shashank-elastic
e2f1fcefa8
Add flag to update the docs/ATT&CK-coverage.md with markdown URL(s) (#4077)
2024-09-19 23:12:01 +05:30
Samirbous
5e0fb4a63e
[Tuning] Add logs-panw.panos index to Network rules (#4089)
* [Tuning] Add logs-panw.panos index to Network rules
https://github.com/elastic/detection-rules/issues/3998
This PR adds the PANOS traffic index `.ds-logs-panw.panos-default-*` to the network rules using fields that are compatible.
* add tag and integration
* Update command_and_control_fin7_c2_behavior.toml
* Build Manifest and Schema for panw integration
* Update definitions.py
* Update definitions.py
* Fix definitions declaration
---------
Co-authored-by: Shashank K S <Shashank.Suryanarayana@elastic.co>
2024-09-19 08:01:44 +01:00
Mika Ayenson
df31c002ca
[Bug] Handle formatting empty list (#4086)
2024-09-17 13:25:17 -05:00
github-actions[bot]
574064272d
Lock versions for releases: 8.10,8.11,8.12,8.13,8.14,8.15 (#4082)
2024-09-16 21:43:16 +05:30
Terrance DeJesus
bb9a772870
[New Rule] Okta Public Client App OAuth Token Request with Client Credentials (#4074)
* adding new rule for Okta public client app OAuth token request with client credentials
* Update detection_rules/etc/non-ecs-schema.json
* changing new terms to okta.actor.display_name
* linted; added references
2024-09-13 14:57:49 -04:00
shashank-elastic
eda179bbe1
Skip Development Rules from Security Docs (#4073)
2024-09-13 19:57:00 +05:30
Thijs Xhaflaire
df1f0bc98e
[New Rule] Add Jamf Protect detection rules (#4047)
* Create privilege_escalation_user_added_to_admin_group.toml
* Update privilege_escalation_user_added_to_admin_group.toml
* Update privilege_escalation_user_added_to_admin_group.toml
* Adding pbpaste detection rule and minor adjustments to user added to group
* Update credential_access_high_volume_of_pbpaste.toml
* Update credential_access_high_volume_of_pbpaste.toml
* Adding two rules to validate our approach.
* Updated index to "logs-jamf_protect*"
* Update credential_access_high_volume_of_pbpaste.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update credential_access_high_volume_of_pbpaste.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update credential_access_high_volume_of_pbpaste.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update credential_access_high_volume_of_pbpaste.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update credential_access_high_volume_of_pbpaste.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update credential_access_high_volume_of_pbpaste.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update credential_access_high_volume_of_pbpaste.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/jamf/credential_access_high_volume_of_pbpaste.toml
* Update rules/integrations/jamf/credential_access_high_volume_of_pbpaste.toml
* Update rules/integrations/jamf/credential_access_high_volume_of_pbpaste.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/jamf/privilege_escalation_user_added_to_admin_group.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/jamf/privilege_escalation_user_added_to_admin_group.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/jamf/privilege_escalation_user_added_to_admin_group.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/jamf/privilege_escalation_user_added_to_admin_group.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Moved to rules/macos folder
* Removed rules from integration/jamf folder
* Update credential_access_high_volume_of_pbpaste.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update credential_access_high_volume_of_pbpaste.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update credential_access_high_volume_of_pbpaste.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update credential_access_high_volume_of_pbpaste.toml
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
* minstack rules and support jamf_protect non-dataset
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co>
2024-09-12 15:03:56 -05:00
shashank-elastic
8618b1ad73
Support toml lint for investigate transforms (#4066)
2024-09-11 20:45:36 +05:30
github-actions[bot]
6a1ba19f7c
Lock versions for releases: 8.10,8.11,8.12,8.13,8.14,8.15 (#4050)
2024-09-03 17:40:44 +05:30
Eric Forte
0c38662cf3
[FR] [DAC] Add Support for Known Types to Auto-generated Schemas (#3985)
* Add support for autogen known type
* Add support for ML packages
* rename known_type to field_type
2024-08-28 10:48:00 -04:00
Eric Forte
f7b7a04d53
[FR] Add Better Error Handling for CUSTOM_RULES_DIR (#3990)
* Add better error handling for CUSTOM_RULES_DIR
* Update detection_rules/config.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2024-08-28 10:30:45 -04:00
Eric Forte
ba76c20b3d
Update import rules to repo help text. (#4013)
2024-08-26 10:20:32 -04:00
Eric Forte
589aa33508
[Bug] Add historical Rules as Default when Build Package (#4003)
* Add historical Rules as Default
* Update num latest rule versions
* Update split for parsing
* Update saved version
* Remove if else
