9017653e37
[Rule Tuning] Linux DR Tuning - Part 1 ( #3316 )
...
* [Rule Tuning] Linux DR Tuning - Part 1
* fix
* Update command_and_control_linux_kworker_netcon.toml
* Update defense_evasion_binary_copied_to_suspicious_directory.toml
* Update defense_evasion_file_mod_writable_dir.toml
(cherry picked from commit b533642272
2024-01-08 08:55:30 +00:00
e22cc8030e
[Rule Tuning] Windows DR Tuning - 9 ( #3354 )
...
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit 724e34ba95
2024-01-07 12:56:40 +00:00
92ed682a51
[Tuning] Update min_stack for container rules new ecs field ( #3370 )
...
* Update privilege_escalation_mount_launched_inside_a_privileged_container.toml
update min_stack and comments
* Update privilege_escalation_debugfs_launched_inside_a_privileged_container.toml
update min_stack and comments
(cherry picked from commit a0f82c3f12
2024-01-05 23:47:45 +00:00
d7cc37993d
[New Rule] File System Debugger ‘debugfs’ Launched Inside a Privileged Container ( #3241 )
...
* [New Rule] File System Debugger ‘debugfs’ Launched Inside a Privileged Container
This rule detects the use of the built-in Linux DebugFS utility from inside a privileged container. DebugFS is a special
file system debugging utility which supports reading and writing directly from a hard drive device. When launched inside
a privileged container, a container deployed with all the capabilities of the host machine, an attacker can access
sensitive host level files which could be used for further privilege escalation and container escapes to the host
machine.
* added references
* Apply suggestions from code review
* Update rules/integrations/cloud_defend/privilege_escalation_debugfs_launched_inside_a_privileged_container.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Apply suggestions from code review
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
(cherry picked from commit 10b241dcc5
2024-01-05 15:33:31 +00:00
4638fae505
[New Rule] Mount Launched Inside a Privileged Container ( #3245 )
...
* [New Rule] Mount Launched Inside a Privileged Container
This rule detects the use of the mount utility from inside a privileged container. The mount command is used to make a
device or file system accessible to the system, and then to connect its root directory to a specified mount point on the
local file system. When launched inside a privileged container--a container deployed with all the capabilities of the
host machine-- an attacker can access sensitive host level files which could be used for further privilege escalation
and container escapes to the host machine. Any usage of mount inside a running privileged container should be further
investigated.
* Apply suggestions from code review
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
(cherry picked from commit db5e1e5cf2
2024-01-05 15:22:59 +00:00
ad85cd74a7
[New Rule] Potential Container Escape via Modified notify_on_release File ( #3244 )
...
* [New Rule] Potential Container Escape via Modified notify_on_release File
This rule detects modification of the cgroup notify_on_release file from inside a container. When the notify_on_release
flag is enabled (1) in a cgroup, then whenever the last task in the cgroup exits or attaches to another cgroup, the
command specified in the release_agent file is run and invoked from the host. A privileged container with SYS_ADMIN
capabilities, enables a threat actor to mount a cgroup directory and modify the notify_on_release flag in order to take
advantage of this feature, which could be used for further privilege escalation and container escapes to the host
machine.
* Apply suggestions from code review
* suggestions from code review
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit 8e1dad0aeb
2024-01-05 03:19:42 +00:00
5b4a8172f6
[New Rule] Potential Container Escape via Modified release_agent File ( #3242 )
...
* [New Rule] Potential Container Escape via Modified release_agent File
This rule detects modification of the CGroup release_agent file from inside a privileged container. The release_agent is a script that is executed at the termination of any process on that CGroup and is invoked from the host. A privileged container with SYS_ADMIN capabilities, enables a threat actor to mount a CGroup directory and modify the release_agent which could be used for further privilege escalation and container escapes to the host machine.
* Apply suggestions from code review
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit 0a37df713b
2024-01-05 02:30:11 +00:00
0ce0bab466
[Rule Tuning] Windows DR Tuning - 8 ( #3353 )
...
* [Rule Tuning] Windows DR Tuning - 8
* Update rules/windows/defense_evasion_unusual_system_vp_child_program.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Update rules/windows/defense_evasion_via_filter_manager.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Update rules/windows/defense_evasion_via_filter_manager.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit 7b1215ccf1
2024-01-03 15:05:43 +00:00
0033527145
[New] Potential Evasion via Windows Filtering Platform ( #3356 )
...
