03db89e733
[New Rule] Azure Active Directory High Risk User AtRisk or Confirmed ( #1579 )
...
* Create initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml
* Update initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml
* Update initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml
* Update initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml
* Update rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit 3dd32608a0
2021-11-17 22:39:09 +00:00
cb3d90040e
[Bug] Tighten definitions validation patterns ( #1396 )
...
* [Bug] Anchor validation patterns
* Deprecate rule with invalid rule_id and duplicate as new one
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
(cherry picked from commit ab17dfcc28
2021-10-26 15:27:32 +00:00
5ca067e3e3
Add missing Integration field ( #1537 )
...
* Add missing Integration field
* Bump updated_date
* Add test for integration<->path
* Fix rule folder
* bump updated date in rule
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com >
(cherry picked from commit 4524c175c8
2021-10-26 15:06:32 +00:00
ba09596949
[New Rule] AWS Route Table Created ( #1257 )
...
* Update impact_iam_deactivate_mfa_device.toml
https://github.com/elastic/detection-rules/issues/1111
* Update impact_iam_deactivate_mfa_device.toml
* Update discovery_post_exploitation_external_ip_lookup.toml
"*ipapi.co",
"*ip-lookup.net",
"*ipstack.com"
* Update rules/aws/impact_iam_deactivate_mfa_device.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Revert "Update discovery_post_exploitation_external_ip_lookup.toml"
This reverts commit b57fd60c9511e20a336d32a9c9b8d5cf9954c50e.
* Update
* New Rule: Okta User Attempted Unauthorized Access
* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml
* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml
* Delete privilege_escalation_okta_user_attempted_unauthorized_access.toml
* Create persistence_new-or-modified-federation-domain.toml
* Delete persistence_new-or-modified-federation-domain.toml
* Create persistence_route_table_created.toml
* Update persistence_route_table_created.toml
* Update rules/persistence_route_table_created.toml
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
* Update persistence_route_table_created.toml
* Update .gitignore
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update persistence_route_table_created.toml
* Update
* Update
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
(cherry picked from commit 89553d84a9
2021-10-26 13:26:56 +00:00
a28bb7961a
Add min_stack_comments to metadata schema ( #1573 )
...
* Add min_stack_comments to metadata schema
(cherry picked from commit 5bdf70e72c
2021-10-20 04:53:52 +00:00
db54ea7467
[New Rule] AWS EventBridge Rule Disabled or Deleted ( #1572 )
...
* Create aws_eventbridge_rule_disabled_or_deleted.toml
* Update aws_eventbridge_rule_disabled_or_deleted.toml
* Update aws_eventbridge_rule_disabled_or_deleted.toml
* Update aws_eventbridge_rule_disabled_or_deleted.toml
* Update rules/integrations/aws/aws_eventbridge_rule_disabled_or_deleted.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/integrations/aws/aws_eventbridge_rule_disabled_or_deleted.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update aws_eventbridge_rule_disabled_or_deleted.toml
* Rename aws_eventbridge_rule_disabled_or_deleted.toml to impact_aws_eventbridge_rule_disabled_or_deleted.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
(cherry picked from commit 3ab67d1562
2021-10-18 18:37:29 +00:00
66f447cfff
[New Rule] AWS EFS File System or Mount Deleted ( #1462 )
...
* AWS EFS File System or Mount Deleted
* Update impact_efs_filesystem_or_mount_deleted.toml
* Update rules/integrations/aws/impact_efs_filesystem_or_mount_deleted.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update impact_efs_filesystem_or_mount_deleted.toml
* Update impact_efs_filesystem_or_mount_deleted.toml
* Update impact_efs_filesystem_or_mount_deleted.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
(cherry picked from commit 2c39bb962f
2021-10-16 02:24:00 +00:00
1771e33876
[New Rule] AWS Suspicious SAML Activity ( #1498 )
...
