dc05f1d8f3
[New Rule] Sus Network Activity from Unknown Executable ( #2856 )
...
* [New Rule] Sus Network Activity from Unknown Executable
* Update command_and_control_suspicious_network_activity_from_unknown_executable.toml
* Update rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* added endgame support, changed min stack comment
* Update rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-06-14 23:27:29 +02:00
b4a218ed1c
[New Rule] Shared Object Created ( #2848 )
...
* [New Rule] Shared Object Created or Changed
* Removed sub technique
* Update rules/linux/persistence_shared_object_creation.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* changed description slightly
* Update rules/linux/persistence_shared_object_creation.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/persistence_shared_object_creation.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* added T1574.006
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-06-13 22:51:07 +02:00
4f9f28c370
[New Rules] Cron Job / Systemd Service Creation ( #2847 )
...
* [New Rules] Cron Job/Systemd Service Creation
* Added execution to tags
* Added additional EndGame Support
* Update rules/linux/persistence_cron_job_creation.toml
Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com >
* Update rules/linux/persistence_systemd_service_creation.toml
Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com >
---------
Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com >
2023-06-13 09:44:44 +02:00
644d2f5b26
[New Rule] New Systemd Timer Created ( #2601 )
...
* [New Rule] New Systemd Timer Created
* improve query runtime performance
* added process.name entries for alert reduction
* attempt to fix gh unit testing failure
* added host.os.type==linux to fix unit test error
* Added OSQuery to investigation guides
* added additional process names
* removed investigation guides to add in future PR
* removed investigation guide tag
* Changed rule to new_terms rule to reduce FPs
* fixed query
* formatting fix
* Learnt another thing about KQL.. Formatting fix.
* unit test fix
* Update rules/linux/persistence_systemd_scheduled_timer_created.toml
Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com >
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com >
2023-06-13 09:15:47 +02:00
05aac4f371
[Security Content] Add Investigation Guides to Windows rules ( #2678 )
...
* [Security Content] Add Investigation Guides to Windows rules
* Update privilege_escalation_service_control_spawned_script_int.toml
* Update execution_reverse_shell_via_named_pipe.toml
* Apply suggestions from code review
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Apply suggestions from code review
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com >
* Apply suggestions from code review
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update execution_command_prompt_connecting_to_the_internet.toml
---------
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com >
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
2023-05-26 10:25:41 -03:00
0d5e25e896
[Rule Tuning] Interactive Terminal Spawned via Python ( #2781 )
...
* [Rule Tuning] Interactive Terminal Spawned via Python
* Update execution_python_tty_shell.toml
* Update execution_python_tty_shell.toml
* Apply suggestions from code review
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2023-05-26 10:19:35 -03:00
54c5c17aa3
[Rule Tuning & Addition] Potential Linux SSH Brute Force ( #2583 )
...
* [Rule tuning & Addition] SSH Bruteforce
* Update rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* fixed rule_id change, added additional cidr match
* added host.os.type==linux
* Update credential_access_potential_linux_ssh_bruteforce_internal.toml
* Formatting style change
* Update rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Added related rules suggestion
* Added related rule suggestion
* added additional internal ip ranges
* added additional internal ip ranges
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-05-25 12:00:44 +02:00
9ebffb44ff
[New Rules] Ransomware Encryption & Note Creation ( #2652 )
...
* [New Rules] Ransomware Encryption & Note Creation
* changed description
* Update rules/linux/impact_potential_linux_ransomware_file_encryption.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/impact_potential_linux_ransomware_file_encryption.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/impact_potential_linux_ransomware_note_detected.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2023-05-16 11:30:00 +02:00
1293365a7f
Rule to detect Potential Linux Credential Dumping via Proc Filesystem ( #2751 )
2023-05-05 22:23:15 +05:30
26258f806a
[New Rules] Persistence through MOTD ( #2608 )
...
* [New Rules] Persistence through MOTD
* fixed unit error test by adding timestamp_override
* Update rules/linux/persistence_message_of_the_day_execution.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules/linux/persistence_message_of_the_day_creation.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* added host.os.type == "linux"
* removed ability to bypass chmod by using e.g. 700
* Added endgame support, changed query
* Changed query
* updated risk_score
* added OSQuery to investigation guides
* Update rules/linux/persistence_message_of_the_day_creation.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/persistence_message_of_the_day_creation.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/persistence_message_of_the_day_creation.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/persistence_message_of_the_day_creation.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/persistence_message_of_the_day_creation.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/persistence_message_of_the_day_creation.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* removed investigation guides to add in future PR
* removed investigation guide tag
* Changed rule to new terms rule for FP reduction
* Update rules/linux/persistence_message_of_the_day_creation.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2023-05-05 10:29:15 +02:00
1aea1ee9bb
[New rule] Sus File Creation in init.d for Persistence Detected ( #2653 )
...
