ad7a8afb32
[Rule Tuning] Windows Service Installed via an Unusual Client ( #3671 )
...
* [Rule Tuning] Windows Service Installed via an Unusual Client
* Update privilege_escalation_windows_service_via_unusual_client.toml
* Update rules/windows/privilege_escalation_windows_service_via_unusual_client.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
(cherry picked from commit 0eef7f62ff
2024-05-15 13:39:59 +00:00
ed48d9fd57
Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13,8.14 ( #3676 )
...
(cherry picked from commit f3585da503
2024-05-15 11:41:56 +00:00
891da3623d
Prepare For Next Elastic Stack 8.15 ( #3670 )
...
Removed changes from:
- detection_rules/etc/packages.yml
(selectively cherry picked from commit 50a8b52cd5
2024-05-14 19:10:09 +00:00
ca8af123d2
[FR] Add max_signal note, unit test, and rule tuning ( #3669 )
...
(cherry picked from commit f07a9e6fbc
2024-05-14 16:23:18 +00:00
a4b38209b4
[New Rule] Building Block Rule - AWS IAM Login Profile Added to User ( #3633 )
...
* new rule 'AWS IAM Login Profile Added to User'
* Update rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit 608b801088
2024-05-14 15:18:38 +00:00
9dceb36a7e
[New Rule] Route53 Resolver Query Log Configuration Deleted ( #3592 )
...
* new rule 'Route53 Resolver Query Log Configuration Deleted'
* added investigation guide
* adjusted investigation notes
* Update rules/integrations/aws/defense_evasion_route53_dns_query_resolver_config_deletion.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit 2375297879
2024-05-14 14:32:44 +00:00
cbac37db59
[New] Unusual Execution via Microsoft Common Console File ( #3663 )
...
* [New] Unusual Execution via Microsoft Common Console File
https://www.genians.co.kr/blog/threat_intelligence/facebook
* Update rules/windows/execution_initial_access_via_msc_file.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Update rules/windows/execution_initial_access_via_msc_file.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/execution_initial_access_via_msc_file.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update execution_initial_access_via_msc_file.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
(cherry picked from commit a1ef8c9fc0
2024-05-14 14:16:02 +00:00
95fd920afe
[New] Potential File Download via a Headless Browser ( #3660 )
...
* [New] Potential File Download via a Headless Browser
* Update command_and_control_headless_browser.toml
* Update command_and_control_headless_browser.toml
* Update command_and_control_common_webservices.toml
* Update command_and_control_headless_browser.toml
* Update command_and_control_headless_browser.toml
(cherry picked from commit 83462a3087
2024-05-14 13:04:35 +00:00
f918f091c3
[New Rule] AWS EC2 AMI Shared with Another Account ( #3600 )
...
* new rule 'AWS EC2 AMI Shared with Another Account'
* linted; updated UUID
* added investigation guide
* updated description
* fixed spelling errors
* Update rules/integrations/aws/exfiltration_ec2_ami_shared_with_separate_account.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* fixed spacing issue
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit d505b95f3c
2024-05-14 06:04:20 +00:00
727e7ada2e
[New Rule] First Occurrence of User Identity Retrieving Credentials from EC2 Instance with an Assumed Role ( #3586 )
...
* new rule 'First Occurrence of User Identity Sending Requests to EC2 Instance'
* updated description and name
* added investigation guide; adjusted description
* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* updated query logic
* fixed spacing issue
* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml
* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
(cherry picked from commit 38e0f13e23
2024-05-14 03:15:43 +00:00
33e44b29fc
[FR] Bundle KQL & Kibana libs into base dependencies ( #3662 )
...
(cherry picked from commit 78837549e8
2024-05-13 19:36:55 +00:00
e45c7db95e
[Bug] Update Rule Formatter ( #3668 )
...
* Update Rule Formatter
* Only apply fix to Note
(cherry picked from commit 094ef22604
2024-05-13 19:07:19 +00:00
2f88a93d62
[New Rule] Alternate Data Stream Creation at Volume Root Directory ( #3517 )
...
* [New Rule] Alternate Data Stream Creation at Volume Root Directory
* Update defense_evasion_root_dir_ads_creation.toml
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit 6150f222b2
2024-05-13 11:42:34 +00:00
c915b9959d
[Tuning] MacOS Comprehensive Detection Rule Tuning ( #3435 )
...
