Terrance DeJesus
0a8c3ca471
new rule for bloodhound user agents (#4769)
2025-06-04 09:11:13 -04:00
Terrance DeJesus
71c82ec475
[New Rule] Entra ID Protection - Risk Detection - User Risk (#4762)
* new rule Entra ID Protection - Risk Detection - User Risk
* adding max signals note
* adjusted mitre mapping
* Update rules/integrations/azure/initial_access_entra_id_protection_user_risk_detected.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
2025-06-04 08:59:01 -04:00
Terrance DeJesus
61fb056f05
[Rule Tuning] Microsoft Entra ID Protection Anonymized IP Risk Detection (#4759)
* tuning Microsoft Entra ID Protection Anonymized IP Risk Detection
* adjusted tags and mappings
* added max signals
* adjusted file name
* adding max signals note
* adjusted mitre mapping
2025-06-04 08:31:21 -04:00
Terrance DeJesus
bfca0ea414
[New Hunt] Commvault Supply Chain Threat (#4748)
* hunts for CommVault threat
* added lookback time to ESQL query
* updated query logic
2025-05-28 14:11:46 -04:00
Terrance DeJesus
17d98cc8dd
[Rule Tuning] Tuning Azure Entra Sign-in Brute Force against Microsoft 365 Accounts (#4737)
* rule tuning 'Potential Microsoft 365 Brute Force via Entra ID Sign-Ins'
* updated lookback windows, date truncation times
* updated investigation guide
2025-05-28 13:45:15 -04:00
Terrance DeJesus
4bd8469c38
[New Rule] Microsoft Entra ID Elevated Access to User Access Administrator (#4742)
* new rule Microsoft Entra ID Elevated Access to User Access Administrator
* updating uuid
2025-05-28 13:33:22 -04:00
Terrance DeJesus
22d780f9af
[New Rule] Microsoft Entra ID User Reported Suspicious Activity (#4740)
* new rule Microsoft Entra ID User Reported Suspicious Activity
* Update rules/integrations/azure/initial_access_entra_id_user_reported_risk.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2025-05-28 11:55:51 -04:00
Terrance DeJesus
0d4db2ecfe
tuning 'Microsoft Entra ID High Risk Sign-in' (#4739)
2025-05-28 11:40:04 -04:00
Terrance DeJesus
82bee3e9c2
[Rule Tuning] Microsoft Graph First Occurrence of Client Request (#4728)
* tuning 'Microsoft Graph First Occurrence of Client Request'
* updated update date
2025-05-19 14:56:21 -04:00
Terrance DeJesus
8f27c24528
[New Rule] Suspicious Email Access by First-Party Application via Microsoft Graph (#4704)
* new rule 'Suspicious Email Access by First-Party Application via Microsoft Graph'
* updated patch version
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2025-05-09 20:49:08 -04:00
Terrance DeJesus
d83e1c711a
[New Rule] Microsoft Entra Session Reuse with Suspicious Graph Access (#4711)
* new rule 'Microsoft Entra Session Reuse with Suspicious Graph Access'
* fixed tags; linted
* fixed mitre mappings
* updated name and investigation guide
2025-05-09 20:32:22 -04:00
shashank-elastic
0f3bfcd98a
Fix new term doc broken link (#4706)
2025-05-07 17:03:58 +05:30
James Valente
36d595ae2f
[Rule Tuning] Add exceptions for non-interactive signin failures for Entra M365 Bruteforce (#4405)
* Add exceptions for non-interactive signin failures.
