Terrance DeJesus
bfca0ea414
[New Hunt] Commvault Supply Chain Threat (#4748)
* hunts for CommVault threat
* added lookback time to ESQL query
* updated query logic
2025-05-28 14:11:46 -04:00
Terrance DeJesus
17d98cc8dd
[Rule Tuning] Tuning Azure Entra Sign-in Brute Force against Microsoft 365 Accounts (#4737)
* rule tuning 'Potential Microsoft 365 Brute Force via Entra ID Sign-Ins'
* updated lookback windows, date truncation times
* updated investigation guide
2025-05-28 13:45:15 -04:00
Terrance DeJesus
4bd8469c38
[New Rule] Microsoft Entra ID Elevated Access to User Access Administrator (#4742)
* new rule Microsoft Entra ID Elevated Access to User Access Administrator
* updating uuid
2025-05-28 13:33:22 -04:00
Terrance DeJesus
22d780f9af
[New Rule] Microsoft Entra ID User Reported Suspicious Activity (#4740)
* new rule Microsoft Entra ID User Reported Suspicious Activity
* Update rules/integrations/azure/initial_access_entra_id_user_reported_risk.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2025-05-28 11:55:51 -04:00
Terrance DeJesus
0d4db2ecfe
tuning 'Microsoft Entra ID High Risk Sign-in' (#4739)
2025-05-28 11:40:04 -04:00
Terrance DeJesus
fab0933df4
[Rule Tuning] Tuning Microsoft 365 Global Administrator Role Assigned (#4738)
* tuning 'Microsoft 365 Global Administrator Role Assigned'
* Update rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* Update rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* Update rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
2025-05-21 12:47:58 -04:00
Terrance DeJesus
82bee3e9c2
[Rule Tuning] Microsoft Graph First Occurrence of Client Request (#4728)
* tuning 'Microsoft Graph First Occurrence of Client Request'
* updated update date
2025-05-19 14:56:21 -04:00
Terrance DeJesus
fcd70b284b
[New Rule] Multiple Microsoft 365 User Account Lockouts in Short Time Window (#4717)
* new rule 'Multiple Microsoft 365 User Account Lockouts in Short Time Window'
* adjusted logic
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2025-05-19 14:44:46 -04:00
Terrance DeJesus
3e0a9ec47b
[Rule Tuning] Potential Microsoft 365 User Account Brute Force (#4716)
* tuning M365 brute force rule
* updated logic
* updated references
* adds minstack for values
* removed ignoring MSFT ASN
* Update rules/integrations/o365/credential_access_microsoft_365_potential_user_account_brute_force.toml
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2025-05-19 14:08:38 -04:00
Terrance DeJesus
8f27c24528
[New Rule] Suspicious Email Access by First-Party Application via Microsoft Graph (#4704)
* new rule 'Suspicious Email Access by First-Party Application via Microsoft Graph'
* updated patch version
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2025-05-09 20:49:08 -04:00
Terrance DeJesus
d83e1c711a
[New Rule] Microsoft Entra Session Reuse with Suspicious Graph Access (#4711)
* new rule 'Microsoft Entra Session Reuse with Suspicious Graph Access'
* fixed tags; linted
* fixed mitre mappings
* updated name and investigation guide
2025-05-09 20:32:22 -04:00
Terrance DeJesus
762857f15f
[Rule Tuning] Tuning Suspicious Mailbox Permission Delegation in Exchange Online (#4705)
* rule tuning 'Suspicious Mailbox Permission Delegation in Exchange Online'
* Update rules/integrations/o365/persistence_exchange_suspicious_mailbox_permission_delegation.toml
* updated date
2025-05-08 11:01:00 -04:00
shashank-elastic
0f3bfcd98a
Fix new term doc broken link (#4706)
2025-05-07 17:03:58 +05:30
James Valente
36d595ae2f
[Rule Tuning] Add exceptions for non-interactive signin failures for Entra M365 Bruteforce (#4405)
* Add exceptions for non-interactive signin failures.
