Commit Graph

362 Commits

Author SHA1 Message Date
shashank-elastic 3966981dae Add investigation guides (#4600) 2025-04-07 20:55:39 +05:30
Jonhnathan e7806fc74f [Rule Tuning] O365 Exchange Suspicious Mailbox Right Delegation (#4589) 2025-04-02 09:52:34 -03:00
Terrance DeJesus c6e37d6910 [Rule Tuning] Tuning Illicit Grant Consent Detections in Azure and M365 (#4557)
* tuning Azure rule for illicit grant activity; creating new rule for M365

* Update rules/integrations/o365/initial_access_microsoft_365_illicit_consent_grant_via_registered_application.toml

* Update rules/integrations/azure/initial_access_entra_illicit_consent_grant_via_registered_application.toml

* adjusted tags

* Update rules/integrations/azure/initial_access_entra_illicit_consent_grant_via_registered_application.toml
2025-03-27 15:55:04 -04:00
Terrance DeJesus 280140650a tuning 'Azure Conditional Access Policy Modified' (#4558) 2025-03-27 15:43:46 -04:00
Terrance DeJesus 2f3f4fbdef deprecating 'Azure Virtual Network Device Modified or Deleted' (#4559) 2025-03-27 10:09:34 -04:00
shashank-elastic 2b3095a13c Update Max signals value to supported limits (#4556) 2025-03-27 09:02:25 +05:30
M. Visser 63c1f47689 [Rule Tuning] Added OWA (outlook for web) new AppID (#4568)
* Added OWA (outlook for web) new AppID

**Title:** Add new Outlook for Web AppID to abnormal Microsoft 365 ClientAppID rule

**Description:**

This pull request updates the `initial_access_microsoft_365_abnormal_clientappid` rule to include the newly introduced Outlook for Web AppID:
- **New AppID**: `9199bf20-a13f-4107-85dc-02114787ef48`

### Context

Outlook for Web (OWA) is migrating to a new authentication platform using MSAL and a Single Page Application (SPA) auth model. As part of this backend change, Microsoft is replacing the existing OWA AppID with a new one. This change is being rolled out during the first half of calendar year 2024, with full deployment expected by Q4 2024.
- **Old OWA AppID**: `00000002-0000-0ff1-ce00-000000000000`
- **New OWA AppID**: `9199bf20-a13f-4107-85dc-02114787ef48`

Although no action is required for tenant administrators, this new AppID may show up in logs and should be accounted for in detections relying on known legitimate ClientAppIDs.

### Why this change?

The rule `initial_access_microsoft_365_abnormal_clientappid` flags potentially suspicious or unauthorized client applications accessing Microsoft 365 services. To prevent false positives caused by this official change from Microsoft, this PR adds the new OWA AppID to the allowlist.

### References
- Microsoft 365 Message Center notice (ref: MC715025)
- [MSAL documentation](https://learn.microsoft.com/en-us/azure/active-directory/develop/msal-overview)

* Update initial_access_microsoft_365_abnormal_clientappid.toml

Updated updated_date
2025-03-26 15:15:28 -03:00
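The allowlist change described in the commit above, shown as an added example that is not the repository's own rule (the real rule is a query in a TOML file, not Python). It runs a known-good ClientAppID check over a few constructed Microsoft 365 login events and shows why the new OWA AppID produced false positives until it was allowlisted. The event shape and the field names `ApplicationId`, `Operation` and `ResultStatus` are assumptions for this example, and the unknown app ID and user names are constructed; only the two OWA AppIDs come from the commit message.

```python
import json

# The two Microsoft OWA application IDs quoted in the commit message above.
OWA_APPID_OLD = "00000002-0000-0ff1-ce00-000000000000"
OWA_APPID_NEW = "9199bf20-a13f-4107-85dc-02114787ef48"

# Known-good client app IDs as they stood before the change (old OWA ID only)
# and after it (new OWA ID added).
ALLOWLIST_BEFORE = frozenset({OWA_APPID_OLD})
ALLOWLIST_AFTER = ALLOWLIST_BEFORE | {OWA_APPID_NEW}

# Constructed placeholder for a client app that is NOT known-good.
UNKNOWN_APPID = "11111111-2222-3333-4444-555555555555"

# Constructed sample events, one JSON document per line. The field names are
# an assumption for this example, not the real Office 365 audit schema.
SAMPLE_EVENTS = [
    json.dumps({"UserId": "alice@example.com", "Operation": "UserLoggedIn",
                "ResultStatus": "Success", "ApplicationId": OWA_APPID_OLD}),
    # Same ID as OWA_APPID_NEW but upper-cased: a naive string compare misses it.
    json.dumps({"UserId": "bob@example.com", "Operation": "UserLoggedIn",
                "ResultStatus": "Success", "ApplicationId": OWA_APPID_NEW.upper()}),
    json.dumps({"UserId": "carol@example.com", "Operation": "UserLoggedIn",
                "ResultStatus": "Success", "ApplicationId": UNKNOWN_APPID}),
    # Not a login event: the check ignores it regardless of app ID.
    json.dumps({"UserId": "dave@example.com", "Operation": "FileDownloaded",
                "ResultStatus": "Success", "ApplicationId": UNKNOWN_APPID}),
    # Login with no ApplicationId at all: surfaced rather than silently allowed.
    json.dumps({"UserId": "eve@example.com", "Operation": "UserLoggedIn",
                "ResultStatus": "Success"}),
]


def normalize_appid(value: str) -> str:
    """GUIDs are case-insensitive; compare them in one canonical form."""
    return value.strip().lower()


def abnormal_client_apps(raw_events, allowlist):
    """Return (user, app_id) pairs for successful logins whose client app ID
    is not on the allowlist. app_id is None when the event carries no ID."""
    allowed = {normalize_appid(a) for a in allowlist}
    hits = []
    for line in raw_events:
        ev = json.loads(line)
        if ev.get("Operation") != "UserLoggedIn" or ev.get("ResultStatus") != "Success":
            continue
        app_id = ev.get("ApplicationId")
        if not app_id:
            hits.append((ev.get("UserId"), None))
            continue
        app_id = normalize_appid(app_id)
        if app_id not in allowed:
            hits.append((ev.get("UserId"), app_id))
    return hits


if __name__ == "__main__":
    print("before:", abnormal_client_apps(SAMPLE_EVENTS, ALLOWLIST_BEFORE))
    print("after: ", abnormal_client_apps(SAMPLE_EVENTS, ALLOWLIST_AFTER))
```

Before the allowlist update, Bob's ordinary Outlook for Web login is reported alongside the genuinely unknown client; after it, only the unknown client and the event with no app ID remain. The case-normalisation matters in practice because the same GUID can appear in different casing across log sources, and a rule that compares raw strings would keep alerting on the new ID even after it was added.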
shashank-elastic e8c54169a4 Prep main for 9.1 (#4555)
* Prep for Release 9.1

* Update Patch Version

* Update Patch version

* Update Patch version
2025-03-26 11:04:14 -04:00
Terrance DeJesus 5e12f05a36 fixing double header in investigation notes (#4490) 2025-03-25 09:08:13 -04:00
Terrance DeJesus db78756062 [New Rule] Adding Coverage for DynamoDB Exfiltration Behaviors (#4535)
* new rules for AWS DynamoDB data exfiltration

* bumping patch version

* adjusting investigation guide

* updating patch version

* updating patch version

* updating patch version

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2025-03-21 10:05:24 -04:00
shashank-elastic 059d7efa25 Prep for Release 9.0 (#4550) 2025-03-20 20:32:07 +05:30
Kirti Sodhi 955e973c00 Change description and name of problemchild ML detection-rules (#4545)
Changed description and name of problemchild ML detection-rules
2025-03-20 08:58:10 -04:00
Eric Forte 5ccb7ed4af Min stack rules from 4516 (#4549) 2025-03-19 20:27:30 -04:00
Eric Forte 5b3dc4a4a7 Revert "Add new ML detection rules for Privileged Access Detection (#4516)" (#4548)
This reverts commit 2ff8d1bb56.
2025-03-19 20:08:08 -04:00
Kirti Sodhi 2ff8d1bb56 Add new ML detection rules for Privileged Access Detection (#4516)
Add detection-rules for privileged access detection integration
2025-03-19 11:02:28 -04:00
shashank-elastic 0993ced309 Deprecate Cloud Defend Rules (#4537) 2025-03-14 21:27:37 +05:30
Terrance DeJesus 3ed820afa8 [New Rule] Adding Coverage for Azure Entra Password Spraying (Non-Interactive SFA) (#4523)
* adding new rule 'Azure Entra Repeated Failed Sign-Ins via Non-Interactive Single-Factor Authentication'

* updating name

* added investigation guide

* updated investigation guide

* updated investigation guide

* removed unnecessary comment

* adjusted logic to count distinct on principal id; principal name will be in aggregations now

* updated Entra ID name
2025-03-11 11:25:10 -04:00
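The detection logic the commit above describes (failed non-interactive single-factor sign-ins, counted by distinct principal ID per source rather than by raw event count), as an added example that is not the repository's rule query. It runs a sliding-window distinct count over constructed sign-in events; the field names, the window, the threshold and every IP and principal are assumptions chosen for this example and do not come from the Entra ID schema or the rule.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

SFA = "singleFactorAuthentication"
MFA = "multiFactorAuthentication"
BASE = datetime(2025, 3, 11, 12, 0)


def _ev(minute, ip, pid, name, interactive=False, req=SFA, result="failure"):
    """Build one constructed sign-in event (field names are assumptions)."""
    return {"ts": BASE + timedelta(minutes=minute), "source_ip": ip,
            "principal_id": pid, "principal_name": name,
            "is_interactive": interactive, "auth_requirement": req,
            "result": result}


# Constructed sample data; IPs are from the documentation ranges.
SAMPLE_SIGNINS = (
    # Spray: one source, six different principals, six minutes.
    [_ev(m, "198.51.100.7", f"id-{m}", f"user{m}@example.com") for m in range(6)]
    # Lockout-style noise: one principal failing eight times from one source.
    + [_ev(m, "203.0.113.5", "id-lock", "locked@example.com") for m in range(8)]
    # Six principals but all MFA-required failures: out of scope for this rule.
    + [_ev(m, "203.0.113.9", f"mfa-{m}", f"mfa{m}@example.com", req=MFA) for m in range(6)]
    # Six principals but interactive sign-ins: out of scope for this rule.
    + [_ev(m, "203.0.113.10", f"int-{m}", f"int{m}@example.com", interactive=True) for m in range(6)]
    # Slow spray, one principal every 15 minutes: never five inside a 10-minute window.
    + [_ev(15 * m, "192.0.2.4", f"slow-{m}", f"slow{m}@example.com") for m in range(6)]
    # A success from the spraying source: not a failure, so not counted here.
    + [_ev(6, "198.51.100.7", "id-5", "user5@example.com", result="success")]
)


def spray_candidates(events, window=timedelta(minutes=10), min_distinct=5):
    """Return {source_ip: {"principal_ids": [...], "principal_names": [...]}}
    for sources with >= min_distinct distinct principals failing
    non-interactive single-factor sign-ins inside one sliding window."""
    relevant = sorted(
        (e for e in events
         if e["result"] == "failure"
         and not e["is_interactive"]
         and e["auth_requirement"] == SFA),
        key=lambda e: e["ts"],
    )
    recent = defaultdict(deque)      # ip -> deque of (ts, principal_id) in window
    names = defaultdict(dict)        # ip -> {principal_id: principal_name}
    alerts = {}
    for e in relevant:
        ip = e["source_ip"]
        q = recent[ip]
        q.append((e["ts"], e["principal_id"]))
        # Drop entries older than the window relative to this event.
        while q and e["ts"] - q[0][0] > window:
            q.popleft()
        names[ip][e["principal_id"]] = e["principal_name"]
        distinct = {pid for _, pid in q}
        if len(distinct) >= min_distinct:
            # Distinct count, not event count: 8 failures for one user stays below.
            alerts[ip] = sorted(distinct)
    return {ip: {"principal_ids": ids,
                 "principal_names": sorted(names[ip][p] for p in ids)}
            for ip, ids in alerts.items()}


if __name__ == "__main__":
    for ip, info in spray_candidates(SAMPLE_SIGNINS).items():
        print(ip, info["principal_names"])
```

Only the 198.51.100.7 source is reported: the single locked-out user generates more failures than the spray but only one distinct principal, and the MFA, interactive and slow sources fall outside either the filter or the window. Collecting principal names per source alongside the distinct count is what lets an analyst see which accounts were targeted without the name taking part in the count itself.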
Terrance DeJesus aacb376acf [New Rule] Adding Coverage for Azure Entra Rare App ID for Principal Authentication (#4524)
* adding new rule 'Azure Entra Rare App ID for Principal Authentication'

* updating tactic tag

* adjusted query logic for user type

* updated Entra ID name
2025-03-11 11:05:56 -04:00
Terrance DeJesus fd1369a164 [New Rule] Adding Coverage for Azure Entra Rare Instance of Single-Factor Authentication for User (#4525)
* adding new rule 'Azure Entra Rare Instance of Single-Factor Authentication for User'

* linted; updated UUID

* adjusted rule name and logic to focus on any rare authentication requirements

* adjusted file name
2025-03-11 10:51:01 -04:00
shashank-elastic e28512a32f Deprecation Notice to Cloud Defend Rules (#4520)
* Deprecation Notice to Cloud Defend Rules

* Update names in investigation guide

* Adding deprecation note under Setup field

* reverting back to setup field name

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
2025-03-07 00:20:00 -05:00
Mika Ayenson, PhD 49c361dd98 [New Rules] Azure OpenAI (#3701)
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Co-authored-by: Shashank K S <Shashank.Suryanarayana@elastic.co>
2025-03-04 22:59:38 +05:30
Terrance DeJesus 4b7aa67213 [New Rule] Adding Coverage for M365 OneDrive Excessive File Downloads with OAuth Token (#4469)
* new rule 'M365 OneDrive Excessive File Downloads with OAuth Token'

* removed Azure data source tag; added saas tag

* removed Azure data source tag; added saas tag

* updated mitre mappings

* added tactic:collection tag

* removed file directory, added targeted_time_window to aggregation
2025-02-21 10:45:04 -05:00
Terrance DeJesus 0b98462cfe [New Hunt] Adding Hunting Queries for AWS SNS exfiltration and data collection (#4458)
* new hunting queries for SNS

* added KEEP to all queries; adjusted description in SNS rule
2025-02-20 10:53:36 -05:00
Terrance DeJesus ec4523a6a9 [Rule Tuning] Expanding coverage for First Occurrence of Entra ID Auth via DeviceCode Protocol (#4466)
* rule tuning 'First Occurrence of Entra ID Auth via DeviceCode Protocol'

* bumping patch version

* fixed investigation guide unit test failure

* bump patch
2025-02-20 10:29:04 -05:00
Terrance DeJesus 17ea9fbdd5 [New Rule] Adding Coverage for AWS SNS Topic Created by Rare User (#4455)
* new rule 'AWS SNS Topic Created by Rare User'

* changed file name

* Update rules/integrations/aws/resource_development_sns_topic_created_by_rare_user.toml

* moved new terms link to investigation guide
2025-02-20 10:05:40 -05:00
shashank-elastic 692a1382bf Fix spacing in Setup information (#4470) 2025-02-20 10:04:13 +05:30
Jonhnathan 5155f47b86 [Rule Tuning] Event Aggregation - Fix event.action & event.type conditions (#4445)
* [Rule Tuning] Event Aggregation - Fix `event.action` & `event.type` conditions

* .

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2025-02-07 18:42:28 -03:00
Mika Ayenson c7f5385711 [Rule Tuning] Decrease Interval to 1m for Endpoint Promotions (#4450) 2025-02-07 08:30:35 -06:00
shashank-elastic a866ee7f57 Fix remaining Replace master doc URLs with current (#4441) 2025-02-03 23:03:20 +05:30
shashank-elastic 818467f132 Replace master doc URLs with current (#4439) 2025-02-03 21:27:50 +05:30
Terrance DeJesus bf1caf8b5f [Rule Tuning] December-January AWS Rule Tuning (#4425)
* [Rule Tuning] AWS Monthly Rule Tunings

* Adding several more AWS tunings

* updating patch version

* updating non-ecs type to boolean

* fixed cloudtrail index
2025-01-31 10:35:18 -05:00
Mika Ayenson 7c6c77932c [FR] Add Remaining Guides (#4412) 2025-01-22 14:43:30 -06:00
Mika Ayenson fe8c81d762 [FR] Generate investigation guides (#4358) 2025-01-22 11:17:38 -06:00
Terrance DeJesus fb13b89f8d [New Rule] Adding Coverage for AWS S3 Unauthenticated Bucket Access by Rare Source (#4315)
* adding new rule 'AWS S3 Unauthenticated Object Retrieval by Rare Source'

* adjusted logic to capture multiple event calls

* updated verbiage

* updated MITRE mappings

* fixing date
2025-01-20 13:36:09 -05:00
Terrance DeJesus 7be96ec64d [Rule Tuning] Add Public Snapshot Coverage Regarding AWS EC2 EBS Snapshot Shared or Made Public (#4335)
* removing detection gap for EBS snapshots that are made public

* reverted logic; added investigation note about public snapshots
2025-01-20 13:15:41 -05:00
Ruben Groenewoud 01eda44298 [Rule Tuning] Linux Persistence Rules (#4393)
* [Rule Tuning] Linux Persistence Rules

* Update persistence_suspicious_file_modifications.toml

* Update rules/linux/persistence_potential_persistence_script_executable_bit_set.toml
2025-01-20 09:51:49 +01:00
Terrance DeJesus ca3994af0d [Deprecation] Deprecating Potential Password Spraying of Microsoft 365 User Accounts (#4394)
* Deprecating 'Potential Password Spraying of Microsoft 365 User Accounts'

* adding 'Deprecated - Suspicious JAVA Child Process'

* updated dates

* changed to deprecated maturity
2025-01-17 10:52:13 -05:00
Terrance DeJesus 5162067a51 [New Rule] Adding Coverage for Unusual AWS S3 Object Encryption with SSE-C (#4377)
* new rule 'Unusual AWS S3 Object Encryption with SSE-C'

* updated pyproject patch version

* bump repo version

* Update rules/integrations/aws/impact_s3_unusual_object_encryption_with_sse_c.toml

* updating patch version

* updating patch version

* Adding additional threshold rule
2025-01-15 14:11:58 -05:00
Terrance DeJesus c04ae6d444 [New Rule] Adding Coverage for SNS Topic Message Publish by Rare User (#4350)
* new rule 'SNS Topic Message Publish by Rare User'

* added new terms note

* added investigation guide tag

* fixed tag, added investigation fields

* toml lint

* fixed mitre ATT&CK mapping
2025-01-15 13:55:45 -05:00
Terrance DeJesus 97b3f43870 [New Rule] Adding Coverage for AWS EC2 Deprecated AMI Discovery (#4328)
* new rule 'AWS EC2 Deprecated AMI Discovery'

* updated type

* updated non-ecs; bumped package version

* updated query

* added missing index

* updated patch version
2025-01-15 11:53:18 -05:00
Terrance DeJesus f8312cc5b0 [Rule Tuning] Adjusting Verbiage for AWS EC2 Instance Connect SSH Public Key Uploaded (#4334)
* tuning rule 'AWS EC2 Instance Connect SSH Public Key Uploaded'

* updating subtechnique ID

* added mitre tag lateral movement

* changing sequence of mitre ATT&CK
2025-01-15 11:12:53 -05:00
Terrance DeJesus f97007f3a8 [New Rule] Adding Coverage for AWS SQS Queue Purge (#4354)
* new rule 'AWS SQS Queue Purge'

* Update rules/integrations/aws/defense_evastion_sqs_purge_queue.toml

* added investigation guide tag; fixed file name
2025-01-15 10:52:22 -05:00
James Valente f52cfb3729 [Rule: Tuning] - Azure blob permission modification tagging - Correct tags (#4371)
* Remove `Data Source: Elastic Defend` tag

* Update metadata

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2025-01-13 10:40:34 -03:00
Ruben Groenewoud 466097c31e [Rule Tuning] Potential Persistence via File Modification (#4310)
* [Rule Tuning] Potential Persistence via File Modification

* Update persistence_suspicious_file_modifications.toml

* Update persistence_suspicious_file_modifications.toml
2025-01-03 16:19:58 +01:00
Terrance DeJesus 9fb2dea7aa [New Rule] Endpoint Security Promotion Rules for Specific Events (#3533)
* new endpoint security rules for specific alerts

* updated risk scores

* fixed rule names and UUIDs

* changed logic to use message field for detection vs prevention

* reverting changes

* reverting changes

* reverting to old commit

* reverting to old commit

* reverting to old commit

* reverting to old commit

* changed naming to Elastic Defend

* updated rule dates and min-stacks

* linted; adjusted queries

* updated ransomware, memory sig or shellcode risk

* Update rules/integrations/endpoint/elastic_endpoint_security.toml

* updated promotion rule

* fixed typos in naming

* updated setup guides

* added intervals

* added MITRE

* added investigation guide for Memory Threat

* ++

* ++

* Update rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.toml

Co-authored-by: natasha-moore-elastic <137783811+natasha-moore-elastic@users.noreply.github.com>

* Update rules/integrations/endpoint/elastic_endpoint_security_memory_signature_prevented.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/integrations/endpoint/elastic_endpoint_security_memory_signature_detected.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/integrations/endpoint/elastic_endpoint_security_malicious_file_prevented.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/integrations/endpoint/elastic_endpoint_security_memory_signature_detected.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/integrations/endpoint/elastic_endpoint_security_memory_signature_prevented.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/integrations/endpoint/elastic_endpoint_security_ransomware_detected.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/integrations/endpoint/elastic_endpoint_security_ransomware_prevented.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* ++

* ++

* ++

* ++

* Update rules/integrations/endpoint/elastic_endpoint_security.toml

* Update rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.toml

* Update rules/integrations/endpoint/elastic_endpoint_security_behavior_prevented.toml

* Update rules/integrations/endpoint/elastic_endpoint_security_malicious_file_detected.toml

* Update rules/integrations/endpoint/elastic_endpoint_security_memory_signature_prevented.toml

* ++

* ++

* ++

* Update rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/execution_elastic_malicious_file_detected.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/impact_elastic_ransomware_detected.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/elastic_endpoint_security_behavior_prevented.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/execution_elastic_malicious_file_prevented.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/impact_elastic_ransomware_prevented.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/defense_evasion_elastic_memory_threat_prevented.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/defense_evasion_elastic_memory_threat_prevented.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/elastic_endpoint_security_behavior_prevented.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/elastic_endpoint_security_behavior_prevented.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/execution_elastic_malicious_file_detected.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/execution_elastic_malicious_file_detected.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/execution_elastic_malicious_file_prevented.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/execution_elastic_malicious_file_prevented.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/execution_elastic_malicious_file_prevented.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/impact_elastic_ransomware_detected.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/impact_elastic_ransomware_detected.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/impact_elastic_ransomware_detected.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/impact_elastic_ransomware_prevented.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/impact_elastic_ransomware_prevented.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/defense_evasion_elastic_memory_threat_detected.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/impact_elastic_ransomware_prevented.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/defense_evasion_elastic_memory_threat_detected.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/defense_evasion_elastic_memory_threat_detected.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/defense_evasion_elastic_memory_threat_prevented.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update defense_evasion_elastic_memory_threat_prevented.toml

* toml-lint

* Update rules/integrations/endpoint/execution_elastic_malicious_file_detected.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* ++

---------

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
Co-authored-by: Samirbous <Samir.Bousseaden@elastic.co>
Co-authored-by: natasha-moore-elastic <137783811+natasha-moore-elastic@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2024-12-19 13:24:23 -05:00
Terrance DeJesus dad008ea34 [Rule Tuning] Lookback Times for Okta Multiple Session and AWS KMS Retrieval Rules (#4324)
* rule tuning Okta and AWS lookback times

* adjusted Query Registry using Built-in Tools

* adjusted My First Rule

* Update rules/cross-platform/guided_onboarding_sample_rule.toml

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* Update rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

---------

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
2024-12-19 13:03:50 -05:00
Terrance DeJesus 0a740074c9 new rule 'Azure Entra MFA TOTP Brute Force Attempts' (#4297) 2024-12-12 11:00:02 -05:00
Terrance DeJesus e6012b1db6 Removing ESQL query format error (#4292) 2024-12-10 09:27:37 -05:00
Terrance DeJesus 052672b09f [Rule Tuning] Update Okta and Github Min-Stack Versions for Release (#4290) 2024-12-09 20:58:33 +05:30
Terrance DeJesus e7b88ae3fc [New Rule] Adding Coverage for Self-Created Login Profile for Root Accounts in AWS (#4277)
* new rule 'AWS IAM Login Profile Added for Root'

* added min-stack

* linted; fixed rule schema errors

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2024-12-09 08:55:20 -05:00