[Rule Tuning] Make Rules Compatible with Windows Forwarded Logs #2761
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode characters
w0rk3r added Rule: Tuning w0rk3r requested review from Mikaayenson, brokensound77 and terrancedejesus as code owners w0rk3r changed the title 
terrancedejesus added a commit that referenced this pull request May 3, 2023
terrancedejesus approved these changes May 3, 2023
There was a problem hiding this comment.
Looks good, great work! 🔥
Can we add this one to these changes: #2685
terrancedejesus added a commit that referenced this pull request May 3, 2023
…2685) * adding initial rule * changed new terms to host.id * removed windows integration tag * removed windows integration tag * changed rule to be process started related * rule linted * updating description * Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml * added process.name.caseless to non-ecs.json * removed host type related to #2761 * added host.os.type --------- Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
protectionsmachine pushed a commit that referenced this pull request May 3, 2023
…2685) * adding initial rule * changed new terms to host.id * removed windows integration tag * removed windows integration tag * changed rule to be process started related * rule linted * updating description * Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml * added process.name.caseless to non-ecs.json * removed host type related to #2761 * added host.os.type --------- Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> (cherry picked from commit d5350ae)
protectionsmachine pushed a commit that referenced this pull request May 3, 2023
…2685) * adding initial rule * changed new terms to host.id * removed windows integration tag * removed windows integration tag * changed rule to be process started related * rule linted * updating description * Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml * added process.name.caseless to non-ecs.json * removed host type related to #2761 * added host.os.type --------- Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> (cherry picked from commit d5350ae)
protectionsmachine pushed a commit that referenced this pull request May 3, 2023
…2685) * adding initial rule * changed new terms to host.id * removed windows integration tag * removed windows integration tag * changed rule to be process started related * rule linted * updating description * Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml * added process.name.caseless to non-ecs.json * removed host type related to #2761 * added host.os.type --------- Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> (cherry picked from commit d5350ae)
protectionsmachine pushed a commit that referenced this pull request May 3, 2023
…2685) * adding initial rule * changed new terms to host.id * removed windows integration tag * removed windows integration tag * changed rule to be process started related * rule linted * updating description * Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml * added process.name.caseless to non-ecs.json * removed host type related to #2761 * added host.os.type --------- Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> (cherry picked from commit d5350ae)
protectionsmachine pushed a commit that referenced this pull request May 3, 2023
…2685) * adding initial rule * changed new terms to host.id * removed windows integration tag * removed windows integration tag * changed rule to be process started related * rule linted * updating description * Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml * added process.name.caseless to non-ecs.json * removed host type related to #2761 * added host.os.type --------- Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> (cherry picked from commit d5350ae)
protectionsmachine pushed a commit that referenced this pull request May 3, 2023
…2685) * adding initial rule * changed new terms to host.id * removed windows integration tag * removed windows integration tag * changed rule to be process started related * rule linted * updating description * Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml * added process.name.caseless to non-ecs.json * removed host type related to #2761 * added host.os.type --------- Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> (cherry picked from commit d5350ae)
protectionsmachine pushed a commit that referenced this pull request May 3, 2023
…2685) * adding initial rule * changed new terms to host.id * removed windows integration tag * removed windows integration tag * changed rule to be process started related * rule linted * updating description * Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml * added process.name.caseless to non-ecs.json * removed host type related to #2761 * added host.os.type --------- Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> (cherry picked from commit d5350ae)
protectionsmachine pushed a commit that referenced this pull request May 3, 2023
…2685) * adding initial rule * changed new terms to host.id * removed windows integration tag * removed windows integration tag * changed rule to be process started related * rule linted * updating description * Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml * added process.name.caseless to non-ecs.json * removed host type related to #2761 * added host.os.type --------- Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> (cherry picked from commit d5350ae)
