f3d55185c2
[New Rule] Threshold Detections for Okta User Sessions and Client Addresses ( #3263 )
...
* new Okta threshold rules for client addresses and sessions
* adjusting references
* Update rules/integrations/okta/initial_access_multiple_client_addresses_with_single_okta_session.toml
* Update rules/integrations/okta/initial_access_multiple_client_addresses_with_single_okta_session.toml
* Update rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml
* Update rules/integrations/okta/initial_access_multiple_client_addresses_with_single_okta_session.toml
* Update rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Update rules/integrations/okta/initial_access_multiple_client_addresses_with_single_okta_session.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Update rules/integrations/okta/initial_access_multiple_client_addresses_with_single_okta_session.toml
* Update rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml
* Update rules/integrations/okta/initial_access_multiple_client_addresses_with_single_okta_session.toml
* Update rules/integrations/okta/initial_access_multiple_client_addresses_with_single_okta_session.toml
* Update rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml
* Update rules/integrations/okta/initial_access_multiple_client_addresses_with_single_okta_session.toml
* Update rules/integrations/okta/initial_access_multiple_client_addresses_with_single_okta_session.toml
* Update rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit 0578bd4caa
2023-11-28 00:07:30 +00:00
bff1ce7e5d
[New Rule] Detection for Okta Sign-In Events via Third-Party IdP ( #3259 )
...
* adding new rule 'Okta Sign-In Events via Third-Party IdP'
* fix creation date
* fixed query efficiency
* added investigation guide
* Update rules/integrations/okta/initial_access_sign_in_events_via_third_party_idp.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit 8eeb95f545
2023-11-27 23:35:54 +00:00
3e2cbe2163
adding new rule 'New Okta Identity Provider (IdP) Added by Admin' ( #3258 )
...
(cherry picked from commit 73288af642
2023-11-27 23:11:28 +00:00
900e7a9ec0
[New Rule] Adding Detection for First Occurrence of Okta User Session Started via Proxy ( #3261 )
...
* new rule 'First Occurrence of Okta User Session Started via Proxy'
* Update rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml
* Update rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml
* Update rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml
* Update rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml
(cherry picked from commit 8321cfe018
2023-11-27 22:54:46 +00:00
ab8ab6d596
[New Rule] Adding Detection for New Okta Authentication Behavior ( #3260 )
...
* new rule 'New Okta Authentication Behavior Detected'
* Update rules/integrations/okta/initial_access_new_authentication_behavior_detection.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit f19506f3a2
2023-11-27 22:43:48 +00:00
315b4df8ca
[New] First Time Seen NewCredentials Lgon Process ( #3276 )
...
* Create privilege_escalation_newcreds_logon_rare_process.toml
* Update privilege_escalation_newcreds_logon_rare_process.toml
* Update privilege_escalation_newcreds_logon_rare_process.toml
* Update privilege_escalation_newcreds_logon_rare_process.toml
* Update rules/windows/privilege_escalation_newcreds_logon_rare_process.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit 88f752bf8b
2023-11-27 18:42:12 +00:00
a3388dbf36
Setup Guide information for MacOS rules ( #3274 )
...
(cherry picked from commit 7854081cc0
2023-11-22 14:53:02 +00:00
633f364632
[New Rule] Adding Detection Logic for Okta User Sessions Started from Different Geolocations ( #3279 )
...
* new rule 'Okta User Sessions Started from Different Geolocations'
* Update rules/integrations/okta/initial_access_okta_user_sessions_started_from_different_geolocations.toml
(cherry picked from commit 832ee02aed
2023-11-21 22:36:50 +00:00
699c835043
[Rule Tuning] Fix Menasec Expired Links ( #3271 )
...
(cherry picked from commit f53f46efd5
2023-11-14 13:23:48 +00:00
9c271c6591
Enhance Setup Guide information ( #3256 )
...
(cherry picked from commit d52546eee5
2023-11-03 13:41:40 +00:00
90c06f5fce
Setup information for Linux Rules - Set8 ( #3200 )
...
(cherry picked from commit 5c5d1b214b
2023-10-30 15:34:50 +00:00
a31d788dcb
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform ( #3157 )
...
(cherry picked from commit a568c56bc1
2023-10-30 11:28:47 +00:00
473039ceb8
[New Rule] Attempt to Clear Kernel Ring Buffer ( #3217 )
...
* [New Rule] Attempt to Clear Kernel Ring Buffer
* Update defense_evasion_clear_kernel_ring_buffer.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
(cherry picked from commit 618a1dbe06
2023-10-30 08:42:54 +00:00
700b6c5168
[Tuning] Access to Stored Browser Credentials ( #3066 )
...
