sigma-rules

Author	SHA1	Message	Date
Terrance DeJesus	fc26e83bfb	removed googlecloud.audit from event datasets (#2105 ) (cherry picked from commit `9cefd88b90`)	2022-07-21 16:12:33 +00:00
Terrance DeJesus	dd5501d167	[Rule Tuning] GCP Firewall Rules Should Include App Engine (#2107 ) * removed googlecloud.audit and added app engine event actions * adjusted query for rule created * adjusted queries to exclude v1 * Update rules/integrations/gcp/defense_evasion_gcp_firewall_rule_deleted.toml Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> (cherry picked from commit `5ff3844fbe`)	2022-07-21 15:57:30 +00:00
Jonhnathan	edef90b3ec	[Security Content] Add Investigation Guides to Cloud Rules - AWS (#2104 ) * [Security Content] Add Investigation Guides to Cloud Rules - AWS * Apply suggestion from review * Update rules/integrations/aws/exfiltration_ec2_snapshot_change_activity.toml Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> * Update rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> * Apply suggestions from review * Apply suggestions from code review Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * . * Applies suggestions from the https://github.com/elastic/detection-rules/pull/2124 PR Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> (cherry picked from commit `d854b943e5`)	2022-07-20 15:30:04 +00:00
Samirbous	900a8cdbe9	[New Rule] Suspicious LSASS Access via MalSecLogon (#2063 ) * [New Rule] Identifies suspicious access to LSASS handle from a call trace pointing to seclogon.dll and with a suspicious access rights value, this may indicate an attempt to leak an Lsass handle via abusing the Secondary Logon service in preparation for credential access. https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html Data: ``` { "_index": ".ds-logs-windows.sysmon_operational-default-2022.06.16-000005", "_id": "QxU4rIEBTJjT82fLq8Cf", "_score": 1, "_source": { "agent": { "name": "02694w-win10", "id": "85e87161-ea22-4847-a978-fb4ed45ebf0e", "type": "filebeat", "ephemeral_id": "137d194a-e542-4cd6-a1e3-f4ca9f5ad6b8", "version": "8.0.0" }, "process": { "name": "svchost.exe", "pid": 456, "thread": { "id": 15264 }, "entity_id": "{6a3c3ef2-3646-62ab-1300-00000000d300}", "executable": "C:\\WINDOWS\\system32\\svchost.exe" }, "winlog": { "computer_name": "02694w-win10.threebeesco.com", "process": { "pid": 2680, "thread": { "id": 3988 } }, "channel": "Microsoft-Windows-Sysmon/Operational", "event_data": { "GrantedAccess": "0x14c0", "TargetProcessId": "680", "SourceUser": "NT AUTHORITY\\SYSTEM", "TargetImage": "C:\\WINDOWS\\system32\\lsass.exe", "CallTrace": "C:\\WINDOWS\\SYSTEM32\\ntdll.dll+9c534\|C:\\WINDOWS\\System32\\KERNELBASE.dll+2726e\|c:\\windows\\system32\\seclogon.dll+128f\|c:\\windows\\system32\\seclogon.dll+10a0\|C:\\WINDOWS\\System32\\RPCRT4.dll+76953\|C:\\WINDOWS\\System32\\RPCRT4.dll+da036\|C:\\WINDOWS\\System32\\RPCRT4.dll+37a4c\|C:\\WINDOWS\\System32\\RPCRT4.dll+548c8\|C:\\WINDOWS\\System32\\RPCRT4.dll+2c921\|C:\\WINDOWS\\System32\\RPCRT4.dll+2c1db\|C:\\WINDOWS\\System32\\RPCRT4.dll+1a86f\|C:\\WINDOWS\\System32\\RPCRT4.dll+19d1a\|C:\\WINDOWS\\System32\\RPCRT4.dll+19301\|C:\\WINDOWS\\System32\\RPCRT4.dll+18d6e\|C:\\WINDOWS\\System32\\RPCRT4.dll+169a5\|C:\\WINDOWS\\SYSTEM32\\ntdll.dll+333ed\|C:\\WINDOWS\\SYSTEM32\\ntdll.dll+34142\|C:\\WINDOWS\\System32\\KERNEL32.DLL+17bd4\|C:\\WINDOWS\\SYSTEM32\\ntdll.dll+6ce51", "TargetProcessGUID": "{6a3c3ef2-3646-62ab-0c00-00000000d300}", "TargetUser": "NT AUTHORITY\\SYSTEM" }, "opcode": "Info", "version": 3, "record_id": "1825496", "task": "Process accessed (rule: ProcessAccess)", "event_id": "10", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", "api": "wineventlog", "provider_name": "Microsoft-Windows-Sysmon", "user": { "identifier": "S-1-5-18", "domain": "NT