e8c39d19a7
[Rule Tuning] Missing MITRE ATT&CK Mappings ( #2073 )
...
* initial commit with eggshell mitre mapping added
* adding updated rules
* [Rule Tuning] MITRE for GCP rules
I've added Mitre references for the 4 GCP rules missing. Changed 3 of the rules from "Impact" to "Defense Evasion" based on the technique used and it's matched tactic.
* [Rule Tuning] Endgame Rule name updates for Mitre
Updated Endgame rule names for those with Mitre tactics to match the tactics.
* Update rules/integrations/aws/persistence_redshift_instance_creation.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/integrations/aws/exfiltration_rds_snapshot_restored.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* adding 10 updated rules for google_workspace, ml and o365
* adding 22 rule updates for mitre att&ck mappings
* adding 24 rule updates related mainly to ML rules
* adding 3 rules related to detection via ML
* adding adjustments
* adding adjustments with solutions to recent pytest errors
* removed tabs from tags
* adjusted mappings and added techniques
* adjusted endgame rule mappings per review
* adjusted names to match different tactics
* added execution and defense evasion tag
* adjustments to address errors from merging with main
* added newlines to rules missing them at the end of the file
Co-authored-by: imays11 <59296946+imays11@users.noreply.github.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
2022-07-22 14:30:34 -04:00
9a739b7e4c
Modifying rules assoc w/ deprecation of v2 ML jobs ( #1846 )
...
* modifying rules assoc w/ deprecation of v2 ML jobs
* modified updated_date field
* fixed machine_learning_job_id and added min_stack_version
* replacing rest of deprecated jobs with new naming convention
* Update ml_suspicious_login_activity.toml
* removing rules assoc w/ deprecated ML jobs
* Update rules/ml/ml_linux_anomalous_compiler_activity.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/ml/ml_linux_anomalous_compiler_activity.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* updated ml job rules to reflect 8.3 changes
* updating min_stack_version for ml detection rules
Co-authored-by: Craig Chamberlain <randomuserid@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Apoorva Joshi <30438249+ajosh0504@users.noreply.github.com >
2022-05-20 13:02:27 -07:00
1c50f35aed
[Security Content] Update rules based on docs review ( #1803 )
...
* Adds suggestions from security-docs
* Update rules/windows/lateral_movement_powershell_remoting_target.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2022-03-01 21:39:30 -03:00
72c64de3f5
[Rule tuning] Update rules based on docs review ( #1663 )
...
* [Rule tuning] Update rule verbiage based on docs review
* fix typos
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* revert TI rule changes since it was deprecated
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
2022-01-28 10:41:22 -09:00
5bdf70e72c
Add min_stack_comments to metadata schema ( #1573 )
...
* Add min_stack_comments to metadata schema
2021-10-19 20:52:53 -08:00
5e4a7e67df
[Rule Tuning] Small update on rule descriptions ( #1508 )
2021-09-30 12:54:15 -08:00
9ff3873ee7
[rule-tuning] Adding more context with triage/investigation ( #1481 )
...
* [rule-tuning] Adding more context with triage/investigation
* Adding mimikatz rule
* Fixed updated date on mimikatz rule
* Adding Defender update
* Adding scheduled task
* Adding AdFind
* Adding rare process
* Adding cloudtrail country
* Adding cloudtrail spike
* Adding threat intel
* Fixed minor spelling/syntax
* Fixed minor spelling/syntax p2
* Update rules/cross-platform/threat_intel_module_match.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/integrations/aws/ml_cloudtrail_error_message_spike.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/ml/ml_rare_process_by_host_windows.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/credential_access_mimikatz_powershell_module.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/credential_access_mimikatz_powershell_module.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/discovery_adfind_command_activity.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/discovery_adfind_command_activity.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/discovery_adfind_command_activity.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/discovery_adfind_command_activity.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/discovery_adfind_command_activity.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/discovery_adfind_command_activity.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Removed MITRE link, added Microsoft
* Update ml_cloudtrail_error_message_spike.toml
* Update ml_cloudtrail_rare_method_by_country.toml
* Update ml_rare_process_by_host_windows.toml
* Update credential_access_mimikatz_powershell_module.toml
* Update defense_evasion_defender_exclusion_via_powershell.toml
* Update discovery_adfind_command_activity.toml
* Update lateral_movement_dns_server_overflow.toml
* Update lateral_movement_scheduled_task_target.toml
* Update persistence_evasion_registry_startup_shell_folder_modified.toml
* Update defense_evasion_defender_exclusion_via_powershell.toml
* Update lateral_movement_scheduled_task_target.toml
* Update persistence_evasion_registry_startup_shell_folder_modified.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2021-09-15 20:07:21 -05:00
51a2bc815b
[Rule tuning] Fix typo in ML rule descriptions ( #1484 )
2021-09-14 11:37:01 -05:00
655f7d91d0
[Rule tuning] Fix spacing in reference URLs ( #1455 )
2021-08-31 15:59:06 -08:00
ddec37b731
Fix typos discovered by codespell ( #1430 )
2021-08-14 20:29:10 -08:00
f8f643041a
[Rule tuning] Revise rule description and other text ( #1398 )
2021-08-03 13:07:47 -08:00
1882f4456c
[Fleet] Track integrations in folder and metadata ( #1372 )
...
