* [Rule Tuning] Linux DR Tuning - 8
* Revise investigation guide for THC tool downloads
Updated investigation guide to reflect THC tool instead of SSH-IT worm. Enhanced description for clarity.
* Update exfiltration_unusual_file_transfer_utility_launched.toml
* Refine ESQL query for brute force malware detection
Updated the query to include additional fields and modified the conditions for filtering events.
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
* [Rule Tuning] Linux DR Tuning - 10
* Update persistence_udev_rule_creation.toml
* Refactor ESQL query for Linux process events
* Refactor query in persistence_web_server_sus_command_execution rule
Removed unnecessary fields from the query and added new fields for event dataset and data stream namespace.
* Update persistence_systemd_netcon.toml
* Update persistence_web_server_sus_child_spawned.toml
* Refactor process.parent.name conditions in TOML file
* Update persistence_web_server_unusual_command_execution.toml
* Update persistence_web_server_unusual_command_execution.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
* [Rule Tuning] Linux DR Tuning - 9
* Update rules/linux/persistence_apt_package_manager_file_creation.toml
* Fix formatting in persistence_boot_file_copy.toml
* Update persistence_chkconfig_service_add.toml
* Change user.id values to string format in TOML
* Fix condition for Java process working directory
* Fix logical operator in OpenSSL passwd hash rule
* Fix syntax for working_directory check
* Fix condition for original file name check
* Update persistence_web_server_unusual_command_execution.toml
* Add cloud CLI tools to persistence rules
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
* [Tuning] Windows BruteForce Rules Tuning
#1 Multiple Logon Failure from the same Source Address: converted to ES|QL and raised the threshold to 100 failed auths, alert quality should be better since it aggregates all failed auths info into one alert vs multiple EQL matches. (expected reduction more than 50%)
#2 Privileged Account Brute Force - coverted to ESQL and set the threshold to 50 in a minute. this should drop noise volume by more than 50%.
* ++
* Update execution_shell_evasion_linux_binary.toml
* Update execution_shell_evasion_linux_binary.toml
* Update defense_evasion_indirect_exec_forfiles.toml
* Update lateral_movement_remote_file_copy_hidden_share.toml
* Update lateral_movement_remote_file_copy_hidden_share.toml
* Update persistence_service_windows_service_winlog.toml
* Update credential_access_lsass_openprocess_api.toml
* Update persistence_suspicious_scheduled_task_runtime.toml
* Update impact_hosts_file_modified.toml
* Update defense_evasion_process_termination_followed_by_deletion.toml
* Update rules/windows/credential_access_lsass_openprocess_api.toml
* Update rules/windows/credential_access_bruteforce_admin_account.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
* Update rules/windows/credential_access_lsass_openprocess_api.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
* Update rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
* Update credential_access_lsass_openprocess_api.toml
* Update impact_hosts_file_modified.toml
* Update credential_access_dollar_account_relay.toml
* Update credential_access_new_terms_secretsmanager_getsecretvalue.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
* [New Rule] Pod or Container Creation with Suspicious Command-Line
* Added container domain tag
* Update execution_suspicious_pod_or_container_creation_command_execution.toml
* Refine EQL query for suspicious pod/container creation
* Update rules/linux/execution_suspicious_pod_or_container_creation_command_execution.toml
* Update execution_suspicious_pod_or_container_creation_command_execution.toml
* Update process name conditions for suspicious execution
* [Rule Tuning] File Transfer or Listener Established via Netcat
* Formatting
* Update execution_file_transfer_or_listener_established_via_netcat.toml
* Update execution_file_transfer_or_listener_established_via_netcat.toml
* Add timestamp override to netcat execution rule
---------
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
* [Rule Tuning] Potential Port Scanning Activity from Compromised Host
* Update rules/linux/discovery_port_scanning_activity_from_compromised_host.toml
* Update port scanning detection query
Refine query to include source IP and limit destination port range.
* Update discovery_port_scanning_activity_from_compromised_host.toml
* Update query in discovery port scanning rule
* Update discovery_port_scanning_activity_from_compromised_host.toml
Ruben Groenewoud