Releases: elastic/detection-rules
Releases · elastic/detection-rules
dev-v0.2.0
Changes
- Lock versions for releases: 8.11,8.12,8.13,8.14,8.15,8.16 (#4267) @github-actions
- [New] First Time Seen User Auth via DeviceCode Protocol (#4153) @Samirbous
- [New] Remote Desktop File Opened from Suspicious Path (#4251) @Samirbous
- [Rule Tuning] Tuning
Process Termination followed by Deletion(#4173) @terrancedejesus - [New Rule] Potential Hex Payload Execution (#4241) @Aegrah
- [New Rule] Memory Swap Modification (#4239) @Aegrah
- [New Rule] Unusual Interactive Shell Launched from System User (#4238) @Aegrah
- [New Rule] Web Server Spawned via Python (#4236) @Aegrah
- [New Rule] Directory Creation in /bin directory (#4227) @Aegrah
- [New Rule] Hidden Directory Creation via Unusual Parent (#4226) @Aegrah
- [New Rule] Security File Access via Common Utilities (#4243) @Aegrah
- [New Rule] Potential Data Splitting Detected (#4235) @Aegrah
- [New Rule] Private Key Searching Activity (#4242) @Aegrah
- [New Rule] IPv4/IPv6 Forwarding Activity (#4240) @Aegrah
- [New Rule] Curl SOCKS Proxy Activity from Unusual Parent (#4237) @Aegrah
- [Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 8 (#4233) @w0rk3r
- [Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 7 (#4232) @w0rk3r
- [Tuning] Suspicious Lsass Process Access (#4188) @Samirbous
- Add investigation guide for Amazon Bedrock Rules (#4247) @shashank-elastic
- [New Rule] Adding Coverage for
AWS Discovery API Calls via CLI from a Single Resource(#4246) @terrancedejesus - [Rule Tuning] Tuning
AWS STS Temporary Credentials via AssumeRole(#4228) @terrancedejesus - [New Rule] Adding Coverage for
AWS SSM Command Document Created by Rare User(#4229) @terrancedejesus - [New Rule] Adding Coverage for
AWS IAM Create User via Assumed Role on EC2 Instance(#4244) @terrancedejesus - [New Rule] Adding Coverage for
AWS SNS Email Subscription by Rare User(#4224) @terrancedejesus - [Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 9 (#4234) @w0rk3r
- [Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 6 (#4231) @w0rk3r
- [Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 5 (#4230) @w0rk3r
- [Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 4 (#4225) @w0rk3r
- [New Rule] AWS STS AssumeRole with New MFA Device [Rule Tuning] AWS IAM Deactivation of MFA Device (#4210) @imays11
- [Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 3 (#4222) @w0rk3r
- [Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 2 (#4221) @w0rk3r
🚀 Features
- Account for CCS '::' index pattern (#4258) @shashank-elastic
- Update ATT&CK coverage URL(s) in docs/ATT&CK-coverage.md (#4265) @github-actions
- Prep for Release 8.17 (#4256) @shashank-elastic
- [FR] Reset package version and push tag via ci (#4260) @Mikaayenson
- [FR] Update the release versioning process and workflow (#4257) @Mikaayenson
- [FR] Update release-drafter.yml (#4252) @Mikaayenson
- [FR] Add Versioning Processes to DR (#4223) @Mikaayenson
🐛 Bug Fixes
- Fix extra new line in ATT&CK-coverage.md (#4263) @shashank-elastic
- [FR] Fetch history for versioning workflow (#4259) @Mikaayenson
- [Testing] Update release-drafter.yml (#4254) @Mikaayenson
- [FR] DRAFT Release Workflow on PR Merge (#4253) @Mikaayenson
🛠 Internal Changes
- Account for CCS '::' index pattern (#4258) @shashank-elastic
- [Rule Tuning] Add Investigation Fields to Specific AWS Rules (#4261) @terrancedejesus
- Fix extra new line in ATT&CK-coverage.md (#4263) @shashank-elastic
- Prep for Release 8.17 (#4256) @shashank-elastic
- [FR] DRAFT Release Workflow on PR Merge (#4253) @Mikaayenson
- [New Rule] Adding Coverage for
AWS IAM Customer-Managed Policy Attached to Role by Rare User(#4245) @terrancedejesus - [Rule Tuning] Add Investigation Guides to AWS Rules (#4249) @terrancedejesus
- [Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 1 (#4220) @w0rk3r
🔍 Hunting Updates
- [New Rule] Adding Coverage for
AWS IAM Customer-Managed Policy Attached to Role by Rare User(#4245) @terrancedejesus
Contributors
Mikaayenson, w0rk3r, and 5 other contributors
Assets 2
dev-v0.1.0
What's Changed
- Adding initial release to detection-rules dev to capture changelog history
Full Changelog: ML-UserRiskScore-20220812-2...v0.1.0-dev
ML-UserRiskScore-20220812-2
Note on installation
As of Elastic Stack version 8.4, we no longer recommend installing Host Risk Score using this release bundle. Please follow the official documentation for steps to install Host Risk Score based on your Stack version.
