-
75c7c09595
[New Rule] Suspicious Path Invocation from Command Line (#4338)
Ruben Groenewoud
2025-01-16 10:20:37 +01:00
-
9186c5e14a
[New BBR] Linux System Information Discovery via Getconf (#4337)
Ruben Groenewoud
2025-01-16 10:05:29 +01:00
-
5162067a51
[New Rule] Adding Coverage for AWS S3 Object Encryption with SSE-C (#4377)
dev-v0.3.19
Terrance DeJesus
2025-01-15 14:11:58 -05:00
-
c04ae6d444
[New Rule] Adding Coverage for SNS Topic Message Publish by Rare User (#4350)
Terrance DeJesus
2025-01-15 13:55:45 -05:00
-
97b3f43870
[New Rule] Adding Coverage for AWS EC2 Deprecated AMI Discovery (#4328)
dev-v0.3.18
Terrance DeJesus
2025-01-15 11:53:18 -05:00
-
32f596629d
Provide Deprecate Warnings for Experimental ML commands (#4365)
dev-v0.3.17
shashank-elastic
2025-01-15 21:53:16 +05:30
-
f8312cc5b0
[Rule Tuning] Adjusting Verbiage for AWS EC2 Instance Connect SSH Public Key Uploaded (#4334)
Terrance DeJesus
2025-01-15 11:12:53 -05:00
-
f97007f3a8
[New Rule] Adding Coverage for AWS SQS Queue Purge (#4354)
Terrance DeJesus
2025-01-15 10:52:22 -05:00
-
447fce3b08
[Rule Tuning] Suspicious Communication App Child Process (#4369)
Jonhnathan
2025-01-15 12:13:10 -03:00
-
cc00963fc3
[Bug] [DaC] Actions Connector Defaults to None (#4376)
dev-v0.3.16
Eric Forte
2025-01-15 09:31:23 -05:00
-
74f11dbf7f
[Rule Tuning] Posh BBRs (#4372)
Jonhnathan
2025-01-15 11:00:21 -03:00
-
c912b78586
maintenance - remove hunting TOML files from repo version checks (#4374)
Terrance DeJesus
2025-01-14 14:45:53 -05:00
-
bcca0a2016
[New] Sensitive Audit Policy Sub-Category Disabled (#4373)
Samirbous
2025-01-14 15:13:45 +00:00
-
e822af47a4
[Hunt Tuning] Persistence via SSH Configurations and/or Keys (#4351)
dev-v0.3.15
Ruben Groenewoud
2025-01-13 16:53:09 +01:00
-
79b26085f5
[New Rule] Potential Process Name Stomping with Prctl (#4352)
Ruben Groenewoud
2025-01-13 16:35:40 +01:00
-
0e1edfecea
[Rule Tuning] Windows Misc BBR Tuning (#4368)
Jonhnathan
2025-01-13 12:03:40 -03:00
-
f52cfb3729
[Rule: Tuning] - Azure blob permission modification tagging - Correct tags (#4371)
James Valente
2025-01-13 08:40:34 -05:00
-
32a94dc7c7
updating token references (#4367)
Terrance DeJesus
2025-01-10 11:20:17 -05:00
-
65b95a1996
Update discovery_potential_syn_port_scan_detected.toml (#4366)
Samirbous
2025-01-10 15:29:29 +00:00
-
46637f38a4
maintenance repository config update pt 4 (#4364)
dev-v0.3.14
Terrance DeJesus
2025-01-09 18:05:55 -05:00
-
98cef59a5b
[Maintenance] Repository Config Update pt 3 (#4363)
Terrance DeJesus
2025-01-09 17:20:57 -05:00
-
4e588e8d90
updated package token (#4361)
Terrance DeJesus
2025-01-09 16:59:02 -05:00
-
ad180777cf
[Maintenance] Repository Config Update (#4359)
dev-v0.3.13
Terrance DeJesus
2025-01-09 16:35:18 -05:00
-
6b0b988d79
[Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - 10 (#4357)
Jonhnathan
2025-01-09 11:54:46 -03:00
-
7eeca006bc
[Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - 8 (#4355)
Jonhnathan
2025-01-09 11:38:26 -03:00
-
e66bca73e0
[Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - 7 (#4349)
Jonhnathan
2025-01-09 11:28:21 -03:00
-
cc889e3bf2
[Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - 4 (#4345)
Jonhnathan
2025-01-09 10:59:32 -03:00
-
0fc83fe815
[Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - 3 (#4343)
Jonhnathan
2025-01-09 10:35:58 -03:00
-
d6ceb88558
[Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - 6 (#4348)
Jonhnathan
2025-01-09 10:17:57 -03:00
-
f4a022c5d2
[Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - 5 (#4346)
Jonhnathan
2025-01-09 09:44:40 -03:00
-
2af2e1f57b
[Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - 9 (#4356)
Jonhnathan
2025-01-09 08:29:51 -03:00
-
4142868956
[Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - 2 (#4333)
Jonhnathan
2025-01-08 15:23:19 -03:00
-
282f613ddf
[Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - 1 (#4330)
Jonhnathan
2025-01-08 14:40:43 -03:00
-
47571956a7
Lock versions for releases: 8.12,8.13,8.14,8.15,8.16,8.17 (#4347)
dev-v0.3.12
github-actions[bot]
2025-01-07 22:54:34 +05:30
-
2edc062b53
Update ATT&CK coverage URL(s) in docs/ATT&CK-coverage.md (#4344)
dev-v0.3.11
github-actions[bot]
2025-01-07 22:13:30 +05:30
-
a2b280a6fd
[New Hunts] Adding Several Hunting PRs into this Main PR (#4342)
dev-v0.3.10
Ruben Groenewoud
2025-01-07 14:29:17 +01:00
-
d16f56b4e2
[New Rule] SSH via Backdoored System User (#4336)
Ruben Groenewoud
2025-01-07 13:20:36 +01:00
-
2530c4d376
[New Rule] Pluggable Authentication Module Source Download (#4301)
Ruben Groenewoud
2025-01-07 13:04:05 +01:00
-
1a189a5749
[Python] Ignore Hunting Doc Changes for Version Code Checks (#4331)
Terrance DeJesus
2025-01-07 06:54:27 -05:00
-
318ab3ffa0
Enhance Readability of KQL validation check failures (#4329)
dev-v0.3.9
shashank-elastic
2025-01-06 22:18:05 +05:30
-
52db5e0361
Monthly Refresh ECS & Beats schemas, Integration manifests & schemas. (#4332)
dev-v0.3.8
shashank-elastic
2025-01-06 21:48:11 +05:30
-
419e5c1ad3
[Tuning] Suspicious WMI Event Subscription Created (#4327)
dev-v0.3.7
Samirbous
2025-01-06 12:40:26 +00:00
-
feaeabf60c
[New Rule] Dynamic Linker (ld.so) Creation (#4306)
Ruben Groenewoud
2025-01-03 17:06:38 +01:00
-
fea5c90ed9
[New Rule] Kernel Object File Creation (#4325)
Ruben Groenewoud
2025-01-03 16:49:59 +01:00
-
466097c31e
[Rule Tuning] Potential Persistence via File Modification (#4310)
Ruben Groenewoud
2025-01-03 16:19:58 +01:00
-
53ca51b20c
[New Rule] Simple HTTP Web Server Connection (#4309)
Ruben Groenewoud
2025-01-03 16:06:28 +01:00
-
e26e4e40b4
[New Rule] Simple HTTP Web Server Creation (#4308)
Ruben Groenewoud
2025-01-03 15:54:25 +01:00
-
0273997581
[New Rule] Loadable Kernel Module Configuration File Creation (#4307)
Ruben Groenewoud
2025-01-03 15:33:31 +01:00
-
7e775a6c95
[New Rule] Unusual Preload Environment Variable Process Execution (#4305)
Ruben Groenewoud
2025-01-03 15:23:41 +01:00
-
9424a57207
[Rule Tuning] Creation or Modification of Pluggable Authentication Module or Configuration (#4304)
