a6c5cfc418
[Rule Tuning] Optimize query for Query Registry using Built-in Tools ( #3330 )
...
* [Rule Tuning] Optimize query for Query Registry using Built-in Tools
* reduce history window to 7d
* use args vs command_line wildcards
---------
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com >
2023-12-14 19:55:36 -07:00
4b183be124
[Tuning] Suspicious Script Object Execution ( #3339 )
...
* Update defense_evasion_suspicious_scrobj_load.toml
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
2023-12-14 16:49:54 -07:00
07b952b7bc
[Tuning] Remote Scheduled Task Creation ( #3337 )
...
* Update non-ecs-schema.json
* add timestamp override
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
2023-12-14 16:39:52 -07:00
aff7f37b92
[Rule Tuning] Optimize query for Installation of Custom Shim Databases ( #3331 )
...
* [Rule Tuning] Optimize query for Installation of Custom Shim Databases
* add timestamp override
* update query exceptions
* tighten endpoint index pattern to registry
---------
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2023-12-14 15:04:08 -07:00
a7b9a61942
[Rule Tuning] Optimize query for Direct Outbound SMB Connection ( #3329 )
...
* [Rule Tuning] Optimize query for Direct Outbound SMB Connection
---------
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2023-12-14 11:21:46 -07:00
8b2aed4fc0
[Tuning] Suspicious Managed Code Hosting Process ( #3338 )
...
* Update defense_evasion_suspicious_managedcode_host_process.toml
* Update defense_evasion_suspicious_managedcode_host_process.toml
2023-12-14 17:51:35 +00:00
727c23e3d2
[Tuning] Multiple Logon Failure Followed by Logon Success ( #3340 )
...
* Update credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml
* Update credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml
2023-12-14 17:41:06 +00:00
7a4f1224dc
[Rule Tuning] Account Password Reset Remotely ( #3335 )
...
* [Rule Tuning] Account Password Reset Remotely
- reduced maxspan from 5 to 1m (automated pwd reset)
- excluded most common noisy winlog.event_data.TargetUserName patterns (service account dedicated for pwd reset en masse)
* Update persistence_remote_password_reset.toml
2023-12-14 17:22:19 +00:00
9a9f5437f2
Update Advanced Analytics config guides ( #3302 )
...
* Updating config guides for Advanced Analytics rules
* More updates
* Update setup instructions for LMD
* Adding more guides
* update TestRuleTiming unit test to ignore advanced analytic rules
* fixed flake error
* Moving config guides under setup instead of note
* Removing leading and trailing whitespace
* Updates as requested by PM
* Updating related integrations, minor updates to setup guides
* fixing unit tests to ignore analytic packages with multiple integration tags
* Update tests/test_all_rules.py
* fixing linting errors
---------
Co-authored-by: Kirti Kirti <kirti.kirti@elastic.co >
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2023-12-13 07:53:41 -08:00
a39a52360a
Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12 ( #3319 )
...
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12
* Update detection_rules/etc/version.lock.json
---------
Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2023-12-12 13:23:14 -05:00
631f8841ad
updating min-stack for Okta rule ( #3318 )
2023-12-12 12:27:18 -05:00
93d71acb91
[New Rule] Adding Detection for Stolen Credentials Used to Login to Okta Account After MFA Reset ( #3265 )
...
* adding new rule 'Stolen Credentials Used to Login to Okta Account After MFA Reset'
* updated non-ecs; linted rule; updated description
* adjusted interval and maxspan
* Update rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-12-12 10:31:45 -05:00
6f4c323929
[Rule Tuning] Windows DR Tuning - 6 ( #3246 )
...
* [Rule Tuning] Windows DR Tuning - 6
* Update defense_evasion_masquerading_as_elastic_endpoint_process.toml
* Update defense_evasion_network_connection_from_windows_binary.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-12-12 11:37:54 -03:00
90a2043bc4
[FR] 8.12 Release Preparation update Main Branch to 8.13 ( #3313 )
...
* 8.12 Release Prep update Main Branch to 8.13
* Fix typo in integrations
* Updated Schemas
2023-12-11 14:58:06 -05:00
face95058f
[Bug] Use integration schemas for required_field types ( #3303 )
2023-12-11 11:32:38 -06:00
6c614eb102
[Security Content] Add Investigation Guides to Linux Persistence Rules - 1 ( #3288 )
...
