Commit Graph

72 Commits

Author SHA1 Message Date
Pete Hampton 34655374c1 [New Rule] AWS Redshift Cluster Creation (#1921)
* Add rule for Redshift data warehouse creation.

* Add fp block.

* Add AWS integration metadata.

* Add timestamp override.

* Add note.

* Update rules/integrations/aws/persistence_redshift_instance_creation.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/integrations/aws/persistence_redshift_instance_creation.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update description for redshift instance creation.

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
2022-04-28 14:43:26 -04:00
Jonhnathan f050b0ce0c [Rule Tuning] Microsoft 365 Inbox Forwarding Rule Created (#1939)
* [Rule Tuning] Microsoft 365 Inbox Forwarding Rule Created

* Update non-ecs-schema.json

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2022-04-27 09:09:25 -03:00
Jonhnathan 20d2e92cfe Review & Fix Invalid References (#1936) 2022-04-26 17:57:15 -03:00
Isai 9640ecb3fe [Rule Tuning] AWS RDS Instance/Cluster Deletion (#1916)
* add RDS instance deletion to aws rule

I've added to this rule to improve coverage. Currently we detect creation and stopping of RDS clusters and instances, but we only detect the deletion of clusters, not instances. This adds the deletion of RDS instances to the detection.

* Update rules/integrations/aws/impact_rds_instance_cluster_deletion.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2022-04-10 15:33:33 -04:00
Isai 5073ef8be7 [Rule Tuning] AWS Security Group Configuration Change Detection (#1915)
* Update persistence_ec2_security_group_configuration_change_detection

Rule does not trigger as expected due to 'iam' provider. I changed the specified provider to 'ec2'.

* update to improve rule coverage

I edited this rule to include the deletion of an RDS Instance. This fills a current gap in coverage as we are able to detect the creation and stopping of RDS instances and clusters, but only detect deletion of RDS clusters.

* Revert "update to improve rule coverage"

This reverts commit b3b094274fe13c56908aa6781c8236de6e3b5380.
2022-04-07 14:47:09 -04:00
Justin Ibarra 6bdfddac8e Expand timestamp override tests (#1907)
* Expand timestamp_override tests
* removed timestamp_override from eql sequence rules
* add config entry for eql rules with beats index and t_o
* add timestamp_override to missing fields
2022-04-01 15:27:08 -08:00
Justin Ibarra 46c2383e5b [New Rule] Okta User Session Impersonation (#1867)
* [New Rule] Okta User Session Impersonation
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
2022-03-22 16:11:29 -08:00
Stijn Holzhauer 2ed97d2e8c [Rule Tuning] Adding event.provider to AWS WAF Rule or Rule Group Deletion (#1833)
* Adding event.provider

* Removing new line

* Updating updated_date field

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
2022-03-22 20:36:53 -03:00
Jonhnathan 8a9b52f7e1 Update impact_azure_service_principal_credentials_added.toml (#1802) 2022-03-02 05:36:21 -03:00
Jonhnathan 1c50f35aed [Security Content] Update rules based on docs review (#1803)
* Adds suggestions from security-docs

* Update rules/windows/lateral_movement_powershell_remoting_target.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2022-03-01 21:39:30 -03:00
Jonhnathan 8664ef59f4 Update persistence_azure_conditional_access_policy_modified.toml (#1788) 2022-02-22 15:26:28 -03:00
Jonhnathan dec4243db0 [Rule Tuning] Update rules based on docs review (#1778)
* Update rules based on docs review

* trivial change to trigger CLA

* undo changes from triggering build

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2022-02-16 07:42:06 -09:00
Jonhnathan 5a16a222ad [Documentation] Fix O365 Integration name on Rules and Unit Test (#1684)
* Adjust Integration Name

* Update defense_evasion_microsoft_365_mailboxauditbypassassociation.toml

* Update integration name

* .