* Create privilege_escalation_aws_suspicious_saml_activity.toml
* Update privilege_escalation_aws_suspicious_saml_activity.toml
* Update privilege_escalation_aws_suspicious_saml_activity.toml
* Update privilege_escalation_aws_suspicious_saml_activity.toml
* Update privilege_escalation_aws_suspicious_saml_activity.toml
* Update privilege_escalation_aws_suspicious_saml_activity.toml
* Update privilege_escalation_aws_suspicious_saml_activity.toml
* Update privilege_escalation_aws_suspicious_saml_activity.toml
* Update privilege_escalation_aws_suspicious_saml_activity.toml
* Add trailing /
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
(cherry picked from commit 702524b1f7
2021-10-16 02:12:06 +00:00
b090e60bd6
[New Rule] Azure Full Network Packet Capture Detected ( #1420 )
...
* Create defense_evasion_virtual_network_device_modified.toml
* Update defense_evasion_virtual_network_device_modified.toml
* Update defense_evasion_virtual_network_device_modified.toml
* Update defense_evasion_virtual_network_device_modified.toml
* Update defense_evasion_virtual_network_device_modified.toml
* Update defense_evasion_virtual_network_device_modified.toml
* Delete defense_evasion_virtual_network_device_modified.toml
* Create exfiltration_azure_full_network_packet_capture_detected.toml
* Update exfiltration_azure_full_network_packet_capture_detected.toml
* Update exfiltration_azure_full_network_packet_capture_detected.toml
* Update exfiltration_azure_full_network_packet_capture_detected.toml
* Update exfiltration_azure_full_network_packet_capture_detected.toml
* Update exfiltration_azure_full_network_packet_capture_detected.toml
* Update exfiltration_azure_full_network_packet_capture_detected.toml
* Update exfiltration_azure_full_network_packet_capture_detected.toml
* Update exfiltration_azure_full_network_packet_capture_detected.toml
* Update rules/integrations/azure/exfiltration_azure_full_network_packet_capture_detected.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/integrations/azure/exfiltration_azure_full_network_packet_capture_detected.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update exfiltration_azure_full_network_packet_capture_detected.toml
* Update exfiltration_azure_full_network_packet_capture_detected.toml
* Rename exfiltration_azure_full_network_packet_capture_detected.toml to credential_access_azure_full_network_packet_capture_detected.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
(cherry picked from commit 50501bb40f
2021-10-16 02:07:22 +00:00
69dbb5f655
[New Rule] Azure Virtual Network Device Modified or Deleted ( #1421 )
...
* Create defense_evasion_virtual_network_device_modified.toml
* Update defense_evasion_virtual_network_device_modified.toml
* Update defense_evasion_virtual_network_device_modified.toml
* Update defense_evasion_virtual_network_device_modified.toml
* Update defense_evasion_virtual_network_device_modified.toml
* Update defense_evasion_virtual_network_device_modified.toml
* Delete defense_evasion_virtual_network_device_modified.toml
* Create defense_evasion_virtual_network_device_modified.toml
* Update defense_evasion_virtual_network_device_modified.toml
* Update rules/integrations/azure/defense_evasion_virtual_network_device_modified.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/integrations/azure/defense_evasion_virtual_network_device_modified.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update defense_evasion_virtual_network_device_modified.toml
* Update rules/integrations/azure/defense_evasion_virtual_network_device_modified.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Rename defense_evasion_virtual_network_device_modified.toml to impact_virtual_network_device_modified.toml
* fix description
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
(cherry picked from commit 790586fb57
2021-10-15 19:12:07 +00:00
af3571ea6e
[New Rule] Azure Kubernetes Pods Deleted ( #1309 )
...
* Create impact_kubernetes_pod_deleted.toml
* Update impact_kubernetes_pod_deleted.toml
* Update
* Update impact_kubernetes_pod_deleted.toml
* quote value in query
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
(cherry picked from commit 761df5fe84
2021-10-15 19:08:48 +00:00
ecc65a28bc
[New Rule] AWS RDS Snapshot Restored ( #1312 )
...
* Create exfiltration_rds_snapshot_restored.toml
* Update exfiltration_rds_snapshot_restored.toml
* Delete exfiltration_rds_snapshot_restored.toml
* Create exfiltration_rds_snapshot_restored.toml
* Update
* Update rules/integrations/aws/exfiltration_rds_snapshot_restored.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/integrations/aws/exfiltration_rds_snapshot_restored.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update exfiltration_rds_snapshot_restored.toml
* Update exfiltration_rds_snapshot_restored.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
(cherry picked from commit dc980effb0
2021-10-15 19:06:07 +00:00
8c2c6ea6ec
[New Rule] Microsoft 365 - Mass download by a single user ( #1348 )
...
