9482bda414
Adding related integrations to ML rules ( #2972 )
...
* Adding related integrations to ML rules
* added adjustments to determine related integrations for ML rules
* fixed lint errors
* Empty commit
* Empty commit
* Empty commit
---------
Co-authored-by: Apoorva Joshi <apoorvajoshi@Apoorvas-MBP.lan >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co >
Co-authored-by: Apoorva Joshi <apoorvajoshi@Apoorvas-MBP.fritz.box >
2023-08-22 14:39:18 -04:00
b4c84e8a40
[Security Content] Tags Reform ( #2725 )
...
* Update Tags
* Bump updated date separately to be easy to revert if needed
* Update resource_development_ml_linux_anomalous_compiler_activity.toml
* Apply changes from the discussion
* Update persistence_init_d_file_creation.toml
* Update defense_evasion_timestomp_sysmon.toml
* Update defense_evasion_application_removed_from_blocklist_in_google_workspace.toml
* Update missing Tactic tags
* Update unit tests to match new tags
* Add missing IG tags
* Delete okta_threat_detected_by_okta_threatinsight.toml
* Update command_and_control_google_drive_malicious_file_download.toml
* Update persistence_rc_script_creation.toml
* Mass bump
* Update persistence_shell_activity_by_web_server.toml
* .
---------
Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2023-06-22 18:38:56 -03:00
c60e1a61a9
Updating some rule names ( #2744 )
...
* Changing some rule names
* Updating the date
2023-04-25 09:01:06 -03:00
411ec36ff0
Validate markdown plugin fields ( #2602 )
2023-03-28 09:17:50 -04:00
38b8311482
[Security Content] Expand Abbreviated Tags ( #2414 )
...
* [Security Content] Expand Abbreviated Tags
* .
* Update privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.toml
* Apply suggestions from code review
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Revert changes to deprecated rules
* Bump updated_date
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
2023-03-06 17:37:52 -03:00
1a4510c9d4
[Security Content] Add Investigation Guides to Windows Rules - 2 ( #2534 )
...
* [Security Content] Add Investigation Guides to Windows Rules - 2
* tags
* Adjust some phrasing based on the review
* Update credential_access_bruteforce_admin_account.toml
* Missing Osquery Note
* Missing note
2023-03-01 21:23:09 -03:00
f17b6f1702
[Security Content] Fix verbiage used on Osquery Note ( #2513 )
...
* [Security Content] Fix verbiage used on Osquery Note
* Adjust verbiage
* date bump
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2023-02-22 12:33:23 -03:00
f8e97da549
Rule Tuning Update MITRE Details ( #2526 )
...
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
2023-02-10 23:05:28 +05:30
443478c8c0
[Rule Tuning] Rule Tunings to add T1078 technique and subtechniques ( #2530 )
...
- add sub-techniques and techniques
2023-02-08 11:18:13 -05:00
5575400ee9
[Security Content] Add Investigation Guides for ML rules ( #2405 )
...
* [Security Content] Add Investigation Guides for ML rules
* .
* Apply suggestions from code review
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Place the guide in the correct rule
* Update guides to address IG refactor, and address sugestions
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
2023-01-30 13:12:45 -03:00
0aa87d7f4a
[Rule Tuning] Unusual Process For a Linux Host ( #2445 )
...
* [Rule Tuning] Unusual Process For a Linux Host
* .
2023-01-23 21:03:29 -03:00
ac01718bb6
[Rule Tuning] Add tags to flag Sysmon-only rules & Modify Investigation Guide-related tag ( #2352 )
...
* [Rule Tuning] Add tags to flag Sysmon-only rules
* Modify tags
* Revert "Modify tags"
This reverts commit 3d9267d171a41f727bb499501d71d5c4db4f0434.
* Modify tags
* Update test_all_rules.py
* Update test_all_rules.py
* Update test_all_rules.py
* Update test_all_rules.py
* Update test_all_rules.py
2022-11-18 12:32:27 -03:00
4997f95300
[Rule Tuning] Link Elastic Security Labs content to compatible rules ( #2388 )
...
* added elastic security labs URL references
* Update rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml
Is not compatible with Windows blog.
* Update rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml
Is not compatible with Windows blog. Reverting updated date.
* Update rules/macos/credential_access_access_to_browser_credentials_procargs.toml
Is not compatible with Windows blog. Reverting updated date.
* Update rules/macos/credential_access_access_to_browser_credentials_procargs.toml
Is not compatible with Windows blog.
* Update rules/ml/execution_ml_windows_anomalous_script.toml
Is not compatible with Windows blog. Reverting updated date.
* Update rules/linux/credential_access_collection_sensitive_files.toml
Not compatible with Windows blog. Reverting updated date.
* Update rules/linux/credential_access_collection_sensitive_files.toml
Not compatible with Windows blog.
