brute_force.toml
* Update rules/aws/initial_access_root_console_failure_brute_force.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update initial_access_root_console_failure_brute_force.toml
* update with FP info
* update threshold field
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-09-28 13:37:22 -04:00
Brent Murphy
6a1e97cd06
[Rule Tuning] Update AWS rules to account for Agent index ( #256 )
* Update AWS rules
* change updated date
2020-09-21 09:04:50 -04:00
Brent Murphy
70cc7fd112
[Rule Tuning] AWS Root Login Without MFA ( #229 )
* Update privilege_escalation_root_login_without_mfa.toml
* Update privilege_escalation_root_login_without_mfa.toml
* update index
* Update privilege_escalation_root_login_without_mfa.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-09-04 10:57:51 -04:00
Justin Ibarra
79a0dfefbe
Add ECS 1.6.0 schema for validation testing ( #220 )
* Add ecs 1.6.0 and refresh master ecs (2.0.0)
* update rule metadata to use ecs_version 1.6.0
2020-08-27 11:54:49 -05:00
Brent Murphy
01b1e8be26
[Rule Tuning] Update Tags for Cloud Rules ( #99 )
* [Rule Tuning] Update Tags for Cloud Rules
* commenting out specifying alphabetical tag order in rule formatter
* Update rule_formatter.py
* py lint
* Lint fix comments
* update modified dates
* Update credential_access_secretsmanager_getsecretvalue.toml
* adding Continuous Monitoring tag
* update tags
* fixed and in tags
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
2020-08-03 17:15:15 -04:00
Ross Wolf
978a8d9df8
[Bug] Set threshold.field to empty string instead of null ( #87 )
2020-07-22 19:31:09 -04:00
Brent Murphy
e08ff6c55d
[Rule Tuning] Update Cloud rules with note field ( #79 )
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
2020-07-21 12:27:42 -04:00
David French
4784342723
[New Rule] AWS IAM Brute Force of Assume Role Policy ( #67 )
* Create credential_access_aws_iam_assume_role_brute_force.toml
* Update maturity to production
* Update formatting for query
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rule name
* Update rules/aws/credential_access_aws_iam_assume_role_brute_force.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rule description
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update note field in rule
... to inform users that AWS Filebeat module must be enabled to use this rule.
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
* lint rule
* Update rules/aws/credential_access_aws_iam_assume_role_brute_force.toml
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
2020-07-20 12:43:26 -06:00
Samirbous
676be30199
[New rule] AWS Secrets Manager and System Manager
Co-authored-by: Seth Goodwin <58222969+seth-goodwin@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Co-authored-by: Craig Chamberlain <randomuserid@users.noreply.github.com>
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
2020-07-08 12:48:04 -06:00
Seth Goodwin
c577426510
Update Lookback Interval for AWS Rules
2020-07-08 08:50:01 -06:00
Ross Wolf
316be47e27
Rename AWS to aws
2020-07-08 08:43:30 -06:00
Craig Chamberlain
94974c3895
Detect DeleteRule events with AWS WAF Deletion
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: Seth Goodwin <58222969+seth-goodwin@users.noreply.github.com>
2020-07-07 15:44:11 -06:00
Craig Chamberlain
ee82874c24
[New Rule] AWS Config Service Tampering
Co-authored-by: Derek Ditch <dcode@users.noreply.github.com>
Co-authored-by: Seth Goodwin <58222969+seth-goodwin@users.noreply.github.com>
2020-07-07 15:43:22 -06:00
seth-goodwin
cae5fee025
[New Rule] Add AWS Password Recovery Requested
2020-07-07 15:38:52 -06:00
Seth Goodwin
8052a1ea1f
[New Rule] Add rule for AWS UpdateAssumeRolePolicy
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-07-07 15:38:18 -06:00
Seth Goodwin
c1a1cf6854
[New Rule] AWS Root Login Without MFA
Co-authored-by: Derek Ditch <dcode@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-07-07 15:07:17 -06:00
Ross Wolf
5fcece8416
Populate rules/ directory.
Co-Authored-By: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-Authored-By: Craig Chamberlain <randomuserid@users.noreply.github.com>
Co-Authored-By: David French <56409778+threat-punter@users.noreply.github.com>
Co-Authored-By: Derek Ditch <dcode@users.noreply.github.com>
Co-Authored-By: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-06-29 22:57:03 -06:00