Justin Ibarra
ea46f01ed1
Update base branch in integrations-pr command (#1733)
(cherry picked from commit e26374cb40)
2022-01-27 05:54:07 +00:00
Justin Ibarra
a03b7b426a
Update tests to account for non-backported deprecations (#1735)
* Update tests to account for non-backported deprecations
* remove comment spacing
(cherry picked from commit 30f5d62bf5)
2022-01-27 05:42:05 +00:00
Rick Boyd
5f053f3b66
Add pyproject.toml and setup.cfg (#1672)
* add pyproject.toml
* add setup.cfg
(cherry picked from commit 179ebb5bdb)
2022-01-26 23:15:39 +00:00
github-actions[bot]
b8f3e46ecf
Lock versions for releases: 7.13,7.14,7.15,7.16,8.0 (#1732)
* Locked versions for releases: 7.13,7.14,7.15,7.16,8.0
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
(cherry picked from commit e42fee2d84)
2022-01-26 22:56:06 +00:00
Justin Ibarra
6a62632105
Revert "[Rule Tuning] Interactive Terminal Spawned via Python - Python3 and bypasses fix (#1649)" (#1731)
This reverts commit 625d1df2bf.
(cherry picked from commit 84d55c829d)
2022-01-26 20:43:09 +00:00
Justin Ibarra
bf9240a201
fix bug in yaml parsing for github workflows (#1725)
* fix bug in yaml parsing for github workflows
* fix kibana version
Removed changes from:
- etc/packages.yml
(selectively cherry picked from commit f7d93e20d4)
2022-01-26 03:58:38 +00:00
Justin Ibarra
59b6d6dd08
Prepare for creation of 8.1 branch (#1700)
Removed changes from:
- etc/packages.yml
(selectively cherry picked from commit 2e78da5c9a)
2022-01-26 03:14:04 +00:00
Justin Ibarra
363556fffa
Add pattern for "name" in rule schema (#1669)
(cherry picked from commit d753ecb8d8)
2022-01-25 21:05:47 +00:00
Colson Wilhoit
07933449e6
MacOS FolderActionScripts Process List Update (#1723)
* update and expand process list
* fix query
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
(cherry picked from commit b564fa13fb)
2022-01-25 20:29:34 +00:00
Colson Wilhoit
8ef8442a39
MacOS Launch Daemon Creation Rule - Query Fix (#1722)
* launch daemon creation syntax fix
* change updated date
(cherry picked from commit cfd4d431dd)
2022-01-25 18:50:02 +00:00
Jonhnathan
30e6cac5d1
[New Rule] Startup/Logon Script added to Group Policy Object (#1607)
* "Startup/Logon Script added to Group Policy Object" Initial Rule
* Change severity
* nest non-ecs schema and move logs-system to winlogbeat
* format query and remove quotes
* Update rules/windows/privilege_escalation_group_policy_iniscript.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Add rule_ids and false_positives instance
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
(cherry picked from commit 95e3b87faf)
2022-01-20 12:13:17 +00:00
Jonhnathan
216d39601a
[Rule Tuning] Add Investigation Guides, Config/Logging Policy to PowerShell merged rules (#1610)
* Add Investigation Guide and config to Suspicious Portable Executable Encoded in Powershell Script
* Add Investigation Guide and config to "PowerShell Suspicious Discovery Related Windows API Functions" rule
* Add Investigation Guide and Config to "PowerShell MiniDump Script" rule
* Add logging policy reference
* Add Investigation Guide/Config to "PowerShell Suspicious Script with Audio Capture Capabilities"
* Add Related Rules GUIDs
* Add Investigation Guide/config for "Potential Process Injection via PowerShell"
* Adjust Response and remediation
* Add Investigation Guide/config for "PowerShell Keylogging Script"
* bump updated_date
* Apply suggestions from Samir
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Apply suggestions
* Revise line from investigation guides
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
(cherry picked from commit 49854aaae2)
2022-01-20 11:58:49 +00:00
Jonhnathan
9f3fb94aad
[New Rule] Potential Privilege Escalation via InstallerFileTakeOver (#1629)
* Create privilege_escalation_installertakeover.toml
* Update privilege_escalation_installertakeover.toml
* Update privilege_escalation_installertakeover.toml
* Update privilege_escalation_installertakeover.toml
* Update rules/windows/privilege_escalation_installertakeover.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/windows/privilege_escalation_installertakeover.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update description and change OFN from : to ==
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit 7fa0c0f719)
2022-01-20 11:55:49 +00:00
Jonhnathan
6608f5b2d1
[Rule Tuning] Interactive Terminal Spawned via Python - Python3 and bypasses fix (#1649)
* Update execution_python_tty_shell.toml
* Update EQL query to sequence
* Remove auditbeat index
* Update rules/linux/execution_python_tty_shell.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit 625d1df2bf)
2022-01-20 11:52:20 +00:00
Austin Songer
5ce04f8b27
[New Rule] Azure Suppression Rule Created (#1666)
* Create defense_evasion_virtual_network_device_modified.toml
* Update defense_evasion_virtual_network_device_modified.toml
* Update defense_evasion_virtual_network_device_modified.toml
* Update defense_evasion_virtual_network_device_modified.toml
* Update defense_evasion_virtual_network_device_modified.toml
* Update defense_evasion_virtual_network_device_modified.toml
* Delete defense_evasion_virtual_network_device_modified.toml
* Moved to correct directory.
