security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
2,693 Commits 1 Branch 0 Tags
a5d9d6400a78d20ab3f2fce315b09a2e15eca879
Commit Graph

43 Commits

Author SHA1 Message Date
shashank-elastic 692a1382bf Fix spacing in Setup information (#4470) 2025-02-20 10:04:13 +05:30
Mika Ayenson fe8c81d762 [FR] Generate investigation guides (#4358) 2025-01-22 11:17:38 -06:00
Mika Ayenson b80d8342d6 [Docs | Rule Tuning] Add blog references to rules (#4097) 
* [Docs | Rule Tuning] Add blog references to rules

* Apply suggestions from code review

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Apply suggestions from code review

* Update google_workspace blog references

* add okta blog references

* Update dates

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2024-09-25 15:19:20 -05:00
George Papakyriakopoulos 80ac2794f2 [Rule BugFix] Google Workspace Oauth2 new app (#3436) 
* [Rule BugFix] Google Workspace Oauth2 new app

In our extended testing the changed rule with latest Google Workspace
integration generates the following errors which make the rule fail everytime:

```
unsupported_operation_exception: [wildcard] queries are not currently supported on keyed [flattened] fields.
```

After careful investigation this happens since the field google_workspace.token.scope.data is a flattened
JSON filed that contains one or more key/value pairs and ES does not support wildcard matches withing flattened
fields as the error suggests.

We instead query the whole field (that contains the flattened fields) with the wildcard characters and achieve
the same outcome without the error.

* [Rule BugFix] Google Workspace Oauth2 new app update (#3436)

In our extended testing the changed rule with latest Google Workspace
integration generates the following errors which make the rule fail everytime:

```
unsupported_operation_exception: [wildcard] queries are not currently supported on keyed [flattened] fields.
```

After careful investigation this happens since the field google_workspace.token.scope.data is a flattened
JSON filed that contains one or more key/value pairs and ES does not support wildcard matches withing flattened
fields as the error suggests.

We instead query the whole field (that contains the flattened fields) with the wildcard characters and achieve
the same outcome without the error.

---------

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2024-07-11 10:45:17 -04:00
Terrance DeJesus 5fe7833312 [Rule Tuning] Tuning Google Workspace Rules and File Name Length Reduction (#3849) 
* tuning google workspace rules

* removed verbiage about runtime
 2024-07-01 15:50:12 -04:00
shashank-elastic 63e91c2f12 Back-porting Version Trimming (#3704) 2024-05-23 00:45:10 +05:30
Mika Ayenson 2c3dbfc039 Revert "Back-porting Version Trimming (#3681)" 
This reverts commit 71d2c59b5c.
 2024-05-22 13:51:46 -05:00
shashank-elastic 71d2c59b5c Back-porting Version Trimming (#3681) 2024-05-23 00:11:50 +05:30
Jonhnathan b4c84e8a40 [Security Content] Tags Reform (#2725) 
* Update Tags

* Bump updated date separately to be easy to revert if needed

* Update resource_development_ml_linux_anomalous_compiler_activity.toml

* Apply changes from the discussion

* Update persistence_init_d_file_creation.toml

* Update defense_evasion_timestomp_sysmon.toml

* Update defense_evasion_application_removed_from_blocklist_in_google_workspace.toml

* Update missing Tactic tags

* Update unit tests to match new tags

* Add missing IG tags

* Delete okta_threat_detected_by_okta_threatinsight.toml

* Update command_and_control_google_drive_malicious_file_download.toml

* Update persistence_rc_script_creation.toml

* Mass bump

* Update persistence_shell_activity_by_web_server.toml

* .

---------

Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2023-06-22 18:38:56 -03:00
Terrance DeJesus 7f249e6cc4 [Security Content] Add Google Workspace Investigation Guides (#2540) 
* adding google workspace investigation guides

* updated 'Google Workspace Custom Gmail Route Created or Modified' guide

* updated 'Google Workspace Custom Gmail Route Created or Modified' guide

* updated 'Application Removed from Blocklist in Google Workspace'

* updated 'Domain Added to Google Workspace Trusted Domains'

* updated 'Google Workspace Bitlocker Setting Disabled'

* updated 'Google Workspace Admin Role Deletion'

* updated 'Application Added to Google Workspace Domain'

* updated 'Google Workspace Admin Role Assigned to a User'

* updated 'Google Workspace Role Modified'