* Exclude FPs
* Update rules/macos/credential_access_access_to_browser_credentials_procargs.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit 6400bb3237
2023-10-27 20:15:40 +00:00
936db2cd9b
[Rule Tuning] Review and Tune Potential Malicious File Downloaded from Google Drive ( #3197 )
...
* added tuning to remove signed binaries and benign processes
* Update rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Update rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
(cherry picked from commit e7db39a492
2023-10-27 18:18:25 +00:00
924056878d
[Rule Tuning] Windows DR Tuning - 4 ( #3214 )
...
* [Rule Tuning] Windows DR Tuning - 4
* Update credential_access_remote_sam_secretsdump.toml
(cherry picked from commit 1133b3a8a9
2023-10-27 00:04:57 +00:00
44cf454ce2
[Rule Tuning] Windows DR Tuning - 3 ( #3212 )
...
* [Rule Tuning] Windows DR Tuning - 3
* Update credential_access_lsass_openprocess_api.toml
* Update credential_access_moving_registry_hive_via_smb.toml
(cherry picked from commit 3d73427e29
2023-10-26 22:04:49 +00:00
4d98afbc1d
[Rule Tuning] Windows DR Tuning - 2 ( #3209 )
...
* [Rule Tuning] Windows DR Tuning - 2
* Update rules/windows/credential_access_kerberoasting_unusual_process.toml
* Update credential_access_kerberoasting_unusual_process.toml
* Update command_and_control_teamviewer_remote_file_copy.toml
(cherry picked from commit efa7c428ea
2023-10-26 21:17:05 +00:00
aa62790ae6
[Rule Tuning] Windows DR Tuning - 1 ( #3198 )
...
* [Rule Tuning] Windows DR Tuning - 1
* Update collection_winrar_encryption.toml
(cherry picked from commit a5240e4063
2023-10-26 20:26:43 +00:00
85458c65cd
[New Rule] Network Activity Detected via kworker ( #3202 )
...
* [New Rule] Potential curl CVE-2023-38545 Exploitation
* Revert "[New Rule] Potential curl CVE-2023-38545 Exploitation"
This reverts commit 9c04d1b53d3d63678289f43ec0c7b617d26f1ce0.
* [New Rule] Network Activity Detected via kworker
* White space
* Update rules/linux/command_and_control_linux_kworker_netcon.toml
* Update rules/linux/command_and_control_linux_kworker_netcon.toml
* Update rules/linux/command_and_control_linux_kworker_netcon.toml
* Update command_and_control_linux_kworker_netcon.toml
* Update rules/linux/command_and_control_linux_kworker_netcon.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/command_and_control_linux_kworker_netcon.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update command_and_control_linux_kworker_netcon.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
(cherry picked from commit 1ac3775743
2023-10-25 13:30:50 +00:00
1b9aaa3730
[Rule Tuning] Bump Minimum Stacks for AWS and Okta for Version Control ( #3221 )
...
* adding adjusted Okta rules
* adding adjusted AWS rules
* adding adjusted AWS rules
(cherry picked from commit 3d57209705
2023-10-24 16:58:20 +00:00
8c03047130
[New Rule] Potential Linux Hack Tool Launched ( #3125 )
...
* [New Rule] Potential Linux Hack Tool Launched
* changed description slightly
* Updated description
* Update rules/linux/execution_potential_hack_tool_executed.toml
* Update rules/linux/execution_potential_hack_tool_executed.toml
(cherry picked from commit 3855dd06d8
2023-10-23 19:42:37 +00:00
223bfe0a6d
[Promote] Potential Masquerading as Communication Apps ( #3181 )
...
* [Promote] Potential Masquerading as Communication Apps
* Update defense_evasion_masquerading_communication_apps.toml
* Update defense_evasion_masquerading_communication_apps.toml
* Update rules/windows/defense_evasion_masquerading_communication_apps.toml
* Update defense_evasion_masquerading_communication_apps.toml
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit 6fcf26b20e
2023-10-23 18:01:34 +00:00
574a130346
[Rule Tuning] Potential Privilege Escalation via InstallerFileTakeOver ( #3215 )
...
* [Rule Tuning] Potential Privilege Escalation via InstallerFileTakeOver
* Update privilege_escalation_installertakeover.toml
(cherry picked from commit a471f6fc60
2023-10-23 17:40:51 +00:00
4ed6c7d594
[New Rule] Add Living-off-the-Land (LotL) ProblemChild Rules ( #3193 )
...
* adding new LotL rules
* added endpoint tags; updated technique mapping
* added missing data source tag
* Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* updated note, references and date
* changed ATT&CK technique to binary proxy execution
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
(cherry picked from commit 835be9b245
2023-10-23 16:29:59 +00:00
ab55bc399d
[New Rule] Netcat Listener Established via rlwrap ( #3124 )
...