* Suppression Rule Created
* Update defense_evasion_suppression_rule_created.toml
* Update defense_evasion_suppression_rule_created.toml
* Update defense_evasion_suppression_rule_created.toml
* Update defense_evasion_suppression_rule_created.toml
* Update defense_evasion_suppression_rule_created.toml
* Update rules/integrations/azure/defense_evasion_suppression_rule_created.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update rules/integrations/azure/defense_evasion_suppression_rule_created.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update rules/integrations/azure/defense_evasion_suppression_rule_created.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
(cherry picked from commit 96ada9e223)
2022-01-20 11:48:22 +00:00
Jonhnathan
6e0b222524
[New Rule] Group Policy Abuse for Privilege Addition (#1603)
* "Group Policy Abuse for Privilege Addition" Initial Rule
* Update privilege_escalation_group_policy_privileged_groups.toml
* Add related rules
* fix missing comma
* Update non-ecs-schema.json
* Remove duplicated entries
* update note with code format
* Update rules/windows/privilege_escalation_group_policy_privileged_groups.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit d7116485f3)
2022-01-20 11:42:56 +00:00
Trevor Miller
70743a121c
[Rule Tuning] O365 Excessive Single Sign-On Logon Errors (#1680)
* Change event.category to authentication
The original had the event.category as "web"; the correct value is "authentication".
* Changed updated_date to today's date
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
(cherry picked from commit 101b781bef)
2022-01-20 11:34:29 +00:00
Jonhnathan
e9a47c69f4
[New Rule] Scheduled Task Execution at Scale via GPO (#1605)
* "Scheduled Task Execution at Scale via GPO" Initial Rule
* Update non-ecs-schema.json
(cherry picked from commit 865771886e)
2022-01-20 01:08:49 +00:00
Jonhnathan
d0b144acbc
[New Rule] PowerShell PSReflect Script (#1558)
(cherry picked from commit 7bbeaf3053)
2022-01-20 00:32:55 +00:00
Samirbous
8459789a3a
[Rule Tuning] Connection to Commonly Abused Web Services (#1708)
Added Discord domains often abused to stage malicious files.