* added credential access URL for mimikatz rules
* updated version ml windows anomalous script rule
* removed change to macOS rule since no blog correlation
2022-11-07 15:17:49 -05:00
ec04a39413
[Security Content] Tag rules with robust Investigation Guides ( #2297 )
2022-09-23 14:20:32 -03:00
46d5e37b76
min_stack all rules to 8.3 ( #2259 )
...
* min_stack all rules to 8.3
* bump date
Co-authored-by: Mika Ayenson <mika.ayenson@elastic.co >
2022-08-24 10:38:49 -06:00
e8c39d19a7
[Rule Tuning] Missing MITRE ATT&CK Mappings ( #2073 )
...
* initial commit with eggshell mitre mapping added
* adding updated rules
* [Rule Tuning] MITRE for GCP rules
I've added Mitre references for the 4 GCP rules missing. Changed 3 of the rules from "Impact" to "Defense Evasion" based on the technique used and it's matched tactic.
* [Rule Tuning] Endgame Rule name updates for Mitre
Updated Endgame rule names for those with Mitre tactics to match the tactics.
* Update rules/integrations/aws/persistence_redshift_instance_creation.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/integrations/aws/exfiltration_rds_snapshot_restored.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* adding 10 updated rules for google_workspace, ml and o365
* adding 22 rule updates for mitre att&ck mappings
* adding 24 rule updates related mainly to ML rules
* adding 3 rules related to detection via ML
* adding adjustments
* adding adjustments with solutions to recent pytest errors
* removed tabs from tags
* adjusted mappings and added techniques
* adjusted endgame rule mappings per review
* adjusted names to match different tactics
* added execution and defense evasion tag
* adjustments to address errors from merging with main
* added newlines to rules missing them at the end of the file
Co-authored-by: imays11 <59296946+imays11@users.noreply.github.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
2022-07-22 14:30:34 -04:00
9a739b7e4c
Modifying rules assoc w/ deprecation of v2 ML jobs ( #1846 )
...
* modifying rules assoc w/ deprecation of v2 ML jobs
* modified updated_date field
* fixed machine_learning_job_id and added min_stack_version
* replacing rest of deprecated jobs with new naming convention
* Update ml_suspicious_login_activity.toml
* removing rules assoc w/ deprecated ML jobs
* Update rules/ml/ml_linux_anomalous_compiler_activity.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/ml/ml_linux_anomalous_compiler_activity.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* updated ml job rules to reflect 8.3 changes
* updating min_stack_version for ml detection rules
Co-authored-by: Craig Chamberlain <randomuserid@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Apoorva Joshi <30438249+ajosh0504@users.noreply.github.com >
2022-05-20 13:02:27 -07:00
1c50f35aed
[Security Content] Update rules based on docs review ( #1803 )
...
* Adds suggestions from security-docs
* Update rules/windows/lateral_movement_powershell_remoting_target.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2022-03-01 21:39:30 -03:00
72c64de3f5
[Rule tuning] Update rules based on docs review ( #1663 )
...
* [Rule tuning] Update rule verbiage based on docs review
* fix typos
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* revert TI rule changes since it was deprecated
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
2022-01-28 10:41:22 -09:00
5bdf70e72c
Add min_stack_comments to metadata schema ( #1573 )
...
* Add min_stack_comments to metadata schema
2021-10-19 20:52:53 -08:00
5e4a7e67df
[Rule Tuning] Small update on rule descriptions ( #1508 )
2021-09-30 12:54:15 -08:00
9ff3873ee7
[rule-tuning] Adding more context with triage/investigation ( #1481 )
...
* [rule-tuning] Adding more context with triage/investigation
* Adding mimikatz rule
* Fixed updated date on mimikatz rule
* Adding Defender update
* Adding scheduled task
* Adding AdFind
* Adding rare process
* Adding cloudtrail country
* Adding cloudtrail spike
* Adding threat intel
* Fixed minor spelling/syntax
* Fixed minor spelling/syntax p2
* Update rules/cross-platform/threat_intel_module_match.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/integrations/aws/ml_cloudtrail_error_message_spike.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/ml/ml_rare_process_by_host_windows.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/credential_access_mimikatz_powershell_module.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/credential_access_mimikatz_powershell_module.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/discovery_adfind_command_activity.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/discovery_adfind_command_activity.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/discovery_adfind_command_activity.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/discovery_adfind_command_activity.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/discovery_adfind_command_activity.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/discovery_adfind_command_activity.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Removed MITRE link, added Microsoft
* Update ml_cloudtrail_error_message_spike.toml
* Update ml_cloudtrail_rare_method_by_country.toml
* Update ml_rare_process_by_host_windows.toml
* Update credential_access_mimikatz_powershell_module.toml
* Update defense_evasion_defender_exclusion_via_powershell.toml
* Update discovery_adfind_command_activity.toml
* Update lateral_movement_dns_server_overflow.toml
* Update lateral_movement_scheduled_task_target.toml
* Update persistence_evasion_registry_startup_shell_folder_modified.toml
* Update defense_evasion_defender_exclusion_via_powershell.toml
* Update lateral_movement_scheduled_task_target.toml
* Update persistence_evasion_registry_startup_shell_folder_modified.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2021-09-15 20:07:21 -05:00
51a2bc815b
[Rule tuning] Fix typo in ML rule descriptions ( #1484 )
2021-09-14 11:37:01 -05:00
655f7d91d0
[Rule tuning] Fix spacing in reference URLs ( #1455 )
2021-08-31 15:59:06 -08:00
ddec37b731
Fix typos discovered by codespell ( #1430 )
2021-08-14 20:29:10 -08:00
f8f643041a
[Rule tuning] Revise rule description and other text ( #1398 )
2021-08-03 13:07:47 -08:00
1882f4456c
[Fleet] Track integrations in folder and metadata ( #1372 )
...
