Add rule docs for 8.3 rule changes #2083

Merged
merged 3 commits into from
Jun 22, 2022

Conversation

terrancedejesus
Contributor

@terrancedejesus terrancedejesus commented Jun 20, 2022

Security Doc updates for rule changes in 8.3.

🚨 Security content review from the following PRs has made its way into these security docs for this release, so the rules listed below should not need much review, if any at all.

PRs:

Rule Names:

  • Clearing Windows Console History
  • Clearing Windows Event Log
  • Windows Event Logs Cleared
  • Disable Windows Event and Security Logs Using Built-in Tools
  • Enable Host Network Discovery via Netsh
  • Windows Firewall Disabled via PowerShell
  • Execution of File Written or Modified by Microsoft Office
  • Execution of File Written or Modified by PDF Reader
  • Potential Lateral Tool Transfer via SMB Share (Renamed from: "Lateral Tool Transfer")
  • Account configured with never Expiring Password
  • Exporting Exchange Mailbox via PowerShell
  • Suspicious Process from Conhost
  • Windows Defender Disabled via Registry Modification
  • Disabling Windows Defender Security Settings via PowerShell
  • Microsoft Windows Defender Tampering
  • Suspicious .NET Reflection via PowerShell
  • PowerShell Suspicious Payload Encoded and Compressed
  • Suspicious PDF Reader Child Process
  • Suspicious PowerShell Engine ImageLoad
  • Conhost Spawned By Suspicious Parent Process
  • Enumeration of Administrator Accounts
  • Account Discovery Command via SYSTEM Account (Also renames the file to match the new title)
  • File and Directory Discovery
  • Windows Network Enumeration
  • Peripheral Device Discovery
  • External IP Lookup from Non-Browser Process
  • Enumeration of Privileged Local Groups Membership
  • Remote System Discovery Commands
  • Security Software Discovery using WMIC
  • Whoami Process Activity

Contributor

@w0rk3r w0rk3r left a comment

LGTM

@terrancedejesus terrancedejesus linked an issue Jun 20, 2022 that may be closed by this pull request
@jmikell821 jmikell821 merged commit 6edadae into main Jun 22, 2022
mergify bot pushed a commit that referenced this pull request Jun 22, 2022
* updating pre-existing pre-built detection rule security docs with newly generated

* updating generate file dictionary reference

Co-authored-by: Janeen Mikell-Straughn <[email protected]>
(cherry picked from commit 6edadae)
jmikell821 pushed a commit that referenced this pull request Jun 22, 2022
* updating pre-existing pre-built detection rule security docs with newly generated

* updating generate file dictionary reference

Co-authored-by: Janeen Mikell-Straughn <[email protected]>
(cherry picked from commit 6edadae)

Co-authored-by: Terrance DeJesus <[email protected]>
@terrancedejesus terrancedejesus deleted the rule-updates-for-8.3.0 branch September 18, 2023 22:28
Labels

  • Feature: Prebuilt rules
  • Team: Detections/Response (Detections and Response)
  • trade-artifacts (Issues related to TRADE artifact building and releasing)
  • v8.3.0
Development

Successfully merging this pull request may close these issues.

[BUG] Key Error in version.create_documentation