* Create impact_microsoft_365_mass_download_by_a_single_user.toml
* Update impact_microsoft_365_mass_download_by_a_single_user.toml
* Update impact_microsoft_365_mass_download_by_a_single_user.toml
* Update impact_microsoft_365_mass_download_by_a_single_user.toml
* Update impact_microsoft_365_mass_download_by_a_single_user.toml
* Update impact_microsoft_365_mass_download_by_a_single_user.toml
* Update
* Update impact_microsoft_365_mass_download_by_a_single_user.toml
* Update impact_microsoft_365_mass_download_by_a_single_user.toml
* Update rules/integrations/o365/impact_microsoft_365_mass_download_by_a_single_user.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update impact_microsoft_365_mass_download_by_a_single_user.toml
* Update impact_microsoft_365_mass_download_by_a_single_user.toml
* Update rules/integrations/o365/impact_microsoft_365_mass_download_by_a_single_user.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
(cherry picked from commit 3303a4e255
2021-10-15 19:02:52 +00:00
9021db6188
[New Rule] AWS Route53 hosted zone associated with a VPC ( #1365 )
...
* Create persistence_route_53_hosted_zone_associated_with_a_vpc.toml
* Update
* Update rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update persistence_route_53_hosted_zone_associated_with_a_vpc.toml
* Update persistence_route_53_hosted_zone_associated_with_a_vpc.toml
* Update persistence_route_53_hosted_zone_associated_with_a_vpc.toml
* Update persistence_route_53_hosted_zone_associated_with_a_vpc.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
(cherry picked from commit 90504915ad
2021-10-15 19:01:20 +00:00
25733e1d67
[New Rule] AWS STS AssumeRole Usage ( #1214 )
...
* Update impact_iam_deactivate_mfa_device.toml
https://github.com/elastic/detection-rules/issues/1111
* Update impact_iam_deactivate_mfa_device.toml
* Update discovery_post_exploitation_external_ip_lookup.toml
"*ipapi.co",
"*ip-lookup.net",
"*ipstack.com"
* Update rules/aws/impact_iam_deactivate_mfa_device.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Revert "Update discovery_post_exploitation_external_ip_lookup.toml"
This reverts commit b57fd60c9511e20a336d32a9c9b8d5cf9954c50e.
* Update
* New Rule: Okta User Attempted Unauthorized Access
* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml
* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml
* Delete privilege_escalation_okta_user_attempted_unauthorized_access.toml
* Create persistence_new-or-modified-federation-domain.toml
* Delete persistence_new-or-modified-federation-domain.toml
* Create lateral_movement_sts_assumerole_abuse.toml
* Rename lateral_movement_sts_assumerole_abuse.toml to privilege_escalation_sts_assumerole_abuse.toml
* Update privilege_escalation_sts_assumerole_abuse.toml
* Update privilege_escalation_sts_assumerole_abuse.toml
* Update privilege_escalation_sts_assumerole_abuse.toml
* Update
* Update .gitignore
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update privilege_escalation_sts_assumerole_abuse.toml
* Update privilege_escalation_sts_assumerole_abuse.toml
* Update privilege_escalation_sts_assumerole_abuse.toml
* Update and rename privilege_escalation_sts_assumerole_abuse.toml to privilege_escalation_sts_assumerole_usage.toml
* Update rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Add note field
* Update privilege_escalation_sts_assumerole_usage.toml
* Update rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Adding Reference
* Expand STS
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
(cherry picked from commit d7eab5bbf3
2021-10-15 18:57:13 +00:00
8bb2d27451
[New Rule] GCP Kubernetes Rolebindings Created or Patched ( #1267 )
...
* Update impact_iam_deactivate_mfa_device.toml
https://github.com/elastic/detection-rules/issues/1111
* Update impact_iam_deactivate_mfa_device.toml
* Update discovery_post_exploitation_external_ip_lookup.toml
"*ipapi.co",
"*ip-lookup.net",
"*ipstack.com"
* Update rules/aws/impact_iam_deactivate_mfa_device.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Revert "Update discovery_post_exploitation_external_ip_lookup.toml"
This reverts commit b57fd60c9511e20a336d32a9c9b8d5cf9954c50e.