* Update to use new data source
* Exclude FPs
* Update logic
* Exclude FPs
* Update to match ER logic
* Exclude FP
* Update to match endpoint rule and reduce FPs
* Update logic to reduce FPs
* Update logic to reduce FPs
* Exclude FPs
* Update logic to remove FPs
* Update logic to reduce FPs
* Update logic and min stack version to reduce FPs
* Exclude FP
* Remove FPs
* Update logic and min stack to reduce FPs
* Exclude FPs
* Update logic and min stack to exclude FPs
* Update logic and min stack to exclude FPs
* Update logic to be more efficient
* Update logic
* Update rules/macos/credential_access_promt_for_pwd_via_osascript.toml
* Update rules/macos/defense_evasion_modify_environment_launchctl.toml
* Update rules/macos/persistence_docker_shortcuts_plist_modification.toml
* Update rules/macos/privilege_escalation_local_user_added_to_admin.toml
* Update rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml
* Update persistence_folder_action_scripts_runtime.toml
* Update rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/macos/persistence_credential_access_authorization_plugin_creation.toml
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
* Update rules/macos/execution_installer_package_spawned_network_event.toml
* Update rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml
* Update rules/macos/credential_access_credentials_keychains.toml
* Update rules/macos/credential_access_suspicious_web_browser_sensitive_file_access.toml
* Update rules/macos/credential_access_suspicious_web_browser_sensitive_file_access.toml
* Update rules/macos/persistence_loginwindow_plist_modification.toml
* Update rules/macos/persistence_folder_action_scripts_runtime.toml
* Fix
* Fix
* Fix
* Update min stack comments
* Update rules/macos/persistence_credential_access_authorization_plugin_creation.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/macos/credential_access_promt_for_pwd_via_osascript.toml
* Update rules/macos/credential_access_suspicious_web_browser_sensitive_file_access.toml
* Update rules/macos/credential_access_systemkey_dumping.toml
* Update rules/macos/discovery_users_domain_built_in_commands.toml
* Update rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml
* Update rules/macos/persistence_finder_sync_plugin_pluginkit.toml
* Update rules/macos/privilege_escalation_local_user_added_to_admin.toml
* Update rules/macos/privilege_escalation_applescript_with_admin_privs.toml
* Update rules/macos/persistence_folder_action_scripts_runtime.toml
* Remove field
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit 1fb58e1b61
2024-05-11 17:59:28 +00:00
2e270cf78c
[New Rule] Potential PowerShell HackTool Script by Author ( #2472 )
...
* [New Rule] Potential PowerShell HackTool Script by Author
* Update execution_posh_hacktool_authors.toml
* Update execution_posh_hacktool_authors.toml
* Update execution_posh_hacktool_authors.toml
* Apply suggestions from code review
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update execution_posh_hacktool_authors.toml
* Apply suggestions from code review
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update execution_posh_hacktool_authors.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit f85d7482fd
2024-05-09 16:08:45 +00:00
ae6bb88edb
[Tuning] Component Object Model Hijacking ( #3655 )
...
* [Tuning] Component Object Model Hijacking
* Update rules/windows/persistence_suspicious_com_hijack_registry.toml
* Update persistence_suspicious_com_hijack_registry.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit 7a61070e08
2024-05-08 16:52:11 +00:00
3262eaaca3
[FR] Update readme with wsl instructions for py312 ( #3649 )
...
* Update README
* Removed DaC Specifics
* Add troubleshooting guide.
* Update Troubleshooting.md
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
(cherry picked from commit 65441b8e67
2024-05-07 17:59:13 +00:00
4bbb8c2642
[New] Ransomware over SMB ( #3638 )
...
* [New] Ransomware over SMB
* Update impact_ransomware_note_file_over_smb.toml
* Update impact_ransomware_file_rename_smb.toml
* ++
* Update impact_high_freq_file_renames_by_kernel.toml
* Update impact_high_freq_file_renames_by_kernel.toml
* Update impact_high_freq_file_renames_by_kernel.toml
* Update impact_ransomware_file_rename_smb.toml
* Update impact_ransomware_note_file_over_smb.toml
* Update impact_high_freq_file_renames_by_kernel.toml
(cherry picked from commit 4a2e2764cd
2024-05-07 05:46:07 +00:00
947e8fd965
Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13 ( #3650 )
...
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13
* Bumping status checks
* undo bump
---------
Co-authored-by: eric-forte-elastic <eric-forte-elastic@users.noreply.github.com >
Co-authored-by: eric-forte-elastic <eric.forte@elastic.co >
(cherry picked from commit 84437bac03
2024-05-06 16:52:30 +00:00
2bd230ff60
[Bug] Query validation failing to capture InSet edge case with ip field types ( #3572 )
...
