Files

T

Terrance DeJesus 141b00ec41 [Rule Tuning] Missing MITRE ATT&CK Mappings (#2073 )

* initial commit with eggshell mitre mapping added

* adding updated rules

* [Rule Tuning] MITRE for GCP rules

I've added Mitre references for the 4 GCP rules missing. Changed 3 of the rules from "Impact" to "Defense Evasion" based on the technique used and it's matched tactic.

* [Rule Tuning] Endgame Rule name updates for Mitre

Updated Endgame rule names for those with Mitre tactics to match the tactics.

* Update rules/integrations/aws/persistence_redshift_instance_creation.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/integrations/aws/exfiltration_rds_snapshot_restored.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* adding 10 updated rules for google_workspace, ml and o365

* adding 22 rule updates for mitre att&ck mappings

* adding 24 rule updates related mainly to ML rules

* adding 3 rules related to detection via ML

* adding adjustments

* adding adjustments with solutions to recent pytest errors

* removed tabs from tags

* adjusted mappings and added techniques

* adjusted endgame rule mappings per review

* adjusted names to match different tactics

* added execution and defense evasion tag

* adjustments to address errors from merging with main

* added newlines to rules missing them at the end of the file

Co-authored-by: imays11 <59296946+imays11@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

Removed changes from:
- rules/integrations/google_workspace/application_added_to_google_workspace_domain.toml
- rules/integrations/google_workspace/domain_added_to_google_workspace_trusted_domains.toml
- rules/integrations/google_workspace/google_workspace_admin_role_deletion.toml
- rules/integrations/google_workspace/google_workspace_mfa_enforcement_disabled.toml
- rules/integrations/google_workspace/google_workspace_policy_modified.toml
- rules/integrations/google_workspace/mfa_disabled_for_google_workspace_organization.toml
- rules/ml/ml_linux_anomalous_compiler_activity.toml
- rules/ml/ml_linux_anomalous_metadata_process.toml
- rules/ml/ml_linux_anomalous_metadata_user.toml
- rules/ml/ml_linux_anomalous_process_all_hosts.toml
- rules/ml/ml_linux_anomalous_sudo_activity.toml
- rules/ml/ml_linux_anomalous_user_name.toml
- rules/ml/ml_linux_system_information_discovery.toml
- rules/ml/ml_linux_system_network_configuration_discovery.toml
- rules/ml/ml_linux_system_network_connection_discovery.toml
- rules/ml/ml_linux_system_process_discovery.toml
- rules/ml/ml_linux_system_user_discovery.toml
- rules/ml/ml_rare_process_by_host_linux.toml
- rules/ml/ml_rare_process_by_host_windows.toml
- rules/ml/ml_suspicious_login_activity.toml
- rules/ml/ml_windows_anomalous_metadata_process.toml
- rules/ml/ml_windows_anomalous_metadata_user.toml
- rules/ml/ml_windows_anomalous_path_activity.toml
- rules/ml/ml_windows_anomalous_process_all_hosts.toml
- rules/ml/ml_windows_anomalous_process_creation.toml
- rules/ml/ml_windows_anomalous_script.toml
- rules/ml/ml_windows_anomalous_service.toml
- rules/ml/ml_windows_anomalous_user_name.toml
- rules/ml/ml_windows_rare_user_runas_event.toml
- rules/ml/ml_windows_rare_user_type10_remote_login.toml
- rules/windows/defense_evasion_execution_lolbas_wuauclt.toml

(selectively cherry picked from commit e8c39d19a7)

2022-07-22 18:31:42 +00:00

_deprecated

2058 add setup field to metadata (#2061 )

2022-07-19 09:36:52 -04:00

apm

Linux Shell Evasion Rule Tuning (#1878 )

2022-03-29 21:03:35 -04:00

cross-platform

[Rule Tuning] Missing MITRE ATT&CK Mappings (#2073 )

2022-07-22 18:31:42 +00:00

integrations

[Rule Tuning] Missing MITRE ATT&CK Mappings (#2073 )

2022-07-22 18:31:42 +00:00

linux

[Rule Tuning] Missing MITRE ATT&CK Mappings (#2073 )

2022-07-22 18:31:42 +00:00

macos

[Rule Tuning] Missing MITRE ATT&CK Mappings (#2073 )

2022-07-22 18:31:42 +00:00

[Rule Tuning] Missing MITRE ATT&CK Mappings (#2073 )

2022-07-22 18:31:42 +00:00

network

2058 add setup field to metadata (#2061 )

2022-07-18 21:25:32 +00:00

promotions

[Rule Tuning] Missing MITRE ATT&CK Mappings (#2073 )

2022-07-22 18:31:42 +00:00

windows

[Rule Tuning] Missing MITRE ATT&CK Mappings (#2073 )

2022-07-22 18:31:42 +00:00

README.md

Linux Shell Evasion Rule Tuning (#1878 )

2022-03-29 21:03:35 -04:00

README.md

rules/

Rules within this folder are organized by solution or platform. The structure is flattened out, because nested file hierarchies are hard to navigate and find what you're looking for. Each directory contains several .toml files, and the primary ATT&CK tactic is included in the file name when it's relevant (i.e. windows/execution_via_compiled_html_file.toml)

folder	description
`.`	Root directory where rules are stored
`apm/`	Rules that use Application Performance Monitoring (APM) data sources
`cross-platform/`	Rules that apply to multiple platforms, such as Windows and Linux
`integrations/`	Rules organized by Fleet integration
`linux/`	Rules for Linux or other Unix based operating systems
`macos/`	Rules for macOS
`ml/`	Rules that use machine learning jobs (ML)
`network/`	Rules that use network data sources
`promotions/`	Rules that promote external alerts into detection engine alerts
`windows/`	Rules for the Microsoft Windows Operating System

Integration specific rules are stored in the integrations/ directory:

folder	integration
`aws/`	Amazon Web Services (AWS)
`azure/`	Microsoft Azure
`cyberarkpas/`	Cyber Ark Privileged Access Security
`endpoint/`	Elastic Endpoint Security
`gcp/`	Google Cloud Platform (GCP)
`google_workspace/`	Google Workspace (formerly GSuite)
`o365/`	Microsoft Office
`okta/`	Oka