d28bd2abef
[Tuning] Linux DR Tuning - Part 5 ( #3456 )
...
* [Tuning] Linux DR Tuning - Part 6
* Update discovery_dynamic_linker_via_od.toml
* Update discovery_esxi_software_via_find.toml
* Update discovery_esxi_software_via_grep.toml
* Update discovery_linux_hping_activity.toml
* Update discovery_linux_nping_activity.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
(cherry picked from commit ae3f4737ab
2024-03-07 08:59:38 +00:00
59812dac4e
Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13 ( #3491 )
...
(cherry picked from commit bf3932f384
2024-03-06 17:45:52 +00:00
7043173371
Prepare For Next Elastic Stack Minor Release ( #3490 )
...
Removed changes from:
- detection_rules/etc/packages.yml
(selectively cherry picked from commit a4094df732
2024-03-06 16:03:19 +00:00
2f18b54ac8
[Tuning] Auditbeat event.action Compatibility ( #3471 )
...
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
(cherry picked from commit 83abf8d42c
2024-03-06 14:34:12 +00:00
e6db511ac7
[BBR Promotion] Linux BBR --> DR Promotion ( #3472 )
...
* [BBR Promotion] Linux BBR --> DR Promotion
* [BBR Promotion] Linux BBR --> DR Promotion
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
(cherry picked from commit 5a80423003
2024-03-06 13:55:08 +00:00
f8a7fe9cec
[Bug] Fix URL links in autogenerated security docs ( #3474 )
...
* added content() class method for guide and setup
* removed non-existent variable
* removed unnecessary newlines
* adjusted levels for titles
* reverting changes
* added method to convert markdown links to asciidoc
* adjusted regex to include trailing periods
* fixing linting errors
* adjusted regex pattern
* added content() class method for guide and setup
* stripped # out of investigation guide, setup or note
* adjusted formatting outcome
* changed function call
* fixed linting errors
* fixing auto-formatting for rule asciidoc
* fixing URL link removal
* fixing URL link removal
* removed strip() from string for setup
* fixed linting errors
* fixed linting errors
* adjusting code formatting for convert_markdown_to_asciidoc
(cherry picked from commit 8e0ca421ca
2024-02-23 21:55:30 +00:00
2312455d7a
[FR] Skip eql optimizations on parsing query for unique fields ( #3443 )
...
(cherry picked from commit 542053719b
2024-02-21 02:31:01 +00:00
c772b2a842
Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12 ( #3459 )
...
(cherry picked from commit 7815d23110
2024-02-20 17:32:25 +00:00
fb835e396d
[Tuning] Tuning Windows - 3 Rules ( #3388 )
...
* Update privilege_escalation_newcreds_logon_rare_process.toml
* Update privilege_escalation_make_token_local.toml
* Update privilege_escalation_make_token_local.toml
* Update privilege_escalation_create_process_with_token_unpriv.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit 853e18950f
2024-02-20 16:01:52 +00:00
7adff8ebd2
[Tuning] Linux DR Tuning - Part 4 ( #3455 )
...
* [Tuning] Linux DR Tuning - Part 4
* Update defense_evasion_file_mod_writable_dir.toml
* Update defense_evasion_hidden_file_dir_tmp.toml
(cherry picked from commit 089e6671aa
2024-02-20 14:44:07 +00:00
24eea0e1e5
[Tuning] Event.dataset removal & Tag Addition ( #3451 )
...
* [Tuning] Removed event.dataset and added tag
* [Tuning] Removed event.dataset and added tag
* fixed typo
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit 3484cac7eb
2024-02-20 14:23:44 +00:00
5af7ec1a4b
[Tuning] Linux DR Tuning - Part 3 ( #3454 )
...
(cherry picked from commit 5e6e4a359b
2024-02-20 13:56:14 +00:00
d09d0b0609
[Tuning] Linux DR Tuning - Part 1 ( #3452 )
...
* [Tuning] Linux DR Tuning - Part 1
* Update command_and_control_linux_tunneling_and_port_forwarding.toml
* Update command_and_control_cat_network_activity.toml
(cherry picked from commit 1dc7fd6a42
2024-02-20 13:44:07 +00:00
5b8b6c4450
[Tuning] Linux DR Tuning - Part 2 ( #3453 )
...