* Create defense_evasion_windows_filtering_platform.toml
* Update defense_evasion_windows_filtering_platform.toml
* Update defense_evasion_windows_filtering_platform.toml
* Update defense_evasion_windows_filtering_platform.toml
* Update defense_evasion_windows_filtering_platform.toml
* Update rules/windows/defense_evasion_windows_filtering_platform.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update defense_evasion_windows_filtering_platform.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
(cherry picked from commit b7e21d8c29
2024-01-03 12:55:24 +00:00
0acd802bd0
deprecating 'Malicious Remote File Creation' ( #3342 )
...
(cherry picked from commit 7e85854e7b
2023-12-20 13:55:44 +00:00
87f8e053ba
[Deprecate] Potential Process Herpaderping Attempt ( #3336 )
...
* Update and rename defense_evasion_potential_processherpaderping.toml to defense_evasion_potential_processherpaderping.toml
* Rename defense_evasion_potential_processherpaderping.toml to defense_evasion_potential_processherpaderping.toml
* ++
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit 341499a2bc
2023-12-19 21:05:02 +00:00
4c5b7548a1
[Security Content] Add Windows Investigation Guides ( #3257 )
...
* [Security Content] Add Windows Investigation Guides
* Apply suggestions from code review
Co-authored-by: Joe Peeples <joe.peeples@elastic.co >
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Joe Peeples <joe.peeples@elastic.co >
(cherry picked from commit 578936d37a
2023-12-19 15:44:04 +00:00
51c4e5b413
[Rule Tuning] Windows DR Tuning - 7 ( #3344 )
...
* [Rule Tuning] Windows Rule Tuning -1
* Update command_and_control_ingress_transfer_bits.toml
(cherry picked from commit 2f468ddcba
2023-12-18 17:33:00 +00:00
42fdcbef3e
[Security Content] Add Investigation Guides to Linux C2 Rules ( #3247 )
...
* [Security Content] Add Investigation Guides to Linux C2 Rules
* Applied feedback
(cherry picked from commit 91a757a018
2023-12-18 16:07:52 +00:00
89188034ce
[Rule Tuning] Adjust Attempt to Deactivate MFA for an Okta User Account Okta Rule ( #3345 )
...
* tuning 'MFA Deactivation with no Re-Activation for Okta User Account'
* adjusted query to include like function
(cherry picked from commit 203c228249
2023-12-18 14:19:17 +00:00
dae8e76cd4
[Tuning & New Rule] Linux Reverse Shell & DR Tuning ( #3254 )
...
* [Rule Tuning & New Rule] Linux Reverse Shell
* [Tuning & New Rule] Linux Reverse Shells
* Name change
* Update rules/linux/execution_shell_via_child_tcp_utility_linux.toml
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
* Update execution_shell_via_child_tcp_utility_linux.toml
* Update execution_shell_via_background_process.toml
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
(cherry picked from commit 84824c67fd
2023-12-18 08:41:34 +00:00
ea6a0bec59
[Tuning] Suspicious Script Object Execution ( #3339 )
...
* Update defense_evasion_suspicious_scrobj_load.toml
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
(cherry picked from commit 4b183be124
2023-12-14 23:54:57 +00:00
389ac555e2
[Tuning] Remote Scheduled Task Creation ( #3337 )
...
* Update non-ecs-schema.json
* add timestamp override
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
(cherry picked from commit 07b952b7bc
2023-12-14 23:45:08 +00:00
74fadb8278
[Rule Tuning] Optimize query for Installation of Custom Shim Databases ( #3331 )
...
* [Rule Tuning] Optimize query for Installation of Custom Shim Databases
* add timestamp override
* update query exceptions
* tighten endpoint index pattern to registry
---------
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
(cherry picked from commit aff7f37b92
2023-12-14 22:09:21 +00:00
7ffbf19e86
[Rule Tuning] Optimize query for Direct Outbound SMB Connection ( #3329 )
...
* [Rule Tuning] Optimize query for Direct Outbound SMB Connection
---------
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
(cherry picked from commit a7b9a61942
2023-12-14 18:26:56 +00:00
6e82ddd307
[Tuning] Suspicious Managed Code Hosting Process ( #3338 )
...
