dfd261590b
Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13 ( #3615 )
...
(cherry picked from commit 374f21fbc4
2024-04-23 12:36:46 +00:00
868ab80c63
Fix minstack version for 0365 in azure integration rules ( #3612 )
...
(cherry picked from commit 7673ba484d
2024-04-22 13:55:15 +00:00
bda38d6f27
updating performance note ( #3608 )
...
(cherry picked from commit 69d42ecc71
2024-04-18 20:43:50 +00:00
fea73c9686
[New Rule] Potential Windows Session Hijacking via CcmExec ( #3602 )
...
* [New Rule] Potential Windows Session Hijacking via CcmExec
* Update rules/windows/defense_evasion_sccm_scnotification_dll.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
(cherry picked from commit 6ae0902a38
2024-04-18 16:05:03 +00:00
4562d694b0
[Rule Tuning] Further Tight up Elastic Defend Index Patterns ( #3584 )
...
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit 5004ff115c
2024-04-16 16:34:23 +00:00
f3d95cccce
adjust aws rule index patterns and tags ( #3595 )
...
(cherry picked from commit 74312797bf
2024-04-16 14:16:36 +00:00
e33d80804f
[Rule Tuning] Windows BBR Promotion ( #3577 )
...
* [Rule Tuning] Windows BBR Promotion
* Update non-ecs-schema.json
* Update persistence_netsh_helper_dll.toml
* Update persistence_werfault_reflectdebugger.toml
* Update privilege_escalation_unquoted_service_path.toml
* Update defense_evasion_msdt_suspicious_diagcab.toml
* Update defense_evasion_suspicious_msiexec_execution.toml
* Update discovery_security_software_wmic.toml
* Revert "Update defense_evasion_msdt_suspicious_diagcab.toml"
This reverts commit 0e1f3ea3e18a146c421a5bda784633cca4a2b0c0.
* Revert "Update defense_evasion_suspicious_msiexec_execution.toml"
This reverts commit 4e26a167774ad712d19334a4c2c712cc1d550e7f.
* Revert "Update discovery_security_software_wmic.toml"
This reverts commit d638cec354a46cacab1e62596f4ad939a1d9c32a.
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit c2d1586270
2024-04-16 12:36:20 +00:00
06a9b0e3b6
Bump KQL Version in Init ( #3597 )
...
(cherry picked from commit 114db81f07
2024-04-15 15:14:10 +00:00
f291aa105d
Update defense_evasion_untrusted_driver_loaded.toml ( #3596 )
...
excluding `errorCode_endpoint:*` status (noisy)
(cherry picked from commit 919a438257
2024-04-15 14:00:51 +00:00
52e86dc8e8
[Tuning] Connection to Commonly Abused Web Services ( #3587 )
...
excluding top noisy patterns :
- Microsoft signed binaries connecting to graph.microsoft.com and sharepoint.com
- Slack, Dropbox and other signed binaries.
- github.com (removed), most abused is rawgithub dns.question.name for ingress-script/payload download
(cherry picked from commit 9692e59abb
2024-04-11 11:18:52 +00:00
608a0ff0c2
[Rule Tuning] Windows BBR Rule Tuning - 1 ( #3579 )
...
* [Rule Tuning] Windows BBR Rule Tuning - 1
* Update non-ecs-schema.json
* Update rules_building_block/command_and_control_certutil_network_connection.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules_building_block/collection_common_compressed_archived_file.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Update defense_evasion_dll_hijack.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit d0dfa479bb
2024-04-08 13:46:29 +00:00
d21d94a8f8
[Rule Tuning] Windows BBR Rule Tuning - 3 ( #3581 )
...
* [Rule Tuning] Windows BBR Rule Tuning - 3
* Update non-ecs-schema.json
* Update rules_building_block/execution_settingcontent_ms_file_creation.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update persistence_startup_folder_lnk.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
(cherry picked from commit c5addae009
2024-04-08 12:55:35 +00:00
9756346df0
[Rule Tuning] Windows BBR Rule Tuning - 2 ( #3580 )
...
