sigma-rules

Author	SHA1	Message	Date
Jonhnathan	625d1df2bf	[Rule Tuning] Interactive Terminal Spawned via Python - Python3 and bypasses fix (#1649 ) * Update execution_python_tty_shell.toml * Update EQL query to sequence * Remove auditbeat index * Update rules/linux/execution_python_tty_shell.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2022-01-20 08:50:30 -03:00
Justin Ibarra	5bdf70e72c	Add min_stack_comments to metadata schema (#1573 ) * Add min_stack_comments to metadata schema	2021-10-19 20:52:53 -08:00
Justin Ibarra	d31ea6253e	Refresh ATT&CK mappings to v9.0 (#1401 ) * Refresh ATT&CK mappings to v9.0 * Update rules to reflect ATT&CK changes	2021-08-04 14:16:10 -08:00
Ross Wolf	9b559d0cd9	[Rule Tuning] Creation of Hidden Files and Directories (#1357 ) * [Rule Tuning] Creation of Hidden Files and Directories * Remove redundant `A` from the regex	2021-07-21 11:47:40 -06:00
Brent Murphy	12577f7380	[Rule Tuning] Update network rule address blocks (#1227 ) * Update network rule address blocks Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>	2021-06-15 09:22:59 -04:00
Brent Murphy	ff45539369	[Deprecation] Deprecate inherently noisy rules based on testing (#1122 ) * Demote maturity Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>	2021-04-21 15:10:06 -04:00
Samirbous	170b87097d	[New Rule] Potential Protocol Tunneling via EarthWorm (#1094 ) * [New Rule] Potential Protocol Tunneling via EarthWorm * fixed tactic ID * fixed rule_id * tactic case sensitive * tags * Update rules/linux/command_and_control_tunneling_via_earthworm.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2021-04-15 10:17:56 +02:00
Samirbous	3e1169317f	[Rule Tuning] Timestomping using Touch Command (#1006 ) * [Rule Tuning] Timestomping using Touch Command * removed process_started from event.type * update date * Update defense_evasion_timestomp_touch.toml * lint and resolve conflict Co-authored-by: Brent Murphy <bmurphy@endgame.com>	2021-03-19 10:26:40 +01:00
Justin Ibarra	0b65678d8c	[Rule tuning] Correct tags with associated threat mappings (#1003 )	2021-03-08 14:12:29 -09:00
Justin Ibarra	3fc34b86f2	Update License to Elastic v2 (#944 )	2021-03-03 22:12:11 -09:00
Justin Ibarra	645a0cd67b	[Rule Tuning] Add timestamp_override to all query and non-sequence EQL rules (#945 ) * [Rule Tuning] Add timestamp_override field to rules * add tests for lookback and timestamp_override * fix dates and add test to ensure updated > creation	2021-02-17 19:49:58 -09:00
brokensound77	2e0bb6c617	remove deprecated rule again	2021-02-17 14:15:21 -09:00
brokensound77	a77bd6178f	Merge remote-tracking branch 'upstream/7.11' into merge-7.11-to-7.12 # Conflicts: # rules/linux/privilege_escalation_setgid_bit_set_via_chmod.toml	2021-02-17 14:11:50 -09:00
Justin Ibarra	90a9320f93	[Rule Tuning] Remove timestamp_override for endgame-* promotion rules (#951 ) * remove timestamp_override from endgame promotion rules * updated version.lock to previous state for endgame promotion rule changes * fix incorrect year in updated_date	2021-02-17 13:48:57 -09:00
brokensound77	32e3c02c4e	remove deprecated rule	2021-02-17 12:19:36 -09:00
brokensound77	6ce418877f	Merge remote-tracking branch 'upstream/7.12' into merge-7.11-to-7.12 # Conflicts: # etc/version.lock.json # rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml # rules/cross-platform/impact_hosts_file_modified.toml # rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml # rules/cross-platform/privilege_escalation_sudoers_file_mod.toml # rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml # rules/linux/defense_evasion_timestomp_touch.toml # rules/linux/privilege_escalation_setgid_bit_set_via_chmod.toml # rules/macos/credential_access_credentials_keychains.toml # rules/macos/credential_access_promt_for_pwd_via_osascript.toml # rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml # rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml # rules/promotions/external_alerts.toml # rules/windows/collection_email_powershell_exchange_mailbox.toml # rules/windows/collection_persistence_powershell_exch_mailbox_activesync_add_device.toml # rules/windows/collection_winrar_encryption.toml # rules/windows/command_and_control_common_webservices.toml # rules/windows/command_and_control_encrypted_channel_freesslcert.toml # rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml # rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml # rules/windows/command_and_control_teamviewer_remote_file_copy.toml # rules/windows/credential_access_cmdline_dump_tool.toml # rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml # rules/windows/credential_access_credential_dumping_msbuild.toml # rules/windows/credential_access_domain_backup_dpapi_private_keys.toml # rules/windows/credential_access_dump_registry_hives.toml # rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml # rules/windows/credential_access_iis_connectionstrings_dumping.toml # rules/windows/credential_access_kerberoasting_unusual_process.toml # rules/windows/credential_access_lsass_memdump_file_created.toml # rules/windows/credential_access_mimikatz_memssp_default_logs.toml # rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml # rules/windows/defense_evasion_clearing_windows_event_logs.toml # rules/windows/defense_evasion_code_injection_conhost.toml # rules/windows/defense_evasion_cve_2020_0601.toml # rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml # rules/windows/defense_evasion_deleting_backup_catalogs_with_wbadmin.toml # rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml # rules/windows/defense_evasion_dotnet_compiler_parent_process.toml # rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml # rules/windows/defense_evasion_encoding_or_decoding_files_via_certutil.toml # rules/windows/defense_evasion_execution_lolbas_wuauclt.toml # rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml # rules/windows/defense_evasion_execution_msbuild_started_by_script.toml # rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml # rules/windows/defense_evasion_execution_msbuild_started_renamed.toml # rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml # rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml # rules/windows/defense_evasion_execution_via_trusted_developer_utilities.toml # rules/windows/defense_evasion_hide_encoded_executable_registry.toml # rules/windows/defense_evasion_iis_httplogging_disabled.toml # rules/windows/defense_evasion_injection_msbuild.toml # rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml # rules/windows/defense_evasion_masquerading_renamed_autoit.toml # rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml # rules/windows/defense_evasion_masquerading_trusted_directory.toml # rules/windows/defense_evasion_modification_of_boot_config.toml # rules/windows/defense_evasion_port_forwarding_added_registry.toml # rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml # rules/windows/defense_evasion_sdelete_like_filename_rename.toml # rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml # rules/windows/defense_evasion_suspicious_managedcode_host_process.toml # rules/windows/defense_evasion_suspicious_zoom_child_process.toml # rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml # rules/windows/defense_evasion_unusual_dir_ads.toml # rules/windows/defense_evasion_unusual_system_vp_child_program.toml # rules/windows/defense_evasion_via_filter_manager.toml # rules/windows/defense_evasion_volume_shadow_copy_deletion_via_wmic.toml # rules/windows/discovery_adfind_command_activity.toml # rules/windows/discovery_admin_recon.toml # rules/windows/discovery_file_dir_discovery.toml # rules/windows/discovery_net_command_system_account.toml # rules/windows/discovery_net_view.toml # rules/windows/discovery_peripheral_device.toml # rules/windows/discovery_process_discovery_via_tasklist_command.toml # rules/windows/discovery_query_registry_via_reg.toml # rules/windows/discovery_remote_system_discovery_commands_windows.toml # rules/windows/discovery_security_software_wmic.toml # rules/windows/discovery_whoami_command_activity.toml # rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml # rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml # rules/windows/execution_command_shell_started_by_powershell.toml # rules/windows/execution_command_shell_started_by_svchost.toml # rules/windows/execution_command_shell_started_by_unusual_process.toml # rules/windows/execution_command_shell_via_rundll32.toml # rules/windows/execution_from_unusual_directory.toml # rules/windows/execution_from_unusual_path_cmdline.toml # rules/windows/execution_shared_modules_local_sxs_dll.toml # rules/windows/execution_suspicious_cmd_wmi.toml # rules/windows/execution_suspicious_image_load_wmi_ms_office.toml # rules/windows/execution_suspicious_pdf_reader.toml # rules/windows/execution_suspicious_powershell_imgload.toml # rules/windows/execution_suspicious_psexesvc.toml # rules/windows/execution_suspicious_short_program_name.toml # rules/windows/execution_via_compiled_html_file.toml # rules/windows/execution_via_hidden_shell_conhost.toml # rules/windows/execution_via_net_com_assemblies.toml # rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml # rules/windows/impact_volume_shadow_copy_deletion_via_vssadmin.toml # rules/windows/initial_access_script_executing_powershell.toml # rules/windows/initial_access_suspicious_ms_office_child_process.toml # rules/windows/initial_access_suspicious_ms_outlook_child_process.toml # rules/windows/initial_access_unusual_dns_service_children.toml # rules/windows/initial_access_unusual_dns_service_file_writes.toml # rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml # rules/windows/lateral_movement_execution_from_tsclient_mup.toml # rules/windows/lateral_movement_local_service_commands.toml # rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml # rules/windows/lateral_movement_rdp_enabled_registry.toml # rules/windows/lateral_movement_rdp_tunnel_plink.toml # rules/windows/lateral_movement_remote_file_copy_hidden_share.toml # rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml # rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml # rules/windows/persistence_adobe_hijack_persistence.toml # rules/windows/persistence_appcertdlls_registry.toml # rules/windows/persistence_appinitdlls_registry.toml # rules/windows/persistence_evasion_registry_ifeo_injection.toml # rules/windows/persistence_gpo_schtask_service_creation.toml # rules/windows/persistence_local_scheduled_task_commands.toml # rules/windows/persistence_ms_office_addins_file.toml # rules/windows/persistence_ms_outlook_vba_template.toml # rules/windows/persistence_priv_escalation_via_accessibility_features.toml # rules/windows/persistence_registry_uncommon.toml # rules/windows/persistence_run_key_and_startup_broad.toml # rules/windows/persistence_services_registry.toml # rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml # rules/windows/persistence_startup_folder_scripts.toml # rules/windows/persistence_suspicious_com_hijack_registry.toml # rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml # rules/windows/persistence_suspicious_scheduled_task_runtime.toml # rules/windows/persistence_suspicious_service_created_registry.toml # rules/windows/persistence_system_shells_via_services.toml # rules/windows/persistence_user_account_creation.toml # rules/windows/persistence_via_application_shimming.toml # rules/windows/persistence_via_hidden_run_key_valuename.toml # rules/windows/persistence_via_lsa_security_support_provider_registry.toml # rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml # rules/windows/persistence_via_update_orchestrator_service_hijack.toml # rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml # rules/windows/privilege_escalation_named_pipe_impersonation.toml # rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml # rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml # rules/windows/privilege_escalation_rogue_windir_environment_var.toml # rules/windows/privilege_escalation_uac_bypass_com_clipup.toml # rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml # rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml # rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml # rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml # rules/windows/privilege_escalation_uac_bypass_event_viewer.toml # rules/windows/privilege_escalation_uac_bypass_mock_windir.toml # rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml # rules/windows/privilege_escalation_unusual_parentchild_relationship.toml # rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml	2021-02-17 12:18:06 -09:00
Justin Ibarra	61deed3fd2	[Rule Tuning] 7.11.2: Add timestamp_override to all query and non-sequence EQL rules (#948 ) * [Rule Tuning] Add timestamp_override field to 7.11.0 rules * Lock versions for 7.11.2 rules	2021-02-16 10:52:48 -09:00
Justin Ibarra	4e6ff388fc	[Rule Tuning] Feedback from 7.12 Kibana PR (#942 )	2021-02-11 13:32:58 -09:00
Andrew Stucki	6e77f5176d	[New Rule] auditd login anomalies (#33 ) * Add auditd login anomaly rules * Flip logic to start with less-specific filters * remove event.category from queries and update metadata * surround event.action with quotes to account for dash * update tags Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2021-02-10 14:24:55 -05:00
Samirbous	ffaf689778	[New Rule] Persistence via KDE AutoStart Script or Desktop File Modif… (#809 ) * [New Rule] Persistence via KDE AutoStart Script or Desktop File Modification * Update persistence_kde_autostart_modification.toml * Update rules/linux/persistence_kde_autostart_modification.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/linux/persistence_kde_autostart_modification.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * relinted * Update rules/linux/persistence_kde_autostart_modification.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * format * date Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2021-02-09 10:47:05 +01:00
