Ruben Groenewoud
d16f56b4e2
[New Rule] SSH via Backdoored System User (#4336)
* [New Rule] SSH via Backdoored System User
* ++
* Update persistence_ssh_via_backdoored_system_user.toml
* Update persistence_ssh_via_backdoored_system_user.toml
* Update rules/linux/persistence_ssh_via_backdoored_system_user.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/linux/persistence_ssh_via_backdoored_system_user.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2025-01-07 13:20:36 +01:00
Ruben Groenewoud
2530c4d376
[New Rule] Pluggable Authentication Module Source Download (#4301)
* [New Rule] Pluggable Authentication Module Source Download
* Update persistence_pluggable_authentication_module_source_download.toml
* Update rules/linux/persistence_pluggable_authentication_module_source_download.toml
2025-01-07 13:04:05 +01:00
Terrance DeJesus
1a189a5749
[Python] Ignore Hunting Doc Changes for Version Code Checks (#4331)
* Ignore hunting docs for version code checks
* added index.md to be ignored
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2025-01-07 12:54:27 +01:00
shashank-elastic
318ab3ffa0
Enhance Readability of KQL validation check failures (#4329)
2025-01-06 22:18:05 +05:30
shashank-elastic
52db5e0361
Monthly Refresh ECS & Beats schemas, Integration manifests & schemas. (#4332)
2025-01-06 21:48:11 +05:30
Samirbous
419e5c1ad3
[Tuning] Suspicious WMI Event Subscription Created (#4327)
* Update persistence_sysmon_wmi_event_subscription.toml
* Update non-ecs-schema.json
* Update persistence_sysmon_wmi_event_subscription.toml
* Update detection_rules/etc/non-ecs-schema.json
* Update pyproject.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2025-01-06 09:40:26 -03:00
Ruben Groenewoud
feaeabf60c
[New Rule] Dynamic Linker (ld.so) Creation (#4306)
2025-01-03 17:06:38 +01:00
Ruben Groenewoud
fea5c90ed9
[New Rule] Kernel Object File Creation (#4325)
* [New Rule] Kernel Object File Creation
* ++
* Update rules/linux/persistence_kernel_object_file_creation.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2025-01-03 16:49:59 +01:00
Ruben Groenewoud
466097c31e
[Rule Tuning] Potential Persistence via File Modification (#4310)
* [Rule Tuning] Potential Persistence via File Modification
* Update persistence_suspicious_file_modifications.toml
* Update persistence_suspicious_file_modifications.toml
2025-01-03 16:19:58 +01:00
Ruben Groenewoud
53ca51b20c
[New Rule] Simple HTTP Web Server Connection (#4309)
2025-01-03 16:06:28 +01:00
Ruben Groenewoud
e26e4e40b4
[New Rule] Simple HTTP Web Server Creation (#4308)
2025-01-03 15:54:25 +01:00
Ruben Groenewoud
0273997581
[New Rule] Loadable Kernel Module Configuration File Creation (#4307)
2025-01-03 15:33:31 +01:00
Ruben Groenewoud
7e775a6c95
[New Rule] Unusual Preload Environment Variable Process Execution (#4305)
2025-01-03 15:23:41 +01:00
Ruben Groenewoud
9424a57207
[Rule Tuning] Creation or Modification of Pluggable Authentication Module or Configuration (#4304)
2025-01-03 15:05:05 +01:00
Ruben Groenewoud
c9c8e3501e
[New Rule] Unusual SSHD Child Process (#4303)
* [New Rule] Unusual SSHD Child Process
* Update persistence_unusual_sshd_child_process.toml
2025-01-03 14:50:43 +01:00
Ruben Groenewoud
c7fe940206
[New Rule] Pluggable Authentication Module Creation in Unusual Directory (#4302)
* [New Rule] Pluggable Authentication Module Creation in Unusual Directory
* Update persistence_pluggable_authentication_module_creation_in_unusual_dir.toml
* Update rules/linux/persistence_pluggable_authentication_module_creation_in_unusual_dir.toml
2025-01-03 14:35:08 +01:00
Ruben Groenewoud
5384191934
[New Rule] PAM Version Discovery (#4300)
* [New Rule] PAM Version Discovery
* Update discovery_pam_version_discovery.toml
* Update discovery_pam_version_discovery.toml
* Update discovery_pam_version_discovery.toml
* Update rules/linux/discovery_pam_version_discovery.toml
2025-01-03 14:25:38 +01:00
Jonhnathan
aca416a779
[Rule Tuning] Windows misc Rule Tuning (#4298)
2025-01-02 07:44:01 -03:00
rad9800
c99cf9279d
[Tuning] Uncommon Registry Persistence Change (#4286)
* Update persistence_registry_uncommon.toml
Add registry rules for additional SMSS persistence vectors