* Case

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2022-02-09 19:03:30 -03:00
Jonhnathan 26d5bad914 [Rule Tuning] O365 Exchange Suspicious Mailbox Right Delegation (#1741)
* Update persistence_exchange_suspicious_mailbox_right_delegation.toml

* fix year
2022-01-31 21:02:02 -03:00
Justin Ibarra 72c64de3f5 [Rule tuning] Update rules based on docs review (#1663)
* [Rule tuning] Update rule verbiage based on docs review

* fix typos

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* revert TI rule changes since it was deprecated

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
2022-01-28 10:41:22 -09:00
Jonhnathan 189c2b152c [New Rule] Email Reported by User as Malware or Phish (#1699)
* Email Reported by User as Malware or Phish Initial Rule

* Update initial_access_o365_user_reported_phish_malware.toml

* Update rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2022-01-27 16:30:46 -03:00
Jonhnathan f7bc13b437 [New Rule] OneDrive Malware File Upload (#1693)
* "OneDrive Malware File Upload" Initial Rule

* bump severity
2022-01-27 16:19:16 -03:00
Jonhnathan 1676844640 [New Rule] SharePoint Malware File Upload (#1691)
* "SharePoint Malware File Upload" Initial Rule

* s/onedrive/sharepoint

* bump severity
2022-01-27 16:12:17 -03:00
Jonhnathan 14252d45ee [New Rule] Global Administrator Role Assigned (#1686)
* Initial Global Administrator Role Assigned Rules

* Apply suggestions from code review

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2022-01-27 09:53:02 -03:00
Jonhnathan 7e4325dd7a Create credential_access_mfa_push_brute_force.toml (#1682) 2022-01-27 09:37:49 -03:00
Jonhnathan 38ae64f729 [Rule Tuning] GCP Kubernetes Rolebindings Created or Patched (#1718)
* Update privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.toml

* Update rules/integrations/gcp/privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2022-01-27 09:31:51 -03:00
Jonhnathan 0a23d820c9 [Rule Tuning] Fix event.outcome condition on O365 failed logon related rules (#1687)
* Tune rule query

* Update credential_access_microsoft_365_potential_password_spraying_attack.toml

* Update defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml

* Revert "Update defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml"

This reverts commit 5a50aeeff6f1bb23bfeccdc6845e04eb7ccaea43.
2022-01-27 09:22:42 -03:00
Jonhnathan 50c7d5f262 [Rule Tuning] Microsoft 365 Inbox Forwarding Rule Created (#1683)
* Inbox Rule Tuning

* Add RedirectTo

* Update non-ecs-schema.json
2022-01-27 09:20:49 -03:00
Jonhnathan fdeb8cb1de [Rule Tuning] Azure Virtual Network Device Modified or Deleted (#1679)
* Update impact_virtual_network_device_modified.toml

* Change case
2022-01-27 09:15:22 -03:00
Jonhnathan b6d1c1476b [Rule Tuning] Update Google Workspace rules to remove compatibility with deprecated gsuite integration (#1706)
* Adjust queries and min_stack_version
* Update reference to the filebeat module
* adjust min_stack_version
2022-01-25 16:51:20 -09:00
Austin Songer 96ada9e223 [New Rule] Azure Suppression Rule Created (#1666)
* Create defense_evasion_virtual_network_device_modified.toml

* Update defense_evasion_virtual_network_device_modified.toml

* Update defense_evasion_virtual_network_device_modified.toml

* Update defense_evasion_virtual_network_device_modified.toml

* Update defense_evasion_virtual_network_device_modified.toml

* Update defense_evasion_virtual_network_device_modified.toml

* Delete defense_evasion_virtual_network_device_modified.toml

* Moved to correct directory.

* Suppression Rule Created

* Update defense_evasion_suppression_rule_created.toml

* Update defense_evasion_suppression_rule_created.toml

* Update defense_evasion_suppression_rule_created.toml

* Update defense_evasion_suppression_rule_created.toml

* Update defense_evasion_suppression_rule_created.toml

* Update rules/integrations/azure/defense_evasion_suppression_rule_created.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/integrations/azure/defense_evasion_suppression_rule_created.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/integrations/azure/defense_evasion_suppression_rule_created.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
2022-01-20 08:46:24 -03:00
Trevor Miller 101b781bef [Rule Tuning] O365 Excessive Single Sign-On Logon Errors (#1680)
* Change event.category to authentication

The original had the event.category as "web"; the correct value is "authentication".