Include exceptions for error codes, restricted to `NonInteractiveUserSignInLogs` and token refreshes:
- 70043: Refresh token expired or no longer valid due to conditional access frequency checks
- 70044: Session expired or no longer valid due to conditional access frequency checks
- 50057: User account is disabled
* Update rules/integrations/azure/credential_access_entra_signin_brute_force_microsoft_365.toml
* Update metadata for `updated_date`
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2025-05-06 22:43:15 +05:30
Jonhnathan
d3aa4b2f38
[Rule Tuning] Reduce Severity from Critical to High (#4637)
2025-05-06 21:37:47 +05:30
Terrance DeJesus
a34a26ddec
[Rule Tuning] Excluding Microsoft Entra ID Service Principal Addition Invoked by MSFT Identity (#4700)
* tuning rule to exclude service principals added by MSFT
* added additional exclusions
* updated rule name and file name
* updated investigation guide and mitre
2025-05-06 11:19:50 -04:00
Samirbous
f480e98f16
[New] Concurrent Azure SignIns with Suspicious Properties (#4670)
2025-05-06 13:09:54 +05:30
Samirbous
6e3b38c645
[New] Suspicious Microsoft 365 UserLoggedIn via OAuth Code (#4691)
2025-05-06 12:53:33 +05:30
Terrance DeJesus
57be590d73
[New Rule] Adding Coverage for Suspicious Activity via Auth Broker On-Behalf-of Principal User (#4687)
2025-05-06 12:41:57 +05:30
Terrance DeJesus
58d03d4043
[New Rule] Adding Coverage for Microsoft Entra ID SharePoint Access for User Principal via Auth Broker (#4695)
* new rule 'Microsoft Entra ID SharePoint Access for User Principal via Auth Broker'
* updated severity
* added new terms note
2025-05-05 16:45:47 -04:00
Samirbous
dddc2a7bb9
[New] Microsoft 365 OAuth Redirect to Device Registration for User (#4694)
* [New] Microsoft 365 OAuth Redirect to Device Registration for User Principal
https://github.com/elastic/ia-trade-team/issues/590
* Update non-ecs-schema.json
* Update pyproject.toml
* Update credential_access_antra_id_device_reg_via_oauth_redirection.toml
* Update credential_access_antra_id_device_reg_via_oauth_redirection.toml
* Update credential_access_antra_id_device_reg_via_oauth_redirection.toml
* fixed investigation guide formatting; fixed unit test failure
* updated patch version
---------
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2025-05-02 08:36:10 +01:00
Terrance DeJesus
ce66f52aad
[New Rule] Adding Coverage for Microsoft Entra ID Protection Anonymized IP Risk Detection (#4689)
* Adding new rule 'Microsoft Entra ID Protection Anonymized IP Risk Detection'
* updating description
* adding index
* updating mitre tactic mapping
* updating file name
2025-05-01 23:03:50 -04:00
Terrance DeJesus
bae7835f6a
[New Rule] MSFT Tenant OAuth Phishing via First-Party VSCode Client (#4642)
* new rules for MSFT Oauth phishing in Azure, Entra and Microsoft 365
* changed m365 file name
* fixed duplicate tactics
* updating non-ecs for graph activity logs
* updating rules; investigation guides; formatting, linting errors
2025-05-01 22:38:41 -04:00
Terrance DeJesus
ff2ecad573
[New Rule] Adding Coverage for AWS S3 Static Site JavaScript File Uploaded (#4617)
* new rule 'AWS S3 Static Site JavaScript File Uploaded'
* adjusting name
* updated keep command
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2025-04-30 16:25:03 -04:00
Terrance DeJesus
f02ccfef64
[New Rule] Adding Coverage for AWS IAM or STS API Calls via Temporary Session Tokens (#4628)
* adding new rule 'AWS IAM or STS API Calls via Temporary Session Tokens'
* updated name and query logic
* updated query logic
* changed rule to new terms
* fixed logic
* Update rules/integrations/aws/persistence_iam_sts_api_calls_via_user_session_token.toml
* Update rules/integrations/aws/persistence_iam_sts_api_calls_via_user_session_token.toml
* updated investigation guide; scoped to IAM only; updated naming
* updating file name
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2025-04-24 15:39:51 -04:00
Isai
b429be2bda