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Removed changes from:
- rules_building_block/discovery_posh_generic.toml
(selectively cherry picked from commit 1bc59bdc04
2024-04-08 12:42:20 +00:00
2a3a5a250e
[Rule Tuning] BBR Rule Tuning 1 - Tighten Indexes Edition ( #3576 )
...
* [Rule Tuning] BBR Rule Tuning 1 - Tighten Indexes Edition
* Apply suggestions from code review
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update defense_evasion_msdt_suspicious_diagcab.toml
* Update defense_evasion_suspicious_msiexec_execution.toml
* Update discovery_security_software_wmic.toml
* Update rules_building_block/discovery_security_software_wmic.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Endgame tag
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
(cherry picked from commit 109e8a85a5
2024-04-08 12:05:42 +00:00
525997e4e7
[Rule Tuning] WRITEDAC Access on Active Directory Object ( #3583 )
...
(cherry picked from commit e125a4e4cf
2024-04-08 11:51:13 +00:00
74d428b09e
[Rule Tuning] Svchost spawning Cmd ( #3578 )
...
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit aa0cc42ff6
2024-04-08 10:57:52 +00:00
a2cb089d12
updated to v14.0 mitre ATT&CK ( #3289 )
...
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com >
(cherry picked from commit 0cb42983c1
2024-04-05 18:38:20 +00:00
02be3c08e9
Bump KQL lib Version ( #3575 )
...
(cherry picked from commit e6f48ade01
2024-04-05 17:46:47 +00:00
dee8c947de
Update default ( #3574 )
...
(cherry picked from commit fbb6df506e
2024-04-05 00:35:15 +00:00
72ba0b16a9
[Bug] KQL fails validation on uppercase keywords ( #3568 )
...
* add todo
* Add a normalize_kql_keywords function to utils
* update rule loader to normalize and warn
* optimized loading
* fix linting
* Moved conversion to kql module.
* Updated unit test
* Refactor KQL parser to normalize keywords via flag
* Fix logic typo
* Update detection_rules/utils.py
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update lib/kql/kql/__init__.py
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Updated to fix unit tests and remove warnings
* linting typo
* Added comments
* remove unused imports
* Update kql.parse default
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
(cherry picked from commit 1566c29bae
2024-04-04 22:10:57 +00:00
645fa593a1
[Bug] New Terms Rule Import Failing ( #3569 )
...
* initial patch
* Update definitions to allow for brackets in name
* Update to prompt for required fields.
* Update detection_rules/cli_utils.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
(cherry picked from commit fa75876322
2024-04-04 21:45:02 +00:00
5a28e1ecac
[Bug] Add explicit format preserver ( #3566 )
...
(cherry picked from commit c35652c8c8
2024-04-04 20:58:27 +00:00
ec275e8d99
[Bug] Threshold Rule Importing Failures ( #3560 )
...
* remove threshold specific req
* fix test event override
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
(cherry picked from commit a9cc323d09
2024-04-03 18:23:39 +00:00
a6ea41cae0
Add filebeat-* index pattern to rules based on system.auth dataset ( #3561 )
...
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit 153657029b
2024-04-03 09:36:00 +00:00
fe9217892f
Deprecate Releasing to a patch kibana version workflow ( #3552 )
...
(cherry picked from commit 3fbffa24ed
2024-04-03 03:12:07 +00:00
112ae41cd3
Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13 ( #3567 )
...
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13
* Update detection_rules/etc/deprecated_rules.json
---------
Co-authored-by: shashank-elastic <shashank-elastic@users.noreply.github.com >
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
(cherry picked from commit 8d5bd3b0f6
2024-04-02 18:37:42 +00:00
4e88c2d024
Fix minstack version for O365 prod rules ( #3565 )
...
(cherry picked from commit 0e2eb5a84c
2024-04-02 16:13:40 +00:00
eca9b72a2c
[Rule Tuning] First Time Seen Commonly Abused Remote Access Tool Execution ( #3545 )
...
* [Rule Tuning] First Time Seen Commonly Abused Remote Access Tool Execution
* Update command_and_control_new_terms_commonly_abused_rat_execution.toml
* Update command_and_control_new_terms_commonly_abused_rat_execution.toml
* Update command_and_control_new_terms_commonly_abused_rat_execution.toml
* Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
(cherry picked from commit 4ab7c9b178
2024-04-02 14:15:05 +00:00
6cf92b25d3
[Tuning] Connection to Commonly Abused Web Services ( #3425 )
...
