Samirbous
bcd8ef15ba
[New Rule] Unsigned DLL Side-Loading from a Suspicious Folder (#2409)
* Create defense_evasion_unsigned_dll_loaded_from_suspdir.toml
* Update non-ecs-schema.json
* Update defense_evasion_unsigned_dll_loaded_from_suspdir.toml
* Update rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2023-01-25 13:23:20 +00:00
Samirbous
8427c8cd22
Create credential_access_suspicious_lsass_access_generic.toml (#2487)
2023-01-25 09:43:35 +00:00
Terrance DeJesus
3b2d1af051
new guided onboarding rule (#2492)
2023-01-24 11:26:28 -05:00
Jonhnathan
f804c29f6d
[New Rule] PowerShell Script with Encryption/Decryption Capabilities (#2489)
* [New Rule] PowerShell Script with Encryption/Decryption Capabilities
* Update defense_evasion_posh_encryption.toml
2023-01-24 12:26:11 -03:00
Ruben Groenewoud
644a094503
Group Policy Object Discovery through gpresult.exe (#2483)
* [New Rule] Group Policy Discovery Through gpresult.exe
* Fixed typo
* Update rules/windows/discovery_group_policy_object_discovery.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/windows/discovery_group_policy_object_discovery.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/windows/discovery_group_policy_object_discovery.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/windows/discovery_group_policy_object_discovery.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2023-01-24 12:10:57 +01:00
Jonhnathan
fc30b5881f
[New Rule] PowerShell Suspicious Script with Clipboard Retrieval Capabilities (#2465)
* [New Rule] PowerShell Suspicious Script with Clipboard Retrieval Capabilities
* Bump sev
* Update rules/windows/collection_posh_clipboard_capture.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2023-01-24 07:58:48 -03:00
Jonhnathan
92ae27600f
[New Rule] PowerShell Mailbox Collection Script (#2461)
2023-01-24 07:54:55 -03:00
Jonhnathan
0aa87d7f4a
[Rule Tuning] Unusual Process For a Linux Host (#2445)
* [Rule Tuning] Unusual Process For a Linux Host
* .
2023-01-23 21:03:29 -03:00
Jonhnathan
77c8665f11
[Rule Tuning] Add endgame support for Linux Rules (#2436)
* [Rule Tuning] Add endgame support for Linux Rules
* [Rule Tuning] Add endgame support for Linux Rules
* .
* Update persistence_insmod_kernel_module_load.toml
2023-01-23 20:53:15 -03:00
Jonhnathan
7cde7901e3
[Rule Tuning] PowerShell Suspicious Discovery Related Windows API Functions (#2478)
* [Rule Tuning] PowerShell Suspicious Discovery Related Windows API Functions
* Update discovery_posh_suspicious_api_functions.toml
2023-01-23 20:35:43 -03:00
Jonhnathan
729ecf8b58
[New Rule] PowerShell Invoke-NinjaCopy script (#2488)
* [New Rule] PowerShell Invoke-NinjaCopy script
* Update credential_access_posh_invoke_ninjacopy.toml
* Update credential_access_posh_invoke_ninjacopy.toml
2023-01-23 20:00:57 -03:00
Ruben Groenewoud
e3ff45e20c
[New Rule] System Time Discovery (#2475)
* [New Rule] System Time Discovery
* Update rules/windows/discovery_system_time_discovery.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/windows/discovery_system_time_discovery.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/windows/discovery_system_time_discovery.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/windows/discovery_system_time_discovery.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/windows/discovery_system_time_discovery.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/discovery_system_time_discovery.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/discovery_system_time_discovery.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2023-01-18 13:01:57 +01:00
Terrance DeJesus
e5d81e77f7
[New Rule] Add Google Workspace Alert Center Promotional Rule (#2471)
