* initial commit with changes to new terms validation
* adjusted validation to call KQLValidator for flattened ECS variable
* changed call to KQLValidator instead of super; validate from same variable
* removed testing rules
* removed commented line
* Version() called on all string versions prior to comparison logic
* adjusted assert error punctuation
* [Rule Tuning] Multiple Alerts in Different ATT&CK Tactics on a Single Host
* Update non-ecs-schema.json
* Remove duplicated value on non-ecs-schema.json
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
* adding support new_terms_fields and window_start_history
* adjusted rule.py to address flake errors
* added assertion error if history_window_start does not exist
* removed sample rule
* removed self.rule_id from DataValidator
* added new_terms to RuleType
* changed new terms to its own class in rule.py
* removed nonexisting function call in DataValidator class
* adjusted new_terms field value in dataclass
* changed literal type for history_window_start; view-rule working
* removing test TOML rule
* addressed flake errors for missing newlines
* added validation option and adjusted object referencing
* adjusted validation method call in post_validation
* addressed flake errors for multiple spaces
* added transform method to NewTermsRuleData class
* added validation for min stack version and new terms array length restraints
* added validation for unique new terms array
* Update detection_rules/rule.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
* removed historywindowstart definition and adjusted subclass
* removed test rule from commit
* adjusted if/else for data transform method check
* adjusted stack-schema-map; validation method name
* Update detection_rules/rule.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
* added assertion for history_window_start field value
* added variables for feature min stack and extended field min stack
* Update detection_rules/rule.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
* Update detection_rules/rule.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
* addressed flake errors for continuation line with same indent
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
* Update privilege_escalation_shadow_file_read.toml
description update, name update, query update, tags update, MITRE update
* Update privilege_escalation_shadow_file_read.toml
edited order of MITRE
* changed file name to match credential_access as primary tactic
changed file name to match credential_access as primary tactic
* excluded common executables, not related to "read", based on telemetry
excluded common executables, not related to "read", based on telemetry
* update cred access reference MITRE
* toml-lint file for final validation
* Rename credential_access_shadow_file_access.toml to privilege_escalation_shadow_file_access.toml
revert name back to privilege_escalation...
* Rename privilege_escalation_shadow_file_access.toml to privilege_escalation_shadow_file_read.toml
* update update_date
* Changed primary tactic back to privilege_escalation to match rule name
Changed primary tactic back to privilege_escalation to match rule name
limit the query to suspicious KEYCREDENTIALLINK_BLOB value length to 828 `DN-Binary data: B:<char count>:<binary value>:<object DN>` which matches on the add of a keycredential structure using public offensive tooling and avoid FPs (Azure, CredGuard and others).
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Create defense_evasion_masquerading_space_after_filename.toml
new rule toml
* Update defense_evasion_masquerading_space_after_filename.toml
toml-lint the file
* Moved to cross-platform folder
moved to cross-platform folder
* update query to specify OS
added filter for host OS to query ```host.os.type:("linux","macos")```
* Update rule query: regex and process.executable
update rule query to use regex instead of wildcards and alert on process.executable instead of process.args and process.name to reduce noise.
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.toml
Deprecating this rule due to high false positive rate. This behavior is too generic for an effective malicious behavior detection.
* move toml file to _deprecated
move toml file to _deprecated
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* added elastic security labs URL references
* Update rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml
Is not compatible with Windows blog.
* Update rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml
Is not compatible with Windows blog. Reverting updated date.
* Update rules/macos/credential_access_access_to_browser_credentials_procargs.toml
Is not compatible with Windows blog. Reverting updated date.
* Update rules/macos/credential_access_access_to_browser_credentials_procargs.toml
Is not compatible with Windows blog.
* Update rules/ml/execution_ml_windows_anomalous_script.toml
Is not compatible with Windows blog. Reverting updated date.
* Update rules/linux/credential_access_collection_sensitive_files.toml
Not compatible with Windows blog. Reverting updated date.
* Update rules/linux/credential_access_collection_sensitive_files.toml
Not compatible with Windows blog.
* added credential access URL for mimikatz rules
* updated version ml windows anomalous script rule
* removed change to macOS rule since no blog correlation
* adjusted query to include event action and network direction filters
* adjusted rule name and file name
* toml linted and tags updated
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
rule tune: update by adding MITRE tactic/technique/subtechnique : Initial Access>Valid Accounts>Local Accounts. Added new tag for new tactic : Initial Access
* [Rule Tuning] Kubernetes Rules adds Mitre Execution-Deploy Container
This adds the following attacker threat and technique to each of these rules. Execute.Deploy Container
* updated_date
update the updated_date fields
* add "Windows Azure Linux Agent"'s pid file to list
https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/agent-linux
this tool is default installed on azure linux hosts, can resolve my problem as an exception and have but the tool is common enough in cloud environments that it deserves inclusion.
* Update execution_abnormal_process_id_file_created.toml
* Update rules/linux/execution_abnormal_process_id_file_created.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Jonhnathan
