aec3ec31b9
Merge branch '7.9' into main
2020-08-27 15:54:44 -08:00
79a0dfefbe
Add ECS 1.6.0 schema for validation testing ( #220 )
...
* Add ecs 1.6.0 and refresh master ecs (2.0.0)
* update rule metadata to use ecs_version 1.6.0
2020-08-27 11:54:49 -05:00
be08536880
Increase lookback for endpoint rules ( #200 )
2020-08-21 12:23:43 -05:00
cb1c401e27
Merge branch '7.9' into main
2020-08-03 15:20:36 -06:00
01b1e8be26
[Rule Tuning] Update Tags for Cloud Rules ( #99 )
...
* [Rule Tuning] Update Tags for Cloud Rules
* commenting out specifying alphabetical tag order in rule formatter
* Update rule_formatter.py
* py lint
* Lint fix comments
* update modified dates
* Update credential_access_secretsmanager_getsecretvalue.toml
* adding Continuous Monitoring tag
* update tags
* fixed and in tags
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
2020-08-03 17:15:15 -04:00
a99b7c96fe
Merge branch '7.9' into main
2020-08-03 14:03:15 -06:00
7efe33e01d
[Rule Tuning] Update Index Pattern for Detection Engine Rules ( #101 )
...
* [Rule Tuning] Update Index Pattern for Detection Engine Rules
* update indices
2020-08-03 15:46:57 -04:00
3c4a383947
Add list_id to exceptions_list and remove endgame:* from external alerts ( #98 )
2020-07-28 07:30:48 -06:00
978a8d9df8
[Bug] Set threshold.field to empty string instead of null ( #87 )
2020-07-22 19:31:09 -04:00
4ba23ad6cd
Merge branch '7.9' into main
2020-07-22 14:39:18 -06:00
4b17cb37f0
Update External Alerts rule index to match default securitySolution:defaultIndex value ( #86 )
...
## Summary
Updates the External Alerts rule index to match default securitySolution:defaultIndex value
``` toml
index = ["apm-*-transaction*", "auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "packetbeat-*", "winlogbeat-*"]
```
Note: extra spaces are from running `toml-lint`
## Contributor checklist
- Have you signed the [contributor license agreement](https://www.elastic.co/contributor-agreement )? Yes!
- Have you followed the [contributor guidelines](https://github.com/elastic/detection-rules/blob/main/CONTRIBUTING.md )? Yes!
2020-07-22 14:37:19 -06:00
b5213e66b2
[Rule Tuning} Correct Promotion Rule Descriptions ( #85 )
2020-07-22 12:36:18 -04:00
b4d8985105
[Rule Tuning] Update terms in promotion rules ( #72 )
...
* [Rule Tuning] Update terms in promotion rules
* Update Endpoint terms and lint
2020-07-21 14:28:30 -04:00
e08ff6c55d
[Rule Tuning] Update Cloud rules with note field ( #79 )
...
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
2020-07-21 12:27:42 -04:00
aaef4b99f4
[New Rule] Okta Brute Force or Password Spraying Attack ( #66 )
...
* Create credential_access_okta_brute_force_or_password_spraying.toml
* Update maturity to production
* Update severity and risk score
* Aggregate by source.ip field
To ensure that investigate in timeline displays expected events
* Update false positive information
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Tweak false positive info
* Update rules/okta/credential_access_okta_brute_force_or_password_spraying.toml
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com >
* Update rules/okta/credential_access_okta_brute_force_or_password_spraying.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com >
2020-07-20 12:44:59 -06:00
4784342723
[New Rule] AWS IAM Brute Force of Assume Role Policy ( #67 )
...
* Create credential_access_aws_iam_assume_role_brute_force.toml
* Update maturity to production
* Update formatting for query
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rule name
* Update rules/aws/credential_access_aws_iam_assume_role_brute_force.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rule description
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update note field in rule
... to inform users that AWS Filebeat module must be enabled to use this rule.
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com >
* lint rule
* Update rules/aws/credential_access_aws_iam_assume_role_brute_force.toml
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com >
2020-07-20 12:43:26 -06:00
1bf60551ff
Update lateral_movement_dns_server_overflow.toml
2020-07-17 15:52:04 -05:00
1cfb8f92bb
Windows DNS server vulnerability (CVE-2020-1350) rules ( #69 )
2020-07-17 14:32:52 -05:00
13ceed5410
Add Global Endpoint Exception List to Elastic Endpoint rule ( #60 )
2020-07-14 21:26:29 -06:00
f75b126ec4
Update terminology in ML job rules
2020-07-14 21:22:34 -06:00
f24666bf12
[New Rule] Add Cloudtrail ML Rules
...