Samirbous	82fe227030	[New Rule] Sensitive Files Compression (#756 ) * [New Rule] Sensitive Files Compression * conv to kql * Update rules/linux/credential_access_collection_sensitive_files.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/linux/credential_access_collection_sensitive_files.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> * Update rules/linux/credential_access_collection_sensitive_files.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> * Update rules/linux/credential_access_collection_sensitive_files.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>	2021-02-08 16:31:00 +01:00
Samirbous	99a4aaff58	[New Rule] Modification of the Dynamic Linker Preload Shared Object (#921 ) * [New Rule] Modification of the Dynamic Linker Preload Shared Object * Update rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * relinted Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2021-02-08 16:11:37 +01:00
Samirbous	732770e855	[New Rule] Potential OpenSSH Backdoor Logging Activity (#749 ) * [New Rule] Known SSH Backdoor Logging File * updated query to common patterns * updated rule name * relinted * added extra path * renamed * adjusted some filepaths * Update rules/linux/credential_access_ssh_backdoor_log.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> * Update rules/linux/credential_access_ssh_backdoor_log.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> * Update rules/linux/credential_access_ssh_backdoor_log.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> * Update rules/linux/credential_access_ssh_backdoor_log.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> * Update rules/linux/credential_access_ssh_backdoor_log.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> * Update rules/linux/credential_access_ssh_backdoor_log.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/linux/credential_access_ssh_backdoor_log.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/linux/credential_access_ssh_backdoor_log.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * added kobalos OpenSSH credential stealer added kobalos SSH credential stealer default logs file as reported by ESET this week https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf * relinted * adjusted MITRE technique * Update rules/linux/credential_access_ssh_backdoor_log.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/linux/credential_access_ssh_backdoor_log.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2021-02-05 21:27:15 +01:00
Samirbous	bec5211814	[Rule Tuning] Setuid Bit Set via chmod and Setgid Bit Set via chmod (#875 ) * [Rule Tuning] Setuid Bit Set via chmod and Setgid Bit Set via chmod * Update privilege_escalation_setuid_setgid_bit_set_via_chmod.toml * relinted	2021-02-04 16:29:53 +01:00
Brent Murphy	236c630c90	[Rule Tuning] Update rules using case sensitive wildcard function (#904 ) * update rules using case sensitive wildcard function * add appropriate spacing * Apply suggestions from code review Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * update == * Apply suggestions from code review * remove info update index * Update defense_evasion_deletion_of_bash_command_line_history.toml * Update persistence_evasion_hidden_local_account_creation.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2021-02-04 10:23:32 -05:00
Samirbous	4a5085ee54	[Rule Tuning] Sudoers File Modification (#873 ) * [Rule Tuning] Sudoers File Modification * 2021! * Update rules/cross-platform/privilege_escalation_sudoers_file_mod.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * relinted Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2021-02-03 17:57:40 +01:00
brokensound77	bf32dec5a4	Merge remote-tracking branch 'upstream/main' into mergeback/7.11-to-main # Conflicts: # rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml	2021-01-28 10:41:39 -09:00
Samirbous	3fc4aaec0f	[New Rule] Modification of OpenSSH Binaries (#747 ) * [New Rule] Modification of SSH Binaries * Update persistence_credential_access_modify_ssh_binaries.toml * exclude unrelated auditbeat FP events * updated TIDs and Tactics * fix order of TIDs and Tactics * relinted * added libkeyutils.so used by Ebury Backdoor loaded by all OpenSSH processes * renamed * conv to kql and added one FP * Update rules/linux/persistence_credential_access_modify_ssh_binaries.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/linux/persistence_credential_access_modify_ssh_binaries.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2021-01-28 19:46:30 +01:00
Samirbous	ebf365693e	[Rule Tuning] Deletion of Bash Command Line History (#752 ) * [Rule Tuning] Deletion of Bash Command Line History * Update defense_evasion_deletion_of_bash_command_line_history.toml * Update rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> * Update rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>	2021-01-26 08:48:06 +01:00