* Track integrations in folder and metadata
* Remove duplicate entry
* Update note and tests
2021-07-21 15:24:56 -06:00
c82e89ad34
Add min_stack_version to 7.14+ only rules ( #1321 )
2021-07-06 13:42:09 -06:00
e41fe620e6
[New Rule] Add detection rules for auth ML jobs ( #1283 )
...
* Adding detection rules for auth ML jobs
* name prefix
added the prefix "auth" to the file names
* Added descriptions
* Adding new lines and updating license
* FP text
added FP metadata
Co-authored-by: Craig <mailredirector36@gmail.com >
2021-06-16 16:00:17 -07:00
e0fa25ae8e
Fix rules which were note using v2 license ( #1291 )
2021-06-16 08:21:30 -06:00
49cb2e8dbf
[Bug] Fix ML job IDs that used hyphens ( #1287 )
...
* Fix ML job IDs that used hyphens
* Update ml_high_count_network_denies.toml
* Update ml_spike_in_traffic_to_a_country.toml
* Set updated_date
2021-06-15 11:40:47 -06:00
1f7c88c6f4
Updating rules to query v2 ( #1254 )
...
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
2021-06-15 07:20:50 -07:00
6ef5c53b0c
Cleanup note field in rules ( #1194 )
...
* standardize usage of note field
2021-05-10 13:40:56 -08:00
3876ef3a37
Adjust loopback for Cloudtrail ( #1103 )
...
* #1092 adjusting loopback for cloudtrail
* refactored time interval, adjusted updated_date
* reverting bucket interval back to 15m
2021-04-13 13:58:13 -04:00
0095a80014
Network rules for the 7.13 release ( #1087 )
...
* Adding network rules for the 7.13 release
* Adding rule guids
* Update rules/ml/ml_high_count_network_denies.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
* Update rules/ml/ml_rare_destination_country.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
* Update rules/ml/ml_rare_destination_country.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
* Update rules/ml/ml_rare_destination_country.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
* Update rules/ml/ml_high_count_network_events.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
* Update rules/ml/ml_spike_in_traffic_to_a_country.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
* Minor changes
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
2021-04-08 09:34:47 -07:00
3fc34b86f2
Update License to Elastic v2 ( #944 )
2021-03-03 22:12:11 -09:00
c1a0438f45
[Rule Tuning] Update ATT&CK threat mappings to reflect changes ( #706 )
...
* replaced/removed all revoked/deprecated techniques
* tests will fail on revoked (changed) techniques
* tests will fail on deprecated techniques
* tests will fail when techniques are mapped to an invalid tactic
2020-12-18 12:46:16 -09:00
97ee8cc9ac
Refresh beats and ecs schemas and default to use latest to validate ( #570 )
...
* Refresh beats and ecs schemas and default to use latest to validate
* remove incorrect ecs_version from zoom rule
* remove stale ecs_version from rules
2020-12-01 13:24:20 -09:00
580db2c13e
Add timeline_id to detection rules ( #95 )
...
* Adds timeline_id to all network rules
- Uses the ID for the 'Generic Network Timeline' from Elastic
* Adds timeline_id to all endpoint rules
- Uses the ID for the 'Generic Endpoint Timeline' from Elastic
* Adds timeline_id to all process-oriented rules
- Uses the ID for the 'Generic Process Timeline' from Elastic
* Ran tests and toml-lint
* Bumped 'updated_date'
2020-10-27 13:34:16 -05:00
2065af89b1
[Rule Tuning] Tag Categorization Updates ( #380 )
...
