Isai
9146e0965d
[New Rule] Github Repository Deleted (#3056)
* new rule
* Update rules/integrations/github/impact_github_repository_deleted.toml
* Update rules/integrations/github/impact_github_repository_deleted.toml
updates based on review
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2023-09-14 18:00:25 -04:00
Isai
904e37b732
[New Rule] GitHub Protected Branch Settings Changed (#3054)
* new rule file
* testing query change
* query changed back
* Update rules/integrations/github/defense_evasion_github_protected_branch_settings_changed.toml
updates based on review
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
* updated integration manifests with github schema
* Update defense_evasion_github_protected_branch_settings_changed.toml
added event.dataset to query
* added timestamp_override
* changed timestamp_override to @timestamp
* changed timestamp_override
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
2023-09-14 17:16:51 -04:00
Jonhnathan
4233fef238
[Security Content] Include "Data Source: Elastic Defend" tag (#3002)
* win folder
* Other folders
* Update test_all_rules.py
* .
* updated missing elastic defend tags
---------
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
2023-09-05 14:22:01 -04:00
Steve Ross
4f33a40f48
[Bug] Duplicate tag on Okta rule (#3020)
* Fix double tag on rule
* fixed all rules; added unit test
---------
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2023-08-21 10:42:47 -04:00
Samirbous
97d429e314
[New] Suspicious Microsoft 365 Mail Access by ClientAppId (#2933)
* [New] Suspicious Microsoft 365 Mail Access by ClientAppId
Using the New Terms rule type, identifies when a Microsoft 365 Mailbox is accessed by a ClientAppId that was observed for the first time during the last 10 days.
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-193a
https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-o365.html
* Update initial_access_microsoft_365_abnormal_clientappid.toml
* Update initial_access_microsoft_365_abnormal_clientappid.toml
2023-07-19 16:05:13 +01:00
Isai
80e2b699b6
[New Rule] Modification of Dynamic Linker Preload Shared Object Inside A Container (#2837)
* [New Rule] Modification of Dynamic Linker Preload Shared Object Inside A Container
new rule
* removed priv_esc tag
removed priv_esc tag
* adjusted tags
adjusted tags
* updated tags
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2023-07-17 15:03:24 -04:00
Isai
db90345fd5
[Rule Tuning] Kubernetes Anonymous Request Authorized (#2865)
* rule tuning for exclusions
* optimized query
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2023-07-17 13:03:05 -04:00
Isai
0b64638bf7
[New Rule] AWS Credentials Searched For Inside a Container (#2887)
* new rule toml
* Updated query
updated query based on review and added additional search queries
* updated rule query based on review
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2023-07-17 12:29:02 -04:00
Terrance DeJesus
0f5b5a3551
[Rule Tuning] Add Okta Investigation Guides Part 1 (#2899)
* adding investigation guides for Okta rules
* Update rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
* Update rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
* Update rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
* Update rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
* Update rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
* Update rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
* Update rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
* Update rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
* Update rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
* added MFA to investigation guide for brute forcing
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2023-07-17 11:47:02 -04:00
Ruben Groenewoud
8703c65f87
[Tuning] Azure Network Packet Capture Detected (#2888)
2023-06-28 16:32:56 +02:00
eric-forte-elastic
aaa4ce2ea0
[BUG] test_all_rule_queries_optimized does not run on rules (#2823)
* Fixed kql -> kuery in test_all_rule_queries_opt...