* Update persistence_registry_uncommon.toml
* Update persistence_registry_uncommon.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2024-12-25 19:06:58 -03:00
Terrance DeJesus
9fb2dea7aa
[New Rule] Endpoint Security Promotion Rules for Specific Events (#3533)
* new endpoint security rules for specific alerts
* updated risk scores
* fixed rule names and UUIDs
* changed logic to use message field for detection vs prevention
* reverting changes
* reverting changes
* reverting to old commit
* reverting to old commit
* reverting to old commit
* reverting to old commit
* changed naming to Elastic Defend
* updated rule dates and min-stacks
* linted; adjusted queries
* updated ransomware, memory sig or shellcode risk
* Update rules/integrations/endpoint/elastic_endpoint_security.toml
* updated promotion rule
* fixed typos in naming
* updated setup guides
* added intervals
* added MITRE
* added investigation guide for Memory Threat
* ++
* ++
* Update rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.toml
Co-authored-by: natasha-moore-elastic <137783811+natasha-moore-elastic@users.noreply.github.com>
* Update rules/integrations/endpoint/elastic_endpoint_security_memory_signature_prevented.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/integrations/endpoint/elastic_endpoint_security_memory_signature_detected.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/integrations/endpoint/elastic_endpoint_security_malicious_file_prevented.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/integrations/endpoint/elastic_endpoint_security_memory_signature_detected.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/integrations/endpoint/elastic_endpoint_security_memory_signature_prevented.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/integrations/endpoint/elastic_endpoint_security_ransomware_detected.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/integrations/endpoint/elastic_endpoint_security_ransomware_prevented.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* ++
* ++
* ++
* ++
* Update rules/integrations/endpoint/elastic_endpoint_security.toml
* Update rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.toml
* Update rules/integrations/endpoint/elastic_endpoint_security_behavior_prevented.toml
* Update rules/integrations/endpoint/elastic_endpoint_security_malicious_file_detected.toml
* Update rules/integrations/endpoint/elastic_endpoint_security_memory_signature_prevented.toml
* ++
* ++
* ++
* Update rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update rules/integrations/endpoint/execution_elastic_malicious_file_detected.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update rules/integrations/endpoint/impact_elastic_ransomware_detected.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update rules/integrations/endpoint/elastic_endpoint_security_behavior_prevented.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update rules/integrations/endpoint/execution_elastic_malicious_file_prevented.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update rules/integrations/endpoint/impact_elastic_ransomware_prevented.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update rules/integrations/endpoint/defense_evasion_elastic_memory_threat_prevented.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update rules/integrations/endpoint/defense_evasion_elastic_memory_threat_prevented.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update rules/integrations/endpoint/elastic_endpoint_security_behavior_prevented.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update rules/integrations/endpoint/elastic_endpoint_security_behavior_prevented.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update rules/integrations/endpoint/execution_elastic_malicious_file_detected.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update rules/integrations/endpoint/execution_elastic_malicious_file_detected.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update rules/integrations/endpoint/execution_elastic_malicious_file_prevented.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update rules/integrations/endpoint/execution_elastic_malicious_file_prevented.