(cherry picked from commit 6a0164cbd3)
2022-01-17 17:54:17 +00:00
Austin Songer
501489b26c
[New Rule] Microsoft Defender Tampering (#1575)
* Create defense_evasion_microsoft_defender_tampering.toml
* Update defense_evasion_microsoft_defender_tampering.toml
* Update defense_evasion_microsoft_defender_tampering.toml
* Update defense_evasion_microsoft_defender_tampering.toml
* Update rules/windows/defense_evasion_microsoft_defender_tampering.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update rules/windows/defense_evasion_microsoft_defender_tampering.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update rules/windows/defense_evasion_microsoft_defender_tampering.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update rules/windows/defense_evasion_microsoft_defender_tampering.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update defense_evasion_microsoft_defender_tampering.toml
* Update defense_evasion_microsoft_defender_tampering.toml
* Update rules/windows/defense_evasion_microsoft_defender_tampering.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update defense_evasion_microsoft_defender_tampering.toml
* Update defense_evasion_microsoft_defender_tampering.toml
* Update defense_evasion_microsoft_defender_tampering.toml
* Update defense_evasion_microsoft_defender_tampering.toml
* Update rules/windows/defense_evasion_microsoft_defender_tampering.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update rules/windows/defense_evasion_microsoft_defender_tampering.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update defense_evasion_microsoft_defender_tampering.toml
* Update rules/windows/defense_evasion_microsoft_defender_tampering.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/windows/defense_evasion_microsoft_defender_tampering.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/windows/defense_evasion_microsoft_defender_tampering.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
(cherry picked from commit fd824d1fd5)
2022-01-13 22:51:57 +00:00
Jonhnathan
0248772eb1
[New Rule] Mailbox Audit Logging Bypass (#1702)
* "Mailbox Audit Logging Bypass" Initial Rule
* Add reference
* Update rules/integrations/o365/defense_evasion_microsoft_365_mailboxauditbypassassociation.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit af354dc7e8)
2022-01-13 20:35:10 +00:00
Jonhnathan
9dc4500cd7
[Rule Tuning] Change Rules to use Source.ip instead of source.address (#1704)
* Replace source.address with source.ip for compatibility
* Change query
* Missing and condition
(cherry picked from commit cbf0798646)
2022-01-13 19:42:08 +00:00
Austin Songer
6d784aa605
[New Rule] Shadowcopy via Symlink (#1675)
* Create credential_access_shadowcopy_via_symlink.toml
* Update credential_access_shadowcopy_via_symlink.toml
* Update and rename credential_access_shadowcopy_via_symlink.toml to credential_access_shadowcopy_via_mklink.toml
* Update credential_access_shadowcopy_via_mklink.toml
* Update rules/windows/credential_access_shadowcopy_via_mklink.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update rules/windows/credential_access_shadowcopy_via_mklink.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update rules/windows/credential_access_shadowcopy_via_mklink.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update credential_access_shadowcopy_via_mklink.toml
* Rename credential_access_shadowcopy_via_mklink.toml to credential_access_symbolic_link_to_shadow_copy_createdcredential_access_symbolic_link_to_shadow_copy_created.toml
* Update credential_access_symbolic_link_to_shadow_copy_createdcredential_access_symbolic_link_to_shadow_copy_created.toml
* Apply suggestions from code review
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
(cherry picked from commit 25327134a6)
2022-01-12 10:55:35 +00:00
Apoorva Joshi
9e781091cd
Changing naming terminology (#1671)
(cherry picked from commit 0bdb6dec2f)
2021-12-16 19:21:36 +00:00
Jonhnathan
0386728a6a
[New Rule] PowerShell Suspicious Script with Screenshot Capabilities (#1581)
* Create collection_posh_screen_grabber.toml
* Update collection_posh_screen_grabber.toml
* Update collection_posh_screen_grabber.toml
* Update collection_posh_screen_grabber.toml
* Update rules/windows/collection_posh_screen_grabber.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update query condition
* lint
* Update execution_python_tty_shell.toml
* Revert "Update execution_python_tty_shell.toml"
This reverts commit d2d72ea5726415caca8786d59446b6dd60dcee54.
* Update collection_posh_screen_grabber.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit 899642dd78)
2021-12-14 22:32:39 +00:00
Jonhnathan
1b123098a3
[New Rules] PowerShell Suspicious Payload Encoded and Compressed (#1580)
* Create defense_evasion_posh_compressed.toml
* Update defense_evasion_posh_compressed.toml
* Add GzipStream, cover common variations without using wildcard
* Update defense_evasion_posh_compressed.toml
* Apply suggestions from code review
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Add false_positives
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit f2a28e49fb)
2021-12-14 22:27:06 +00:00
Jonhnathan
56dc73f7fa
[Rule Tuning] Bump max_signals on Endgame Promotion Rules (#1662)
* bump endgame max_signals to 10000
* bump updated_date
(cherry picked from commit 9cc342dab7)
2021-12-14 14:54:18 +00:00
Justin Ibarra
c44d51675d
[Rule tuning] fix name for GCP Kubernetes Rolebindings Created or Patched (#1661)
(cherry picked from commit 9a60d7a26a)
2021-12-13 18:02:03 +00:00
github-actions[bot]
634dafa8b9
Lock versions for releases: 7.13,7.14,7.15,7.16 (#1659)
* Locked versions for releases: 7.13,7.14,7.15,7.16
(cherry picked from commit a33de6bfb8)
2021-12-11 04:08:06 +00:00
Samirbous
6b0717c258
[New Rule] Potential JAVA/JNDI Exploitation Attempt (#1658)
* [New Rule] Potential JAVA/JNDI Exploitation Attempt
Identifies an outbound network connection by JAVA to LDAP, RMI or DNS standard ports followed by a suspicious JAVA child process. This may indicate an attempt to exploit a JAVA/DNI injection vulnerability.