* Changed updated_date to today's date

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
2022-01-20 08:32:30 -03:00
Jonhnathan af354dc7e8 [New Rule] Mailbox Audit Logging Bypass (#1702)
* "Mailbox Audit Logging Bypass" Initial Rule

* Add reference

* Update rules/integrations/o365/defense_evasion_microsoft_365_mailboxauditbypassassociation.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2022-01-13 17:33:08 -03:00
Justin Ibarra 9a60d7a26a [Rule tuning] fix name for GCP Kubernetes Rolebindings Created or Patched (#1661) 2021-12-13 08:59:56 -09:00
Justin Ibarra 14c46f50b9 [Rule Tuning] updates from documentation review for 7.16 (#1645) 2021-12-07 15:42:58 -09:00
Austin Songer 521f0987ae [New Rule] Azure Kubernetes Rolebindings Created (#1576)
* Create azure_kubernetes_rolebinding_created_or_deleted.toml

* Update

* Update privilege_escalation_azure_kubernetes_rolebinding_created_or_deleted.toml

* Update and rename privilege_escalation_azure_kubernetes_rolebinding_created_or_deleted.toml to privilege_escalation_azure_kubernetes_rolebinding_modified_or_deleted.toml

* Update rules/integrations/azure/privilege_escalation_azure_kubernetes_rolebinding_modified_or_deleted.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update privilege_escalation_azure_kubernetes_rolebinding_modified_or_deleted.toml

* Update privilege_escalation_azure_kubernetes_rolebinding_modified_or_deleted.toml

* Update privilege_escalation_azure_kubernetes_rolebinding_modified_or_deleted.toml

* Update and rename privilege_escalation_azure_kubernetes_rolebinding_modified_or_deleted.toml to privilege_escalation_azure_kubernetes_rolebinding_modified.toml

* Update privilege_escalation_azure_kubernetes_rolebinding_modified.toml

* Update privilege_escalation_azure_kubernetes_rolebinding_modified.toml

* Update privilege_escalation_azure_kubernetes_rolebinding_modified.toml

* Update and rename privilege_escalation_azure_kubernetes_rolebinding_modified.toml to privilege_escalation_azure_kubernetes_rolebinding_created.toml

* Update privilege_escalation_azure_kubernetes_rolebinding_created.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
2021-11-29 09:16:00 -03:00
Austin Songer 3dd32608a0 [New Rule] Azure Active Directory High Risk User AtRisk or Confirmed (#1579)
* Create initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml

* Update initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml

* Update initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml

* Update initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml

* Update rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2021-11-17 19:38:12 -03:00
Justin Ibarra ab17dfcc28 [Bug] Tighten definitions validation patterns (#1396)
* [Bug] Anchor validation patterns
* Deprecate rule with invalid rule_id and duplicate as new one

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
2021-10-26 10:26:20 -05:00
Jonhnathan 4524c175c8 Add missing Integration field (#1537)
* Add missing Integration field

* Bump updated_date

* Add test for integration<->path

* Fix rule folder

* bump updated date in rule

Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
2021-10-26 12:05:12 -03:00
Austin Songer 89553d84a9 [New Rule] AWS Route Table Created (#1257)
* Update impact_iam_deactivate_mfa_device.toml

https://github.com/elastic/detection-rules/issues/1111

* Update impact_iam_deactivate_mfa_device.toml

* Update discovery_post_exploitation_external_ip_lookup.toml

        "*ipapi.co",
        "*ip-lookup.net",
        "*ipstack.com"

* Update rules/aws/impact_iam_deactivate_mfa_device.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Revert "Update discovery_post_exploitation_external_ip_lookup.toml"

This reverts commit b57fd60c9511e20a336d32a9c9b8d5cf9954c50e.

* Update

* New Rule: Okta User Attempted Unauthorized Access

* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Delete privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Create persistence_new-or-modified-federation-domain.toml

* Delete persistence_new-or-modified-federation-domain.toml

* Create persistence_route_table_created.toml

* Update persistence_route_table_created.toml

* Update rules/persistence_route_table_created.toml

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>

* Update persistence_route_table_created.toml

* Update .gitignore

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update persistence_route_table_created.toml

* Update

* Update

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
2021-10-26 10:25:53 -03:00
Justin Ibarra 5bdf70e72c Add min_stack_comments to metadata schema (#1573)
* Add min_stack_comments to metadata schema
2021-10-19 20:52:53 -08:00
Austin Songer 3ab67d1562 [New Rule] AWS EventBridge Rule Disabled or Deleted (#1572)
* Create aws_eventbridge_rule_disabled_or_deleted.toml

