db90345fd5
[Rule Tuning] Kubernetes Anonymous Request Authorized ( #2865 )
...
* rule tuning for exclusions
* optimized query
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-07-17 13:03:05 -04:00
0b64638bf7
[New Rule] AWS Credentials Searched For Inside a Container ( #2887 )
...
* new rule toml
* Updated query
updated query based on review and added additional search queries
* updated rule query based on review
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-07-17 12:29:02 -04:00
0f5b5a3551
[Rule Tuning] Add Okta Investigation Guides Part 1 ( #2899 )
...
* adding investigation guides for Okta rules
* Update rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* added MFA to investigation guide for brute forcing
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-07-17 11:47:02 -04:00
8703c65f87
[Tuning] Azure Network Packet Capture Detected ( #2888 )
2023-06-28 16:32:56 +02:00
aaa4ce2ea0
[BUG] test_all_rule_queries_optimized does not run on rules ( #2823 )
...
* Fixed kql -> kuery in test_all_rule_queries_opt...
* all queries optimized
* manually reconciled all rules that failed due to toml escaped chars
* merge rules from main
* Rules needing optimization
* Fix optimized note
* fix another note
* another note fix
* fixing whitespace
* Updated for readability
---------
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2023-06-23 10:58:31 -04:00
b4c84e8a40
[Security Content] Tags Reform ( #2725 )
...
* Update Tags
* Bump updated date separately to be easy to revert if needed
* Update resource_development_ml_linux_anomalous_compiler_activity.toml
* Apply changes from the discussion
* Update persistence_init_d_file_creation.toml
* Update defense_evasion_timestomp_sysmon.toml
* Update defense_evasion_application_removed_from_blocklist_in_google_workspace.toml
* Update missing Tactic tags
* Update unit tests to match new tags
* Add missing IG tags
* Delete okta_threat_detected_by_okta_threatinsight.toml
* Update command_and_control_google_drive_malicious_file_download.toml
* Update persistence_rc_script_creation.toml
* Mass bump
* Update persistence_shell_activity_by_web_server.toml
* .
---------
Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2023-06-22 18:38:56 -03:00
082e92c95c
[Rule Tuning] Adjust Okta ThreatInsight Rule to Promotion ( #2854 )
...
* adding new rule for Okta ThreatInsight threat suspected
* added promotion tag
* removed new rule and tuned existing
* added promotion tag
* Update rules/integrations/okta/okta_threatinsight_threat_suspected_promotion.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-06-21 09:47:27 -04:00
7f249e6cc4
[Security Content] Add Google Workspace Investigation Guides ( #2540 )
...
* adding google workspace investigation guides
* updated 'Google Workspace Custom Gmail Route Created or Modified' guide
* updated 'Google Workspace Custom Gmail Route Created or Modified' guide
* updated 'Application Removed from Blocklist in Google Workspace'
* updated 'Domain Added to Google Workspace Trusted Domains'
* updated 'Google Workspace Bitlocker Setting Disabled'
* updated 'Google Workspace Admin Role Deletion'
* updated 'Application Added to Google Workspace Domain'
* updated 'Google Workspace Admin Role Assigned to a User'
* updated 'Google Workspace Role Modified'
* updated 'Google Workspace Custom Admin Role Created'
* updated 'Google Workspace API Access Granted via Domain-Wide Delegation of Authority'
* updated 'Google Workspace Password Policy Modified'
* updated 'Google Workspace Restrictions for Google Marketplace Modified to Allow Any App'
* updated 'Google Workspace User Organizational Unit Changed'
* reverted 'Google Workspace User Group Access Modified to Allow External Access'
* removed new lines
* added 'Investigation Guide' tags
* Update rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
* Update rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com >
* Update rules/integrations/google_workspace/collection_google_workspace_custom_gmail_route_created_or_modified.toml
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com >
* Update rules/integrations/google_workspace/collection_google_workspace_custom_gmail_route_created_or_modified.toml
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com >
* Update rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com >
* Update rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com >
* Update rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com >
* Update rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com >
* Update rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com >
* Update rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com >
* Update rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com >
* Update rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com >
* Update rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com >
* Update rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com >
* Update rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com >
* Update rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com >
* Update rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com >
* Update rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com >
* Update rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com >
* Update rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com >
* Update rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com >
* Update rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com >
* Update rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com >
* Update rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com >