Ruben Groenewoud
2025-01-03 15:05:05 +01:00
-
c9c8e3501e
[New Rule] Unusual SSHD Child Process (#4303)
Ruben Groenewoud
2025-01-03 14:50:43 +01:00
-
c7fe940206
[New Rule] Pluggable Authentication Module Creation in Unusual Directory (#4302)
Ruben Groenewoud
2025-01-03 14:35:08 +01:00
-
5384191934
[New Rule] PAM Version Discovery (#4300)
Ruben Groenewoud
2025-01-03 14:25:38 +01:00
-
aca416a779
[Rule Tuning] Windows misc Rule Tuning (#4298)
Jonhnathan
2025-01-02 07:44:01 -03:00
-
c99cf9279d
[Tuning] Uncommon Registry Persistence Change (#4286)
rad9800
2024-12-25 22:06:58 +00:00
-
9fb2dea7aa
[New Rule] Endpoint Security Promotion Rules for Specific Events (#3533)
Terrance DeJesus
2024-12-19 13:24:23 -05:00
-
dad008ea34
[Rule Tuning] Lookback Times for Okta Multiple Session and AWS KMS Retrieval Rules (#4324)
Terrance DeJesus
2024-12-19 13:03:50 -05:00
-
2ff2965cb9
Enhance Readability of validation check failures (#4299)
dev-v0.3.6
shashank-elastic
2024-12-13 19:03:47 +05:30
-
28ffebbf5c
[New Hunt] Adding Hunting Query for AWS IAM Unusual AWS Access Key Usage for User (#4280)
dev-v0.3.5
Terrance DeJesus
2024-12-12 14:56:20 -05:00
-
0a740074c9
new rule 'Azure Entra MFA TOTP Brute Force Attempts' (#4297)
Terrance DeJesus
2024-12-12 11:00:02 -05:00
-
3fa3349216
Update versioning support for 8.17 (#4296)
dev-v0.3.4
shashank-elastic
2024-12-10 23:43:04 +05:30
-
691126cd3d
Lock versions for releases: 8.12,8.13,8.14,8.15,8.16,8.17 (#4295)
dev-v0.3.3
github-actions[bot]
2024-12-10 21:43:29 +05:30
-
f0291b440a
Minstack endpoint rules with process.group.id fields (#4294)
shashank-elastic
2024-12-10 21:03:32 +05:30
-
e6012b1db6
Removing ESQL query format error (#4292)
Terrance DeJesus
2024-12-10 09:27:37 -05:00
-
febdafa1f4
Lock versions for releases: 8.12,8.13,8.14,8.15,8.16,8.17 (#4291)
dev-v0.3.2
github-actions[bot]
2024-12-09 21:38:33 +05:30
-
052672b09f
[Rule Tuning] Update Okta and Github Min-Stack Versions for Release (#4290)
Terrance DeJesus
2024-12-09 10:28:33 -05:00
-
e7b88ae3fc
[New Rule] Adding Coverage for Self-Created Login Profile for Root Accounts in AWS (#4277)
Terrance DeJesus
2024-12-09 08:55:20 -05:00
-
2c848c5111
Prep for Release 8.18 (#4288)
dev-v0.3.1
shashank-elastic
2024-12-09 18:25:13 +05:30
-
511c108ba1
[Tuning] SDH - Possible Consent Grant Attack via Azure-Registered Application (#4283)
Isai
2024-12-06 17:27:38 -05:00
-
d3c05a08cc
Add all historical versions for v8.17.0 and above packages (#4279)
dev-v0.3.0
shashank-elastic
2024-12-03 23:36:32 +05:30
-
801efb3d93
Protections for AWS Bedrock (#4270)
shashank-elastic
2024-12-03 21:56:39 +05:30
-
53cfeb76e3
Add event dataset for missing rule in Github integration (#4278)
shashank-elastic
2024-12-03 20:32:55 +05:30
-
86cc61c233
Lock versions for releases: 8.11,8.12,8.13,8.14,8.15,8.16 (#4274)
dev-v0.2.1
github-actions[bot]
2024-11-27 09:34:54 -05:00
-
5ab7565923
Minstack versions for Okta and Github Integration (#4273)
shashank-elastic
2024-11-27 18:39:41 +05:30