* Update aws_eventbridge_rule_disabled_or_deleted.toml

* Update aws_eventbridge_rule_disabled_or_deleted.toml

* Update aws_eventbridge_rule_disabled_or_deleted.toml

* Update rules/integrations/aws/aws_eventbridge_rule_disabled_or_deleted.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/integrations/aws/aws_eventbridge_rule_disabled_or_deleted.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update aws_eventbridge_rule_disabled_or_deleted.toml

* Rename aws_eventbridge_rule_disabled_or_deleted.toml to impact_aws_eventbridge_rule_disabled_or_deleted.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
2021-10-18 15:36:21 -03:00
Austin Songer 2c39bb962f [New Rule] AWS EFS File System or Mount Deleted (#1462)
* AWS EFS File System or Mount Deleted

* Update impact_efs_filesystem_or_mount_deleted.toml

* Update rules/integrations/aws/impact_efs_filesystem_or_mount_deleted.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update impact_efs_filesystem_or_mount_deleted.toml

* Update impact_efs_filesystem_or_mount_deleted.toml

* Update impact_efs_filesystem_or_mount_deleted.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
2021-10-15 23:23:07 -03:00
Austin Songer 702524b1f7 [New Rule] AWS Suspicious SAML Activity (#1498)
* Create privilege_escalation_aws_suspicious_saml_activity.toml

* Update privilege_escalation_aws_suspicious_saml_activity.toml

* Update privilege_escalation_aws_suspicious_saml_activity.toml

* Update privilege_escalation_aws_suspicious_saml_activity.toml

* Update privilege_escalation_aws_suspicious_saml_activity.toml

* Update privilege_escalation_aws_suspicious_saml_activity.toml

* Update privilege_escalation_aws_suspicious_saml_activity.toml

* Update privilege_escalation_aws_suspicious_saml_activity.toml

* Update privilege_escalation_aws_suspicious_saml_activity.toml

* Add trailing /

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
2021-10-15 23:11:15 -03:00
Austin Songer 50501bb40f [New Rule] Azure Full Network Packet Capture Detected (#1420)
* Create defense_evasion_virtual_network_device_modified.toml

* Update defense_evasion_virtual_network_device_modified.toml

* Update defense_evasion_virtual_network_device_modified.toml

* Update defense_evasion_virtual_network_device_modified.toml

* Update defense_evasion_virtual_network_device_modified.toml

* Update defense_evasion_virtual_network_device_modified.toml

* Delete defense_evasion_virtual_network_device_modified.toml

* Create exfiltration_azure_full_network_packet_capture_detected.toml

* Update exfiltration_azure_full_network_packet_capture_detected.toml

* Update exfiltration_azure_full_network_packet_capture_detected.toml

* Update exfiltration_azure_full_network_packet_capture_detected.toml

* Update exfiltration_azure_full_network_packet_capture_detected.toml

* Update exfiltration_azure_full_network_packet_capture_detected.toml

* Update exfiltration_azure_full_network_packet_capture_detected.toml

* Update exfiltration_azure_full_network_packet_capture_detected.toml

* Update exfiltration_azure_full_network_packet_capture_detected.toml

* Update rules/integrations/azure/exfiltration_azure_full_network_packet_capture_detected.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/integrations/azure/exfiltration_azure_full_network_packet_capture_detected.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update exfiltration_azure_full_network_packet_capture_detected.toml

* Update exfiltration_azure_full_network_packet_capture_detected.toml

* Rename exfiltration_azure_full_network_packet_capture_detected.toml to credential_access_azure_full_network_packet_capture_detected.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
2021-10-15 23:06:27 -03:00
Austin Songer 790586fb57 [New Rule] Azure Virtual Network Device Modified or Deleted (#1421)
* Create defense_evasion_virtual_network_device_modified.toml

* Update defense_evasion_virtual_network_device_modified.toml

* Update defense_evasion_virtual_network_device_modified.toml

* Update defense_evasion_virtual_network_device_modified.toml

* Update defense_evasion_virtual_network_device_modified.toml

* Update defense_evasion_virtual_network_device_modified.toml

* Delete defense_evasion_virtual_network_device_modified.toml

* Create defense_evasion_virtual_network_device_modified.toml

* Update defense_evasion_virtual_network_device_modified.toml

* Update rules/integrations/azure/defense_evasion_virtual_network_device_modified.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/integrations/azure/defense_evasion_virtual_network_device_modified.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update defense_evasion_virtual_network_device_modified.toml