* [New Rule] Netcat Listener Established via rlwrap
* Update rules/linux/execution_nc_listener_via_rlwrap.toml
(cherry picked from commit ff268cc6a0
2023-10-23 15:37:35 +00:00
916b1a2cad
[Promote] Expired or Revoked Driver Loaded ( #3185 )
...
* [Promote] Expired or Revoked Driver Loaded
* Update privilege_escalation_expired_driver_loaded.toml
(cherry picked from commit 18ff85ce84
2023-10-23 14:50:52 +00:00
9b2e74b220
[Rule Tuning] Linux Rules ( #3092 )
...
* [Rule Tuning] [WIP] Linux DR
* Update defense_evasion_binary_copied_to_suspicious_directory.toml
* Fixed tag
* Added additional tuning
* unit test fix
* Additional tuning
* tuning
* added max signals
* Added max_signals=1 to brute force rules
* Cross-Platform Tuning
* Small fix
* new_terms conversion
* typo
* new_terms conversion
* Ransomware rule tuning
* performance tuning
* new_terms conversion for auditd_manager
* tune
* Need coffee
* kql/eql stuff
* formatting improvement
* new_terms sudo hijacking conversion
* exclusion
* Deprecations that were added last tuning
* Deprecations that were added last tuning
* Increased max timespan for brute force rules
* version bump
* added domain tag
* Two tunings
* More tuning
* Additional tuning
* updated_date bump
* query optimization
* Tuning
* Readded the exclusions for this one
* Changed int comparison
* Some tunings
* Update persistence_systemd_scheduled_timer_created.toml
* Update rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* [New Rule] Potential curl CVE-2023-38545 Exploitation
* Revert "[New Rule] Potential curl CVE-2023-38545 Exploitation"
This reverts commit 9c04d1b53d3d63678289f43ec0c7b617d26f1ce0.
* Update rules/cross-platform/command_and_control_non_standard_ssh_port.toml
* Update rules/linux/command_and_control_cat_network_activity.toml
* Update persistence_message_of_the_day_execution.toml
* Changed max_signals
* Revert "Merge branch 'main' into rule-tuning-ongoing-dr"
This reverts commit 1106b5d2eba1a3529eff325226d6baabfd4b0bf3, reversing
changes made to 5ff510757f25b0cb32e1ef18e9e2c34c8ec325a8.
* Revertable merge
* Update defense_evasion_ld_preload_env_variable_process_injection.toml
* File name change
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
(cherry picked from commit 020fff3aea
2023-10-23 14:34:55 +00:00
60475f6aa0
Move Setup information into setup filed ( #3206 )
...
(cherry picked from commit 7254c582c5
2023-10-23 14:04:26 +00:00
85854896e6
[New Rule] Upgrade of Non-interactive Shell ( #3113 )
...
* [New Rule] Upgrade of Non-interactive Shell
* Changed numbers to int
* Changed severity
* [New Rule] Pot. Rev Shell via Background Process
* Revert "[New Rule] Pot. Rev Shell via Background Process"
This reverts commit bbb36eae26561dbef4bf57f6c1388cebe7a8b88d.
* Update rules/linux/execution_interpreter_tty_upgrade.toml
(cherry picked from commit 9f41c9f35c
2023-10-18 14:53:36 +00:00
6b03cbb54b
[New Rules] cap_setuid/cap_setgid privesc ( #3075 )
...
* [New Rules] cap_setuid/cap_setgid privesc
* Update persistence_setuid_setgid_capability_set.toml
* Update rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update privilege_escalation_suspicious_cap_setuid_python_execution.toml
* Update rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml
* Update privilege_escalation_suspicious_cap_setuid_python_execution.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
(cherry picked from commit 6ea11cd9ad
2023-10-18 14:29:35 +00:00
71f4ba024c
[New Rule] Potential SSH-IT SSH Worm Downloaded ( #3121 )
...
* [New Rule]
* Fixed grammar mistake
* Update rules/linux/lateral_movement_ssh_it_worm_download.toml
* Update rules/linux/lateral_movement_ssh_it_worm_download.toml
(cherry picked from commit 4190c3a6a7
2023-10-18 14:14:42 +00:00
28c04cbdcf
[New Rule] Pot. Network Scan Executed from Host ( #3070 )
...
(cherry picked from commit 7d674db11e
2023-10-18 13:52:28 +00:00
118f11daf6
Setup information for Linux Rules - Set7 ( #3190 )
...
(cherry picked from commit 276c0f9cd3
2023-10-17 14:21:37 +00:00
b873968d3a
Setup information for Linux Rules - Set6 ( #3189 )
...