* all queries optimized
* manually reconciled all rules that failed due to toml escaped chars
* merge rules from main
* Rules needing optimization
* Fix optimized note
* fix another note
* another note fix
* fixing whitespace
* Updated for readability
---------
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
2023-06-23 10:58:31 -04:00
Jonhnathan
b4c84e8a40
[Security Content] Tags Reform (#2725)
* Update Tags
* Bump updated date separately to be easy to revert if needed
* Update resource_development_ml_linux_anomalous_compiler_activity.toml
* Apply changes from the discussion
* Update persistence_init_d_file_creation.toml
* Update defense_evasion_timestomp_sysmon.toml
* Update defense_evasion_application_removed_from_blocklist_in_google_workspace.toml
* Update missing Tactic tags
* Update unit tests to match new tags
* Add missing IG tags
* Delete okta_threat_detected_by_okta_threatinsight.toml
* Update command_and_control_google_drive_malicious_file_download.toml
* Update persistence_rc_script_creation.toml
* Mass bump
* Update persistence_shell_activity_by_web_server.toml
* .
---------
Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
2023-06-22 18:38:56 -03:00
Terrance DeJesus
082e92c95c
[Rule Tuning] Adjust Okta ThreatInsight Rule to Promotion (#2854)
* adding new rule for Okta ThreatInsight threat suspected
* added promotion tag
* removed new rule and tuned existing
* added promotion tag
* Update rules/integrations/okta/okta_threatinsight_threat_suspected_promotion.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2023-06-21 09:47:27 -04:00
Terrance DeJesus
7f249e6cc4
[Security Content] Add Google Workspace Investigation Guides (#2540)
* adding google workspace investigation guides
* updated 'Google Workspace Custom Gmail Route Created or Modified' guide
* updated 'Google Workspace Custom Gmail Route Created or Modified' guide
* updated 'Application Removed from Blocklist in Google Workspace'
* updated 'Domain Added to Google Workspace Trusted Domains'
* updated 'Google Workspace Bitlocker Setting Disabled'
* updated 'Google Workspace Admin Role Deletion'
* updated 'Application Added to Google Workspace Domain'
* updated 'Google Workspace Admin Role Assigned to a User'
* updated 'Google Workspace Role Modified'
* updated 'Google Workspace Custom Admin Role Created'
* updated 'Google Workspace API Access Granted via Domain-Wide Delegation of Authority'
* updated 'Google Workspace Password Policy Modified'
* updated 'Google Workspace Restrictions for Google Marketplace Modified to Allow Any App'
* updated 'Google Workspace User Organizational Unit Changed'
* reverted 'Google Workspace User Group Access Modified to Allow External Access'
* removed new lines
* added 'Investigation Guide' tags
* Update rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
* Update rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/collection_google_workspace_custom_gmail_route_created_or_modified.toml
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/collection_google_workspace_custom_gmail_route_created_or_modified.toml
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/collection_google_workspace_custom_gmail_route_created_or_modified.toml
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/defense_evasion_google_workspace_restrictions_for_google_marketplace_changed_to_allow_any_app.toml
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/impact_google_workspace_admin_role_deletion.toml
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/google_workspace/collection_google_workspace_custom_gmail_route_created_or_modified.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/google_workspace/persistence_google_workspace_password_policy_modified.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/google_workspace/persistence_google_workspace_password_policy_modified.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/google_workspace/persistence_google_workspace_password_policy_modified.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/google_workspace/persistence_google_workspace_password_policy_modified.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Apply suggestions from code review
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/collection_google_workspace_custom_gmail_route_created_or_modified.toml
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/persistence_google_workspace_2sv_policy_disabled.toml
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Apply suggestions from code review
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Apply suggestions from code review
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>
* Apply suggestions from code review
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Apply suggestions from code review
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* removed duplicate file
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>
2023-05-18 10:16:20 -04:00
Isai
0eed8ce27f
[New Rule] SSH Process Launched From Inside A Container (#2794)
* [New Rule] SSH Process Launched From Inside A Container
new toml rule file
* changed "not" query
changed query to !=
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2023-05-16 17:32:58 -04:00
Isai
b0838cc2cb
[New Rule] SSH Connection Established Inside A Running Container (#2793)
* [New Rule] SSH Connection Established Inside A Running Container
new rule toml
* Update initial_access_ssh_connection_established_inside_a_container.toml
moved order of tactics
* Apply suggestions from code review
updated spacing based on code review
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2023-05-16 16:56:52 -04:00
Isai
515d393828
[New Rule] SSH Authorized Keys File Modified Inside a Container (#2792)