* Update rules/integrations/azure/defense_evasion_virtual_network_device_modified.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Rename defense_evasion_virtual_network_device_modified.toml to impact_virtual_network_device_modified.toml

* fix description

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
2021-10-15 16:11:05 -03:00
Austin Songer 761df5fe84 [New Rule] Azure Kubernetes Pods Deleted (#1309)
* Create impact_kubernetes_pod_deleted.toml

* Update impact_kubernetes_pod_deleted.toml

* Update

* Update impact_kubernetes_pod_deleted.toml

* quote value in query

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
2021-10-15 16:07:39 -03:00
Austin Songer dc980effb0 [New Rule] AWS RDS Snapshot Restored (#1312)
* Create exfiltration_rds_snapshot_restored.toml

* Update exfiltration_rds_snapshot_restored.toml

* Delete exfiltration_rds_snapshot_restored.toml

* Create exfiltration_rds_snapshot_restored.toml

* Update

* Update rules/integrations/aws/exfiltration_rds_snapshot_restored.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/integrations/aws/exfiltration_rds_snapshot_restored.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update exfiltration_rds_snapshot_restored.toml

* Update exfiltration_rds_snapshot_restored.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
2021-10-15 16:05:00 -03:00
Austin Songer 3303a4e255 [New Rule] Microsoft 365 - Mass download by a single user (#1348)
* Create impact_microsoft_365_mass_download_by_a_single_user.toml

* Update impact_microsoft_365_mass_download_by_a_single_user.toml

* Update impact_microsoft_365_mass_download_by_a_single_user.toml

* Update impact_microsoft_365_mass_download_by_a_single_user.toml

* Update impact_microsoft_365_mass_download_by_a_single_user.toml

* Update impact_microsoft_365_mass_download_by_a_single_user.toml

* Update

* Update impact_microsoft_365_mass_download_by_a_single_user.toml

* Update impact_microsoft_365_mass_download_by_a_single_user.toml

* Update rules/integrations/o365/impact_microsoft_365_mass_download_by_a_single_user.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update impact_microsoft_365_mass_download_by_a_single_user.toml

* Update impact_microsoft_365_mass_download_by_a_single_user.toml

* Update rules/integrations/o365/impact_microsoft_365_mass_download_by_a_single_user.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
2021-10-15 16:01:50 -03:00
Austin Songer 90504915ad [New Rule] AWS Route53 hosted zone associated with a VPC (#1365)
* Create persistence_route_53_hosted_zone_associated_with_a_vpc.toml

* Update

* Update rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update persistence_route_53_hosted_zone_associated_with_a_vpc.toml

* Update persistence_route_53_hosted_zone_associated_with_a_vpc.toml

* Update persistence_route_53_hosted_zone_associated_with_a_vpc.toml

* Update persistence_route_53_hosted_zone_associated_with_a_vpc.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
2021-10-15 15:59:33 -03:00
Austin Songer d7eab5bbf3 [New Rule] AWS STS AssumeRole Usage (#1214)
* Update impact_iam_deactivate_mfa_device.toml

https://github.com/elastic/detection-rules/issues/1111

* Update impact_iam_deactivate_mfa_device.toml

* Update discovery_post_exploitation_external_ip_lookup.toml

        "*ipapi.co",
        "*ip-lookup.net",
        "*ipstack.com"

* Update rules/aws/impact_iam_deactivate_mfa_device.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Revert "Update discovery_post_exploitation_external_ip_lookup.toml"

This reverts commit b57fd60c9511e20a336d32a9c9b8d5cf9954c50e.

* Update

* New Rule: Okta User Attempted Unauthorized Access

* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Delete privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Create persistence_new-or-modified-federation-domain.toml

* Delete persistence_new-or-modified-federation-domain.toml

* Create lateral_movement_sts_assumerole_abuse.toml

* Rename lateral_movement_sts_assumerole_abuse.toml to privilege_escalation_sts_assumerole_abuse.toml

* Update privilege_escalation_sts_assumerole_abuse.toml

* Update privilege_escalation_sts_assumerole_abuse.toml

* Update privilege_escalation_sts_assumerole_abuse.toml

* Update

* Update .gitignore

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update privilege_escalation_sts_assumerole_abuse.toml

* Update privilege_escalation_sts_assumerole_abuse.toml

* Update privilege_escalation_sts_assumerole_abuse.toml

* Update and rename privilege_escalation_sts_assumerole_abuse.toml to privilege_escalation_sts_assumerole_usage.toml

