sigma-rules

Author	SHA1	Message	Date
Justin Ibarra	14c46f50b9	[Rule Tuning] updates from documentation review for 7.16 (#1645 )	2021-12-07 15:42:58 -09:00
Austin Songer	521f0987ae	[New Rule] Azure Kubernetes Rolebindings Created (#1576 ) * Create azure_kubernetes_rolebinding_created_or_deleted.toml * Update * Update privilege_escalation_azure_kubernetes_rolebinding_created_or_deleted.toml * Update and rename privilege_escalation_azure_kubernetes_rolebinding_created_or_deleted.toml to privilege_escalation_azure_kubernetes_rolebinding_modified_or_deleted.toml * Update rules/integrations/azure/privilege_escalation_azure_kubernetes_rolebinding_modified_or_deleted.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update privilege_escalation_azure_kubernetes_rolebinding_modified_or_deleted.toml * Update privilege_escalation_azure_kubernetes_rolebinding_modified_or_deleted.toml * Update privilege_escalation_azure_kubernetes_rolebinding_modified_or_deleted.toml * Update and rename privilege_escalation_azure_kubernetes_rolebinding_modified_or_deleted.toml to privilege_escalation_azure_kubernetes_rolebinding_modified.toml * Update privilege_escalation_azure_kubernetes_rolebinding_modified.toml * Update privilege_escalation_azure_kubernetes_rolebinding_modified.toml * Update privilege_escalation_azure_kubernetes_rolebinding_modified.toml * Update and rename privilege_escalation_azure_kubernetes_rolebinding_modified.toml to privilege_escalation_azure_kubernetes_rolebinding_created.toml * Update privilege_escalation_azure_kubernetes_rolebinding_created.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>	2021-11-29 09:16:00 -03:00
Austin Songer	3dd32608a0	[New Rule] Azure Active Directory High Risk User AtRisk or Confirmed (#1579 ) * Create initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml * Update initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml * Update initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml * Update initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml * Update rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2021-11-17 19:38:12 -03:00
Justin Ibarra	ab17dfcc28	[Bug] Tighten definitions validation patterns (#1396 ) * [Bug] Anchor validation patterns * Deprecate rule with invalid rule_id and duplicate as new one Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>	2021-10-26 10:26:20 -05:00
Jonhnathan	4524c175c8	Add missing Integration field (#1537 ) * Add missing Integration field * Bump updated_date * Add test for integration<->path * Fix rule folder * bump updated date in rule Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>	2021-10-26 12:05:12 -03:00
Austin Songer	89553d84a9	[New Rule] AWS Route Table Created (#1257 ) * Update impact_iam_deactivate_mfa_device.toml https://github.com/elastic/detection-rules/issues/1111 * Update impact_iam_deactivate_mfa_device.toml * Update discovery_post_exploitation_external_ip_lookup.toml "ipapi.co", "ip-lookup.net", "ipstack.com" Update rules/aws/impact_iam_deactivate_mfa_device.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Revert "Update discovery_post_exploitation_external_ip_lookup.toml" This reverts commit b57fd60c9511e20a336d32a9c9b8d5cf9954c50e. * Update * New Rule: Okta User Attempted Unauthorized Access * Update privilege_escalation_okta_user_attempted_unauthorized_access.toml * Update privilege_escalation_okta_user_attempted_unauthorized_access.toml * Delete privilege_escalation_okta_user_attempted_unauthorized_access.toml * Create persistence_new-or-modified-federation-domain.toml * Delete persistence_new-or-modified-federation-domain.toml * Create persistence_route_table_created.toml * Update persistence_route_table_created.toml * Update rules/persistence_route_table_created.toml Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com> * Update persistence_route_table_created.toml * Update .gitignore Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update persistence_route_table_created.toml * Update * Update Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com> Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>	2021-10-26 10:25:53 -03:00
Justin Ibarra	5bdf70e72c	Add min_stack_comments to metadata schema (#1573 ) * Add min_stack_comments to metadata schema	2021-10-19 20:52:53 -08:00