* Update defense_evasion_suspicious_managedcode_host_process.toml
* Update defense_evasion_suspicious_managedcode_host_process.toml
(cherry picked from commit 8b2aed4fc0
2023-12-14 17:57:16 +00:00
362b3291a9
[Tuning] Multiple Logon Failure Followed by Logon Success ( #3340 )
...
* Update credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml
* Update credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml
(cherry picked from commit 727c23e3d2
2023-12-14 17:46:15 +00:00
d5e7f2c958
[Rule Tuning] Account Password Reset Remotely ( #3335 )
...
* [Rule Tuning] Account Password Reset Remotely
- reduced maxspan from 5 to 1m (automated pwd reset)
- excluded most common noisy winlog.event_data.TargetUserName patterns (service account dedicated for pwd reset en masse)
* Update persistence_remote_password_reset.toml
(cherry picked from commit 7a4f1224dc
2023-12-14 17:27:33 +00:00
1f15003bd1
Update Advanced Analytics config guides ( #3302 )
...
* Updating config guides for Advanced Analytics rules
* More updates
* Update setup instructions for LMD
* Adding more guides
* update TestRuleTiming unit test to ignore advanced analytic rules
* fixed flake error
* Moving config guides under setup instead of note
* Removing leading and trailing whitespace
* Updates as requested by PM
* Updating related integrations, minor updates to setup guides
* fixing unit tests to ignore analytic packages with multiple integration tags
* Update tests/test_all_rules.py
* fixing linting errors
---------
Co-authored-by: Kirti Kirti <kirti.kirti@elastic.co >
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit 9a9f5437f2
2023-12-13 15:58:46 +00:00
73e65e14c6
updating min-stack for Okta rule ( #3318 )
...
(cherry picked from commit 631f8841ad
2023-12-12 17:32:32 +00:00
7b7ca3fdc9
[New Rule] Adding Detection for Stolen Credentials Used to Login to Okta Account After MFA Reset ( #3265 )
...
* adding new rule 'Stolen Credentials Used to Login to Okta Account After MFA Reset'
* updated non-ecs; linted rule; updated description
* adjusted interval and maxspan
* Update rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
(cherry picked from commit 93d71acb91
2023-12-12 15:37:32 +00:00
f3d2a73f26
[Rule Tuning] Windows DR Tuning - 6 ( #3246 )
...
* [Rule Tuning] Windows DR Tuning - 6
* Update defense_evasion_masquerading_as_elastic_endpoint_process.toml
* Update defense_evasion_network_connection_from_windows_binary.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
(cherry picked from commit 6f4c323929
2023-12-12 14:43:21 +00:00
7c4a827fb8
[Security Content] Add Investigation Guides to Linux Persistence Rules - 1 ( #3288 )
...
* [Security Content] Add IGs to Persistence Rules
* Cleaned query
* IG description fix
* Added related rules
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit 6c614eb102
2023-12-11 12:58:41 +00:00
094f3ead92
[Security Content] Introduce Investigate Plugin in Investigation Guides ( #3080 )
...
* [Security Content] Introduce Investigate Plugin in Investigation Guides
* Add compatibility note
* Update Transform format
* update transform unit tests for investigate
* updated docs with transform
---------
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com >
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
(cherry picked from commit aeb1f91320
2023-12-08 18:59:53 +00:00
98fe04217b
[Security Content] Add Windows Investigation Guides ( #3095 )
...
* [Security Content] Add Windows Investigation Guides
* Update defense_evasion_rundll32_no_arguments.toml
* Update persistence_suspicious_image_load_scheduled_task_ms_office.toml
* Update privilege_escalation_posh_token_impersonation.toml
* Apply suggestions from code review
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Update execution_ms_office_written_file.toml
* Update persistence_suspicious_image_load_scheduled_task_ms_office.toml
* Update rules/windows/defense_evasion_rundll32_no_arguments.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/windows/defense_evasion_wsl_enabled_via_dism.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/windows/defense_evasion_wsl_enabled_via_dism.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/windows/defense_evasion_wsl_registry_modification.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/windows/defense_evasion_wsl_registry_modification.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/windows/execution_ms_office_written_file.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/windows/persistence_via_wmi_stdregprov_run_services.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update privilege_escalation_posh_token_impersonation.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
(cherry picked from commit eb7c5f6717
2023-12-08 14:36:22 +00:00
ab0c5154a2
[New Rule] Suspicious File Creation via Kworker ( #3237 )
...
