github-actions[bot]
8909a95486
Lock versions for releases: 8.9,8.10,8.11,8.12,8.13,8.14 (#3880)
(cherry picked from commit 6a28881b5f)
2024-07-09 13:46:32 +00:00
ar3diu
e027efeb53
[Rule Tuning] Suspicious Inter-Process Communication via Outlook #3803 (#3806)
* Add "by host.id" argument to the sequence command in the rule query.
* Update collection_email_outlook_mailbox_via_com.toml
* Update non-ecs-schema.json
---------
Co-authored-by: Andrei Rediu <andrei.rediu@bit-sentinel.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
(cherry picked from commit 5048bc26bd)
2024-07-03 14:42:12 +00:00
Terrance DeJesus
0b808211f6
[New Rule] Entra ID Device Code Auth with Broker Client (#3819)
* new rule 'Entra ID Device Code Auth with Broker Client'
* updated azure integration, non-ecs updated, rule date updated
* updates tags
* updated query to add Azure activity logs
* merging in main
* updated azure manifest and schemas
* updated azure manifest and schemas
* updated index map for summary and changelog
* removed string imports
* reverting packaging.py updates
* adjusted query
* adjusted query to be more optimized
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
(cherry picked from commit 99a4d629c9)
2024-07-01 14:34:42 +00:00
shashank-elastic
28f67e3ace
Generate Better Index Keys (#3826)
* Generate Better Index Keys
* More Robust index mapping
* Remove unused import
* Remove unused import
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
(cherry picked from commit 949ceccc0f)
2024-06-28 17:51:17 +00:00
github-actions[bot]
a1b34e0211
Lock versions for releases: 8.9,8.10,8.11,8.12,8.13,8.14 (#3845)
(cherry picked from commit aef9fe8ec4)
2024-06-28 12:22:41 +00:00
Mika Ayenson
2133e1f1a3
[FR] Limit historical rules to the latest 2 (#3842)
(cherry picked from commit 357204e1c5)
2024-06-28 11:45:17 +00:00
Jonhnathan
8bab0df7bf
[Rule Tuning] Add Initial Microsoft Defender for Endpoint Compatibility to Windows DRs (#3825)
* [Rule Tuning] Add Initial Microsoft Defender for Endpoint Compatibility to Windows DRs
* .
* Update integration-schemas.json.gz
* Fix integration manifests
Removed changes from:
- rules/windows/collection_email_powershell_exchange_mailbox.toml
- rules/windows/command_and_control_rdp_tunnel_plink.toml
- rules/windows/command_and_control_screenconnect_childproc.toml
- rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
- rules/windows/credential_access_kirbi_file.toml
- rules/windows/defense_evasion_amsi_bypass_dllhijack.toml
- rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml
- rules/windows/defense_evasion_suspicious_zoom_child_process.toml
- rules/windows/execution_command_shell_started_by_unusual_process.toml
- rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
- rules/windows/persistence_adobe_hijack_persistence.toml
- rules/windows/persistence_appcertdlls_registry.toml
- rules/windows/persistence_system_shells_via_services.toml
(selectively cherry picked from commit 54d5b442cf)
2024-06-26 14:09:43 +00:00
github-actions[bot]
30f5784613
Lock versions for releases: 8.9,8.10,8.11,8.12,8.13,8.14 (#3821)
(cherry picked from commit 6f43d1f535)
2024-06-25 12:31:41 +00:00
Mika Ayenson
495539b697
[FR] Loosen Filters Schema Validation (#3753)
(cherry picked from commit 259efaf716)
2024-06-18 21:00:33 +00:00
Terrance DeJesus
37ea64baf4
[New Rule] Rapid7 Threat Command CVEs Correlation (#3718)
* new rule 'Rapid7 Threat Command CVEs Correlation'
* Update rules/threat_intel/threat_intel_rapid7_threat_command.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
* updated threat index and tags
* changed 'indicator match' to 'threat match' for tags
* removed timeline
* updating integrations to match main
* re-adding rapid7 threat command integration manifest and schema
* reverting changes; removing timeline
* changed max signals to 10000
