From 11d0ba92b02896d9752032bb7b2dbee897e136fe Mon Sep 17 00:00:00 2001 From: Mathieu Bellon Date: Tue, 17 Oct 2023 15:39:19 +0200 Subject: [PATCH 1/6] Vade Cloud: remove Beta --- _shared_content/automate/library/vade-cloud.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/_shared_content/automate/library/vade-cloud.md b/_shared_content/automate/library/vade-cloud.md index cda055b842..ab49a26f75 100644 --- a/_shared_content/automate/library/vade-cloud.md +++ b/_shared_content/automate/library/vade-cloud.md @@ -2,8 +2,6 @@ ![Vade Cloud](/assets/playbooks/library/vade-cloud.png){ align=right width=150 } - - ## Configuration | Name | Type | Description | @@ -14,7 +12,7 @@ ## Triggers -### [BETA] Fetch new logs from Vade Cloud +### Fetch new logs from Vade Cloud Get last logs from the Vade Cloud platform From 86b6a5bc62c0613a70173b945965387ce88d79c1 Mon Sep 17 00:00:00 2001 From: Mathieu Bellon Date: Tue, 17 Oct 2023 15:44:27 +0200 Subject: [PATCH 2/6] Rename Crowdstrike Telemetry From Crowdstrike Telemetry to CrowdStrike Falcon Telemetry --- ...owdstrike_telemetry.md => crowdstrike_falcon_telemetry.md} | 4 ++-- mkdocs.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) rename docs/xdr/features/collect/integrations/endpoint/{crowdstrike_telemetry.md => crowdstrike_falcon_telemetry.md} (93%) diff --git a/docs/xdr/features/collect/integrations/endpoint/crowdstrike_telemetry.md b/docs/xdr/features/collect/integrations/endpoint/crowdstrike_falcon_telemetry.md similarity index 93% rename from docs/xdr/features/collect/integrations/endpoint/crowdstrike_telemetry.md rename to docs/xdr/features/collect/integrations/endpoint/crowdstrike_falcon_telemetry.md index 24b274aac8..9b60e8a94e 100644 --- a/docs/xdr/features/collect/integrations/endpoint/crowdstrike_telemetry.md +++ b/docs/xdr/features/collect/integrations/endpoint/crowdstrike_falcon_telemetry.md 
@@ -1,5 +1,5 @@ uuid: 10999b99-9a8d-4b92-9fbd-01e3fac01cd5 -name: CrowdStrike Telemetry +name: CrowdStrike Falcon Telemetry type: intake ## Overview @@ -34,7 +34,7 @@ To set up the integration: ### Create the intake -Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a new intake from the format `CrowdStrike Telemetry`. Copy the intake key. +Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a new intake from the format `CrowdStrike Falcon Telemetry`. Copy the intake key. ### Pull events diff --git a/mkdocs.yml b/mkdocs.yml index 8b5a488ae6..7fbb2df290 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -151,7 +151,7 @@ nav: - Auditbeat Linux: xdr/features/collect/integrations/endpoint/auditbeat_linux.md - Winlogbeat: xdr/features/collect/integrations/endpoint/winlogbeat.md - CrowdStrike Falcon: xdr/features/collect/integrations/endpoint/crowdstrike_falcon.md - - CrowdStrike Telemetry: xdr/features/collect/integrations/endpoint/crowdstrike_telemetry.md + - CrowdStrike Falcon Telemetry: xdr/features/collect/integrations/endpoint/crowdstrike_falcon_telemetry.md - Cybereason MalOp: xdr/features/collect/integrations/endpoint/cybereason_malop.md - Cybereason MalOp activity: xdr/features/collect/integrations/endpoint/cybereason_malop_activity.md - Darktrace Threat Visualizer: xdr/features/collect/integrations/endpoint/darktrace_threat_visualizer.md From e21dcca3cc3d34fcc3bbde48ae2d62b9f236d100 Mon Sep 17 00:00:00 2001 From: Mathieu Bellon Date: Tue, 17 Oct 2023 15:57:02 +0200 Subject: [PATCH 3/6] AWS Guardduty: Remove beta label --- .../collect/integrations/cloud_and_saas/aws/aws_guardduty.md | 3 --- 1 file changed, 3 deletions(-) diff --git a/docs/xdr/features/collect/integrations/cloud_and_saas/aws/aws_guardduty.md b/docs/xdr/features/collect/integrations/cloud_and_saas/aws/aws_guardduty.md index 1c9c84788e..dfff372abe 100644 --- a/docs/xdr/features/collect/integrations/cloud_and_saas/aws/aws_guardduty.md 
+++ b/docs/xdr/features/collect/integrations/cloud_and_saas/aws/aws_guardduty.md @@ -5,9 +5,6 @@ type: intake ## Overview AWS GuardDuty is a service that detects potential security issues within your network. -!!! warning - Important note - This format is currently in beta. We highly value your feedback to improve its performance. - {!_shared_content/operations_center/detection/generated/suggested_rules_3e060900-4004-4754-a597-d2944a601930_do_not_edit_manually.md!} {!_shared_content/operations_center/integrations/generated/3e060900-4004-4754-a597-d2944a601930.md!} From 59ad17c5e6f67ca245b20f108efe56fa8c56dec2 Mon Sep 17 00:00:00 2001 From: Mathieu Bellon Date: Tue, 17 Oct 2023 16:04:15 +0200 Subject: [PATCH 4/6] Rename Citrix to Citrix Netscaler / ADC --- ...b-a9b0-467c-97d1-588319e39d71_do_not_edit_manually.json | 2 +- ...ceb-a9b0-467c-97d1-588319e39d71_do_not_edit_manually.md | 4 ++-- .../network/{citrix_adc.md => citrix_netscaler_adc.md} | 7 ++----- mkdocs.yml | 2 +- 4 files changed, 6 insertions(+), 9 deletions(-) rename docs/xdr/features/collect/integrations/network/{citrix_adc.md => citrix_netscaler_adc.md} (86%) diff --git a/_shared_content/operations_center/detection/generated/attack_02a74ceb-a9b0-467c-97d1-588319e39d71_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_02a74ceb-a9b0-467c-97d1-588319e39d71_do_not_edit_manually.json index 56abd65ea6..bf94cd884e 100644 --- a/_shared_content/operations_center/detection/generated/attack_02a74ceb-a9b0-467c-97d1-588319e39d71_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_02a74ceb-a9b0-467c-97d1-588319e39d71_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Citrix NetScaler / ADC [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-21985 VMware vCenter, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-1147 SharePoint, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2018-11776 Apache Struts2, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: 
ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Citrix NetScaler / ADC", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-21985 VMware vCenter, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-1147 SharePoint, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2018-11776 Apache Struts2, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, 
"comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}]} \ No newline at end of file 
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_02a74ceb-a9b0-467c-97d1-588319e39d71_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_02a74ceb-a9b0-467c-97d1-588319e39d71_do_not_edit_manually.md index 0d62f17903..ab7397c527 100644 --- a/_shared_content/operations_center/detection/generated/suggested_rules_02a74ceb-a9b0-467c-97d1-588319e39d71_do_not_edit_manually.md +++ b/_shared_content/operations_center/detection/generated/suggested_rules_02a74ceb-a9b0-467c-97d1-588319e39d71_do_not_edit_manually.md 
@@ -1,8 +1,8 @@ ## Related Built-in Rules -The following Sekoia.io built-in rules match the intake **Citrix NetScaler / ADC [BETA]**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake. +The following Sekoia.io built-in rules match the intake **Citrix NetScaler / ADC**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake. -[SEKOIA.IO x Citrix NetScaler / ADC [BETA] on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_02a74ceb-a9b0-467c-97d1-588319e39d71_do_not_edit_manually.json){ .md-button } +[SEKOIA.IO x Citrix NetScaler / ADC on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_02a74ceb-a9b0-467c-97d1-588319e39d71_do_not_edit_manually.json){ .md-button } ??? abstract "CVE-2018-11776 Apache Struts2" Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then: results are used with no namespace and in same time, its upper package have no or wildcard namespace and similar to results, same possibility when using url tag which doesn't have value and action set and in same time, its upper package have no or wildcard namespace. 
diff --git a/docs/xdr/features/collect/integrations/network/citrix_adc.md b/docs/xdr/features/collect/integrations/network/citrix_netscaler_adc.md similarity index 86% rename from docs/xdr/features/collect/integrations/network/citrix_adc.md rename to docs/xdr/features/collect/integrations/network/citrix_netscaler_adc.md index 8e699d51a0..aaa02de321 100644 --- a/docs/xdr/features/collect/integrations/network/citrix_adc.md +++ b/docs/xdr/features/collect/integrations/network/citrix_netscaler_adc.md @@ -1,13 +1,10 @@ uuid: 02a74ceb-a9b0-467c-97d1-588319e39d71 -name: Citrix ADC +name: Citrix NetScaler / ADC type: intake ## Overview -Citrix ADC (formely Citrix NetScaler) is a delivery controller and load-balancing tool that offers enhanced security and application performance. - -!!! warning - Important note - This format is currently in beta. We highly value your feedback to improve its performance. +Citrix NetScaler / ADC (formely Citrix NetScaler) is a delivery controller and load-balancing tool that offers enhanced security and application performance. {!_shared_content/operations_center/detection/generated/suggested_rules_02a74ceb-a9b0-467c-97d1-588319e39d71_do_not_edit_manually.md!} diff --git a/mkdocs.yml b/mkdocs.yml index 7fbb2df290..5b77d60c3c 100644 --- a/mkdocs.yml +++ b/mkdocs.yml 
@@ -188,7 +188,7 @@ nav: - Cisco Identity Services Engine (ISE): xdr/features/collect/integrations/network/cisco/cisco_identity_services_engine_ise.md - Cisco NX-OS: xdr/features/collect/integrations/network/cisco/cisco_nx_os.md - Cisco Meraki MX: xdr/features/collect/integrations/network/cisco/cisco_meraki_mx.md - - Citrix ADC: xdr/features/collect/integrations/network/citrix_adc.md + - Citrix Netscaler / ADC: xdr/features/collect/integrations/network/citrix_netscaler_adc.md - Gatewatcher AionIQ: xdr/features/collect/integrations/network/gatewatcher_aioniq.md - F5 BIG-IP: xdr/features/collect/integrations/network/f5-big-ip.md - Forcepoint Secure Web Gateway: xdr/features/collect/integrations/network/forcepoint_web_gateway.md From dc57cfcb0d11c9b7895868527f525bef615f1aec Mon Sep 17 00:00:00 2001 From: Mathieu Bellon Date: Tue, 17 Oct 2023 16:05:37 +0200 Subject: [PATCH 5/6] Salesforce: remove Beta --- _shared_content/automate/library/salesforce.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_shared_content/automate/library/salesforce.md b/_shared_content/automate/library/salesforce.md index f763c0a007..f0e5aea5da 100644 --- a/_shared_content/automate/library/salesforce.md +++ b/_shared_content/automate/library/salesforce.md @@ -14,7 +14,7 @@ Salesforce provides users comprehensive tools to manage customer data, automate ## Triggers -### [BETA] Collect Salesforce events +### Collect Salesforce events Trigger playbook to get Salesforce information From 0d4c39930ec2aa35739a69671054ecf6b5701722 Mon Sep 17 00:00:00 2001 From: Mathieu Bellon Date: Tue, 17 Oct 2023 16:06:11 +0200 Subject: [PATCH 6/6] Varonis Data Security: Remove Beta label --- .../collect/integrations/network/varonis_data_security.md | 4 ---- 1 file changed, 4 deletions(-) diff --git a/docs/xdr/features/collect/integrations/network/varonis_data_security.md b/docs/xdr/features/collect/integrations/network/varonis_data_security.md index bbf7c7cf20..33a8c2eed9 100644 
--- a/docs/xdr/features/collect/integrations/network/varonis_data_security.md +++ b/docs/xdr/features/collect/integrations/network/varonis_data_security.md @@ -6,10 +6,6 @@ type: intake Varonis offers solutions to track and protect data. - -!!! warning - Important note - This format is currently in beta. We highly value your feedback to improve its performance. - {!_shared_content/operations_center/detection/generated/suggested_rules_7b75d498-4a65-4d44-aa81-31090d723a60_do_not_edit_manually.md!} {!_shared_content/operations_center/integrations/generated/7b75d498-4a65-4d44-aa81-31090d723a60.md!}
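Review bot: In patch 2/6, the rename of `crowdstrike_telemetry.md` to `crowdstrike_falcon_telemetry.md` changes the published URL of the page while keeping the same intake uuid; the mkdocs.yml nav hunk is updated, but nothing in the series adds a redirect from the old path or checks for other pages linking to `endpoint/crowdstrike_telemetry.md`. Suggest grepping the docs for the old path and, if the site supports redirects, mapping the old URL to the new one so existing bookmarks and external links to this intake keep working.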
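Review bot: In patch 4/6, the hunk on `attack_02a74ceb-..._do_not_edit_manually.json` (and the companion `suggested_rules_02a74ceb-..._do_not_edit_manually.md` hunk) edits files whose names mark them as generated; if the `[BETA]` suffix was dropped by hand here rather than by re-running the generator from the intake's source name, the next regeneration will reintroduce it. Suggest confirming the change was produced by the generator, or that the intake name it reads from no longer carries `[BETA]`, and noting this in the commit message.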
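Review bot: In patch 4/6, the `citrix_netscaler_adc.md` hunk produces the sentence `+Citrix NetScaler / ADC (formely Citrix NetScaler) is a delivery controller ...`, which is now self-referential because the new name already contains "NetScaler", and it carries over the pre-existing misspelling "formely". Suggest dropping the parenthetical, e.g. `Citrix NetScaler / ADC is a delivery controller and load-balancing tool ...`, or if the history is worth keeping, writing "formerly" correctly and naming only the product name that is actually old.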
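Review bot: In patch 4/6, the mkdocs.yml nav hunk adds the label `- Citrix Netscaler / ADC: xdr/features/collect/integrations/network/citrix_netscaler_adc.md`, but the same commit names the intake `Citrix NetScaler / ADC` (capital S) in the page front matter, the generated JSON layer and the suggested-rules markdown. Suggest using `Citrix NetScaler / ADC` in the nav as well so the sidebar entry matches the page title and the vendor's spelling. The same rename also changes the page URL from `citrix_adc.md` to `citrix_netscaler_adc.md` with no redirect; worth checking for inbound links as with the CrowdStrike rename in patch 2/6.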