AUTHORITY", "name": "SYSTEM", "type": "User" } }, "log": { "level": "information" }, "elastic_agent": { "id": "85e87161-ea22-4847-a978-fb4ed45ebf0e", "version": "8.0.0", "snapshot": false }, "message": "Process accessed:\nRuleName: -\nUtcTime: 2022-06-28 21:29:49.829\nSourceProcessGUID: {6a3c3ef2-3646-62ab-1300-00000000d300}\nSourceProcessId: 456\nSourceThreadId: 15264\nSourceImage: C:\\WINDOWS\\system32\\svchost.exe\nTargetProcessGUID: {6a3c3ef2-3646-62ab-0c00-00000000d300}\nTargetProcessId: 680\nTargetImage: C:\\WINDOWS\\system32\\lsass.exe\nGrantedAccess: 0x14C0\nCallTrace: C:\\WINDOWS\\SYSTEM32\\ntdll.dll+9c534\|C:\\WINDOWS\\System32\\KERNELBASE.dll+2726e\|c:\\windows\\system32\\seclogon.dll+128f\|c:\\windows\\system32\\seclogon.dll+10a0\|C:\\WINDOWS\\System32\\RPCRT4.dll+76953\|C:\\WINDOWS\\System32\\RPCRT4.dll+da036\|C:\\WINDOWS\\System32\\RPCRT4.dll+37a4c\|C:\\WINDOWS\\System32\\RPCRT4.dll+548c8\|C:\\WINDOWS\\System32\\RPCRT4.dll+2c921\|C:\\WINDOWS\\System32\\RPCRT4.dll+2c1db\|C:\\WINDOWS\\System32\\RPCRT4.dll+1a86f\|C:\\WINDOWS\\System32\\RPCRT4.dll+19d1a\|C:\\WINDOWS\\System32\\RPCRT4.dll+19301\|C:\\WINDOWS\\System32\\RPCRT4.dll+18d6e\|C:\\WINDOWS\\System32\\RPCRT4.dll+169a5\|C:\\WINDOWS\\SYSTEM32\\ntdll.dll+333ed\|C:\\WINDOWS\\SYSTEM32\\ntdll.dll+34142\|C:\\WINDOWS\\System32\\KERNEL32.DLL+17bd4\|C:\\WINDOWS\\SYSTEM32\\ntdll.dll+6ce51\nSourceUser: NT AUTHORITY\\SYSTEM\nTargetUser: NT AUTHORITY\\SYSTEM", "input": { "type": "winlog" }, "@timestamp": "2022-06-28T21:29:49.829Z", "ecs": { "version": "1.12.0" }, "data_stream": { "namespace": "default", "type": "logs", "dataset": "windows.sysmon_operational" }, "host": { "hostname": "02694w-win10", "os": { "build": "18363.815", "kernel": "10.0.18362.815 (WinBuild.160101.0800)", "name": "Windows 10 Enterprise", "type": "windows", "family": "windows", "version": "10.0", "platform": "windows" }, "ip": [ "fe80::7587:a5c1:5a7b:68f6", "172.16.66.25" ], "name": "02694w-win10.threebeesco.com", "id": "6a3c3ef2-208f-4d6f-90ee-b34f4e3fd160", "mac": [ "00:50:56:03:c6:93" ], "architecture": "x86_64" }, "event": { "agent_id_status": "verified", "ingested": "2022-06-28T21:30:04Z", "code": "10", "provider": "Microsoft-Windows-Sysmon", "created": "2022-06-28T21:29:51.107Z", "kind": "event", "action": "Process accessed (rule: ProcessAccess)", "category": [ "process" ], "type": [ "access" ], "dataset": "windows.sysmon_operational" }, "user": { "id": "S-1-5-18" } }, "fields": { "elastic_agent.version": [ "8.0.0" ], "event.category": [ "process" ], "host.os.name.text": [ "Windows 10 Enterprise" ], "winlog.provider_guid": [ "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}" ], "winlog.provider_name": [ "Microsoft-Windows-Sysmon" ], "host.hostname": [ "02694w-win10" ], "winlog.computer_name": [ "02694w-win10.threebeesco.com" ], "process.pid": [ 456 ], "host.mac": [ "00:50:56:03:c6:93" ], "winlog.process.pid": [ 2680 ], "host.os.version": [ "10.0" ], "winlog.record_id": [ "1825496" ], "winlog.event_data.TargetUser": [ "NT AUTHORITY\\SYSTEM" ], "host.os.name": [ "Windows 10 Enterprise" ], "log.level": [ "information" ], "agent.name": [ "02694w-win10" ], "host.name": [ "02694w-win10.threebeesco.com" ], "event.agent_id_status": [ "verified" ], "event.kind": [ "event" ], "winlog.version": [ 3 ], "host.os.type": [ "windows" ], "user.id": [ "S-1-5-18" ], "input.type": [ "winlog" ], "data_stream.type": [ "logs" ], "host.architecture": [ "x86_64" ], "process.name": [ "svchost.exe" ], "event.provider": [ "Microsoft-Windows-Sysmon" ], "event.code": [ "10" ], "agent.id": [ "85e87161-ea22-4847-a978-fb4ed45ebf0e" ], "ecs.version": [ "1.12.0" ], "event.created": [ "2022-06-28T21:29:51.107Z" ], "winlog.event_data.CallTrace": [ "C:\\WINDOWS\\SYSTEM32\\ntdll.dll+9c534\|C:\\WINDOWS\\System32\\KERNELBASE.dll+2726e\|c:\\windows\\system32\\seclogon.dll+128f\|c:\\windows\\system32\\seclogon.dll+10a0\|C:\\WINDOWS\\System32\\RPCRT4.dll+76953\|C:\\WINDOWS\\System32\\RPCRT4.dll+da036\|C:\\WINDOWS\\System32\\RPCRT4.dll+37a4c\|C:\\WINDOWS\\System32\\RPCRT4.dll+548c8\|C:\\WINDOWS\\System32\\RPCRT4.dll+2c921\|C:\\WINDOWS\\System32\\RPCRT4.dll+2c1db\|C:\\WINDOWS\\System32\\RPCRT4.dll+1a86f\|C:\\WINDOWS\\System32\\RPCRT4.dll+19d1a\|C:\\WINDOWS\\System32\\RPCRT4.dll+19301\|C:\\WINDOWS\\System32\\RPCRT4.dll+18d6e\|C:\\WINDOWS\\System32\\RPCRT4.dll+169a5\|C:\\WINDOWS\\SYSTEM32\\ntdll.dll+333ed\|C:\\WINDOWS\\SYSTEM32\\ntdll.dll+34142\|C:\\WINDOWS\\System32\\KERNEL32.DLL+17bd4\|C:\\WINDOWS\\SYSTEM32\\ntdll.dll+6ce51" ], "agent.version": [ "8.0.0" ], "host.os.family": [ "windows" ], "process.thread.id": [ 15264 ], "winlog.event_data.TargetProcessGUID": [ "{6a3c3ef2-3646-62ab-0c00-00000000d300}" ], "winlog.process.thread.id": [ 3988 ], "winlog.event_data.TargetImage": [ "C:\\WINDOWS\\system32\\lsass.exe" ], "winlog.event_data.TargetProcessId": [ "680" ], "process.entity_id": [ "{6a3c3ef2-3646-62ab-1300-00000000d300}" ], "host.os.build": [ "18363.815" ], "winlog.user.type": [ "User" ], "host.ip": [ "fe80::7587:a5c1:5a7b:68f6", "172.16.66.25" ], "agent.type": [ "filebeat" ], "event.module": [ "windows" ], "host.os.kernel": [ "10.0.18362.815 (WinBuild.160101.0800)" ], "winlog.api": [ "wineventlog" ], "elastic_agent.snapshot": [ false ], "host.id": [ "6a3c3ef2-208f-4d6f-90ee-b34f4e3fd160" ], "process.executable": [ "C:\\WINDOWS\\system32\\svchost.exe" ], "winlog.user.identifier": [ "S-1-5-18" ], "winlog.event_data.SourceUser": [ "NT AUTHORITY\\SYSTEM" ], "winlog.task": [ "Process accessed (rule: ProcessAccess)" ], "winlog.user.domain": [ "NT AUTHORITY" ], "elastic_agent.id": [ "85e87161-ea22-4847-a978-fb4ed45ebf0e" ], "data_stream.namespace": [ "default" ], "winlog.event_data.GrantedAccess": [ "0x14c0" ], "message": [ "Process accessed:\nRuleName: -\nUtcTime: 2022-06-28 21:29:49.829\nSourceProcessGUID: {6a3c3ef2-3646-62ab-1300-00000000d300}\nSourceProcessId: 456\nSourceThreadId: 15264\nSourceImage: C:\\WINDOWS\\system32\\svchost.exe\nTargetProcessGUID: {6a3c3ef2-3646-62ab-0c00-00000000d300}\nTargetProcessId: 680\nTargetImage: C:\\WINDOWS\\system32\\lsass.exe\nGrantedAccess: 0x14C0\nCallTrace: C:\\WINDOWS\\SYSTEM32\\ntdll.dll+9c534\|C:\\WINDOWS\\System32\\KERNELBASE.dll+2726e\|c:\\windows\\system32\\seclogon.dll+128f\|c:\\windows\\system32\\seclogon.dll+10a0\|C:\\WINDOWS\\System32\\RPCRT4.dll+76953\|C:\\WINDOWS\\System32\\RPCRT4.dll+da036\|C:\\WINDOWS\\System32\\RPCRT4.dll+37a4c\|C:\\WINDOWS\\System32\\RPCRT4.dll+548c8\|C:\\WINDOWS\\System32\\RPCRT4.dll+2c921\|C:\\WINDOWS\\System32\\RPCRT4.dll+2c1db\|C:\\WINDOWS\\System32\\RPCRT4.dll+1a86f\|C:\\WINDOWS\\System32\\RPCRT4.dll+19d1a\|C:\\WINDOWS\\System32\\RPCRT4.dll+19301\|C:\\WINDOWS\\System32\\RPCRT4.dll+18d6e\|C:\\WINDOWS\\System32\\RPCRT4.dll+169a5\|C:\\WINDOWS\\SYSTEM32\\ntdll.dll+333ed\|C:\\WINDOWS\\SYSTEM32\\ntdll.dll+34142\|C:\\WINDOWS\\System32\\KERNEL32.DLL+17bd4\|C:\\WINDOWS\\SYSTEM32\\ntdll.dll+6ce51\nSourceUser: NT AUTHORITY\\SYSTEM\nTargetUser: NT AUTHORITY\\SYSTEM" ], "winlog.user.name": [ "SYSTEM" ], "winlog.event_id": [ "10" ], "event.ingested": [ "2022-06-28T21:30:04.000Z" ], "event.action": [ "Process accessed (rule: ProcessAccess)" ], "@timestamp": [ "2022-06-28T21:29:49.829Z" ], "winlog.channel": [ "Microsoft-Windows-Sysmon/Operational" ], "host.os.platform": [ "windows" ], "data_stream.dataset": [ "windows.sysmon_operational" ], "event.type": [ "access" ], "winlog.opcode": [ "Info" ], "agent.ephemeral_id": [ "137d194a-e542-4cd6-a1e3-f4ca9f5ad6b8" ], "event.dataset": [ "windows.sysmon_operational" ] } } ``` * Update rules/windows/credential_access_lsass_handle_via_malseclogon.toml * Update rules/windows/credential_access_lsass_handle_via_malseclogon.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> (cherry picked from commit `59736e3973`)	2022-07-20 14:31:31 +00:00
