CRL_1700 ES Macros #278
…s to use this new macro, removing ES dependency
baselines/discover_dns_records was not updated correctly
detections/dns_evilginx_subdomains.yml needs to be fixed
detections/dns_record_changed.yml needs to be updated
detections/dyn_dns_web_traffic.yml
detections/no_win_updates_in_timeframe.yml
investigations/first_occurrence_mac_address.yml
detections/ec2_instance_started_with_previously_unseen_ami.yml
detections/large_icmp_outbound.yml
detections/cloud_compute_instance_created_by_previously_unseen_user.yml
detections/new_aws_console_login_by_user.yml
Updated as per dorsey's feedback, fixed some other files too. Updated searches for naming consistency as well, while I was at it.
@trogdorsey : Can you perhaps review this? Want to make sure I didn't miss anything.
@patel-bhavin @trogdorsey : Should the macro security_content_ctime not be independent from ctime (not use ctime)? Otherwise, ES needs to be installed to run our searches. In my opinion we need to put the content of ctime in the macro and not a reference to ctime.
@patel-bhavin I found an issue with the comment macro (which is used for empty pre and post filter). If you want to run the search in any app besides search, the searches will fail because the comment macro is shared only inside the search app. We should ship with a config which makes the comment macro globally accessible.
@P4T12ICK : removed the comment macro all together after chatting with @d1vious |
security_content_ctime: replacing the ctime macro across all content
security_content_summariesonly: replacing the summariesonly macro across all content
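To make the two points raised in the thread concrete (a macro that merely references the ES `ctime` macro still needs ES installed, and a macro only visible inside the search app breaks searches run from other apps), here is an illustrative Splunk `macros.conf` and `default.meta`. This is an added example, not the project's actual configuration; the time format, the `summariesonly` defaults and the stanza names are assumptions, not copied from the repository.

```ini
# macros.conf (illustration; not the project's own file)

# Weak form, shown commented out: the macro only forwards to the ES `ctime`
# macro, so any search using it fails on a Splunk instance without
# Enterprise Security installed.
# [security_content_ctime(1)]
# args = field
# definition = `ctime($field$)`

# Self-contained form: the conversion is written out in the macro itself,
# so the search no longer depends on ES. The exact timeformat is an assumption.
[security_content_ctime(1)]
args = field
definition = convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$)

# Same idea for summariesonly: carry the datamodel options in our own macro
# instead of calling the ES `summariesonly` macro. Defaults are an assumption.
[security_content_summariesonly]
definition = summariesonly=false allow_old_summaries=true

# default.meta (illustration): macros defined in this app are private to it
# unless exported. Exporting them system-wide is what makes a macro such as
# `comment` usable from other apps, which is the scoping problem described above.
[macros]
export = system
```

A quick way to check the first point is to run one of the detections on a test instance that has the content app but not ES: with the forwarding form it errors on the unresolved `ctime` macro, with the inlined form it runs. The PR itself resolved the `comment` macro issue by removing that macro rather than exporting it, so the `default.meta` stanza is shown only to illustrate the visibility rule.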