Mika Ayenson
dfef597794
[Rule Tuning] Suspicious Child Process of Adobe Acrobat Reader Update Service ( #2192 )
2022-08-23 10:10:40 -04:00
Mika Ayenson
2204459e73
[Rule Tuning] Finder Sync Plugin Registered and Enabled ( #2172 )
2022-08-23 09:59:43 -04:00
Mika Ayenson
2326b30a87
[Rule Tuning] Suspicious Browser Child Process ( #2138 )
2022-08-23 09:56:23 -04:00
Jonhnathan
c5ff8511a9
[Rule Tuning] Abnormal Process ID or Lock File Created ( #2113 )
* [Rule Tuning] Abnormal Process ID or Lock File Created
* Update rules/linux/execution_abnormal_process_id_file_created.toml
* Update execution_abnormal_process_id_file_created.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2022-08-23 09:59:31 -03:00
Jonhnathan
6631c4927d
[Rule Tuning] Microsoft 365 Inbox Forwarding Rule Created ( #2240 )
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2022-08-23 09:43:09 -03:00
Jonhnathan
6e2d20362a
[Rule Tuning] Standardizing Risk Score according to Severity ( #2242 )
2022-08-21 22:29:39 -03:00
Mika Ayenson
fbfe1e3530
set typing-inspect requirement to 0.7.1 ( #2248 )
2022-08-17 22:17:16 -04:00
Samirbous
d3420e3386
[Deprecate Rule] Suspicious Process from Conhost ( #2222 )
only FPs with no way to tune other than opening the rule for easy evasion by excluding by process.executable/args).
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2022-08-16 16:32:24 +02:00
Samirbous
8e0ae64a04
[Rule Tuning] Whoami Process Activity ( #2224 )
* added Whoami Process Activity
* Update discovery_whoami_command_activity.toml
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2022-08-16 16:26:10 +02:00
Samirbous
0f7b29918c
[Rule Tuning] Suspicious Execution via Scheduled Task ( #2235 )
Excluding `?:\\ProgramData` and a few other noisy FP patterns by process.args + name to reduce users' alert fatigue.
2022-08-15 21:50:23 +02:00
Samirbous
b89d6185b2
[Rule Tuning] Reduce FPs ( #2223 )
9 rules tuned to exclude common noisy FP patterns.
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2022-08-15 09:15:48 -05:00
github-actions[bot]
cb2ca45d56
Locked versions for releases: 7.16,8.0,8.1,8.2,8.3,8.4 ( #2236 )
Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2022-08-10 09:18:59 -04:00
Mika Ayenson
e7a1afbba0
only run on pull request ( #2237 )
2022-08-09 21:21:30 -04:00
Terrance DeJesus
2a3b584433
Prep for 8.5 branch ( #2220 )
* adding first commit
* renamed branch
* adjusted packages, stack schema and updated schemas
* updated integrations manifest
* adjusted comments to be a little more organized
* adjusted stack-schema-map
* refreshed ecs and beats schema, adjusted stack schema map accordingly
2022-08-09 17:14:42 -04:00
Jonhnathan
fc7a384d19
[Security Content] 8.4 - Add Investigation Guides - Windows - 2 ( #2144 )
* [Security Content] 8.4 - Add Investigation Guides - Windows - 2
* update date
* Apply suggestions from review
* Apply suggestions from code review
Co-authored-by: Joe Peeples <joe.peeples@elastic.co>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
2022-08-08 21:34:05 -03:00
Mika Ayenson
89cdae87c5
only add related_integration if on the correct stack ( #2234 )
2022-08-08 18:41:56 -04:00
Mika Ayenson
7d973a3b07
add new field related_integrations to the post build ( #2060 )
* add new field `related_integrations` to the post build
* add exception for endpoint `integration`
* Skip rules without related integrations
* lint
* refactor related_integrations to TOMLRuleContents class
* update to reflect required_fields updates
* add todo
* add new line for linting
* related_integrations updates, get_packaged_integrations returns list of dictionaries, started work on integrations py
* build_integrations_manifest command completed
* initial test completed for post-building related_integrations
* removed get_integration_manifest method from rule, removed global integrations path
* moved integration related methods to integrations.py and fixed flake issues
* adjustments for PipedQuery from eql sequence rules and packages with no integration
* adjusted github client import for integrations.py
* Update detection_rules/devtools.py
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update detection_rules/devtools.py
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* added integration manifest schema, made adjustments
* Update detection_rules/integrations.py
* Update detection_rules/rule.py
