forked from elastic/detection-rules
Rebase with upstream #5
Merged
…#4995)

* [Rule Tuning] AWS STS GetCallerIdentity API Called for the First Time

Rule is executing as expected with no troubling alerts in telemetry. For tuning I've:
- reduced the execution window
- removed MD from description and FP as it's not supported in Kibana UI
- edited some of the language of IG to speak about the exclusion of AssumedRoles
- edited the highlighted fields for consistency across AWS rules

* updated broken link

updated broken reference link
…nager (#4992)

This rule is evaluating the "new terms" against every individual role session, rather than against the Role itself. This is causing a massive volume of alerts.
- updated rule description and investigation guide
- reduced execution window and interval
- replaced new terms from `user.id` to combination of `cloud.account.id` and `user.name` to account for evaluation against Roles and in the event that separate AWS accounts under the same Org reuse IAM user names. This will only evaluate the Role instead of each individual role session, which should greatly improve performance.
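As an added example (not code from elastic/detection-rules), this Python simulation replays constructed CloudTrail-style events through a minimal new-terms check to show why keying on `user.id` alerts once per role session while `cloud.account.id` plus `user.name` alerts once per role and still separates accounts that reuse an IAM name; the same key change is applied in the DynamoDB and SNS tunings further down this page. Field names follow ECS; the event values and the exact-match history are assumptions.

```python
"""Simulates how a "new terms" rule keys its history, to show why keying on
user.id (one principal id per AssumeRole session) alerts on every session
while keying on cloud.account.id + user.name alerts once per role."""

# Constructed CloudTrail-style events using ECS field names (assumption:
# each AssumeRole session gets a unique user.id but shares user.name).
SAMPLE_EVENTS = [
    {"cloud.account.id": "111111111111", "user.name": "DeployRole",
     "user.id": "AROAEXAMPLE1:session-a", "event.action": "GetCallerIdentity"},
    {"cloud.account.id": "111111111111", "user.name": "DeployRole",
     "user.id": "AROAEXAMPLE1:session-b", "event.action": "GetCallerIdentity"},
    {"cloud.account.id": "111111111111", "user.name": "DeployRole",
     "user.id": "AROAEXAMPLE1:session-c", "event.action": "GetCallerIdentity"},
    # Same role name reused in a second account of the same Org.
    {"cloud.account.id": "222222222222", "user.name": "DeployRole",
     "user.id": "AROAEXAMPLE2:session-a", "event.action": "GetCallerIdentity"},
]


def new_terms_alerts(events, fields, history=None):
    """Return the events whose combined term tuple was not seen before.

    `fields` lists the new_terms fields; the history is keyed on the tuple
    of their values, mirroring how a multi-field new_terms rule treats the
    combination as one term (assumption: exact-match keys, no wildcards).
    `history` seeds the set of terms already seen in the history window.
    """
    seen = set(history or ())
    alerts = []
    for ev in events:
        key = tuple(ev.get(f) for f in fields)
        if key not in seen:
            seen.add(key)
            alerts.append(ev)
    return alerts


def compare_keys(events):
    """Alert counts for the three candidate new_terms keys on one event set."""
    per_session = new_terms_alerts(events, ["user.id"])
    per_role = new_terms_alerts(events, ["cloud.account.id", "user.name"])
    name_only = new_terms_alerts(events, ["user.name"])
    return {
        "user.id": len(per_session),          # one alert per role session
        "account+name": len(per_role),        # one alert per role per account
        "name": len(name_only),               # merges accounts that reuse a name
    }


if __name__ == "__main__":
    print(compare_keys(SAMPLE_EVENTS))
```

Keying on `user.name` alone is shown too: it collapses the two accounts into a single alert, which is why the tuning pairs it with `cloud.account.id`.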
…eb_service.toml (#5008)
* [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 1 * Update defense_evasion_amsi_bypass_dllhijack.toml * Update command_and_control_outlook_home_page.toml * Update command_and_control_outlook_home_page.toml * Update defense_evasion_amsi_bypass_dllhijack.toml * Update rules/windows/command_and_control_port_forwarding_added_registry.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> --------- Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 2 * Update defense_evasion_code_signing_policy_modification_registry.toml * Update defense_evasion_communication_apps_suspicious_child_process.toml * Update rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml * Update defense_evasion_communication_apps_suspicious_child_process.toml --------- Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 3 * Apply suggestions from code review Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/windows/defense_evasion_file_creation_mult_extension.toml * Update rules/windows/defense_evasion_file_creation_mult_extension.toml --------- Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 4 * Update rules/windows/defense_evasion_microsoft_defender_tampering.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> --------- Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 5 * Update defense_evasion_ms_office_suspicious_regmod.toml
* [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 6 * Apply suggestions from code review Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update defense_evasion_proxy_execution_via_msdt.toml --------- Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 8 * Apply suggestions from code review Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update defense_evasion_wdac_policy_by_unusual_process.toml --------- Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 11 * Apply suggestions from code review Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> --------- Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 12 * Update rules/windows/persistence_app_compat_shim.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> --------- Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 14 * Apply suggestions from code review Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> --------- Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 15 * Apply suggestions from code review Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * ++ --------- Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 13 * Apply suggestions from code review Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> --------- Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* [Tuning] First Time AWS Cloudformation Stack Creation by User
- corrected a creation_date error
- Removed `CreateStackSet` API call as this only creates a blueprint for creating stack instances across multiple AWS accounts and regions but does not actually create the resources
- Added `CreateStackInstances` API call which is used to create resources defined in the StackSet
- removed user from rule name as this also triggers for roles
- edited description and investigation guide
- added Mitre technique

* adding highlighted fields
…5007)

Rule is executing as expected, however it is alerting on failed requests. Low alert telemetry. This tuning:
- removed markdown and edited description to be more specific
- reduced execution window for 1 min lookback
- name change to add `AWS` consistent with all other rules
- added references that reflect in the wild threats and persistence usage
- increased risk_score and severity to medium accounting for usage as persistence mechanism in the wild
- added Persistence tag and Mitre tactic, technique, subtechnique
- added `event.outcome: success` criteria to query
- edited investigation guide to be more accurate reflection of steps required for investigating alert, including appropriate response action
- added highlighted fields

Note: only IAMUser and Root user identities can call these actions so we can use `aws.cloudtrail.user_identity.arn` as the new terms field without worrying about Role vs Role + Session issue seen with other new_terms rules
* tuning rule 'Multi-Factor Authentication Disabled for User' * adjusted query logic * fixed query logic for optimization that passes unit tests; changed severity and risk back to medium
… 365 (#4994) * adding new rule 'Threat Intelligence Signal - Microsoft Defender for Office 365' * added mitre mapping * Update rules/integrations/o365/initial_access_defender_for_m365_threat_intelligence_signal.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * added note for max signals * linted * fixed unit test failure --------- Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
…cess (#4997) * tuning rule 'Microsoft Entra ID Suspicious Session Reuse to Graph Access' * Update rules/integrations/azure/initial_access_entra_graph_single_session_from_multiple_addresses.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> --------- Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
* adding toolshell attack chain rules for exploit and RCE * updated query * added references * fixed references; linted * Update rules/network/execution_potential_rce_via_toolshell.toml Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com> * Update rules/network/initial_access_potential_toolshell_exploit_attempt.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * changed to BBR; lowered severity; adjusted queries * Update rules_building_block/execution_potential_rce_via_toolshell.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules_building_block/execution_potential_rce_via_toolshell.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * fixed from and interval failures * changed file name --------- Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com> Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* [Rule Tuning] M365 Portal Logins (Impossible & Atypical) Fixes #5009 * updated new terms value * fixed unit test failures * Update rules/integrations/o365/initial_access_microsoft_365_portal_login_from_rare_location.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/integrations/o365/initial_access_microsoft_365_impossible_travel_portal_logins.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * adjusted rule name and file names * fixed field misspelling * fixed investigation guide --------- Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
…5037) * [Rule Tuning] 3rd Party EDR Compatibility - Adjust CS Windows Paths * ++ * Update defense_evasion_workfolders_control_execution.toml * Update privilege_escalation_uac_bypass_event_viewer.toml
* [New/Tuning] Windows Top Threats 2024/2025

1) MSHTA:
- tuning to exclude FPs
- new rule `Remote Script via Microsoft HTML Application` compatible with 3rd party EDR/sysmon/system/winlog integration and that does not require correlation or multiple types of events.

2) MSIEXEC:

* Update defense_evasion_mshta_susp_child.toml
* Update defense_evasion_script_via_html_app.toml
* Update defense_evasion_mshta_susp_child.toml
* Create defense_evasion_msiexec_remote_payload.toml
* Update defense_evasion_msiexec_remote_payload.toml
* ++
* Create execution_scripting_remote_webdav.toml
* Create execution_windows_fakecaptcha_cmd_ps.toml
* Create command_and_control_rmm_netsupport_susp_path.toml
* Update command_and_control_rmm_netsupport_susp_path.toml
* ++
* Update execution_jscript_fake_updates.toml
* Create command_and_control_dns_susp_tld.toml
* ++
* Create command_and_control_remcos_rat_iocs.toml
* Update execution_windows_fakecaptcha_cmd_ps.toml
* Update execution_scripts_archive_file.toml
* Update defense_evasion_masquerading_renamed_autoit.toml
* ++
* Create execution_nodejs_susp_patterns.toml
* Update execution_nodejs_susp_patterns.toml
* Update execution_windows_fakecaptcha_cmd_ps.toml
* Fix unit test errors
* Update defense_evasion_network_connection_from_windows_binary.toml
* Add system index
* Add tag
* Update rules/windows/command_and_control_remcos_rat_iocs.toml Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* Remove duplicate
* Update defense_evasion_msiexec_child_proc_netcon.toml
* Update defense_evasion_masquerading_renamed_autoit.toml
* Update defense_evasion_masquerading_renamed_autoit.toml
* Update defense_evasion_masquerading_renamed_autoit.toml
* Create credential_access_browsers_unusual_parent.toml
* Update credential_access_browsers_unusual_parent.toml
* ++
* Update defense_evasion_masquerading_renamed_autoit.toml
* Update rules/windows/command_and_control_dns_susp_tld.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/command_and_control_remcos_rat_iocs.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/defense_evasion_mshta_susp_child.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/discovery_host_public_ip_address_lookup.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/discovery_host_public_ip_address_lookup.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/execution_windows_phish_clickfix.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update discovery_host_public_ip_address_lookup.toml
* Update execution_windows_phish_clickfix.toml
* Update rules/windows/defense_evasion_script_via_html_app.toml
* Update rules/windows/command_and_control_dns_susp_tld.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/discovery_host_public_ip_address_lookup.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/command_and_control_dns_susp_tld.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/credential_access_browsers_unusual_parent.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/command_and_control_dns_susp_tld.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/defense_evasion_msiexec_child_proc_netcon.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/discovery_host_public_ip_address_lookup.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/defense_evasion_msiexec_child_proc_netcon.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/discovery_host_public_ip_address_lookup.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/defense_evasion_msiexec_child_proc_netcon.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/execution_nodejs_susp_patterns.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update discovery_host_public_ip_address_lookup.toml
* Update rules/windows/command_and_control_dns_susp_tld.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update defense_evasion_masquerading_renamed_autoit.toml
* Update defense_evasion_script_via_html_app.toml

---------

Co-authored-by: eric-forte-elastic <eric.forte@elastic.co>
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* [New] Potential System Tampering via File Modification * Update impact_mod_critical_os_files.toml * Update rules/windows/impact_mod_critical_os_files.toml * Create defense_evasion_modify_ownership_os_files.toml * Update defense_evasion_modify_ownership_os_files.toml * Update defense_evasion_modify_ownership_os_files.toml * Update defense_evasion_modify_ownership_os_files.toml * Update defense_evasion_modify_ownership_os_files.toml --------- Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* updated rule logic * adjusted similar rule; added factor specification * updated investigation guide --------- Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
This rule is performing as expected with low noise in telemetry, so no changes to query
- added investigation fields
- small edits to description and IG
- added a reference from Unit42 showing real world threat case
- reduced execution window
* [Rule Tunings] AWS DynamoDB new terms Rules

### AWS DynamoDB Scan by Unusual User
- changed new terms field to use cloud.account.id and user.name combination to account for roles and users
- reduced execution window
- reduced history window
- small edits to description, IG and highlighted fields

### AWS DynamoDB Table Exported to S3
- removed inaccurate setup notes
- reduced history window
- small edits to description and highlighted fields

* Apply suggestions from code review
* [Rule Tuning] AWS S3 Unauthenticated Bucket Access by Rare Source

No query changes as this rule is alerting as expected, however I did change the new terms field to be a combination of an IP address and a particular bucket name, rather than just alerting for the IP address itself. Perhaps an IP is seen retrieving a doc from a public bucket in the environment (expected behavior) but then it also accesses a file in a bucket meant to be private (unexpected behavior). With new terms only on the IP address we would miss the private bucket access.
- added `tls.client.server_name` to new terms field (bucket name)
- reduced execution window
- removed duplicate IG
- added setup note for turning on data events
- small edits to description and highlighted fields

* Update collection_s3_unauthenticated_bucket_access_by_rare_source.toml
* Update collection_s3_unauthenticated_bucket_access_by_rare_source.toml
* Update collection_s3_unauthenticated_bucket_access_by_rare_source.toml
* Update collection_s3_unauthenticated_bucket_access_by_rare_source.toml
AWS SNS is a pub/sub style service where users can subscribe to a topic and receive messages published to that topic. Below is a screenshot of the different protocols a user could subscribe with and the various endpoints that could be associated with those protocols.

AWS SNS Email Subscription by Rare User --> AWS SNS Rare Protocol Subscription by User (not a new rule)
- changed the scope of the rule to capture the first time a user/role subscribes to a topic via a particular protocol (i.e. email, http, lambda, mobile). Subscribing to an SNS topic via email is a rather normal behavior and it would be normal for each user to subscribe this way "for the first time", making this rule not as valuable as it was intended to be.
- reduced execution window
- added real-world threat references
- added additional MITRE technique and Impact tag
- small edits to IG and Description
- edited highlighted fields

AWS SNS Topic Message Publish by Rare User
- added AWS to name for consistency
- changed new terms fields to use a combination of cloud.account.id and user.name against the topic itself `aws.cloudtrail.resources.arn`, so that instead of simply evaluating the first time a user/role publishes a message to ANY topic, this rule now looks for the first time a user/role publishes a message to a particular topic. We want to make this distinction to capture the case where an identity responsible for publishing to a particular topic A suddenly starts publishing to another topic B, which indicates behavior that should be verified.
- reduced new terms window
- added setup notes as Data events are necessary for capturing the `Publish` API call
- reduced execution window
- added real-world threat references
- added additional MITRE technique and Impact tag
- small edits to IG and Description
- edited highlighted fields

AWS SNS Topic Created by Rare User
- removed the `AssumedRole` and `*-i*` parameters from the query as this narrowed the query to only alert on behavior from EC2 instance roles. We ideally want to evaluate this behavior for all users and roles.
- reduced execution window
- added real-world threat references
- added additional MITRE technique and Impact tag
- small edits to IG and Description
- edited highlighted fields
* [Tuning] AWS Access Token Used from Multiple Addresses

Tuning was triggered by a community member
- fixes wildcard and `Pulumi` typos to exclude common IaC tools
- adds exclusion for `source.as.organization.name == "AMAZON-02" and aws.cloudtrail.event_category == "Data"` to exclude the noisy multi-IP traffic coming from Amazon-02 networks performing high-throughput data-plane operations. I didn't exclude this network completely because this network can also indicate user-triggered events that are worth keeping in the alert.
- added additional high noise service providers that may be more indicative of console browsing
- added a field for pairing source.ip & network
- added highlighted fields

* Update rules/integrations/aws/initial_access_iam_session_token_used_from_multiple_addresses.toml
* Update rules/integrations/aws/initial_access_iam_session_token_used_from_multiple_addresses.toml
* [Rule Tuning] Remote Execution via File Shares * Apply suggestions from code review Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/windows/lateral_movement_execution_via_file_shares_sequence.toml * Update rules/windows/lateral_movement_execution_via_file_shares_sequence.toml --------- Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* [Rule Tuning] PowerShell Rules * Update defense_evasion_posh_defender_tampering.toml * [Rule Tuning] Connection to Commonly Abused Web Services * Revert "[Rule Tuning] Connection to Commonly Abused Web Services" This reverts commit 74dcea0.
Co-authored-by: Shashank K S <Shashank.Suryanarayana@elastic.co>
* [Rule Tuning] Windows High Severity - 1 * Update command_and_control_headless_browser.toml * Update defense_evasion_execution_suspicious_explorer_winword.toml * Update command_and_control_outlook_home_page.toml
* [Rule Tuning] Windows High Severity - 2 * [Rule Tuning] Windows High Severity - 3 * Revert "[Rule Tuning] Windows High Severity - 3" This reverts commit 32c8348.
* [Rule Tuning] Windows High Severity - 3 * Update execution_pdf_written_file.toml * Update execution_pdf_written_file.toml * Update execution_pdf_written_file.toml
* [Rule Tuning] Fix process.pe.original_file_name Conditions * --
* [Rule Tuning] Windows High Severity - 4 * Update initial_access_execution_from_inetcache.toml
* [Rule Tuning] Windows High Severity - 4 * Update privilege_escalation_windows_service_via_unusual_client.toml
* [Rule Tuning] High-Severity Noisy Rules Conversion to new_terms * ++ * ++ * Update credential_access_dcsync_replication_rights.toml * Update persistence_webshell_detection.toml * ++ * Update persistence_webshell_detection.toml
* Add headers to public call
* Add Note for stop gap
) * [New] Device Registration via OAuth Code Authentication * Update credential_access_antra_id_device_reg_via_oauth_redirection.toml * Create persistence_identity_protect_alert_followed_by_device_reg.toml * Update credential_access_antra_id_device_reg_via_oauth_redirection.toml * Create initial_access_multi_azure_identity_protection_alerts.toml * changed from KQL to EQL * updated rules; query logic changes; investigation guides; schema * updating patch version * Update pyproject.toml * ++ * Update non-ecs-schema.json * Update rules/integrations/azure/persistence_identity_protect_alert_followed_by_device_reg.toml Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com> * Update rules/integrations/azure/persistence_identity_protect_alert_followed_by_device_reg.toml Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com> * Update persistence_identity_protect_alert_followed_by_device_reg.toml * Update persistence_identity_protect_alert_followed_by_device_reg.toml * Update persistence_identity_protect_alert_followed_by_device_reg.toml --------- Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co> Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com> Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* [New Rule] Curl or Wget Spawned via Node.js * Update command_and_control_curl_wget_spawn_via_nodejs_parent.toml
…5135) * [Rule Tuning] Mark some field optional for 3rd party compatibility * bump
* Update execution_suspicious_powershell_imgload.toml * Update execution_suspicious_powershell_imgload.toml
…istrator (#5107) * updating Azure AD Global Administrator Role Assigned * removed logic changes as it only affects outside of PIM. Adding a different rule for these * slight change to query * tuning rule Microsoft Entra ID Elevated Access to User Access Administrator * revert changes * Added operation name to query logic
No description provided.