* [Security Content] Add IGs to Persistence Rules
* Cleaned query
* IG description fix
* Added related rules
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2023-12-11 13:53:06 +01:00
10f00a3f88
Create new_meta.md ( #3305 )
...
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2023-12-08 14:39:02 -06:00
7514c0a206
[FR] Add Support for ES|QL Rule Type and Remote Validation ( #3281 )
...
* add suuport for esql type
* add unit tests
* set clients in RemoteConnector from auth methods
* thread remote rules; add engine test
* Add versions to remote validation results
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com >
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
2023-12-08 12:46:28 -07:00
aeb1f91320
[Security Content] Introduce Investigate Plugin in Investigation Guides ( #3080 )
...
* [Security Content] Introduce Investigate Plugin in Investigation Guides
* Add compatibility note
* Update Transform format
* update transform unit tests for investigate
* updated docs with transform
---------
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com >
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
2023-12-08 11:54:40 -07:00
eb7c5f6717
[Security Content] Add Windows Investigation Guides ( #3095 )
...
* [Security Content] Add Windows Investigation Guides
* Update defense_evasion_rundll32_no_arguments.toml
* Update persistence_suspicious_image_load_scheduled_task_ms_office.toml
* Update privilege_escalation_posh_token_impersonation.toml
* Apply suggestions from code review
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Update execution_ms_office_written_file.toml
* Update persistence_suspicious_image_load_scheduled_task_ms_office.toml
* Update rules/windows/defense_evasion_rundll32_no_arguments.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/windows/defense_evasion_wsl_enabled_via_dism.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/windows/defense_evasion_wsl_enabled_via_dism.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/windows/defense_evasion_wsl_registry_modification.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/windows/defense_evasion_wsl_registry_modification.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/windows/execution_ms_office_written_file.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/windows/persistence_via_wmi_stdregprov_run_services.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update privilege_escalation_posh_token_impersonation.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
2023-12-08 11:31:16 -03:00
840958d117
[New Rule] Suspicious File Creation via Kworker ( #3237 )
...
* [New Rule] Suspicious File Creation via Kworker
* Update rules/linux/persistence_kworker_file_creation.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-12-07 23:02:00 +01:00
490fa0e1d2
[New Rule] Out-Of-Tree Kernel Module Load ( #3233 )
...
* [New Rule] Out-Of-Tree Kernel Module Load
* Update rules_building_block/persistence_tainted_kernel_module_out_of_tree_load.toml
* Update rules_building_block/persistence_tainted_kernel_module_out_of_tree_load.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules_building_block/persistence_tainted_kernel_module_out_of_tree_load.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules_building_block/persistence_tainted_kernel_module_out_of_tree_load.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-12-07 22:53:21 +01:00
07b1cab919
[New BBR] Pot. Persistence Through Systemd-udevd ( #3235 )
...
* [New BBR] Persistence Through Systemd-udevd
* Formatting change
* Update rules_building_block/persistence_udev_rule_creation.toml
* Update rules_building_block/persistence_udev_rule_creation.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules_building_block/persistence_udev_rule_creation.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-12-07 22:42:29 +01:00
9c61231dc6
[New Rule] UID Elevation from Unknown Executable ( #3239 )
...
* [New Rule] UID Elevation from Unknown Executable
* type change
* bump min stack
* Added additional exclusions
* Update rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-12-07 22:25:01 +01:00
1071b12f00
[New Rule] Suspicious Kworker UID Elevation ( #3238 )
...
* [New Rule] Suspicious Kworker UID Elevation
* Update privilege_escalation_kworker_uid_elevation.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-12-07 20:59:07 +01:00
7070eb3b34
[New] Rare SMB Connection to the Internet ( #3300 )
...
* Create exfiltration_smb_rare_destination.toml
* Update exfiltration_smb_rare_destination.toml
* Update exfiltration_smb_rare_destination.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-12-07 13:10:20 -03:00
1647a16fab
[Rule Tuning] UEBA new_terms process_executable ( #3268 )
...