Austin Songer	3ab67d1562	[New Rule] AWS EventBridge Rule Disabled or Deleted (#1572 ) * Create aws_eventbridge_rule_disabled_or_deleted.toml * Update aws_eventbridge_rule_disabled_or_deleted.toml * Update aws_eventbridge_rule_disabled_or_deleted.toml * Update aws_eventbridge_rule_disabled_or_deleted.toml * Update rules/integrations/aws/aws_eventbridge_rule_disabled_or_deleted.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update rules/integrations/aws/aws_eventbridge_rule_disabled_or_deleted.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update aws_eventbridge_rule_disabled_or_deleted.toml * Rename aws_eventbridge_rule_disabled_or_deleted.toml to impact_aws_eventbridge_rule_disabled_or_deleted.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>	2021-10-18 15:36:21 -03:00
Austin Songer	2c39bb962f	[New Rule] AWS EFS File System or Mount Deleted (#1462 ) * AWS EFS File System or Mount Deleted * Update impact_efs_filesystem_or_mount_deleted.toml * Update rules/integrations/aws/impact_efs_filesystem_or_mount_deleted.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update impact_efs_filesystem_or_mount_deleted.toml * Update impact_efs_filesystem_or_mount_deleted.toml * Update impact_efs_filesystem_or_mount_deleted.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>	2021-10-15 23:23:07 -03:00
Austin Songer	702524b1f7	[New Rule] AWS Suspicious SAML Activity (#1498 ) * Create privilege_escalation_aws_suspicious_saml_activity.toml * Update privilege_escalation_aws_suspicious_saml_activity.toml * Update privilege_escalation_aws_suspicious_saml_activity.toml * Update privilege_escalation_aws_suspicious_saml_activity.toml * Update privilege_escalation_aws_suspicious_saml_activity.toml * Update privilege_escalation_aws_suspicious_saml_activity.toml * Update privilege_escalation_aws_suspicious_saml_activity.toml * Update privilege_escalation_aws_suspicious_saml_activity.toml * Update privilege_escalation_aws_suspicious_saml_activity.toml * Add trailing / Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>	2021-10-15 23:11:15 -03:00
Austin Songer	50501bb40f	[New Rule] Azure Full Network Packet Capture Detected (#1420 ) * Create defense_evasion_virtual_network_device_modified.toml * Update defense_evasion_virtual_network_device_modified.toml * Update defense_evasion_virtual_network_device_modified.toml * Update defense_evasion_virtual_network_device_modified.toml * Update defense_evasion_virtual_network_device_modified.toml * Update defense_evasion_virtual_network_device_modified.toml * Delete defense_evasion_virtual_network_device_modified.toml * Create exfiltration_azure_full_network_packet_capture_detected.toml * Update exfiltration_azure_full_network_packet_capture_detected.toml * Update exfiltration_azure_full_network_packet_capture_detected.toml * Update exfiltration_azure_full_network_packet_capture_detected.toml * Update exfiltration_azure_full_network_packet_capture_detected.toml * Update exfiltration_azure_full_network_packet_capture_detected.toml * Update exfiltration_azure_full_network_packet_capture_detected.toml * Update exfiltration_azure_full_network_packet_capture_detected.toml * Update exfiltration_azure_full_network_packet_capture_detected.toml * Update rules/integrations/azure/exfiltration_azure_full_network_packet_capture_detected.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update rules/integrations/azure/exfiltration_azure_full_network_packet_capture_detected.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update exfiltration_azure_full_network_packet_capture_detected.toml * Update exfiltration_azure_full_network_packet_capture_detected.toml * Rename exfiltration_azure_full_network_packet_capture_detected.toml to credential_access_azure_full_network_packet_capture_detected.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>	2021-10-15 23:06:27 -03:00
Austin Songer	790586fb57	[New Rule] Azure Virtual Network Device Modified or Deleted (#1421 ) * Create defense_evasion_virtual_network_device_modified.toml * Update defense_evasion_virtual_network_device_modified.toml * Update defense_evasion_virtual_network_device_modified.toml * Update defense_evasion_virtual_network_device_modified.toml * Update defense_evasion_virtual_network_device_modified.toml * Update defense_evasion_virtual_network_device_modified.toml * Delete defense_evasion_virtual_network_device_modified.toml * Create defense_evasion_virtual_network_device_modified.toml * Update defense_evasion_virtual_network_device_modified.toml * Update rules/integrations/azure/defense_evasion_virtual_network_device_modified.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update rules/integrations/azure/defense_evasion_virtual_network_device_modified.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update defense_evasion_virtual_network_device_modified.toml * Update rules/integrations/azure/defense_evasion_virtual_network_device_modified.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Rename defense_evasion_virtual_network_device_modified.toml to impact_virtual_network_device_modified.toml * fix description Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>	2021-10-15 16:11:05 -03:00
