Terrance DeJesus

[New Rule] Adding Coverage for AWS Temporary User Session Token Used from Multiple Addresses

1

# Pull Request *Issue link(s)*: * https://github.com/elastic/ia-trade-team/issues/585 ## Summary - What I changed Adds detection coverage for `AWS STS Temporary IAM Session Token Used from Multiple Addresses`. Identified via ByBit/SafeWallet...

[New Rule] Adding Coverage for `AWS S3 Static Site JavaScript File Uploaded`

1

# Pull Request *Issue link(s)*: * https://github.com/elastic/ia-trade-team/issues/585 ## Summary - What I changed Adds coverage for static JS file uploads to AWS S3 buckets. This is a signal for potential...

[New Rule] Adding Coverage for `AWS CLI with Kali Linux Fingerprint Identified`

1

# Pull Request *Issue link(s)*: * https://github.com/elastic/ia-trade-team/issues/585 ## Summary - What I changed Adds detection coverage for AWS CLI or SDK (Boto3) usage with Kali Linux fingerprint as well. Identifies...

[New Rule] Adding Coverage for `AWS IAM Virtual MFA Device Registration`

1

# Pull Request *Issue link(s)*: * https://github.com/elastic/ia-trade-team/issues/585 ## Summary - What I changed Adds detection coverage for AWS MFA device registration attempts with temporary credentials (user session tokens). Identifies attempts...

[New Rule] Adding Coverage for `AWS IAM or STS API Calls via Temporary Session Tokens`

1

# Pull Request *Issue link(s)*: * https://github.com/elastic/ia-trade-team/issues/585 ## Summary - What I changed Adds detection coverage for `AWS IAM or STS API Calls via Temporary Session Tokens`. Detects use of...

[FR] Add details and export options for dev package-stats command

4

**Is your feature request related to a problem? Please describe.** This feature request is not related to a problem, it is more of a small enhancement to current capabilities. Within...

## Related * https://github.com/elastic/detection-rules/pull/3316 ## Summary As discussed and shown in #3316, the use of `*` wildcards in certain field types fail semantic validation via the KQL parser library, but...

[FR] CI Job to Sync ES|QL Custom Fields with Prebuilt Filterlist for Telemetry

3

### Repository Feature Core Repo - (rule management, validation, testing, lib, cicd, etc.) ### Problem Description At the moment, when using ES|QL for writing detection rule queries, often we use...

[New Rule] Google Workspace Suspicious File Type Downloads from Drive Followed by Execution

1

## Summary Google released from research into Google Workspace being used for C2, specifically involving Drive where file types are Sheets, Golang and PE. Reference: https://services.google.com/fh/files/blogs/gcat_threathorizons_full_apr2023.pdf Tool: https://github.com/looCiprian/GC2-sheet With the...

[New Rule] Google Sheets C2 Detection Review (Voldemort)

2

### Description Review detection coverage for C2 via Google Sheets from recent "Voldemort" campaign. ### Target Ruleset windows ### Target Rule Type Event Correlation (EQL) ### Tested ECS Version _No...