[Rule Tuning] Agent Spoofing - Multiple Hosts Using Same Agent #3790
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Events containing "forwarded" as a tag may include host information that is not related to the host running elastic agent. This triggers false positive alerts. Examples include Entity Analytics integrations, Palo Alto GlobalProtect activity, and M365 Defender device events.
Samirbous
approved these changes
Jun 24, 2024
Aegrah
approved these changes
Jun 25, 2024
protectionsmachine
pushed a commit
that referenced
this pull request
Jun 25, 2024
Events containing "forwarded" as a tag may include host information that is not related to the host running elastic agent. This triggers false positive alerts. Examples include Entity Analytics integrations, Palo Alto GlobalProtect activity, and M365 Defender device events. Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> (cherry picked from commit 0726ce4)
protectionsmachine
pushed a commit
that referenced
this pull request
Jun 25, 2024
Events containing "forwarded" as a tag may include host information that is not related to the host running elastic agent. This triggers false positive alerts. Examples include Entity Analytics integrations, Palo Alto GlobalProtect activity, and M365 Defender device events. Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> (cherry picked from commit 0726ce4)
protectionsmachine
pushed a commit
that referenced
this pull request
Jun 25, 2024
Events containing "forwarded" as a tag may include host information that is not related to the host running elastic agent. This triggers false positive alerts. Examples include Entity Analytics integrations, Palo Alto GlobalProtect activity, and M365 Defender device events. Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> (cherry picked from commit 0726ce4)
protectionsmachine
pushed a commit
that referenced
this pull request
Jun 25, 2024
Events containing "forwarded" as a tag may include host information that is not related to the host running elastic agent. This triggers false positive alerts. Examples include Entity Analytics integrations, Palo Alto GlobalProtect activity, and M365 Defender device events. Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> (cherry picked from commit 0726ce4)
protectionsmachine
pushed a commit
that referenced
this pull request
Jun 25, 2024
Events containing "forwarded" as a tag may include host information that is not related to the host running elastic agent. This triggers false positive alerts. Examples include Entity Analytics integrations, Palo Alto GlobalProtect activity, and M365 Defender device events. Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> (cherry picked from commit 0726ce4)
protectionsmachine
pushed a commit
that referenced
this pull request
Jun 25, 2024
Events containing "forwarded" as a tag may include host information that is not related to the host running elastic agent. This triggers false positive alerts. Examples include Entity Analytics integrations, Palo Alto GlobalProtect activity, and M365 Defender device events. Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> (cherry picked from commit 0726ce4)
jvalente-salemstate
deleted the
agent-spoofing-multiple-hosts-tune-forwarded
branch
imays11
added a commit
that referenced
this pull request
Jun 25, 2024
commit 6746a42 Author: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Date: Tue Jun 25 16:14:28 2024 +0200 [New Rules] Yum Plugin Creation / Discovery (#3820) * [New Rules] Yum Plugin Creation / Discovery * Update discovery_yum_plugin_detection.toml * Update and rename discovery_yum_plugin_detection.toml to discovery_yum_dnf_plugin_detection.toml commit 632e169 Author: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> Date: Tue Jun 25 09:35:36 2024 -0400 [Hunt Tuning] Add Descriptions, Collapse Queries and Re-Generate Docs (#3791) * add description to hunting schema; change queries to be a list * update createremotethreat by process hunt * update dll hijack and masquerading as MSFT library * remove sysmon specific dDLL hijack via masquerading MSFT library * updated Masquerading Attempts as Native Windows Binaries * updates Rare DLL Side-Loading by Occurrence * updates Rare LSASS Process Access Attempts * update DNS Queries via LOLBins with Low Occurence Frequency * updated Low Occurrence of Drivers Loaded on Unique Hosts * updates Excessive RDP Network Activity by Host and User * updates Excessive SMB Network Activity by Process ID * updated Executable File Creation by an Unusual Microsoft Binary * Frequency of Process Execution and Network Logon by Source Address * updates Frequency of Process Execution and Network Logon by Source Address * updated Execution via Remote Services by Client Address * updated Startup Execution with Low Occurrence Frequency by Unique Host * updated Low Frequency of Process Execution via WMI by Unique Agent * updated Low Frequency of Process Execution via Windows Scheduled Task by Unique Agent * updated Low Occurence of Process Execution via Windows Services with Unique Agent * Updated High Count of Network Connection Over Extended Period by Process * update Libraries Loaded by svchost with Low Occurrence Frequency * updated Microsoft Office Child Processes with Low Occurrence Frequency by Unique Agent * updated Network Discovery via Sensitive Ports by Unusual Process * updated PE File Transfer via SMB_Admin Shares by Agent or User * updated Persistence via Run Key with Low Occurrence Frequency * updates Persistence via Startup with Low Occurrence Frequency by Unique Host * updates "Persistence via Run Key with Low Occurrence Frequency"; adjusted file names to remove data source * updates "Low Occurrence of Suspicious Launch Agent or Launch Daemon" * updates "Egress Network Connections with Total Bytes Greater than Threshold" * updates "Rundll32 Execution Aggregated by Command Line" * updates "Scheduled tasks Creation by Action via Registry" * updates "Scheduled Tasks Creation for Unique Hosts by Task Command" * updates "Suspicious Base64 Encoded Powershell Command" * updates "Suspicious DNS TXT Record Lookups by Process" * updates "Unique Windows Services Creation by Service File Name" * Updates "Unique Windows Services Creation by Service File Name" * updates "Windows Command and Scripting Interpreter from Unusual Parent Process" * updates "Windows Logon Activity by Source IP" * updates "Suspicious Network Connections by Unsigned Mach-O" * updates LLM hunting queries * re-generated markdown files; updated generate markdown py file * updated test_hunt_data * Update hunting/macos/queries/suspicious_network_connections_by_unsigned_macho.toml Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * Update hunting/windows/queries/drivers_load_with_low_occurrence_frequency.toml Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * Update hunting/windows/queries/domain_names_queried_via_lolbins_and_with_low_occurence_frequency.toml Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * Update hunting/windows/queries/excessive_rdp_network_activity_by_source_host_and_user.toml Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * Update hunting/windows/queries/excessive_rdp_network_activity_by_source_host_and_user.toml Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * updated missing integrations * updated MD docs according to recent hunting changes * Update hunting/windows/queries/executable_file_creation_by_an_unusual_microsoft_binary.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update hunting/windows/queries/detect_rare_dll_sideload_by_occurrence.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update hunting/windows/queries/detect_masquerading_attempts_as_native_windows_binaries.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update hunting/windows/queries/detect_dll_hijack_via_masquerading_as_microsoft_native_libraries.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update hunting/llm/queries/aws_bedrock_dos_resource_exhaustion_detection.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * added enrichment policy link to rule * Update hunting/windows/docs/execution_via_windows_management_instrumentation_by_occurrence_frequency_by_unique_agent.md Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/windows/docs/windows_command_and_scripting_interpreter_from_unusual_parent.md Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/windows/docs/windows_command_and_scripting_interpreter_from_unusual_parent.md Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/windows/docs/rundll32_execution_aggregated_by_cmdline.md Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/windows/docs/microsoft_office_child_processes_with_low_occurrence_frequency.md Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/windows/docs/microsoft_office_child_processes_with_low_occurrence_frequency.md Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/windows/queries/execution_via_windows_management_instrumentation_by_occurrence_frequency_by_unique_agent.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/windows/queries/execution_via_windows_management_instrumentation_by_occurrence_frequency_by_unique_agent.