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update rules/integrations/endpoint/execution_elastic_malicious_file_prevented.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update rules/integrations/endpoint/impact_elastic_ransomware_detected.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update rules/integrations/endpoint/impact_elastic_ransomware_detected.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update rules/integrations/endpoint/impact_elastic_ransomware_detected.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update rules/integrations/endpoint/impact_elastic_ransomware_prevented.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update rules/integrations/endpoint/impact_elastic_ransomware_prevented.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update rules/integrations/endpoint/defense_evasion_elastic_memory_threat_detected.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update rules/integrations/endpoint/impact_elastic_ransomware_prevented.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update rules/integrations/endpoint/defense_evasion_elastic_memory_threat_detected.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update rules/integrations/endpoint/defense_evasion_elastic_memory_threat_detected.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update rules/integrations/endpoint/defense_evasion_elastic_memory_threat_prevented.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update defense_evasion_elastic_memory_threat_prevented.toml
* toml-lint
* Update rules/integrations/endpoint/execution_elastic_malicious_file_detected.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* ++
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
Co-authored-by: Samirbous <Samir.Bousseaden@elastic.co>
Co-authored-by: natasha-moore-elastic <137783811+natasha-moore-elastic@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2024-12-19 13:24:23 -05:00
Terrance DeJesus
dad008ea34
[Rule Tuning] Lookback Times for Okta Multiple Session and AWS KMS Retrieval Rules (#4324)
* rule tuning Okta and AWS lookback times
* adjusted Query Registry using Built-in Tools
* adjusted My First Rule
* Update rules/cross-platform/guided_onboarding_sample_rule.toml
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
* Update rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
2024-12-19 13:03:50 -05:00
shashank-elastic
2ff2965cb9
Enhance Readability of validation check failures (#4299)
2024-12-13 19:03:47 +05:30
Terrance DeJesus
28ffebbf5c
[New Hunt] Adding Hunting Query for AWS IAM Unusual AWS Access Key Usage for User (#4280)
* new hunt 'AWS IAM Unusual AWS Access Key Usage for User'
* updated version
* updating markdown
* bumping version
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2024-12-12 14:56:20 -05:00
Terrance DeJesus
0a740074c9
new rule 'Azure Entra MFA TOTP Brute Force Attempts' (#4297)
2024-12-12 11:00:02 -05:00
shashank-elastic
3fa3349216
Update versioning support for 8.17 (#4296)
2024-12-10 23:43:04 +05:30
github-actions[bot]
691126cd3d
Lock versions for releases: 8.12,8.13,8.14,8.15,8.16,8.17 (#4295)
2024-12-10 21:43:29 +05:30
shashank-elastic
f0291b440a
Minstack endpoint rules with process.group.id fields (#4294)
2024-12-10 21:03:32 +05:30
Terrance DeJesus
e6012b1db6
Removing ESQL query format error (#4292)
2024-12-10 09:27:37 -05:00
github-actions[bot]
febdafa1f4
Lock versions for releases: 8.12,8.13,8.14,8.15,8.16,8.17 (#4291)
2024-12-09 21:38:33 +05:30
Terrance DeJesus
052672b09f
[Rule Tuning] Update Okta and Github Min-Stack Versions for Release (#4290)
2024-12-09 20:58:33 +05:30
Terrance DeJesus
e7b88ae3fc
[New Rule] Adding Coverage for Self-Created Login Profile for Root Accounts in AWS (#4277)
* new rule 'AWS IAM Login Profile Added for Root'
* added min-stack
* linted; fixed rule schema errors
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2024-12-09 08:55:20 -05:00
shashank-elastic
2c848c5111
Prep for Release 8.18 (#4288)
2024-12-09 18:25:13 +05:30
Isai
511c108ba1
[Tuning] SDH - Possible Consent Grant Attack via Azure-Registered Application (#4283)
* [Tuning] Possible Consent Grant Attack via Azure-Registered Application