* Move test case to separate file
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
(cherry picked from commit a4a0bc6a7e
2024-05-06 12:07:00 +00:00
b75a9f902b
[New Rule] Potential Abuse of Resources by High Token Count and Large Response Sizes ( #3644 )
...
(cherry picked from commit 2ffb0e7fe2
2024-05-03 23:08:58 +00:00
40015070b4
[FR] Add ability to generate hunt index ( #3643 )
...
(cherry picked from commit c8c8c96956
2024-05-03 18:51:10 +00:00
90ad70e63b
[FR] Add Hunt Structure and Initial LLM Queries 🚀 ( #3637 )
...
(cherry picked from commit 00b8a77f50
2024-05-03 14:40:58 +00:00
c97395d606
[Bug] Fix missing indexes on navigator build ( #3636 )
...
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com >
(cherry picked from commit 2668f5f762
2024-05-01 21:58:13 +00:00
b83887e73d
[New Rule] AWS S3 Bucket Enumeration or Brute Force ( #3635 )
...
* [New Rule] AWS S3 Bucket Enumeration or Brute Force
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com >
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit 54ff270c62
2024-05-01 21:08:19 +00:00
809279b62b
Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13 ( #3630 )
...
(cherry picked from commit ca78f550fd
2024-04-30 12:43:58 +00:00
d3faf0d0d6
[New Rule] Shell Configuration Modification ( #3629 )
...
* [New Rule] Shell Configuration Modification
* description update
* uuid update
* query update
* query update
* Update rules/linux/persistence_shell_configuration_modification.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
(cherry picked from commit e29994c338
2024-04-30 11:48:38 +00:00
f7215a7ced
[Rule Tuning] Linux DRs ( #3628 )
...
(cherry picked from commit 115c3a6dfd
2024-04-30 11:33:56 +00:00
55a17e12db
[New] Potential privilege escalation via CVE-2022-38028 ( #3616 )
...
* [New] Potential privilege escalation via CVE-2022-38028
https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/
* Update privilege_escalation_exploit_cve_202238028.toml
* Update privilege_escalation_exploit_cve_202238028.toml
* Update privilege_escalation_exploit_cve_202238028.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit 8f6de1c235
2024-04-29 14:18:06 +00:00
09a7e2e81b
Refresh Kibana module with API updates ( #3466 )
...
* Refresh Kibana module with API updates
* add import/export commands
* rename repo commands
* add RawRuleCollection and DictRule objects
* save exported rules to files; rule.from_rule_resource
* strip unknown fields in schema
* add remote cli test
* update docs
* bump kibana lib version
---------
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com >
(cherry picked from commit c567d3731a
2024-04-26 17:20:37 +00:00
dfd261590b
Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13 ( #3615 )
...
(cherry picked from commit 374f21fbc4
2024-04-23 12:36:46 +00:00
868ab80c63
Fix minstack version for 0365 in azure integration rules ( #3612 )
...
(cherry picked from commit 7673ba484d
2024-04-22 13:55:15 +00:00
bda38d6f27
updating performance note ( #3608 )
...
(cherry picked from commit 69d42ecc71
2024-04-18 20:43:50 +00:00
fea73c9686
[New Rule] Potential Windows Session Hijacking via CcmExec ( #3602 )
...
* [New Rule] Potential Windows Session Hijacking via CcmExec
* Update rules/windows/defense_evasion_sccm_scnotification_dll.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
(cherry picked from commit 6ae0902a38
2024-04-18 16:05:03 +00:00
4562d694b0
[Rule Tuning] Further Tight up Elastic Defend Index Patterns ( #3584 )
...
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit 5004ff115c
2024-04-16 16:34:23 +00:00
f3d95cccce
adjust aws rule index patterns and tags ( #3595 )
...
(cherry picked from commit 74312797bf
2024-04-16 14:16:36 +00:00
e33d80804f
[Rule Tuning] Windows BBR Promotion ( #3577 )
...
* [Rule Tuning] Windows BBR Promotion
* Update non-ecs-schema.json
* Update persistence_netsh_helper_dll.toml
* Update persistence_werfault_reflectdebugger.toml
* Update privilege_escalation_unquoted_service_path.toml
* Update defense_evasion_msdt_suspicious_diagcab.toml
* Update defense_evasion_suspicious_msiexec_execution.toml
* Update discovery_security_software_wmic.toml
* Revert "Update defense_evasion_msdt_suspicious_diagcab.toml"
This reverts commit 0e1f3ea3e18a146c421a5bda784633cca4a2b0c0.