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com >
Co-authored-by: Devon Kerr <19266650+devonakerr@users.noreply.github.com >
2020-07-14 15:16:58 -06:00
680a04da8f
Fix terminology and doc links ( #54 )
2020-07-13 12:47:42 -06:00
c28795c25e
[New Rule] Elastic Endpoint and External Alerts ( #42 )
...
* Adds the Elastic Endpoint and External Alerts rules and required schema updates
* Optimizing queries to fix tests
* Apply PEP257 changes
* Apply suggestions from code review
* Update rules/cross-platform/external_alerts.toml
* Last fixes from review
* Fixing test for unrequired default
* Adding increased default max_signals to not interfere with testing
* Make promotions folder
* Refining Elastic Endpoint rule index
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2020-07-09 15:24:36 -06:00
e0f2e8b4a9
Add dataset and index to network rules ( #15 )
...
* Add dataset and index to network rules
* Restore iptables changes
* Fix beats parsing logic
* Updated date and ECS version
* Only update modules if empty
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
2020-07-08 13:19:35 -06:00
676be30199
[New rule] AWS Secrets Manager and System Manager
...
Co-authored-by: Seth Goodwin <58222969+seth-goodwin@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
Co-authored-by: Craig Chamberlain <randomuserid@users.noreply.github.com >
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
2020-07-08 12:48:04 -06:00
c577426510
Update Lookback Interval for AWS Rules
2020-07-08 08:50:01 -06:00
316be47e27
Rename AWS to aws
2020-07-08 08:43:30 -06:00
94974c3895
Detect DeleteRule events with AWS WAF Deletion
...
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
Co-authored-by: Seth Goodwin <58222969+seth-goodwin@users.noreply.github.com >
2020-07-07 15:44:11 -06:00
ee82874c24
[New Rule] AWS Config Service Tampering
...
Co-authored-by: Derek Ditch <dcode@users.noreply.github.com >
Co-authored-by: Seth Goodwin <58222969+seth-goodwin@users.noreply.github.com >
2020-07-07 15:43:22 -06:00
95908c22a4
Improve ECS compatibility for endpoint rules
2020-07-07 15:41:23 -06:00
cae5fee025
[New Rule] Add AWS Password Recovery Requested
2020-07-07 15:38:52 -06:00
8052a1ea1f
[New Rule] Add rule for AWS UpdateAssumeRolePolicy
...
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
2020-07-07 15:38:18 -06:00
a2a0b2bf0c
[New Rule] AWS EC2 Snapshot Activity
...
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
2020-07-07 15:10:06 -06:00
c1a1cf6854
[New Rule] AWS Root Login Without MFA
...
Co-authored-by: Derek Ditch <dcode@users.noreply.github.com >
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
2020-07-07 15:07:17 -06:00
a98eca06d0
Add event.module value to Okta rules ( #19 )
2020-07-06 14:26:18 -06:00
51fed4f537
Update defense_evasion_attempt_to_disable_iptables_or_firewall.toml ( #11 )
2020-07-02 11:31:19 -06:00
f438a222d5
[New Rule] Attempt to Modify or Delete Okta Application Sign On Policy ( #10 )
...
* Add okta rule for policy modification/delete
* Update rule name
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
* Update rules/okta/okta_attempt_to_modify_or_delete_application_sign_on_policy.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Add event.module value to query
* Update okta_attempt_to_modify_or_delete_application_sign_on_policy.toml
Add event.category and event.type values to query
* Update rules/okta/okta_attempt_to_modify_or_delete_application_sign_on_policy.toml
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2020-07-02 08:52:55 -06:00
46a4008570
[Rule tuning] Fix evasion for disable iptables rule ( #5 )
2020-07-01 12:08:32 -06:00
1fac018f10
Update MySQL port to 3306 not 3336 ( #2 )
2020-07-01 09:52:04 -06:00
975aa61bc0
Remove links to empty rules subfolders
2020-06-30 10:32:03 -06:00
fb0d36941c
Add documentation and update license notice
2020-06-29 23:21:16 -06:00
5fcece8416
Populate rules/ directory.
...
Co-Authored-By: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-Authored-By: Craig Chamberlain <randomuserid@users.noreply.github.com >
Co-Authored-By: David French <56409778+threat-punter@users.noreply.github.com >
Co-Authored-By: Derek Ditch <dcode@users.noreply.github.com >
Co-Authored-By: Justin Ibarra <brokensound77@users.noreply.github.com >
2020-06-29 22:57:03 -06:00
brokensound77