sigma-rules

Author	SHA1	Message	Date
Isai	b0838cc2cb	[New Rule] SSH Connection Established Inside A Running Container (#2793 ) * [New Rule] SSH Connection Established Inside A Running Container new rule toml * Update initial_access_ssh_connection_established_inside_a_container.toml moved order of tactics * Apply suggestions from code review updated spacing based on code review Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> --------- Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>	2023-05-16 16:56:52 -04:00
Isai	515d393828	[New Rule] SSH Authorized Keys File Modified Inside a Container (#2792 ) * [New Rule] SSH Authorized Keys File Modified Inside a Container new rule toml * toml file name change changed duplicate toml file name * Update persistence_ssh_authorized_keys_modification_inside_a_container.toml added time intervals * removed redundant event.type removed event.type fields * added back event.type and removed event.action per reviewer suggestion removed redundant event.action fields	2023-05-16 16:30:17 -04:00
Isai	648dd8b3ed	[New Rule] Interactive Exec Command Launched Against A Running Container (#2791 ) * [New Rule] Interactive Exec Command Launched Against A Running Container new rule toml * Update execution_interactive_exec_to_container.toml updated reference links * Update execution_interactive_exec_to_container.toml fixed the comments * Update execution_interactive_exec_to_container.toml * Update execution_interactive_exec_to_container.toml removed process.session_leader.same_as_process * Update execution_interactive_exec_to_container.toml added time intervals * Apply suggestions from code review updated spacing Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> --------- Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>	2023-05-16 16:09:10 -04:00
Isai	9e3dc112b3	[New Rule] Sensitive Files Compression Inside A Container (#2790 ) new rule toml Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>	2023-05-16 15:49:42 -04:00
Isai	d8e9874d54	[New Rule] Sensitive Keys Or Passwords Searched For Inside A Container (#2789 ) * [New Rule] Sensitive Keys Or Passwords Searched For Inside A Container new rule toml * description update Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * added locate and mlocate based on review suggestion --------- Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>	2023-05-16 15:29:54 -04:00
Isai	73f87ad7e6	[New Rule] Suspicious Network Tool Launched Inside A Container (#2759 ) * [New Rule] Suspicious Network Tool Launched Inside A Container new rule * Apply suggestions from code review removed unused fields, adjust from field for readability Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com> * update based on reviews added additional tools, added false positives section, raised risk score * Update discovery_suspicious_network_tool_launched_inside_a_container.toml adjusted tags --------- Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com> Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>	2023-05-16 15:21:42 -04:00
Isai	5fd155849e	[New Rule] File Made Executable via Chmod Inside A Container (#2757 ) * [New Rule] File Made Executable via Chmod Inside A Container new rule * edit threat matrix urls add final / to reference urls * Apply suggestions from code review removed unused fields, adjust from field for readability Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com> * Update execution_file_made_executable_via_chmod_inside_a_container.toml rule query change to remove exclusion and add more common chmod executable patterns, nit review comments, additional tactic, technique and subtechnique * Update execution_file_made_executable_via_chmod_inside_a_container.toml added Defense Evasion tag * Update execution_file_made_executable_via_chmod_inside_a_container.toml * Update execution_file_made_executable_via_chmod_inside_a_container.toml adjusted tags * Update execution_file_made_executable_via_chmod_inside_a_container.toml changed rule type to file instead of process to eliminate false positive results from adding the number modification parts of the query --------- Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com> Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>	2023-05-16 15:15:49 -04:00
Isai	4c996490ec	[New Rule] Netcat Listener Established Inside A Container (#2756 ) * [New Rule] Netcat Listener Established Inside A Container new rule toml * remove references Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com> * remove false_positives Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com> * adjust from field from s to m for readability Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * Update execution_netcat_listener_established_inside_a_container.toml updated query, updated risk score, expanded explanation for 2nd part of the query where process args is used to search for target executables * optimized query optimized query to deduplicate fields based on review feedback * Update execution_netcat_listener_established_inside_a_container.toml updated query comment * Update execution_netcat_listener_established_inside_a_container.toml added false positive section * Update execution_netcat_listener_established_inside_a_container.toml adjusted tags * removed the != end query parameter removed the exclusion of end events for this to account for short-lived netcat listener processes --------- Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com> Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>	2023-05-16 15:08:20 -04:00