* Revert "Update defense_evasion_suspicious_msiexec_execution.toml"
This reverts commit 4e26a167774ad712d19334a4c2c712cc1d550e7f.
* Revert "Update discovery_security_software_wmic.toml"
This reverts commit d638cec354a46cacab1e62596f4ad939a1d9c32a.
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit c2d1586270
2024-04-16 12:36:20 +00:00
06a9b0e3b6
Bump KQL Version in Init ( #3597 )
...
(cherry picked from commit 114db81f07
2024-04-15 15:14:10 +00:00
f291aa105d
Update defense_evasion_untrusted_driver_loaded.toml ( #3596 )
...
excluding `errorCode_endpoint:*` status (noisy)
(cherry picked from commit 919a438257
2024-04-15 14:00:51 +00:00
52e86dc8e8
[Tuning] Connection to Commonly Abused Web Services ( #3587 )
...
excluding top noisy patterns :
- Microsoft signed binaries connecting to graph.microsoft.com and sharepoint.com
- Slack, Dropbox and other signed binaries.
- github.com (removed), most abused is rawgithub dns.question.name for ingress-script/payload download
(cherry picked from commit 9692e59abb
2024-04-11 11:18:52 +00:00
608a0ff0c2
[Rule Tuning] Windows BBR Rule Tuning - 1 ( #3579 )
...
* [Rule Tuning] Windows BBR Rule Tuning - 1
* Update non-ecs-schema.json
* Update rules_building_block/command_and_control_certutil_network_connection.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules_building_block/collection_common_compressed_archived_file.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Update defense_evasion_dll_hijack.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit d0dfa479bb
2024-04-08 13:46:29 +00:00
d21d94a8f8
[Rule Tuning] Windows BBR Rule Tuning - 3 ( #3581 )
...
* [Rule Tuning] Windows BBR Rule Tuning - 3
* Update non-ecs-schema.json
* Update rules_building_block/execution_settingcontent_ms_file_creation.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update persistence_startup_folder_lnk.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
(cherry picked from commit c5addae009
2024-04-08 12:55:35 +00:00
9756346df0
[Rule Tuning] Windows BBR Rule Tuning - 2 ( #3580 )
...
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Removed changes from:
- rules_building_block/discovery_posh_generic.toml
(selectively cherry picked from commit 1bc59bdc04
2024-04-08 12:42:20 +00:00
2a3a5a250e
[Rule Tuning] BBR Rule Tuning 1 - Tighten Indexes Edition ( #3576 )
...
* [Rule Tuning] BBR Rule Tuning 1 - Tighten Indexes Edition
* Apply suggestions from code review
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update defense_evasion_msdt_suspicious_diagcab.toml
* Update defense_evasion_suspicious_msiexec_execution.toml
* Update discovery_security_software_wmic.toml
* Update rules_building_block/discovery_security_software_wmic.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Endgame tag
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
(cherry picked from commit 109e8a85a5
2024-04-08 12:05:42 +00:00
525997e4e7
[Rule Tuning] WRITEDAC Access on Active Directory Object ( #3583 )
...
(cherry picked from commit e125a4e4cf
2024-04-08 11:51:13 +00:00
74d428b09e
[Rule Tuning] Svchost spawning Cmd ( #3578 )
...
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit aa0cc42ff6
2024-04-08 10:57:52 +00:00
a2cb089d12
updated to v14.0 mitre ATT&CK ( #3289 )
...
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com >
(cherry picked from commit 0cb42983c1
2024-04-05 18:38:20 +00:00
02be3c08e9
Bump KQL lib Version ( #3575 )
...
(cherry picked from commit e6f48ade01
2024-04-05 17:46:47 +00:00
dee8c947de
Update default ( #3574 )
...
(cherry picked from commit fbb6df506e
2024-04-05 00:35:15 +00:00
72ba0b16a9
[Bug] KQL fails validation on uppercase keywords ( #3568 )
...
* add todo
* Add a normalize_kql_keywords function to utils
* update rule loader to normalize and warn
* optimized loading
* fix linting
* Moved conversion to kql module.
* Updated unit test
* Refactor KQL parser to normalize keywords via flag
* Fix logic typo
* Update detection_rules/utils.py
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update lib/kql/kql/__init__.py
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Updated to fix unit tests and remove warnings
* linting typo
* Added comments
* remove unused imports
* Update kql.parse default
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
(cherry picked from commit 1566c29bae
2024-04-04 22:10:57 +00:00
Jonhnathan