* [New Rule] Init.d File and Service Creation
* Changed rule name
* [New Rule] Sus File Creation init.d Persistence
* Added Endgame compatibility
* added touch
* Added OSQuery to investigation guide
* added additional processes
* removed investigation guide to add in sep PR
* changed rule name
* removed investigation guide tag
* Update rules/linux/persistence_init_d_file_creation.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/persistence_init_d_file_creation.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/persistence_init_d_file_creation.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/persistence_init_d_file_creation.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/persistence_init_d_file_creation.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update persistence_init_d_file_creation.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2023-05-05 09:54:42 +02:00
09719dd0c5
[Rule Tuning] Potential Shell via Web Server ( #2585 )
...
* tuned web shell logic, and converted to EQL
* Removed old, created new rule to bypass "type" bug
* Revert "Removed old, created new rule to bypass "type" bug"
This reverts commit e994b62ecb838f73fa56d145e529169ebd2f5133.
* Revert "tuned web shell logic, and converted to EQL"
This reverts commit 28bda94b846cbb4ae1a084e707db2b6df458a7ca.
* Deprecated old rule, added new
* formatting fix
* removed endgame index
* Fixed changes captured as edited, not created
* Update rules/linux/persistence_shell_activity_through_web_server.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* fix conflict
* added host.os.type==linux for unit testing
* removed wildcards in process.args
* Update rules/linux/persistence_shell_activity_via_web_server.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* fixed conflict by changing file name and changes
* Trying to resolve the GH conflict
* attempt to fix GH conflict #2
* Update persistence_shell_activity_by_web_server.toml
* Added endgame support
* Added OSQuery to investigation guide
* Update rules/linux/persistence_linux_shell_activity_via_web_server.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/persistence_linux_shell_activity_via_web_server.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* removed investigation guide to add in future PR
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-05-05 09:47:49 +02:00
855ba16299
Linux Rule Tuning ( #2753 )
2023-05-02 19:12:13 +05:30
cd5bc2c44b
Update file path regex for /run ( #2749 )
2023-04-26 14:02:16 +05:30
0107e0fcaa
Detect Threat indicators for VMware ESXi servers ( #2708 )
2023-04-25 20:17:16 +05:30
2996c79ff4
Detect Mount Execution With Hidepid Parameter ( #2706 )
2023-04-22 08:00:30 +05:30
2705df81e2
Tune Shell evasion Rule to incorporate GTFOArgs shell evasion ( #2687 )
2023-04-20 18:35:18 +05:30
f7aa477536
Correct Event Action to include endgame event schema ( #2610 )
2023-04-20 17:28:01 +05:30
94baa89ea8
New Rule to identify defense evasion via PRoot ( #2625 )
2023-04-20 17:14:01 +05:30
0d1fca454a
New Rule: Suspicious Mining Process Creation Event ( #2531 )
...
* New Rule: Suspicious Mining Process Creation Event
* added host.os.type==linux
* trying to fix unit testing
* Revert "trying to fix unit testing"
This reverts commit ab3f371300fa400baa287b54e5f38b4855fc6512.
* unit testing fix attempt
* Revert "unit testing fix attempt"
This reverts commit 8b59343a5923a004423cf665b167611ef0129a9d.
* added endgame support
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-03-21 16:35:25 +01:00
eab30d7456
[Rule Tuning] Namespace Manipulation Using Unshare ( #2599 )
...
* [Rule Tuning] Namespace Manipulation Using Unshare
* reverted updated_date change
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-03-20 07:36:47 -03:00
672211500c
[Rule Fix] Privileged SSH Brute Force Detected ( #2595 )
2023-03-14 15:42:58 -04:00
f52a744259
[New Rule] RC Script Creation ( #2607 )
...
* [New Rule] RC Script Creation
* fixed unit testing error
* Update rules/linux/persistence_rc_script_creation.toml
* Update rules/linux/persistence_rc_script_creation.toml
* Update rules/linux/persistence_rc_script_creation.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* added host.os.type==linux
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2023-03-14 15:03:41 -04:00
1a5bc7e924
[Rule Tuning] Abnormal PID or Lock File Created ( #2600 )
2023-03-14 14:37:00 -04:00
59da2da474
[Rule Tuning] Ensure host information is in endpoint rule queries ( #2593 )
...