* Add Google Workspace Alert Center Promotional Rule
* added severity mapping overrides
2023-01-17 12:09:13 -05:00
github-actions[bot]
d81bc25d09
Lock versions for releases: 7.16,8.0,8.1,8.2,8.3,8.4,8.5,8.6 (#2468)
* Locked versions for releases: 7.16,8.0,8.1,8.2,8.3,8.4,8.5,8.6
* added newline in version lock file to trigger checks
* removed trailing newline from version lock file
Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com>
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
2023-01-13 15:20:23 -05:00
Terrance DeJesus
b61da98f97
[Rule Tuning] Bumping min-stack version for Google Workspace to 8.4 (#2467)
* Bumping min-stack version for Google Workspace to 8.4
* changed 'updated_date' values
2023-01-13 13:29:28 -05:00
Jonhnathan
0e535e5931
[Rule Tuning] Remove unreleased timeline from alert correlation rules (#2462)
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2023-01-12 12:10:59 -03:00
Samirbous
cb88ad715c
[New Rule] Exchange Mailbox via PowerShell (#2459)
* Create collection_mailbox_export_winlog.toml
* Update collection_mailbox_export_winlog.toml
* Update collection_mailbox_export_winlog.toml
* Update rules/windows/collection_mailbox_export_winlog.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/collection_mailbox_export_winlog.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/collection_mailbox_export_winlog.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/collection_mailbox_export_winlog.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update rules/windows/collection_mailbox_export_winlog.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2023-01-11 16:45:20 +00:00
Samirbous
8afda66487
[Rule Tuning] Suspicious WerFault Child Process (#2437)
* Update defense_evasion_masquerading_suspicious_werfault_childproc.toml
* Update defense_evasion_masquerading_suspicious_werfault_childproc.toml
* Update defense_evasion_masquerading_suspicious_werfault_childproc.toml
2023-01-11 16:41:57 +00:00
Samirbous
9121a25b02
Update collection_email_powershell_exchange_mailbox.toml (#2457)
2023-01-11 16:29:01 +00:00
github-actions[bot]
6acc0f9b11
Lock versions for releases: 7.16,8.0,8.1,8.2,8.3,8.4,8.5,8.6 (#2455)
* Locked versions for releases: 7.16,8.0,8.1,8.2,8.3,8.4,8.5,8.6
* added newline in version lock file to trigger checks
* removed trailing newline from version lock file
Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com>
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2023-01-10 09:50:41 -05:00
Jonhnathan
4124a82496
[Rule Tuning] Exclude SYSTEM user.id from PowerShell Script Block rules (#2449)
* [Rule Tuning] Exclude SYSTEM user.id from PowerShell Script Block rules
* Update privilege_escalation_posh_token_impersonation.toml
* Update privilege_escalation_posh_token_impersonation.toml
* Adjust severity
2023-01-10 09:37:07 -03:00
Jonhnathan
7725e32126
[Security Content] Fix Osquery Markdown Plugin Escaped queries (#2447)
* [Security Content] Fix Osquery Markdown Plugin Escaped queries
* Re-add line
* Update credential_access_credential_dumping_msbuild.toml
* Update command_and_control_common_webservices.toml
2023-01-09 14:45:31 -03:00
Jonhnathan
9981cca275
[Security Content] Investigation Guides Line breaks refactor (#2454)
* [Security Content] Investigation Guides Line breaks refactor (#2412)
* [Security Content] Investigation Guides Line break refactor
* undo updated_date bump on deprecated rules
* Remove duplicated key
* Remove changes to deprecated rules
* Update command_and_control_certutil_network_connection.toml
2023-01-09 13:28:10 -03:00
Terrance DeJesus
b1a689b6fd
Revert "[Security Content] Investigation Guides Line breaks refactor (#2412)" (#2453)
This reverts commit d1481e1a88.