* [New Rule] SSH Authorized Keys File Modified Inside a Container
new rule toml
* toml file name change
changed duplicate toml file name
* Update persistence_ssh_authorized_keys_modification_inside_a_container.toml
added time intervals
* removed redundant event.type
removed event.type fields
* added back event.type and removed event.action per reviewer suggestion
removed redundant event.action fields
2023-05-16 16:30:17 -04:00
Isai
648dd8b3ed
[New Rule] Interactive Exec Command Launched Against A Running Container (#2791)
* [New Rule] Interactive Exec Command Launched Against A Running Container
new rule toml
* Update execution_interactive_exec_to_container.toml
updated reference links
* Update execution_interactive_exec_to_container.toml
fixed the comments
* Update execution_interactive_exec_to_container.toml
* Update execution_interactive_exec_to_container.toml
removed process.session_leader.same_as_process
* Update execution_interactive_exec_to_container.toml
added time intervals
* Apply suggestions from code review
updated spacing
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2023-05-16 16:09:10 -04:00
Isai
9e3dc112b3
[New Rule] Sensitive Files Compression Inside A Container (#2790)
new rule toml
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2023-05-16 15:49:42 -04:00
Isai
d8e9874d54
[New Rule] Sensitive Keys Or Passwords Searched For Inside A Container (#2789)
* [New Rule] Sensitive Keys Or Passwords Searched For Inside A Container
new rule toml
* description update
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* added locate and mlocate based on review suggestion
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2023-05-16 15:29:54 -04:00
Isai
73f87ad7e6
[New Rule] Suspicious Network Tool Launched Inside A Container (#2759)
* [New Rule] Suspicious Network Tool Launched Inside A Container
new rule
* Apply suggestions from code review
removed unused fields, adjust from field for readability
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
* update based on reviews
added additional tools, added false positives section, raised risk score
* Update discovery_suspicious_network_tool_launched_inside_a_container.toml
adjusted tags
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2023-05-16 15:21:42 -04:00
Isai
5fd155849e
[New Rule] File Made Executable via Chmod Inside A Container (#2757)
* [New Rule] File Made Executable via Chmod Inside A Container
new rule
* edit threat matrix urls
add final / to reference urls
* Apply suggestions from code review
removed unused fields, adjust from field for readability
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
* Update execution_file_made_executable_via_chmod_inside_a_container.toml
rule query change to remove exclusion and add more common chmod executable patterns, nit review comments, additional tactic, technique and subtechnique
* Update execution_file_made_executable_via_chmod_inside_a_container.toml
added Defense Evasion tag
* Update execution_file_made_executable_via_chmod_inside_a_container.toml
* Update execution_file_made_executable_via_chmod_inside_a_container.toml
adjusted tags
* Update execution_file_made_executable_via_chmod_inside_a_container.toml
changed rule type to file instead of process to eliminate false positive results from adding the number modification parts of the query
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2023-05-16 15:15:49 -04:00
Isai
4c996490ec
[New Rule] Netcat Listener Established Inside A Container (#2756)
* [New Rule] Netcat Listener Established Inside A Container
new rule toml
* remove references
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
* remove false_positives
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
* adjust from field from s to m for readability
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
* Apply suggestions from code review
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
* Update execution_netcat_listener_established_inside_a_container.toml
updated query, updated risk score, expanded explanation for 2nd part of the query where process args is used to search for target executables
* optimized query
optimized query to deduplicate fields based on review feedback
* Update execution_netcat_listener_established_inside_a_container.toml
updated query comment
* Update execution_netcat_listener_established_inside_a_container.toml
added false positive section
* Update execution_netcat_listener_established_inside_a_container.toml
adjusted tags
* removed the != end query parameter
removed the exclusion of end events for this to account for short-lived netcat listener processes
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
2023-05-16 15:08:20 -04:00
Isai
e954b6d7eb
[New Rule] Interactive Shell Spawned From Inside a Container (#2752)
* Create execution_interactive_shell_spawned_from_inside_a_container.toml
new rule
* Update execution_interactive_shell_spawned_from_inside_a_container.toml
edited threat matrix
* Update execution_interactive_shell_spawned_from_inside_a_container.toml
changed boolean in query from string type
* Update execution_interactive_shell_spawned_from_inside_a_container.toml
added timestamp_override field
* Apply suggestions from code review
readability from field change, removed references field
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
* Apply suggestions from code review
index spacing, rule name, comment change
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
* Update execution_interactive_shell_spawned_from_inside_a_container.toml
updated description, updated query to utilize container.id field to distinguish container vs linux rule, remove unnecessary comments and simplify the query.
