Jonhnathan
d3aa90f6a8
[Rule Tuning] Remove logs-windows.* index (#1928)
* Remove `logs-windows.*` index
* Update discovery_privileged_localgroup_membership.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit 0943ffba5f)
2022-04-14 12:27:47 +00:00
Jonhnathan
2889bf7d4e
Minor changes from Investigation Guides Review (#1927)
(cherry picked from commit 258418785f)
2022-04-14 00:55:20 +00:00
Mika Ayenson
10bc32b9aa
remove min_stack_version so old versions get config note (#1926)
2022-04-13 16:13:27 -04:00
Justin Ibarra
3adff3c865
Revert "Lock versions for releases: 7.13,7.14,7.15,7.16,8.0,8.1,8.2 (#1922)" (#1925)
This reverts commit 8789c15ae6.
(cherry picked from commit 53673c0c49)
2022-04-13 07:07:55 +00:00
github-actions[bot]
3b4db7e47a
Lock versions for releases: 7.13,7.14,7.15,7.16,8.0,8.1,8.2 (#1922)
(cherry picked from commit 8789c15ae6)
2022-04-13 06:31:52 +00:00
Jonhnathan
c3ab31632f
[Security Content] Current Investigation Guides Review (#1896)
* Modify investigation guides
* Apply suggestions from code review
Co-authored-by: benironside <91905639+benironside@users.noreply.github.com>
* Update rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml
Co-authored-by: benironside <91905639+benironside@users.noreply.github.com>
* Rewrite and apply previous reviews
* Apply suggestions from code review
Co-authored-by: Joe Peeples <joe.peeples@elastic.co>
* Update rules/windows/credential_access_spn_attribute_modified.toml
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
Co-authored-by: benironside <91905639+benironside@users.noreply.github.com>
Co-authored-by: Joe Peeples <joe.peeples@elastic.co>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
(cherry picked from commit ebeb270075)
2022-04-13 01:07:09 +00:00
Jonhnathan
03677ca4e8
[Security Content] Add Investigation Guides - 5 (#1895)
* [Security Content] Add Investigation Guides - 5
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit 46f5af436e)
2022-04-13 00:15:04 +00:00
Jonhnathan
7fdf870d31
[Security Content] Add Investigation Guides - 3 (#1836)
* [Security Content] Add Investigation Guides - 3
* Adjust Investigation Guides and Config
* Adjust Config
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: benironside <91905639+benironside@users.noreply.github.com>
(cherry picked from commit 3a5fceac3b)
2022-04-13 00:00:52 +00:00
Justin Ibarra
a911907422
Remove deprecated elasticsearch parameter (#1913)
(cherry picked from commit b3e789a202)
2022-04-12 20:08:06 +00:00
Jonhnathan
deed08b896
Update discovery_net_command_system_account.toml (#1912)
(cherry picked from commit 3b6c594a22)
2022-04-11 18:05:59 +00:00
Isai
dfa41821ef
[Rule Tuning] AWS RDS Instance/Cluster Deletion (#1916)
* add RDS instance deletion to aws rule
I've added to this rule to improve coverage. Currently we detect creation and stopping of RDS clusters and instances, but we only detect the deletion of clusters, not instances. This adds the deletion of RDS instances to the detection.
* Update rules/integrations/aws/impact_rds_instance_cluster_deletion.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit 9640ecb3fe)
2022-04-10 19:35:26 +00:00
Jonhnathan
3c503f7c95
[Security Content] Add Investigation Guides - 4 (#1871)
* [Security Content] Add Investigation Guides - 4
* Apply suggestions from code review
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update rules/windows/initial_access_script_executing_powershell.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* lint
* Update persistence_user_account_creation.toml
* Apply suggestions from code review
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Apply suggestions from code review
Co-authored-by: benironside <91905639+benironside@users.noreply.github.com>
Co-authored-by: Joe Peeples <joe.peeples@elastic.co>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* .
* Fixes and lint
* .
* .
* revert modifications
* Apply suggestions from code review
Co-authored-by: Joe Peeples <joe.peeples@elastic.co>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
* Update impact_stop_process_service_threshold.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: benironside <91905639+benironside@users.noreply.github.com>
Co-authored-by: Joe Peeples <joe.peeples@elastic.co>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
(cherry picked from commit 290763d9bb)
2022-04-10 18:38:57 +00:00
Isai
b3e51520c4
[Rule Tuning] AWS Security Group Configuration Change Detection (#1915)
* Update persistence_ec2_security_group_configuration_change_detection
Rule does not trigger as expected due to 'iam' provider. I changed the specified provider to 'ec2'.
* update to improve rule coverage
I edited this rule to include the deletion of an RDS Instance. This fills a current gap in coverage as we are able to detect the creation and stopping of RDS instances and clusters, but only detect deletion of RDS clusters.
* Revert "update to improve rule coverage"
This reverts commit b3b094274fe13c56908aa6781c8236de6e3b5380.