* Update command_and_control_common_webservices.toml
* Update command_and_control_common_webservices.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit 69173872da
2024-04-02 13:49:39 +00:00
22857aca2e
[New Rule] Suspicious Access to LDAP Attributes ( #2504 )
...
* Create discovery_high_number_ad_properties.toml
* Update discovery_high_number_ad_properties.toml
* Update rules/windows/discovery_high_number_ad_properties.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/discovery_high_number_ad_properties.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* fixed tags; moved note to setup, updated date
* Update discovery_high_number_ad_properties.toml
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co >
(cherry picked from commit f025616cbd
2024-04-02 13:05:41 +00:00
5a18a6cea2
[Rule Tuning] Potential Application Shimming via Sdbinst ( #3553 )
...
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit c781376188
2024-04-02 09:43:02 +00:00
de3db7007a
[New] Potential Execution via XZBackdoor ( #3555 )
...
* [New] Potential Execution via XZBackdoor
* Update rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update persistence_suspicious_ssh_execution_xzbackdoor.toml
* Update persistence_suspicious_ssh_execution_xzbackdoor.toml
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit f2490007e8
2024-04-02 04:22:46 +00:00
21f23f6d33
[Rule Tuning] Tighten up Indexes of Elastic Defend Windows Rules ( #3549 )
...
* [Rule Tuning] Tighten up Indexes of Elastic Defend Windows Rules
* Delete test.pkl
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit b47b91b9ec
2024-04-01 23:52:53 +00:00
7838042839
[Rule Tuning] Replace KQL exceptions for Query DSL Exceptions ( #3505 )
...
* [Rule Tuning] Replace KQL exceptions for Query DSL Exceptions
* update min_stack
* build out schema in more detail for Filters
* Update detection_rules/rule.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
* Remove enum for definition
* remove unused import
* remove $state store
* transform state
* add call to super
* add return type hint
* use dataclass metadata
* use Literal type
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
Removed changes from:
- rules/windows/collection_mailbox_export_winlog.toml
- rules/windows/collection_posh_clipboard_capture.toml
- rules/windows/defense_evasion_posh_assembly_load.toml
- rules/windows/defense_evasion_posh_compressed.toml
- rules/windows/discovery_posh_suspicious_api_functions.toml
- rules/windows/discovery_privileged_localgroup_membership.toml
- rules/windows/execution_posh_hacktool_functions.toml
- rules/windows/execution_posh_psreflect.toml
- rules_building_block/collection_posh_compression.toml
- rules_building_block/defense_evasion_powershell_clear_logs_script.toml
- rules_building_block/discovery_posh_generic.toml
- rules_building_block/lateral_movement_posh_winrm_activity.toml
(selectively cherry picked from commit 67ca13c1ce
2024-04-01 20:53:09 +00:00
c1dd8cae21
Update setup guide for ML integration packages ( #3475 )
...
* Add more detail to ingest pipeline install
* Add more info to anomaly detection setup
* Update draft
* Fix typo
* Bulk add doc updates
* Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml
Co-authored-by: Kirti Sodhi <109447885+sodhikirti07@users.noreply.github.com >
* Address Kseniia feedback
* Update updated_date per review feedback
---------
Co-authored-by: Kirti Sodhi <109447885+sodhikirti07@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
(cherry picked from commit 400a84628e
2024-04-01 19:10:34 +00:00
e74f7a4d6b
[FR] Add support for investigation_fields ( #3550 )
...
(cherry picked from commit bb907a4d76
2024-04-01 16:59:59 +00:00
69d2f4b607
Fix create PR in release workflow ( #3528 )
...
(cherry picked from commit 8b215eac41
2024-04-01 15:54:59 +00:00
57627e562f
[Rule Deprecation] Deprecate Remote File Creation on a Sensitive Directory ( #3477 )
...
* deprecating
* adjusted matury tag; updated dates
(cherry picked from commit d4bf04256d
2024-04-01 15:08:51 +00:00
e7416a6a68
[FR] Add required-fields option to import-rules ( #3546 )
...