protectionsmachine pushed a commit that referenced this pull request May 3, 2023
…2685) * adding initial rule * changed new terms to host.id * removed windows integration tag * removed windows integration tag * changed rule to be process started related * rule linted * updating description * Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml * added process.name.caseless to non-ecs.json * removed host type related to #2761 * added host.os.type --------- Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> (cherry picked from commit d5350ae)
protectionsmachine pushed a commit that referenced this pull request May 3, 2023
…2685) * adding initial rule * changed new terms to host.id * removed windows integration tag * removed windows integration tag * changed rule to be process started related * rule linted * updating description * Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml * added process.name.caseless to non-ecs.json * removed host type related to #2761 * added host.os.type --------- Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> (cherry picked from commit d5350ae)
Samirbous approved these changes May 3, 2023
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
protectionsmachine pushed a commit that referenced this pull request May 15, 2023
* [Proposal] [Rule Tuning] Make Intended rules compatible with Windows Forwarded Logs * Update tests/test_all_rules.py Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * Update test_all_rules.py * Update test_all_rules.py --------- Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> Removed changes from: - rules/windows/credential_access_bruteforce_admin_account.toml - rules/windows/credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml - rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml - rules/windows/credential_access_dcsync_newterm_subjectuser.toml - rules/windows/credential_access_dcsync_replication_rights.toml - rules/windows/credential_access_disable_kerberos_preauth.toml - rules/windows/credential_access_ldap_attributes.toml - rules/windows/credential_access_lsass_memdump_handle_access.toml - rules/windows/credential_access_remote_sam_secretsdump.toml - rules/windows/credential_access_saved_creds_vault_winlog.toml - rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml - rules/windows/credential_access_shadow_credentials.toml - rules/windows/credential_access_spn_attribute_modified.toml - rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml - rules/windows/defense_evasion_clearing_windows_security_logs.toml - rules/windows/discovery_privileged_localgroup_membership.toml - rules/windows/execution_posh_hacktool_functions.toml - rules/windows/lateral_movement_remote_service_installed_winlog.toml - rules/windows/lateral_movement_remote_task_creation_winlog.toml - rules/windows/persistence_ad_adminsdholder.toml - rules/windows/persistence_dontexpirepasswd_account.toml - rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml - rules/windows/persistence_remote_password_reset.toml - rules/windows/persistence_scheduled_task_creation_winlog.toml - rules/windows/persistence_scheduled_task_updated.toml - rules/windows/persistence_sdprop_exclusion_dsheuristics.toml - rules/windows/persistence_service_windows_service_winlog.toml - rules/windows/persistence_temp_scheduled_task.toml - rules/windows/persistence_user_account_added_to_privileged_group_ad.toml - rules/windows/privilege_escalation_create_process_as_different_user.toml - rules/windows/privilege_escalation_credroaming_ldap.toml - rules/windows/privilege_escalation_group_policy_iniscript.toml - rules/windows/privilege_escalation_group_policy_privileged_groups.toml - rules/windows/privilege_escalation_group_policy_scheduled_task.toml - rules/windows/privilege_escalation_krbrelayup_service_creation.toml - rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml - rules/windows/privilege_escalation_suspicious_dnshostname_update.toml - rules/windows/privilege_escalation_windows_service_via_unusual_client.toml (selectively cherry picked from commit d017156)
protectionsmachine pushed a commit that referenced this pull request May 15, 2023
* [Proposal] [Rule Tuning] Make Intended rules compatible with Windows Forwarded Logs * Update tests/test_all_rules.py Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * Update test_all_rules.py * Update test_all_rules.py --------- Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> Removed changes from: - rules/windows/credential_access_bruteforce_admin_account.toml - rules/windows/credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml - rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml - rules/windows/credential_access_dcsync_newterm_subjectuser.toml - rules/windows/credential_access_dcsync_replication_rights.toml - rules/windows/credential_access_disable_kerberos_preauth.toml - rules/windows/credential_access_ldap_attributes.toml - rules/windows/credential_access_lsass_memdump_handle_access.toml - rules/windows/credential_access_remote_sam_secretsdump.toml - rules/windows/credential_access_saved_creds_vault_winlog.toml - rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml - rules/windows/credential_access_shadow_credentials.toml - rules/windows/credential_access_spn_attribute_modified.toml - rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml - rules/windows/defense_evasion_clearing_windows_security_logs.toml - rules/windows/discovery_privileged_localgroup_membership.toml - rules/windows/execution_posh_hacktool_functions.toml - rules/windows/lateral_movement_remote_service_installed_winlog.toml - rules/windows/lateral_movement_remote_task_creation_winlog.toml - rules/windows/persistence_ad_adminsdholder.toml - rules/windows/persistence_dontexpirepasswd_account.toml - rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml - rules/windows/persistence_remote_password_reset.toml - rules/windows/persistence_scheduled_task_creation_winlog.toml - rules/windows/persistence_scheduled_task_updated.toml - rules/windows/persistence_sdprop_exclusion_dsheuristics.toml - rules/windows/persistence_service_windows_service_winlog.toml - rules/windows/persistence_temp_scheduled_task.toml - rules/windows/persistence_user_account_added_to_privileged_group_ad.toml - rules/windows/privilege_escalation_create_process_as_different_user.toml - rules/windows/privilege_escalation_credroaming_ldap.toml - rules/windows/privilege_escalation_group_policy_iniscript.toml - rules/windows/privilege_escalation_group_policy_privileged_groups.toml - rules/windows/privilege_escalation_group_policy_scheduled_task.toml - rules/windows/privilege_escalation_krbrelayup_service_creation.toml - rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml - rules/windows/privilege_escalation_suspicious_dnshostname_update.toml - rules/windows/privilege_escalation_windows_service_via_unusual_client.toml (selectively cherry picked from commit d017156)
protectionsmachine pushed a commit that referenced this pull request May 15, 2023
* [Proposal] [Rule Tuning] Make Intended rules compatible with Windows Forwarded Logs * Update tests/test_all_rules.py Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * Update test_all_rules.py * Update test_all_rules.py --------- Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> Removed changes from: - rules/windows/credential_access_bruteforce_admin_account.toml - rules/windows/credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml - rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml - rules/windows/credential_access_dcsync_newterm_subjectuser.toml - rules/windows/credential_access_dcsync_replication_rights.toml - rules/windows/credential_access_disable_kerberos_preauth.toml - rules/windows/credential_access_ldap_attributes.toml - rules/windows/credential_access_lsass_memdump_handle_access.toml - rules/windows/credential_access_remote_sam_secretsdump.toml - rules/windows/credential_access_saved_creds_vault_winlog.toml - rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml - rules/windows/credential_access_shadow_credentials.toml - rules/windows/credential_access_spn_attribute_modified.toml - rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml - rules/windows/defense_evasion_clearing_windows_security_logs.toml - rules/windows/discovery_privileged_localgroup_membership.toml - rules/windows/execution_posh_hacktool_functions.toml - rules/windows/lateral_movement_remote_service_installed_winlog.toml - rules/windows/lateral_movement_remote_task_creation_winlog.toml - rules/windows/persistence_ad_adminsdholder.toml - rules/windows/persistence_dontexpirepasswd_account.toml - rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml - rules/windows/persistence_remote_password_reset.toml - rules/windows/persistence_scheduled_task_creation_winlog.toml - rules/windows/persistence_scheduled_task_updated.toml - rules/windows/persistence_sdprop_exclusion_dsheuristics.toml - rules/windows/persistence_service_windows_service_winlog.toml - rules/windows/persistence_temp_scheduled_task.toml - rules/windows/persistence_user_account_added_to_privileged_group_ad.toml - rules/windows/privilege_escalation_create_process_as_different_user.toml - rules/windows/privilege_escalation_credroaming_ldap.toml - rules/windows/privilege_escalation_group_policy_iniscript.toml - rules/windows/privilege_escalation_group_policy_privileged_groups.toml - rules/windows/privilege_escalation_group_policy_scheduled_task.toml - rules/windows/privilege_escalation_krbrelayup_service_creation.toml - rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml - rules/windows/privilege_escalation_suspicious_dnshostname_update.toml - rules/windows/privilege_escalation_windows_service_via_unusual_client.toml (selectively cherry picked from commit d017156)
protectionsmachine pushed a commit that referenced this pull request May 15, 2023
* [Proposal] [Rule Tuning] Make Intended rules compatible with Windows Forwarded Logs * Update tests/test_all_rules.py Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * Update test_all_rules.py * Update test_all_rules.py --------- Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> Removed changes from: - rules/windows/credential_access_bruteforce_admin_account.toml - rules/windows/credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml - rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml - rules/windows/credential_access_dcsync_newterm_subjectuser.toml - rules/windows/credential_access_dcsync_replication_rights.toml - rules/windows/credential_access_disable_kerberos_preauth.toml - rules/windows/credential_access_ldap_attributes.toml - rules/windows/credential_access_lsass_memdump_handle_access.toml - rules/windows/credential_access_remote_sam_secretsdump.toml - rules/windows/credential_access_saved_creds_vault_winlog.toml - rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml - rules/windows/credential_access_shadow_credentials.toml - rules/windows/credential_access_spn_attribute_modified.toml - rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml - rules/windows/defense_evasion_clearing_windows_security_logs.toml - rules/windows/discovery_privileged_localgroup_membership.toml - rules/windows/execution_posh_hacktool_functions.toml - rules/windows/lateral_movement_remote_service_installed_winlog.toml - rules/windows/lateral_movement_remote_task_creation_winlog.toml - rules/windows/persistence_ad_adminsdholder.toml - rules/windows/persistence_dontexpirepasswd_account.toml - rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml - rules/windows/persistence_remote_password_reset.toml - rules/windows/persistence_scheduled_task_creation_winlog.toml - rules/windows/persistence_scheduled_task_updated.toml - rules/windows/persistence_sdprop_exclusion_dsheuristics.toml - rules/windows/persistence_service_windows_service_winlog.toml - rules/windows/persistence_temp_scheduled_task.toml - rules/windows/persistence_user_account_added_to_privileged_group_ad.toml - rules/windows/privilege_escalation_create_process_as_different_user.toml - rules/windows/privilege_escalation_credroaming_ldap.toml - rules/windows/privilege_escalation_group_policy_iniscript.toml - rules/windows/privilege_escalation_group_policy_privileged_groups.toml - rules/windows/privilege_escalation_group_policy_scheduled_task.toml - rules/windows/privilege_escalation_krbrelayup_service_creation.toml - rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml - rules/windows/privilege_escalation_suspicious_dnshostname_update.toml - rules/windows/privilege_escalation_windows_service_via_unusual_client.toml (selectively cherry picked from commit d017156)
protectionsmachine pushed a commit that referenced this pull request May 15, 2023
* [Proposal] [Rule Tuning] Make Intended rules compatible with Windows Forwarded Logs * Update tests/test_all_rules.py Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * Update test_all_rules.py * Update test_all_rules.py --------- Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> Removed changes from: - rules/windows/credential_access_dcsync_newterm_subjectuser.toml (selectively cherry picked from commit d017156)
protectionsmachine pushed a commit that referenced this pull request May 15, 2023
* [Proposal] [Rule Tuning] Make Intended rules compatible with Windows Forwarded Logs * Update tests/test_all_rules.py Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * Update test_all_rules.py * Update test_all_rules.py --------- Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> (cherry picked from commit d017156)
protectionsmachine pushed a commit that referenced this pull request May 15, 2023
* [Proposal] [Rule Tuning] Make Intended rules compatible with Windows Forwarded Logs * Update tests/test_all_rules.py Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * Update test_all_rules.py * Update test_all_rules.py --------- Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> (cherry picked from commit d017156)
protectionsmachine pushed a commit that referenced this pull request May 15, 2023
* [Proposal] [Rule Tuning] Make Intended rules compatible with Windows Forwarded Logs * Update tests/test_all_rules.py Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * Update test_all_rules.py * Update test_all_rules.py --------- Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> (cherry picked from commit d017156)
protectionsmachine pushed a commit that referenced this pull request May 15, 2023
* [Proposal] [Rule Tuning] Make Intended rules compatible with Windows Forwarded Logs * Update tests/test_all_rules.py Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * Update test_all_rules.py * Update test_all_rules.py --------- Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> (cherry picked from commit d017156)
protectionsmachine pushed a commit that referenced this pull request May 15, 2023
* [Proposal] [Rule Tuning] Make Intended rules compatible with Windows Forwarded Logs * Update tests/test_all_rules.py Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * Update test_all_rules.py * Update test_all_rules.py --------- Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> (cherry picked from commit d017156)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit. This suggestion is invalid because no changes were made to the code. Suggestions cannot be applied while the pull request is closed. Suggestions cannot be applied while viewing a subset of changes. Only one suggestion per line can be applied in a batch. Add this suggestion to a batch that can be applied as a single commit. Applying suggestions on deleted lines is not supported. You must change the existing code in this line in order to create a valid suggestion. Outdated suggestions cannot be applied. This suggestion has been applied or marked resolved. Suggestions cannot be applied from pending reviews. Suggestions cannot be applied on multi-line comments. Suggestions cannot be applied while the pull request is queued to merge. Suggestion cannot be applied right now. Please check back later.
Issues
Related to https://github.com/elastic/sdh-security-team/issues/595
Summary
With the change to enforce
host.os.typein all Windows rules in #2593 we ended up making some rules incompatible with Windows Forwarded Logs, this PR suggests an exception in the validation workflow and modifies the rules that would be interesting to work with the Windows Forwarded Logs (non-process related).