* Update rule query
updated rule query to use process.executable and an or field for event.action
* Update execution_interactive_shell_spawned_from_inside_a_container.toml
adjusted tags
* changed "not" in query
event.action != end based on review suggestion
* spacing around comments
* removed ending wildcard causing FPs
removed ending wildcard for process.args /sh as it's causing FPs and will risk being too noisy
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
2023-05-16 15:02:20 -04:00
Isai
ee86144565
[New Rule] Container Management Binary Run Inside A Container (#2754)
* [New Rule] Container Management Binary Run Inside A Container
new rule
* Apply suggestions from code review
removed unused fields, adjust from field for readability
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
* Apply suggestions from code review
description change, name change, index spacing
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
* Update false_positives and query
added false positives section and updated query with container.id field
* Update execution_container_management_binary_launched_inside_a_container.toml
adjusted tags
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2023-05-16 14:41:27 -04:00
Terrance DeJesus
71d93e875e
[Rule Tuning] Tuning 'AWS Access Secret in Secrets Manager' to New Terms (#2760)
* [Rule Tuning] Tuning 'AWS Access Secret in Secrets Manager' to New Terms
* updated new terms
2023-05-03 09:28:59 -04:00
Karl Godard
7435ac39d2
[Rule Tuning] added rule name override for cloud_defend integration rule ( #2767 )
2023-05-02 00:05:24 -04:00
Terrance DeJesus
f21a9e4793
updating min stack comments ( #2712 )
2023-04-12 14:30:34 -04:00
Terrance DeJesus
d6f277e379
[New Rule] Google Workspace New OAuth Login from Third-Party Application ( #2677 )
...
* adding new rule 'Google Workspace New OAuth Login from Custom Application'
* changed name and 'custom' to 'third-party'
* Update rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml
* Update rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml
* updated non-ecs
2023-04-12 09:40:31 -04:00
Terrance DeJesus
4511ab0666
[Rule Tuning] Add Sequence for OAuth Authorization to Custom App - Google Workspace ( #2674 )
...
* tuning rule to add token sequence
* updated date
* updated non-ecs, integration schemas and manifests
* added investigation guide
* Updating note
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* updating note
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* updated false positive description
* updating manifest and schemas with main to resolve conflicts
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
2023-04-12 09:15:58 -04:00
Karl Godard
d0ea8c6f98
[New Rule] new CWP rule to surface alerts from the cloud_defend integration ( #2679 )
...
* new CWP rule to surface alerts from the cloud_defend integration
* created new rule uuid
* updated version info. removed risk level overrides and endpoint exception list
* added event.module
* removed rule name override
* updated_date and min_stack_comments updated
* updated external alerts updated_date. added kubernetes to cwp rule tags
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-04-05 21:31:03 -03:00
Terrance DeJesus
71d12bdda4
[Bug] Unit Tests Passing for Rules with Integrations Not Reflected in Manifests ( #2682 )
...
