
shashank-elastic
Contributor

@shashank-elastic shashank-elastic commented Sep 1, 2025

Pull Request

Issue link(s): Part of the release - https://github.com/elastic/ia-trade-team/issues/686

Summary - What I changed

  • Updated Latest Beats Schema
  • Updated Latest ECS Schema
  • Updated Latest API Schema
  • Updated rules with the latest ATT&CK data
python -m detection_rules dev attack update-rules
Loaded config file: /Users/shashankks/elastic_workspace/detection-rules/.detection-rules-cfg.json

█▀▀▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄   ▄      █▀▀▄ ▄  ▄ ▄   ▄▄▄ ▄▄▄
█  █ █▄▄  █  █▄▄ █    █   █  █ █ █▀▄ █      █▄▄▀ █  █ █   █▄▄ █▄▄
█▄▄▀ █▄▄  █  █▄▄ █▄▄  █  ▄█▄ █▄█ █ ▀▄█      █ ▀▄ █▄▄█ █▄▄ █▄▄ ▄▄█

'Potential DLL Side-Loading via Trusted Microsoft Programs' requires update - technique ID change for tactic 'Defense Evasion'
'Potential DLL Side-Loading via Microsoft Antimalware Service Executable' requires update - technique ID change for tactic 'Defense Evasion'
'Unsigned DLL Side-Loading from a Suspicious Folder' requires update - technique ID change for tactic 'Defense Evasion'
'Suspicious DLL Loaded for Persistence or Privilege Escalation' requires update - technique ID change for tactic 'Privilege Escalation'
'UAC Bypass Attempt via Privileged IFileOperation COM Interface' requires update - technique ID change for tactic 'Defense Evasion'
'Unsigned DLL Loaded by a Trusted Process' requires update - technique ID change for tactic 'Defense Evasion'
'Potential Masquerading as System32 DLL' requires update - technique ID change for tactic 'Defense Evasion'
  • Updated Latest Integrations Schemas and Manifests
python -m detection_rules dev integrations build-schemas
Loaded config file: /Users/shashankks/elastic_workspace/detection-rules/.detection-rules-cfg.json

█▀▀▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄   ▄      █▀▀▄ ▄  ▄ ▄   ▄▄▄ ▄▄▄
█  █ █▄▄  █  █▄▄ █    █   █  █ █ █▀▄ █      █▄▄▀ █  █ █   █▄▄ █▄▄
█▄▄▀ █▄▄  █  █▄▄ █▄▄  █  ▄█▄ █▄█ █ ▀▄█      █ ▀▄ █▄▄█ █▄▄ █▄▄ ▄▄█

Building integration schemas...
processing google_workspace
processing endpoint
processing aws_bedrock
processing crowdstrike
processing beaconing
processing ded
processing fim
processing apm
processing github
processing problemchild
processing cyberarkpas
processing ti_rapid7_threat_command
processing system
processing windows
processing jamf_protect
processing sentinel_one_cloud_funnel
processing lmd
processing panw
processing o365
processing aws
processing gcp
processing azure
processing auditd_manager
processing dga
processing kubernetes
processing okta
processing m365_defender
processing cloud_defend
processing network_traffic
processing pad
processing sysmon_linux
processing elastic_security
processing google_secops
processing microsoft_sentinel
processing splunk
processing sentinel_one
final integrations manifests dumped: /Users/shashankks/elastic_workspace/detection-rules/detection_rules/etc/integration-schemas.json.gz
Time taken to generate schemas: 1.44 minutes
  • Update Investigation Guides for Missing Rules

How To Test

  • Unit Test to Pass

Checklist

  • Added a label for the type of PR: bug, enhancement, schema, maintenance, Rule: New, Rule: Deprecation, Rule: Tuning, Hunt: New, or Hunt: Tuning so guidelines can be generated
  • Added the meta:rapid-merge label if planning to merge within 24 hours
  • Secret and sensitive material has been managed correctly
  • Automated testing was updated or added to match the most common scenarios
  • Documentation and comments were added for features that require explanation

Contributor checklist

Contributor

github-actions bot commented Sep 1, 2025

Enhancement - Guidelines

These guidelines serve as a reminder set of considerations when addressing adding a feature to the code.

Documentation and Context

  • Describe the feature enhancement in detail (alternative solutions, description of the solution, etc.) if not already documented in an issue.
  • Include additional context or screenshots.
  • Ensure the enhancement includes necessary updates to the documentation and versioning.

Code Standards and Practices

  • Code follows established design patterns within the repo and avoids duplication.
  • Ensure that the code is modular and reusable where applicable.

Testing

  • New unit tests have been added to cover the enhancement.
  • Existing unit tests have been updated to reflect the changes.
  • Provide evidence of testing and validating the enhancement (e.g., test logs, screenshots).
  • Validate that any rules affected by the enhancement are correctly updated.
  • Ensure that performance is not negatively impacted by the changes.
  • Verify that any release artifacts are properly generated and tested.
  • Conducted system testing, including fleet, import, and create APIs (e.g., run make test-cli, make test-remote-cli, make test-hunting-cli)

Additional Checks

  • Verify that the enhancement works across all relevant environments (e.g., different OS versions).
  • Confirm that the proper version label is applied to the PR: patch, minor, or major.

@tradebot-elastic

tradebot-elastic commented Sep 1, 2025

⛔️ Test failed

Results
  • ✅ Potential DLL Side-Loading via Microsoft Antimalware Service Executable (eql)
  • ✅ Potential DLL Side-Loading via Trusted Microsoft Programs (eql)
  • ❌ UAC Bypass Attempt via Privileged IFileOperation COM Interface (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious DLL Loaded for Persistence or Privilege Escalation (eql)
  • ❌ Unsigned DLL Side-Loading from a Suspicious Folder (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@tradebot-elastic

tradebot-elastic commented Sep 1, 2025

⛔️ Test failed

Results
  • ❌ Multi-Base64 Decoding Attempt from Suspicious Location (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Potential DLL Side-Loading via Microsoft Antimalware Service Executable (eql)
  • ✅ Potential DLL Side-Loading via Trusted Microsoft Programs (eql)
  • ❌ UAC Bypass Attempt via Privileged IFileOperation COM Interface (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Threat Intelligence Signal (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious DLL Loaded for Persistence or Privilege Escalation (eql)
  • ❌ Unsigned DLL Side-Loading from a Suspicious Folder (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@tradebot-elastic

tradebot-elastic commented Sep 1, 2025

⛔️ Test failed

Results
  • ❌ Multi-Base64 Decoding Attempt from Suspicious Location (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Potential DLL Side-Loading via Microsoft Antimalware Service Executable (eql)
  • ✅ Potential DLL Side-Loading via Trusted Microsoft Programs (eql)
  • ❌ UAC Bypass Attempt via Privileged IFileOperation COM Interface (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Threat Intelligence Signal (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious DLL Loaded for Persistence or Privilege Escalation (eql)
  • ❌ Unsigned DLL Side-Loading from a Suspicious Folder (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@tradebot-elastic

tradebot-elastic commented Sep 1, 2025

⛔️ Test failed

Results
  • ❌ Multi-Base64 Decoding Attempt from Suspicious Location (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Potential DLL Side-Loading via Microsoft Antimalware Service Executable (eql)
  • ✅ Potential DLL Side-Loading via Trusted Microsoft Programs (eql)
  • ❌ UAC Bypass Attempt via Privileged IFileOperation COM Interface (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Threat Intelligence Signal (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious DLL Loaded for Persistence or Privilege Escalation (eql)
  • ❌ Unsigned DLL Side-Loading from a Suspicious Folder (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@tradebot-elastic

tradebot-elastic commented Sep 1, 2025

⛔️ Test failed

Results
  • ❌ Multi-Base64 Decoding Attempt from Suspicious Location (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Potential DLL Side-Loading via Microsoft Antimalware Service Executable (eql)
  • ✅ Potential DLL Side-Loading via Trusted Microsoft Programs (eql)
  • ❌ UAC Bypass Attempt via Privileged IFileOperation COM Interface (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Threat Intelligence Signal (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious DLL Loaded for Persistence or Privilege Escalation (eql)
  • ❌ Unsigned DLL Side-Loading from a Suspicious Folder (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@shashank-elastic
Contributor Author

During the merge of the PR, no rules were missing

❯ python missing_guides.py
Loaded config file: /Users/shashankks/elastic_workspace/detection-rules/.detection-rules-cfg.json
All rules have the Investigation Guide
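The two maintenance steps in this PR (re-checking each rule's ATT&CK technique IDs after a framework update, and confirming every rule carries an investigation guide) can be reproduced in a few dozen lines. The block below is an added example written for this page; it is not code from the elastic/detection-rules project, and `attack update-rules` and `missing_guides.py` are not shown here. It assumes rules shaped like the `[rule]` table of a detection-rules TOML file (a `threat` list of tactic/technique entries and an optional `note` field holding the guide), and the revision map `ATTACK_REVISIONS` uses placeholder IDs (`T9001`, `T9002`, `T9003`) standing in for what the real ATT&CK STIX bundle exposes through `revoked_by` relationships and the `x_mitre_deprecated` flag.

```python
from __future__ import annotations

from typing import Any, Dict, List, Optional, Tuple

# Constructed revision map: technique ID -> successor ID, or None when the ID
# was deprecated with no replacement. The IDs are placeholders, not real
# ATT&CK techniques; a real run would derive this map from the STIX bundle.
ATTACK_REVISIONS: Dict[str, Optional[str]] = {
    "T9001.002": "T9001.001",  # placeholder: sub-technique merged into a sibling
    "T9002": None,             # placeholder: technique deprecated outright
}

# Constructed rules mirroring the [rule] table of a detection-rules TOML file.
RULES: List[Dict[str, Any]] = [
    {
        "name": "Example DLL Side-Loading Rule",
        "note": "## Triage and analysis\n\nInvestigate the loading process.",
        "threat": [
            {
                "framework": "MITRE ATT&CK",
                "tactic": {"id": "TA0005", "name": "Defense Evasion"},
                "technique": [
                    {
                        "id": "T9001",
                        "name": "Placeholder Hijacking",
                        "subtechnique": [
                            {"id": "T9001.002", "name": "Placeholder Side-Loading"}
                        ],
                    }
                ],
            }
        ],
    },
    {
        "name": "Example Rule Without Guide",  # no 'note' field at all
        "threat": [
            {
                "framework": "MITRE ATT&CK",
                "tactic": {"id": "TA0005", "name": "Defense Evasion"},
                "technique": [{"id": "T9002", "name": "Placeholder Deprecated"}],
            }
        ],
    },
    {
        "name": "Example Up-To-Date Rule",
        "note": "## Triage and analysis\n\nNothing to remap here.",
        "threat": [
            {
                "framework": "MITRE ATT&CK",
                "tactic": {"id": "TA0004", "name": "Privilege Escalation"},
                "technique": [{"id": "T9003", "name": "Placeholder Current"}],
            }
        ],
    },
]


def technique_updates(rule: Dict[str, Any]) -> List[Tuple[str, str, Optional[str]]]:
    """Return (tactic name, old ID, successor ID) for every technique or
    sub-technique in the rule that the revision map says has changed.
    The successor is None when the ID was deprecated with no replacement."""
    changes: List[Tuple[str, str, Optional[str]]] = []
    for entry in rule.get("threat", []):
        tactic = entry["tactic"]["name"]
        for tech in entry.get("technique", []):
            ids = [tech["id"]] + [sub["id"] for sub in tech.get("subtechnique", [])]
            for tid in ids:
                if tid in ATTACK_REVISIONS:
                    changes.append((tactic, tid, ATTACK_REVISIONS[tid]))
    return changes


def has_investigation_guide(rule: Dict[str, Any]) -> bool:
    """A rule has a guide when its 'note' field is present and non-blank."""
    return bool(rule.get("note", "").strip())


def audit(rules: List[Dict[str, Any]]) -> Dict[str, list]:
    """Run both checks over a rule set and collect the findings."""
    report: Dict[str, list] = {"needs_update": [], "missing_guide": []}
    for rule in rules:
        for tactic, old, new in technique_updates(rule):
            report["needs_update"].append((rule["name"], tactic, old, new))
        if not has_investigation_guide(rule):
            report["missing_guide"].append(rule["name"])
    return report


if __name__ == "__main__":
    result = audit(RULES)
    for name, tactic, old, new in result["needs_update"]:
        action = f"replace with {new}" if new else "deprecated, remap manually"
        print(f"'{name}' requires update - technique ID change for tactic '{tactic}' ({old}: {action})")
    if result["missing_guide"]:
        for name in result["missing_guide"]:
            print(f"'{name}' has no investigation guide")
    else:
        print("All rules have the Investigation Guide")
```

Deprecated IDs are reported separately from revoked ones on purpose: a revoked technique has a successor that can be substituted mechanically, while a deprecated one has none and the rule's threat mapping has to be re-evaluated by hand before the schema bump is merged.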

@shashank-elastic shashank-elastic merged commit 93ac471 into main Sep 1, 2025
16 of 20 checks passed
@shashank-elastic shashank-elastic deleted the monthly_schema_update branch September 1, 2025 15:12