Commit Graph

  • 9926071b0d [New Rule] - Execution via Hidden Shell (#154) Samirbous 2020-09-22 13:56:19 +02:00
  • 79e7f17130 [New Rule] - Persistence via TelemetryController Scheduled Task Hijack (#150) Samirbous 2020-09-22 13:54:51 +02:00
  • 822453b32c [New Rule] - Suspicious PsExec Execution (#134) Samirbous 2020-09-22 13:52:01 +02:00
  • 9590bc3f68 [New Rule] Execution via xp_cmdshell MSSQL stored procedure (#132) Samirbous 2020-09-22 13:48:54 +02:00
  • cdbd3c0640 [Rule Tuning] - Tuning of 3 Existing Windows Rules (#123) Samirbous 2020-09-22 13:47:22 +02:00
  • 6a1e97cd06 [Rule Tuning] Update AWS rules to account for Agent index (#256) Brent Murphy 2020-09-21 09:04:50 -04:00
  • 453553f685 Change the way we get environment variables (#280) Ross Wolf 2020-09-16 10:23:22 -06:00
  • 9d22970e21 Add EQL rules and schema validation (#297) Ross Wolf 2020-09-16 08:36:48 -06:00
  • 4041fc8bde update-okta-rules-for-ingest-manager-compatibility (#295) David French 2020-09-15 15:42:38 -06:00
  • 140091e7b8 [New Rule] Azure Storage Account Key Regenerated (#188) Brent Murphy 2020-09-04 14:08:48 -04:00
  • 040f56ff0c [New Rule] Azure Network Watcher Deletion (#232) Brent Murphy 2020-09-04 12:18:18 -04:00
  • 21431101b7 [New Rule] Azure External Guest User Invitation (#231) Brent Murphy 2020-09-04 12:11:13 -04:00
  • 0fc78b3c3b [New Rule] Azure Key Vault Modified (#230) Brent Murphy 2020-09-04 11:30:01 -04:00
  • 70cc7fd112 [Rule Tuning] AWS Root Login Without MFA (#229) Brent Murphy 2020-09-04 10:57:51 -04:00
  • e49b69af10 [New Rule] Azure Blob Container Access Level Modification (#192) Brent Murphy 2020-09-04 10:48:21 -04:00
  • 6d3955bd8a [New Rule] High Number of Okta User Password Reset or Unlock Attempts (#187) David French 2020-09-04 08:38:06 -06:00
  • 230b59dfc9 rule-tuning-user-added-as-owner-for-azure-service-principal (#258) David French 2020-09-04 08:36:20 -06:00
  • bcd698add2 [New Rule] Azure Event Hub Deletion (#170) Brent Murphy 2020-09-04 10:23:43 -04:00
  • a49d102de3 [New Rule] Azure Event Hub Authorization Rule Created or Updated (#173) Brent Murphy 2020-09-04 09:32:30 -04:00
  • 0ac7f3d672 [New Rule] Azure Firewall Policy Deletion (#169) Brent Murphy 2020-09-04 09:28:58 -04:00
  • 9025a7d183 [New Rule] Azure Diagnostic Settings Deletion (#157) Brent Murphy 2020-09-04 09:20:13 -04:00
  • b4a15960cb [New Rule] Azure Command Execution on Virtual Machine (#155) Brent Murphy 2020-09-03 17:09:40 -04:00
  • 6b04105936 [New Rule] Azure Resource Group Deletion (#158) Brent Murphy 2020-09-03 17:06:43 -04:00
  • 1f555c289f [New Rule] Azure Privileged Identity Management Role Modified (#238) David French 2020-09-03 15:02:14 -06:00
  • 89db7384a0 [New Rule] Azure Automation Runbook Deleted (#235) David French 2020-09-03 13:09:40 -06:00
  • 225aba61c9 [New Rule] Multi-Factor Authentication Disabled for an Azure User (#195) David French 2020-09-03 12:42:27 -06:00
  • 43204391b6 [New Rule] User Added as Owner for Azure Service Principal (#194) David French 2020-09-03 12:21:44 -06:00
  • 43f657ac4e [New Rule] User Added as Owner for Azure Application (#191) David French 2020-09-03 12:15:33 -06:00
  • 75474387a8 [New Rule] Attempts to Brute Force an Okta User Account (#186) David French 2020-09-03 11:23:56 -06:00
  • 4c431d2408 [New Rule] Azure Automation Webhook Created (#179) David French 2020-09-03 11:20:50 -06:00