Justin Ibarra	c1a0438f45	[Rule Tuning] Update ATT&CK threat mappings to reflect changes (#706 ) * replaced/removed all revoked/deprecated techniques * tests will fail on revoked (changed) techniques * tests will fail on deprecated techniques * tests will fail when techniques are mapped to an invalid tactic	2020-12-18 12:46:16 -09:00
Justin Ibarra	e272800a5d	Add ATT&CK sub-technique support to CLI (#614 ) * Add Mitre sub-technique support to CLI * Add subtechnique enum to schema * Add test to prevent duplicative tactics in mapping	2020-12-08 21:56:55 -09:00
Samirbous	6bc4a6b9bb	[New Rule] Linux System Log Files Deleted (#461 ) * [New Rule] Linux System Log Files Deleted * Update defense_evasion_log_files_deleted.toml * Update rules/linux/defense_evasion_log_files_deleted.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * added linux to rule name as sug by JLB * ecs_version * Update rules/linux/defense_evasion_log_files_deleted.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/linux/defense_evasion_log_files_deleted.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/linux/defense_evasion_log_files_deleted.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * adjusted format Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2020-12-08 17:34:33 +01:00
Justin Ibarra	97ee8cc9ac	Refresh beats and ecs schemas and default to use latest to validate (#570 ) * Refresh beats and ecs schemas and default to use latest to validate * remove incorrect ecs_version from zoom rule * remove stale ecs_version from rules	2020-12-01 13:24:20 -09:00
Samirbous	eb487f9433	[New Rule] Timestomping using Touch Command (#463 ) * [New Rule] Timestomping using Touch Command * Update defense_evasion_timestomp_touch.toml * added macOS tag * Update rules/linux/defense_evasion_timestomp_touch.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>	2020-11-17 23:29:47 +01:00
Justin Ibarra	f87f2a46f4	[Rule Tuning] Remove all rule timelines (#466 )	2020-11-03 09:51:53 -09:00
Justin Ibarra	da64bacac1	[Rule Tuning] Add timeline_title to rules with timeline IDs defined (#452 )	2020-11-02 14:12:20 -09:00
Justin Ibarra	a575cf9ff3	[Rule Tuning] Use cidrMatch for eql rules checking multiple IPs (#431 )	2020-10-29 11:06:24 -08:00
Justin Ibarra	0d3c35886c	Remove connection type from endpoint network rules (#426 )	2020-10-28 12:35:34 -08:00
Derek Ditch	580db2c13e	Add timeline_id to detection rules (#95 ) * Adds timeline_id to all network rules - Uses the ID for the 'Generic Network Timeline' from Elastic * Adds timeline_id to all endpoint rules - Uses the ID for the 'Generic Endpoint Timeline' from Elastic * Adds timeline_id to all process-oriented rules - Uses the ID for the 'Generic Process Timeline' from Elastic * Ran tests and toml-lint * Bumped 'updated_date'	2020-10-27 13:34:16 -05:00
seth-goodwin	2065af89b1	[Rule Tuning] Tag Categorization Updates (#380 ) * Add new categorization tags * Change updated_date to 2020/10/26 Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>, @bm11100	2020-10-26 13:50:45 -05:00
Justin Ibarra	2460333595	[Rule Tuning] Add extended lookback for all endpoint rules to account for ingest delays (#351 )	2020-09-30 16:16:04 -08:00
Justin Ibarra	3c0d982d8f	[Rule Tuning] Mknod Process Activity (#276 )	2020-09-24 13:27:16 -08:00
Justin Ibarra	065bcd8018	Refresh ATT&CK data to v7.2 and expand threat validation (#330 ) * refresh to latest ATT&CK 7.2 * add new unit test to further validate threat mappings * updated threat mappings in rules to reflect changes * new func to download and refresh mitre data based on version	2020-09-23 22:03:29 -08:00
brokensound77	aec3ec31b9	Merge branch '7.9' into main	2020-08-27 15:54:44 -08:00
Justin Ibarra	79a0dfefbe	Add ECS 1.6.0 schema for validation testing (#220 ) * Add ecs 1.6.0 and refresh master ecs (2.0.0) * update rule metadata to use ecs_version 1.6.0	2020-08-27 11:54:49 -05:00
Justin Ibarra	be08536880	Increase lookback for endpoint rules (#200 )	2020-08-21 12:23:43 -05:00
Brent Murphy	7efe33e01d	[Rule Tuning] Update Index Pattern for Detection Engine Rules (#101 ) * [Rule Tuning] Update Index Pattern for Detection Engine Rules * update indices	2020-08-03 15:46:57 -04:00
Justin Ibarra	95908c22a4	Improve ECS compatibility for endpoint rules	2020-07-07 15:41:23 -06:00
David French	51fed4f537	Update defense_evasion_attempt_to_disable_iptables_or_firewall.toml (#11 )	2020-07-02 11:31:19 -06:00
Francesco Soncina	46a4008570	[Rule tuning] Fix evasion for disable iptables rule (#5 )	2020-07-01 12:08:32 -06:00

1 2

51 Commits