* [Tuning] Linux DR Tuning - Part 2
* Update defense_evasion_binary_copied_to_suspicious_directory.toml
* Update defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml
(cherry picked from commit 0e48747aa6
2024-02-20 13:22:50 +00:00
984f2a6fbf
[FR] NON_DATASET_PACKAGE list & Data Source tag for Auditd_manager ( #3430 )
...
* [FR] Add Auditd_Manager to NON_DATASET_PACKAGE
* Changed alphabetical order
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit a637bcec38
2024-02-19 08:42:19 +00:00
144754c8a5
[New] Suspicious Execution from INET Cache ( #3445 )
...
* Create initial_access_execution_from_inetcache.toml
* Update initial_access_execution_from_inetcache.toml
(cherry picked from commit 4809de6584
2024-02-15 19:19:30 +00:00
9c265abb41
[Rule Tuning] Windows BBR Tuning - 3 ( #3382 )
...
* [Rule Tuning] Windows BBR Tuning - 3
* Update defense_evasion_service_disabled_registry.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
(cherry picked from commit 5334601b6f
2024-02-14 18:06:02 +00:00
7758575430
[Rule Tuning] Windows BBR Tuning - 4 ( #3384 )
...
* [Rule Tuning] Windows BBR Tuning - 4
* Update discovery_system_time_discovery.toml
(cherry picked from commit 1a8271db2f
2024-02-14 17:26:31 +00:00
ba92fb7fde
[Rule Tuning] Windows BBR Tuning - 6 ( #3386 )
...
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
(cherry picked from commit f233909e7d
2024-02-14 15:54:44 +00:00
a864d77e0a
[Rule Tuning] Windows BBR Tuning - 5 ( #3385 )
...
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
(cherry picked from commit 97e49795ab
2024-02-14 13:28:21 +00:00
0c0a5bdaad
[Rule Tuning] Windows BBR Tuning - 2 ( #3381 )
...
* [Rule Tuning] Windows BBR Tuning - 2
* Update defense_evasion_masquerading_windows_system32_exe.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit ae00f30574
2024-02-14 13:03:47 +00:00
1f418fa9e5
[FR] Add New Kibana Schema Issue Template ( #3441 )
...
(cherry picked from commit df6dd09db4
2024-02-13 22:41:12 +00:00
bde05d63c6
[FR] Add support for Threshold Alert Suppression ( #3433 )
...
(cherry picked from commit c3ca01ebcc
2024-02-12 16:01:10 +00:00
00fe4c8283
[Bug] Adjust build-release CLI and fix links when generating security docs ( #3434 )
...
* removed historical argument; added setup string; fixed links
* fixing flake errors
* added types for command arguments
* adjusted get_release_diff to append strings for release tags
* set fetch-depth to 0 for integrations checkout in workflow
* changed the name of the workflow
* removed TODOs
* adjusted release docs workflow to remove prefix for release tags
* adjusted URL replacement only if pointed to docs site
* added elastic website to regex pattern
* add docstrings; adjusted regex; add note for stopgap
* added a note about the regex pattern for elastic URLs
(cherry picked from commit 06b97ec79b
2024-02-12 15:13:42 +00:00
934edfd618
Add the Zen of Security Rules to philosophy ( #3437 )
...
(cherry picked from commit 298d1bce0d
2024-02-09 19:52:03 +00:00
4ac56fbd40
[Rule Tuning] Suspicious Antimalware Scan Interface DLL ( #3432 )
...
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit 21b559c97f
2024-02-08 09:32:22 +00:00
10d36f6872
Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12 ( #3431 )
...
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12
* Update detection_rules/etc/version.lock.json
* updated downloadable updates file to reconcile changes
* Removed spacing from downloadable updates file
---------
Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit 827dfa7327
2024-02-06 19:54:15 +00:00
7201490af1
[Bug] Update Prebuilt Detection Rules Release Process ( #3403 )
...
* release fleet workflow updates; build package integration reference changes
* updated commit hash extraction to output to env
* adjusted bump-pkg-versions to only include release if necessary
* fixed flake errors
* add historical argument for build-release set to yes by default
* Update detection_rules/devtools.py
* fixed fleet workflow; updated registry data references
* updated job names
* removed extract commit hash job and consolidated into fleet pr job
* added echo statement for current branch before checkout
* removed id from extract commit hash
(cherry picked from commit 7df7ab5101
2024-02-06 14:04:40 +00:00
e037d57c82
[New Rules] DDExec Analysis ( #3408 )
...
