* add RDS instance deletion to aws rule
I've added to this rule to improve coverage. Currently we detect creation and stopping of RDS clusters and instances. But, we only detect for the deletion of clusters, not instances. This adds the deletion of RDS instances to the detection.
* Update rules/integrations/aws/impact_rds_instance_cluster_deletion.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit 9640ecb3fe)
* Update persistence_ec2_security_group_configuration_change_detection
Rule does not trigger as expected due to 'iam' provider. I changed the specified provider to 'ec2'.
* update to improve rule coverage
I edited this rule to include the deletion of an RDS Instance. This fills a current gap in coverage as we are able to detect the creation and stopping of RDS instances and clusters, but only detect deletion of RDS clusters.
* Revert "update to improve rule coverage"
This reverts commit b3b094274fe13c56908aa6781c8236de6e3b5380.
(cherry picked from commit 5073ef8be7)
* add rule type to the rule lock_info
* add check in VersionLock; add type to version.lock
* print changes only on save
(cherry picked from commit 11ec9c230e)
* save changes to top level for route C; verbose prints
* update top level on forked rule without overriding min_stack_version
* add check to ensure previous version !> current
(cherry picked from commit f4c94af994)
* Ensure kql2eql conversion doesnt support `text` fields
* Add unit test cases for`text` not supported in eql
* test `field not recognized` in the rule_validator and output a verbose message.
* use elasticsearch_type_family to lookup text mappings
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit 1f015ebe85)
* Adding event.provider
* Removing new line
* Updating updated_date field
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
(cherry picked from commit 2ed97d2e8c)
* fixed duplicated file name
* deprecated Symbolic Link to Shadow Copy Created as it may be prone to FP and the intrusion steps are covered with NTDS or SAM Database File Copied
* moved rule back to production, added investigation notes and sequencing to EQL query
* added related rule 3bc6deaa-fbd4-433a-ae21-3e892f95624f to investigation notes
* updating with minor changes
* adjusted related rules
* adjusted investigation notes
* Update rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* TOML linted and adjusted updated date
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
(cherry picked from commit 096723b2a1)
* update beats master branch ref to main
* update filename of master beat schema to main
* delete old main beats schema
* rebuilt main beats archive
(cherry picked from commit 84b7ce6582)
Justin Ibarra