Jonhnathan	c010acb175	[Rule Tuning] Elastic Agent Service Terminated (#2112 ) (cherry picked from commit `1276f98a70`)	2022-07-19 16:35:18 +00:00
Mika Ayenson	9951ee66e5	2058 add setup field to metadata (#2061 ) * Convert config header to setup in note field * Parse note field into separate setup and note field with marko gfm * only validate and parse note on elastic authored rules and add CLI description for new DR_BYPASS_NOTE_VALIDATION_AND_PARSE environment variable Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>	2022-07-19 09:36:52 -04:00
Mika Ayenson	ec17d0b54d	2058 add setup field to metadata (#2061 ) * Convert config header to setup in note field * Parse note field into separate setup and note field with marko gfm * only validate and parse note on elastic authored rules and add CLI description for new DR_BYPASS_NOTE_VALIDATION_AND_PARSE environment variable Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>	2022-07-18 20:15:19 -04:00
Mika Ayenson	62298d92f4	2058 add setup field to metadata (#2061 ) * Convert config header to setup in note field * Parse note field into separate setup and note field with marko gfm * only validate and parse note on elastic authored rules and add CLI description for new DR_BYPASS_NOTE_VALIDATION_AND_PARSE environment variable Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com> Removed changes from: - rules/cross-platform/impact_hosts_file_modified.toml - rules/integrations/google_workspace/application_added_to_google_workspace_domain.toml - rules/integrations/google_workspace/domain_added_to_google_workspace_trusted_domains.toml - rules/integrations/google_workspace/google_workspace_admin_role_deletion.toml - rules/integrations/google_workspace/google_workspace_mfa_enforcement_disabled.toml - rules/integrations/google_workspace/google_workspace_policy_modified.toml - rules/integrations/google_workspace/mfa_disabled_for_google_workspace_organization.toml - rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml - rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.toml - rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml - rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml - rules/integrations/kubernetes/execution_user_exec_to_pod.toml - rules/windows/credential_access_lsass_memdump_file_created.toml - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml - rules/windows/defense_evasion_execution_lolbas_wuauclt.toml - rules/windows/defense_evasion_suspicious_certutil_commands.toml - rules/windows/execution_command_shell_started_by_svchost.toml (selectively cherry picked from commit `a52751494e`)	2022-07-18 21:25:32 +00:00
Terrance DeJesus	c2bcfc575f	[New Rule] Elastic Agent Stopped (#1991 ) * new rule for detecting if elastic agent has been stopped * adjusted query based on feedback; added powershell, taskkill, pskill and processhacker	2022-07-18 17:15:01 -04:00
Colson Wilhoit	4235b5d798	[New Rule] Dynamic Linker Copy (#2099 ) * [New Rule] Dynamic Linker Copy * Update rules/linux/persistence_dynamic_linker_backup.toml * Update rules/linux/persistence_dynamic_linker_backup.toml * Update rules/linux/persistence_dynamic_linker_backup.toml (cherry picked from commit `9995558b2a`)	2022-07-13 15:18:44 +00:00
Colson Wilhoit	4913be81e0	[New Rule] Tc BPF Filter (#2091 ) * tc bpf filter * Update rules/linux/execution_tc_bpf_filter.toml (cherry picked from commit `58ad0823ca`)	2022-07-13 14:42:49 +00:00