2023-01-09 10:44:54 -05:00
Jonhnathan
d1481e1a88
[Security Content] Investigation Guides Line breaks refactor (#2412)
* [Security Content] Investigation Guides Line break refactor
* undo updated_date bump on deprecated rules
* Remove duplicated key
2023-01-09 11:56:39 -03:00
shashank-elastic
896a25bc0f
Refactor file path name (#2452)
2023-01-05 22:10:55 +05:30
Terrance DeJesus
bdffab5722
adding initial solution (#2448)
2023-01-04 12:28:34 -05:00
Terrance DeJesus
4312d8c958
[FR] Add Endpoint, APM and Windows Integration Tags to Rules and Supportability (#2429)
* initial commit
* addressing flake errors
* added apm to _get_packagted_integrations logic
* addressed flake errors
* adjusted integration schema and updated rules to be a list
* updated several rules and removed a unit test
* updated rules with logs-* only index patterns
* Update tests/test_all_rules.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
* addressed flake errors
* integration is none is windows, endpoint or apm
* adding rules with accepted incoming changes from main
* fixed tag and tactic alignment errors from unit testing
* adjusted unit testing logic for integration tags; added more exclusion rules
* adjusted test_integration logic to be rule resistant and skip if -8.3
* adjusted comments for unit test skip
* fixed merge conflicts from main
* changing test_integration_tag to remove logic for rule version comparisons
* added integration tag to new rule
* adjusted rules updated_date value
* ignore guided onboarding rule in unit tests
* added integration tag to new rule
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
2023-01-04 09:30:07 -05:00
Samirbous
46eccea704
[New Rule] Suspicious Module Loaded by LSASS (#2441)
* Create credential_access_lsass_loaded_susp_dll.toml
* Update credential_access_lsass_loaded_susp_dll.toml
* Update rules/windows/credential_access_lsass_loaded_susp_dll.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/credential_access_lsass_loaded_susp_dll.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/credential_access_lsass_loaded_susp_dll.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2023-01-04 07:56:07 +00:00
Samirbous
3dbb87e46c
Update credential_access_kerberoasting_unusual_process.toml (#2444)
2023-01-04 07:50:04 +00:00
Samirbous
73ebdb64c3
Update privilege_escalation_persistence_phantom_dll.toml (#2443)
2023-01-04 07:46:59 +00:00
Terrance DeJesus
953e8d98ae
[Bug] Adjust Kibana Path for File System Rules (#2397)
* adjusted kibana rules path
* addressed flake errors for long string
* added missing / to directory path
2023-01-03 14:54:24 -05:00
Jonhnathan
0acbe1d832
[New Rule] Multiple Alerts Involving a User (#2401)
* [New Rule] Multiple Alerts Involving a User
* Update definitions.py
* update query
* Update multiple_alerts_involving_user.toml
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2023-01-03 12:25:40 -03:00
Mika Ayenson
be884a1cf3
[Rule Tuning] Screensaver Plist File Modified by Unexpected Process (#2413)
2022-12-22 10:27:10 -05:00
Samirbous
7cf14dd515
[Rule Tuning] Parent Process PID Spoofing (#2432)
* Update defense_evasion_parent_process_pid_spoofing.toml
* Update defense_evasion_parent_process_pid_spoofing.toml
* Update defense_evasion_parent_process_pid_spoofing.toml
* Update defense_evasion_parent_process_pid_spoofing.toml
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2022-12-22 14:23:13 +00:00
Samirbous
ae4f671bae
[New Rule] First Time Seen Driver Loaded (#2434)
* Create persistence_driver_newterm_imphash.toml
* Update persistence_driver_newterm_imphash.toml
* Update persistence_driver_newterm_imphash.toml
* Update persistence_driver_newterm_imphash.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2022-12-22 14:10:33 +00:00
Terrance DeJesus
baa6b77040
[Rule Tuning] Change Guided Onboarding Rule to Experimental (#2439)
* initial commit with rule changes
* removed rule from version lock file to pass unit testing; adjusted rule file name
* adjusted maturity to development
2022-12-21 13:36:24 -05:00
Jonhnathan
9c1bd50a63
[Rule Tuning] Adjust Index Pattern on Windows rules to support WEF (#2438)
* [Rule Tuning] Adjust Index Pattern on Windows rules to support WEF
* s/host.id/winlog.computer_name
2022-12-21 11:30:04 -03:00