* add promotion to rulemeta schema class and updated promotion rules
* add promotion to rulemeta schema class and updated promotion rules
* adjusted test_integration_tag and okta rule missing dataset
* fixed flake errors
* updated manifests and schemas to include cloud defend
2023-04-03 09:42:40 -04:00
Terrance DeJesus
76500f0d46
[New Rule] Google Workspace Drive - Encryption Key(s) Accessed from Anonymous User ( #2654 )
...
* new rule 'Google Workspace Drive Encryption Key(s) Accessed from Anonymous User'
* updated MITRE ATT&CK mappings
2023-03-24 12:21:56 -04:00
Terrance DeJesus
7be5788945
[New Rule] Google Workspace Resource Copied from External Drive ( #2627 )
...
* added new rule 'Google Workspace Resource Copied from External Drive'
* adjusted mitre att&ck subtechnique ID
2023-03-20 14:37:58 -04:00
Terrance DeJesus
2c5470349c
[New Rule] External User Added to Private Organization Group ( #2577 )
...
* new rule 'External User Added to Google Workspace Group'
* Update rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* added Investigation Guide tag
---------
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-03-20 14:32:42 -04:00
Jonhnathan
38b8311482
[Security Content] Expand Abbreviated Tags ( #2414 )
...
* [Security Content] Expand Abbreviated Tags
* .
* Update privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.toml
* Apply suggestions from code review
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Revert changes to deprecated rules
* Bump updated_date
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
2023-03-06 17:37:52 -03:00
Terrance DeJesus
bb4f7acf27
deprecate 'Google Workspace User Group Access Modified to Allow External Access' ( #2576 )
...
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-03-02 11:29:14 -05:00
Terrance DeJesus
46b18b5a07
[New Rule] Google Workspace - Suspended User Account Renewed ( #2592 )
...
* new rule for suspended user account renewal in Google Workspace
* fixed risk score; toml linted
* Update rules/integrations/google_workspace/initial_access_google_workspace_suspended_user_renewed.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
2023-03-02 11:23:49 -05:00
Mika Ayenson
1784429aa7
[FR] Add Integration Schema Query Validation ( #2470 )
2023-02-02 16:22:44 -05:00
Terrance DeJesus
e5d81e77f7
[New Rule] Add Google Workspace Alert Center Promotional Rule ( #2471 )
...
* Add Google Workspace Alert Center Promotional Rule
* added severity mapping overrides
2023-01-17 12:09:13 -05:00
Terrance DeJesus
b61da98f97
[Rule Tuning] Bumping min-stack version for Google Workspace to 8.4 ( #2467 )
...
* Bumping min-stack version for Google Workspace to 8.4
* changed 'updated_date' values
2023-01-13 13:29:28 -05:00
Jonhnathan
9981cca275
[Security Content] Investigation Guides Line breaks refactor ( #2454 )
...
* [Security Content] Investigation Guides Line breaks refactor (#2412 )
* [Security Content] Investigation Guides Line break refactor
* undo updated_date bump on deprecated rules
* Remove duplicated key
* Remove changes to deprecated rules
* Update command_and_control_certutil_network_connection.toml
2023-01-09 13:28:10 -03:00
Terrance DeJesus
b1a689b6fd
Revert "[Security Content] Investigation Guides Line breaks refactor ( #2412 )" ( #2453 )
...
This reverts commit d1481e1a88.
2023-01-09 10:44:54 -05:00
Jonhnathan
d1481e1a88
[Security Content] Investigation Guides Line breaks refactor ( #2412 )
...
* [Security Content] Investigation Guides Line break refactor
* undo updated_date bump on deprecated rules
* Remove duplicated key
2023-01-09 11:56:39 -03:00
Terrance DeJesus
4312d8c958
[FR] Add Endpoint, APM and Windows Integration Tags to Rules and Supportability ( #2429 )
...
