d3dc231315
Refresh ECS, Beats manifest and schemas ( #3993 )
2024-08-20 20:45:20 +05:30
10ba6ad5a6
[FR] Add Alert Suppression for Addtional Rule Types ( #3986 )
2024-08-15 15:03:45 -05:00
4c44f98cd6
[Rule Tuning] LSASS Process Access via Windows API ( #3975 )
...
* [Rule Tuning] LSASS Process Access via Windows API
* Update credential_access_lsass_openprocess_api.toml
* Update credential_access_lsass_openprocess_api.toml
2024-08-14 11:42:18 -03:00
400b4dbd23
[Bug] [DAC] Fix Kibana action connector export to export details with action connectors ( #3984 )
...
* Create Nested Directories
* Fix Kibana export not exporting connector info
2024-08-13 14:28:17 -04:00
3500c3db15
[Rule Tuning] Tuning Direct Outbound SMB Connection ( #3485 )
...
* tuning 'Direct Outbound SMB Connection'
* removed lolbas references
* reverted EQL function due to escaped characters in substring match
* Update rules/windows/lateral_movement_direct_outbound_smb_connection.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/lateral_movement_direct_outbound_smb_connection.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* reverted internal address exclusion; adjusted rule name and description
* removing min-stack
* Update rules/windows/lateral_movement_direct_outbound_smb_connection.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2024-08-13 13:53:07 -04:00
74d8186aeb
[Rule Tuning] Tuning MsBuild Making Network Connections ( #3482 )
...
* tuning 'MsBuild Making Network Connections'
* added performance note; added comments in query
* adjusted array search
* linting
* updated query logic;updated date
* updated query logic
* fixed query error
* changed query logic
* removing min-stack
* reverting change
* updated network sequence event
2024-08-13 12:55:08 -04:00
f4c6939987
Fix Attribute Issue in RTA common.py ( #3983 )
2024-08-13 21:32:45 +05:30
b0fd8659a2
Fix Windows Path for file ( #3981 )
2024-08-13 20:46:28 +05:30
d0597e4260
Create Nested Directories ( #3980 )
2024-08-13 09:40:49 -04:00
e607d521b8
Add Unit Test test_index_or_data_view_id_present ( #3967 )
2024-08-12 17:48:05 +05:30
c58ae92dd1
[New Rule] Dynamic Linker Creation or Modification ( #3969 )
...
* [New Rule] Dynamic Linker Creation or Modification
* Removed new line from description
* Update rules/linux/defense_evasion_dynamic_linker_file_creation.toml
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
* Update defense_evasion_dynamic_linker_file_creation.toml
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2024-08-10 10:25:55 +02:00
55e81c1169
[Rule Tuning] Attempt to Disable IPTables or Firewall ( #3972 )
...
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2024-08-10 10:18:11 +02:00
b6ffb10ab2
[Rule Tuning] System Log File Deletion ( #3970 )
2024-08-10 10:04:56 +02:00
6e3e5f6373
[Rule Tuning] Potential Disabling of AppArmor ( #3971 )
...
* [Rule Tuning] Potential Disabling of AppArmor
* Update query
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2024-08-10 09:51:45 +02:00
8950d33539
[Rule Tuning] Suspicious PrintSpooler Service Executable File Creation ( #3964 )
...
* [Rule Tuning] Suspicious PrintSpooler Service Executable File Creation
* .
* ++
2024-08-09 13:23:16 -03:00
20f4242566
[Rule Tuning] Simple KQL to EQL Conversion ( #3948 )
...
* [Rule Tuning] Simple KQL to EQL Conversion
* Update rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Update privilege_escalation_group_policy_iniscript.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2024-08-09 13:11:27 -03:00
fcc8aaaf63
[Rule Tuning] Fix missing Winlogbeat index ( #3976 )
...
* [Rule Tuning] Fix missing Winlogbeat index
* bump
2024-08-09 12:46:33 -03:00
207dc55ede
[Rule Tuning] Windows File-based Rules Tuning ( #3963 )
...
* [Rule Tuning] Windows File-based Rules Tuning
* Update credential_access_lsass_memdump_file_created.toml
* .
2024-08-09 12:26:58 -03:00
f5069763b6
[Rule Tuning] Add System tag to DRs ( #3968 )
...
* [Rule Tuning] Add System tag to DRs
* bump
2024-08-09 11:14:33 -03:00
698e830f9f
[Rule Tuning] Removing Minimum Stack Compatibility ( #3974 )
...
* removing min-stack
* removing min-stack
* updating date
2024-08-08 11:47:48 -04:00
fe9ba15a2a
[Rule Tuning] Tuning Suspicious HTML File Creation for Performance ( #3480 )
...
* tuning 'Suspicious HTML File Creation'
* TOML lint; reverted EQL function checks
* updated date
2024-08-08 11:12:55 -04:00
25ad765acb
[Rule Tuning] Include winlogbeat index in sysmon-related rules ( #3966 )
2024-08-08 12:02:23 -03:00
d7c7d9b1c3
Interactive Shell Spawned via Hidden Process Sync RTA ( #3937 )
...
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
2024-08-08 19:42:01 +05:30
f47053b904
Suspicious Execution via a Hidden Process Sync RTA ( #3938 )
...
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
2024-08-08 19:33:49 +05:30
ec1f617fdc
APT Package Manager Command Execution Sync RTA ( #3940 )
...