* Update rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com >
* Update rules/integrations/google_workspace/collection_google_workspace_custom_gmail_route_created_or_modified.toml
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com >
* Update rules/integrations/google_workspace/defense_evasion_google_workspace_restrictions_for_google_marketplace_changed_to_allow_any_app.toml
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com >
* Update rules/integrations/google_workspace/impact_google_workspace_admin_role_deletion.toml
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com >
* Update rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com >
* Update rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com >
* Update rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/integrations/google_workspace/collection_google_workspace_custom_gmail_route_created_or_modified.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/integrations/google_workspace/persistence_google_workspace_password_policy_modified.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/integrations/google_workspace/persistence_google_workspace_password_policy_modified.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/integrations/google_workspace/persistence_google_workspace_password_policy_modified.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/integrations/google_workspace/persistence_google_workspace_password_policy_modified.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Apply suggestions from code review
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com >
* Update rules/integrations/google_workspace/collection_google_workspace_custom_gmail_route_created_or_modified.toml
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com >
* Update rules/integrations/google_workspace/persistence_google_workspace_2sv_policy_disabled.toml
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com >
* Apply suggestions from code review
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com >
* Apply suggestions from code review
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com >
* Update rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Apply suggestions from code review
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com >
* Update rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Apply suggestions from code review
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* removed duplicate file
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
2023-05-18 10:16:20 -04:00
0eed8ce27f
[New Rule] SSH Process Launched From Inside A Container ( #2794 )
...
* [New Rule] SSH Process Launched From Inside A Container
new toml rule file
* changed "not" query
changed query to !=
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2023-05-16 17:32:58 -04:00
b0838cc2cb
[New Rule] SSH Connection Established Inside A Running Container ( #2793 )
...
* [New Rule] SSH Connection Established Inside A Running Container
new rule toml
* Update initial_access_ssh_connection_established_inside_a_container.toml
moved order of tactics
* Apply suggestions from code review
updated spacing based on code review
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2023-05-16 16:56:52 -04:00
515d393828
[New Rule] SSH Authorized Keys File Modified Inside a Container ( #2792 )
...
* [New Rule] SSH Authorized Keys File Modified Inside a Container
new rule toml
* toml file name change
changed duplicate toml file name
* Update persistence_ssh_authorized_keys_modification_inside_a_container.toml
added time intervals
* removed redundant event.type
removed event.type fields
* added back event.type and removed event.action per reviewer suggestion
removed redundant event.action fields
2023-05-16 16:30:17 -04:00
648dd8b3ed
[New Rule] Interactive Exec Command Launched Against A Running Container ( #2791 )
...
* [New Rule] Interactive Exec Command Launched Against A Running Container
new rule toml
* Update execution_interactive_exec_to_container.toml
updated reference links
* Update execution_interactive_exec_to_container.toml
fixed the comments
* Update execution_interactive_exec_to_container.toml
* Update execution_interactive_exec_to_container.toml
removed process.session_leader.same_as_process
* Update execution_interactive_exec_to_container.toml
added time intervals
* Apply suggestions from code review
updated spacing
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2023-05-16 16:09:10 -04:00
9e3dc112b3
[New Rule] Sensitive Files Compression Inside A Container ( #2790 )
...
new rule toml
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-05-16 15:49:42 -04:00
d8e9874d54
[New Rule] Sensitive Keys Or Passwords Searched For Inside A Container ( #2789 )
...
* [New Rule] Sensitive Keys Or Passwords Searched For Inside A Container
new rule toml
* description update
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* added locate and mlocate based on review suggestion
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2023-05-16 15:29:54 -04:00
73f87ad7e6
[New Rule] Suspicious Network Tool Launched Inside A Container ( #2759 )
...
* [New Rule] Suspicious Network Tool Launched Inside A Container
new rule
* Apply suggestions from code review
removed unused fields, adjust from field for readability
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
* update based on reviews
added additional tools, added false positives section, raised risk score
* Update discovery_suspicious_network_tool_launched_inside_a_container.toml
adjusted tags
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-05-16 15:21:42 -04:00
5fd155849e
[New Rule] File Made Executable via Chmod Inside A Container ( #2757 )
...