* write historical rules with versions
---------
Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co>
2024-08-21 18:00:02 -04:00
shashank-elastic
c77356c0f2
Refresh Integration Manifest and Schema (#4001)
2024-08-21 22:24:05 +05:30
github-actions[bot]
fbe47298cf
Lock versions for releases: 8.10,8.11,8.12,8.13,8.14,8.15 (#3997)
2024-08-20 23:46:25 +05:30
shashank-elastic
0c25cfb82e
Remove unused @click.pass_context (#3996)
2024-08-20 23:11:22 +05:30
github-actions[bot]
760d9f6398
Lock versions for releases: 8.10,8.11,8.12,8.13,8.14,8.15 (#3995)
2024-08-20 21:32:43 +05:30
Terrance DeJesus
2559b7bb41
[Rule Tuning] Tuning AWS Rules for SAML Provider Updates and Assumed Roles via STS (#3898)
* tuning AWS rules for SAML provider updates and assumed roles via STS
* fixed mitre mapping
* adjusted new terms and added user ID to query
* reverting new terms value change
* adding non-ecs to new term checks
* fixing mitre mapping
* Update rules/integrations/aws/privilege_escalation_sts_temp_creds_via_assume_role.toml
* reverting file removal to add diff changes
* changing rule contents
* reverting rule changes
* added rule contents
* changed file name
* linted
* reverting lint
2024-08-20 11:53:46 -04:00
shashank-elastic
d3dc231315
Refresh ECS, Beats manifest and schemas (#3993)
2024-08-20 20:45:20 +05:30
Mika Ayenson
10ba6ad5a6
[FR] Add Alert Suppression for Additional Rule Types (#3986)
2024-08-15 15:03:45 -05:00
Eric Forte
400b4dbd23
[Bug] [DAC] Fix Kibana action connector export to export details with action connectors (#3984)
* Create Nested Directories
* Fix Kibana export not exporting connector info
2024-08-13 14:28:17 -04:00
Eric Forte
d0597e4260
Create Nested Directories (#3980)
2024-08-13 09:40:49 -04:00
Eric Forte
47d7a3acaa
[DaC] Beta Release (#3889)
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
Co-authored-by: Mika Ayenson <mika.ayenson@elastic.co>
2024-08-06 18:07:12 -04:00
github-actions[bot]
f9717e71bb
Lock versions for releases: 8.10,8.11,8.12,8.13,8.14,8.15 (#3961)
2024-08-06 19:37:36 +05:30
github-actions[bot]
823e8fd140
Lock versions for releases: 8.10,8.11,8.12,8.13,8.14,8.15 (#3926)
2024-07-25 18:38:08 +05:30
shashank-elastic
f3b0dc1954
Prep for next release 8.16 (#3919)
2024-07-24 11:19:56 -04:00
eric-forte-elastic
baee89de9b
Revert "Prep for next release 8.16 (#3914)"
This reverts commit 4245a815d2.
2024-07-23 14:06:04 -04:00
shashank-elastic
4245a815d2
Prep for next release 8.16 (#3914)
* Prep for Release 8.16
* Add subscription
* Remove double subscription
* Formatting
* Formatting
* Revert Beaconing rules minstack and lock version
2024-07-23 13:04:03 -04:00
Mika Ayenson
03c99d22d3
Revert "Prep for Release 8.16 (#3913)"
This reverts commit 01135085f6.
2024-07-23 09:50:04 -05:00
shashank-elastic
01135085f6
Prep for Release 8.16 (#3913)
2024-07-23 09:42:26 -05:00
Mika Ayenson
2110ad53f0
[FR] Support new_terms schema import/export w/custom format (#3890)
* [FR] Support new_terms schema import/export w/custom format
* fix formatter for filters
* handle both rule formats when parsing data view
2024-07-12 17:17:09 -05:00
Justin Ibarra
361e97a256
[FR] Add API auth to Kibana module (#3815)
* [FR] Add API auth to Kibana module
* update make file to properly install all deps
* Bump Kibana Version
---------
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
Co-authored-by: eric-forte-elastic <eric.forte@elastic.co>
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
2024-07-11 17:19:41 -04:00
George Papakyriakopoulos
80ac2794f2
[Rule BugFix] Google Workspace Oauth2 new app (#3436)
* [Rule BugFix] Google Workspace Oauth2 new app
In our extended testing the changed rule with latest Google Workspace
integration generates the following errors which make the rule fail every time:
```
unsupported_operation_exception: [wildcard] queries are not currently supported on keyed [flattened] fields.
```
After careful investigation this happens since the field google_workspace.token.scope.data is a flattened
JSON field that contains one or more key/value pairs and ES does not support wildcard matches within flattened
fields as the error suggests.
We instead query the whole field (that contains the flattened fields) with the wildcard characters and achieve
the same outcome without the error.
* [Rule BugFix] Google Workspace Oauth2 new app update (#3436)
In our extended testing the changed rule with latest Google Workspace
integration generates the following errors which make the rule fail every time:
```
unsupported_operation_exception: [wildcard] queries are not currently supported on keyed [flattened] fields.
```
After careful investigation this happens since the field google_workspace.token.scope.data is a flattened
JSON field that contains one or more key/value pairs and ES does not support wildcard matches within flattened
fields as the error suggests.
We instead query the whole field (that contains the flattened fields) with the wildcard characters and achieve
the same outcome without the error.
