* adding new rule 'Azure Entra Repeated Failed Sign-Ins via Non-Interactive Single-Factor Authentication'
* updating name
* added investigation guide
* updated investigation guide
* updated investigation guide
* removed unnecessary comment
* adjusted logic to count distinct on principal id; principal name will be in aggregations now
* updated Entra ID name
* adding new rule 'Azure Entra Rare App ID for Principal Authentication'
* updating tactic tag
* adjusted query logic for user type
* updated Entra ID name
* adding new rule 'Azure Entra Rare Instance of Single-Factor Authentication for User'
* linted; updated UUID
* adjusted rule name and logic to focus on any rare authentication requirements
* adjusted file name
* rule tuning 'First Occurrence of Entra ID Auth via DeviceCode Protocol'
* bumping patch version
* fixed investigation guide unit test failure
* bump patch
* [Tuning] Possible Consent Grant Attack via Azure-Registered Application
SDH related rule tuning for o365.audit dataset
* removing renamed field from query
* updating ES|QL rules to include KEEP command
* fixed some ES|QL rules with typos; added validation for KEEP command
* fixed ES|QL errors from missing fields
* fixed flake errors
* updated date
* added best practices to hunt docs
* deprecated rule; tuned for single source inclusion
* adjusted query comments
* added min-stack
* updated date
* added Azure-based rule for brute forcing
* added reference to o365spray
* fixed tag
* adjusted query comment
* added rule for repeat source
* adjusted query to use count distinct
* added intervals; adjusted lookback window according to time truncation
* initial commit
* addressing flake errors
* added apm to _get_packagted_integrations logic
* addressed flake errors
* adjusted integration schema and updated rules to be a list
* updated several rules and removed a unit test
* updated rules with logs-* only index patterns
* Update tests/test_all_rules.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
* addressed flake errors
* integration is none is windows, endpoint or apm
* adding rules with accepted incoming changes from main
* fixed tag and tactic alignment errors from unit testing
* adjusted unit testing logic for integration tags; added more exclusion rules
* adjusted test_integration logic to be rule resistent and skip if -8.3
* adjusted comments for unit test skip
* fixed merge conflicts from main
* changing test_integration_tag to remove logic for rule version comparisons
* added integration tag to new rule
* adjusted rules updated_date value
* ignore guided onboarding rule in unit tests
* added integration tag to new rule
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
* added elastic security labs URL references
* Update rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml
Is not compatible with Windows blog.
* Update rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml
Is not compatible with Windows blog. Reverting updated date.
* Update rules/macos/credential_access_access_to_browser_credentials_procargs.toml
Is not compatible with Windows blog. Reverting updated date.
* Update rules/macos/credential_access_access_to_browser_credentials_procargs.toml
Is not compatible with Windows blog.
* Update rules/ml/execution_ml_windows_anomalous_script.toml
Is not compatible with Windows blog. Reverting updated date.
* Update rules/linux/credential_access_collection_sensitive_files.toml
Not compatible with Windows blog. Reverting updated date.
* Update rules/linux/credential_access_collection_sensitive_files.toml
Not compatible with Windows blog.
* added credential access URL for mimikatz rules
* updated version ml windows anomalous script rule
* removed change to macOS rule since no blog correlation
* initial commit with eggshell mitre mapping added
* adding updated rules
* [Rule Tuning] MITRE for GCP rules
I've added Mitre references for the 4 GCP rules missing. Changed 3 of the rules from "Impact" to "Defense Evasion" based on the technique used and it's matched tactic.
* [Rule Tuning] Endgame Rule name updates for Mitre
Updated Endgame rule names for those with Mitre tactics to match the tactics.
* Update rules/integrations/aws/persistence_redshift_instance_creation.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update rules/integrations/aws/exfiltration_rds_snapshot_restored.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* adding 10 updated rules for google_workspace, ml and o365
* adding 22 rule updates for mitre att&ck mappings
* adding 24 rule updates related mainly to ML rules
* adding 3 rules related to detection via ML
* adding adjustments
* adding adjustments with solutions to recent pytest errors
* removed tabs from tags
* adjusted mappings and added techniques
* adjusted endgame rule mappings per review
* adjusted names to match different tactics
* added execution and defense evasion tag
* adjustments to address errors from merging with main
* added newlines to rules missing them at the end of the file
Co-authored-by: imays11 <59296946+imays11@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Convert config header to setup in note field
* Parse note field into separate setup and note field with marko gfm
* only validate and parse note on elastic authored rules and add CLI description for new DR_BYPASS_NOTE_VALIDATION_AND_PARSE environment variable
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
* [Rule tuning] Update rule verbiage based on docs review
* fix typos
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* revert TI rule changes since it was deprecated
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Terrance DeJesus