* [New Rule] File Made Executable via Chmod Inside A Container
new rule
* edit threat matrix urls
add final / to reference urls
* Apply suggestions from code review
removed unused fields, adjust from field for readability
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
* Update execution_file_made_executable_via_chmod_inside_a_container.toml
rule query change to remove exclusion and add more common chmod executable patterns, nit review comments, additional tactic, technique and subtechnique
* Update execution_file_made_executable_via_chmod_inside_a_container.toml
added Defense Evasion tag
* Update execution_file_made_executable_via_chmod_inside_a_container.toml
* Update execution_file_made_executable_via_chmod_inside_a_container.toml
adjusted tags
* Update execution_file_made_executable_via_chmod_inside_a_container.toml
changed rule type to file instead of process to eliminate false positive results from adding the number modification parts of the query
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-05-16 15:15:49 -04:00
4c996490ec
[New Rule] Netcat Listener Established Inside A Container ( #2756 )
...
* [New Rule] Netcat Listener Established Inside A Container
new rule toml
* remove references
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
* remove false_positives
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
* adjust from field from s to m for readability
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
* Apply suggestions from code review
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
* Update execution_netcat_listener_established_inside_a_container.toml
updated query, updated risk score, expanded explanation for 2nd part of the query where process args is used to search for target executables
* optimized query
optimized query to deduplicate fields based on review feedback
* Update execution_netcat_listener_established_inside_a_container.toml
updated query comment
* Update execution_netcat_listener_established_inside_a_container.toml
added false positive section
* Update execution_netcat_listener_established_inside_a_container.toml
adjusted tags
* removed the != end query parameter
removed the exclusion of end events for this to account for short-lived netcat listener processes
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2023-05-16 15:08:20 -04:00
e954b6d7eb
[New Rule] Interactive Shell Spawned From Inside a Container ( #2752 )
...
* Create execution_interactive_shell_spawned_from_inside_a_container.toml
new rule
* Update execution_interactive_shell_spawned_from_inside_a_container.toml
edited threat matrix
* Update execution_interactive_shell_spawned_from_inside_a_container.toml
changed boolean in query from string type
* Update execution_interactive_shell_spawned_from_inside_a_container.toml
added timestamp_override field
* Apply suggestions from code review
readability from field change, removed references field
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
* Apply suggestions from code review
index spacing, rule name, comment change
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
* Update execution_interactive_shell_spawned_from_inside_a_container.toml
updated description, updated query to utilize container.id field to distinguish container vs linux rule, remove unneccesary comments and simplify the query.
* Update rule query
updated rule query to use process.executable and an or field for event.action
* Update execution_interactive_shell_spawned_from_inside_a_container.toml
adjusted tags
* changed "not" in query
event.action != end based on review suggestion
* spacing around comments
* removed ending wildcard causing FPs
removed ending wildcard for process.args /sh as it's causing FPs and will risk being too noisy
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2023-05-16 15:02:20 -04:00
ee86144565
[New Rule] Container Management Binary Run Inside A Container ( #2754 )
...
* [New Rule] Container Management Binary Run Inside A Container
new rule
* Apply suggestions from code review
removed unused fields, adjust from field for readability
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
* Apply suggestions from code review
description change, name change, index spacing
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
* Update false_positives and query
added false positives section and updated query with container.id field
* Update execution_container_management_binary_launched_inside_a_container.toml
adjusted tags
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-05-16 14:41:27 -04:00
71d93e875e
[Rule Tuning] Tuning 'AWS Access Secret in Secrets Manager' to New Terms ( #2760 )
...
* [Rule Tuning] Tuning 'AWS Access Secret in Secrets Manager' to New Terms
* updated new terms
2023-05-03 09:28:59 -04:00
7435ac39d2
[Rule Tuning] added rule name override for cloud_defend integration rule ( #2767 )
2023-05-02 00:05:24 -04:00
f21a9e4793
updating min stack comments ( #2712 )
2023-04-12 14:30:34 -04:00
d6f277e379
[New Rule] Google Workspace New OAuth Login from Third-Party Application ( #2677 )
...