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/index.md Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/windows/docs/execution_via_network_logon_by_occurrence_frequency_by_top_source_ip.md Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/windows/queries/execution_via_network_logon_by_occurrence_frequency_by_top_source_ip.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> --------- Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> commit 6f43d1f Author: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Date: Tue Jun 25 17:58:37 2024 +0530 Lock versions for releases: 8.9,8.10,8.11,8.12,8.13,8.14 (#3821) commit 0726ce4 Author: James Valente <65730960+jvalente-salemstate@users.noreply.github.com> Date: Tue Jun 25 07:22:07 2024 -0400 Tune rule to exclude forwarded events. (#3790) Events containing "forwarded" as a tag may include host information that is not related to the host running elastic agent. This triggers false positive alerts. Examples include Entity Analytics integrations, Palo Alto GlobalProtect activity, and M365 Defender device events. Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> commit 2708a89 Author: Isai <59296946+imays11@users.noreply.github.com> Date: Tue Jun 25 00:11:48 2024 -0400 [New Rule] AWS IAM User Created Access Keys for Another User (#3788) * [New Rule] AWS IAM User Created Access Keys for Another User ... * updated min_stack and removed index field * reversed tactic order * added AWS documentation as reference * Apply suggestions from code review updated_date, query format change, removed keep from query commit da8f3e4 Author: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> Date: Fri Jun 21 13:11:23 2024 -0400 [New Rule] Okta Credential Stuffing and Password Spraying Identification via Source, Device Token and Actor (#3797) * adding new rule 'Multiple Okta User Authentication Events with Same Device Token Hash' * adding new rule 'Multiple Okta User Authentication Events with Client Address' * updating UUIDs * removed indexes * adding new rule 'High Number of Okta Device Token Cookies Generated for Authentication' * added okta outcome reason 'INVALID_CREDENTIALS' to queries * updated risk score * made all rules low risk score * added user session start to rule * updated min-stack comments commit a131e02 Author: Mika Ayenson <Mika.ayenson@elastic.co> Date: Fri Jun 21 11:05:57 2024 -0500 Revert "Test case to check updated_date (#3764)" This reverts commit 7621a54. commit 7621a54 Author: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com> Date: Fri Jun 21 18:43:32 2024 +0530 Test case to check updated_date (#3764) commit 675cad2 Author: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com> Date: Fri Jun 21 18:29:39 2024 +0530 Incorrect Integration Index Check (#3794)
imays11
added a commit
that referenced
this pull request
Jun 28, 2024
* [New BBR] AWS RDS DB Snapshot Created ... * Squashed commit of the following: commit 6746a42 Author: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Date: Tue Jun 25 16:14:28 2024 +0200 [New Rules] Yum Plugin Creation / Discovery (#3820) * [New Rules] Yum Plugin Creation / Discovery * Update discovery_yum_plugin_detection.toml * Update and rename discovery_yum_plugin_detection.toml to discovery_yum_dnf_plugin_detection.toml commit 632e169 Author: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> Date: Tue Jun 25 09:35:36 2024 -0400 [Hunt Tuning] Add Descriptions, Collapse Queries and Re-Generate Docs (#3791) * add description to hunting schema; change queries to be a list * update createremotethreat by process hunt * update dll hijack and masquerading as MSFT library * remove sysmon specific dDLL hijack via masquerading MSFT library * updated Masquerading Attempts as Native Windows Binaries * updates Rare DLL Side-Loading by Occurrence * updates Rare LSASS Process Access Attempts * update DNS Queries via LOLBins with Low Occurence Frequency * updated Low Occurrence of Drivers Loaded on Unique Hosts * updates Excessive RDP Network Activity by Host and User * updates Excessive SMB Network Activity by Process ID * updated Executable File Creation by an Unusual Microsoft Binary * Frequency of Process Execution and Network Logon by Source Address * updates Frequency of Process Execution and Network Logon by Source Address * updated Execution via Remote Services by Client Address * updated Startup Execution with Low Occurrence Frequency by Unique Host * updated Low Frequency of Process Execution via WMI by Unique Agent * updated Low Frequency of Process Execution via Windows Scheduled Task by Unique Agent * updated Low Occurence of Process Execution via Windows Services with Unique Agent * Updated High Count of Network Connection Over Extended Period by Process * update Libraries Loaded by svchost with Low Occurrence Frequency * updated Microsoft Office Child Processes with Low Occurrence Frequency by Unique Agent * updated Network Discovery via Sensitive Ports by Unusual Process * updated PE File Transfer via SMB_Admin Shares by Agent or User * updated Persistence via Run Key with Low Occurrence Frequency * updates Persistence via Startup with Low Occurrence Frequency by Unique Host * updates "Persistence via Run Key with Low Occurrence Frequency"; adjusted file names to remove data source * updates "Low Occurrence of Suspicious Launch Agent or Launch Daemon" * updates "Egress Network Connections with Total Bytes Greater than Threshold" * updates "Rundll32 Execution Aggregated by Command Line" * updates "Scheduled tasks Creation by Action via Registry" * updates "Scheduled Tasks Creation for Unique Hosts by Task Command" * updates "Suspicious Base64 Encoded Powershell Command" * updates "Suspicious DNS TXT Record Lookups by Process" * updates "Unique Windows Services Creation by Service File Name" * Updates "Unique Windows Services Creation by Service File Name" * updates "Windows Command and Scripting Interpreter from Unusual Parent Process" * updates "Windows Logon Activity by Source IP" * updates "Suspicious Network Connections by Unsigned Mach-O" * updates LLM hunting queries * re-generated markdown files; updated generate markdown py file * updated test_hunt_data * Update hunting/macos/queries/suspicious_network_connections_by_unsigned_macho.toml Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * Update hunting/windows/queries/drivers_load_with_low_occurrence_frequency.toml Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * Update hunting/windows/queries/domain_names_queried_via_lolbins_and_with_low_occurence_frequency.toml Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * Update hunting/windows/queries/excessive_rdp_network_activity_by_source_host_and_user.toml Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * Update hunting/windows/queries/excessive_rdp_network_activity_by_source_host_and_user.toml Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * updated missing integrations * updated MD docs according to recent hunting changes * Update hunting/windows/queries/executable_file_creation_by_an_unusual_microsoft_binary.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update hunting/windows/queries/detect_rare_dll_sideload_by_occurrence.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update hunting/windows/queries/detect_masquerading_attempts_as_native_windows_binaries.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update hunting/windows/queries/detect_dll_hijack_via_masquerading_as_microsoft_native_libraries.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update hunting/llm/queries/aws_bedrock_dos_resource_exhaustion_detection.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * added enrichment policy link to rule * Update hunting/windows/docs/execution_via_windows_management_instrumentation_by_occurrence_frequency_by_unique_agent.md Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/windows/docs/windows_command_and_scripting_interpreter_from_unusual_parent.md Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/windows/docs/windows_command_and_scripting_interpreter_from_unusual_parent.md Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/windows/docs/rundll32_execution_aggregated_by_cmdline.md Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/windows/docs/microsoft_office_child_processes_with_low_occurrence_frequency.md Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/windows/docs/microsoft_office_child_processes_with_low_occurrence_frequency.md Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/windows/queries/execution_via_windows_management_instrumentation_by_occurrence_frequency_by_unique_agent.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/windows/queries/execution_via_windows_management_instrumentation_by_occurrence_frequency_by_unique_agent.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/index.md Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/windows/docs/execution_via_network_logon_by_occurrence_frequency_by_top_source_ip.md Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/windows/queries/execution_via_network_logon_by_occurrence_frequency_by_top_source_ip.