* rule ID
* expanded JAVA/DNI to Java Naming and Directory Interface
* added ruby and php to list of suspchildprocs
* Update execution_suspicious_java_netcon_childproc.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit 7978b3cc9e)
2021-12-11 01:08:29 +00:00
Samirbous
0dcd5e82c8
[Rule Tuning] Suspicious JAR Child Process (#1657)
* [Rule Tuning] Suspicious JAR Child Process
Expand rule coverage by removing the requirement that process.args contain a jar file, which may also help detect exploitation attempts via command injection vulnerabilities on server apps running JAVA.
* Update rules/cross-platform/execution_suspicious_jar_child_process.toml
(cherry picked from commit 410d4e5929)
2021-12-11 01:06:29 +00:00
Jonhnathan
8d0275fe03
[New Rule] PowerShell Reflection Assembly Load (#1559)
* Create defense_evasion_posh_assembly_load.toml
* Update defense_evasion_posh_assembly_load.toml
* Update rules/windows/defense_evasion_posh_assembly_load.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Change event.code to event.category
* Update rules/windows/defense_evasion_posh_assembly_load.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit d4e06beee6)
2021-12-08 21:01:25 +00:00
Jonhnathan
3f6c9ac2bd
[Rule Tuning] Powershell Defender Exclusion (#1644)
* Split process.args condition
* Update rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit ee548328d5)
2021-12-08 14:53:33 +00:00
Samirbous
1056bc516f
[New Rule] Enumeration of Privileged Local Groups Membership (#1557)
* [New Rule] Enumeration of Privileged Local Groups Membership
* Update non-ecs-schema.json
* Update discovery_privileged_localgroup_membership.toml
* removed endpoint index (not needed)
* Update rules/windows/discovery_privileged_localgroup_membership.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit b85818f49c)
2021-12-08 10:25:38 +00:00
Samirbous
75b8fc94fd
[New Rule] Privilege Escalation via Rogue Named Pipe Impersonation (#1544)
* [New Rule] Privilege Escalation via Rogue Named Pipe Impersonation
* Update rules/windows/privilege_escalation_via_rogue_named_pipe.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update privilege_escalation_via_rogue_named_pipe.toml
* Update rules/windows/privilege_escalation_via_rogue_named_pipe.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit 434e2d0426)
2021-12-08 10:23:08 +00:00
Samirbous
1370ce26fa
[New Rule] Potential LSASS Clone Creation via PssCaptureSnapShot (#1632)
* [New Rule] Potential LSASS Clone Creation via PssCaptureSnapShot
Detects the creation of an LSASS clone via event 4688 (Sysmon process creation as well as Elastic Endpoint don't capture clone creation, due to the way 4688 logs the process creation event even before an initial thread starts).
* adding extra ref url
(cherry picked from commit e3b76b7cf7)
2021-12-08 10:18:18 +00:00
Jonhnathan
857ec6ba94
[Rule Tuning] Replaces event.code with event.category on PowerShell ScriptBlock Rules (#1620)
* Replaces event.code with event.category
* bump updated_date
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit 851c566730)
2021-12-08 06:34:37 +00:00
Jonhnathan
8182d73800
Add issue to min_stack_comment (#1652)
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit b7b5449033)
2021-12-08 00:54:32 +00:00
Justin Ibarra
a8919b9070
[Rule Tuning] updates from documentation review for 7.16 (#1645)
(cherry picked from commit 14c46f50b9)
2021-12-08 00:45:10 +00:00
Ece Özalp
0b5cae5e2c
Updates Host Risk Score documentation (#1643)
* update host-risk-score.md
* Update docs/experimental-machine-learning/host-risk-score.md
Co-authored-by: Janeen Mikell-Straughn <57149392+jmikell821@users.noreply.github.com>
Co-authored-by: Ryland Herrick <ryalnd@gmail.com>
Co-authored-by: Ece Ozalp <ece.ozalp@elastic.co>
(cherry picked from commit 0935a853fb)
2021-12-08 00:07:43 +00:00
Jonhnathan
f37235581c
Add min_stack and indexes back (#1648)
(cherry picked from commit c21337fe4f)
2021-12-07 13:02:54 +00:00
Jonhnathan
396cee32f1
[Rule Tuning] Switch "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet" to use KQL (#1651)
* Update command_and_control_download_rar_powershell_from_internet.toml
* bump updated_date
(cherry picked from commit 7b0383ffe2)
2021-12-07 12:11:11 +00:00
Jonhnathan
e37fc97c57
Limit index to logs-endpoint.events (#1647)
(cherry picked from commit f6a2437cf8)