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update detection_rules/rule.py
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update detection_rules/integrations.py
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update detection_rules/integrations.py
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update detection_rules/integrations.py
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update detection_rules/rule.py
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* removed get_integrations_package to consolidate code
* removed type list return
* adjusted import flake errors
* Update detection_rules/integrations.py
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update detection_rules/integrations.py
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* adjusted indentation error
* adjusted rule.get_packaged_integrations to account for kql.ast.OrExpr if event.dataset is not set
* Update detection_rules/devtools.py
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update detection_rules/devtools.py
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update detection_rules/integrations.py
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update detection_rules/integrations.py
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* adjusted find_least_compatible_version in integrations.py
* Update detection_rules/integrations.py
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* fixed flake issues
* adjusted get_packaged_integrations
* iterate the ast for literal event.dataset values
* Update detection_rules/integrations.py
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update detection_rules/integrations.py
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update detection_rules/integrations.py
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update detection_rules/integrations.py
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* made small adjustments to address errors during build manifests command
* addressing integrations.find_least_compatible method to return None instead of raise error only
* Update detection_rules/integrations.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <terrance.dejesus@elastic.co>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2022-08-08 13:44:36 -04:00
Mika Ayenson
d1bc53e295
[Rule Tuning] Persistence via Folder Action Script ( #2174 )
* Exclude FPs for iterm
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2022-08-05 14:36:05 -04:00
Mika Ayenson
4f55e9b05f
[Rule Tuning] Potential Persistence via Login Hook ( #2177 )
* Exclude FPs for iMazing Profile Editor and backupd
2022-08-05 14:25:31 -04:00
Mika Ayenson
058f11f650
[Rule Tuning] Sublime Plugin or Application Script Modification ( #2180 )
* expand filter to sublime text contents
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2022-08-05 14:15:28 -04:00
TotalKnob
b043695833
Remove ambiguity from impact_modification_of_boot_config.toml ( #2199 )
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
2022-08-05 10:38:41 -03:00
Mika Ayenson
73584407d7
[Bug] Opening Issues in this Repo Causes "Run failed: Community - main" ( #2214 )
* use ghv6 and catch errors
2022-08-03 14:36:08 -04:00
Terrance DeJesus
a76c51ae17
[Deprecation rule] DNS Activity to the Internet ( #2221 )
2022-08-02 20:59:35 -05:00
Mika Ayenson
ecd10b672a
[Rule Tuning] Execution with Explicit Credentials via Scripting ( #2190 )
* add case sensitive Python process name and T1548
2022-08-02 14:21:00 -04:00
Mika Ayenson
d8e0c0fee3
[Rule Tuning] Suspicious Calendar File Modification ( #2187 )
* exclude fps for Mail.app
2022-08-02 14:06:57 -04:00
Samirbous
50bb821708
[Rules Tuning] Add support for Sysmon ImageLoad Events ( #2215 )
* [Rules Tuning] Add support for Sysmon ImageLoad Events
Added the correct event.category and event.action to rules using library events to support Sysmon event ID 7.
`event.category == "library"` --> `(event.category == "process" and event.action : "Image loaded*")`
`dll.name` --> `file.name`
* added Suspicious RDP ActiveX Client Loaded
* Delete workspace.xml
2022-08-02 18:40:26 +02:00
Samirbous
b15f0de9a4
[Rules Tuning] Diverse Windows Rules - FPs reduction ( #2213 )
* [Rules Tuning] 7 diverse Windows rules
Excluding FP patterns while avoiding breaking compatibility with Winlogbeat and 4688 events' lack of code-signing metadata.