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
(cherry picked from commit 020ca4be24)
2024-06-12 22:04:56 +00:00
github-actions[bot]
24d79f230e
Lock versions for releases: 8.9,8.10,8.11,8.12,8.13,8.14 (#3778)
(cherry picked from commit e3a72c6c47)
2024-06-11 15:30:13 +00:00
Ruben Groenewoud
d26951d94e
[New Rule] Suspicious File Modification (#3746)
* [New Rule] Suspicious File Modification
* Update persistence_suspicious_file_modifications.toml
* Update rules/linux/persistence_suspicious_file_modifications.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/linux/persistence_suspicious_file_modifications.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Updates
* Update rules/integrations/fim/persistence_suspicious_file_modifications.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
(cherry picked from commit ec223a4a05)
2024-06-11 11:06:39 +00:00
shashank-elastic
06660cb2e1
Refresh MITRE Attack v15.1.0 (#3725)
(cherry picked from commit e357a2c050)
2024-06-04 14:48:18 +00:00
github-actions[bot]
5839b408ca
Lock versions for releases: 8.9,8.10,8.11,8.12,8.13,8.14 (#3716)
(cherry picked from commit 259bab7a5a)
2024-05-29 14:21:29 +00:00
Terrance DeJesus
2691273c93
[New Rule] AWS EC2 VPC Security Group Rule Added for Any Address or Remote Access Ports (#3599)
* new rule 'AWS EC2 VPC Security Group Rule Added for Any Address or Remote Access Ports'
* updated rule name
* changed file name; added false-positive note
* changed rule UUID
* adjusted file name
* updated tags
* added investigation guide; updated query logic
* Update rules/integrations/aws/defense_evasion_vpc_security_group_ingress_rule_added_for_remote_connections.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
* updated query and name
* updated query optimization
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
(cherry picked from commit 527f785a60)
2024-05-28 14:52:40 +00:00
Eric Forte
39782b4295
[FR] Update utility path computation to use pathlib (#3699)
* update
* Updated to pathlib
* Linting
* Add string cast where needed
* Add additional string conversion as needed
* Str conversions to support eql lib
* Attack typo
* Typo in test script
* Updated for more pathlib
* Linting
* Update to convert string to path object
* Fix typo
(cherry picked from commit f43fbfba0d)
2024-05-23 21:39:55 +00:00
shashank-elastic
f27479ee12
Package Manifest changes to add capabilities (#3706)
Removed changes from:
- detection_rules/etc/packages.yaml
(selectively cherry picked from commit f73022b900)
2024-05-23 20:49:50 +00:00
shashank-elastic
18fcd83683
Back-porting Version Trimming (#3704)
(cherry picked from commit 63e91c2f12)
2024-05-22 19:18:10 +00:00
Jonhnathan
0ab70f13a4
[Rule Tuning] Add Initial SentinelOne Compatibility to Windows DRs (#3627)
* [Rule Tuning] Add Initial SentinelOne Compatibility
* updated definitions.py; updated tags; fixed unit tests
* added prerelease versions for s1 integration; updated build CLI commands to allow prerelease; bumped min-stacks
* updating manifests and integrations
* fixing flake errors
* min_stack
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
(cherry picked from commit d023ad66b1)
2024-05-20 12:59:37 +00:00
Eric Forte
6e25eabf71
[FR] Add --force flag to update-lock-versions (#3693)
* Add --force flag to update-lock-versions
* Add type hinting
(cherry picked from commit 707ca32ab1)
2024-05-18 00:33:11 +00:00
Mika Ayenson
06ef471c39
[FR] Normalize yml ext to yaml (#3675)
2024-05-15 17:08:01 -05:00
Mika Ayenson
2d96f10725
[FR] Normalize yml ext to yaml (#3675)
Removed changes from:
- detection_rules/etc/packages.yml
(selectively cherry picked from commit 79f575b33c)
2024-05-15 20:27:01 +00:00
github-actions[bot]
ed48d9fd57
Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13,8.14 (#3676)
(cherry picked from commit f3585da503)