Jonhnathan	d8ee4473a2	[Security Content] 8.4 - Add Investigation Guides (#2069 ) * [Security Content] 8.4 - Add Investigation Guides * Apply suggestions from code review Co-authored-by: Joe Peeples <joe.peeples@elastic.co> * Update rules/windows/credential_access_cmdline_dump_tool.toml Co-authored-by: Joe Peeples <joe.peeples@elastic.co> * Apply suggestions from code review Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com> * Update rules/windows/credential_access_credential_dumping_msbuild.toml Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com> Co-authored-by: Joe Peeples <joe.peeples@elastic.co> Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com> Removed changes from: - rules/windows/execution_command_shell_started_by_svchost.toml (selectively cherry picked from commit `3a8efc8183`)	2022-07-13 14:29:48 +00:00
Colson Wilhoit	3e73a3c60a	[New Rule] Insmod kernel module load (#2093 ) * insmod kernel module load * Update rules/linux/persistence_insmod_kernel_module_load.toml * Update rules/linux/persistence_insmod_kernel_module_load.toml (cherry picked from commit `d7d0466344`)	2022-07-13 14:23:29 +00:00
Terrance DeJesus	e241df5d76	[Rule Tuning] Potential Reverse Shell Activity via Terminal (#2077 ) * adjusted query rule to exclude noisy FPs * adjusted event.action to be event.type (cherry picked from commit `7581234fe8`)	2022-07-13 02:34:43 +00:00
Mika Ayenson	06ce0015df	Add new `required_fields` as a build-time restricted field (#2059 ) * Add new `require_field` restricted field * validate new fields against BaseRuleData schema and global constant Co-authored-by: Terrance DeJesus <terrance.dejesus@elastic.co> Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com> (cherry picked from commit `c76a397969`)	2022-07-06 15:51:18 +00:00
Terrance DeJesus	de2a90090c	[New Rule] Domain Trust Enumeration via Nltest (#2010 ) * adding detection rule * removed changes from unrelated rule * adjusted threat technique * Update rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml * Update rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> (cherry picked from commit `329530c8c3`)	2022-07-05 14:49:39 +00:00
Janeen Mikell-Straughn	45e804f3e5	Fixing doc bugs reported by QA. (#2065 ) Co-authored-by: Craig Chamberlain <randomuserid@users.noreply.github.com> (cherry picked from commit `13c63ceaef`)	2022-06-30 20:00:58 +00:00
Jonhnathan	8011420e71	Update discovery_privileged_localgroup_membership.toml (#2046 ) (cherry picked from commit `853f8db8d0`)	2022-06-30 17:27:15 +00:00
Craig Chamberlain	b47e763949	user risk score docs (#2055 ) * user risk score initial create of user risk score docs * add paragraph adding another paragraph for explainabiltiy as suggested by pm * Update docs/experimental-machine-learning/readme.md Co-authored-by: Apoorva Joshi <30438249+ajosh0504@users.noreply.github.com> * Update user-risk-score.md fixes and suggestions * Update user-risk-score.md rm int script reference * Update docs/experimental-machine-learning/user-risk-score.md Co-authored-by: Apoorva Joshi <30438249+ajosh0504@users.noreply.github.com> * Update user-risk-score.md * Update user-risk-score.md * Update user-risk-score.md Co-authored-by: Apoorva Joshi <30438249+ajosh0504@users.noreply.github.com> (cherry picked from commit `1bb2273c0c`)	2022-06-28 15:53:56 +00:00
Mika Ayenson	cf952854d6	test automatically prevent future merges when a backport fails (#1909 ) automatically prevent future merges when a backport fails	2022-06-27 11:31:49 -04:00
Justin Ibarra	179a3bd284	Add support for restricted fields (#2053 ) * Add support for restricted fields (fields valid only in min/max stack versions) * add test to ensure rule backports wont exceed min compat (cherry picked from commit `cc01d3fb1a`)	2022-06-27 15:03:32 +00:00