* updated 'Google Workspace Custom Admin Role Created'

* updated 'Google Workspace API Access Granted via Domain-Wide Delegation of Authority'

* updated 'Google Workspace Password Policy Modified'

* updated 'Google Workspace Restrictions for Google Marketplace Modified to Allow Any App'

* updated 'Google Workspace User Organizational Unit Changed'

* reverted 'Google Workspace User Group Access Modified to Allow External Access'

* removed new lines

* added 'Investigation Guide' tags

* Update rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

* Update rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/collection_google_workspace_custom_gmail_route_created_or_modified.toml

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/collection_google_workspace_custom_gmail_route_created_or_modified.toml

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/collection_google_workspace_custom_gmail_route_created_or_modified.toml

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/defense_evasion_google_workspace_restrictions_for_google_marketplace_changed_to_allow_any_app.toml

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/impact_google_workspace_admin_role_deletion.toml

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/google_workspace/collection_google_workspace_custom_gmail_route_created_or_modified.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/google_workspace/persistence_google_workspace_password_policy_modified.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/google_workspace/persistence_google_workspace_password_policy_modified.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/google_workspace/persistence_google_workspace_password_policy_modified.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/google_workspace/persistence_google_workspace_password_policy_modified.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/collection_google_workspace_custom_gmail_route_created_or_modified.toml

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/persistence_google_workspace_2sv_policy_disabled.toml

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* removed duplicate file

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>
 2023-05-18 10:16:20 -04:00
Terrance DeJesus f21a9e4793 updating min stack comments (#2712) 2023-04-12 14:30:34 -04:00
Terrance DeJesus d6f277e379 [New Rule] Google Workspace New OAuth Login from Third-Party Application (#2677) 
* adding new rule 'Google Workspace New OAuth Login from Custom Application'

* changed name and 'custom' to 'third-party'

* Update rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml

* Update rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml

* updated non-ecs
 2023-04-12 09:40:31 -04:00
Terrance DeJesus 4511ab0666 [Rule Tuning] Add Sequence for OAuth Authorization to Custom App - Google Workspace (#2674) 
* tuning rule to add token sequence

* updated date

* updated non-ecs, integration schemas and manifests

* added investigation guide

* Updating note

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* updating note

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* updated false positive description

* updating manifest and schemas with main to resolve conflicts

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
 2023-04-12 09:15:58 -04:00
Terrance DeJesus 71d12bdda4 [Bug] Unit Tests Passing for Rules with Integrations Not Reflected in Manifests (#2682) 
* add promotion to rulemeta schema class and updated promotion rules

* add promotion to rulemeta schema class and updated promotion rules

* adjusted test_integration_tag and okta rule missing dataset

* fixed flake errors

* updated manifests and schemas to include cloud defend
 2023-04-03 09:42:40 -04:00
Terrance DeJesus 76500f0d46 [New Rule] Google Workspace Drive - Encryption Key(s) Accessed from Anonymous User (#2654) 
* new rule 'Google Workspace Drive Encryption Key(s) Accessed from Anonymous User'

* updated MITRE ATT&CK mappings
 2023-03-24 12:21:56 -04:00
Terrance DeJesus 7be5788945 [New Rule] Google Workspace Resource Copied from External Drive (#2627) 
* added new rule 'Google Workspace Resource Copied from External Drive'

* adjusted mitre att&ck subtechnique ID
 2023-03-20 14:37:58 -04:00
Terrance DeJesus 2c5470349c [New Rule] External User Added to Private Organization Group (#2577) 
* new rule 'External User Added to Google Workspace Group'

* Update rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* added Investigation Guide tag

---------

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2023-03-20 14:32:42 -04:00
Terrance DeJesus bb4f7acf27 deprecate 'Google Workspace User Group Access Modified to Allow External Access' (#2576) 
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2023-03-02 11:29:14 -05:00
Terrance DeJesus 46b18b5a07 [New Rule] Google Workspace - Suspended User Account Renewed (#2592) 
* new rule for suspended user account renewal in Google Workspace

* fixed risk score; toml linted

* Update rules/integrations/google_workspace/initial_access_google_workspace_suspended_user_renewed.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
 2023-03-02 11:23:49 -05:00
Terrance DeJesus e5d81e77f7 [New Rule] Add Google Workspace Alert Center Promotional Rule (#2471) 
* Add Google Workspace Alert Center Promotional Rule