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> --------- Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> commit 6f43d1f Author: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Date: Tue Jun 25 17:58:37 2024 +0530 Lock versions for releases: 8.9,8.10,8.11,8.12,8.13,8.14 (#3821) commit 0726ce4 Author: James Valente <65730960+jvalente-salemstate@users.noreply.github.com> Date: Tue Jun 25 07:22:07 2024 -0400 Tune rule to exclude forwarded events. (#3790) Events containing "forwarded" as a tag may include host information that is not related to the host running elastic agent. This triggers false positive alerts. Examples include Entity Analytics integrations, Palo Alto GlobalProtect activity, and M365 Defender device events. Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> commit 2708a89 Author: Isai <59296946+imays11@users.noreply.github.com> Date: Tue Jun 25 00:11:48 2024 -0400 [New Rule] AWS IAM User Created Access Keys for Another User (#3788) * [New Rule] AWS IAM User Created Access Keys for Another User ... * updated min_stack and removed index field * reversed tactic order * added AWS documentation as reference * Apply suggestions from code review updated_date, query format change, removed keep from query commit da8f3e4 Author: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> Date: Fri Jun 21 13:11:23 2024 -0400 [New Rule] Okta Credential Stuffing and Password Spraying Identification via Source, Device Token and Actor (#3797) * adding new rule 'Multiple Okta User Authentication Events with Same Device Token Hash' * adding new rule 'Multiple Okta User Authentication Events with Client Address' * updating UUIDs * removed indexes * adding new rule 'High Number of Okta Device Token Cookies Generated for Authentication' * added okta outcome reason 'INVALID_CREDENTIALS' to queries * updated risk score * made all rules low risk score * added user session start to rule * updated min-stack comments commit a131e02 Author: Mika Ayenson <Mika.ayenson@elastic.co> Date: Fri Jun 21 11:05:57 2024 -0500 Revert "Test case to check updated_date (#3764)" This reverts commit 7621a54. commit 7621a54 Author: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com> Date: Fri Jun 21 18:43:32 2024 +0530 Test case to check updated_date (#3764) commit 675cad2 Author: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com> Date: Fri Jun 21 18:29:39 2024 +0530 Incorrect Integration Index Check (#3794) * fix technique id
protectionsmachine
pushed a commit
that referenced
this pull request
Jun 28, 2024
* [New BBR] AWS RDS DB Snapshot Created ... * Squashed commit of the following: commit 6746a42 Author: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Date: Tue Jun 25 16:14:28 2024 +0200 [New Rules] Yum Plugin Creation / Discovery (#3820) * [New Rules] Yum Plugin Creation / Discovery * Update discovery_yum_plugin_detection.toml * Update and rename discovery_yum_plugin_detection.toml to discovery_yum_dnf_plugin_detection.toml commit 632e169 Author: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> Date: Tue Jun 25 09:35:36 2024 -0400 [Hunt Tuning] Add Descriptions, Collapse Queries and Re-Generate Docs (#3791) * add description to hunting schema; change queries to be a list * update createremotethreat by process hunt * update dll hijack and masquerading as MSFT library * remove sysmon specific dDLL hijack via masquerading MSFT library * updated Masquerading Attempts as Native Windows Binaries * updates Rare DLL Side-Loading by Occurrence * updates Rare LSASS Process Access Attempts * update DNS Queries via LOLBins with Low Occurence Frequency * updated Low Occurrence of Drivers Loaded on Unique Hosts * updates Excessive RDP Network Activity by Host and User * updates Excessive SMB Network Activity by Process ID * updated Executable File Creation by an Unusual Microsoft Binary * Frequency of Process Execution and Network Logon by Source Address * updates Frequency of Process Execution and Network Logon by Source Address * updated Execution via Remote Services by Client Address * updated Startup Execution with Low Occurrence Frequency by Unique Host * updated Low Frequency of Process Execution via WMI by Unique Agent * updated Low Frequency of Process Execution via Windows Scheduled Task by Unique Agent * updated Low Occurence of Process Execution via Windows Services with Unique Agent * Updated High Count of Network Connection Over Extended Period by Process * update Libraries Loaded by svchost with Low Occurrence Frequency * updated Microsoft Office Child Processes with Low Occurrence Frequency by Unique Agent * updated Network Discovery via Sensitive Ports by Unusual Process * updated PE File Transfer via SMB_Admin Shares by Agent or User * updated Persistence via Run Key with Low Occurrence Frequency * updates Persistence via Startup with Low Occurrence Frequency by Unique Host * updates "Persistence via Run Key with Low Occurrence Frequency"; adjusted file names to remove data source * updates "Low Occurrence of Suspicious Launch Agent or Launch Daemon" * updates "Egress Network Connections with Total Bytes Greater than Threshold" * updates "Rundll32 Execution Aggregated by Command Line" * updates "Scheduled tasks Creation by Action via Registry" * updates "Scheduled Tasks Creation for Unique Hosts by Task Command" * updates "Suspicious Base64 Encoded Powershell Command" * updates "Suspicious DNS TXT Record Lookups by Process" * updates "Unique Windows Services Creation by Service File Name" * Updates "Unique Windows Services Creation by Service File Name" * updates "Windows Command and Scripting Interpreter from Unusual Parent Process" * updates "Windows Logon Activity by Source IP" * updates "Suspicious Network Connections by Unsigned Mach-O" * updates LLM hunting queries * re-generated markdown files; updated generate markdown py file * updated test_hunt_data * Update hunting/macos/queries/suspicious_network_connections_by_unsigned_macho.toml Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * Update hunting/windows/queries/drivers_load_with_low_occurrence_frequency.toml Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * Update hunting/windows/queries/domain_names_queried_via_lolbins_and_with_low_occurence_frequency.toml Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * Update hunting/windows/queries/excessive_rdp_network_activity_by_source_host_and_user.toml Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * Update hunting/windows/queries/excessive_rdp_network_activity_by_source_host_and_user.toml Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * updated missing integrations * updated MD docs according to recent hunting changes * Update hunting/windows/queries/executable_file_creation_by_an_unusual_microsoft_binary.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update hunting/windows/queries/detect_rare_dll_sideload_by_occurrence.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update hunting/windows/queries/detect_masquerading_attempts_as_native_windows_binaries.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update hunting/windows/queries/detect_dll_hijack_via_masquerading_as_microsoft_native_libraries.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update hunting/llm/queries/aws_bedrock_dos_resource_exhaustion_detection.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * added enrichment policy link to rule * Update hunting/windows/docs/execution_via_windows_management_instrumentation_by_occurrence_frequency_by_unique_agent.md Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/windows/docs/windows_command_and_scripting_interpreter_from_unusual_parent.md Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/windows/docs/windows_command_and_scripting_interpreter_from_unusual_parent.md Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/windows/docs/rundll32_execution_aggregated_by_cmdline.md Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/windows/docs/microsoft_office_child_processes_with_low_occurrence_frequency.md Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/windows/docs/microsoft_office_child_processes_with_low_occurrence_frequency.md Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/windows/queries/execution_via_windows_management_instrumentation_by_occurrence_frequency_by_unique_agent.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/windows/queries/execution_via_windows_management_instrumentation_by_occurrence_frequency_by_unique_agent.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/index.md Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/windows/docs/execution_via_network_logon_by_occurrence_frequency_by_top_source_ip.md Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/windows/queries/execution_via_network_logon_by_occurrence_frequency_by_top_source_ip.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> --------- Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> commit 6f43d1f Author: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Date: Tue Jun 25 17:58:37 2024 +0530 Lock versions for releases: 8.9,8.10,8.11,8.12,8.13,8.14 (#3821) commit 0726ce4 Author: James Valente <65730960+jvalente-salemstate@users.noreply.github.com> Date: Tue Jun 25 07:22:07 2024 -0400 Tune rule to exclude forwarded events. (#3790) Events containing "forwarded" as a tag may include host information that is not related to the host running elastic agent. This triggers false positive alerts. Examples include Entity Analytics integrations, Palo Alto GlobalProtect activity, and M365 Defender device events. Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> commit 2708a89 Author: Isai <59296946+imays11@users.noreply.github.com> Date: Tue Jun 25 00:11:48 2024 -0400 [New Rule] AWS IAM User Created Access Keys for Another User (#3788) * [New Rule] AWS IAM User Created Access Keys for Another User ... * updated min_stack and removed index field * reversed tactic order * added AWS documentation as reference * Apply suggestions from code review updated_date, query format change, removed keep from query commit da8f3e4 Author: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> Date: Fri Jun 21 13:11:23 2024 -0400 [New Rule] Okta Credential Stuffing and Password Spraying Identification via Source, Device Token and Actor (#3797) * adding new rule 'Multiple Okta User Authentication Events with Same Device Token Hash' * adding new rule 'Multiple Okta User Authentication Events with Client Address' * updating UUIDs * removed indexes * adding new rule 'High Number of Okta Device Token Cookies Generated for Authentication' * added okta outcome reason 'INVALID_CREDENTIALS' to queries * updated risk score * made all rules low risk score * added user session start to rule * updated min-stack comments commit a131e02 Author: Mika Ayenson <Mika.ayenson@elastic.co> Date: Fri Jun 21 11:05:57 2024 -0500 Revert "Test case to check updated_date (#3764)" This reverts commit 7621a54. commit 7621a54 Author: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com> Date: Fri Jun 21 18:43:32 2024 +0530 Test case to check updated_date (#3764) commit 675cad2 Author: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com> Date: Fri Jun 21 18:29:39 2024 +0530 Incorrect Integration Index Check (#3794) * fix technique id (cherry picked from commit a8ce53f)
protectionsmachine
pushed a commit
that referenced
this pull request
Jun 28, 2024
* [New BBR] AWS RDS DB Snapshot Created ... * Squashed commit of the following: commit 6746a42 Author: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Date: Tue Jun 25 16:14:28 2024 +0200 [New Rules] Yum Plugin Creation / Discovery (#3820) * [New Rules] Yum Plugin Creation / Discovery * Update discovery_yum_plugin_detection.toml * Update and rename discovery_yum_plugin_detection.toml to discovery_yum_dnf_plugin_detection.toml commit 632e169 Author: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> Date: Tue Jun 25 09:35:36 2024 -0400 [Hunt Tuning] Add Descriptions, Collapse Queries and Re-Generate Docs (#3791) * add description to hunting schema; change queries to be a list * update createremotethreat by process hunt * update dll hijack and masquerading as MSFT library * remove sysmon specific dDLL hijack via masquerading MSFT library * updated Masquerading Attempts as Native Windows Binaries * updates Rare DLL Side-Loading by Occurrence * updates Rare LSASS Process Access Attempts * update DNS Queries via LOLBins with Low Occurence Frequency * updated Low Occurrence of Drivers Loaded on Unique Hosts * updates Excessive RDP Network Activity by Host and User * updates Excessive SMB Network Activity by Process ID * updated Executable File Creation by an Unusual Microsoft Binary * Frequency of Process Execution and Network Logon by Source Address * updates Frequency of Process Execution and Network Logon by Source Address * updated Execution via Remote Services by Client Address * updated Startup Execution with Low Occurrence Frequency by Unique Host * updated Low Frequency of Process Execution via WMI by Unique Agent * updated Low Frequency of Process Execution via Windows Scheduled Task by Unique Agent * updated Low Occurence of Process Execution via Windows Services with Unique Agent * Updated High Count of Network Connection Over Extended Period by Process * update Libraries Loaded by svchost with Low Occurrence Frequency * updated Microsoft Office Child Processes with Low Occurrence Frequency by Unique Agent * updated Network Discovery via Sensitive Ports by Unusual Process * updated PE File Transfer via SMB_Admin Shares by Agent or User * updated Persistence via Run Key with Low Occurrence Frequency * updates Persistence via Startup with Low Occurrence Frequency by Unique Host * updates "Persistence via Run Key with Low Occurrence Frequency"; adjusted file names to remove data source * updates "Low Occurrence of Suspicious Launch Agent or Launch Daemon" * updates "Egress Network Connections with Total Bytes Greater than Threshold" * updates "Rundll32 Execution Aggregated by Command Line" * updates "Scheduled tasks Creation by Action via Registry" * updates "Scheduled Tasks Creation for Unique Hosts by Task Command" * updates "Suspicious Base64 Encoded Powershell Command" * updates "Suspicious DNS TXT Record Lookups by Process" * updates "Unique Windows Services Creation by Service File Name" * Updates "Unique Windows Services Creation by Service File Name" * updates "Windows Command and Scripting Interpreter from Unusual Parent Process" * updates "Windows Logon Activity by Source IP" * updates "Suspicious Network Connections by Unsigned Mach-O" * updates LLM hunting queries * re-generated markdown files; updated generate markdown py file * updated test_hunt_data * Update hunting/macos/queries/suspicious_network_connections_by_unsigned_macho.toml Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * Update hunting/windows/queries/drivers_load_with_low_occurrence_frequency.toml Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * Update hunting/windows/queries/domain_names_queried_via_lolbins_and_with_low_occurence_frequency.toml Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * Update hunting/windows/queries/excessive_rdp_network_activity_by_source_host_and_user.toml Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * Update hunting/windows/queries/excessive_rdp_network_activity_by_source_host_and_user.toml Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * updated missing integrations * updated MD docs according to recent hunting changes * Update hunting/windows/queries/executable_file_creation_by_an_unusual_microsoft_binary.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update hunting/windows/queries/detect_rare_dll_sideload_by_occurrence.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update hunting/windows/queries/detect_masquerading_attempts_as_native_windows_binaries.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update hunting/windows/queries/detect_dll_hijack_via_masquerading_as_microsoft_native_libraries.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update hunting/llm/queries/aws_bedrock_dos_resource_exhaustion_detection.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * added enrichment policy link to rule * Update hunting/windows/docs/execution_via_windows_management_instrumentation_by_occurrence_frequency_by_unique_agent.md Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/windows/docs/windows_command_and_scripting_interpreter_from_unusual_parent.md Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/windows/docs/windows_command_and_scripting_interpreter_from_unusual_parent.md Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/windows/docs/rundll32_execution_aggregated_by_cmdline.md Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/windows/docs/microsoft_office_child_processes_with_low_occurrence_frequency.md Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/windows/docs/microsoft_office_child_processes_with_low_occurrence_frequency.md Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/windows/queries/execution_via_windows_management_instrumentation_by_occurrence_frequency_by_unique_agent.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/windows/queries/execution_via_windows_management_instrumentation_by_occurrence_frequency_by_unique_agent.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/index.md Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/windows/docs/execution_via_network_logon_by_occurrence_frequency_by_top_source_ip.md Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/windows/queries/execution_via_network_logon_by_occurrence_frequency_by_top_source_ip.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> --------- Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> commit 6f43d1f Author: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Date: Tue Jun 25 17:58:37 2024 +0530 Lock versions for releases: 8.9,8.10,8.11,8.12,8.13,8.14 (#3821) commit 0726ce4 Author: James Valente <65730960+jvalente-salemstate@users.noreply.github.com> Date: Tue Jun 25 07:22:07 2024 -0400 Tune rule to exclude forwarded events. (#3790) Events containing "forwarded" as a tag may include host information that is not related to the host running elastic agent. This triggers false positive alerts. Examples include Entity Analytics integrations, Palo Alto GlobalProtect activity, and M365 Defender device events. Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> commit 2708a89 Author: Isai <59296946+imays11@users.noreply.github.com> Date: Tue Jun 25 00:11:48 2024 -0400 [New Rule] AWS IAM User Created Access Keys for Another User (#3788) * [New Rule] AWS IAM User Created Access Keys for Another User ... * updated min_stack and removed index field * reversed tactic order * added AWS documentation as reference * Apply suggestions from code review updated_date, query format change, removed keep from query commit da8f3e4 Author: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> Date: Fri Jun 21 13:11:23 2024 -0400 [New Rule] Okta Credential Stuffing and Password Spraying Identification via Source, Device Token and Actor (#3797) * adding new rule 'Multiple Okta User Authentication Events with Same Device Token Hash' * adding new rule 'Multiple Okta User Authentication Events with Client Address' * updating UUIDs * removed indexes * adding new rule 'High Number of Okta Device Token Cookies Generated for Authentication' * added okta outcome reason 'INVALID_CREDENTIALS' to queries * updated risk score * made all rules low risk score * added user session start to rule * updated min-stack comments commit a131e02 Author: Mika Ayenson <Mika.ayenson@elastic.co> Date: Fri Jun 21 11:05:57 2024 -0500 Revert "Test case to check updated_date (#3764)" This reverts commit 7621a54. commit 7621a54 Author: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com> Date: Fri Jun 21 18:43:32 2024 +0530 Test case to check updated_date (#3764) commit 675cad2 Author: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com> Date: Fri Jun 21 18:29:39 2024 +0530 Incorrect Integration Index Check (#3794) * fix technique id (cherry picked from commit a8ce53f)