[Rule Tuning] O365 Exchange Suspicious Mailbox Right Delegation (#4648)
2025-04-24 10:19:06 +05:30
Samirbous
ea31143b83
[New] Suspicious Azure Sign-in via Visual Studio Code (#4639)
* Create initial_access_entra_login_visual_code_phish.toml
* Update non-ecs-schema.json
* Update initial_access_entra_susp_visual_code_signin.toml
* Update pyproject.toml
* Update initial_access_entra_susp_visual_code_signin.toml
* Update non-ecs-schema.json
2025-04-23 14:06:05 +01:00
Terrance DeJesus
c58d59eeb7
[New Rule] Adding Coverage for AWS CLI with Kali Linux Fingerprint Identified (#4625)
* adding new rule 'AWS CLI with Kali Linux Fingerprint Identified'
* updating rule logic
* updating mitre mapping
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2025-04-21 12:06:57 -04:00
Terrance DeJesus
94237798a5
[New Rule] Adding Coverage for AWS IAM Virtual MFA Device Registration (#4626)
* adding new rule 'AWS IAM Virtual MFA Device Registration Attempt with Session Token'
* updating rule
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2025-04-21 11:02:14 -04:00
Terrance DeJesus
96c2d0ca85
[New Rule] Adding Coverage for AWS Temporary User Session Token Used from Multiple Addresses (#4624)
* adding new rule 'AWS STS Temporary IAM Session Token Used from Multiple Addresses'
* updating rule assets
* updating mitre mapping
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2025-04-17 16:06:40 -04:00
Terrance DeJesus
ba16e27edb
[Rule Tuning] Tuning Azure Service Principal Credentials Added (#4570)
* tuning 'Azure Service Principal Credentials Added'
* updated patch version
* added investigation guide
* updating patch version
* updating patch version
2025-04-16 13:58:17 -04:00
Terrance DeJesus
1a6669e5a6
[Rule Tuning] Adjusting Microsoft Entra ID Rare Authentication Requirement for Principal User (#4562)
* tuning 'Microsoft Entra ID Rare Authentication Requirement for Principal User'
* updated MITRE ATT&CK mappings
* updated index target
* updated patch version
* updating patch version
* bumping patch version
* updating patch version
2025-04-16 12:21:41 -04:00
shashank-elastic
3966981dae
Add investigation guides (#4600)
2025-04-07 20:55:39 +05:30
Jonhnathan
e7806fc74f
[Rule Tuning] O365 Exchange Suspicious Mailbox Right Delegation (#4589)
2025-04-02 09:52:34 -03:00
Terrance DeJesus
c6e37d6910
[Rule Tuning] Tuning Illicit Grant Consent Detections in Azure and M365 (#4557)
* tuning Azure rule for illicit grant activity; creating new rule for M365
* Update rules/integrations/o365/initial_access_microsoft_365_illicit_consent_grant_via_registered_application.toml
* Update rules/integrations/azure/initial_access_entra_illicit_consent_grant_via_registered_application.toml
* adjusted tags
* Update rules/integrations/azure/initial_access_entra_illicit_consent_grant_via_registered_application.toml
2025-03-27 15:55:04 -04:00
Terrance DeJesus
280140650a
tuning 'Azure Conditional Access Policy Modified' (#4558)
2025-03-27 15:43:46 -04:00
Terrance DeJesus
2f3f4fbdef
deprecating 'Azure Virtual Network Device Modified or Deleted' (#4559)
2025-03-27 10:09:34 -04:00
shashank-elastic
2b3095a13c
Update Max signals value to supported limits (#4556)
2025-03-27 09:02:25 +05:30
M. Visser
63c1f47689
[Rule Tuning] Added OWA (outlook for web) new AppID (#4568)
* Added OWA (outlook for web) new AppID
**Title:** Add new Outlook for Web AppID to abnormal Microsoft 365 ClientAppID rule
**Description:**
This pull request updates the `initial_access_microsoft_365_abnormal_clientappid` rule to include the newly introduced Outlook for Web AppID:
- **New AppID**: `9199bf20-a13f-4107-85dc-02114787ef48`
### Context
Outlook for Web (OWA) is migrating to a new authentication platform using MSAL and a Single Page Application (SPA) auth model. As part of this backend change, Microsoft is replacing the existing OWA AppID with a new one. This change is being rolled out during the first half of calendar year 2024, with full deployment expected by Q4 2024.