* Update
* New Rule: Okta User Attempted Unauthorized Access
* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml
* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml
* Delete privilege_escalation_okta_user_attempted_unauthorized_access.toml
* Create persistence_new-or-modified-federation-domain.toml
* Delete persistence_new-or-modified-federation-domain.toml
* Create credential_access_gcp_kubernetes_rolebindings_creation.toml
* Update credential_access_gcp_kubernetes_rolebindings_creation.toml
* Update credential_access_gcp_kubernetes_rolebindings_creation.toml
* Update credential_access_gcp_kubernetes_rolebindings_creation.toml
* Update credential_access_gcp_kubernetes_rolebindings_creation.toml
* Update credential_access_gcp_kubernetes_rolebindings_creation.toml
* Update credential_access_gcp_kubernetes_rolebindings_creation.toml
* Update
* Update .gitignore
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/integrations/gcp/credential_access_gcp_kubernetes_rolebindings_creation.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update credential_access_gcp_kubernetes_rolebindings_creation.toml
* Update credential_access_gcp_kubernetes_rolebindings_creation.toml
* Update and rename credential_access_gcp_kubernetes_rolebindings_creation.toml to credential_access_gcp_kubernetes_rolebindings_created_or_patched.toml
* Update credential_access_gcp_kubernetes_rolebindings_created_or_patched.toml
* Update credential_access_gcp_kubernetes_rolebindings_created_or_patched.toml
* Rename credential_access_gcp_kubernetes_rolebindings_created_or_patched.toml to privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.toml
* remove space from query
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit 27ba204f1c
2021-10-15 18:43:23 +00:00
8f55556006
[New Rule] Azure Blob Permissions Modification ( #1499 )
...
* Create defense_evasion_azure_blob_permissions_modified.toml
* Update defense_evasion_azure_blob_permissions_modified.toml
* Update defense_evasion_azure_blob_permissions_modified.toml
* Update description and query (spacing)
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
(cherry picked from commit 7123d46623
2021-10-14 10:00:28 +00:00
358585b2c1
[New Rule] Azure Kubernetes Events Deleted ( #1307 )
...
* Create defense_evasion_kubernetes_events_deleted.toml
* Update defense_evasion_kubernetes_events_deleted.toml
* Update defense_evasion_kubernetes_events_deleted.toml
* Update
* Update defense_evasion_kubernetes_events_deleted.toml
* Update defense_evasion_kubernetes_events_deleted.toml
* Update defense_evasion_kubernetes_events_deleted.toml
* Update rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Add quotes to azure query field
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit 3d15c2072d
2021-10-14 09:58:32 +00:00
76a60c5ca8
[New Rule] Microsoft 365 - Impossible travel activity ( #1344 )
...
* Create initial_access_microsoft_365_impossible_travel_activity.toml
* Update initial_access_microsoft_365_impossible_travel_activity.toml
* Update initial_access_microsoft_365_impossible_travel_activity.toml
* Update initial_access_microsoft_365_impossible_travel_activity.toml
* Update initial_access_microsoft_365_impossible_travel_activity.toml
* Update initial_access_microsoft_365_impossible_travel_activity.toml
* Update initial_access_microsoft_365_impossible_travel_activity.toml
* Updated Directory
* Update initial_access_microsoft_365_impossible_travel_activity.toml
* Update rules/integrations/o365/initial_access_microsoft_365_impossible_travel_activity.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update initial_access_microsoft_365_impossible_travel_activity.toml
* Update initial_access_microsoft_365_impossible_travel_activity.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
(cherry picked from commit 11fa592c6f
2021-10-12 22:12:31 +00:00
76ca7f5fc9
[New Rule] Microsoft 365 - User Restricted from Sending Email ( #1345 )
...