protectionsmachine
pushed a commit
that referenced
this pull request
Jun 28, 2024
* [New BBR] AWS RDS DB Snapshot Created ... * Squashed commit of the following: commit 6746a42 Author: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Date: Tue Jun 25 16:14:28 2024 +0200 [New Rules] Yum Plugin Creation / Discovery (#3820) * [New Rules] Yum Plugin Creation / Discovery * Update discovery_yum_plugin_detection.toml * Update and rename discovery_yum_plugin_detection.toml to discovery_yum_dnf_plugin_detection.toml commit 632e169 Author: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> Date: Tue Jun 25 09:35:36 2024 -0400 [Hunt Tuning] Add Descriptions, Collapse Queries and Re-Generate Docs (#3791) * add description to hunting schema; change queries to be a list * update createremotethreat by process hunt * update dll hijack and masquerading as MSFT library * remove sysmon specific dDLL hijack via masquerading MSFT library * updated Masquerading Attempts as Native Windows Binaries * updates Rare DLL Side-Loading by Occurrence * updates Rare LSASS Process Access Attempts * update DNS Queries via LOLBins with Low Occurence Frequency * updated Low Occurrence of Drivers Loaded on Unique Hosts * updates Excessive RDP Network Activity by Host and User * updates Excessive SMB Network Activity by Process ID * updated Executable File Creation by an Unusual Microsoft Binary * Frequency of Process Execution and Network Logon by Source Address * updates Frequency of Process Execution and Network Logon by Source Address * updated Execution via Remote Services by Client Address * updated Startup Execution with Low Occurrence Frequency by Unique Host * updated Low Frequency of Process Execution via WMI by Unique Agent * updated Low Frequency of Process Execution via Windows Scheduled Task by Unique Agent * updated Low Occurence of Process Execution via Windows Services with Unique Agent * Updated High Count of Network Connection Over Extended Period by Process * update Libraries Loaded by svchost with Low Occurrence Frequency * updated Microsoft Office Child Processes with Low Occurrence Frequency by Unique Agent * updated Network Discovery via Sensitive Ports by Unusual Process * updated PE File Transfer via SMB_Admin Shares by Agent or User * updated Persistence via Run Key with Low Occurrence Frequency * updates Persistence via Startup with Low Occurrence Frequency by Unique Host * updates "Persistence via Run Key with Low Occurrence Frequency"; adjusted file names to remove data source * updates "Low Occurrence of Suspicious Launch Agent or Launch Daemon" * updates "Egress Network Connections with Total Bytes Greater than Threshold" * updates "Rundll32 Execution Aggregated by Command Line" * updates "Scheduled tasks Creation by Action via Registry" * updates "Scheduled Tasks Creation for Unique Hosts by Task Command" * updates "Suspicious Base64 Encoded Powershell Command" * updates "Suspicious DNS TXT Record Lookups by Process" * updates "Unique Windows Services Creation by Service File Name" * Updates "Unique Windows Services Creation by Service File Name" * updates "Windows Command and Scripting Interpreter from Unusual Parent Process" * updates "Windows Logon Activity by Source IP" * updates "Suspicious Network Connections by Unsigned Mach-O" * updates LLM hunting queries * re-generated markdown files; updated generate markdown py file * updated test_hunt_data * Update hunting/macos/queries/suspicious_network_connections_by_unsigned_macho.toml Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * Update hunting/windows/queries/drivers_load_with_low_occurrence_frequency.toml Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * Update hunting/windows/queries/domain_names_queried_via_lolbins_and_with_low_occurence_frequency.toml Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * Update hunting/windows/queries/excessive_rdp_network_activity_by_source_host_and_user.toml Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * Update hunting/windows/queries/excessive_rdp_network_activity_by_source_host_and_user.toml Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * updated missing integrations * updated MD docs according to recent hunting changes * Update hunting/windows/queries/executable_file_creation_by_an_unusual_microsoft_binary.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update hunting/windows/queries/detect_rare_dll_sideload_by_occurrence.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update hunting/windows/queries/detect_masquerading_attempts_as_native_windows_binaries.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update hunting/windows/queries/detect_dll_hijack_via_masquerading_as_microsoft_native_libraries.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update hunting/llm/queries/aws_bedrock_dos_resource_exhaustion_detection.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * added enrichment policy link to rule * Update hunting/windows/docs/execution_via_windows_management_instrumentation_by_occurrence_frequency_by_unique_agent.md Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/windows/docs/windows_command_and_scripting_interpreter_from_unusual_parent.md Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/windows/docs/windows_command_and_scripting_interpreter_from_unusual_parent.md Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/windows/docs/rundll32_execution_aggregated_by_cmdline.md Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/windows/docs/microsoft_office_child_processes_with_low_occurrence_frequency.md Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/windows/docs/microsoft_office_child_processes_with_low_occurrence_frequency.md Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/windows/queries/execution_via_windows_management_instrumentation_by_occurrence_frequency_by_unique_agent.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/windows/queries/execution_via_windows_management_instrumentation_by_occurrence_frequency_by_unique_agent.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/index.md Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/windows/docs/execution_via_network_logon_by_occurrence_frequency_by_top_source_ip.md Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/windows/queries/execution_via_network_logon_by_occurrence_frequency_by_top_source_ip.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> --------- Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> commit 6f43d1f Author: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Date: Tue Jun 25 17:58:37 2024 +0530 Lock versions for releases: 8.9,8.10,8.11,8.12,8.13,8.14 (#3821) commit 0726ce4 Author: James Valente <65730960+jvalente-salemstate@users.noreply.github.com> Date: Tue Jun 25 07:22:07 2024 -0400 Tune rule to exclude forwarded events. (#3790) Events containing "forwarded" as a tag may include host information that is not related to the host running elastic agent. This triggers false positive alerts. Examples include Entity Analytics integrations, Palo Alto GlobalProtect activity, and M365 Defender device events. Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> commit 2708a89 Author: Isai <59296946+imays11@users.noreply.github.com> Date: Tue Jun 25 00:11:48 2024 -0400 [New Rule] AWS IAM User Created Access Keys for Another User (#3788) * [New Rule] AWS IAM User Created Access Keys for Another User ... * updated min_stack and removed index field * reversed tactic order * added AWS documentation as reference * Apply suggestions from code review updated_date, query format change, removed keep from query commit da8f3e4 Author: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> Date: Fri Jun 21 13:11:23 2024 -0400 [New Rule] Okta Credential Stuffing and Password Spraying Identification via Source, Device Token and Actor (#3797) * adding new rule 'Multiple Okta User Authentication Events with Same Device Token Hash' * adding new rule 'Multiple Okta User Authentication Events with Client Address' * updating UUIDs * removed indexes * adding new rule 'High Number of Okta Device Token Cookies Generated for Authentication' * added okta outcome reason 'INVALID_CREDENTIALS' to queries * updated risk score * made all rules low risk score * added user session start to rule * updated min-stack comments commit a131e02 Author: Mika Ayenson <Mika.ayenson@elastic.co> Date: Fri Jun 21 11:05:57 2024 -0500 Revert "Test case to check updated_date (#3764)" This reverts commit 7621a54. commit 7621a54 Author: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com> Date: Fri Jun 21 18:43:32 2024 +0530 Test case to check updated_date (#3764) commit 675cad2 Author: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com> Date: Fri Jun 21 18:29:39 2024 +0530 Incorrect Integration Index Check (#3794) * fix technique id (cherry picked from commit a8ce53f)