2024-05-15 11:41:56 +00:00
shashank-elastic
891da3623d
Prepare For Next Elastic Stack 8.15 (#3670)
Removed changes from:
- detection_rules/etc/packages.yml
(selectively cherry picked from commit 50a8b52cd5)
2024-05-14 19:10:09 +00:00
Mika Ayenson
33e44b29fc
[FR] Bundle KQL & Kibana libs into base dependencies (#3662)
(cherry picked from commit 78837549e8)
2024-05-13 19:36:55 +00:00
Eric Forte
e45c7db95e
[Bug] Update Rule Formatter (#3668)
* Update Rule Formatter
* Only apply fix to Note
(cherry picked from commit 094ef22604)
2024-05-13 19:07:19 +00:00
github-actions[bot]
947e8fd965
Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13 (#3650)
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13
* Bumping status checks
* undo bump
---------
Co-authored-by: eric-forte-elastic <eric-forte-elastic@users.noreply.github.com>
Co-authored-by: eric-forte-elastic <eric.forte@elastic.co>
(cherry picked from commit 84437bac03)
2024-05-06 16:52:30 +00:00
Eric Forte
2bd230ff60
[Bug] Query validation failing to capture InSet edge case with ip field types (#3572)
* Move test case to separate file
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
(cherry picked from commit a4a0bc6a7e)
2024-05-06 12:07:00 +00:00
Mika Ayenson
b75a9f902b
[New Rule] Potential Abuse of Resources by High Token Count and Large Response Sizes (#3644)
(cherry picked from commit 2ffb0e7fe2)
2024-05-03 23:08:58 +00:00
Justin Ibarra
c97395d606
[Bug] Fix missing indexes on navigator build (#3636)
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
(cherry picked from commit 2668f5f762)
2024-05-01 21:58:13 +00:00
Justin Ibarra
b83887e73d
[New Rule] AWS S3 Bucket Enumeration or Brute Force (#3635)
* [New Rule] AWS S3 Bucket Enumeration or Brute Force
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
---------
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
(cherry picked from commit 54ff270c62)
2024-05-01 21:08:19 +00:00
github-actions[bot]
809279b62b
Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13 (#3630)
(cherry picked from commit ca78f550fd)
2024-04-30 12:43:58 +00:00
Justin Ibarra
09a7e2e81b
Refresh Kibana module with API updates (#3466)
* Refresh Kibana module with API updates
* add import/export commands
* rename repo commands
* add RawRuleCollection and DictRule objects
* save exported rules to files; rule.from_rule_resource
* strip unknown fields in schema
* add remote cli test
* update docs
* bump kibana lib version
---------
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
(cherry picked from commit c567d3731a)
2024-04-26 17:20:37 +00:00
github-actions[bot]
dfd261590b
Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13 (#3615)
(cherry picked from commit 374f21fbc4)
2024-04-23 12:36:46 +00:00
Jonhnathan
608a0ff0c2
[Rule Tuning] Windows BBR Rule Tuning - 1 (#3579)
* [Rule Tuning] Windows BBR Rule Tuning - 1
* Update non-ecs-schema.json
* Update rules_building_block/command_and_control_certutil_network_connection.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules_building_block/collection_common_compressed_archived_file.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
* Update defense_evasion_dll_hijack.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
(cherry picked from commit d0dfa479bb)
2024-04-08 13:46:29 +00:00
Terrance DeJesus
a2cb089d12
updated to v14.0 mitre ATT&CK (#3289)
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
(cherry picked from commit 0cb42983c1)
2024-04-05 18:38:20 +00:00
Eric Forte
dee8c947de
Update default (#3574)
(cherry picked from commit fbb6df506e)
2024-04-05 00:35:15 +00:00
Eric Forte
72ba0b16a9
[Bug] KQL fails validation on uppercase keywords (#3568)
* add todo
* Add a normalize_kql_keywords function to utils
* update rule loader to normalize and warn
* optimized loading
* fix linting
* Moved conversion to kql module.