* Create initial_access_microsoft_365_user_restricted_from_sending_email.toml
* Update initial_access_microsoft_365_user_restricted_from_sending_email.toml
* Update
* Update initial_access_microsoft_365_user_restricted_from_sending_email.toml
* Update rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update initial_access_microsoft_365_user_restricted_from_sending_email.toml
* Update initial_access_microsoft_365_user_restricted_from_sending_email.toml
* Update initial_access_microsoft_365_user_restricted_from_sending_email.toml
* Fix technique
* update description and FP
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit c8ac37957d
2021-10-12 21:34:01 +00:00
b4d584fbc6
[New Rule] Microsoft 365 - Potential ransomware activity ( #1346 )
...
* Create impact_microsoft_365_potential_ransomware_activity.toml
* Update impact_microsoft_365_potential_ransomware_activity.toml
* Update impact_microsoft_365_potential_ransomware_activity.toml
* Update
* Update impact_microsoft_365_potential_ransomware_activity.toml
* Update rules/integrations/o365/impact_microsoft_365_potential_ransomware_activity.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update impact_microsoft_365_potential_ransomware_activity.toml
* Update impact_microsoft_365_potential_ransomware_activity.toml
* bump to prod
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit 98c217ece9
2021-10-12 21:27:11 +00:00
088c8a8354
[New Rule] AWS Route Table Modified or Deleted ( #1258 )
...
* Update impact_iam_deactivate_mfa_device.toml
https://github.com/elastic/detection-rules/issues/1111
* Update impact_iam_deactivate_mfa_device.toml
* Update discovery_post_exploitation_external_ip_lookup.toml
"*ipapi.co",
"*ip-lookup.net",
"*ipstack.com"
* Update rules/aws/impact_iam_deactivate_mfa_device.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Revert "Update discovery_post_exploitation_external_ip_lookup.toml"
This reverts commit b57fd60c9511e20a336d32a9c9b8d5cf9954c50e.
* Update
* New Rule: Okta User Attempted Unauthorized Access
* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml
* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml
* Delete privilege_escalation_okta_user_attempted_unauthorized_access.toml
* Create persistence_new-or-modified-federation-domain.toml
* Delete persistence_new-or-modified-federation-domain.toml
* Create persistence_route_table_modified_or_deleted.toml
* Update persistence_route_table_modified_or_deleted.toml
* Update persistence_route_table_modified_or_deleted.toml
* Update
* Update .gitignore
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update persistence_route_table_modified_or_deleted.toml
* Update persistence_route_table_modified_or_deleted.toml
* Update persistence_route_table_modified_or_deleted.toml
* remove space from query
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit 82e72a956b
2021-10-12 18:17:56 +00:00
bd7616e912
[New Rule] AWS ElastiCache Security Group Created ( #1363 )
...
* Create persistence_elasticache_security_group_creation.toml
* Update
* Update rules/integrations/aws/persistence_elasticache_security_group_creation.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Rename persistence_elasticache_security_group_creation.toml to defense_evasion_elasticache_security_group_creation.toml
* Update defense_evasion_elasticache_security_group_creation.toml
* Update defense_evasion_elasticache_security_group_creation.toml
* Re-add rule.threat
* Update rules/integrations/aws/defense_evasion_elasticache_security_group_creation.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* remove extra space from query
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit 9508002bb3
2021-10-05 17:01:33 +00:00
bd8eeae6ca
Made these pull requests before the directory restructure. ( #1517 )
...
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit 3b0d2006b7
2021-10-05 12:30:40 +00:00
29d1ee4ae5
[Rule Tuning] AWS RDS Snapshot Export and AWS RDS Instance Created ( #1514 )
...
(cherry picked from commit 0a3c44e8db
2021-10-04 21:32:40 +00:00
c2fc2af03b
[New Rule] AWS ElastiCache Security Group Modified or Deleted ( #1364 )
...
* Create impact_aws_elasticache_security_group_modified_or_deleted.toml
* Rename impact_aws_elasticache_security_group_modified_or_deleted.toml to impact_elasticache_security_group_modified_or_deleted.toml
* Update impact_elasticache_security_group_modified_or_deleted.toml
* Update
* Update rules/integrations/aws/impact_elasticache_security_group_modified_or_deleted.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update impact_elasticache_security_group_modified_or_deleted.toml
* Update impact_elasticache_security_group_modified_or_deleted.toml
* Rename impact_elasticache_security_group_modified_or_deleted.toml to defense_evasion_elasticache_security_group_modified_or_deleted.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit f41714642c
2021-10-04 18:39:40 +00:00
8033c0a260
Rename new_or_modified_federation_domain.toml to correspond with tactic ( #1511 )
...