protectionsmachine
pushed a commit
that referenced
this pull request
Jun 28, 2024
* [New BBR] AWS RDS DB Snapshot Created ... * Squashed commit of the following: commit 6746a42 Author: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Date: Tue Jun 25 16:14:28 2024 +0200 [New Rules] Yum Plugin Creation / Discovery (#3820) * [New Rules] Yum Plugin Creation / Discovery * Update discovery_yum_plugin_detection.toml * Update and rename discovery_yum_plugin_detection.toml to discovery_yum_dnf_plugin_detection.toml commit 632e169 Author: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> Date: Tue Jun 25 09:35:36 2024 -0400 [Hunt Tuning] Add Descriptions, Collapse Queries and Re-Generate Docs (#3791) * add description to hunting schema; change queries to be a list * update createremotethreat by process hunt * update dll hijack and masquerading as MSFT library * remove sysmon specific dDLL hijack via masquerading MSFT library * updated Masquerading Attempts as Native Windows Binaries * updates Rare DLL Side-Loading by Occurrence * updates Rare LSASS Process Access Attempts * update DNS Queries via LOLBins with Low Occurence Frequency * updated Low Occurrence of Drivers Loaded on Unique Hosts * updates Excessive RDP Network Activity by Host and User * updates Excessive SMB Network Activity by Process ID * updated Executable File Creation by an Unusual Microsoft Binary * Frequency of Process Execution and Network Logon by Source Address * updates Frequency of Process Execution and Network Logon by Source Address * updated Execution via Remote Services by Client Address * updated Startup Execution with Low Occurrence Frequency by Unique Host * updated Low Frequency of Process Execution via WMI by Unique Agent * updated Low Frequency of Process Execution via Windows Scheduled Task by Unique Agent * updated Low Occurence of Process Execution via Windows Services with Unique Agent * Updated High Count of Network Connection Over Extended Period by Process * update Libraries Loaded by svchost with Low Occurrence Frequency * updated Microsoft Office Child Processes with Low Occurrence Frequency by Unique Agent * updated Network Discovery via Sensitive Ports by Unusual Process * updated PE File Transfer via SMB_Admin Shares by Agent or User * updated Persistence via Run Key with Low Occurrence Frequency * updates Persistence via Startup with Low Occurrence Frequency by Unique Host * updates "Persistence via Run Key with Low Occurrence Frequency"; adjusted file names to remove data source * updates "Low Occurrence of Suspicious Launch Agent or Launch Daemon" * updates "Egress Network Connections with Total Bytes Greater than Threshold" * updates "Rundll32 Execution Aggregated by Command Line" * updates "Scheduled tasks Creation by Action via Registry" * updates "Scheduled Tasks Creation for Unique Hosts by Task Command" * updates "Suspicious Base64 Encoded Powershell Command" * updates "Suspicious DNS TXT Record Lookups by Process" * updates "Unique Windows Services Creation by Service File Name" * Updates "Unique Windows Services Creation by Service File Name" * updates "Windows Command and Scripting Interpreter from Unusual Parent Process" * updates "Windows Logon Activity by Source IP" * updates "Suspicious Network Connections by Unsigned Mach-O" * updates LLM hunting queries * re-generated markdown files; updated generate markdown py file * updated test_hunt_data * Update hunting/macos/queries/suspicious_network_connections_by_unsigned_macho.toml Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * Update hunting/windows/queries/drivers_load_with_low_occurrence_frequency.toml Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * Update hunting/windows/queries/domain_names_queried_via_lolbins_and_with_low_occurence_frequency.toml Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * Update hunting/windows/queries/excessive_rdp_network_activity_by_source_host_and_user.toml Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * Update hunting/windows/queries/excessive_rdp_network_activity_by_source_host_and_user.toml Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * updated missing integrations * updated MD docs according to recent hunting changes * Update hunting/windows/queries/executable_file_creation_by_an_unusual_microsoft_binary.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update hunting/windows/queries/detect_rare_dll_sideload_by_occurrence.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update hunting/windows/queries/detect_masquerading_attempts_as_native_windows_binaries.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update hunting/windows/queries/detect_dll_hijack_via_masquerading_as_microsoft_native_libraries.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update hunting/llm/queries/aws_bedrock_dos_resource_exhaustion_detection.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * added enrichment policy link to rule * Update hunting/windows/docs/execution_via_windows_management_instrumentation_by_occurrence_frequency_by_unique_agent.md Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/windows/docs/windows_command_and_scripting_interpreter_from_unusual_parent.md Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/windows/docs/windows_command_and_scripting_interpreter_from_unusual_parent.md Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/windows/docs/rundll32_execution_aggregated_by_cmdline.md Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/windows/docs/microsoft_office_child_processes_with_low_occurrence_frequency.md Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/windows/docs/microsoft_office_child_processes_with_low_occurrence_frequency.md Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/windows/queries/execution_via_windows_management_instrumentation_by_occurrence_frequency_by_unique_agent.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/windows/queries/execution_via_windows_management_instrumentation_by_occurrence_frequency_by_unique_agent.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/index.md Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/windows/docs/execution_via_network_logon_by_occurrence_frequency_by_top_source_ip.md Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/windows/queries/execution_via_network_logon_by_occurrence_frequency_by_top_source_ip.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> --------- Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> commit 6f43d1f Author: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Date: Tue Jun 25 17:58:37 2024 +0530 Lock versions for releases: 8.9,8.10,8.11,8.12,8.13,8.14 (#3821) commit 0726ce4 Author: James Valente <65730960+jvalente-salemstate@users.noreply.github.com> Date: Tue Jun 25 07:22:07 2024 -0400 Tune rule to exclude forwarded events. (#3790) Events containing "forwarded" as a tag may include host information that is not related to the host running elastic agent. This triggers false positive alerts. Examples include Entity Analytics integrations, Palo Alto GlobalProtect activity, and M365 Defender device events. Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> commit 2708a89 Author: Isai <59296946+imays11@users.noreply.github.com> Date: Tue Jun 25 00:11:48 2024 -0400 [New Rule] AWS IAM User Created Access Keys for Another User (#3788) * [New Rule] AWS IAM User Created Access Keys for Another User ... * updated min_stack and removed index field * reversed tactic order * added AWS documentation as reference * Apply suggestions from code review updated_date, query format change, removed keep from query commit da8f3e4 Author: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> Date: Fri Jun 21 13:11:23 2024 -0400 [New Rule] Okta Credential Stuffing and Password Spraying Identification via Source, Device Token and Actor (#3797) * adding new rule 'Multiple Okta User Authentication Events with Same Device Token Hash' * adding new rule 'Multiple Okta User Authentication Events with Client Address' * updating UUIDs * removed indexes * adding new rule 'High Number of Okta Device Token Cookies Generated for Authentication' * added okta outcome reason 'INVALID_CREDENTIALS' to queries * updated risk score * made all rules low risk score * added user session start to rule * updated min-stack comments commit a131e02 Author: Mika Ayenson <Mika.ayenson@elastic.co> Date: Fri Jun 21 11:05:57 2024 -0500 Revert "Test case to check updated_date (#3764)" This reverts commit 7621a54. commit 7621a54 Author: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com> Date: Fri Jun 21 18:43:32 2024 +0530 Test case to check updated_date (#3764) commit 675cad2 Author: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com> Date: Fri Jun 21 18:29:39 2024 +0530 Incorrect Integration Index Check (#3794) * fix technique id (cherry picked from commit a8ce53f)
