Ruben Groenewoud
d7d8c414ec
[New Rule] File Creation in /var/log via Suspicious Process (#4528)
* [New Rule] File Creation in /var/log via Suspicious Process
* ++
* ++
2025-03-12 12:50:48 +01:00
github-actions[bot]
02be7cac0a
Update ATT&CK coverage URL(s) in docs-dev/ATT&CK-coverage.md (#4530)
2025-03-12 12:49:43 +05:30
Terrance DeJesus
3ed820afa8
[New Rule] Adding Coverage for Azure Entra Password Spraying (Non-Interactive SFA) (#4523)
* adding new rule 'Azure Entra Repeated Failed Sign-Ins via Non-Interactive Single-Factor Authentication'
* updating name
* added investigation guide
* updated investigation guide
* updated investigation guide
* removed unnecessary comment
* adjusted logic to count distinct on principal id; principal name will be in aggregations now
* updated Entra ID name
2025-03-11 11:25:10 -04:00
Terrance DeJesus
aacb376acf
[New Rule] Adding Coverage for Azure Entra Rare App ID for Principal Authentication (#4524)
* adding new rule 'Azure Entra Rare App ID for Principal Authentication'
* updating tactic tag
* adjusted query logic for user type
* updated Entra ID name
2025-03-11 11:05:56 -04:00
Terrance DeJesus
fd1369a164
[New Rule] Adding Coverage for Azure Entra Rare Instance of Single-Factor Authentication for User (#4525)
* adding new rule 'Azure Entra Rare Instance of Single-Factor Authentication for User'
* linted; updated UUID
* adjusted rule name and logic to focus on any rare authentication requirements
* adjusted file name
2025-03-11 10:51:01 -04:00
Terrance DeJesus
7c4f334a00
[New Hunt] Adding Hunting Queries for Azure Entra Sign-In Anomalies (#4527)
* adding new hunts for Azure entra sign-in anomalies
* fixing commented query logic; added hydra user agent
2025-03-11 10:27:08 -04:00
Eric Forte
4deb6a73b8
[FR] [DaC] Update Readme with DaC Support References (#4526)
* Update Readme with DaC Support References
* Patch bump
* Call out DaC Pipeline support
2025-03-10 21:24:12 -04:00
Eric Forte
eadcd9d3e0
[FR] Add Env Var DR_CLI_MAX_WIDTH and DaC Docs Updates (#4518)
* Add Env Var DR_CLI_MAX_WIDTH
* Version Bump
* Update limit from 120 to 240
* Clean references to reference main
* Update Readme with DaC Info
* Add DaC to Table of Contents
* Bump Patch Version
* Updated naming and add dac md
* Organize Imports
* Deprecate upload-rule
* Update docs/detections-as-code.md
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* move docs to docs-dev
* Sort custom rules imports
* Remove duplicate
* Fix typo
* Bump Patch Version
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
2025-03-10 12:59:12 -04:00
Sergey Polzunov
3bdda091e1
chore: use docs-dev instead of docs dir for docs (#4522)
* chore: use `docs-dev` instead of `docs` folder
* patch version bump
* Rollback an incorrect rename
* Use exact docs dir in the helper comment
* Revert some overeager renamings
* Moving `docs` to `docs-dev`
* Update Docs Paths
---------
Co-authored-by: eric-forte-elastic <eric.forte@elastic.co>
2025-03-07 14:34:51 +01:00
shashank-elastic
e28512a32f
Deprecation Notice to Cloud Defend Rules (#4520)
* Deprecation Notice to Cloud Defend Rules
* Update names in investigation guide
* Adding deprecation note under Setup field
* reverting back to setup field name
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
2025-03-07 00:20:00 -05:00
Ruben Groenewoud
561ab703de
[New Rule] Uncommon Destination Port Connection by Web Server (#4515)
2025-03-06 22:01:33 +05:30
Ruben Groenewoud
9fb7b57a47
[New Rule] Unusual File Creation from Web Server Parent (#4514)
* [New Rule] Unusual File Creation from Web Server Parent
* Update rules/linux/persistence_web_server_sus_file_creation.toml
* Move to BBR
2025-03-06 17:21:47 +01:00
Ruben Groenewoud
fe0a9f4935
[New/Tuning] Docker Socket Enumeration (#4510)
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2025-03-06 17:07:10 +01:00
Ruben Groenewoud
8dfa5da3bf
[New Rules] Potential Port/Subnet Scanning Activity from Compromised Host (#4509)
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2025-03-06 16:57:33 +01:00
Ruben Groenewoud
fe06843636
[New Rule] Unusual Process Spawned from Web Server Parent (#4513)
2025-03-06 16:46:12 +01:00
traut
6eed757b66
Revert "Moving docs to docs-dev"
This reverts commit 75abb8d0b5.