* [New Rules] DDExec Analysis
* Increased rule scope
* [New Rule] Dynamic Linker Discovery via od
* Revert "[New Rule] Dynamic Linker Discovery via od"
This reverts commit c58595b77f517d3f236a64a52c38804253db64cc.
* [New Rule] Dynamic Linker Discovery via od
* [New Rule] Potential Memory Seeking Activity
* [New BBR] Suspicious Memory grep Activity
* Added endgame + auditd_manager support
* Removed auditd_manager support for now
* Removed auditd_manager support for now
* Update discovery_suspicious_memory_grep_activity.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
(cherry picked from commit d41855a2ac
2024-02-06 13:53:27 +00:00
27b01ac788
[New Rule] Executable Masquerading as Kernel Process ( #3421 )
...
* [New Rule] Executable Masquerading as Kernel Proc
* Bumped dates
* Added endgame support
* Added auditd_manager support
* Removed auditd_manager support for now
(cherry picked from commit 90d64f0714
2024-02-06 09:54:53 +00:00
35dd5ad3c6
[New Rules] APT Package Manager Persistence ( #3418 )
...
* [New Rule] apt Package Manager Persistence
* [New Rules] APT Package Manager Persistence
* [New Rules] APT Package Manager Persistence
(cherry picked from commit 208b2e999c
2024-02-06 09:34:38 +00:00
8d3eed8d4d
[New Rule] Suspicious Network Connection via systemd ( #3420 )
...
* [New Rule] Network Connection via systemd
* Removed space from description
* Added updated query
(cherry picked from commit 4f303ab77e
2024-02-06 09:25:09 +00:00
66458bd33d
Update lateral_movement_remote_task_creation_winlog.toml ( #3419 )
...
(cherry picked from commit 6906a27c3a
2024-02-05 18:41:54 +00:00
67acfbae4d
[Rule Tuning] Windows BBR Tuning - 1 ( #3380 )
...
* [Rule Tuning] Windows BBR Tuning - 1
* .
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
(cherry picked from commit 8274f9a816
2024-02-05 15:52:57 +00:00
5edd21a169
[Rule Tuning] Startup or Run Key Registry Modification ( #3367 )
...
(cherry picked from commit edd3556b63
2024-02-05 15:33:38 +00:00
41ee5b7509
[New] Potential Enumeration via Active Directory Web Service ( #3416 )
...
* Create discovery_active_directory_webservice.toml
* Update discovery_active_directory_webservice.toml
* Update discovery_active_directory_webservice.toml
* Update discovery_active_directory_webservice.toml
* Update discovery_active_directory_webservice.toml
(cherry picked from commit 5a68ccfd0d
2024-02-02 14:24:50 +00:00
332afabf04
[Rule Tuning] Potential Modification of Accessibility Binaries ( #3401 )
...
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit 50df6f3e9b
2024-02-01 14:32:00 +00:00
c8b1b59079
[Tuning] Suspicious File Downloaded from Google Drive ( #3411 )
...
* Update command_and_control_google_drive_malicious_file_download.toml
* Update command_and_control_google_drive_malicious_file_download.toml
* Update command_and_control_google_drive_malicious_file_download.toml
(cherry picked from commit 4c74588c00
2024-01-31 17:00:17 +00:00
50be89783c
[Tuning] DCSync Rules - 4662 event.action ( #3410 )
...
* Update credential_access_dcsync_newterm_subjectuser.toml
* Update credential_access_dcsync_replication_rights.toml
(cherry picked from commit d7f4d7972e
2024-01-30 11:48:48 +00:00
bad1eff29b
[New Rule] Suspicious Passwd File Event Action ( #3396 )
...
* [New Rule] Suspicious Passwd File Event Action
* Description fix
* Pot. UT fix
* Pot. UT fix.
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
(cherry picked from commit 381ccf43ed
2024-01-26 08:42:09 +00:00
c2eb386789
[New BBR] Reverse Connection through Port Knocking ( #3219 )
...
* [New BBR] Reverse Connection through Port Knocking
* Attempt to fix unit testing error
* Mitre list fix?
* Revert "Mitre list fix?"
This reverts commit 83682b8a58c2954911495d218392a33ee0615db2.
