detection-rules
### Link to Rule https://github.com/elastic/detection-rules/blob/main/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml ### Rule Tuning Type None ### Description It seems that there is a typo in the query: The query includes the process executable `"?:\\Windows\\SyWOW64\\explorer.exe"` which...
### Link to Rule https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/credential_access_entra_signin_brute_force_microsoft_365.toml ### Rule Tuning Type False Positives - Reducing benign events mistakenly identified as threats. ### Description We have found that non-interactive signins with expired or...
# Pull Request *Issue link(s)*: #4575 ## Summary - What I changed Very simple fix to allow any order of esql metadata by adjusting the regex in the validation check....
**Related to:** https://github.com/elastic/kibana/pull/201825#pullrequestreview-2470373688 ## Summary In Kibana, I upgraded the package with prebuilt rules from `v8.16.2-beta.1` to `v8.16.2` and got 64 detection rules that can be upgraded via the Security...
Include exceptions for error codes, restricted to `NonInteractiveUserSignInLogs` and token refreshes: - 70043 : Refresh token expired or no longer valid due to conditional access frequency checks - 70044 :...
### Describe the Bug The CLI `python -m detection_rules kibana export-rules` doesn't work with a simple esql rule, where metadata is set according to [official documentation](https://www.elastic.co/guide/en/security/8.17/rules-ui-create.html#create-esql-rule). It always leads to:...
### Repository Feature None ### Problem Description Currently, timeline templates are referenced by id and name in the exported rule files. However, the template itself is not exported/cannot be imported...
### Repository Feature None ### Problem Description Whenever I have a concern with a rule and need to discuss it with anyone it's best to have the GitHub rule link...
[Meta] Explore Detection Opportunities on Active Directory Object Ownership and Privilege Assignment
## Parent Epic https://github.com/elastic/ia-trade-team/issues/276 ## Summary Explore how attackers abuse object ownership issues for privilege escalation, lateral movement, and persistence. - [ ] Read the whitepaper and decide on scenarios...
### Describe the Bug ## Summary Creating a new terms rule via the CLI will currently not prompt the user to supply the new_terms field(s) preventing the user from being...