- **Old OWA AppID**: `00000002-0000-0ff1-ce00-000000000000`
- **New OWA AppID**: `9199bf20-a13f-4107-85dc-02114787ef48`
Although no action is required for tenant administrators, this new AppID may show up in logs and should be accounted for in detections relying on known legitimate ClientAppIDs.
### Why this change?
The rule `initial_access_microsoft_365_abnormal_clientappid` flags potentially suspicious or unauthorized client applications accessing Microsoft 365 services. To prevent false positives caused by this official change from Microsoft, this PR adds the new OWA AppID to the allowlist.
### References
- Microsoft 365 Message Center notice (ref: MC715025)
- [MSAL documentation](https://learn.microsoft.com/en-us/azure/active-directory/develop/msal-overview)
* Update initial_access_microsoft_365_abnormal_clientappid.toml
Updated updated_date
2025-03-26 15:15:28 -03:00
shashank-elastic
e8c54169a4
Prep main for 9.1 (#4555)
* Prep for Release 9.1
* Update Patch Version
* Update Patch version
* Update Patch version
2025-03-26 11:04:14 -04:00
Terrance DeJesus
5e12f05a36
fixing double header in investigation notes (#4490)
2025-03-25 09:08:13 -04:00
Terrance DeJesus
db78756062
[New Rule] Adding Coverage for DynamoDB Exfiltration Behaviors (#4535)
* new rules for AWS DynamoDB data exfiltration
* bumping patch version
* adjusting investigation guide
* updating patch version
* updating patch version
* updating patch version
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2025-03-21 10:05:24 -04:00
shashank-elastic
059d7efa25
Prep for Release 9.0 (#4550)
2025-03-20 20:32:07 +05:30
Kirti Sodhi
955e973c00
Change description and name of problemchild ML detection-rules (#4545)
Changed description and name of problemchild ML detection-rules
2025-03-20 08:58:10 -04:00
Eric Forte
5ccb7ed4af
Min stack rules from 4516 (#4549)
2025-03-19 20:27:30 -04:00
Eric Forte
5b3dc4a4a7
Revert "Add new ML detection rules for Privileged Access Detection (#4516)" (#4548)
This reverts commit 2ff8d1bb56.
2025-03-19 20:08:08 -04:00
Kirti Sodhi
2ff8d1bb56
Add new ML detection rules for Privileged Access Detection (#4516)
Add detection-rules for privileged access detection integration
2025-03-19 11:02:28 -04:00
shashank-elastic
0993ced309
Deprecate Cloud Defend Rules (#4537)
2025-03-14 21:27:37 +05:30
Terrance DeJesus
3ed820afa8
[New Rule] Adding Coverage for Azure Entra Password Spraying (Non-Interactive SFA) (#4523)
* adding new rule 'Azure Entra Repeated Failed Sign-Ins via Non-Interactive Single-Factor Authentication'
* updating name
* added investigation guide
* updated investigation guide
* updated investigation guide
* removed unnecessary comment
* adjusted logic to count distinct on principal id; principal name will be in aggregations now
* updated Entra ID name
2025-03-11 11:25:10 -04:00
Terrance DeJesus
aacb376acf
[New Rule] Adding Coverage for Azure Entra Rare App ID for Principal Authentication (#4524)
* adding new rule 'Azure Entra Rare App ID for Principal Authentication'
* updating tactic tag
* adjusted query logic for user type
* updated Entra ID name
2025-03-11 11:05:56 -04:00