  • 98f216404a [New Rule] Azure Automation Runbook Created or Modified (#178) David French 2020-09-03 11:16:42 -06:00
  • 85e799b378 [New Rule] Azure Automation Account Created (#177) David French 2020-09-03 11:08:38 -06:00
  • 6e931959bb Update pythonpackage.yml (#242) Justin Ibarra 2020-09-02 12:59:33 -08:00
  • b8e0c379c5 Update packages.yml Justin Ibarra 2020-09-02 14:10:46 -05:00
  • 6b7ea7e66c Fix kibana-diff command (#198) Justin Ibarra 2020-09-02 09:19:17 -08:00
  • 464d5e645a Fix kibana-upload and remove cumbersome dataclasses (#216) Ross Wolf 2020-09-01 05:47:27 -06:00
  • aec3ec31b9 Merge branch '7.9' into main (refs: dev7.10-abc-v0.1.0, dev7.10-ML-DGA-v0.1.0.zip, dev7.10-ML-DGA-v0.1.0, ML-experimental-detections-20201029-1) brokensound77 2020-08-27 15:54:44 -08:00
  • 779a3a5b0d Build all branches Ross Wolf 2020-08-27 17:35:13 -06:00
  • 4ffdc46ba7 Lock rule versions (#207) Justin Ibarra 2020-08-27 14:47:29 -08:00
  • 79a0dfefbe Add ECS 1.6.0 schema for validation testing (#220) Justin Ibarra 2020-08-27 08:54:49 -08:00
  • d955ad275e Add help wanted label to contrib (#219) Andrew Pease 2020-08-27 11:05:20 -05:00
  • 5310ec722a Fix NOTICE.txt typo Ross Wolf 2020-08-24 08:06:58 -06:00
  • be08536880 Increase lookback for endpoint rules (#200) Justin Ibarra 2020-08-21 12:23:43 -05:00
  • 1fccc39699 Change verbiage around Elastic license Ross Wolf 2020-08-19 11:47:10 -06:00
  • 28c869fb5f Expand documentation on CLI and workflows (#130) Justin Ibarra 2020-08-18 14:27:51 -05:00
  • 9b70383898 Refresh ecs master and add beats v7.8.1 schemas (#156) Justin Ibarra 2020-08-17 12:33:20 -05:00
  • 08e500e44e Merge locked versions from 7.9 Ross Wolf 2020-08-04 13:35:25 -06:00
  • 69a5b7e409 Lock versions for 7.9 release Ross Wolf 2020-08-04 13:35:14 -06:00
  • cb1c401e27 Merge branch '7.9' into main Ross Wolf 2020-08-03 15:20:36 -06:00
  • 01b1e8be26 [Rule Tuning] Update Tags for Cloud Rules (#99) Brent Murphy 2020-08-03 17:15:15 -04:00
  • a99b7c96fe Merge branch '7.9' into main Ross Wolf 2020-08-03 14:03:15 -06:00
  • 7efe33e01d [Rule Tuning] Update Index Pattern for Detection Engine Rules (#101) Brent Murphy 2020-08-03 15:46:57 -04:00
  • 83e33e70bb Rename slack channel Ross Wolf 2020-07-30 19:44:02 -06:00
  • 0455307577 Downgrade rule version before uploading to Kibana (#97) Ross Wolf 2020-07-28 11:03:47 -06:00
  • 3c4a383947 Add list_id to exceptions_list and remove endgame:* from external alerts (#98) Yara Tercero 2020-07-28 09:30:48 -04:00
  • 8f5ddbb121 Add better CLI support for handling Kibana exported rules (#83) Justin Ibarra 2020-07-27 23:31:19 -05:00
  • d15da0ada1 Add versioned schemas with a downgrade path (#84) Ross Wolf 2020-07-23 13:39:35 -04:00
  • 978a8d9df8 [Bug] Set threshold.field to empty string instead of null (#87) Ross Wolf 2020-07-22 19:31:09 -04:00
  • 4ba23ad6cd Merge branch '7.9' into main Ross Wolf 2020-07-22 14:39:18 -06:00
  • 4b17cb37f0 Update External Alerts rule index to match default securitySolution:defaultIndex value (#86) Garrett Spong 2020-07-22 14:37:19 -06:00
  • 5f867dbb72 Add KQL -> DSL conversion (#81) Ross Wolf 2020-07-22 13:05:45 -04:00
  • b5213e66b2 [Rule Tuning] Correct Promotion Rule Descriptions (#85) Brent Murphy 2020-07-22 12:36:18 -04:00
  • b4d8985105 [Rule Tuning] Update terms in promotion rules (#72) Brent Murphy 2020-07-21 14:28:30 -04:00
  • e08ff6c55d [Rule Tuning] Update Cloud rules with note field (#79) Brent Murphy 2020-07-21 12:27:42 -04:00