* adding new rule 'Google Workspace New OAuth Login from Custom Application'
* changed name and 'custom' to 'third-party'
* Update rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml
* Update rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml
* updated non-ecs
2023-04-12 09:40:31 -04:00
4511ab0666
[Rule Tuning] Add Sequence for OAuth Authorization to Custom App - Google Workspace ( #2674 )
...
* tuning rule to add token sequence
* updated date
* updated non-ecs, integration schemas and manifests
* added investigation guide
* Updating note
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* updating note
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* updated false positive description
* updating manifest and schemas with main to resolve conflicts
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
2023-04-12 09:15:58 -04:00
d0ea8c6f98
[New Rule] new CWP rule to surface alerts from the cloud_defend integration ( #2679 )
...
* new CWP rule to surface alerts from the cloud_defend integration
* created new rule uuid
* updated version info. removed risk level overrides and endpoint exception list
* added event.module
* removed rule name override
* updated_date and min_stack_comments updated
* updated external alerts updated_date. added kubernetes to cwp rule tags
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-04-05 21:31:03 -03:00
71d12bdda4
[Bug] Unit Tests Passing for Rules with Integrations Not Reflected in Manifests ( #2682 )
...
* add promotion to rulemeta schema class and updated promotion rules
* add promotion to rulemeta schema class and updated promotion rules
* adjusted test_integration_tag and okta rule missing dataset
* fixed flake errors
* updated manifests and schemas to include cloud defend
2023-04-03 09:42:40 -04:00
76500f0d46
[New Rule] Google Workspace Drive - Encryption Key(s) Accessed from Anonymous User ( #2654 )
...
* new rule 'Google Workspace Drive Encryption Key(s) Accessed from Anonymous User'
* updated MITRE ATT&CK mappings
2023-03-24 12:21:56 -04:00
7be5788945
[New Rule] Google Workspace Resource Copied from External Drive ( #2627 )
...
* added new rule 'Google Workspace Resource Copied from External Drive'
* adjusted mitre att&ck subtechnique ID
2023-03-20 14:37:58 -04:00
2c5470349c
[New Rule] External User Added to Private Organization Group ( #2577 )
...
* new rule 'External User Added to Google Workspace Group'
* Update rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* added Investigation Guide tag
---------
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-03-20 14:32:42 -04:00
38b8311482
[Security Content] Expand Abbreviated Tags ( #2414 )
...
* [Security Content] Expand Abbreviated Tags
* .
* Update privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.toml
* Apply suggestions from code review
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Revert changes to deprecated rules
* Bump updated_date
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
2023-03-06 17:37:52 -03:00
bb4f7acf27
deprecate 'Google Workspace User Group Access Modified to Allow External Access' ( #2576 )
...
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-03-02 11:29:14 -05:00
46b18b5a07
[New Rule] Google Workspace - Suspended User Account Renewed ( #2592 )
...
* new rule for suspended user account renewal in Google Workspace
* fixed risk score; toml linted
* Update rules/integrations/google_workspace/initial_access_google_workspace_suspended_user_renewed.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
2023-03-02 11:23:49 -05:00
1784429aa7
[FR] Add Integration Schema Query Validation ( #2470 )
2023-02-02 16:22:44 -05:00
e5d81e77f7
[New Rule] Add Google Workspace Alert Center Promotional Rule ( #2471 )
...
* Add Google Workspace Alert Center Promotional Rule
* added severity mapping overrides
2023-01-17 12:09:13 -05:00
b61da98f97
[Rule Tuning] Bumping min-stack version for Google Workspace to 8.4 ( #2467 )
...
* Bumping min-stack version for Google Workspace to 8.4
* changed 'updated_date' values
2023-01-13 13:29:28 -05:00
9981cca275
[Security Content] Investigation Guides Line breaks refactor ( #2454 )
...
* [Security Content] Investigation Guides Line breaks refactor (#2412 )
* [Security Content] Investigation Guides Line break refactor
* undo updated_date bump on deprecated rules
* Remove duplicated key
* Remove changes to deprecated rules
* Update command_and_control_certutil_network_connection.toml
2023-01-09 13:28:10 -03:00
b1a689b6fd
Revert "[Security Content] Investigation Guides Line breaks refactor ( #2412 )" ( #2453 )
...