Austin Songer	761df5fe84	[New Rule] Azure Kubernetes Pods Deleted (#1309 ) * Create impact_kubernetes_pod_deleted.toml * Update impact_kubernetes_pod_deleted.toml * Update * Update impact_kubernetes_pod_deleted.toml * quote value in query Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>	2021-10-15 16:07:39 -03:00
Austin Songer	dc980effb0	[New Rule] AWS RDS Snapshot Restored (#1312 ) * Create exfiltration_rds_snapshot_restored.toml * Update exfiltration_rds_snapshot_restored.toml * Delete exfiltration_rds_snapshot_restored.toml * Create exfiltration_rds_snapshot_restored.toml * Update * Update rules/integrations/aws/exfiltration_rds_snapshot_restored.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update rules/integrations/aws/exfiltration_rds_snapshot_restored.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update exfiltration_rds_snapshot_restored.toml * Update exfiltration_rds_snapshot_restored.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>	2021-10-15 16:05:00 -03:00
Austin Songer	3303a4e255	[New Rule] Microsoft 365 - Mass download by a single user (#1348 ) * Create impact_microsoft_365_mass_download_by_a_single_user.toml * Update impact_microsoft_365_mass_download_by_a_single_user.toml * Update impact_microsoft_365_mass_download_by_a_single_user.toml * Update impact_microsoft_365_mass_download_by_a_single_user.toml * Update impact_microsoft_365_mass_download_by_a_single_user.toml * Update impact_microsoft_365_mass_download_by_a_single_user.toml * Update * Update impact_microsoft_365_mass_download_by_a_single_user.toml * Update impact_microsoft_365_mass_download_by_a_single_user.toml * Update rules/integrations/o365/impact_microsoft_365_mass_download_by_a_single_user.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update impact_microsoft_365_mass_download_by_a_single_user.toml * Update impact_microsoft_365_mass_download_by_a_single_user.toml * Update rules/integrations/o365/impact_microsoft_365_mass_download_by_a_single_user.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>	2021-10-15 16:01:50 -03:00
Austin Songer	90504915ad	[New Rule] AWS Route53 hosted zone associated with a VPC (#1365 ) * Create persistence_route_53_hosted_zone_associated_with_a_vpc.toml * Update * Update rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update persistence_route_53_hosted_zone_associated_with_a_vpc.toml * Update persistence_route_53_hosted_zone_associated_with_a_vpc.toml * Update persistence_route_53_hosted_zone_associated_with_a_vpc.toml * Update persistence_route_53_hosted_zone_associated_with_a_vpc.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>	2021-10-15 15:59:33 -03:00
Austin Songer	d7eab5bbf3	[New Rule] AWS STS AssumeRole Usage (#1214 ) * Update impact_iam_deactivate_mfa_device.toml https://github.com/elastic/detection-rules/issues/1111 * Update impact_iam_deactivate_mfa_device.toml * Update discovery_post_exploitation_external_ip_lookup.toml "ipapi.co", "ip-lookup.net", "ipstack.com" Update rules/aws/impact_iam_deactivate_mfa_device.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Revert "Update discovery_post_exploitation_external_ip_lookup.toml" This reverts commit b57fd60c9511e20a336d32a9c9b8d5cf9954c50e. * Update * New Rule: Okta User Attempted Unauthorized Access * Update privilege_escalation_okta_user_attempted_unauthorized_access.toml * Update privilege_escalation_okta_user_attempted_unauthorized_access.toml * Delete privilege_escalation_okta_user_attempted_unauthorized_access.toml * Create persistence_new-or-modified-federation-domain.toml * Delete persistence_new-or-modified-federation-domain.toml * Create lateral_movement_sts_assumerole_abuse.toml * Rename lateral_movement_sts_assumerole_abuse.toml to privilege_escalation_sts_assumerole_abuse.toml * Update privilege_escalation_sts_assumerole_abuse.toml * Update privilege_escalation_sts_assumerole_abuse.toml * Update privilege_escalation_sts_assumerole_abuse.toml * Update * Update .gitignore Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update privilege_escalation_sts_assumerole_abuse.toml * Update privilege_escalation_sts_assumerole_abuse.toml * Update privilege_escalation_sts_assumerole_abuse.toml * Update and rename privilege_escalation_sts_assumerole_abuse.toml to privilege_escalation_sts_assumerole_usage.toml * Update rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Add note field * Update privilege_escalation_sts_assumerole_usage.toml * Update rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Adding Reference * Expand STS Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>	2021-10-15 15:56:10 -03:00