Isai	e954b6d7eb	[New Rule] Interactive Shell Spawned From Inside a Container (#2752 ) * Create execution_interactive_shell_spawned_from_inside_a_container.toml new rule * Update execution_interactive_shell_spawned_from_inside_a_container.toml edited threat matrix * Update execution_interactive_shell_spawned_from_inside_a_container.toml changed boolean in query from string type * Update execution_interactive_shell_spawned_from_inside_a_container.toml added timestamp_override field * Apply suggestions from code review readability from field change, removed references field Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com> * Apply suggestions from code review index spacing, rule name, comment change Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * Update execution_interactive_shell_spawned_from_inside_a_container.toml updated description, updated query to utilize container.id field to distinguish container vs linux rule, remove unneccesary comments and simplify the query. * Update rule query updated rule query to use process.executable and an or field for event.action * Update execution_interactive_shell_spawned_from_inside_a_container.toml adjusted tags * changed "not" in query event.action != end based on review suggestion * spacing around comments * removed ending wildcard causing FPs removed ending wildcard for process.args /sh as it's causing FPs and will risk being too noisy --------- Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com> Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>	2023-05-16 15:02:20 -04:00
Isai	ee86144565	[New Rule] Container Management Binary Run Inside A Container (#2754 ) * [New Rule] Container Management Binary Run Inside A Container new rule * Apply suggestions from code review removed unused fields, adjust from field for readability Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com> * Apply suggestions from code review description change, name change, index spacing Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * Update false_positives and query added false positives section and updated query with container.id field * Update execution_container_management_binary_launched_inside_a_container.toml adjusted tags --------- Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com> Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>	2023-05-16 14:41:27 -04:00
Ruben Groenewoud	9ebffb44ff	[New Rules] Ransomware Encryption & Note Creation (#2652 ) * [New Rules] Ransomware Encryption & Note Creation * changed description * Update rules/linux/impact_potential_linux_ransomware_file_encryption.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/impact_potential_linux_ransomware_file_encryption.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/impact_potential_linux_ransomware_note_detected.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> --------- Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>	2023-05-16 11:30:00 +02:00
Jonhnathan	d017156454	[Rule Tuning] Make Rules Compatible with Windows Forwarded Logs (#2761 ) * [Proposal] [Rule Tuning] Make Intended rules compatible with Windows Forwarded Logs * Update tests/test_all_rules.py Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * Update test_all_rules.py * Update test_all_rules.py --------- Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>	2023-05-15 20:31:59 -03:00
shashank-elastic	1293365a7f	Rule to detect Potential Linux Credential Dumping via Proc Filesystem (#2751 )	2023-05-05 22:23:15 +05:30
Ruben Groenewoud	26258f806a	[New Rules] Persistence through MOTD (#2608 ) * [New Rules] Persistence through MOTD * fixed unit error test by adding timestamp_override * Update rules/linux/persistence_message_of_the_day_execution.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * Update rules/linux/persistence_message_of_the_day_creation.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * added host.os.type == "linux" * removed ability to bypass chmod by using e.g. 700 * Added endgame support, changed query * Changed query * updated risk_score * added OSQuery to investigation guides * Update rules/linux/persistence_message_of_the_day_creation.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/persistence_message_of_the_day_creation.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/persistence_message_of_the_day_creation.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/persistence_message_of_the_day_creation.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/persistence_message_of_the_day_creation.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/persistence_message_of_the_day_creation.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * removed investigation guides to add in future PR * removed investigation guide tag * Changed rule to new terms rule for FP reduction * Update rules/linux/persistence_message_of_the_day_creation.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> --------- Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>	2023-05-05 10:29:15 +02:00