(cherry picked from commit ba9c01be50
2021-09-30 21:09:35 +00:00
ed57d46d15
[Rule Tuning] Small update on rule descriptions ( #1508 )
...
(cherry picked from commit 5e4a7e67df
2021-09-30 20:55:18 +00:00
09f49da822
[New Rule] Azure Frontdoor Web Application Firewall (WAF) Policy Deleted ( #1393 )
...
(cherry picked from commit d28c48f20f
2021-09-29 17:09:18 +00:00
ba458dea13
[New Rule] New or Modified Federation Domain ( #1212 )
...
* Update impact_iam_deactivate_mfa_device.toml
https://github.com/elastic/detection-rules/issues/1111
* Update impact_iam_deactivate_mfa_device.toml
* Update discovery_post_exploitation_external_ip_lookup.toml
"*ipapi.co",
"*ip-lookup.net",
"*ipstack.com"
* Update rules/aws/impact_iam_deactivate_mfa_device.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Revert "Update discovery_post_exploitation_external_ip_lookup.toml"
This reverts commit b57fd60c9511e20a336d32a9c9b8d5cf9954c50e.
* Update
* New Rule: Okta User Attempted Unauthorized Access
* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml
* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml
* Delete privilege_escalation_okta_user_attempted_unauthorized_access.toml
* Create persistence_new-or-modified-federation-domain.toml
* Delete persistence_new-or-modified-federation-domain.toml
* Create persistence_new-or-modified-federation-domain.toml
* Rename persistence_new-or-modified-federation-domain.toml to persistence_new_or_modified_federation_domain.toml
* Update persistence_new_or_modified_federation_domain.toml
* Update .gitignore
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/microsoft-365/persistence_new_or_modified_federation_domain.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/microsoft-365/persistence_new_or_modified_federation_domain.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update persistence_new_or_modified_federation_domain.toml
* Update persistence_new_or_modified_federation_domain.toml
* Update persistence_new_or_modified_federation_domain.toml
* Update
* Update persistence_new_or_modified_federation_domain.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit a51ed86851
2021-09-29 12:17:22 +00:00
216d06ef30
[New Rule] AWS STS GetSessionToken Abuse ( #1213 )
...
* Update impact_iam_deactivate_mfa_device.toml
https://github.com/elastic/detection-rules/issues/1111
* Update impact_iam_deactivate_mfa_device.toml
* Update discovery_post_exploitation_external_ip_lookup.toml
"*ipapi.co",
"*ip-lookup.net",
"*ipstack.com"
* Update rules/aws/impact_iam_deactivate_mfa_device.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Revert "Update discovery_post_exploitation_external_ip_lookup.toml"
This reverts commit b57fd60c9511e20a336d32a9c9b8d5cf9954c50e.
* Update
* New Rule: Okta User Attempted Unauthorized Access
* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml
* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml
* Delete privilege_escalation_okta_user_attempted_unauthorized_access.toml
* Create persistence_new-or-modified-federation-domain.toml
* Delete persistence_new-or-modified-federation-domain.toml
* Create lateral_movement_sts_getsessiontoken_abuse.toml
* Rename lateral_movement_sts_getsessiontoken_abuse.toml to privilege_escalation_sts_getsessiontoken_abuse.toml
* Update privilege_escalation_sts_getsessiontoken_abuse.toml
* Update rules/aws/privilege_escalation_sts_getsessiontoken_abuse.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update .gitignore
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update privilege_escalation_sts_getsessiontoken_abuse.toml
* Update privilege_escalation_sts_getsessiontoken_abuse.toml
* Update
* Update rules/integrations/aws/privilege_escalation_sts_getsessiontoken_abuse.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
(cherry picked from commit 93b8038d7d
2021-09-22 19:29:04 +00:00
98735808ab
[Rule Tuning] Fix typos in rule metadata ( #1494 )
...