This reverts commit d1481e1a88
2023-01-09 10:44:54 -05:00
d1481e1a88
[Security Content] Investigation Guides Line breaks refactor ( #2412 )
...
* [Security Content] Investigation Guides Line break refactor
* undo updated_date bump on deprecated rules
* Remove duplicated key
2023-01-09 11:56:39 -03:00
4312d8c958
[FR] Add Endpoint, APM and Windows Integration Tags to Rules and Supportability ( #2429 )
...
* initial commit
* addressing flake errors
* added apm to _get_packagted_integrations logic
* addressed flake errors
* adjusted integration schema and updated rules to be a list
* updated several rules and removed a unit test
* updated rules with logs-* only index patterns
* Update tests/test_all_rules.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
* addressed flake errors
* integration is none is windows, endpoint or apm
* adding rules with accepted incoming changes from main
* fixed tag and tactic alignment errors from unit testing
* adjusted unit testing logic for integration tags; added more exclusion rules
* adjusted test_integration logic to be rule resistent and skip if -8.3
* adjusted comments for unit test skip
* fixed merge conflicts from main
* changing test_integration_tag to remove logic for rule version comparisons
* added integration tag to new rule
* adjusted rules updated_date value
* ignore guided onboarding rule in unit tests
* added integration tag to new rule
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2023-01-04 09:30:07 -05:00
ae4e59ec7d
[FR] Update ATT&CK Package to v12.1 ( #2422 )
...
* initial update to v12.1 attack package
* added additional click echo output
* addressed flake errors
* updated rules with refreshed att&ck data
* Update detection_rules/devtools.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2022-12-16 12:04:20 -05:00
ac01718bb6
[Rule Tuning] Add tags to flag Sysmon-only rules & Modify Investigation Guide-related tag ( #2352 )
...
* [Rule Tuning] Add tags to flag Sysmon-only rules
* Modify tags
* Revert "Modify tags"
This reverts commit 3d9267d171a41f727bb499501d71d5c4db4f0434.
* Modify tags
* Update test_all_rules.py
* Update test_all_rules.py
* Update test_all_rules.py
* Update test_all_rules.py
* Update test_all_rules.py
2022-11-18 12:32:27 -03:00
7adb199afa
[Deprecation] GCP Kubernetes Rolebindings Created or Patched ( #2340 )
...
* Update privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.toml
Deprecating this rule due to high false positive rate. This behavior is too generic for an effective malicious behavior detection.
* move toml file to _deprecated
move toml file to _deprecated
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2022-11-09 12:51:52 -05:00
4997f95300
[Rule Tuning] Link Elastic Security Labs content to compatible rules ( #2388 )
...
* added elastic security labs URL references
* Update rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml
Is not compatible with Windows blog.
* Update rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml
Is not compatible with Windows blog. Reverting updated date.
* Update rules/macos/credential_access_access_to_browser_credentials_procargs.toml
Is not compatible with Windows blog. Reverting updated date.
* Update rules/macos/credential_access_access_to_browser_credentials_procargs.toml
Is not compatible with Windows blog.
* Update rules/ml/execution_ml_windows_anomalous_script.toml
Is not compatible with Windows blog. Reverting updated date.
* Update rules/linux/credential_access_collection_sensitive_files.toml
Not compatible with Windows blog. Reverting updated date.
* Update rules/linux/credential_access_collection_sensitive_files.toml
Not compatible with Windows blog.
* added credential access URL for mimikatz rules
* updated version ml windows anomalous script rule
* removed change to macOS rule since no blog correlation
2022-11-07 15:17:49 -05:00
4615b462be
[New Rule] AWS KMS CMK Disabled or Scheduled for Deletion ( #2318 )
...
* [New Rule] AWS KMS CMK Disabled or Scheduled for Deletion
* Fixed double double quotes
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Add min_stack metadata
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rule description as per suggestion
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Remove MITRE ATT&CK tactic
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rule_id
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Indent false positive section
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Keep ownership as per suggestion
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rule name
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Fix FPs section
* Delete .dccache
* Revert "Update rule name"
This reverts commit 8611c926dfe312f897399343c19d2a37783ada71.
* Revert "Fix FPs section"
This reverts commit 14148392dadf9a7870be1b0b4dbacf311dbbb4af.