Ruben Groenewoud	1aea1ee9bb	[New rule] Sus File Creation in init.d for Persistence Detected (#2653 ) * [New Rule] Init.d File and Service Creation * Changed rule name * [New Rule] Sus File Creation init.d Persistence * Added Endgame compatibility * added touch * Added OSQuery to investigation guide * added additional processes * removed investigation guide to add in sep PR * changed rule name * removed investigation guide tag * Update rules/linux/persistence_init_d_file_creation.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/persistence_init_d_file_creation.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/persistence_init_d_file_creation.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/persistence_init_d_file_creation.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/persistence_init_d_file_creation.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update persistence_init_d_file_creation.toml --------- Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>	2023-05-05 09:54:42 +02:00
Ruben Groenewoud	09719dd0c5	[Rule Tuning] Potential Shell via Web Server (#2585 ) * tuned web shell logic, and converted to EQL * Removed old, created new rule to bypass "type" bug * Revert "Removed old, created new rule to bypass "type" bug" This reverts commit e994b62ecb838f73fa56d145e529169ebd2f5133. * Revert "tuned web shell logic, and converted to EQL" This reverts commit 28bda94b846cbb4ae1a084e707db2b6df458a7ca. * Deprecated old rule, added new * formatting fix * removed endgame index * Fixed changes captured as edited, not created * Update rules/linux/persistence_shell_activity_through_web_server.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * fix conflict * added host.os.type==linux for unit testing * removed wildcards in process.args * Update rules/linux/persistence_shell_activity_via_web_server.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * fixed conflict by changing file name and changes * Trying to resolve the GH conflict * attempt to fix GH conflict #2 * Update persistence_shell_activity_by_web_server.toml * Added endgame support * Added OSQuery to investigation guide * Update rules/linux/persistence_linux_shell_activity_via_web_server.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/persistence_linux_shell_activity_via_web_server.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * removed investigation guide to add in future PR --------- Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>	2023-05-05 09:47:49 +02:00
Jonhnathan	6655932190	[Rule Tuning] Startup or Run Key Registry Modification (#2766 ) * [Rule Tuning] Startup or Run Key Registry Modification * Update persistence_run_key_and_startup_broad.toml * Apply suggestions from code review Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> --------- Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>	2023-05-04 09:42:12 -03:00
Terrance DeJesus	71d93e875e	[Rule Tuning] Tuning 'AWS Access Secret in Secrets Manager' to New Terms (#2760 ) * [Rule Tuning] Tuning 'AWS Access Secret in Secrets Manager' to New Terms * updated new terms	2023-05-03 09:28:59 -04:00
Ruben Groenewoud	6524acf98a	[rule tuning] modified std auth module or config (#2737 )	2023-05-03 09:32:33 +02:00
Terrance DeJesus	d5350ae6e0	[New Rule] Commonly Abused Remote Access Tool Downloaded (New Terms) (#2685 ) * adding initial rule * changed new terms to host.id * removed windows integration tag * removed windows integration tag * changed rule to be process started related * rule linted * updating description * Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml * added process.name.caseless to non-ecs.json * removed host type related to #2761 * added host.os.type --------- Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>	2023-05-02 23:09:17 -04:00
shashank-elastic	855ba16299	Linux Rule Tuning (#2753 )	2023-05-02 19:12:13 +05:30
Karl Godard	7435ac39d2	[Rule Tuning] added rule name override for cloud_defend integration rule (#2767 )	2023-05-02 00:05:24 -04:00
shashank-elastic	cd5bc2c44b	Update file path regex for /run (#2749 )	2023-04-26 14:02:16 +05:30
shashank-elastic	0107e0fcaa	Detect Threat indicators for VMware ESXi servers (#2708 )	2023-04-25 20:17:16 +05:30
Apoorva Joshi	c60e1a61a9	Updating some rule names (#2744 ) * Changing some rule names * Updating the date	2023-04-25 09:01:06 -03:00
Samirbous	2eda02c10e	[Rule Tuning] Multiple Logon Failure from the same Source Address (#2588 ) * Update credential_access_bruteforce_multiple_logon_failure_same_srcip.toml * Update rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml * Update rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml --------- Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>	2023-04-24 09:16:17 -03:00
shashank-elastic	2996c79ff4	Detect Mount Execution With Hidepid Parameter (#2706 )	2023-04-22 08:00:30 +05:30
Jonhnathan	84acf004da	[Rule Tuning] Component Object Model Hijacking (#2730 )	2023-04-21 18:43:02 -03:00
Jonhnathan	12d6b49a24	[Rule Tuning] Potential Credential Access via Windows Utilities (#2727 ) * [Rule Tuning] Potential Credential Access via Windows Utilities * Add system integration index --------- Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>	2023-04-21 18:27:44 -03:00
Jonhnathan	255c53cff0	[Rule Tuning] Connection to Commonly Abused Web Services (#2728 ) Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>	2023-04-20 18:26:00 -03:00
Jonhnathan	b1e3215cd5	[Rule Tuning] Tune PowerShell rule FPs related to MS ATP (#2729 )	2023-04-20 12:37:06 -03:00
shashank-elastic	2705df81e2	Tune Shell evasion Rule to incorporate GTFOArgs shell evasion (#2687 )	2023-04-20 18:35:18 +05:30
shashank-elastic	f7aa477536	Correct Event Action to include endgame event schema (#2610 )	2023-04-20 17:28:01 +05:30
shashank-elastic	94baa89ea8	New Rule to identify defense evasion via PRoot (#2625 )	2023-04-20 17:14:01 +05:30
Jonhnathan	fb09208132	[Rule Tuning] Connection to Commonly Abused Web Services (#2717 ) * [Rule Tuning] Connection to Commonly Abused Web Services * Update command_and_control_common_webservices.toml	2023-04-18 09:15:47 -03:00