* Update command_and_control_linux_port_knocking_reverse_connection.toml
* Update command_and_control_linux_port_knocking_reverse_connection.toml
* Update rules_building_block/command_and_control_linux_port_knocking_reverse_connection.toml
* Update command_and_control_linux_port_knocking_reverse_connection.toml
* Update command_and_control_linux_port_knocking_reverse_connection.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
(cherry picked from commit a66394c550
2024-01-24 15:35:55 +00:00
df82c11b4a
Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12 ( #3402 )
...
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12
* Update detection_rules/etc/version.lock.json
---------
Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit d093336125
2024-01-23 21:42:17 +00:00
9ce2cdf675
[Rule Tuning] Windows DR Tuning - 15 ( #3377 )
...
* [Rule Tuning] Windows DR Tuning - 15
* Update privilege_escalation_windows_service_via_unusual_client.toml
* Update privilege_escalation_windows_service_via_unusual_client.toml
* Update defense_evasion_msbuild_making_network_connections.toml
(cherry picked from commit 92804343bc
2024-01-23 19:54:02 +00:00
c421546055
[Rule Tuning] Direct Outbound SMB Connection ( #3400 )
...
* [Rule Tuning] Direct Outbound SMB Connection
* Update lateral_movement_direct_outbound_smb_connection.toml
(cherry picked from commit e33389b2ef
2024-01-23 18:39:31 +00:00
7db74abede
[Rule Tuning] Host Files System Changes via Windows Subsystem for Linux ( #3398 )
...
* [Rule Tuning] Host Files System Changes via Windows Subsystem for Linux
* Update defense_evasion_wsl_filesystem.toml
(cherry picked from commit e0bdb59deb
2024-01-22 21:53:12 +00:00
e1f10c70ba
removed query var; using is_sequence method; removed integration var ( #3395 )
...
(cherry picked from commit 164b7d4028
2024-01-22 20:28:29 +00:00
cfb4f1a013
[New Rules] UEBA GItHub BBRs and Rules ( #3174 )
...
* [New Rules] UEBA GItHub BBRs and Rules
A new set of BBRs and rules that will be used to trigger new UEBA GitHub threshold Rules.
* Update rules/integrations/github/impact_github_member_removed_from_organization.toml
* Apply suggestions from code review
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* edited BBR rules
-removed newly added member rule
* updated integration manifests and schemas
* Updated min_stack for some rules based on newest GitHub integration schema manifest
* testing min_stack bump to 8.8 for new fields
* removing offending rule to troubleshoot seperately
* added UEBA tags and created UEBA threshold rule
* updated non-ecs-schema to add signal.rule.tags
* updated non-ecs-schema with kibana.alert.workflow_status
* updated rule.threat.tactic
* added user.name to non-ecs-schema
* added quotes to kibana.alert.workflow_status value
* removed trailing space from rule name
* update tags and optimize query for UEBA threshold rule
* removed integration field from Higher-Order rule
* Apply suggestions from code review
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* adjusted new_terms order and rule types based on review feedback
* Apply suggestions from code review
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* remove user.name from detection_rules/etc/non-ecs-schema.json
* fix json formatting
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
(cherry picked from commit 442435830f
2024-01-22 17:53:42 +00:00
cdbf64d360
[New Rule] Potential Buffer Overflow Attack Detected ( #3312 )
...
* [New Rule] Potential Buffer Overflow Attack
* Added timestamp_override
* Update privilege_escalation_potential_bufferoverflow_attack.toml
* Update privilege_escalation_potential_bufferoverflow_attack.toml
* Update rules/linux/privilege_escalation_potential_bufferoverflow_attack.toml
* Update rules/linux/privilege_escalation_potential_bufferoverflow_attack.toml
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
(cherry picked from commit 48d8b650e5
2024-01-22 15:34:03 +00:00
ebd743efd5
[New Rule] Chroot Container Escape via Mount ( #3387 )
...
* [New Rule] Chroot Container Escape via Mount
* description fix
(cherry picked from commit ec5f4d596c
2024-01-22 08:23:26 +00:00
0a6ad4adc3
[Security Content] Add Investigation Guides to Linux Persistence Rules - 2 ( #3350 )
...
* [Security Content] Add IGs to Persistence - 2
* [Security Content] Add IGs to Persistence - 2
* fixes
* fix
* added ig note
(cherry picked from commit 26747aa8a4
2024-01-20 18:41:48 +00:00
Ruben Groenewoud