* Updated unit test
* Refactor KQL parser to normalize keywords via flag
* Fix logic typo
* Update detection_rules/utils.py
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
* Update lib/kql/kql/__init__.py
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
* Updated to fix unit tests and remove warnings
* linting typo
* Added comments
* remove unused imports
* Update kql.parse default
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
(cherry picked from commit 1566c29bae)
2024-04-04 22:10:57 +00:00
Eric Forte
645fa593a1
[Bug] New Terms Rule Import Failing (#3569)
* initial patch
* Update definitions to allow for brackets in name
* Update to prompt for required fields.
* Update detection_rules/cli_utils.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
(cherry picked from commit fa75876322)
2024-04-04 21:45:02 +00:00
Mika Ayenson
5a28e1ecac
[Bug] Add explicit format preserver (#3566)
(cherry picked from commit c35652c8c8)
2024-04-04 20:58:27 +00:00
Eric Forte
ec275e8d99
[Bug] Threshold Rule Importing Failures (#3560)
* remove threshold specific req
* fix test event override
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
(cherry picked from commit a9cc323d09)
2024-04-03 18:23:39 +00:00
shashank-elastic
fe9217892f
Deprecate Releasing to a patch kibana version workflow (#3552)
(cherry picked from commit 3fbffa24ed)
2024-04-03 03:12:07 +00:00
github-actions[bot]
112ae41cd3
Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13 (#3567)
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13
* Update detection_rules/etc/deprecated_rules.json
---------
Co-authored-by: shashank-elastic <shashank-elastic@users.noreply.github.com>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
(cherry picked from commit 8d5bd3b0f6)
2024-04-02 18:37:42 +00:00
Jonhnathan
7838042839
[Rule Tuning] Replace KQL exceptions for Query DSL Exceptions (#3505)
* [Rule Tuning] Replace KQL exceptions for Query DSL Exceptions
* update min_stack
* build out schema in more detail for Filters
* Update detection_rules/rule.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
* Remove enum for definition
* remove unused import
* remove $state store
* transform state
* add call to super
* add return type hint
* use dataclass metadata
* use Literal type
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
Removed changes from:
- rules/windows/collection_mailbox_export_winlog.toml
- rules/windows/collection_posh_clipboard_capture.toml
- rules/windows/defense_evasion_posh_assembly_load.toml
- rules/windows/defense_evasion_posh_compressed.toml
- rules/windows/discovery_posh_suspicious_api_functions.toml
- rules/windows/discovery_privileged_localgroup_membership.toml
- rules/windows/execution_posh_hacktool_functions.toml
- rules/windows/execution_posh_psreflect.toml
- rules_building_block/collection_posh_compression.toml
- rules_building_block/defense_evasion_powershell_clear_logs_script.toml
- rules_building_block/discovery_posh_generic.toml
- rules_building_block/lateral_movement_posh_winrm_activity.toml
(selectively cherry picked from commit 67ca13c1ce)
2024-04-01 20:53:09 +00:00
Mika Ayenson
e74f7a4d6b
[FR] Add support for investigation_fields (#3550)
(cherry picked from commit bb907a4d76)
2024-04-01 16:59:59 +00:00
shashank-elastic
69d2f4b607
Fix create PR in release workflow (#3528)
(cherry picked from commit 8b215eac41)
2024-04-01 15:54:59 +00:00
Mika Ayenson
e7416a6a68
[FR] Add required-fields option to import-rules (#3546)
(cherry picked from commit b6a7e7ebda)
2024-03-28 23:37:15 +00:00
Eric Forte
6bf3a82f51
Update sort parameter (#3531)
(cherry picked from commit 3503786154)
2024-03-25 15:54:13 +00:00
github-actions[bot]
dda6a33f70
Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13 (#3526)
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13
* Update detection_rules/etc/deprecated_rules.json
---------
Co-authored-by: shashank-elastic <shashank-elastic@users.noreply.github.com>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
(cherry picked from commit eaf4658620)
2024-03-21 15:09:40 +00:00
Mika Ayenson
edf52a578c
[FR] Update Python Dependency Versions (#3515)
(cherry picked from commit 5c3523954e)
2024-03-19 19:15:12 +00:00