* added severity mapping overrides
 2023-01-17 12:09:13 -05:00
Terrance DeJesus b61da98f97 [Rule Tuning] Bumping min-stack version for Google Workspace to 8.4 (#2467) 
* Bumping min-stack version for Google Workspace to 8.4

* changed 'updated_date' values
 2023-01-13 13:29:28 -05:00
Jonhnathan 9981cca275 [Security Content] Investigation Guides Line breaks refactor (#2454) 
* [Security Content] Investigation Guides Line breaks refactor (#2412)

* [Security Content] Investigation Guides Line break refactor

* undo updated_date bump on deprecated rules

* Remove duplicated key

* Remove changes to deprecated rules

* Update command_and_control_certutil_network_connection.toml
 2023-01-09 13:28:10 -03:00
Terrance DeJesus b1a689b6fd Revert "[Security Content] Investigation Guides Line breaks refactor (#2412)" (#2453) 
This reverts commit d1481e1a88.
 2023-01-09 10:44:54 -05:00
Jonhnathan d1481e1a88 [Security Content] Investigation Guides Line breaks refactor (#2412) 
* [Security Content] Investigation Guides Line break refactor

* undo updated_date bump on deprecated rules

* Remove duplicated key
 2023-01-09 11:56:39 -03:00
Terrance DeJesus 4312d8c958 [FR] Add Endpoint, APM and Windows Integration Tags to Rules and Supportability (#2429) 
* initial commit

* addressing flake errors

* added apm to _get_packagted_integrations logic

* addressed flake errors

* adjusted integration schema and updated rules to be a list

* updated several rules and removed a unit test

* updated rules with logs-* only index patterns

* Update tests/test_all_rules.py

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* addressed flake errors

* integration is none is windows, endpoint or apm

* adding rules with accepted incoming changes from main

* fixed tag and tactic alignment errors from unit testing

* adjusted unit testing logic for integration tags; added more exclusion rules

* adjusted test_integration logic to be rule resistent and skip if -8.3

* adjusted comments for unit test skip

* fixed merge conflicts from main

* changing test_integration_tag to remove logic for rule version comparisons

* added integration tag to new rule

* adjusted rules updated_date value

* ignore guided onboarding rule in unit tests

* added integration tag to new rule

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2023-01-04 09:30:07 -05:00
Jonhnathan ac01718bb6 [Rule Tuning] Add tags to flag Sysmon-only rules & Modify Investigation Guide-related tag (#2352) 
* [Rule Tuning] Add tags to flag Sysmon-only rules

* Modify tags

* Revert "Modify tags"

This reverts commit 3d9267d171a41f727bb499501d71d5c4db4f0434.

* Modify tags

* Update test_all_rules.py

* Update test_all_rules.py

* Update test_all_rules.py

* Update test_all_rules.py

* Update test_all_rules.py
 2022-11-18 12:32:27 -03:00
Jonhnathan ec04a39413 [Security Content] Tag rules with robust Investigation Guides (#2297) 2022-09-23 14:20:32 -03:00
Terrance DeJesus 812a54fc70 [New Rule] Custom Gmail Route Created or Modified - Google Workspace (#2296) 
* adding new rule

* Update rules/integrations/google_workspace/collection_google_workspace_custom_gmail_route_created_or_modified.toml

* Update rules/integrations/google_workspace/collection_google_workspace_custom_gmail_route_created_or_modified.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* adjusted rule description

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2022-09-19 13:03:23 -04:00
Terrance DeJesus 59297c836e [New Rule] User Organizational Unit Changed - Google Workspace (#2289) 
* adding new rule

* adjusting severity and risk

* Update rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml
 2022-09-13 15:36:27 -04:00
Terrance DeJesus 8c19e9ff6c [New Rule] Bitlocker Settings Disabled - Google Workspace (#2288) 
* adding new rule

* adjusted UUID
 2022-09-12 16:06:01 -04:00
Terrance DeJesus 6a6ef0ce11 [New Rule] Restrictions for Google Marketplace Modified to Allow Any App - Google Workspace (#2268) 
* adding new rule

* adjusted UUID to address unit testing failures

* adjusted UUID to address unit testing failures

* adjusted references
 2022-08-26 12:43:30 -04:00
Terrance DeJesus bd6befb168 [New Rule] Google Drive Ownership Transferred (#2265) 
* adding new rule