* Update initial_access_suspicious_ms_exchange_process.toml
* Update privilege_escalation_persistence_phantom_dll.toml
* Update execution_psexec_lateral_movement_command.toml
* Update persistence_remote_password_reset.toml
* Update non-ecs-schema.json
* Update persistence_remote_password_reset.toml
* Update non-ecs-schema.json
* Update discovery_privileged_localgroup_membership.toml
2022-08-02 18:37:07 +02:00
Samirbous
a046dc0d29
[Deprecate rule] Whitespace Padding in Process Command Line ( #2218 )
Very noisy and will require frequent tuning, with a very low TP rate.
2022-08-02 18:30:57 +02:00
Samirbous
e5ee8e024f
[Deprecate Rule] File and Directory Discovery ( #2217 )
* [Deprecate Rule] File and Directory Discovery
Very noisy and most, if not all, are FPs; little room for tuning without rendering the rule easy to bypass.
* Delete workspace.xml
2022-08-02 17:57:28 +02:00
shashank-elastic
19d9a7eb87
Rule tuning as part of Linux Detection Rules Review ( #2210 )
2022-08-02 17:46:57 +05:30
Samirbous
04dcf09c03
[Rule Tuning] Suspicious Process Creation CallTrace ( #2207 )
Excluding some FPs by process.parent.executable and process.parent.args.
2022-08-01 19:00:13 +02:00
Samirbous
1f21c5c57f
[Rule Tuning] Unusual Service Host Child Process - Childless Service ( #2208 )
Excluding some noisy unique processes.
2022-08-01 18:40:45 +02:00
Samirbous
8d34416049
[Deprecated Rule] Potential Privilege Escalation via Local Kerberos R… ( #2209 )
* [Deprecated Rule] Potential Privilege Escalation via Local Kerberos Relay over LDAP
FPs in certain cases with no room for tuning.
* Update privilege_escalation_krbrelayup_suspicious_logon.toml
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2022-08-01 18:28:26 +02:00
Samirbous
a22fef8723
[Rule Tuning] Suspicious Process Access via Direct System Call ( #2204 )
Excluding some FPs by calltrace.
2022-08-01 18:16:08 +02:00
Samirbous
6f69695820
[Rule Tuning] Remotely Started Services via RPC ( #2211 )
* [Rule Tuning] Remotely Started Services via RPC
Excluding noisy FPs by process.executable to be compatible with winlog and endpoint.
* Update lateral_movement_remote_services.toml
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2022-08-01 18:11:11 +02:00
Samirbous
91896db453
[Rule Tuning] Process Termination followed by Deletion ( #2206 )
Excluded some FPs by process.executable and file.path.
2022-08-01 18:01:31 +02:00
Samirbous
049fbf7979
[Rule Tuning] Potential Remote Credential Access via Registry ( #2203 )
* [Rule Tuning] Potential Remote Credential Access via Registry
Excluding some noisy FPs by file.path (user and machine hives std paths) and event.action (scoped to logged-in)
* Update credential_access_remote_sam_secretsdump.toml
2022-08-01 17:49:39 +02:00
Samirbous
527507835f
[Rule Tuning] Kerberos Traffic from Unusual Process ( #2202 )
Excluding a couple of FPs by process.executable to reduce the FP rate.
2022-07-29 22:27:59 +02:00
Isai
386a8202c0
[Rule Tuning] Persistence via Update Orchestrator Service Hijack ( #2195 )
* [Rule Tuning] Persistence via Update Orchestrator Service Hijack
I changed the query to exclude FPs for safe executables found in telemetry: MoUsoCoreWorker.exe and OfficeC2RClient.exe. Changed the query type to KQL to account for the wildcard needed to capture 2 of the executable paths found in telemetry. I'm open to changing back to eql with suggestions.