* Add new categorization tags
* Change updated_date to 2020/10/26
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >, @bm11100
2020-10-26 13:50:45 -05:00
2e422f7159
[Rule Tuning] Minor Rule Tweaks for 7.10 ( #400 )
...
* Tweak Rules for 7.10
* Add endpoint index for packetbeat rules
* update unit test to account for Network tag as well
* update modified date, add endpoint tag
* use Host instead of Endpoint
* Update packaging.py
* add v back to changelog url
* Add "tag" comment to get_markdown_rule_info
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
2020-10-22 09:07:04 -04:00
a7dee682cc
Add Tags to Unusual Sudo Activity Rule ( #340 )
...
* Update ml_linux_anomalous_sudo_activity.toml
added T1548
* Update ml_linux_anomalous_sudo_activity.toml
* Update ml_linux_anomalous_sudo_activity.toml
2020-09-28 16:07:41 -04:00
0affb48b07
[New Rule] Unusual User Calling the Metadata Service [Linux] ( #327 )
...
* Create ml_linux_anomalous_metadata_user.toml
rule create
* Update rules/ml/ml_linux_anomalous_metadata_user.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update ml_linux_anomalous_metadata_user.toml
* Update ml_linux_anomalous_metadata_user.toml
* Update rules/ml/ml_linux_anomalous_metadata_user.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2020-09-28 12:13:06 -04:00
746c175669
[New Rule] Unusual User Calling the Metadata Service [Windows] ( #328 )
...
* Create ml_windows_anomalous_metadata_user.toml
* Update ml_windows_anomalous_metadata_user.toml
* Update rules/ml/ml_windows_anomalous_metadata_user.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update ml_windows_anomalous_metadata_user.toml
* Update rules/ml/ml_windows_anomalous_metadata_user.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2020-09-28 12:09:14 -04:00
4473f6d8f3
[New Rule] Unusual Sudo Activity ( #263 )
...
* Create ml_linux_anomalous_sudo_activity.toml
rule to accompany the unusual sudo activity job
* Update ml_linux_anomalous_sudo_activity.toml
added fp field
* Update ml_linux_anomalous_sudo_activity.toml
* Update ml_linux_anomalous_sudo_activity.toml
linting
* Update ml_linux_anomalous_sudo_activity.toml
* Update ml_linux_anomalous_sudo_activity.toml
* Update rules/ml/ml_linux_anomalous_sudo_activity.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update ml_linux_anomalous_sudo_activity.toml
* Update ml_linux_anomalous_sudo_activity.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2020-09-24 14:55:33 -04:00
e39d857a11
[New Rule] Unusual Linux System Network Configuration Discovery ( #265 )
...
* Create ml_linux_system_network_configuration_discovery.toml
ML rule to accompany the network configuration discovery job
* Update ml_linux_system_network_configuration_discovery.toml
added fp field
* Update ml_linux_system_network_configuration_discovery.toml
* Update ml_linux_system_network_configuration_discovery.toml
linting
* Update ml_linux_system_network_configuration_discovery.toml
* Update ml_linux_system_network_configuration_discovery.toml
* Update rules/ml/ml_linux_system_network_configuration_discovery.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2020-09-24 09:07:34 -04:00
065bcd8018
Refresh ATT&CK data to v7.2 and expand threat validation ( #330 )
...
* refresh to latest ATT&CK 7.2
* add new unit test to further validate threat mappings
* updated threat mappings in rules to reflect changes
* new func to download and refresh mitre data based on version
2020-09-23 22:03:29 -08:00
1e43896cf1
[New Rule] Unusual Process Calling the Metadata Service [Windows] ( #323 )
...
* Create ml_windows_anomalous_metadata_process.toml
rule create
* Update rules/ml/ml_windows_anomalous_metadata_process.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update ml_windows_anomalous_metadata_process.toml
* Update ml_windows_anomalous_metadata_process.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2020-09-23 15:50:43 -04:00
dd65dad9dc
[New Rule] Unusual Process Calling the Metadata Service [Linux] ( #321 )
...
* Create ml_linux_anomalous_metadata_process.toml
rule creation
* Update rules/ml/ml_linux_anomalous_metadata_process.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update ml_linux_anomalous_metadata_process.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2020-09-23 15:29:48 -04:00
baefaeeaff
[New Rule] Unusual Linux Network Connection Discovery ( #266 )
...