(cherry picked from commit 5a98208b53
2023-10-17 14:09:16 +00:00
a7e83681e3
Setup information for Linux Rules - Set5 ( #3188 )
...
(cherry picked from commit 2a48db0598
2023-10-17 13:46:52 +00:00
95f45de9cc
Setup information for Linux Rules - Set4 ( #3179 )
...
(cherry picked from commit 25b527c149
2023-10-17 13:35:14 +00:00
f99b745866
Setup information for Linux Rules - Set3 ( #3178 )
...
(cherry picked from commit d2c2987d72
2023-10-17 13:13:05 +00:00
34ef0f1752
Setup information for Linux Rules - Set2 ( #3177 )
...
(cherry picked from commit 1801a4ee7e
2023-10-17 13:01:51 +00:00
97ce9d7478
[Rule Tuning] Potential Masquerading as System32 DLL ( #3184 )
...
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit e4e68c2dd8
2023-10-17 11:35:05 +00:00
6bc1104f86
[Rule Tuning] Adjust Lucene queries to use Uppercase operators ( #3196 )
...
(cherry picked from commit 82685e36ce
2023-10-16 20:14:08 +00:00
cad094abbd
[New Rule] Adding DGA Rules from Advanced Analytic DGA Package ( #3102 )
...
* Adding DGA rules
* Adding references
* updated rule tags and queries
* Updating min stack version
* added logic to handle ml jobs
* added code comments for clarity
* removing subbed security docs folder
* added event dataset to queries for endpoint; updated note
* removed event dataset
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co >
(cherry picked from commit a5a606e804
2023-10-16 19:54:30 +00:00
9426d79b1c
[Tuning] Adjusted Rules for Anti-Evasion ( #3163 )
...
* Update lateral_movement_executable_tool_transfer_smb.toml
* Update lateral_movement_incoming_wmi.toml
* Update lateral_movement_execution_via_file_shares_sequence.toml
* Update lateral_movement_executable_tool_transfer_smb.toml
* Update lateral_movement_execution_via_file_shares_sequence.toml
* Update lateral_movement_executable_tool_transfer_smb.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
(cherry picked from commit 24b0aa5c63
2023-10-16 17:02:08 +00:00
ef715864f4
[Security Content] Adjust Mitre Att&ck Mappings - Windows Rules ( #3165 )
...
* [Security Content] Adjust Mitre Att&ck Mappings - Windows Rules
* Fix dates
* Fix unit test errors
* updated tags and fixed branch conflicts
updated tags and fixed branch conflicts
* description nit
* Reverting unintended changes
* Update initial_access_suspicious_ms_office_child_process.toml
---------
Co-authored-by: imays11 <59296946+imays11@users.noreply.github.com >
(cherry picked from commit f584fb6e31
2023-10-15 21:18:03 +00:00
2f7471e749
[New Rule] Adding Data Exfiltration Rules from Advanced Analytic DED Package ( #3126 )
...
* Adding DED rules
* adding integration manifests and schemas for DED
* Updating min stack version
* updating manifests and schemas to match main
* added setup note; updated references
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co >
(cherry picked from commit 97ff7fb26e
2023-10-14 17:29:24 +00:00
3351e87789
Improve exsisting setup configurations for Linux ( #3141 )
...
(cherry picked from commit 15718ea09e
2023-10-13 08:15:12 +00:00
094ad60ff6
[New Rule] New GitHub App Installed ( #3055 )
...
* new rule
* Update rules/integrations/github/execution_new_github_app_installed.toml
* Update rules/integrations/github/execution_new_github_app_installed.toml
edits from review
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* change query from event.module to event.dataset
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit 374c9c6257
2023-10-13 00:16:30 +00:00
d72996c401
[New Rule] Migrate Lateral Movement Detection Rules ( #3175 )
...
* adding LMD rules
* added setup note; updated references
* adds 2.0.0 lmd manifest and schema
* adjusted min-stack for non-ML rules
(cherry picked from commit 1e514afa57
2023-10-12 19:07:54 +00:00
788f2ce884
[Rule Tuning] PowerShell Rules Tuning ( #3169 )
...
(cherry picked from commit 3f2a709370
2023-10-11 21:03:44 +00:00
c9a1edd9fc
[New Rule] Potential curl CVE-2023-38545 Exploitation ( #3168 )
...
* [New Rule] Potential curl CVE-2023-38545 Exploitation
* Added setup guide
* Update execution_curl_CVE_2023_38545.toml
* File name change
* File name change
* Update dates
* Update rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml
* Update rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
(cherry picked from commit 89cfdcd440
2023-10-11 14:48:20 +00:00
Terrance DeJesus