Include exceptions for error codes, restricted to `NonInteractiveUserSignInLogs` and token refreshes:
- 70043 : Refresh token expired or no longer valid due to conditional access frequency checks
- 70044 : Session expired or no longer valid due to conditional access frequency checks
- 50057 : User account is disabled
* Update rules/integrations/azure/credential_access_entra_signin_brute_force_microsoft_365.toml
* Update metadata for `updated_date`
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2025-05-06 22:43:15 +05:30
Terrance DeJesus
a34a26ddec
[Rule Tuning] Excluding Microsoft Entra ID Service Principal Addition Invoked by MSFT Identity (#4700)
* tuning rule to exclude service principals added by MSFT
* added additional exclusions
* updated rule name and file name
* updated investigation guide and mitre
2025-05-06 11:19:50 -04:00
Samirbous
f480e98f16
[New] Concurrent Azure SignIns with Suspicious Properties (#4670)
2025-05-06 13:09:54 +05:30
Terrance DeJesus
57be590d73
[New Rule] Adding Coverage for Suspicious Activity via Auth Broker On-Behalf-of Principal User (#4687)
2025-05-06 12:41:57 +05:30
Terrance DeJesus
58d03d4043
[New Rule] Adding Coverage for Microsoft Entra ID SharePoint Access for User Principal via Auth Broker (#4695)
* new rule 'Microsoft Entra ID SharePoint Access for User Principal via Auth Broker'
* updated severity
* added new terms note
2025-05-05 16:45:47 -04:00
Samirbous
dddc2a7bb9
[New] Microsoft 365 OAuth Redirect to Device Registration for User (#4694)
* [New] Microsoft 365 OAuth Redirect to Device Registration for User Principal
https://github.com/elastic/ia-trade-team/issues/590
* Update non-ecs-schema.json
* Update pyproject.toml
* Update credential_access_antra_id_device_reg_via_oauth_redirection.toml
* Update credential_access_antra_id_device_reg_via_oauth_redirection.toml
* Update credential_access_antra_id_device_reg_via_oauth_redirection.toml
* fixed investigation guide formatting; fixed unit test failure
* updated patch version
---------
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2025-05-02 08:36:10 +01:00
Terrance DeJesus
ce66f52aad
[New Rule] Adding Coverage for Microsoft Entra ID Protection Anonymized IP Risk Detection (#4689)
* Adding new rule 'Microsoft Entra ID Protection Anonymized IP Risk Detection'
* updating description
* adding index
* updating mitre tactic mapping
* updating file name
2025-05-01 23:03:50 -04:00
Terrance DeJesus
bae7835f6a
[New Rule] MSFT Tenant OAuth Phishing via First-Party VSCode Client (#4642)
* new rules for MSFT Oauth phishing in Azure, Entra and Microsoft 365
* changed m365 file name
* fixed duplicate tactics
* updating non-ecs for graph activity logs
* updating rules; investigation guides; formatting, linting errors
2025-05-01 22:38:41 -04:00
Samirbous
ea31143b83
[New] Suspicious Azure Sign-in via Visual Studio Code (#4639)
* Create initial_access_entra_login_visual_code_phish.toml
* Update non-ecs-schema.json
* Update initial_access_entra_susp_visual_code_signin.toml
* Update pyproject.toml
* Update initial_access_entra_susp_visual_code_signin.toml
* Update non-ecs-schema.json
2025-04-23 14:06:05 +01:00
Terrance DeJesus
ba16e27edb
[Rule Tuning] Tuning Azure Service Principal Credentials Added (#4570)
* tuning 'Azure Service Principal Credentials Added'
* updated patch version
* added investigation guide
* updating patch version
* updating patch version
2025-04-16 13:58:17 -04:00
Terrance DeJesus
1a6669e5a6
[Rule Tuning] Adjusting Microsoft Entra ID Rare Authentication Requirement for Principal User (#4562)
* tuning 'Microsoft Entra ID Rare Authentication Requirement for Principal User'
* updated MITRE ATT&CK mappings
* updated index target
* updated patch version
* updating patch version
* bumping patch version
* updating patch version
2025-04-16 12:21:41 -04:00
Terrance DeJesus
c6e37d6910