Austin Songer	27ba204f1c	[New Rule] GCP Kubernetes Rolebindings Created or Patched (#1267 ) * Update impact_iam_deactivate_mfa_device.toml https://github.com/elastic/detection-rules/issues/1111 * Update impact_iam_deactivate_mfa_device.toml * Update discovery_post_exploitation_external_ip_lookup.toml "ipapi.co", "ip-lookup.net", "ipstack.com" Update rules/aws/impact_iam_deactivate_mfa_device.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Revert "Update discovery_post_exploitation_external_ip_lookup.toml" This reverts commit b57fd60c9511e20a336d32a9c9b8d5cf9954c50e. * Update * New Rule: Okta User Attempted Unauthorized Access * Update privilege_escalation_okta_user_attempted_unauthorized_access.toml * Update privilege_escalation_okta_user_attempted_unauthorized_access.toml * Delete privilege_escalation_okta_user_attempted_unauthorized_access.toml * Create persistence_new-or-modified-federation-domain.toml * Delete persistence_new-or-modified-federation-domain.toml * Create credential_access_gcp_kubernetes_rolebindings_creation.toml * Update credential_access_gcp_kubernetes_rolebindings_creation.toml * Update credential_access_gcp_kubernetes_rolebindings_creation.toml * Update credential_access_gcp_kubernetes_rolebindings_creation.toml * Update credential_access_gcp_kubernetes_rolebindings_creation.toml * Update credential_access_gcp_kubernetes_rolebindings_creation.toml * Update credential_access_gcp_kubernetes_rolebindings_creation.toml * Update * Update .gitignore Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update rules/integrations/gcp/credential_access_gcp_kubernetes_rolebindings_creation.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update credential_access_gcp_kubernetes_rolebindings_creation.toml * Update credential_access_gcp_kubernetes_rolebindings_creation.toml * Update and rename credential_access_gcp_kubernetes_rolebindings_creation.toml to credential_access_gcp_kubernetes_rolebindings_created_or_patched.toml * Update credential_access_gcp_kubernetes_rolebindings_created_or_patched.toml * Update credential_access_gcp_kubernetes_rolebindings_created_or_patched.toml * Rename credential_access_gcp_kubernetes_rolebindings_created_or_patched.toml to privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.toml * remove space from query Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2021-10-15 15:42:25 -03:00
Austin Songer	7123d46623	[New Rule] Azure Blob Permissions Modification (#1499 ) * Create defense_evasion_azure_blob_permissions_modified.toml * Update defense_evasion_azure_blob_permissions_modified.toml * Update defense_evasion_azure_blob_permissions_modified.toml * Update description and query (spacing) Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>	2021-10-14 06:59:24 -03:00
Austin Songer	3d15c2072d	[New Rule] Azure Kubernetes Events Deleted (#1307 ) * Create defense_evasion_kubernetes_events_deleted.toml * Update defense_evasion_kubernetes_events_deleted.toml * Update defense_evasion_kubernetes_events_deleted.toml * Update * Update defense_evasion_kubernetes_events_deleted.toml * Update defense_evasion_kubernetes_events_deleted.toml * Update defense_evasion_kubernetes_events_deleted.toml * Update rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Add quotes to azure query field Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2021-10-14 06:57:33 -03:00
Austin Songer	11fa592c6f	[New Rule] Microsoft 365 - Impossible travel activity (#1344 ) * Create initial_access_microsoft_365_impossible_travel_activity.toml * Update initial_access_microsoft_365_impossible_travel_activity.toml * Update initial_access_microsoft_365_impossible_travel_activity.toml * Update initial_access_microsoft_365_impossible_travel_activity.toml * Update initial_access_microsoft_365_impossible_travel_activity.toml * Update initial_access_microsoft_365_impossible_travel_activity.toml * Update initial_access_microsoft_365_impossible_travel_activity.toml * Updated Directory * Update initial_access_microsoft_365_impossible_travel_activity.toml * Update rules/integrations/o365/initial_access_microsoft_365_impossible_travel_activity.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update initial_access_microsoft_365_impossible_travel_activity.toml * Update initial_access_microsoft_365_impossible_travel_activity.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>	2021-10-12 19:11:32 -03:00