* initial commit
* addressing flake errors
* added apm to _get_packagted_integrations logic
* addressed flake errors
* adjusted integration schema and updated rules to be a list
* updated several rules and removed a unit test
* updated rules with logs-* only index patterns
* Update tests/test_all_rules.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
* addressed flake errors
* integration is none is windows, endpoint or apm
* adding rules with accepted incoming changes from main
* fixed tag and tactic alignment errors from unit testing
* adjusted unit testing logic for integration tags; added more exclusion rules
* adjusted test_integration logic to be rule resistant and skip if -8.3
* adjusted comments for unit test skip
* fixed merge conflicts from main
* changing test_integration_tag to remove logic for rule version comparisons
* added integration tag to new rule
* adjusted rules updated_date value
* ignore guided onboarding rule in unit tests
* added integration tag to new rule
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2023-01-04 09:30:07 -05:00
Terrance DeJesus
ae4e59ec7d
[FR] Update ATT&CK Package to v12.1 ( #2422 )
...
* initial update to v12.1 attack package
* added additional click echo output
* addressed flake errors
* updated rules with refreshed att&ck data
* Update detection_rules/devtools.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2022-12-16 12:04:20 -05:00
Jonhnathan
ac01718bb6
[Rule Tuning] Add tags to flag Sysmon-only rules & Modify Investigation Guide-related tag ( #2352 )
...
* [Rule Tuning] Add tags to flag Sysmon-only rules
* Modify tags
* Revert "Modify tags"
This reverts commit 3d9267d171a41f727bb499501d71d5c4db4f0434.
* Modify tags
* Update test_all_rules.py
* Update test_all_rules.py
* Update test_all_rules.py
* Update test_all_rules.py
* Update test_all_rules.py
2022-11-18 12:32:27 -03:00
Isai
7adb199afa
[Deprecation] GCP Kubernetes Rolebindings Created or Patched ( #2340 )
...
* Update privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.toml
Deprecating this rule due to high false positive rate. This behavior is too generic for an effective malicious behavior detection.
* move toml file to _deprecated
move toml file to _deprecated
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2022-11-09 12:51:52 -05:00
Terrance DeJesus
4997f95300
[Rule Tuning] Link Elastic Security Labs content to compatible rules ( #2388 )
...
* added elastic security labs URL references
* Update rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml
Is not compatible with Windows blog.
* Update rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml
Is not compatible with Windows blog. Reverting updated date.
* Update rules/macos/credential_access_access_to_browser_credentials_procargs.toml
Is not compatible with Windows blog. Reverting updated date.
* Update rules/macos/credential_access_access_to_browser_credentials_procargs.toml
Is not compatible with Windows blog.
* Update rules/ml/execution_ml_windows_anomalous_script.toml
Is not compatible with Windows blog. Reverting updated date.
* Update rules/linux/credential_access_collection_sensitive_files.toml
Not compatible with Windows blog. Reverting updated date.
* Update rules/linux/credential_access_collection_sensitive_files.toml
Not compatible with Windows blog.
* added credential access URL for mimikatz rules
* updated version ml windows anomalous script rule
* removed change to macOS rule since no blog correlation
2022-11-07 15:17:49 -05:00
Xavier G Pich
4615b462be
[New Rule] AWS KMS CMK Disabled or Scheduled for Deletion ( #2318 )
...
* [New Rule] AWS KMS CMK Disabled or Scheduled for Deletion
* Fixed double double quotes
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Add min_stack metadata
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rule description as per suggestion
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Remove MITRE ATT&CK tactic
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rule_id
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Indent false positive section
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Keep ownership as per suggestion
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rule name
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Fix FPs section
* Delete .dccache
* Revert "Update rule name"
This reverts commit 8611c926dfe312f897399343c19d2a37783ada71.
* Revert "Fix FPs section"
This reverts commit 14148392dadf9a7870be1b0b4dbacf311dbbb4af.
* Update FPs section
* Delete .dccache
* Update rules/integrations/aws/impact_kms_cmk_disabled_or_scheduled_for_deletion.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2022-10-20 14:29:08 -03:00