2025-03-06 16:29:37 +01:00
traut
75abb8d0b5
Moving docs to docs-dev
2025-03-06 16:27:26 +01:00
Ruben Groenewoud
7ce6aaf566
[New Rule] Unusual Command Execution from Web Server Parent (#4512)
* [New Rule] Unusual Command Execution from Web Server Parent
* ++
2025-03-06 16:25:38 +01:00
Kirti Sodhi
a1d6ff4a50
Added ML detection-rules for new Security Host package (#4519)
Co-authored-by: Shashank K S <Shashank.Suryanarayana@elastic.co>
Co-authored-by: Susan <23287722+susan-shu-c@users.noreply.github.com>
2025-03-06 19:53:29 +05:30
Sergey Polzunov
081bd03618
fix(ci): use negative patterns in paths instead of paths-ignore (#4521)
2025-03-06 13:57:41 +01:00
Sergey Polzunov
8854b3bea0
Ignore changes in rules/integrations except endpoint, and in _deprecated (#4498)
2025-03-05 12:49:46 +01:00
Sergey Polzunov
5f54eb8006
chore: Removing RTAs (#4437)
* Delete RTAs
* Delete RTA-related orchestration code
* Drop RTAs from tests
* Remove RTAs from README
* Further cleanup
* Readme update
* Version bump and no more RTAs
* Styling fixes
* Drop RTAs from config files
* Drop `rule-mapping.yaml`
* Bring back event collector / normalizer
* Drop rta mention
* Cleanup rta leftovers
* Style fix
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
2025-03-05 12:35:57 +01:00
Mika Ayenson, PhD
49c361dd98
[New Rules] Azure OpenAI (#3701)
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Co-authored-by: Shashank K S <Shashank.Suryanarayana@elastic.co>
2025-03-04 22:59:38 +05:30
Samirbous
b1470a480b
[New] WDAC Policy File by an Unusual Process (#4504)
* [New] WDAC Policy File by an Unusual Process
https://github.com/logangoins/Krueger/tree/main
* Update defense_evasion_wdac_policy_by_unusual_process.toml
* Update rules/windows/defense_evasion_wdac_policy_by_unusual_process.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
* Update defense_evasion_wdac_policy_by_unusual_process.toml
* Update defense_evasion_wdac_policy_by_unusual_process.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2025-03-04 15:21:58 +00:00
shashank-elastic
467034ee5b
Deprecate an APM BBR rule (#4511)
2025-03-04 17:39:45 +05:30
Ruben Groenewoud
b9e8115c2f
[New Rule] Python Site or User Customize File Creation (#4500)
* [New Rule] Python Site or User Customize File Creation
* Update persistence_site_and_user_customize_file_creation.toml
* Update persistence_site_and_user_customize_file_creation.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2025-03-03 15:30:33 +01:00
Ruben Groenewoud
d948279af6
[New Rule] Python Path File (pth) Creation (#4499)
* [New Rule] Python Path File (pth) Creation
* ++
* Update persistence_pth_file_creation.toml
* Update persistence_pth_file_creation.toml
* Update persistence_pth_file_creation.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2025-03-03 15:20:00 +01:00
Ruben Groenewoud
f70eafb8e7
[New Rule] Successful SSH Authentication from Unusual User (#4481)
* [New Rule] Successful SSH Authentication from Unusual User
* Rename initial_access_first_time_public_key_authentication.toml to initial_access_successful_ssh_authentication_by_unusual_user.toml
* Update rules/linux/initial_access_successful_ssh_authentication_by_unusual_user.toml
* Update initial_access_successful_ssh_authentication_by_unusual_user.toml
* Update rules/linux/initial_access_successful_ssh_authentication_by_unusual_user.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2025-03-03 11:55:27 +01:00
Jonhnathan
5653190d08
[Rule Tuning] Remove hardcoded logic from description (#4503)
2025-02-28 14:38:18 -03:00
Ruben Groenewoud
06002cd9ac
[New Rule] Kill Command Execution (#4485)
* [New Rule] Kill Command Execution
* Update defense_evasion_kill_command_executed.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2025-02-28 11:26:50 +01:00
Ruben Groenewoud
9bb3b9f204
[New Rule] Unusual File Transfer Utility Launched (#4487)
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2025-02-28 11:15:21 +01:00
Ruben Groenewoud
029fd45bb1
[New Rule] Base64 Decoded Payload Piped to Interpreter (#4488)
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2025-02-28 11:01:52 +01:00
Ruben Groenewoud
a2a120858f
[New Rule] Unusual Base64 Encoding/Decoding Activity (#4486)
* [New Rule] Unusual Base64 Encoding/Decoding Activity
* Update defense_evasion_base64_decoding_activity.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2025-02-28 10:09:48 +01:00
Ruben Groenewoud
8c250db3c3
[New Rule] Successful SSH Authentication from Unusual IP-Address (#4482)
* [New Rule] Successful SSH Authentication from Unusual IP-Address