2021-12-06 16:47:17 +00:00
Apoorva Joshi
2ecbc87fed
Adding Beaconing docs (#1621)
* Adding beaconing docs
* Adding a call out about import options
* Adding a note about the AD job
* Adding more clarity on the release bundle
* Update beaconing.md
* Update docs/experimental-machine-learning/beaconing.md
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
(cherry picked from commit 237dcd2e19)
2021-12-01 16:46:48 +00:00
Samirbous
d1fe62d903
[New Rule] Suspicious Process Creation CallTrace (#1588)
* [New Rule] Suspicious Process Creation CallTrace
* Update non-ecs-schema.json
* added min stack vers
* min_stack_vers not needed
* Update rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit d43e3d8e4e)
2021-11-30 20:37:41 +00:00
Apoorva Joshi
d1e73cb0c3
Updating host risk score and experimental detections docs (#1639)
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
(cherry picked from commit d061bf8e7c)
2021-11-30 19:26:54 +00:00
Khristinin Nikita
d098c58d27
[Rule Tuning] Support ECS 1.11 field for IM rule (#1560)
* Support ecs field for IM rule
* update time interval
* Change additional lookback to 5 minutes
* Add old rule
* Add newline
* Update rules/cross-platform/threat_intel_module_match.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Remove im legacy rule
* Update name and description
* Remove min_stack_comment
* Keep 2 IM rule
* add min_stack_comments to rule
* Update rules/cross-platform/threat_intel_indicator_match.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* adds new rules
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Ece Özalp <ozale272@newschool.edu>
Co-authored-by: Ece Ozalp <ece.ozalp@elastic.co>
(cherry picked from commit c619844b0d)
2021-11-30 18:27:52 +00:00
Austin Songer
423145dae7
[New Rule] Azure Kubernetes Rolebindings Created (#1576)
* Create azure_kubernetes_rolebinding_created_or_deleted.toml
* Update
* Update privilege_escalation_azure_kubernetes_rolebinding_created_or_deleted.toml
* Update and rename privilege_escalation_azure_kubernetes_rolebinding_created_or_deleted.toml to privilege_escalation_azure_kubernetes_rolebinding_modified_or_deleted.toml
* Update rules/integrations/azure/privilege_escalation_azure_kubernetes_rolebinding_modified_or_deleted.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update privilege_escalation_azure_kubernetes_rolebinding_modified_or_deleted.toml
* Update privilege_escalation_azure_kubernetes_rolebinding_modified_or_deleted.toml
* Update privilege_escalation_azure_kubernetes_rolebinding_modified_or_deleted.toml
* Update and rename privilege_escalation_azure_kubernetes_rolebinding_modified_or_deleted.toml to privilege_escalation_azure_kubernetes_rolebinding_modified.toml
* Update privilege_escalation_azure_kubernetes_rolebinding_modified.toml
* Update privilege_escalation_azure_kubernetes_rolebinding_modified.toml
* Update privilege_escalation_azure_kubernetes_rolebinding_modified.toml
* Update and rename privilege_escalation_azure_kubernetes_rolebinding_modified.toml to privilege_escalation_azure_kubernetes_rolebinding_created.toml
* Update privilege_escalation_azure_kubernetes_rolebinding_created.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
(cherry picked from commit 521f0987ae)
2021-11-29 12:18:02 +00:00
Austin Songer
c49501c4cc
[New Rule] Clearing Windows Console History (#1623)
* Create defense_evasion_clearing_windows_console_history.toml
* Update defense_evasion_clearing_windows_console_history.toml
* Update defense_evasion_clearing_windows_console_history.toml
* Update rules/windows/defense_evasion_clearing_windows_console_history.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update rules/windows/defense_evasion_clearing_windows_console_history.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update defense_evasion_clearing_windows_console_history.toml
* Update defense_evasion_clearing_windows_console_history.toml
* Update defense_evasion_clearing_windows_console_history.toml
* Update defense_evasion_clearing_windows_console_history.toml
* Update rules/windows/defense_evasion_clearing_windows_console_history.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* bump severity
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
(cherry picked from commit 13fc69b70a)
2021-11-25 16:27:24 +00:00