* [Rule Tuning] UEBA new_terms process_executable
* Update rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-12-07 16:38:08 +01:00
38862b89e9
[Tuning] Small Linux DR Tuning ( #3287 )
2023-12-07 12:45:24 +01:00
7488c60090
[New] Process Created with a Duplicated Token ( #3152 )
...
* [New] Process Created with a Duplicated Token
using `process.Ext.effective_parent.executable` to detect impersonation using token duplicates from windows native binaries to run common lolbins or recently dropped unsigned ones :
* Update privilege_escalation_create_process_with_token_unpriv.toml
* Update privilege_escalation_create_process_with_token_unpriv.toml
* Update rules/windows/privilege_escalation_create_process_with_token_unpriv.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update privilege_escalation_create_process_with_token_unpriv.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-12-07 08:20:30 -03:00
a4ad0b6a24
Fix syntax error in query ( #3285 )
...
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-12-07 07:49:18 -03:00
5e1546c57c
[Rule Tuning] Multiple Users with the Same Okta Device Token Hash ( #3304 )
...
* tuning rule; adding investigation guide
* updated MITRE ATT&CK
* updated file name
* Updating description
* updated investigation guide
* fixed ATT&CK mappings; updated tags
2023-12-06 10:35:46 -05:00
e5d676797e
[Rule Tuning] Windows DR Tuning - 5 ( #3229 )
...
* [Rule Tuning] Windows DR Tuning - 5
* .
* Revert changes BehaviorOnFailedVerify
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-12-05 19:20:40 -03:00
e6df245ff3
[New] Interactive Logon by an Unusual Process ( #3299 )
...
* Create privilege_escalation_make_token_local.toml
* Update privilege_escalation_make_token_local.toml
* Update privilege_escalation_make_token_local.toml
2023-12-05 17:34:10 +00:00
5358361754
Adjust ESQLRuleData to Inherit QueryRuleData Dataclass ( #3297 )
...
* adjusting inheritance of ESQL rule data
* update tests to handle missing index from QueryRuleData
* removed test es|ql rule
---------
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com >
2023-11-30 09:06:34 -05:00
f7b9a1f8df
Update QueryRuleData ( #3294 )
2023-11-29 09:43:04 -06:00
bc39c20eaf
FR] Add Core Support for ES|QL Rule Type ( #3292 )
2023-11-28 13:03:09 -06:00
ba7b2722c2
Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11 ( #3291 )
...
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11
* Update detection_rules/etc/version.lock.json
---------
Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2023-11-28 12:30:55 -05:00
1f47e3c1a9
[New Rule] Okta FastPass Phishing ( #2782 )
...
* Create initial_access_fastpass_phishing.toml
* Rename initial_access_fastpass_phishing.toml to initial_access_okta_fastpass_phishing.toml
* Update initial_access_okta_fastpass_phishing.toml
* Update initial_access_okta_fastpass_phishing.toml
* Update initial_access_okta_fastpass_phishing.toml
* Update initial_access_okta_fastpass_phishing.toml
* Update initial_access_okta_fastpass_phishing.toml
* Update initial_access_okta_fastpass_phishing.toml
* Update initial_access_okta_fastpass_phishing.toml
* Update initial_access_okta_fastpass_phishing.toml
* Update initial_access_okta_fastpass_phishing.toml
* Update initial_access_okta_fastpass_phishing.toml
* Update initial_access_okta_fastpass_phishing.toml
* Update initial_access_okta_fastpass_phishing.toml
* Update rules/integrations/okta/initial_access_okta_fastpass_phishing.toml
* Update rules/integrations/okta/initial_access_okta_fastpass_phishing.toml
* Update rules/integrations/okta/initial_access_okta_fastpass_phishing.toml
* Update rules/integrations/okta/initial_access_okta_fastpass_phishing.toml
* Update rules/integrations/okta/initial_access_okta_fastpass_phishing.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2023-11-28 09:26:16 -05:00
e6fef85899
[New Rule] Okta MFA Bombing Attempt ( #3278 )
...