protectionsmachine
pushed a commit
that referenced
this pull request
Jun 28, 2024
* [New BBR] AWS RDS DB Snapshot Created ... * Squashed commit of the following: commit 6746a42 Author: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Date: Tue Jun 25 16:14:28 2024 +0200 [New Rules] Yum Plugin Creation / Discovery (#3820) * [New Rules] Yum Plugin Creation / Discovery * Update discovery_yum_plugin_detection.toml * Update and rename discovery_yum_plugin_detection.toml to discovery_yum_dnf_plugin_detection.toml commit 632e169 Author: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> Date: Tue Jun 25 09:35:36 2024 -0400 [Hunt Tuning] Add Descriptions, Collapse Queries and Re-Generate Docs (#3791) * add description to hunting schema; change queries to be a list * update createremotethreat by process hunt * update dll hijack and masquerading as MSFT library * remove sysmon specific dDLL hijack via masquerading MSFT library * updated Masquerading Attempts as Native Windows Binaries * updates Rare DLL Side-Loading by Occurrence * updates Rare LSASS Process Access Attempts * update DNS Queries via LOLBins with Low Occurence Frequency * updated Low Occurrence of Drivers Loaded on Unique Hosts * updates Excessive RDP Network Activity by Host and User * updates Excessive SMB Network Activity by Process ID * updated Executable File Creation by an Unusual Microsoft Binary * Frequency of Process Execution and Network Logon by Source Address * updates Frequency of Process Execution and Network Logon by Source Address * updated Execution via Remote Services by Client Address * updated Startup Execution with Low Occurrence Frequency by Unique Host * updated Low Frequency of Process Execution via WMI by Unique Agent * updated Low Frequency of Process Execution via Windows Scheduled Task by Unique Agent * updated Low Occurence of Process Execution via Windows Services with Unique Agent * Updated High Count of Network Connection Over Extended Period by Process * update Libraries Loaded by svchost with Low Occurrence Frequency * updated Microsoft Office Child Processes with Low Occurrence Frequency by Unique Agent * updated Network Discovery via Sensitive Ports by Unusual Process * updated PE File Transfer via SMB_Admin Shares by Agent or User * updated Persistence via Run Key with Low Occurrence Frequency * updates Persistence via Startup with Low Occurrence Frequency by Unique Host * updates "Persistence via Run Key with Low Occurrence Frequency"; adjusted file names to remove data source * updates "Low Occurrence of Suspicious Launch Agent or Launch Daemon" * updates "Egress Network Connections with Total Bytes Greater than Threshold" * updates "Rundll32 Execution Aggregated by Command Line" * updates "Scheduled tasks Creation by Action via Registry" * updates "Scheduled Tasks Creation for Unique Hosts by Task Command" * updates "Suspicious Base64 Encoded Powershell Command" * updates "Suspicious DNS TXT Record Lookups by Process" * updates "Unique Windows Services Creation by Service File Name" * Updates "Unique Windows Services Creation by Service File Name" * updates "Windows Command and Scripting Interpreter from Unusual Parent Process" * updates "Windows Logon Activity by Source IP" * updates "Suspicious Network Connections by Unsigned Mach-O" * updates LLM hunting queries * re-generated markdown files; updated generate markdown py file * updated test_hunt_data * Update hunting/macos/queries/suspicious_network_connections_by_unsigned_macho.toml Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * Update hunting/windows/queries/drivers_load_with_low_occurrence_frequency.toml Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * Update hunting/windows/queries/domain_names_queried_via_lolbins_and_with_low_occurence_frequency.toml Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * Update hunting/windows/queries/excessive_rdp_network_activity_by_source_host_and_user.toml Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * Update hunting/windows/queries/excessive_rdp_network_activity_by_source_host_and_user.toml Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * updated missing integrations * updated MD docs according to recent hunting changes * Update hunting/windows/queries/executable_file_creation_by_an_unusual_microsoft_binary.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update hunting/windows/queries/detect_rare_dll_sideload_by_occurrence.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update hunting/windows/queries/detect_masquerading_attempts_as_native_windows_binaries.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update hunting/windows/queries/detect_dll_hijack_via_masquerading_as_microsoft_native_libraries.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update hunting/llm/queries/aws_bedrock_dos_resource_exhaustion_detection.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * added enrichment policy link to rule * Update hunting/windows/docs/execution_via_windows_management_instrumentation_by_occurrence_frequency_by_unique_agent.md Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/windows/docs/windows_command_and_scripting_interpreter_from_unusual_parent.md Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/windows/docs/windows_command_and_scripting_interpreter_from_unusual_parent.md Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/windows/docs/rundll32_execution_aggregated_by_cmdline.md Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/windows/docs/microsoft_office_child_processes_with_low_occurrence_frequency.md Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/windows/docs/microsoft_office_child_processes_with_low_occurrence_frequency.md Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/windows/queries/execution_via_windows_management_instrumentation_by_occurrence_frequency_by_unique_agent.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/windows/queries/execution_via_windows_management_instrumentation_by_occurrence_frequency_by_unique_agent.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/index.md Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/windows/docs/execution_via_network_logon_by_occurrence_frequency_by_top_source_ip.md Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/windows/queries/execution_via_network_logon_by_occurrence_frequency_by_top_source_ip.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> --------- Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> commit 6f43d1f Author: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Date: Tue Jun 25 17:58:37 2024 +0530 Lock versions for releases: 8.9,8.10,8.11,8.12,8.13,8.14 (#3821) commit 0726ce4 Author: James Valente <65730960+jvalente-salemstate@users.noreply.github.com> Date: Tue Jun 25 07:22:07 2024 -0400 Tune rule to exclude forwarded events. (#3790) Events containing "forwarded" as a tag may include host information that is not related to the host running elastic agent. This triggers false positive alerts. Examples include Entity Analytics integrations, Palo Alto GlobalProtect activity, and M365 Defender device events. Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> commit 2708a89 Author: Isai <59296946+imays11@users.noreply.github.com> Date: Tue Jun 25 00:11:48 2024 -0400 [New Rule] AWS IAM User Created Access Keys for Another User (#3788) * [New Rule] AWS IAM User Created Access Keys for Another User ... * updated min_stack and removed index field * reversed tactic order * added AWS documentation as reference * Apply suggestions from code review updated_date, query format change, removed keep from query commit da8f3e4 Author: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> Date: Fri Jun 21 13:11:23 2024 -0400 [New Rule] Okta Credential Stuffing and Password Spraying Identification via Source, Device Token and Actor (#3797) * adding new rule 'Multiple Okta User Authentication Events with Same Device Token Hash' * adding new rule 'Multiple Okta User Authentication Events with Client Address' * updating UUIDs * removed indexes * adding new rule 'High Number of Okta Device Token Cookies Generated for Authentication' * added okta outcome reason 'INVALID_CREDENTIALS' to queries * updated risk score * made all rules low risk score * added user session start to rule * updated min-stack comments commit a131e02 Author: Mika Ayenson <Mika.ayenson@elastic.co> Date: Fri Jun 21 11:05:57 2024 -0500 Revert "Test case to check updated_date (#3764)" This reverts commit 7621a54. commit 7621a54 Author: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com> Date: Fri Jun 21 18:43:32 2024 +0530 Test case to check updated_date (#3764) commit 675cad2 Author: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com> Date: Fri Jun 21 18:29:39 2024 +0530 Incorrect Integration Index Check (#3794) * fix technique id (cherry picked from commit a8ce53f)
protectionsmachine
pushed a commit
that referenced
this pull request
Jun 28, 2024