For details, reference: https://github.com/elastic/detection-rules/tree/main/docs/experimental-machine-learning
Tested and compatible with Elastic Stack version 8.3.
Changelog
- [Bug fix] Introducing placeholders for space in the dashboards file.
ML-UserRiskScore-20220628-1
For details, reference: https://github.com/elastic/detection-rules/tree/main/docs/experimental-machine-learning
Tested and compatible with Elastic Stack version 8.3.
Changelog
- This is the first version of the user risk score app which calculates a normalized risk score for user names using the risk scores in the available alerts
ML-HostRiskScore-20220404-5
Note on installation
As of Elastic Stack version 8.3, we no longer recommend installing User Risk Score using this release bundle. Please follow the official documentation for steps to install User Risk Score based on your Stack version.
For details, reference: https://github.com/elastic/detection-rules/tree/main/docs/experimental-machine-learning
Tested and compatible with Elastic Stack version 8.1.
Changelog
- Adding multipliers to boost the host risk score based on certain properties
- Adding some explainability about the host risk score
ML-Beaconing-20211216-1
For details, reference: https://github.com/elastic/detection-rules/tree/main/docs/experimental-machine-learning
Tested and compatible with Elastic Stack version 7.16.
Changelog
This is the first release for our experimental Network Beaconing framework. It consists of the following:
- Scripts, ingest pipelines and transforms to monitor network event data and flag beaconing-like activity
dashboards.ndjsoncontains all the assets required for three dashboards- "Network Beaconing", which is the main dashboard to monitor beaconing activity, "Beaconing Drilldown" to drilldown into relevant event logs and some statistics related to the beaconing activity, and finally, "Hosts Affected Over Time By Process Name" to monitor the reach of beaconing processes across hosts in your environment, in the past two weeks.
ML-HostRiskScore-20220215-4
For details, reference: https://github.com/elastic/detection-rules/tree/main/docs/experimental-machine-learning
Tested and compatible with Elastic Stack version 8.0.
Changelog
- Updating the alerts alias to reflect changes made in 8.0
ML-experimental-detections-20211130-7
changelog
detections added
Beaconing
- ML jobs:
- beaconing_rare_process
Registry of experimental detections
Experimental detections
expand to view
- rules and dashboards can be imported via Kibana
- jobs and datafeeds can be imported using the CLI or Kibana devtools
Refer to the experimental-maching-learning docs for more details
| detection ID | type | relative path |
|---|---|---|
| beaconing_rare_process | anomaly_detection | beaconing/anomaly_detection/beaconing_rare_process.json |
| beaconing_rare_process | datafeed | beaconing/datafeed/beaconing_rare_process.json |
| 47b1a804-4f65-40b0-a7ef-fdac3c00b00c | rule | url_spoof/rule/url_spoof_ml_predicted_malicious_url.ndjson |
| problem_child_high_sum_by_parent | anomaly_detection | problem_child/anomaly_detection/problem_child_high_sum_by_parent.json |
| problem_child_high_sum_by_user | anomaly_detection | problem_child/anomaly_detection/problem_child_high_sum_by_user.json |
| problem_child_rare_process_by_parent | anomaly_detection | problem_child/anomaly_detection/problem_child_rare_process_by_parent.json |
| problem_child_rare_process_by_user | anomaly_detection | problem_child/anomaly_detection/problem_child_rare_process_by_user.json |
| problem_child_high_sum_by_host | anomaly_detection | problem_child/anomaly_detection/problem_child_high_sum_by_host.json |