* [New Rule] Suspicious File Creation via Kworker
* Update rules/linux/persistence_kworker_file_creation.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
(cherry picked from commit 840958d117
2023-12-07 22:06:53 +00:00
07c235988f
[New Rule] UID Elevation from Unknown Executable ( #3239 )
...
* [New Rule] UID Elevation from Unknown Executable
* type change
* bump min stack
* Added additional exclusions
* Update rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
(cherry picked from commit 9c61231dc6
2023-12-07 21:30:05 +00:00
39c81d157b
[New Rule] Suspicious Kworker UID Elevation ( #3238 )
...
* [New Rule] Suspicious Kworker UID Elevation
* Update privilege_escalation_kworker_uid_elevation.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
(cherry picked from commit 1071b12f00
2023-12-07 20:04:07 +00:00
315e5e9bca
[New] Rare SMB Connection to the Internet ( #3300 )
...
* Create exfiltration_smb_rare_destination.toml
* Update exfiltration_smb_rare_destination.toml
* Update exfiltration_smb_rare_destination.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
(cherry picked from commit 7070eb3b34
2023-12-07 16:15:40 +00:00
67449e26a5
[Rule Tuning] UEBA new_terms process_executable ( #3268 )
...
* [Rule Tuning] UEBA new_terms process_executable
* Update rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
(cherry picked from commit 1647a16fab
2023-12-07 15:43:09 +00:00
6c28ba53ad
[Tuning] Small Linux DR Tuning ( #3287 )
...
(cherry picked from commit 38862b89e9
2023-12-07 11:50:11 +00:00
1ae2cdeca5
[New] Process Created with a Duplicated Token ( #3152 )
...
* [New] Process Created with a Duplicated Token
using `process.Ext.effective_parent.executable` to detect impersonation using token duplicates from windows native binaries to run common lolbins or recently dropped unsigned ones :
* Update privilege_escalation_create_process_with_token_unpriv.toml
* Update privilege_escalation_create_process_with_token_unpriv.toml
* Update rules/windows/privilege_escalation_create_process_with_token_unpriv.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update privilege_escalation_create_process_with_token_unpriv.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
(cherry picked from commit 7488c60090
2023-12-07 11:25:37 +00:00
3d40a09531
Fix syntax error in query ( #3285 )
...
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
(cherry picked from commit a4ad0b6a24
2023-12-07 10:54:00 +00:00
f128070ae5
[Rule Tuning] Multiple Users with the Same Okta Device Token Hash ( #3304 )
...
* tuning rule; adding investigation guide
* updated MITRE ATT&CK
* updated file name
* Updating description
* updated investigation guide
* fixed ATT&CK mappings; updated tags
(cherry picked from commit 5e1546c57c
2023-12-06 15:41:15 +00:00
8e6a01e9ee
[Rule Tuning] Windows DR Tuning - 5 ( #3229 )
...
* [Rule Tuning] Windows DR Tuning - 5
* .
* Revert changes BehaviorOnFailedVerify
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
(cherry picked from commit e5d676797e
2023-12-05 22:25:53 +00:00
f931ba4ef6
[New] Interactive Logon by an Unusual Process ( #3299 )
...
* Create privilege_escalation_make_token_local.toml
* Update privilege_escalation_make_token_local.toml
* Update privilege_escalation_make_token_local.toml
(cherry picked from commit e6df245ff3
2023-12-05 17:39:36 +00:00
7a383770bc
[New Rule] Okta FastPass Phishing ( #2782 )
...
* Create initial_access_fastpass_phishing.toml
* Rename initial_access_fastpass_phishing.toml to initial_access_okta_fastpass_phishing.toml
* Update initial_access_okta_fastpass_phishing.toml
* Update initial_access_okta_fastpass_phishing.toml
* Update initial_access_okta_fastpass_phishing.toml
* Update initial_access_okta_fastpass_phishing.toml
* Update initial_access_okta_fastpass_phishing.toml
* Update initial_access_okta_fastpass_phishing.toml
* Update initial_access_okta_fastpass_phishing.toml
* Update initial_access_okta_fastpass_phishing.toml
* Update initial_access_okta_fastpass_phishing.toml
* Update initial_access_okta_fastpass_phishing.toml
* Update initial_access_okta_fastpass_phishing.toml
* Update initial_access_okta_fastpass_phishing.toml
* Update rules/integrations/okta/initial_access_okta_fastpass_phishing.toml
* Update rules/integrations/okta/initial_access_okta_fastpass_phishing.toml
* Update rules/integrations/okta/initial_access_okta_fastpass_phishing.toml
* Update rules/integrations/okta/initial_access_okta_fastpass_phishing.toml
* Update rules/integrations/okta/initial_access_okta_fastpass_phishing.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
(cherry picked from commit 1f47e3c1a9
2023-11-28 14:31:33 +00:00
e1e8b12f26
[New Rule] Okta MFA Bombing Attempt ( #3278 )
...