SDH related rule tuning for o365.audit dataset
* removing renamed field from query
2024-12-06 17:27:38 -05:00
shashank-elastic
d3c05a08cc
Add all historical versions for v8.17.0 and above packages (#4279)
2024-12-03 23:36:32 +05:30
shashank-elastic
801efb3d93
Protections for AWS Bedrock (#4270)
2024-12-03 21:56:39 +05:30
shashank-elastic
53cfeb76e3
Add event dataset for missing rule in Github integration (#4278)
2024-12-03 20:32:55 +05:30
github-actions[bot]
86cc61c233
Lock versions for releases: 8.11,8.12,8.13,8.14,8.15,8.16 (#4274)
* Locked versions for releases: 8.11,8.12,8.13,8.14,8.15,8.16
* Update detection_rules/etc/version.lock.json
* Update Patch version for version lock changes
---------
Co-authored-by: shashank-elastic <shashank-elastic@users.noreply.github.com>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Co-authored-by: Shashank K S <Shashank.Suryanarayana@elastic.co>
2024-11-27 09:34:54 -05:00
shashank-elastic
5ab7565923
Minstack versions for Okta and Github Integration (#4273)
2024-11-27 18:39:41 +05:30
Ruben Groenewoud
4e28895e66
[Rule Tuning] Kernel Module Removal (#4269)
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
2024-11-25 21:13:44 +01:00
Terrance DeJesus
2d79494068
new rule 'AWS STS AssumeRoot by Rare User and Member Account' (#4271)
2024-11-25 10:28:43 -05:00
shashank-elastic
04e1fc1436
Account for CCS '::' index pattern (#4258)
2024-11-13 11:17:08 +05:30
github-actions[bot]
ebb3675ea0
Lock versions for releases: 8.11,8.12,8.13,8.14,8.15,8.16 (#4267)
2024-11-11 22:29:22 +05:30
terrancedejesus
4a7f83e432
Version Lock File Reconcile Ref: #4266
2024-11-11 10:48:43 -05:00
Samirbous
f36845318e
[New] First Time Seen User Auth via DeviceCode Protocol (#4153)
* Create credential_access_first_time_seen_device_code_auth.toml
* Update credential_access_first_time_seen_device_code_auth.toml
* Update credential_access_first_time_seen_device_code_auth.toml
* Update rules/integrations/azure/credential_access_first_time_seen_device_code_auth.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update rules/integrations/azure/credential_access_first_time_seen_device_code_auth.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update credential_access_first_time_seen_device_code_auth.toml
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2024-11-11 13:04:18 +00:00
Samirbous
b66d0e0a0d
[New] Remote Desktop File Opened from Suspicious Path (#4251)
2024-11-11 18:08:48 +05:30
Terrance DeJesus
ef453d8f4d
[Rule Tuning] Add Investigation Fields to Specific AWS Rules (#4261)
* adding investigation fields to specific aws rules
* updated patch
* removing min-stack requirements
* removed user.name redundancy
* adjusted order of investigation fields
* adding source address
2024-11-08 23:11:18 -05:00
Terrance DeJesus
33d832d4e4
[Rule Tuning] Tuning Process Termination followed by Deletion (#4173)
* adding rule tuning
* adjusted operators; fixed missing quotes
* Update rules/windows/defense_evasion_process_termination_followed_by_deletion.toml
* Update defense_evasion_process_termination_followed_by_deletion.toml
* Update defense_evasion_process_termination_followed_by_deletion.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2024-11-08 16:38:17 -03:00
Ruben Groenewoud
56e61a6321
[New Rule] Potential Hex Payload Execution (#4241)
* [New Rule] Potential Hex Payload Execution
* Update rules/linux/defense_evasion_hex_payload_execution.toml
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2024-11-08 19:15:17 +01:00
Ruben Groenewoud
54bb319f7b
[New Rule] Memory Swap Modification (#4239)
* [New Rule] Memory Swap Modification
* Update rules/linux/impact_memory_swap_modification.toml
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2024-11-08 19:06:55 +01:00
Ruben Groenewoud
3207ca37e4
[New Rule] Unusual Interactive Shell Launched from System User (#4238)
* [New Rule] Unusual Interactive Shell Launched from System User
* Update defense_evasion_interactive_shell_from_system_user.toml
* Update defense_evasion_interactive_shell_from_system_user.toml
* Update rules/linux/defense_evasion_interactive_shell_from_system_user.toml
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2024-11-08 18:24:30 +01:00