* Update FPs section
* Delete .dccache
* Update rules/integrations/aws/impact_kms_cmk_disabled_or_scheduled_for_deletion.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2022-10-20 14:29:08 -03:00
aad546e65b
[Rule Tuning] Kubernetes Rules- Add MITRE technique "Deploy Container" ( #2341 )
...
* [Rule Tuning] Kubernetes Rules adds Mitre Execution-Deploy Container
This adds the following attacker threat and technique to each of these rules. Execute.Deploy Container
* updated_date
update the updated_date fields
2022-10-18 09:29:59 -04:00
78d6093176
[New Rule] Kubernetes Container Created with Excessive Linux Capabilites ( #2313 )
...
* [New Rule] Kubernetes Container Created with Excessive Linux Capabilites
This rule detects a container deployed with one or more dangerously permissive Linux capabilities. Using the Linux capabilities feature you can grant certain privileges to a process without granting all the privileges of the root user. Added capabilities entitle containers in a pod with additional privileges that can be used to change core processes and networking settings of a cluster. An attacker with the ability to deploy a container with added capabilities could use this for further execution, lateral movement, or privilege escalation within a cluster or the host machine. This rule detects the following capabilities and leaves space for the exception of trusted permissive containers specific to your environment:
BPF - Allow creating BPF maps, loading BPF Type Format (BTF) data, retrieve JITed code of BPF programs, and more.
DAC_READ_SEARCH - Bypass file read permission checks and directory read and execute permission checks.
NET_ADMIN - Perform various network-related operations.
SYS_ADMIN - Perform a range of system administration operations.
SYS_BOOT - Use reboot(2) and kexec_load(2), reboot and load a new kernel for later execution.
SYS_MODULE - Load and unload kernel modules.
SYS_PTRACE - Trace arbitrary processes using ptrace(2).
SYS_RAWIO - Perform I/O port operations (iopl(2) and ioperm(2)).
SYSLOG - Perform privileged syslog(2) operations.
* Update privilege_escalation_container_created_with_excessive_linux_capabilities.toml
Edited description, false positives, and elaborated with a partial investigation guide.
* Update privilege_escalation_container_created_with_excessive_linux_capabilities.toml
added exception to rule query
* Update privilege_escalation_container_created_with_excessive_linux_capabilities.toml
add Execution.Deploy Container Tactic.Technique
2022-10-04 17:28:03 -04:00
701c8a0e22
Rule Changes ( #2337 )
...
K8s Rule Changes
2022-10-04 16:56:45 -04:00
ec04a39413
[Security Content] Tag rules with robust Investigation Guides ( #2297 )
2022-09-23 14:20:32 -03:00
5b8593559c
[Rule Tuning] Kubernetes - update min_stack for new rules ( #2310 )
...
## Link to rule
https://github.com/elastic/detection-rules/blob/main/rules/integrations/kubernetes/discovery_denied_service_account_request.toml
https://github.com/elastic/detection-rules/blob/main/rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml
https://github.com/elastic/detection-rules/blob/main/rules/integrations/kubernetes/privilege_escalation_suspicious_assignment_of_controller_service_account.toml
## Description
<!-- Provide a detailed description of the suggested changes -->
min_stack change to 8.4 with new required fields added to Kubernetes Integration
2022-09-20 17:09:22 -04:00
963d01ba89
[New Rule] Kubernetes Suspicious Assignment of Controller Service Account ( #2298 )
...
* [New Rule] Kubernetes Suspicious Assignment of Controller Service Account
Issues
--
#2034
Summary
--
This rule detects a request to attach a controller service account to an existing or new pod running in the kube-system namespace. By default, controllers running as part of the API Server utilize admin-equivalent service accounts hosted in the kube-system namespace. Controller service accounts aren't normally assigned to running pods and could indicate adversary behavior within the cluster. An attacker that can create or modify pods or pod controllers in the kube-system namespace, can assign one of these admin-equivalent service accounts to a pod and abuse their powerful token to escalate privileges and gain complete cluster control.
* Update privilege_escalation_suspicious_assignment_of_controller_service_account.toml
updated query after testing
* Update non-ecs-schema.json
added new field used in query update
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2022-09-19 13:35:37 -04:00
Isai