  • 16fb306254 Add command to upload to kibana (#58) Ross Wolf 2020-07-20 17:58:28 -04:00
  • aaef4b99f4 [New Rule] Okta Brute Force or Password Spraying Attack (#66) David French 2020-07-20 12:44:59 -06:00
  • 4784342723 [New Rule] AWS IAM Brute Force of Assume Role Policy (#67) David French 2020-07-20 12:43:26 -06:00
  • 47cb03314a Fix KQL sorting Ross Wolf 2020-07-15 08:26:45 -06:00
  • 1bf60551ff Update lateral_movement_dns_server_overflow.toml Justin Ibarra 2020-07-17 15:52:04 -05:00
  • 1cfb8f92bb Windows DNS server vulnerability (CVE-2020-1350) rules (#69) Justin Ibarra 2020-07-17 14:32:52 -05:00
  • 89d6498c42 Add webinar link Ross Wolf 2020-07-17 09:31:57 -06:00
  • 7647699e2b Add support for threshold rules (#65) Justin Ibarra 2020-07-16 19:06:34 -05:00
  • f1b669e59d Loosen yaml requirement (#62) Ross Wolf 2020-07-15 09:00:32 -06:00
  • 916917a619 Update rule.py Justin Ibarra 2020-07-15 09:40:07 -05:00
  • db4f50d4b8 Improve the validation and testing time (#61) Ross Wolf 2020-07-15 08:05:55 -06:00
  • 13ceed5410 Add Global Endpoint Exception List to Elastic Endpoint rule (#60) Garrett Spong 2020-07-14 21:26:29 -06:00
  • f75b126ec4 Update terminology in ML job rules Devon Kerr 2020-07-14 23:21:46 -04:00
  • f24666bf12 [New Rule] Add Cloudtrail ML Rules Craig Chamberlain 2020-07-14 12:54:06 -04:00
  • 680a04da8f Fix terminology and doc links (#54) Ben Skelker 2020-07-13 21:47:42 +03:00
  • e96eabaa2e Generate linted .ts in package (#49) Ross Wolf 2020-07-09 17:33:28 -06:00
  • c28795c25e [New Rule] Elastic Endpoint and External Alerts (#42) Garrett Spong 2020-07-09 15:24:36 -06:00
  • a0b50152b3 Fix new rule template Ross Wolf 2020-07-09 10:59:52 -06:00
  • 8a561b3817 Add kibana-push command (#38) Ross Wolf 2020-07-08 18:02:12 -06:00
  • 119c98f05f Package kibana index file with release rules (#40) Justin Ibarra 2020-07-08 18:58:00 -05:00
  • 4fe3aaff1a Add test for duplicate file names (#34) Ross Wolf 2020-07-08 14:00:28 -06:00
  • e0f2e8b4a9 Add dataset and index to network rules (#15) Andrew Pease 2020-07-08 14:19:35 -05:00
  • 676be30199 [New rule] AWS Secrets Manager and System Manager Samirbous 2020-07-08 20:37:47 +02:00
  • 29a92f8976 Package notice file with release (#32) Justin Ibarra 2020-07-08 13:17:42 -05:00
  • c577426510 Update Lookback Interval for AWS Rules Seth Goodwin 2020-07-08 05:56:17 -07:00
  • 316be47e27 Rename AWS to aws Ross Wolf 2020-07-08 08:43:30 -06:00
  • 3ee7aa3822 Add vscode directory to gitignore (#26) Derek Ditch 2020-07-07 16:56:50 -05:00
  • 94974c3895 Detect DeleteRule events with AWS WAF Deletion Craig Chamberlain 2020-07-07 16:29:32 -04:00
  • ee82874c24 [New Rule] AWS Config Service Tampering Craig Chamberlain 2020-07-07 16:06:57 -04:00
  • 95908c22a4 Improve ECS compatibility for endpoint rules Justin Ibarra 2020-07-07 13:43:33 -05:00
  • cae5fee025 [New Rule] Add AWS Password Recovery Requested seth-goodwin 2020-07-07 09:37:17 -07:00
  • 8052a1ea1f [New Rule] Add rule for AWS UpdateAssumeRolePolicy Seth Goodwin 2020-07-07 09:35:15 -07:00
  • a2a0b2bf0c [New Rule] AWS EC2 Snapshot Activity Craig Chamberlain 2020-07-07 12:47:01 -04:00
  • c1a1cf6854 [New Rule] AWS Root Login Without MFA Seth Goodwin 2020-07-07 08:26:51 -07:00
  • a98eca06d0 Add event.module value to Okta rules (#19) David French 2020-07-06 14:26:18 -06:00
  • 0ba6d187ba Add note on preferred logic order when writing queries (#13) Ross Wolf 2020-07-02 14:15:48 -06:00