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
(cherry picked from commit 8e3b1d28c4
2021-09-21 19:32:05 +00:00
c864538606
[rule-tuning] Adding more context with triage/investigation ( #1481 )
...
* [rule-tuning] Adding more context with triage/investigation
* Adding mimikatz rule
* Fixed updated date on mimikatz rule
* Adding Defender update
* Adding scheduled task
* Adding AdFind
* Adding rare process
* Adding cloudtrail country
* Adding cloudtrail spike
* Adding threat intel
* Fixed minor spelling/syntax
* Fixed minor spelling/syntax p2
* Update rules/cross-platform/threat_intel_module_match.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/integrations/aws/ml_cloudtrail_error_message_spike.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/ml/ml_rare_process_by_host_windows.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/credential_access_mimikatz_powershell_module.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/credential_access_mimikatz_powershell_module.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/discovery_adfind_command_activity.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/discovery_adfind_command_activity.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/discovery_adfind_command_activity.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/discovery_adfind_command_activity.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/discovery_adfind_command_activity.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/discovery_adfind_command_activity.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Removed MITRE link, added Microsoft
* Update ml_cloudtrail_error_message_spike.toml
* Update ml_cloudtrail_rare_method_by_country.toml
* Update ml_rare_process_by_host_windows.toml
* Update credential_access_mimikatz_powershell_module.toml
* Update defense_evasion_defender_exclusion_via_powershell.toml
* Update discovery_adfind_command_activity.toml
* Update lateral_movement_dns_server_overflow.toml
* Update lateral_movement_scheduled_task_target.toml
* Update persistence_evasion_registry_startup_shell_folder_modified.toml
* Update defense_evasion_defender_exclusion_via_powershell.toml
* Update lateral_movement_scheduled_task_target.toml
* Update persistence_evasion_registry_startup_shell_folder_modified.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit 9ff3873ee7
2021-09-16 01:08:23 +00:00
2ef59e918f
Revert #1440 new endpoint promotion rule ( #1470 )
...
* Revert #1440 new endpoint promotion rule
* Set the updated_at date
Removed changes from:
- rules/integrations/endpoint/elastic_endpoint_security_behavior_protection.toml
(selectively cherry picked from commit c9d6527280
2021-09-03 14:08:22 +00:00
20a814c47f
[Rule tuning] Azure Active Directory High Risk Sign-in ( #1463 )
...
* Add Aggregated Risk Level
* There can be a risk_level_during_signin:low but have a risk_level_aggregated:high which is also just as concerning and must be alerted on.
* An example is a password spray attack and have a successful login. Which makes me consider a new rule for interesting risk event types
(cherry picked from commit 8b2c8c2e03
2021-08-30 22:34:47 +00:00
1f7c404548
Remove the 7.15+ behavior protection promotion rule
2021-08-26 08:51:38 -06:00
34ab6c81d3
[New Rule] Endpoint Security Behavior Protection ( #1440 )
...
* [New Rule] Endpoint Security Behavioral Protection
* Update readme and labeler for endpoint integration
* Fix new rule to use event.code
* Fix old rule to use event.code
* Changed from behavioral to behavior
* Rename elastic_endpoint_security_behavioral.toml to elastic_endpoint_security_behavior_protection.toml
* Back from the future (updated_date)
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
(cherry picked from commit 3b338baab0
2021-08-25 15:58:03 +00:00
94190321c1
[Rule Tuning] AWS Security Group Configuration Change Detection ( #1426 )
...
* move rule "AWS Security Group Configuration Change Detection" to integrations directory and add "aws" integration
(cherry picked from commit 3b29498907
2021-08-15 04:35:07 +00:00
742253c61d
[Rule tuning] Revise rule description and other text ( #1398 )
...
(cherry picked from commit f8f643041a
2021-08-03 21:08:48 +00:00
05d01bbfe0
[Rule Tuning] Rule description tweaks ( #1388 )
...
(cherry picked from commit b736d6e748
2021-07-29 18:57:11 +00:00
600acca704
[Fleet] Track integrations in folder and metadata ( #1372 )
...
* Track integrations in folder and metadata
* Remove duplicate entry
* Update note and tests
(cherry picked from commit 1882f4456c
2021-07-21 21:25:48 +00:00
Austin Songer