[Rule Tuning] Tuning Illicit Grant Consent Detections in Azure and M365 (#4557)
* tuning Azure rule for illicit grant activity; creating new rule for M365
* Update rules/integrations/o365/initial_access_microsoft_365_illicit_consent_grant_via_registered_application.toml
* Update rules/integrations/azure/initial_access_entra_illicit_consent_grant_via_registered_application.toml
* adjusted tags
* Update rules/integrations/azure/initial_access_entra_illicit_consent_grant_via_registered_application.toml
2025-03-27 15:55:04 -04:00
Terrance DeJesus
280140650a
tuning 'Azure Conditional Access Policy Modified' (#4558)
2025-03-27 15:43:46 -04:00
Terrance DeJesus
2f3f4fbdef
deprecating 'Azure Virtual Network Device Modified or Deleted' (#4559)
2025-03-27 10:09:34 -04:00
Terrance DeJesus
5e12f05a36
fixing double header in investigation notes (#4490)
2025-03-25 09:08:13 -04:00
shashank-elastic
059d7efa25
Prep for Release 9.0 (#4550)
2025-03-20 20:32:07 +05:30
Terrance DeJesus
3ed820afa8
[New Rule] Adding Coverage for Azure Entra Password Spraying (Non-Interactive SFA) (#4523)
* adding new rule 'Azure Entra Repeated Failed Sign-Ins via Non-Interactive Single-Factor Authentication'
* updating name
* added investigation guide
* updated investigation guide
* updated investigation guide
* removed unnecessary comment
* adjusted logic to count distinct on principal id; principal name will be in aggregations now
* updated Entra ID name
2025-03-11 11:25:10 -04:00
Terrance DeJesus
aacb376acf
[New Rule] Adding Coverage for Azure Entra Rare App ID for Principal Authentication (#4524)
* adding new rule 'Azure Entra Rare App ID for Principal Authentication'
* updating tactic tag
* adjusted query logic for user type
* updated Entra ID name
2025-03-11 11:05:56 -04:00
Terrance DeJesus
fd1369a164
[New Rule] Adding Coverage for Azure Entra Rare Instance of Single-Factor Authentication for User (#4525)
* adding new rule 'Azure Entra Rare Instance of Single-Factor Authentication for User'
* linted; updated UUID
* adjusted rule name and logic to focus on any rare authentication requirements
* adjusted file name
2025-03-11 10:51:01 -04:00
Terrance DeJesus
ec4523a6a9
[Rule Tuning] Expanding coverage for First Occurrence of Entra ID Auth via DeviceCode Protocol (#4466)
* rule tuning 'First Occurrence of Entra ID Auth via DeviceCode Protocol'
* bumping patch version
* fixed investigation guide unit test failure
* bump patch
2025-02-20 10:29:04 -05:00
Mika Ayenson
fe8c81d762
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
James Valente
f52cfb3729
[Rule: Tuning] - Azure blob permission modification tagging - Correct tags (#4371)
* Remove `Data Source: Elastic Defend` tag
* Update metadata
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2025-01-13 10:40:34 -03:00
Terrance DeJesus
0a740074c9
new rule 'Azure Entra MFA TOTP Brute Force Attempts' (#4297)
2024-12-12 11:00:02 -05:00
Isai
511c108ba1
[Tuning] SDH - Possible Consent Grant Attack via Azure-Registered Application (#4283)
* [Tuning] Possible Consent Grant Attack via Azure-Registered Application
SDH related rule tuning for o365.audit dataset
* removing renamed field from query
2024-12-06 17:27:38 -05:00
Samirbous
f36845318e
[New] First Time Seen User Auth via DeviceCode Protocol (#4153)
* Create credential_access_first_time_seen_device_code_auth.toml
* Update credential_access_first_time_seen_device_code_auth.toml
* Update credential_access_first_time_seen_device_code_auth.toml
* Update rules/integrations/azure/credential_access_first_time_seen_device_code_auth.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update rules/integrations/azure/credential_access_first_time_seen_device_code_auth.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update credential_access_first_time_seen_device_code_auth.toml
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2024-11-11 13:04:18 +00:00