Austin Songer	c8ac37957d	[New Rule] Microsoft 365 - User Restricted from Sending Email (#1345 ) * Create initial_access_microsoft_365_user_restricted_from_sending_email.toml * Update initial_access_microsoft_365_user_restricted_from_sending_email.toml * Update * Update initial_access_microsoft_365_user_restricted_from_sending_email.toml * Update rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update initial_access_microsoft_365_user_restricted_from_sending_email.toml * Update initial_access_microsoft_365_user_restricted_from_sending_email.toml * Update initial_access_microsoft_365_user_restricted_from_sending_email.toml * Fix technique * update description and FP Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2021-10-12 18:32:54 -03:00
Austin Songer	98c217ece9	[New Rule] Microsoft 365 - Potential ransomware activity (#1346 ) * Create impact_microsoft_365_potential_ransomware_activity.toml * Update impact_microsoft_365_potential_ransomware_activity.toml * Update impact_microsoft_365_potential_ransomware_activity.toml * Update * Update impact_microsoft_365_potential_ransomware_activity.toml * Update rules/integrations/o365/impact_microsoft_365_potential_ransomware_activity.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update impact_microsoft_365_potential_ransomware_activity.toml * Update impact_microsoft_365_potential_ransomware_activity.toml * bump to prod Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2021-10-12 18:26:17 -03:00
Austin Songer	82e72a956b	[New Rule] AWS Route Table Modified or Deleted (#1258 ) * Update impact_iam_deactivate_mfa_device.toml https://github.com/elastic/detection-rules/issues/1111 * Update impact_iam_deactivate_mfa_device.toml * Update discovery_post_exploitation_external_ip_lookup.toml "ipapi.co", "ip-lookup.net", "ipstack.com" Update rules/aws/impact_iam_deactivate_mfa_device.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Revert "Update discovery_post_exploitation_external_ip_lookup.toml" This reverts commit b57fd60c9511e20a336d32a9c9b8d5cf9954c50e. * Update * New Rule: Okta User Attempted Unauthorized Access * Update privilege_escalation_okta_user_attempted_unauthorized_access.toml * Update privilege_escalation_okta_user_attempted_unauthorized_access.toml * Delete privilege_escalation_okta_user_attempted_unauthorized_access.toml * Create persistence_new-or-modified-federation-domain.toml * Delete persistence_new-or-modified-federation-domain.toml * Create persistence_route_table_modified_or_deleted.toml * Update persistence_route_table_modified_or_deleted.toml * Update persistence_route_table_modified_or_deleted.toml * Update * Update .gitignore Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update persistence_route_table_modified_or_deleted.toml * Update persistence_route_table_modified_or_deleted.toml * Update persistence_route_table_modified_or_deleted.toml * remove space from query Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2021-10-12 15:16:48 -03:00
Austin Songer	9508002bb3	[New Rule] AWS ElastiCache Security Group Created (#1363 ) * Create persistence_elasticache_security_group_creation.toml * Update * Update rules/integrations/aws/persistence_elasticache_security_group_creation.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Rename persistence_elasticache_security_group_creation.toml to defense_evasion_elasticache_security_group_creation.toml * Update defense_evasion_elasticache_security_group_creation.toml * Update defense_evasion_elasticache_security_group_creation.toml * Re-add rule.threat * Update rules/integrations/aws/defense_evasion_elasticache_security_group_creation.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * remove extra space from query Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2021-10-05 14:00:29 -03:00
Austin Songer	3b0d2006b7	Made these pull requests before the directory restructure. (#1517 ) Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2021-10-05 09:29:40 -03:00
Austin Songer	0a3c44e8db	[Rule Tuning] AWS RDS Snapshot Export and AWS RDS Instance Created (#1514 )	2021-10-04 13:31:31 -08:00