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
2024-08-08 19:19:44 +05:30
e277ecd230
Suspicious Execution via setsid and nohup Sync RTA ( #3941 )
...
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
2024-08-08 19:11:51 +05:30
292d7b9215
Egress Network Connection from DPKG Directory Sync RTA ( #3942 )
...
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
2024-08-08 18:57:33 +05:30
ed9b145ebd
System V Init (init.d) Egress Network Connection Sync RTA ( #3943 )
...
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
2024-08-08 18:48:05 +05:30
3cefbbe057
System V Init (init.d) Executed Binary from Unusual Location Sync RTA ( #3944 )
...
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
2024-08-08 18:38:55 +05:30
fff326a7d4
Egress Network Connection by MOTD Child Sync RTA ( #3945 )
...
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
2024-08-08 18:30:03 +05:30
aea7d578ed
Systemd Executing Binary in Unusual Location Sync RTA ( #3766 )
...
Co-authored-by: protectionsmachine <72879786+protectionsmachine@users.noreply.github.com >
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
2024-08-08 18:15:31 +05:30
cdc4e21aac
Scheduled Job Executing Binary in Unusual Location Sync RTA ( #3952 )
...
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
2024-08-08 18:01:56 +05:30
0532f9f210
Egress Network Connection from RPM Package Sync RTA ( #3951 )
2024-08-08 17:53:22 +05:30
ff3d51721a
[Rule Tuning] Tuning Persistent Scripts in the Startup Directory ( #3479 )
...
* tuning 'Persistent Scripts in the Startup Directory'
* adjusted query logic; added note about performance
* adjusted query logic
* adjusted query logic; added note about performance
* removed newline
* adjusted query logic to be more inclusive
* adjusted query
* adjusted query to leave wildcard and substring searches towards the end
* TOML lint
* Update rules/windows/persistence_startup_folder_scripts.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* adjusted note; removed setup
* adjusted note; removed setup
* Update rules/windows/persistence_startup_folder_scripts.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/windows/persistence_startup_folder_scripts.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* updated date
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
2024-08-06 18:42:53 -04:00
47d7a3acaa
[DaC] Beta Release ( #3889 )
...
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
Co-authored-by: Mika Ayenson <mika.ayenson@elastic.co >
2024-08-06 18:07:12 -04:00
f9717e71bb
Lock versions for releases: 8.10,8.11,8.12,8.13,8.14,8.15 ( #3961 )
2024-08-06 19:37:36 +05:30
2ee5ae1f19
Fix Version Bump for Related Integrations ( #3960 )
2024-08-06 18:48:24 +05:30
a6f1aa6fd7
[Rule Tuning] Windows Registry Rules Tuning - 2 ( #3958 )
2024-08-06 17:15:08 +05:30
9b85079da1
[Rule Tuning] Windows Registry Rules Tuning - 1 ( #3957 )
2024-08-06 17:05:17 +05:30
11636b159d
[New Rule] Outlook Home Page Registry Modification ( #3946 )
2024-08-05 11:27:58 -03:00
fbaac66f9f
[Rule Tuning] Accepted Default Telnet Port Connection ( #3954 )
...
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2024-08-03 20:15:06 -03:00
392e813e7a
[Rule Tuning] Microsoft IIS Service Account Password Dumped ( #3935 )
2024-08-02 16:37:45 -03:00
93d928625d
[Tuning] Executable Bit Set for Potential Persistence Script ( #3929 )
2024-08-02 21:13:19 +02:00
ff3f66cacf
[Rule Tuning] AWS S3 Object Versioning Suspended ( #3953 )
2024-08-02 13:36:11 -03:00
dfdc214be8
[New Rule] Potential Relay Attack against a Domain Controller ( #3928 )
...
* [New Rule] Potential Relay Attack against a Domain Controller
* Update credential_access_dollar_account_relay.toml
* Move to the correct folder
2024-08-02 13:03:20 -03:00
8d3ec2b8a3
[Rule Tuning] Sensitive Registry Hive Access via RegBack ( #3947 )
...
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2024-08-01 14:06:08 -03:00
485312d5f2
[Rule Tuning] System Binary Moved or Copied ( #3933 )
2024-08-01 18:47:58 +02:00
62982f9d8c
[New Rule] AWS IAM CompromisedKeyQuarantine Policy Attached to User ( #3910 )
...
* [New Rule] AWS IAM CompromisedKeyQuarantine Policy Attached to User
* increased severity score
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2024-08-01 00:30:02 -04:00
f2eb78219c
[New Rule] AWS IAM User or Role Created Cloudformation Stack for First Time ( #3923 )
...
* [New Rule] AWS IAM User or Role Created Cloudformation Stack for First Time
* Update discovery_new_terms_sts_getcalleridentity.toml
* Update execution_new_terms_ec2_instance_cloudformation_createstack.toml
* Update rules/integrations/aws/execution_new_terms_ec2_instance_cloudformation_createstack.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* rule name change, removed ec2
* Update rules/integrations/aws/execution_new_terms_cloudformation_createstack.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2024-07-31 16:55:49 -04:00
1b58d0640b
[New Rule] AWS EC2 Instance Console Login via Assumed Role ( #3922 )
...
* [New Rule] AWS EC2 Instance Console Login via Assumed Role
* added reference for custom url creation
* added STS tag
* added event.provider to query
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2024-07-31 15:52:59 -04:00
shashank-elastic