(cherry picked from commit 5073ef8be7)
2022-04-07 18:49:16 +00:00
Justin Ibarra
bd5ada51e3
Update elasticsearch dependency to 8.1 (#1911)
(cherry picked from commit ad99c6b489)
2022-04-06 19:54:26 +00:00
Jonhnathan
c425d98de1
[Rule Tuning] Add EQL optional field syntax (#1910)
* Add optional EQL syntax
* Add min_stack_version
(cherry picked from commit 49074ddeaa)
2022-04-05 19:35:15 +00:00
Justin Ibarra
eeb8ab7744
Expand timestamp override tests (#1907)
* Expand timestamp_override tests
* removed timestamp_override from eql sequence rules
* add config entry for eql rules with beats index and t_o
* add timestamp_override to missing fields
Removed changes from:
- rules/cross-platform/impact_hosts_file_modified.toml
- rules/windows/credential_access_lsass_memdump_file_created.toml
- rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
- rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
- rules/windows/defense_evasion_suspicious_certutil_commands.toml
- rules/windows/execution_command_shell_started_by_svchost.toml
(selectively cherry picked from commit 6bdfddac8e)
2022-04-01 23:28:54 +00:00
Terrance DeJesus
2edb1e0ee7
Prep for Creation of 8.3 Branch (#1906)
* updating with changes for 8.3 prep
* adding updates
* adjusted version in packages.yml
Removed changes from:
- etc/packages.yml
(selectively cherry picked from commit 648daf1237)
2022-04-01 21:35:14 +00:00
Terrance DeJesus
1ca68f9d85
added comprehensive timeline template definitions (#1905)
(cherry picked from commit e72031a71a)
2022-04-01 16:53:55 +00:00
Jonhnathan
8d322f40c0
Svchost spawning Cmd - False Positives Tuning (#1894)
(cherry picked from commit e1b4a0d87c)
2022-03-31 22:30:43 +00:00
Jonhnathan
4ed2fbe932
[Security Content] Adjust Investigation Guides to be less generic (#1805)
* PowerShell Suspicious Script with Audio Capture Capabilities
* PowerShell Keylogging Script
* PowerShell MiniDump Script
* Potential Process Injection via PowerShell
* PowerShell Suspicious Discovery Related Windows API Functions
* Suspicious Portable Executable Encoded in Powershell Script
* PowerShell PSReflect Script
* Startup/Logon Script added to Group Policy Object
* Group Policy Abuse for Privilege Addition
* Scheduled Task Execution at Scale via GPO
* Apply suggestions from code review
Co-authored-by: benironside <91905639+benironside@users.noreply.github.com>
Co-authored-by: Joe Peeples <joe.peeples@elastic.co>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Apply suggestions from code review
Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>
Co-authored-by: benironside <91905639+benironside@users.noreply.github.com>
* Adjust Posh desc
* .
* Apply suggestions from code review
Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>
* .
* Apply suggestions from code review
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
* Update privilege_escalation_group_policy_scheduled_task.toml
* Update rules/windows/privilege_escalation_group_policy_iniscript.toml
Co-authored-by: Joe Peeples <joe.peeples@elastic.co>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: benironside <91905639+benironside@users.noreply.github.com>
Co-authored-by: Joe Peeples <joe.peeples@elastic.co>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
(cherry picked from commit 8a59b49fea)
2022-03-31 14:31:43 +00:00
Jonhnathan
5a263b253d
[Security Content] Add Investigation Guides - 2 (#1822)
* Add Investigation Guides for Windows Rules - First half
* + 1/2
* Update impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
* Update credential_access_mod_wdigest_security_provider.toml
* Apply suggestions from code review
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
* Update defense_evasion_amsienable_key_mod.toml
* Update defense_evasion_amsienable_key_mod.toml
* Apply suggestions from code review
Co-authored-by: benironside <91905639+benironside@users.noreply.github.com>
* Update command_and_control_certutil_network_connection.toml
* Apply suggestions from code review
Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>
Co-authored-by: Joe Peeples <joe.peeples@elastic.co>
Co-authored-by: benironside <91905639+benironside@users.noreply.github.com>
* Update collection_winrar_encryption.toml
* Apply suggestions from code review
Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
Co-authored-by: benironside <91905639+benironside@users.noreply.github.com>
Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>
Co-authored-by: Joe Peeples <joe.peeples@elastic.co>
(cherry picked from commit a3d7427d29)
2022-03-30 17:46:02 +00:00
Colson Wilhoit
150ff0502e
Linux Shell Evasion Rule Tuning (#1878)
* Linux Shell Evasion Rule Tuning
* Update execution_python_tty_shell.toml
* Update rules/linux/execution_apt_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_apt_binary.toml
* Update rules/linux/execution_awk_binary_shell.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_awk_binary_shell.toml
* Update rules/linux/execution_c89_c99_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_c89_c99_binary.toml
* Update rules/linux/execution_cpulimit_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_cpulimit_binary.toml
* Update rules/linux/execution_expect_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_expect_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_expect_binary.toml
* Update rules/linux/execution_find_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_find_binary.toml
* Update rules/linux/execution_gcc_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_gcc_binary.toml
* Update rules/linux/execution_mysql_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_mysql_binary.toml
* Update rules/linux/execution_nice_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_nice_binary.toml
* Update rules/linux/execution_ssh_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_ssh_binary.toml
* Update execution_perl_tty_shell.toml
* Update execution_python_tty_shell.toml
* Update rules/linux/execution_apt_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_awk_binary_shell.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_c89_c99_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_cpulimit_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_expect_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_find_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_gcc_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_mysql_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_nice_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_ssh_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2022-03-29 21:03:35 -04:00