* Apply suggestions from code review
* Update rules/linux/initial_access_successful_ssh_authentication_by_unusual_ip.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2025-02-28 09:55:35 +01:00
Ruben Groenewoud
89f79c6e4f
[New Rule] Successful SSH Authentication from Unusual SSH Public Key (#4478)
* [New Rule] First Time Public Key Authentication
* Update initial_access_first_time_public_key_authentication.toml
* Update initial_access_first_time_public_key_authentication.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2025-02-28 09:44:51 +01:00
Ruben Groenewoud
fe48309daf
[New Rule] Linux User Account Credential Modification (#4484)
* [New Rule] Linux User Account Credential Modification
* Update rules/linux/persistence_user_credential_modification_via_echo.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2025-02-27 16:42:11 +01:00
Ruben Groenewoud
342e18075b
[New Rule] SSH Authorized Keys File Deletion (#4483)
* [New Rule] Authorized Keys File Deletion
* Apply suggestions from code review
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2025-02-27 16:29:51 +01:00
Samirbous
46c4a80015
[Tuning] Remote File Copy to a Hidden Share (#4494)
* Update lateral_movement_remote_file_copy_hidden_share.toml
* Update lateral_movement_remote_file_copy_hidden_share.toml
* Update lateral_movement_remote_file_copy_hidden_share.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2025-02-27 11:50:02 -03:00
Samirbous
7b15acf9dd
Update defense_evasion_amsi_bypass_powershell.toml (#4477)
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2025-02-27 11:36:15 -03:00
Jonhnathan
0340335cf4
[Rule Tuning] Sysmon rules that use event.action (#4496)
* [Rule Tuning] Sysmon rules that use `event.action`
* Adjust queries
* Fix unit test :thinking-hard:
2025-02-27 11:24:42 -03:00
Ruben Groenewoud
a614da5900
[New Rule] Remote File Creation in World Writeable Directory (#4475)
* [New Rule] Remote File Creation in World Writeable Directory
* Update rules/linux/lateral_movement_remote_file_creation_world_writeable_dir.toml
* Update lateral_movement_remote_file_creation_world_writeable_dir.toml
* Update rules/linux/lateral_movement_remote_file_creation_world_writeable_dir.toml
2025-02-26 10:11:55 +01:00
Ruben Groenewoud
59473f09ac
[New Rule] Potential Malware-Driven SSH Brute Force Attempt (#4474)
* [New Rule] Potential Malware-Driven SSH Brute Force Attempt
* Update impact_potential_bruteforce_malware_infection.toml
* Update rules/linux/impact_potential_bruteforce_malware_infection.toml
* Update impact_potential_bruteforce_malware_infection.toml
2025-02-26 10:00:31 +01:00
Ruben Groenewoud
758e155231
[New Rule] High Number of Egress Network Connections from Unusual Executable (#4473)
* [New Rule] High Number of Egress Network Connections from Unusual Executable
* Update command_and_control_frequent_egress_netcon_from_sus_executable.toml
* Update rules/linux/command_and_control_frequent_egress_netcon_from_sus_executable.toml
* Update command_and_control_frequent_egress_netcon_from_sus_executable.toml
* Update command_and_control_frequent_egress_netcon_from_sus_executable.toml
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2025-02-26 09:43:54 +01:00
Ruben Groenewoud
8a221325e9
[New Rule] Unusual Remote File Creation (#4476)
* [New Rule] Unusual Remote File Creation
* Description update
* ++
* ++
* Update rules/linux/lateral_movement_unusual_remote_file_creation.toml
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2025-02-26 09:30:47 +01:00
Jonhnathan
73aaad98f0
[Rule Tuning] MsBuild Making Network Connections (#4479)
* [Rule Tuning] MsBuild Making Network Connections
* Remove Minstack
* Revert MMinstack removal
---------
Co-authored-by: Shashank K S <Shashank.Suryanarayana@elastic.co>
2025-02-25 10:04:04 -03:00
Jonhnathan
bc3e12da38
[Rule Tuning] Adapt Rules to work with Sysmon (#4480)
* [Rule Tuning] Remove Sysmon from rules that would never trigger based on its events
* bump updated_date
* Update rules/windows/lateral_movement_incoming_wmi.toml
* Update Logic to support sysmon data
* Update command_and_control_tool_transfer_via_curl.toml
2025-02-25 09:54:18 -03:00
Samirbous
8e3ad57672
Update defense_evasion_via_filter_manager.toml (#4493)
2025-02-25 09:29:36 +00:00
Eric Forte
4b8676c586
[Bug] [DaC] Fix Typo in CLI.md (#4491)
* Fix Typo in CLI.md
2025-02-24 10:15:19 -05:00
shashank-elastic
66996ac597
Fix typo in error message (#4489)
2025-02-24 20:16:43 +05:30
Terrance DeJesus
1851ab91fd
new hunting queries for Azure device code (#4468)
2025-02-21 11:00:34 -05:00