Austin Songer	f41714642c	[New Rule] AWS ElastiCache Security Group Modified or Deleted (#1364 ) * Create impact_aws_elasticache_security_group_modified_or_deleted.toml * Rename impact_aws_elasticache_security_group_modified_or_deleted.toml to impact_elasticache_security_group_modified_or_deleted.toml * Update impact_elasticache_security_group_modified_or_deleted.toml * Update * Update rules/integrations/aws/impact_elasticache_security_group_modified_or_deleted.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update impact_elasticache_security_group_modified_or_deleted.toml * Update impact_elasticache_security_group_modified_or_deleted.toml * Rename impact_elasticache_security_group_modified_or_deleted.toml to defense_evasion_elasticache_security_group_modified_or_deleted.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2021-10-04 15:38:37 -03:00
Jonhnathan	ba9c01be50	Rename new_or_modified_federation_domain.toml to correspond with tactic (#1511 )	2021-09-30 13:08:35 -08:00
Jonhnathan	5e4a7e67df	[Rule Tuning] Small update on rule descriptions (#1508 )	2021-09-30 12:54:15 -08:00
Austin Songer	d28c48f20f	[New Rule] Azure Frontdoor Web Application Firewall (WAF) Policy Deleted (#1393 )	2021-09-29 09:08:09 -08:00
Austin Songer	a51ed86851	[New Rule] New or Modified Federation Domain (#1212 ) * Update impact_iam_deactivate_mfa_device.toml https://github.com/elastic/detection-rules/issues/1111 * Update impact_iam_deactivate_mfa_device.toml * Update discovery_post_exploitation_external_ip_lookup.toml "ipapi.co", "ip-lookup.net", "ipstack.com" Update rules/aws/impact_iam_deactivate_mfa_device.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Revert "Update discovery_post_exploitation_external_ip_lookup.toml" This reverts commit b57fd60c9511e20a336d32a9c9b8d5cf9954c50e. * Update * New Rule: Okta User Attempted Unauthorized Access * Update privilege_escalation_okta_user_attempted_unauthorized_access.toml * Update privilege_escalation_okta_user_attempted_unauthorized_access.toml * Delete privilege_escalation_okta_user_attempted_unauthorized_access.toml * Create persistence_new-or-modified-federation-domain.toml * Delete persistence_new-or-modified-federation-domain.toml * Create persistence_new-or-modified-federation-domain.toml * Rename persistence_new-or-modified-federation-domain.toml to persistence_new_or_modified_federation_domain.toml * Update persistence_new_or_modified_federation_domain.toml * Update .gitignore Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/microsoft-365/persistence_new_or_modified_federation_domain.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/microsoft-365/persistence_new_or_modified_federation_domain.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update persistence_new_or_modified_federation_domain.toml * Update persistence_new_or_modified_federation_domain.toml * Update persistence_new_or_modified_federation_domain.toml * Update * Update persistence_new_or_modified_federation_domain.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2021-09-29 09:16:17 -03:00
Austin Songer	93b8038d7d	[New Rule] AWS STS GetSessionToken Abuse (#1213 ) * Update impact_iam_deactivate_mfa_device.toml https://github.com/elastic/detection-rules/issues/1111 * Update impact_iam_deactivate_mfa_device.toml * Update discovery_post_exploitation_external_ip_lookup.toml "ipapi.co", "ip-lookup.net", "ipstack.com" Update rules/aws/impact_iam_deactivate_mfa_device.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Revert "Update discovery_post_exploitation_external_ip_lookup.toml" This reverts commit b57fd60c9511e20a336d32a9c9b8d5cf9954c50e. * Update * New Rule: Okta User Attempted Unauthorized Access * Update privilege_escalation_okta_user_attempted_unauthorized_access.toml * Update privilege_escalation_okta_user_attempted_unauthorized_access.toml * Delete privilege_escalation_okta_user_attempted_unauthorized_access.toml * Create persistence_new-or-modified-federation-domain.toml * Delete persistence_new-or-modified-federation-domain.toml * Create lateral_movement_sts_getsessiontoken_abuse.toml * Rename lateral_movement_sts_getsessiontoken_abuse.toml to privilege_escalation_sts_getsessiontoken_abuse.toml * Update privilege_escalation_sts_getsessiontoken_abuse.toml * Update rules/aws/privilege_escalation_sts_getsessiontoken_abuse.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update .gitignore Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update privilege_escalation_sts_getsessiontoken_abuse.toml * Update privilege_escalation_sts_getsessiontoken_abuse.toml * Update * Update rules/integrations/aws/privilege_escalation_sts_getsessiontoken_abuse.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>	2021-09-22 16:28:02 -03:00