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2024-07-11 10:45:17 -04:00
Eric Forte
ec6038b9d9
Added Schema Check for Data View ID and Index (#3830)
2024-07-09 15:05:12 -04:00
github-actions[bot]
6a28881b5f
Lock versions for releases: 8.9,8.10,8.11,8.12,8.13,8.14 (#3880)
2024-07-09 19:13:24 +05:30
ar3diu
5048bc26bd
[Rule Tuning] Suspicious Inter-Process Communication via Outlook #3803 (#3806)
* Add "by host.id" argument to the sequence command in the rule query.
* Update collection_email_outlook_mailbox_via_com.toml
* Update non-ecs-schema.json
---------
Co-authored-by: Andrei Rediu <andrei.rediu@bit-sentinel.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2024-07-03 10:39:15 -04:00
Terrance DeJesus
99a4d629c9
[New Rule] Entra ID Device Code Auth with Broker Client (#3819)
* new rule 'Entra ID Device Code Auth with Broker Client'
* updated azure integration, non-ecs updated, rule date updated
* updates tags
* updated query to add Azure activity logs
* merging in main
* updated azure manifest and schemas
* updated azure manifest and schemas
* updated index map for summary and changelog
* removed string imports
* reverting packaging.py updates
* adjusted query
* adjusted query to be more optimized
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2024-07-01 10:31:26 -04:00
shashank-elastic
949ceccc0f
Generate Better Index Keys (#3826)
* Generate Better Index Keys
* More Robust index mapping
* Remove unused import
* Remove unused import
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
2024-06-28 13:48:09 -04:00
github-actions[bot]
aef9fe8ec4
Lock versions for releases: 8.9,8.10,8.11,8.12,8.13,8.14 (#3845)
2024-06-28 17:49:18 +05:30
Mika Ayenson
357204e1c5
[FR] Limit historical rules to the latest 2 (#3842)
2024-06-28 06:42:10 -05:00
Jonhnathan
54d5b442cf
[Rule Tuning] Add Initial Microsoft Defender for Endpoint Compatibility to Windows DRs (#3825)
* [Rule Tuning] Add Initial Microsoft Defender for Endpoint Compatibility to Windows DRs
* .
* Update integration-schemas.json.gz
* Fix integration manifests
2024-06-26 11:06:27 -03:00
github-actions[bot]
6f43d1f535
Lock versions for releases: 8.9,8.10,8.11,8.12,8.13,8.14 (#3821)
2024-06-25 17:58:37 +05:30
Mika Ayenson
259efaf716
[FR] Loosen Filters Schema Validation (#3753)
2024-06-18 15:57:14 -05:00
Terrance DeJesus
020ca4be24
[New Rule] Rapid7 Threat Command CVEs Correlation (#3718)
* new rule 'Rapid7 Threat Command CVEs Correlation'
* Update rules/threat_intel/threat_intel_rapid7_threat_command.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
* updated threat index and tags
* changed 'indicator match' to 'threat match' for tags
* removed timeline
* updating integrations to match main
* re-adding rapid7 threat command integration manifest and schema
* reverting changes; removing timeline
* changed max signals to 10000
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
2024-06-12 18:01:44 -04:00
github-actions[bot]
e3a72c6c47
Lock versions for releases: 8.9,8.10,8.11,8.12,8.13,8.14 (#3778)
2024-06-11 20:57:01 +05:30
Ruben Groenewoud
ec223a4a05
[New Rule] Suspicious File Modification (#3746)
* [New Rule] Suspicious File Modification
* Update persistence_suspicious_file_modifications.toml
* Update rules/linux/persistence_suspicious_file_modifications.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/linux/persistence_suspicious_file_modifications.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Updates
* Update rules/integrations/fim/persistence_suspicious_file_modifications.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
2024-06-11 13:03:20 +02:00
shashank-elastic
e357a2c050
Refresh MITRE Attack v15.1.0 (#3725)
2024-06-04 20:14:58 +05:30
github-actions[bot]
259bab7a5a
Lock versions for releases: 8.9,8.10,8.11,8.12,8.13,8.14 (#3716)
2024-05-29 19:48:22 +05:30
Terrance DeJesus
527f785a60
[New Rule] AWS EC2 VPC Security Group Rule Added for Any Address or Remote Access Ports (#3599)
* new rule 'AWS EC2 VPC Security Group Rule Added for Any Address or Remote Access Ports'
* updated rule name
* changed file name; added false-positive note
* changed rule UUID
* adjusted file name
* updated tags
* added investigation guide; updated query logic
* Update rules/integrations/aws/defense_evasion_vpc_security_group_ingress_rule_added_for_remote_connections.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
* updated query and name
* updated query optimization
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
2024-05-28 10:49:20 -04:00
Eric Forte
f43fbfba0d
[FR] Update utility path computation to use pathlib (#3699)
* update
* Updated to pathlib
* Linting
* Add string cast where needed
* Add additional string conversion as needed
* Str conversions to support eql lib
* Attack typo
* Typo in test script
* Updated for more pathlib
* Linting
* Update to convert string to path object
* Fix typo
2024-05-23 17:36:51 -04:00