-
4e28895e66
[Rule Tuning] Kernel Module Removal (#4269)
Ruben Groenewoud
2024-11-25 21:13:44 +01:00
-
2d79494068
new rule 'AWS STS AssumeRoot by Rare User and Member Account' (#4271)
Terrance DeJesus
2024-11-25 10:28:43 -05:00
-
04e1fc1436
Account for CCS '::' index pattern (#4258)
dev-v0.2.0
shashank-elastic
2024-11-13 11:17:08 +05:30
-
ebb3675ea0
Lock versions for releases: 8.11,8.12,8.13,8.14,8.15,8.16 (#4267)
dev-v0.1.7
github-actions[bot]
2024-11-11 22:29:22 +05:30
-
4a7f83e432
Version Lock File Reconcile Ref: #4266
terrancedejesus
2024-11-11 10:48:43 -05:00
-
f36845318e
[New] First Time Seen User Auth via DeviceCode Protocol (#4153)
Samirbous
2024-11-11 13:04:18 +00:00
-
b66d0e0a0d
[New] Remote Desktop File Opened from Suspicious Path (#4251)
Samirbous
2024-11-11 12:38:48 +00:00
-
ef453d8f4d
[Rule Tuning] Add Investigation Fields to Specific AWS Rules (#4261)
dev-v0.1.6
Terrance DeJesus
2024-11-08 23:11:18 -05:00
-
33d832d4e4
[Rule Tuning] Tuning Process Termination followed by Deletion (#4173)
Terrance DeJesus
2024-11-08 14:38:17 -05:00
-
56e61a6321
[New Rule] Potential Hex Payload Execution (#4241)
Ruben Groenewoud
2024-11-08 19:15:17 +01:00
-
54bb319f7b
[New Rule] Memory Swap Modification (#4239)
Ruben Groenewoud
2024-11-08 19:06:55 +01:00
-
3207ca37e4
[New Rule] Unusual Interactive Shell Launched from System User (#4238)
Ruben Groenewoud
2024-11-08 18:24:30 +01:00
-
267a6b6fa6
[New Rule] Web Server Spawned via Python (#4236)
Ruben Groenewoud
2024-11-08 18:16:19 +01:00
-
83f31e1640
[New Rule] Directory Creation in /bin directory (#4227)
Ruben Groenewoud
2024-11-08 18:07:06 +01:00
-
6040b6aee4
[New Rule] Hidden Directory Creation via Unusual Parent (#4226)
Ruben Groenewoud
2024-11-08 17:58:13 +01:00
-
43148a72f4
[New Rule] Security File Access via Common Utilities (#4243)
Ruben Groenewoud
2024-11-08 17:41:33 +01:00
-
f89e245e29
[New Rule] Potential Data Splitting Detected (#4235)
Ruben Groenewoud
2024-11-08 17:32:59 +01:00
-
3e268282d1
[New Rule] Private Key Searching Activity (#4242)
Ruben Groenewoud
2024-11-08 17:13:55 +01:00
-
40118186fb
[New Rule] IPv4/IPv6 Forwarding Activity (#4240)
Ruben Groenewoud
2024-11-08 17:06:07 +01:00
-
993c60decb
[New Rule] Curl SOCKS Proxy Activity from Unusual Parent (#4237)
Ruben Groenewoud
2024-11-08 16:51:18 +01:00
-
ee10be70b9
Update ATT&CK coverage URL(s) in docs/ATT&CK-coverage.md (#4265)
dev-v0.1.5
github-actions[bot]
2024-11-08 20:27:04 +05:30
-
c2e0a9315c
Fix extra new line in ATT&CK-coverage.md (#4263)
dev-v0.1.4
shashank-elastic
2024-11-08 20:13:21 +05:30
-
d2502c7394
Prep for Release 8.17 (#4256)
dev-v0.1.3
shashank-elastic
2024-11-07 23:53:04 +05:30
-
2ca746c4b4
[FR] Reset package version and push tag via ci (#4260)
dev-v0.1.2
Mika Ayenson
2024-11-07 12:11:00 -06:00
-
48a051e3f1
[FR] Fetch history for versioning workflow (#4259)
Mika Ayenson
2024-11-07 11:57:33 -06:00
-
c615df680f
[FR] Update the release versioning process and workflow (#4257)
Mika Ayenson
2024-11-07 11:31:54 -06:00