Justin Ibarra	8e3b1d28c4	[Rule Tuning] Fix typos in rule metadata (#1494 ) Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>	2021-09-21 16:31:00 -03:00
dstepanic17	9ff3873ee7	[rule-tuning] Adding more context with triage/investigation (#1481 ) * [rule-tuning] Adding more context with triage/investigation * Adding mimikatz rule * Fixed updated date on mimikatz rule * Adding Defender update * Adding scheduled task * Adding AdFind * Adding rare process * Adding cloudtrail country * Adding cloudtrail spike * Adding threat intel * Fixed minor spelling/syntax * Fixed minor spelling/syntax p2 * Update rules/cross-platform/threat_intel_module_match.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/integrations/aws/ml_cloudtrail_error_message_spike.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/ml/ml_rare_process_by_host_windows.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/credential_access_mimikatz_powershell_module.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/credential_access_mimikatz_powershell_module.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/defense_evasion_defender_exclusion_via_powershell.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/discovery_adfind_command_activity.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/discovery_adfind_command_activity.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/discovery_adfind_command_activity.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/discovery_adfind_command_activity.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/discovery_adfind_command_activity.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/discovery_adfind_command_activity.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Removed MITRE link, added Microsoft * Update ml_cloudtrail_error_message_spike.toml * Update ml_cloudtrail_rare_method_by_country.toml * Update ml_rare_process_by_host_windows.toml * Update credential_access_mimikatz_powershell_module.toml * Update defense_evasion_defender_exclusion_via_powershell.toml * Update discovery_adfind_command_activity.toml * Update lateral_movement_dns_server_overflow.toml * Update lateral_movement_scheduled_task_target.toml * Update persistence_evasion_registry_startup_shell_folder_modified.toml * Update defense_evasion_defender_exclusion_via_powershell.toml * Update lateral_movement_scheduled_task_target.toml * Update persistence_evasion_registry_startup_shell_folder_modified.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2021-09-15 20:07:21 -05:00
Ross Wolf	c9d6527280	Revert #1440 new endpoint promotion rule (#1470 ) * Revert #1440 new endpoint promotion rule * Set the updated_at date	2021-09-03 08:07:20 -06:00
Nic	8b2c8c2e03	[Rule tuning] Azure Active Directory High Risk Sign-in (#1463 ) * Add Aggregated Risk Level * There can be a risk_level_during_signin:low but have a risk_level_aggregated:high which is also just as concerning and must be alerted on. * An example is a password spray attack and have a successful login. Which makes me consider a new rule for interesting risk event types	2021-08-30 14:33:44 -08:00
Ross Wolf	675e870a30	Set min stack to 7.15 for Behavior Protection promotion	2021-08-26 08:53:02 -06:00
Ross Wolf	3b338baab0	[New Rule] Endpoint Security Behavior Protection (#1440 ) * [New Rule] Endpoint Security Behavioral Protection * Update readme and labeler for endpoint integration * Fix new rule to use event.code * Fix old rule to use event.code * Changed from behavioral to behavior * Rename elastic_endpoint_security_behavioral.toml to elastic_endpoint_security_behavior_protection.toml * Back from the future (updated_date) Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>	2021-08-25 09:56:59 -06:00
Austin Songer	3b29498907	[Rule Tuning] AWS Security Group Configuration Change Detection (#1426 ) * move rule "AWS Security Group Configuration Change Detection" to integrations directory and add "aws" integration	2021-08-14 20:34:13 -08:00
Justin Ibarra	f8f643041a	[Rule tuning] Revise rule description and other text (#1398 )	2021-08-03 13:07:47 -08:00
Justin Ibarra	b736d6e748	[Rule Tuning] Rule description tweaks (#1388 )	2021-07-29 10:56:13 -08:00
Ross Wolf	1882f4456c	[Fleet] Track integrations in folder and metadata (#1372 ) * Track integrations in folder and metadata * Remove duplicate entry * Update note and tests	2021-07-21 15:24:56 -06:00

43 Commits