Samirbous
2516a4013a
[Rule Tuning] PrivEsc via Print Spool Service (#2431)
* Update privilege_escalation_printspooler_service_suspicious_file.toml
* Update privilege_escalation_printspooler_suspicious_spl_file.toml
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2022-12-21 11:51:26 +00:00
Terrance DeJesus
e9169b4cfa
[Bug] Add Non-ECS Checks to New Terms Rule Validation (#2435)
* initial commit with changes to new terms validation
* adjusted validation to call KQLValidator for flattened ECS variable
* changed call to KQLValidator instead of super; validate from same variable
* removed testing rules
* removed commented line
* Version() called on all string versions prior to comparison logic
* adjusted assert error punctuation
2022-12-19 12:44:42 -05:00
Samirbous
80548b97f4
[Rule Tuning] Access to a Sensitive LDAP Attribute (#2430)
* Update credential_access_ldap_attributes.toml
* Update credential_access_ldap_attributes.toml
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2022-12-18 20:36:17 +00:00
Jonhnathan
9f6a54e645
[Rule Tuning] Multiple Alerts in Different ATT&CK Tactics on a Single Host (#2423)
* [Rule Tuning] Multiple Alerts in Different ATT&CK Tactics on a Single Host
* Update non-ecs-schema.json
* Remove duplicated value on non-ecs-schema.json
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2022-12-16 16:05:18 -03:00
Terrance DeJesus
ae4e59ec7d
[FR] Update ATT&CK Package to v12.1 (#2422)
* initial update to v12.1 attack package
* added additional click echo output
* addressed flake errors
* updated rules with refreshed att&ck data
* Update detection_rules/devtools.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
2022-12-16 12:04:20 -05:00
Terrance DeJesus
06053fa0c6
initial commit and updates (#2424)
2022-12-13 10:52:45 -05:00
Mika Ayenson
5bf69b7967
Update package and install process (#1948)
2022-12-08 15:49:49 -05:00
Terrance DeJesus
7e459dd585
[FR] Add support for New Terms Fields and Window Start History (#2360)
* adding support new_terms_fields and window_start_history
* adjusted rule.py to address flake errors
* added assertion error if history_window_start does not exist
* removed sample rule
* removed self.rule_id from DataValidator
* added new_terms to RuleType
* changed new terms to its own class in rule.py
* removed nonexisting function call in DataValidator class
* adjusted new_terms field value in dataclass
* changed literal type for history_window_start; view-rule working
* removing test TOML rule
* addressed flake errors for missing newlines
* added validation option and adjusted object referencing
* adjusted validation method call in post_validation
* addressed flake errors for multiple spaces
* added transform method to NewTermsRuleData class
* added validation for min stack version and new terms array length restraints
* added validation for unique new terms array
* Update detection_rules/rule.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
* removed historywindowstart definition and adjusted subclass
* removed test rule from commit
* adjusted if/else for data transform method check
* adjusted stack-schema-map; validation method name
* Update detection_rules/rule.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
* added assertion for history_window_start field value
* added variables for feature min stack and extended field min stack
* Update detection_rules/rule.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
* Update detection_rules/rule.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
* addressed flake errors for continuation line with same indent
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
2022-12-05 14:07:33 -05:00
Isai
c6f5d47cdf
Update guided_onborading_sample_rule.toml (#2408)
changed name to "My First Rule"
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2022-11-28 08:47:37 -08:00
github-actions[bot]
f8bcfe6800
Locked versions for releases: 7.16,8.0,8.1,8.2,8.3,8.4,8.5,8.6 (#2407)
Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2022-11-28 09:15:53 -05:00
Jonhnathan
b0085f4304
[Rule Tuning] Temporarily Scheduled Task Creation (#2411)
2022-11-28 09:50:08 -03:00
Terrance DeJesus
57b8f630de
initial commit with changes for 8.7 branch creation (#2406)
2022-11-21 12:55:01 -05:00