* adjusted query format

* adjusted file and rule name to include google workspace

* Update collection_google_drive_ownership_transferred_via_google_workspace.toml

Fixed a couple minor typos

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
 2022-08-26 12:41:10 -04:00
Terrance DeJesus 18df50443c [Rule Tuning] Admin Role Assigned to User - Google Workspace (#2266) 
* tuning rule query and att&ck mappings

* adjusted description and query formatting

* Update rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* adjusted risk and severity

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
 2022-08-26 12:35:44 -04:00
Terrance DeJesus cd2539f1eb [New Rule] User Group Access Modified to Allow External Access (#2264) 
* adding new rule

* adjusting rule name, file name and description

* adjusted att&ck technique

* adjusted file and rule name to include google workspace

* adjusted references

* Update persistence_google_workspace_user_group_access_modified_to_allow_external_access.toml

Fixed minor typo

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
 2022-08-26 12:25:29 -04:00
Terrance DeJesus c0a339e277 [New Rule] 2SV Policy Disabled - Google Workspace (#2271) 
* adding new rule

* adjusted file name, query and rule name
 2022-08-26 12:22:54 -04:00
Terrance DeJesus e5399bc148 [New Rule] Application Removed from Blocklist - Google Workspace (#2267) 
* adding new rule

* Update rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
 2022-08-26 12:16:41 -04:00
Justin Ibarra 46d5e37b76 min_stack all rules to 8.3 (#2259) 
* min_stack all rules to 8.3

* bump date

Co-authored-by: Mika Ayenson <mika.ayenson@elastic.co>
 2022-08-24 10:38:49 -06:00
Jonhnathan 91c00fd442 [Security Content] Add Investigation Guides - Cloud - 3 (#2132) 
* [Security Content] Add Investigation Guides - Cloud - 3

* Apply suggestions from code review

Co-authored-by: Joe Peeples <joe.peeples@elastic.co>

* Update rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml

* update dates

* Apply suggestions from review

Co-authored-by: Joe Peeples <joe.peeples@elastic.co>
 2022-07-27 15:40:09 -03:00
Terrance DeJesus e8c39d19a7 [Rule Tuning] Missing MITRE ATT&CK Mappings (#2073) 
* initial commit with eggshell mitre mapping added

* adding updated rules

* [Rule Tuning] MITRE for GCP rules

I've added Mitre references for the 4 GCP rules missing. Changed 3 of the rules from "Impact" to "Defense Evasion" based on the technique used and it's matched tactic.

* [Rule Tuning] Endgame Rule name updates for Mitre

Updated Endgame rule names for those with Mitre tactics to match the tactics.

* Update rules/integrations/aws/persistence_redshift_instance_creation.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/integrations/aws/exfiltration_rds_snapshot_restored.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* adding 10 updated rules for google_workspace, ml and o365

* adding 22 rule updates for mitre att&ck mappings

* adding 24 rule updates related mainly to ML rules

* adding 3 rules related to detection via ML

* adding adjustments

* adding adjustments with solutions to recent pytest errors

* removed tabs from tags

* adjusted mappings and added techniques

* adjusted endgame rule mappings per review

* adjusted names to match different tactics

* added execution and defense evasion tag

* adjustments to address errors from merging with main

* added newlines to rules missing them at the end of the file

Co-authored-by: imays11 <59296946+imays11@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
 2022-07-22 14:30:34 -04:00
Mika Ayenson a52751494e 2058 add setup field to metadata (#2061) 
* Convert config header to setup in note field
* Parse note field into separate setup and note field with marko gfm
* only validate and parse note on elastic authored rules and add CLI description for new DR_BYPASS_NOTE_VALIDATION_AND_PARSE environment variable

Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
 2022-07-18 15:41:32 -04:00
Jonhnathan b6d1c1476b [Rule Tuning] Update Google Workspace rules to remove compatibility with deprecated gsuite integration (#1706) 
* Adjust queries and min_stack_version
* Update reference to the filebeat module
* adjust min_stack_version
 2022-01-25 16:51:20 -09:00
Justin Ibarra f8f643041a [Rule tuning] Revise rule description and other text (#1398) 2021-08-03 13:07:47 -08:00
Ross Wolf 1882f4456c [Fleet] Track integrations in folder and metadata (#1372) 
* Track integrations in folder and metadata
* Remove duplicate entry
* Update note and tests
 2021-07-21 15:24:56 -06:00