Terrance DeJesus	f21a9e4793	updating min stack comments (#2712 )	2023-04-12 14:30:34 -04:00
Terrance DeJesus	d6f277e379	[New Rule] Google Workspace New OAuth Login from Third-Party Application (#2677 ) * adding new rule 'Google Workspace New OAuth Login from Custom Application' * changed name and 'custom' to 'third-party' * Update rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml * Update rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml * updated non-ecs	2023-04-12 09:40:31 -04:00
Terrance DeJesus	4511ab0666	[Rule Tuning] Add Sequence for OAuth Authorization to Custom App - Google Workspace (#2674 ) * tuning rule to add token sequence * updated date * updated non-ecs, integration schemas and manifests * added investigation guide * Updating note Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * updating note Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * updated false positive description * updating manifest and schemas with main to resolve conflicts --------- Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>	2023-04-12 09:15:58 -04:00
Jonhnathan	16749e45ae	[Rule Tuning] Third-party Backup Files Deleted via Unexpected Process (#2704 ) * [Rule Tuning] Third-party Backup Files Deleted via Unexpected Process * Update impact_backup_file_deletion.toml	2023-04-11 13:47:52 -03:00
Eric	d1aadde671	[Rule Tuning] Suspicious Antimalware Scan Interface DLL (#2671 ) (#2672 ) * --amend * --amend --------- Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>	2023-04-06 15:15:57 -03:00
Karl Godard	d0ea8c6f98	[New Rule] new CWP rule to surface alerts from the cloud_defend integration (#2679 ) * new CWP rule to surface alerts from the cloud_defend integration * created new rule uuid * updated version info. removed risk level overrides and endpoint exception list * added event.module * removed rule name override * updated_date and min_stack_comments updated * updated external alerts updated_date. added kubernetes to cwp rule tags --------- Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>	2023-04-05 21:31:03 -03:00
Jonhnathan	1a9b0e732c	[Rule Tuning] Potential PowerShell HackTool Script by Function Names (#2692 )	2023-04-05 16:48:33 -03:00
Jonhnathan	eafe54c2cc	[Rule Tuning] Potential LSASS Clone Creation via PssCaptureSnapShot (#2691 )	2023-04-05 13:28:57 -03:00
Jonhnathan	5aaac84f3a	[Rule Tuning] Suspicious service was installed in the system (#2693 ) * [Rule Tuning] Suspicious service was installed in the system * Update persistence_service_windows_service_winlog.toml	2023-04-05 13:23:47 -03:00
Samirbous	0c8d0bfd3d	[New Rule] Suspicious Execution via Microsoft Office Add-Ins (#2651 ) * Create * Update initial_access_execution_via_office_addins.toml * Update initial_access_execution_via_office_addins.toml * Update initial_access_execution_via_office_addins.toml * Update rules/windows/initial_access_execution_via_office_addins.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> --------- Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>	2023-04-05 17:02:04 +01:00
Terrance DeJesus	71d12bdda4	[Bug] Unit Tests Passing for Rules with Integrations Not Reflected in Manifests (#2682 ) * add promotion to rulemeta schema class and updated promotion rules * add promotion to rulemeta schema class and updated promotion rules * adjusted test_integration_tag and okta rule missing dataset * fixed flake errors * updated manifests and schemas to include cloud defend	2023-04-03 09:42:40 -04:00
Samirbous	51d50b7d8a	[New Rule] Lsass Process Access - Generic (#2613 ) * Create credential_access_lsass_openprocess_api.toml * Update credential_access_lsass_openprocess_api.toml * Update credential_access_lsass_openprocess_api.toml * Update non-ecs-schema.json * Update rules/windows/credential_access_lsass_openprocess_api.toml Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> * Update rules/windows/credential_access_lsass_openprocess_api.toml Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> * Update rules/windows/credential_access_lsass_openprocess_api.toml Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> * Update rules/windows/credential_access_lsass_openprocess_api.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/credential_access_lsass_openprocess_api.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/credential_access_lsass_openprocess_api.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update credential_access_lsass_openprocess_api.toml * Update non-ecs-schema.json --------- Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>	2023-04-03 14:34:30 +01:00
Samirbous	892757f4a4	[New Rule] Potential Pass The Hash (#2670 ) * Create lateral_movement_alternate_creds_pth.toml * Update rules/windows/lateral_movement_alternate_creds_pth.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/lateral_movement_alternate_creds_pth.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/lateral_movement_alternate_creds_pth.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> --------- Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>	2023-03-29 19:37:27 +01:00
Jonhnathan	5ed2120e3f	[Rule Tuning] Potential Credential Access via Windows Utilities (#2659 ) * [Rule Tuning] Potential Credential Access via Windows Utilities * Update credential_access_cmdline_dump_tool.toml	2023-03-29 09:32:36 -03:00
Justin Ibarra	411ec36ff0	Validate markdown plugin fields (#2602 )	2023-03-28 09:17:50 -04:00

1 2 3 4 5 ...

1099 Commits