* [New BBR] AWS RDS DB Snapshot Created ... * Squashed commit of the following: commit 6746a42 Author: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Date: Tue Jun 25 16:14:28 2024 +0200 [New Rules] Yum Plugin Creation / Discovery (#3820) * [New Rules] Yum Plugin Creation / Discovery * Update discovery_yum_plugin_detection.toml * Update and rename discovery_yum_plugin_detection.toml to discovery_yum_dnf_plugin_detection.toml commit 632e169 Author: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> Date: Tue Jun 25 09:35:36 2024 -0400 [Hunt Tuning] Add Descriptions, Collapse Queries and Re-Generate Docs (#3791) * add description to hunting schema; change queries to be a list * update createremotethreat by process hunt * update dll hijack and masquerading as MSFT library * remove sysmon specific dDLL hijack via masquerading MSFT library * updated Masquerading Attempts as Native Windows Binaries * updates Rare DLL Side-Loading by Occurrence * updates Rare LSASS Process Access Attempts * update DNS Queries via LOLBins with Low Occurence Frequency * updated Low Occurrence of Drivers Loaded on Unique Hosts * updates Excessive RDP Network Activity by Host and User * updates Excessive SMB Network Activity by Process ID * updated Executable File Creation by an Unusual Microsoft Binary * Frequency of Process Execution and Network Logon by Source Address * updates Frequency of Process Execution and Network Logon by Source Address * updated Execution via Remote Services by Client Address * updated Startup Execution with Low Occurrence Frequency by Unique Host * updated Low Frequency of Process Execution via WMI by Unique Agent * updated Low Frequency of Process Execution via Windows Scheduled Task by Unique Agent * updated Low Occurence of Process Execution via Windows Services with Unique Agent * Updated High Count of Network Connection Over Extended Period by Process * update Libraries Loaded by svchost with Low Occurrence Frequency * updated Microsoft Office Child Processes with Low Occurrence Frequency by Unique Agent * updated Network Discovery via Sensitive Ports by Unusual Process * updated PE File Transfer via SMB_Admin Shares by Agent or User * updated Persistence via Run Key with Low Occurrence Frequency * updates Persistence via Startup with Low Occurrence Frequency by Unique Host * updates "Persistence via Run Key with Low Occurrence Frequency"; adjusted file names to remove data source * updates "Low Occurrence of Suspicious Launch Agent or Launch Daemon" * updates "Egress Network Connections with Total Bytes Greater than Threshold" * updates "Rundll32 Execution Aggregated by Command Line" * updates "Scheduled tasks Creation by Action via Registry" * updates "Scheduled Tasks Creation for Unique Hosts by Task Command" * updates "Suspicious Base64 Encoded Powershell Command" * updates "Suspicious DNS TXT Record Lookups by Process" * updates "Unique Windows Services Creation by Service File Name" * Updates "Unique Windows Services Creation by Service File Name" * updates "Windows Command and Scripting Interpreter from Unusual Parent Process" * updates "Windows Logon Activity by Source IP" * updates "Suspicious Network Connections by Unsigned Mach-O" * updates LLM hunting queries * re-generated markdown files; updated generate markdown py file * updated test_hunt_data * Update hunting/macos/queries/suspicious_network_connections_by_unsigned_macho.toml Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * Update hunting/windows/queries/drivers_load_with_low_occurrence_frequency.toml Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * Update hunting/windows/queries/domain_names_queried_via_lolbins_and_with_low_occurence_frequency.toml Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * Update hunting/windows/queries/excessive_rdp_network_activity_by_source_host_and_user.toml Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * Update hunting/windows/queries/excessive_rdp_network_activity_by_source_host_and_user.toml Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * updated missing integrations * updated MD docs according to recent hunting changes * Update hunting/windows/queries/executable_file_creation_by_an_unusual_microsoft_binary.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update hunting/windows/queries/detect_rare_dll_sideload_by_occurrence.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update hunting/windows/queries/detect_masquerading_attempts_as_native_windows_binaries.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update hunting/windows/queries/detect_dll_hijack_via_masquerading_as_microsoft_native_libraries.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update hunting/llm/queries/aws_bedrock_dos_resource_exhaustion_detection.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * added enrichment policy link to rule * Update hunting/windows/docs/execution_via_windows_management_instrumentation_by_occurrence_frequency_by_unique_agent.md Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/windows/docs/windows_command_and_scripting_interpreter_from_unusual_parent.md Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/windows/docs/windows_command_and_scripting_interpreter_from_unusual_parent.md Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/windows/docs/rundll32_execution_aggregated_by_cmdline.md Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/windows/docs/microsoft_office_child_processes_with_low_occurrence_frequency.md Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/windows/docs/microsoft_office_child_processes_with_low_occurrence_frequency.md Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/windows/queries/execution_via_windows_management_instrumentation_by_occurrence_frequency_by_unique_agent.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/windows/queries/execution_via_windows_management_instrumentation_by_occurrence_frequency_by_unique_agent.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/index.md Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/windows/docs/execution_via_network_logon_by_occurrence_frequency_by_top_source_ip.md Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/windows/queries/execution_via_network_logon_by_occurrence_frequency_by_top_source_ip.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> --------- Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> commit 6f43d1f Author: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Date: Tue Jun 25 17:58:37 2024 +0530 Lock versions for releases: 8.9,8.10,8.11,8.12,8.13,8.14 (#3821) commit 0726ce4 Author: James Valente <65730960+jvalente-salemstate@users.noreply.github.com> Date: Tue Jun 25 07:22:07 2024 -0400 Tune rule to exclude forwarded events. (#3790) Events containing "forwarded" as a tag may include host information that is not related to the host running elastic agent. This triggers false positive alerts. Examples include Entity Analytics integrations, Palo Alto GlobalProtect activity, and M365 Defender device events. Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> commit 2708a89 Author: Isai <59296946+imays11@users.noreply.github.com> Date: Tue Jun 25 00:11:48 2024 -0400 [New Rule] AWS IAM User Created Access Keys for Another User (#3788) * [New Rule] AWS IAM User Created Access Keys for Another User ... * updated min_stack and removed index field * reversed tactic order * added AWS documentation as reference * Apply suggestions from code review updated_date, query format change, removed keep from query commit da8f3e4 Author: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> Date: Fri Jun 21 13:11:23 2024 -0400 [New Rule] Okta Credential Stuffing and Password Spraying Identification via Source, Device Token and Actor (#3797) * adding new rule 'Multiple Okta User Authentication Events with Same Device Token Hash' * adding new rule 'Multiple Okta User Authentication Events with Client Address' * updating UUIDs * removed indexes * adding new rule 'High Number of Okta Device Token Cookies Generated for Authentication' * added okta outcome reason 'INVALID_CREDENTIALS' to queries * updated risk score * made all rules low risk score * added user session start to rule * updated min-stack comments commit a131e02 Author: Mika Ayenson <Mika.ayenson@elastic.co> Date: Fri Jun 21 11:05:57 2024 -0500 Revert "Test case to check updated_date (#3764)" This reverts commit 7621a54. commit 7621a54 Author: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com> Date: Fri Jun 21 18:43:32 2024 +0530 Test case to check updated_date (#3764) commit 675cad2 Author: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com> Date: Fri Jun 21 18:29:39 2024 +0530 Incorrect Integration Index Check (#3794) * fix technique id (cherry picked from commit a8ce53f)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR adds an exception for events tagged as "forwarded". These events don't contain information about the host running the agent, such as
host.idorhost.name. Certain integrations, including entity analytics, ingested EDR (eg M365 Defender) logs, and vulnerability management may populate these fields with details about the host or device in that event.An alert is triggered on each run after these events are ingested. Excluding forwarded events will reduce false positives.
Issues
Closes #3613
Summary
The rule's query has been tuned to exclude forwarded events.
Contributor checklist