Terrance DeJesus
06319b7a13
[Rule Tuning] Add KEEP Command to all ES|QL Rules (#4146)
* updating ES|QL rules to include KEEP command
* fixed some ES|QL rules with typos; added validation for KEEP command
* fixed ES|QL errors from missing fields
* fixed flake errors
* updated date
* added best practices to hunt docs
2024-10-09 21:08:38 -04:00
Terrance DeJesus
8d27b6069b
[Rule Tuning] M365/Azure Brute-Forcing New Rule and Tuning; Deprecate Similar Rule (#4057)
* deprecated rule; tuned for single source inclusion
* adjusted query comments
* added min-stack
* updated date
* added Azure-based rule for brute forcing
* added reference to o365spray
* fixed tag
* adjusted query comment
* added rule for repeat source
* adjusted query to use count distinct
* added intervals; adjusted lookback window according to time truncation
2024-09-10 11:26:40 -04:00
Terrance DeJesus
99a4d629c9
[New Rule] Entra ID Device Code Auth with Broker Client (#3819)
* new rule 'Entra ID Device Code Auth with Broker Client'
* updated azure integration, non-ecs updated, rule date updated
* updates tags
* updated query to add Azure activity logs
* merging in main
* updated azure manifest and schemas
* updated azure manifest and schemas
* updated index map for summary and changelog
* removed string imports
* reverting packaging.py updates
* adjusted query
* adjusted query to be more optimized
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2024-07-01 10:31:26 -04:00
shashank-elastic
63e91c2f12
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
Mika Ayenson
2c3dbfc039
Revert "Back-porting Version Trimming (#3681)"
This reverts commit 71d2c59b5c.
2024-05-22 13:51:46 -05:00
shashank-elastic
71d2c59b5c
Back-porting Version Trimming (#3681)
2024-05-23 00:11:50 +05:30
shashank-elastic
7673ba484d
Fix minstack version for 0365 in azure integration rules (#3612)
2024-04-22 19:17:49 +05:30
Jonhnathan
4233fef238
[Security Content] Include "Data Source: Elastic Defend" tag (#3002)
* win folder
* Other folders
* Update test_all_rules.py
* .
* updated missing elastic defend tags
---------
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
2023-09-05 14:22:01 -04:00
Ruben Groenewoud
8703c65f87
[Tuning] Azure Network Packet Capture Detected (#2888)
2023-06-28 16:32:56 +02:00
Jonhnathan
b4c84e8a40
[Security Content] Tags Reform (#2725)
* Update Tags
* Bump updated date separately to be easy to revert if needed
* Update resource_development_ml_linux_anomalous_compiler_activity.toml
* Apply changes from the discussion
* Update persistence_init_d_file_creation.toml
* Update defense_evasion_timestomp_sysmon.toml
* Update defense_evasion_application_removed_from_blocklist_in_google_workspace.toml
* Update missing Tactic tags
* Update unit tests to match new tags
* Add missing IG tags
* Delete okta_threat_detected_by_okta_threatinsight.toml
* Update command_and_control_google_drive_malicious_file_download.toml
* Update persistence_rc_script_creation.toml
* Mass bump
* Update persistence_shell_activity_by_web_server.toml
* .
---------
Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
2023-06-22 18:38:56 -03:00
Mika Ayenson
1784429aa7
[FR] Add Integration Schema Query Validation (#2470)
2023-02-02 16:22:44 -05:00
Jonhnathan
9981cca275
[Security Content] Investigation Guides Line breaks refactor (#2454)
* [Security Content] Investigation Guides Line breaks refactor (#2412)
* [Security Content] Investigation Guides Line break refactor
* undo updated_date bump on deprecated rules
* Remove duplicated key
* Remove changes to deprecated rules
* Update command_and_control_certutil_network_connection.toml
2023-01-09 13:28:10 -03:00
Terrance DeJesus
b1a689b6fd
Revert "[Security Content] Investigation Guides Line breaks refactor (#2412)" (#2453)
This reverts commit d1481e1a88.
2023-01-09 10:44:54 -05:00