Mika Ayenson	eb6deea9ac	Update cli documentation for search-alerts (#2051 ) * Add cli documentation for search-alerts and table fields (cherry picked from commit `4ef1a1a627`)	2022-06-24 14:00:01 +00:00
Mika Ayenson	6c5e101e6f	test automatically prevent future merges when a backport fails (#1909 ) automatically prevent future merges when a backport fails (cherry picked from commit `4fdd978183`)	2022-06-23 19:00:24 +00:00
github-actions[bot]	fafe1e0ab6	Locked versions for releases: 7.16,8.0,8.1,8.2,8.3 (#2041 ) Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com> (cherry picked from commit `fd9c9f8abf`)	2022-06-17 15:44:35 +00:00
shashank-elastic	69237c4ed2	[Rule tuning] existing strace activity rule. (#2028 ) * Update description and MITTRE Attack details (cherry picked from commit `2ee23bd80f`)	2022-06-16 11:49:16 +00:00
Jonhnathan	0973ac07ef	Update discovery_remote_system_discovery_commands_windows.toml (#2033 ) (cherry picked from commit `c8ff1dc9cb`)	2022-06-14 13:52:02 +00:00
Isai	fa5fc6094e	[New Rule] Kubernetes execution_user_exec_to_pod (#1979 ) * Create execution_user_exec_to_pod.toml * Update execution_user_exec_to_pod.toml * Update rules/integrations/kubernetes/execution_user_exec_to_pod.toml * Update non-ecs-schema.json * Update execution_user_exec_to_pod.toml * Update rules/integrations/kubernetes/execution_user_exec_to_pod.toml Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> * Update execution_user_exec_to_pod.toml * Update execution_user_exec_to_pod.toml * Update execution_user_exec_to_pod.toml * toml-linted file and add to false positive toml-linted the file and added to the false positive description * Create notepad.sct Added this back into the repo, deleted by mistake. * added min_stack_version based on integration min stack version determined by integration support of necessary fields Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> (cherry picked from commit `63fda01fdd`)	2022-06-09 21:53:15 +00:00
Justin Ibarra	8564185a7d	[Bug] resolves bug in Rule version methods (#2021 ) * [Bug] resolves bug in Rule version methods * comment out unused code with notes (cherry picked from commit `744f56d98e`)	2022-06-07 23:41:40 +00:00
Jonhnathan	57194b8e59	[Rule Tuning] M365 - Remove event.outcome condition from Auth Events (#2004 ) * Remove event.outcome condition * Update credential_access_microsoft_365_brute_force_user_account_attempt.toml * Revert "Update credential_access_microsoft_365_brute_force_user_account_attempt.toml" This reverts commit c7e7c976174a62e6b50139291e8f7f1a34e7beab. Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> (cherry picked from commit `3aa53fc6c5`)	2022-06-03 17:24:48 +00:00
Jonhnathan	835b342a43	Update persistence_sdprop_exclusion_dsheuristics.toml (#2017 ) (cherry picked from commit `b6631f200e`)	2022-06-03 17:22:33 +00:00
Jonhnathan	a51d251e05	Adds logs-system.* index pattern (#2016 ) (cherry picked from commit `f857e009c5`)	2022-06-03 16:57:26 +00:00
Justin Ibarra	c16442517e	[Bug] Fix test_matrix_to_lock_version_defaults test (#2014 ) (cherry picked from commit `e850f39526`)	2022-06-03 00:35:19 +00:00
Justin Ibarra	3a1a5fe12b	Collapse unsupported previous version entries (#2013 ) * Collapse unsupported previous version entries * drop the last entry in the matrix test (cherry picked from commit `f57950a3c9`)	2022-06-02 23:18:45 +00:00