* Track integrations in folder and metadata
* Remove duplicate entry
* Update note and tests
2021-07-21 15:24:56 -06:00
c82e89ad34
Add min_stack_version to 7.14+ only rules ( #1321 )
2021-07-06 13:42:09 -06:00
e41fe620e6
[New Rule] Add detection rules for auth ML jobs ( #1283 )
...
* Adding detection rules for auth ML jobs
* name prefix
added the prefix "auth" to the file names
* Added descriptions
* Adding new lines and updating license
* FP text
added FP metadata
Co-authored-by: Craig <mailredirector36@gmail.com >
2021-06-16 16:00:17 -07:00
e0fa25ae8e
Fix rules which were note using v2 license ( #1291 )
2021-06-16 08:21:30 -06:00
49cb2e8dbf
[Bug] Fix ML job IDs that used hyphens ( #1287 )
...
* Fix ML job IDs that used hyphens
* Update ml_high_count_network_denies.toml
* Update ml_spike_in_traffic_to_a_country.toml
* Set updated_date
2021-06-15 11:40:47 -06:00
1f7c88c6f4
Updating rules to query v2 ( #1254 )
...
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
2021-06-15 07:20:50 -07:00
6ef5c53b0c
Cleanup note field in rules ( #1194 )
...
* standardize usage of note field
2021-05-10 13:40:56 -08:00
3876ef3a37
Adjust loopback for Cloudtrail ( #1103 )
...
* #1092 adjusting loopback for cloudtrail
* refactored time interval, adjusted updated_date
* reverting bucket interval back to 15m
2021-04-13 13:58:13 -04:00
0095a80014
Network rules for the 7.13 release ( #1087 )
...
* Adding network rules for the 7.13 release
* Adding rule guids
* Update rules/ml/ml_high_count_network_denies.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
* Update rules/ml/ml_rare_destination_country.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
* Update rules/ml/ml_rare_destination_country.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
* Update rules/ml/ml_rare_destination_country.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
* Update rules/ml/ml_high_count_network_events.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
* Update rules/ml/ml_spike_in_traffic_to_a_country.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
* Minor changes
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
2021-04-08 09:34:47 -07:00
3fc34b86f2
Update License to Elastic v2 ( #944 )
2021-03-03 22:12:11 -09:00
c1a0438f45
[Rule Tuning] Update ATT&CK threat mappings to reflect changes ( #706 )
...
* replaced/removed all revoked/deprecated techniques
* tests will fail on revoked (changed) techniques
* tests will fail on deprecated techniques
* tests will fail when techniques are mapped to an invalid tactic
2020-12-18 12:46:16 -09:00
97ee8cc9ac
Refresh beats and ecs schemas and default to use latest to validate ( #570 )
...
* Refresh beats and ecs schemas and default to use latest to validate
* remove incorrect ecs_version from zoom rule
* remove stale ecs_version from rules
2020-12-01 13:24:20 -09:00
580db2c13e
Add timeline_id to detection rules ( #95 )
...
* Adds timeline_id to all network rules
- Uses the ID for the 'Generic Network Timeline' from Elastic
* Adds timeline_id to all endpoint rules
- Uses the ID for the 'Generic Endpoint Timeline' from Elastic
* Adds timeline_id to all process-oriented rules
- Uses the ID for the 'Generic Process Timeline' from Elastic
* Ran tests and toml-lint
* Bumped 'updated_date'
2020-10-27 13:34:16 -05:00
2065af89b1
[Rule Tuning] Tag Categorization Updates ( #380 )
...
* Add new categorization tags
* Change updated_date to 2020/10/26
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >, @bm11100
2020-10-26 13:50:45 -05:00
2e422f7159
[Rule Tuning] Minor Rule Tweaks for 7.10 ( #400 )
...
