* initial commit with rule changes
* removed rule from version lock file to pass unit testing; adjusted rule file name
* adjusted maturity to development
* initial commit with changes to new terms validation
* adjusted validation to call KQLValidator for flattened ECS variable
* changed call to KQLValidator instead of super; validate from same variable
* removed testing rules
* removed commented line
* Version() called on all string versions prior to comparison logic
* adjusted assert error punctuation
* [Rule Tuning] Multiple Alerts in Different ATT&CK Tactics on a Single Host
* Update non-ecs-schema.json
* Remove duplicated value on non-ecs-schema.json
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
* adding support new_terms_fields and window_start_history
* adjusted rule.py to address flake errors
* added assertion error if history_window_start does not exist
* removed sample rule
* removed self.rule_id from DataValidator
* added new_terms to RuleType
* changed new terms to its own class in rule.py
* removed nonexisting function call in DataValidator class
* adjusted new_terms field value in dataclass
* changed literal type for history_window_start; view-rule working
* removing test TOML rule
* addressed flake errors for missing newlines
* added validation option and adjusted object referencing
* adjusted validation method call in post_validation
* addressed flake errors for multiple spaces
* added transform method to NewTermsRuleData class
* added validation for min stack version and new terms array length restraints
* added validation for unique new terms array
* Update detection_rules/rule.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
* removed historywindowstart definition and adjusted subclass
* removed test rule from commit
* adjusted if/else for data transform method check
* adjusted stack-schema-map; validation method name
* Update detection_rules/rule.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
* added assertion for history_window_start field value
* added variables for feature min stack and extended field min stack
* Update detection_rules/rule.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
* Update detection_rules/rule.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
* addressed flake errors for continuation line with same indent
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
* Update privilege_escalation_shadow_file_read.toml
description update, name update, query update, tags update, MITRE update
* Update privilege_escalation_shadow_file_read.toml
edited order of MITRE
* changed file name to match credential_access as primary tactic
changed file name to match credential_access as primary tactic
* excluded common executables, not related to "read", based on telemetry
excluded common executables, not related to "read", based on telemetry
* update cred access reference MITRE
* toml-lint file for final validation
* Rename credential_access_shadow_file_access.toml to privilege_escalation_shadow_file_access.toml
revert name back to privilege_escalation...
* Rename privilege_escalation_shadow_file_access.toml to privilege_escalation_shadow_file_read.toml
* update update_date
* Changed primary tactic back to privilege_escalation to match rule name
Changed primary tactic back to privilege_escalation to match rule name
limit the query to suspicious KEYCREDENTIALLINK_BLOB value length to 828 `DN-Binary data: B:<char count>:<binary value>:<object DN>` which matches on the add of a keycredential structure using public offensive tooling and avoid FPs (Azure, CredGuard and others).
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Create defense_evasion_masquerading_space_after_filename.toml
new rule toml
* Update defense_evasion_masquerading_space_after_filename.toml
toml-lint the file
* Moved to cross-platform folder
moved to cross-platform folder
* update query to specify OS
added filter for host OS to query ```host.os.type:("linux","macos")```
* Update rule query: regex and process.executable
update rule query to use regex instead of wildcards and alert on process.executable instead of process.args and process.name to reduce noise.
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.toml
Deprecating this rule due to high false positive rate. This behavior is too generic for an effective malicious behavior detection.
* move toml file to _deprecated
move toml file to _deprecated
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* added elastic security labs URL references
* Update rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml
Is not compatible with Windows blog.
* Update rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml
Is not compatible with Windows blog. Reverting updated date.
* Update rules/macos/credential_access_access_to_browser_credentials_procargs.toml
Is not compatible with Windows blog. Reverting updated date.
* Update rules/macos/credential_access_access_to_browser_credentials_procargs.toml
Is not compatible with Windows blog.
* Update rules/ml/execution_ml_windows_anomalous_script.toml
Is not compatible with Windows blog. Reverting updated date.
* Update rules/linux/credential_access_collection_sensitive_files.toml
Not compatible with Windows blog. Reverting updated date.
* Update rules/linux/credential_access_collection_sensitive_files.toml
Not compatible with Windows blog.
* added credential access URL for mimikatz rules
* updated version ml windows anomalous script rule
* removed change to macOS rule since no blog correlation
* adjusted query to include event action and network direction filters
* adjusted rule name and file name
* toml linted and tags updated
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
rule tune: update by adding MITRE tactic/technique/subtechnique : Initial Access>Valid Accounts>Local Accounts. Added new tag for new tactic : Initial Access
* [Rule Tuning] Kubernetes Rules adds Mitre Execution-Deploy Container
This adds the following attacker threat and technique to each of these rules. Execute.Deploy Container
* updated_date
update the updated_date fields
Samirbous