* new rule 'Potential Okta MFA Bombing via Push Notifications'
* updated naming
* TOML lint
* adjusted duplicate rule ID
* added event category override; added until sequence statement
* added verify authentication success
* moved setup to separate field
* enhanced query optimization
(cherry picked from commit e6fef85899
2023-11-28 14:21:18 +00:00
23ef78cb60
[New Rule] Adding Detection for Multiple Okta Users with the Same Device Token Hash ( #3267 )
...
* added new rule 'Multiple Okta Users with the Same Device Token Hash'
* moved rule to okta integration folder
* adjusted query to be optimized
* added false positive comment
* Update rules/integrations/okta/initial_access_multiple_active_users_from_single_device.toml
(cherry picked from commit 69cb2f6fc6
2023-11-28 00:28:48 +00:00
c8e4d378ff
[New Rule] Threshold Detections for Okta User Sessions and Client Addresses ( #3263 )
...
* new Okta threshold rules for client addresses and sessions
* adjusting references
* Update rules/integrations/okta/initial_access_multiple_client_addresses_with_single_okta_session.toml
* Update rules/integrations/okta/initial_access_multiple_client_addresses_with_single_okta_session.toml
* Update rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml
* Update rules/integrations/okta/initial_access_multiple_client_addresses_with_single_okta_session.toml
* Update rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Update rules/integrations/okta/initial_access_multiple_client_addresses_with_single_okta_session.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Update rules/integrations/okta/initial_access_multiple_client_addresses_with_single_okta_session.toml
* Update rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml
* Update rules/integrations/okta/initial_access_multiple_client_addresses_with_single_okta_session.toml
* Update rules/integrations/okta/initial_access_multiple_client_addresses_with_single_okta_session.toml
* Update rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml
* Update rules/integrations/okta/initial_access_multiple_client_addresses_with_single_okta_session.toml
* Update rules/integrations/okta/initial_access_multiple_client_addresses_with_single_okta_session.toml
* Update rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit 0578bd4caa
2023-11-28 00:07:58 +00:00
fdeeb7bc67
[New Rule] Detection for Okta Sign-In Events via Third-Party IdP ( #3259 )
...
* adding new rule 'Okta Sign-In Events via Third-Party IdP'
* fix creation date
* fixed query efficiency
* added investigation guide
* Update rules/integrations/okta/initial_access_sign_in_events_via_third_party_idp.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit 8eeb95f545
2023-11-27 23:36:25 +00:00
4d5b8c6f2d
adding new rule 'New Okta Identity Provider (IdP) Added by Admin' ( #3258 )
...
(cherry picked from commit 73288af642
2023-11-27 23:11:58 +00:00
3808d01776
[New Rule] Adding Detection for First Occurrence of Okta User Session Started via Proxy ( #3261 )
...
* new rule 'First Occurrence of Okta User Session Started via Proxy'
* Update rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml
* Update rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml
* Update rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml
* Update rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml
(cherry picked from commit 8321cfe018
2023-11-27 22:55:16 +00:00
a6b6f9279f
[New Rule] Adding Detection for New Okta Authentication Behavior ( #3260 )
...
* new rule 'New Okta Authentication Behavior Detected'
* Update rules/integrations/okta/initial_access_new_authentication_behavior_detection.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit f19506f3a2
2023-11-27 22:44:18 +00:00
d171b9a442
[New] First Time Seen NewCredentials Lgon Process ( #3276 )
...
* Create privilege_escalation_newcreds_logon_rare_process.toml
* Update privilege_escalation_newcreds_logon_rare_process.toml
* Update privilege_escalation_newcreds_logon_rare_process.toml
* Update privilege_escalation_newcreds_logon_rare_process.toml
* Update rules/windows/privilege_escalation_newcreds_logon_rare_process.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit 88f752bf8b
2023-11-27 18:42:41 +00:00
Ruben Groenewoud