* Update rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Add note field

* Update privilege_escalation_sts_assumerole_usage.toml

* Update rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Adding Reference

* Expand STS

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
2021-10-15 15:56:10 -03:00
Austin Songer 27ba204f1c [New Rule] GCP Kubernetes Rolebindings Created or Patched (#1267)
* Update impact_iam_deactivate_mfa_device.toml

https://github.com/elastic/detection-rules/issues/1111

* Update impact_iam_deactivate_mfa_device.toml

* Update discovery_post_exploitation_external_ip_lookup.toml

        "*ipapi.co",
        "*ip-lookup.net",
        "*ipstack.com"

* Update rules/aws/impact_iam_deactivate_mfa_device.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Revert "Update discovery_post_exploitation_external_ip_lookup.toml"

This reverts commit b57fd60c9511e20a336d32a9c9b8d5cf9954c50e.

* Update

* New Rule: Okta User Attempted Unauthorized Access

* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Delete privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Create persistence_new-or-modified-federation-domain.toml

* Delete persistence_new-or-modified-federation-domain.toml

* Create credential_access_gcp_kubernetes_rolebindings_creation.toml

* Update credential_access_gcp_kubernetes_rolebindings_creation.toml

* Update credential_access_gcp_kubernetes_rolebindings_creation.toml

* Update credential_access_gcp_kubernetes_rolebindings_creation.toml

* Update credential_access_gcp_kubernetes_rolebindings_creation.toml

* Update credential_access_gcp_kubernetes_rolebindings_creation.toml

* Update credential_access_gcp_kubernetes_rolebindings_creation.toml

* Update

* Update .gitignore

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/integrations/gcp/credential_access_gcp_kubernetes_rolebindings_creation.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update credential_access_gcp_kubernetes_rolebindings_creation.toml

* Update credential_access_gcp_kubernetes_rolebindings_creation.toml

* Update and rename credential_access_gcp_kubernetes_rolebindings_creation.toml to credential_access_gcp_kubernetes_rolebindings_created_or_patched.toml

* Update credential_access_gcp_kubernetes_rolebindings_created_or_patched.toml

* Update credential_access_gcp_kubernetes_rolebindings_created_or_patched.toml

* Rename credential_access_gcp_kubernetes_rolebindings_created_or_patched.toml to privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.toml

* remove space from query

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2021-10-15 15:42:25 -03:00
Austin Songer 7123d46623 [New Rule] Azure Blob Permissions Modification (#1499)
* Create defense_evasion_azure_blob_permissions_modified.toml

* Update defense_evasion_azure_blob_permissions_modified.toml

* Update defense_evasion_azure_blob_permissions_modified.toml

* Update description and query (spacing)

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
2021-10-14 06:59:24 -03:00
Austin Songer 3d15c2072d [New Rule] Azure Kubernetes Events Deleted (#1307)
* Create defense_evasion_kubernetes_events_deleted.toml

* Update defense_evasion_kubernetes_events_deleted.toml

* Update defense_evasion_kubernetes_events_deleted.toml

* Update

* Update defense_evasion_kubernetes_events_deleted.toml

* Update defense_evasion_kubernetes_events_deleted.toml

* Update defense_evasion_kubernetes_events_deleted.toml

* Update rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Add quotes to azure query field

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2021-10-14 06:57:33 -03:00
Austin Songer 11fa592c6f [New Rule] Microsoft 365 - Impossible travel activity (#1344)
* Create initial_access_microsoft_365_impossible_travel_activity.toml

* Update initial_access_microsoft_365_impossible_travel_activity.toml

* Update initial_access_microsoft_365_impossible_travel_activity.toml

* Update initial_access_microsoft_365_impossible_travel_activity.toml

* Update initial_access_microsoft_365_impossible_travel_activity.toml

* Update initial_access_microsoft_365_impossible_travel_activity.toml

* Update initial_access_microsoft_365_impossible_travel_activity.toml

* Updated Directory

* Update initial_access_microsoft_365_impossible_travel_activity.toml

* Update rules/integrations/o365/initial_access_microsoft_365_impossible_travel_activity.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update initial_access_microsoft_365_impossible_travel_activity.toml

* Update initial_access_microsoft_365_impossible_travel_activity.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
2021-10-12 19:11:32 -03:00