578e86eeae
[Tuning] event.action and event.type change ( #3495 )
...
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Removed changes from:
- rules/linux/discovery_process_capabilities.toml
- rules/linux/privilege_escalation_enlightenment_window_manager.toml
- rules/linux/privilege_escalation_gdb_sys_ptrace_elevation.toml
- rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml
- rules/linux/privilege_escalation_suspicious_chown_fowner_elevation.toml
- rules/linux/privilege_escalation_suspicious_uid_guid_elevation.toml
- rules_building_block/discovery_capnetraw_capability.toml
- rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml
(selectively cherry picked from commit 9f8638a004
2024-03-13 09:16:15 +00:00
b1989a921b
[Security Content] Small tweaks on the setup guides ( #3308 )
...
* [Security Content] Small tweaks on the setup guides
* Additional Fixes
* Avoid touching deprecated rules
Removed changes from:
- rules/integrations/beaconing/command_and_control_beaconing.toml
- rules/integrations/beaconing/command_and_control_beaconing_high_confidence.toml
- rules/linux/discovery_process_capabilities.toml
- rules/linux/privilege_escalation_dac_permissions.toml
- rules/linux/privilege_escalation_enlightenment_window_manager.toml
- rules/linux/privilege_escalation_gdb_sys_ptrace_elevation.toml
- rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml
- rules/linux/privilege_escalation_suspicious_chown_fowner_elevation.toml
- rules/linux/privilege_escalation_suspicious_uid_guid_elevation.toml
- rules_building_block/discovery_capnetraw_capability.toml
- rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml
(selectively cherry picked from commit 458e67918a
2024-03-11 12:14:53 +00:00
a04dfbd1ef
[Tuning] Linux DR Tuning - Part 4 ( #3455 )
...
* [Tuning] Linux DR Tuning - Part 4
* Update defense_evasion_file_mod_writable_dir.toml
* Update defense_evasion_hidden_file_dir_tmp.toml
(cherry picked from commit 089e6671aa
2024-02-20 14:43:36 +00:00
9c271c6591
Enhance Setup Guide information ( #3256 )
...
(cherry picked from commit d52546eee5
2023-11-03 13:41:40 +00:00
60475f6aa0
Move Setup information into setup filed ( #3206 )
...
(cherry picked from commit 7254c582c5
2023-10-23 14:04:26 +00:00
95f45de9cc
Setup information for Linux Rules - Set4 ( #3179 )
...
(cherry picked from commit 25b527c149
2023-10-17 13:35:14 +00:00
063386829c
[Security Content] Include "Data Source: Elastic Defend" tag ( #3002 )
...
* win folder
* Other folders
* Update test_all_rules.py
* .
* updated missing elastic defend tags
---------
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co >
(cherry picked from commit 4233fef238
2023-09-05 18:28:40 +00:00
b4c84e8a40
[Security Content] Tags Reform ( #2725 )
...
* Update Tags
* Bump updated date separately to be easy to revert if needed
* Update resource_development_ml_linux_anomalous_compiler_activity.toml
* Apply changes from the discussion
* Update persistence_init_d_file_creation.toml
* Update defense_evasion_timestomp_sysmon.toml
* Update defense_evasion_application_removed_from_blocklist_in_google_workspace.toml
* Update missing Tactic tags
* Update unit tests to match new tags
* Add missing IG tags
* Delete okta_threat_detected_by_okta_threatinsight.toml
* Update command_and_control_google_drive_malicious_file_download.toml
* Update persistence_rc_script_creation.toml
* Mass bump
* Update persistence_shell_activity_by_web_server.toml
* .
---------
Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2023-06-22 18:38:56 -03:00
94baa89ea8
New Rule to identify defense evasion via PRoot ( #2625 )
2023-04-20 17:14:01 +05:30
Ruben Groenewoud