Terrance DeJesus	220996b1b8	Prep for Creation of 8.4 Branch (#2001 ) * prepping for 8.4 branch * adjusted schemas init file * adjusted target matrix to only backport to 7.16, updated api schemas * adjusted the lock-versions workflow to account for 7.16 and up support only * Add test for version lock to schema map correlation * decouple from static 7.13 references * keep patch version for lock * Update detection_rules/etc/packages.yml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com> Removed changes from: - detection_rules/etc/packages.yml (selectively cherry picked from commit `35b1a69ff5`)	2022-06-02 18:59:56 +00:00
shashank-elastic	b12d1cb978	[Rule Tuning] Add MITRE Details to exisisting hpining activity rule. (#2012 ) * Add MITRE Details to existing hping activity rule. (cherry picked from commit `f02325fe2f`)	2022-06-02 05:08:23 +00:00
shashank-elastic	821e04aaf8	Linux binary(s) ftp shell evasion threat (#2007 ) Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> (cherry picked from commit `98a85ddcee`)	2022-06-01 16:40:06 +00:00
Samirbous	29cf0c8f77	[New Rule] Suspicious Microsoft Diagnostics Wizard Execution (#2005 ) * [New Rule] Suspicious Microsoft Diagnostics Wizard Execution https://lolbas-project.github.io/lolbas/Binaries/Msdt/ https://twitter.com/nao_sec/status/1530196847679401984 * Update rules/windows/defense_evasion_proxy_execution_via_msdt.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> (cherry picked from commit `d6e96a83d5`)	2022-06-01 15:04:54 +00:00
Jonhnathan	1484c20795	[Security Content] 8.3 Add Investigation Guides - 3 (#1990 ) * [Security Content] 8.3 Add Investigation Guides - 3 * bump date * Apply suggestions from code review Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Joe Peeples <joe.peeples@elastic.co> Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com> Co-authored-by: Joe Peeples <joe.peeples@elastic.co> (cherry picked from commit `27f5c2e695`)	2022-05-31 15:59:13 +00:00
Jonhnathan	d575fd4b3c	[Security Content] 8.3 - Add Investigation Guides 2 (#1989 ) * [Security Content] 8.3 - Add Investigation Guides 2 - Initial Commit * . * Add Related rules * Apply suggestions from code review Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com> * . * . * Apply suggestions from code review Co-authored-by: Joe Peeples <joe.peeples@elastic.co> Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com> Co-authored-by: Joe Peeples <joe.peeples@elastic.co> (cherry picked from commit `e5d3c6329c`)	2022-05-31 15:56:50 +00:00
Samirbous	10c2d9de3d	[Rule Tuning] Suspicious MS Office Child Process (#2003 ) added msdt.exe as a response to this in the wild 0day (works without vba and on latest office) -> https://twitter.com/nao_sec/status/1530196847679401984 https://www.virustotal.com/gui/file/4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784/detection (cherry picked from commit `bfea11c99f`)	2022-05-31 12:23:08 +00:00
Jonhnathan	1d69a2bbae	[Promote Rule] Potential Invoke-Mimikatz PowerShell Script (#1993 ) * Update credential_access_mimikatz_powershell_module.toml * Update credential_access_mimikatz_powershell_module.toml * Update credential_access_mimikatz_powershell_module.toml * Update credential_access_mimikatz_powershell_module.toml Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> (cherry picked from commit `1f8813d02f`)	2022-05-25 20:04:28 +00:00
Justin Ibarra	6199bd4524	Refresh ECS/beats schemas up to 8.2 (#1995 ) (cherry picked from commit `0428e161a8`)	2022-05-25 19:53:52 +00:00
Mika Ayenson	3988b2ed5e	Skip previous validation on pre/post load/dump (#1942 ) * Build out the dataclasses for a base entry and version lock explicitly * Ensure previous field does not have a nested previous * Test validation on version lock for previous fields. (cherry picked from commit `e1266a6fd3`)	2022-05-25 17:36:12 +00:00
shashank-elastic	75f8928d1f	[Rule tuning] Linux binary(s) shell evasion threat * Linux binary(s) git shell evasion threat (cherry picked from commit `fd7a6d63b0`)	2022-05-25 13:53:22 +00:00