| problem_child_rare_process_by_host | anomaly_detection | problem_child/anomaly_detection/problem_child_rare_process_by_host.json |
| problem_child_high_sum_by_parent | datafeed | problem_child/datafeed/problem_child_high_sum_by_parent.json |
| problem_child_high_sum_by_user | datafeed | problem_child/datafeed/problem_child_high_sum_by_user.json |
| problem_child_rare_process_by_parent | datafeed | problem_child/datafeed/problem_child_rare_process_by_parent.json |
| problem_child_rare_process_by_user | datafeed | problem_child/datafeed/problem_child_rare_process_by_user.json |
| problem_child_high_sum_by_host | datafeed | problem_child/datafeed/problem_child_high_sum_by_host.json |
| problem_child_rare_process_by_host | datafeed | problem_child/datafeed/problem_child_rare_process_by_host.json |
| 9a2e372a-cbeb-4ad6-a288-017ef086324c | rule | problem_child/rule/problem_child_ml_high_probability_suspicious_windows_event.ndjson |
| a5cb4cd7-ba05-47e8-a815-f95c21719ded | rule | problem_child/rule/problem_child_ml_rare_suspicious_process_by_user.ndjson |
| 9b98d945-2cce-45e5-aa84-4b021af0e153 | rule | problem_child/rule/problem_child_ml_suspicious_process_cluster_by_parent.ndjson |
| ff590871-371b-468f-8cd8-2876b54c53bd | rule | problem_child/rule/problem_child_ml_suspicious_process_cluster_by_user.ndjson |
| ae7c2f69-0c51-4b02-ad54-d3d75023da8b | rule | problem_child/rule/problem_child_ml_rare_suspicious_process_by_parent.ndjson |
| 34184d4e-ef61-477b-8d76-5c93448c29bf | rule | problem_child/rule/problem_child_ml_predicted_suspicious_windows_event.ndjson |
| 415d6863-7676-401f-aa8d-62f59a28e849 | rule | problem_child/rule/problem_child_ml_rare_suspicious_process_by_host.ndjson |
| 86d57ec4-ace5-4456-8145-02e6f0cdd71a | rule | problem_child/rule/problem_child_ml_suspicious_process_cluster_by_host.ndjson |
| dga_high_sum_probability | anomaly_detection | dga/anomaly_detection/dga_high_sum_probability.json |
| dga_high_sum_probability | datafeed | dga/datafeed/dga_high_sum_probability.json |
| 997ec71d-bddc-4513-b6f1-193f601fd420 | rule | dga/rule/dga_command_and_control_high_sum_scores.ndjson |
| 170b35d4-d944-4264-a8ca-3118ae2e1534 | rule | dga/rule/dga_command_and_control_ml_sunburst_domain.ndjson |
| 64116bb2-0f2c-4cf6-9df4-9973452b4d4b | rule | dga/rule/dga_command_and_control_ml_predicted_domain.ndjson |
| a020dadb-3da2-4252-91e9-b0fc148823e2 | rule | dga/rule/dga_command_and_control_ml_probable_domain.ndjson |
| None | dashboard | dga/dashboard/dga_dashboard.ndjson |
ML-HostRiskScore-20211007-3
For details, reference: https://github.com/elastic/detection-rules/tree/main/docs/experimental-machine-learning
Tested and compatible with Elastic Stack version 7.16.
Changelog
- Updating all the necessary artifacts to account for space awareness, mainly the transforms and dashboard blob.
ML-HostRiskScore-20210826-2
For details, reference: https://github.com/elastic/detection-rules/tree/main/docs/experimental-machine-learning
Tested and compatible with Elastic Stack version 7.15.
Changelog
ml_hostriskscore_pivot_transformnow incorporates time decay i.e. older alerts have lesser impact on the risk than more recent alerts- Two new scripts, namely
ml_hostriskscore_map_scriptandml_hostriskscore_reduce_scriptto support changes inml_hostriskscore_pivot_transform - Changes to the
ml_hostriskscore_levels_scriptandml_hostriskscore_ingest_pipelineto account for changes to theml_hostriskscore_pivot_transform - Dashboards updated to 7.13.4: Running 2 versions behind the latest (7.15.0) to give users time to upgrade