(cherry picked from commit b6a7e7ebda
2024-03-28 23:37:15 +00:00
5a7d7cf4a0
[New Rules] Potential PowerShell Pass-the-Hash/Relay Script ( #3543 )
...
* [New Rules] Potential PowerShell Pass-the-Hash/Relay Script
* Update credential_access_posh_relay_tools.toml
* Update execution_posh_hacktool_functions.toml
* Update credential_access_posh_relay_tools.toml
* Update credential_access_posh_relay_tools.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
(cherry picked from commit 218c3bead6
2024-03-28 10:16:03 +00:00
c871bbb6d6
[New Rule] Creation of a DNS-Named Record ( #3539 )
...
* [New Rule] Creation of a DNS-Named Record
* Update credential_access_dnsnode_creation.toml
* Update rules/windows/credential_access_dnsnode_creation.toml
(cherry picked from commit 954a93c3b4
2024-03-27 21:28:37 +00:00
06dcbb80f5
[New Rule] Potential ADIDNS Poisoning via Wildcard Record Creation ( #3535 )
...
* [New Rule] Potential ADIDNS Poisoning via Wildcard Record Creation
* Update credential_access_adidns_wildcard.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit 67e9ebf8e1
2024-03-27 13:15:24 +00:00
bfd3289680
[New] Suspicious Execution via ScreenConnect ( #3541 )
...
* [New] Suspicious Execution via ScreenConnect
- Suspicious ScreenConnect Client Child Process (limited to known suspicious patterns)
- ScreenConnect Server Spawning Suspicious Processes (webshell access via ScreenConnect server)
* Update command_and_control_screenconnect_childproc.toml
* Update rules/windows/initial_access_webshell_screenconnect_server.toml
* Update rules/windows/command_and_control_screenconnect_childproc.toml
* Update rules/windows/command_and_control_screenconnect_childproc.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update command_and_control_screenconnect_childproc.toml
* Update command_and_control_screenconnect_childproc.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
(cherry picked from commit d7aff43621
2024-03-27 12:02:12 +00:00
e388aaf409
fix typo in lateral_movement_remote_services.toml ( #3538 )
...
(cherry picked from commit 138447221f
2024-03-27 10:46:36 +00:00
75a0a3f338
[Rule Tuning] Scheduled Task Activity via pwsh ( #3534 )
...
(cherry picked from commit 760b99bcc1
2024-03-26 13:53:05 +00:00
5ce96738c4
[New] Suspicious JetBrains TeamCity Child Process ( #3532 )
...
* [New] Suspicious JetBrains TeamCity Child Process
* Update initial_access_exploit_jetbrains_teamcity.toml
* Update initial_access_exploit_jetbrains_teamcity.toml
* Update initial_access_exploit_jetbrains_teamcity.toml
* Update initial_access_exploit_jetbrains_teamcity.toml
(cherry picked from commit fc76a8bcb5
2024-03-25 16:40:44 +00:00
6bf3a82f51
Update sort parameter ( #3531 )
...
(cherry picked from commit 3503786154
2024-03-25 15:54:13 +00:00
dda6a33f70
Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13 ( #3526 )
...
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13
* Update detection_rules/etc/deprecated_rules.json
---------
Co-authored-by: shashank-elastic <shashank-elastic@users.noreply.github.com >
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
(cherry picked from commit eaf4658620
2024-03-21 15:09:40 +00:00
43d0fa1aad
[Bug] Update lock versions dependencies ( #3525 )
...
(cherry picked from commit fc7cc2c06a
2024-03-21 13:43:56 +00:00
b6aff9b2e5
[New Rules] Veeam Credential Access DRs ( #3516 )
...
* [New Rules] Veeam Credential Access DRs
* bump
* Update credential_access_veeam_commands.toml
* Update credential_access_veeam_backup_dll_imageload.toml
* Update rules/windows/credential_access_veeam_backup_dll_imageload.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update credential_access_veeam_commands.toml
* Update rules/windows/credential_access_veeam_backup_dll_imageload.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit 779fa7710d
2024-03-21 13:09:29 +00:00
github-actions[bot]