* Tweak Rules for 7.10
* Add endpoint index for packetbeat rules
* update unit test to account for Network tag as well
* update modified date, add endpoint tag
* use Host instead of Endpoint
* Update packaging.py
* add v back to changelog url
* Add "tag" comment to get_markdown_rule_info
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
2020-10-22 09:07:04 -04:00
a7dee682cc
Add Tags to Unusual Sudo Activity Rule ( #340 )
...
* Update ml_linux_anomalous_sudo_activity.toml
added T1548
* Update ml_linux_anomalous_sudo_activity.toml
* Update ml_linux_anomalous_sudo_activity.toml
2020-09-28 16:07:41 -04:00
0affb48b07
[New Rule] Unusual User Calling the Metadata Service [Linux] ( #327 )
...
* Create ml_linux_anomalous_metadata_user.toml
rule create
* Update rules/ml/ml_linux_anomalous_metadata_user.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update ml_linux_anomalous_metadata_user.toml
* Update ml_linux_anomalous_metadata_user.toml
* Update rules/ml/ml_linux_anomalous_metadata_user.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2020-09-28 12:13:06 -04:00
746c175669
[New Rule] Unusual User Calling the Metadata Service [Windows] ( #328 )
...
* Create ml_windows_anomalous_metadata_user.toml
* Update ml_windows_anomalous_metadata_user.toml
* Update rules/ml/ml_windows_anomalous_metadata_user.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update ml_windows_anomalous_metadata_user.toml
* Update rules/ml/ml_windows_anomalous_metadata_user.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2020-09-28 12:09:14 -04:00
4473f6d8f3
[New Rule] Unusual Sudo Activity ( #263 )
...
* Create ml_linux_anomalous_sudo_activity.toml
rule to accompany the unusual sudo activity job
* Update ml_linux_anomalous_sudo_activity.toml
added fp field
* Update ml_linux_anomalous_sudo_activity.toml
* Update ml_linux_anomalous_sudo_activity.toml
linting
* Update ml_linux_anomalous_sudo_activity.toml
* Update ml_linux_anomalous_sudo_activity.toml
* Update rules/ml/ml_linux_anomalous_sudo_activity.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update ml_linux_anomalous_sudo_activity.toml
* Update ml_linux_anomalous_sudo_activity.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2020-09-24 14:55:33 -04:00
e39d857a11
[New Rule] Unusual Linux System Network Configuration Discovery ( #265 )
...
* Create ml_linux_system_network_configuration_discovery.toml
ML rule to accompany the network configuration discovery job
* Update ml_linux_system_network_configuration_discovery.toml
added fp field
* Update ml_linux_system_network_configuration_discovery.toml
* Update ml_linux_system_network_configuration_discovery.toml
linting
* Update ml_linux_system_network_configuration_discovery.toml
* Update ml_linux_system_network_configuration_discovery.toml
* Update rules/ml/ml_linux_system_network_configuration_discovery.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2020-09-24 09:07:34 -04:00
065bcd8018
Refresh ATT&CK data to v7.2 and expand threat validation ( #330 )
...
* refresh to latest ATT&CK 7.2
* add new unit test to further validate threat mappings
* updated threat mappings in rules to reflect changes
* new func to download and refresh mitre data based on version
2020-09-23 22:03:29 -08:00
1e43896cf1
[New Rule] Unusual Process Calling the Metadata Service [Windows] ( #323 )
...
* Create ml_windows_anomalous_metadata_process.toml
rule create
* Update rules/ml/ml_windows_anomalous_metadata_process.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update ml_windows_anomalous_metadata_process.toml
* Update ml_windows_anomalous_metadata_process.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2020-09-23 15:50:43 -04:00
dd65dad9dc
[New Rule] Unusual Process Calling the Metadata Service [Linux] ( #321 )
...
* Create ml_linux_anomalous_metadata_process.toml
rule creation
* Update rules/ml/ml_linux_anomalous_metadata_process.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update ml_linux_anomalous_metadata_process.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2020-09-23 15:29:48 -04:00
baefaeeaff
[New Rule] Unusual Linux Network Connection Discovery ( #266 )
...
* Create ml_linux_system_network_connection_discovery.toml
ML rule to accompany the unsual network connection discovery job
* Update ml_linux_system_network_connection_discovery.toml
set author
* Update ml_linux_system_network_connection_discovery.toml
added fasle positve field
* Update ml_linux_system_network_connection_discovery.toml
* Update ml_linux_system_network_connection_discovery.toml
linting
* Update rules/ml/ml_linux_system_network_connection_discovery.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update ml_linux_system_network_connection_discovery.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2020-09-22 16:27:17 -04:00
Apoorva Joshi