shashank-elastic	44046642e7	[Rule tuning] Linux binary(s) shell evasion threat (#1957 ) * Linux binary(s) shell evasion threat Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> (cherry picked from commit `51b2d9da4b`)	2022-05-25 03:04:53 +00:00
Justin Ibarra	c5e3312727	[Rule tuning] Whitespace Padding in Process Command Line (#1967 ) * [Rule tuning] Whitespace Padding in Process Command Line * bump updated_date * update comment Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> (cherry picked from commit `72c186b30b`)	2022-05-23 19:35:44 +00:00
Justin Ibarra	0796082300	[Rule tuning] Unusual Process Execution - Temp (#1968 ) Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> (cherry picked from commit `1840a638c8`)	2022-05-23 15:06:55 +00:00
Bobby Filar	e57cf31867	Modifying rules assoc w/ deprecation of v2 ML jobs (#1846 ) * modifying rules assoc w/ deprecation of v2 ML jobs * modified updated_date field * fixed machine_learning_job_id and added min_stack_version * replacing rest of deprecated jobs with new naming convention * Update ml_suspicious_login_activity.toml * removing rules assoc w/ deprecated ML jobs * Update rules/ml/ml_linux_anomalous_compiler_activity.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/ml/ml_linux_anomalous_compiler_activity.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * updated ml job rules to reflect 8.3 changes * updating min_stack_version for ml detection rules Co-authored-by: Craig Chamberlain <randomuserid@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Apoorva Joshi <30438249+ajosh0504@users.noreply.github.com> Removed changes from: - rules/ml/ml_linux_anomalous_compiler_activity.toml - rules/ml/ml_linux_anomalous_metadata_process.toml - rules/ml/ml_linux_anomalous_metadata_user.toml - rules/ml/ml_linux_anomalous_network_activity.toml - rules/ml/ml_linux_anomalous_network_port_activity.toml - rules/ml/ml_linux_anomalous_process_all_hosts.toml - rules/ml/ml_linux_anomalous_sudo_activity.toml - rules/ml/ml_linux_anomalous_user_name.toml - rules/ml/ml_linux_system_information_discovery.toml - rules/ml/ml_linux_system_network_configuration_discovery.toml - rules/ml/ml_linux_system_network_connection_discovery.toml - rules/ml/ml_linux_system_process_discovery.toml - rules/ml/ml_linux_system_user_discovery.toml - rules/ml/ml_rare_process_by_host_linux.toml - rules/ml/ml_rare_process_by_host_windows.toml - rules/ml/ml_suspicious_login_activity.toml - rules/ml/ml_windows_anomalous_metadata_process.toml - rules/ml/ml_windows_anomalous_metadata_user.toml - rules/ml/ml_windows_anomalous_network_activity.toml - rules/ml/ml_windows_anomalous_path_activity.toml - rules/ml/ml_windows_anomalous_process_all_hosts.toml - rules/ml/ml_windows_anomalous_process_creation.toml - rules/ml/ml_windows_anomalous_script.toml - rules/ml/ml_windows_anomalous_service.toml - rules/ml/ml_windows_anomalous_user_name.toml - rules/ml/ml_windows_rare_user_runas_event.toml - rules/ml/ml_windows_rare_user_type10_remote_login.toml (selectively cherry picked from commit `9a739b7e4c`)	2022-05-20 20:04:28 +00:00
Mika Ayenson	a2dbfff31b	[Rule tuning] add support for osx, zsh, and expand tampering techniques (#1974 ) * add support for osx, zsh, and expand tampering techniques * migrate to cross-platform and add macOS tag (cherry picked from commit `77966473d1`)	2022-05-20 15:12:56 +00:00
Jonhnathan	18277206f8	[Security Content] 8.3 - Add Investigation Guides (#1937 ) * 8.3 - Add Investigation Guides * Apply suggestions * Apply the refactor * Apply suggestions from Samir * . Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> (cherry picked from commit `a1bdf2b564`)	2022-05-19 16:25:46 +00:00

1 2

97 Commits