* new rule 'Potential Okta MFA Bombing via Push Notifications'
* updated naming
* TOML lint
* adjusted duplicate rule ID
* added event category override; added until sequence statement
* added verify authentication success
* moved setup to separate field
* enhanced query optimization
2023-11-28 09:16:20 -05:00
69cb2f6fc6
[New Rule] Adding Detection for Multiple Okta Users with the Same Device Token Hash ( #3267 )
...
* added new rule 'Multiple Okta Users with the Same Device Token Hash'
* moved rule to okta integration folder
* adjusted query to be optimized
* added false positive comment
* Update rules/integrations/okta/initial_access_multiple_active_users_from_single_device.toml
2023-11-27 19:23:38 -05:00
0578bd4caa
[New Rule] Threshold Detections for Okta User Sessions and Client Addresses ( #3263 )
...
* new Okta threshold rules for client addresses and sessions
* adjusting references
* Update rules/integrations/okta/initial_access_multiple_client_addresses_with_single_okta_session.toml
* Update rules/integrations/okta/initial_access_multiple_client_addresses_with_single_okta_session.toml
* Update rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml
* Update rules/integrations/okta/initial_access_multiple_client_addresses_with_single_okta_session.toml
* Update rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Update rules/integrations/okta/initial_access_multiple_client_addresses_with_single_okta_session.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Update rules/integrations/okta/initial_access_multiple_client_addresses_with_single_okta_session.toml
* Update rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml
* Update rules/integrations/okta/initial_access_multiple_client_addresses_with_single_okta_session.toml
* Update rules/integrations/okta/initial_access_multiple_client_addresses_with_single_okta_session.toml
* Update rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml
* Update rules/integrations/okta/initial_access_multiple_client_addresses_with_single_okta_session.toml
* Update rules/integrations/okta/initial_access_multiple_client_addresses_with_single_okta_session.toml
* Update rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2023-11-27 19:03:06 -05:00
8eeb95f545
[New Rule] Detection for Okta Sign-In Events via Third-Party IdP ( #3259 )
...
* adding new rule 'Okta Sign-In Events via Third-Party IdP'
* fix creation date
* fixed query efficiency
* added investigation guide
* Update rules/integrations/okta/initial_access_sign_in_events_via_third_party_idp.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2023-11-27 18:31:27 -05:00
73288af642
adding new rule 'New Okta Identity Provider (IdP) Added by Admin' ( #3258 )
2023-11-27 18:06:54 -05:00
8321cfe018
[New Rule] Adding Detection for First Occurrence of Okta User Session Started via Proxy ( #3261 )
...
* new rule 'First Occurrence of Okta User Session Started via Proxy'
* Update rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml
* Update rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml
* Update rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml
* Update rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml
2023-11-27 17:50:13 -05:00
f19506f3a2
[New Rule] Adding Detection for New Okta Authentication Behavior ( #3260 )
...
* new rule 'New Okta Authentication Behavior Detected'
* Update rules/integrations/okta/initial_access_new_authentication_behavior_detection.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2023-11-27 17:39:10 -05:00
88f752bf8b
[New] First Time Seen NewCredentials Lgon Process ( #3276 )
...
* Create privilege_escalation_newcreds_logon_rare_process.toml
* Update privilege_escalation_newcreds_logon_rare_process.toml
* Update privilege_escalation_newcreds_logon_rare_process.toml
* Update privilege_escalation_newcreds_logon_rare_process.toml
* Update rules/windows/privilege_escalation_newcreds_logon_rare_process.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2023-11-27 18:37:15 +00:00
7854081cc0
Setup Guide information for MacOS rules ( #3274 )
2023-11-22 20:18:22 +05:30
832ee02aed
[New Rule] Adding Detection Logic for Okta User Sessions Started from Different Geolocations ( #3279 )
...
* new rule 'Okta User Sessions Started from Different Geolocations'
* Update rules/integrations/okta/initial_access_okta_user_sessions_started_from_different_geolocations.toml
2023-11-21 17:32:09 -05:00
93ad4b0959
Add UEBA Tag ( #3277 )
2023-11-20 13:51:13 -06:00
66c1d7f3b4
[Bug] Fix typo in downgrade_contents_from_rule ( #3272 )
...
* Fix missing to_dict()
* Update pyproject.toml
2023-11-14 23:06:04 -05:00
Justin Ibarra