* Create ml_linux_system_network_connection_discovery.toml
ML rule to accompany the unsual network connection discovery job
* Update ml_linux_system_network_connection_discovery.toml
set author
* Update ml_linux_system_network_connection_discovery.toml
added fasle positve field
* Update ml_linux_system_network_connection_discovery.toml
* Update ml_linux_system_network_connection_discovery.toml
linting
* Update rules/ml/ml_linux_system_network_connection_discovery.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update ml_linux_system_network_connection_discovery.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2020-09-22 16:27:17 -04:00
f1f88e3b3a
[New Rule] Unusual Linux System Information Discovery Activity ( #264 )
...
* Create ml_linux_system_information_discovery.toml
rule to accompany the system information discovery job
* Update ml_linux_system_information_discovery.toml
* Update ml_linux_system_information_discovery.toml
added fp field
* Update ml_linux_system_information_discovery.toml
* Update ml_linux_system_information_discovery.toml
linting
* Update ml_linux_system_information_discovery.toml
* Update rules/ml/ml_linux_system_information_discovery.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2020-09-22 16:25:59 -04:00
92633ed51a
[New Rule] Anomalous Linux Compiler Activity ( #262 )
...
* Create ml_linux_anomalous_compiler_activity.toml
rule to accompany the rare compiler activity job
* Update ml_linux_anomalous_compiler_activity.toml
added fp field
* Update ml_linux_anomalous_compiler_activity.toml
* Update ml_linux_anomalous_compiler_activity.toml
* Update ml_linux_anomalous_compiler_activity.toml
2020-09-22 16:24:32 -04:00
8e2d4cbfc8
[New Rule] Unusual Linux System Owner or User Discovery Activity ( #267 )
...
* Create ml_linux_system_user_discovery.toml
ML rule to accompany the unusual system owner / user discovery job
* Update rules/ml/ml_linux_system_user_discovery.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update ml_linux_system_user_discovery.toml
added fp field
* Update ml_linux_system_user_discovery.toml
* Update ml_linux_system_user_discovery.toml
* Update ml_linux_system_user_discovery.toml
* Update ml_linux_system_user_discovery.toml
lint
* Update ml_linux_system_user_discovery.toml
* Update rules/ml/ml_linux_system_user_discovery.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2020-09-22 16:22:41 -04:00
0a0c5986c5
[New Rule] Anomalous Kernel Module Activity ( #257 )
...
* Create ml_linux_rare_kernel_module_arguments.toml
* rare module rule
* Update ml_linux_anomalous_kernel_module_arguments.toml
* Update ml_linux_anomalous_kernel_module_arguments.toml
* Update ml_linux_anomalous_kernel_module_arguments.toml
* Update rules/ml/ml_linux_anomalous_kernel_module_arguments.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2020-09-22 16:18:51 -04:00
14a62ae93f
[New Rule] Unusual Linux Process Discovery Activity ( #261 )
...
* Create ml_linux_system_process_discovery.toml
* Update ml_linux_system_process_discovery.toml
* Update ml_linux_system_process_discovery.toml
added fp field
* Update ml_linux_system_process_discovery.toml
* Update ml_linux_system_process_discovery.toml
* Update rules/ml/ml_linux_system_process_discovery.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* linting
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Brent Murphy <bmurphy@endgame.com >
2020-09-22 16:15:36 -04:00
79a0dfefbe
Add ECS 1.6.0 schema for validation testing ( #220 )
...
* Add ecs 1.6.0 and refresh master ecs (2.0.0)
* update rule metadata to use ecs_version 1.6.0
2020-08-27 11:54:49 -05:00
f75b126ec4
Update terminology in ML job rules
2020-07-14 21:22:34 -06:00
f24666bf12
[New Rule] Add Cloudtrail ML Rules
...
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com >
Co-authored-by: Devon Kerr <19266650+devonakerr@users.noreply.github.com >
2020-07-14 15:16:58 -06:00
680a04da8f
Fix terminology and doc links ( #54 )
2020-07-13 12:47:42 -06:00
5fcece8416
Populate rules/ directory.
...
Co-Authored-By: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-Authored-By: Craig Chamberlain <randomuserid@users.noreply.github.com >
Co-Authored-By: David French <56409778+threat-punter@users.noreply.github.com >
Co-Authored-By: Derek Ditch <dcode@users.noreply.github.com >
Co-Authored-By: Justin Ibarra <brokensound77@users.noreply.github.com >
2020-06-29 22:57:03 -06:00
Terrance DeJesus