* Update persistence_via_update_orchestrator_service_hijack.toml
revert back to eql
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2022-07-29 16:11:16 -04:00
Samirbous
6d61a68c29
[Rule Tuning] Modification of WDigest Security Provider ( #2201 )
Excluding svchost.exe running as SYSTEM (main source of FPs for this use case).
2022-07-29 19:45:33 +02:00
shashank-elastic
b2b5c170dd
Rule(s) to identify potential mining activities ( #2185 )
2022-07-29 23:00:18 +05:30
shashank-elastic
8afded11e7
Rule tuning as part of Linux Detection Rules Review ( #2170 )
2022-07-29 21:55:49 +05:30
Colson Wilhoit
998afcf9c4
[Rule Tuning] MacOS Installer Package Net Event ( #2193 )
* [Rule Tuning] MacOS Installer Package Net Event
* Update rules/macos/execution_installer_package_spawned_network_event.toml
* Update rules/macos/execution_installer_package_spawned_network_event.toml
* Update execution_installer_package_spawned_network_event.toml
Just deleting a typo.
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
2022-07-28 15:16:10 -05:00
Isai
026a822840
[New Rule] Kubernetes Suspicious Self-Subject Review ( #2067 )
* Create discovery_suspicious_self_subject_review.toml
Adding new rule
* non-ecs-schema fields added and query change to specify fields
Added non-ECS schema fields for all coming k8s rules and added specific fields to the query instead of using regex.
* Update discovery_suspicious_self_subject_review.toml
* Update rules/integrations/kubernetes/discovery_suspicious_self_subject_review.toml
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2022-07-28 15:30:47 -04:00
Isai
3d88dc2cf5
[New Rule] Kubernetes Privileged Pod Created ( #2070 )
* new rule privileged pod created
Created the TOML for the new rule and added it to the non-ecs-schema with all fields.
* Update rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2022-07-28 15:19:15 -04:00
Isai
80734b3f21
[New Rule] Kubernetes Pod Created With HostPID ( #2071 )
* [New Rule] Kubernetes Pod Created With HostPID
New rule TOML for pod created with hostPID, and updated non-ecs-schema with all k8s fields.
* Update privilege_escalation_pod_created_with_hostpid.toml
* Update rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostpid.toml
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2022-07-28 14:51:17 -04:00
Isai
ecba0fc489
[New Rule] Kubernetes Pod Created With HostNetwork ( #2072 )
* [New Rule] Kubernetes Pod Created With HostNetwork
New rule TOML for pod created with hostNetwork, and added all k8s fields to the non-ecs-schema JSON.
* Update privilege_escalation_pod_created_with_hostnetwork.toml
* Update rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2022-07-28 13:57:43 -04:00
Isai
f516241f1f
[New Rule] Kubernetes Pod Created With HostIPC ( #2074 )
* [New Rule] Kubernetes Pod Created With HostIPC
New rule TOML file for pod created with hostIPC, and k8s fields added to the non-ecs-schema JSON.
* Rename privilege_escalation_pod_created_with_hostIPC.toml to privilege_escalation_pod_created_with_hostipc.toml
* Update rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostipc.toml
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2022-07-28 13:43:58 -04:00
Isai
97f3a8cad2
[New Rule] Kubernetes Exposed Service Created With Type NodePort ( #2075 )
* [New Rule] Kubernetes Exposed Service Created With Type NodePort
New rule TOML for exposed service created with type NodePort, and added all k8s fields to the non-ecs-schema.
* Update rules/integrations/kubernetes/persistence_exposed_service_created_with_type_nodeport.toml
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2022-07-28 13:18:56 -04:00
Isai
c1486407aa
[New Rule] Kubernetes Pod Created with Sensitive hostPath Volume ( #2094 )
* [New Rule] Kubernetes Pod Created with Sensitive hostPath Volume
Created the new rule TOML and updated the non-ecs-schema with k8s fields.
* Update rules/integrations/kubernetes/privilege_escalation_pod_created_with_sensitive_hospath_volume.toml
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2022-07-28 13:09:26 -04:00