* add unit tests to ensure host type and platform are included
* add host.os.name 'linux' to all linux rules
* add host.os.name macos to mac rules
* add host.os.name to windows rules; fix linux dates
* update from host.os.name to host.os.type
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-03-05 11:41:19 -07:00
5f83433ecb
New Rule to identify potential linux credential dumping ( #2604 )
2023-03-01 21:00:02 +05:30
539cd945a9
New Rule to identify iptables or firewall disabling. ( #2591 )
2023-03-01 17:14:45 +05:30
66359012c3
[Rule Tuning] Potential Shadow File Read via CLI ( #2594 )
2023-02-28 18:26:38 +01:00
1784429aa7
[FR] Add Integration Schema Query Validation ( #2470 )
2023-02-02 16:22:44 -05:00
8e02c60ef6
[Rule Tuning] Enclose Rule Conditions within Parenthesis ( #2486 )
2023-01-31 16:56:19 -03:00
e737b4eb7c
[Tuning] added T1021.006 and T1563.001 ( #2497 )
...
* Update lateral_movement_incoming_winrm_shell_execution.toml
* Update lateral_movement_powershell_remoting_target.toml
* Update persistence_ssh_authorized_keys_modification.toml
* Update persistence_credential_access_modify_ssh_binaries.toml
* Update credential_access_potential_linux_ssh_bruteforce_root.toml
* Update persistence_ssh_authorized_keys_modification.toml
* Update persistence_ssh_authorized_keys_modification.toml
* Update persistence_ssh_authorized_keys_modification.toml
2023-01-27 19:51:22 +00:00
77c8665f11
[Rule Tuning] Add endgame support for Linux Rules ( #2436 )
...
* [Rule Tuning] Add endgame support for Linux Rules
* [Rule Tuning] Add endgame support for Linux Rules
* .
* Update persistence_insmod_kernel_module_load.toml
2023-01-23 20:53:15 -03:00
9981cca275
[Security Content] Investigation Guides Line breaks refactor ( #2454 )
...
* [Security Content] Investigation Guides Line breaks refactor (#2412 )
* [Security Content] Investigation Guides Line break refactor
* undo updated_date bump on deprecated rules
* Remove duplicated key
* Remove changes to deprecated rules
* Update command_and_control_certutil_network_connection.toml
2023-01-09 13:28:10 -03:00
b1a689b6fd
Revert "[Security Content] Investigation Guides Line breaks refactor ( #2412 )" ( #2453 )
...
This reverts commit d1481e1a88
2023-01-09 10:44:54 -05:00
d1481e1a88
[Security Content] Investigation Guides Line breaks refactor ( #2412 )
...
* [Security Content] Investigation Guides Line break refactor
* undo updated_date bump on deprecated rules
* Remove duplicated key
2023-01-09 11:56:39 -03:00
896a25bc0f
Refactor file path name ( #2452 )
2023-01-05 22:10:55 +05:30
4312d8c958
[FR] Add Endpoint, APM and Windows Integration Tags to Rules and Supportability ( #2429 )
...
* initial commit
* addressing flake errors
* added apm to _get_packagted_integrations logic
* addressed flake errors
* adjusted integration schema and updated rules to be a list
* updated several rules and removed a unit test
* updated rules with logs-* only index patterns
* Update tests/test_all_rules.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
* addressed flake errors
* integration is none is windows, endpoint or apm
* adding rules with accepted incoming changes from main
* fixed tag and tactic alignment errors from unit testing
* adjusted unit testing logic for integration tags; added more exclusion rules
* adjusted test_integration logic to be rule resistent and skip if -8.3
* adjusted comments for unit test skip
* fixed merge conflicts from main
* changing test_integration_tag to remove logic for rule version comparisons
* added integration tag to new rule
* adjusted rules updated_date value
* ignore guided onboarding rule in unit tests
* added integration tag to new rule
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2023-01-04 09:30:07 -05:00
ae4e59ec7d
[FR] Update ATT&CK Package to v12.1 ( #2422 )
...
* initial update to v12.1 attack package
* added additional click echo output
* addressed flake errors
* updated rules with refreshed att&ck data
* Update detection_rules/devtools.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2022-12-16 12:04:20 -05:00
1637f2dc79
[Rule Tuning] Shadow File Read via Command Line Utilities ( #2403 )
...
* Update privilege_escalation_shadow_file_read.toml
description update, name update, query update, tags update, MITRE update
* Update privilege_escalation_shadow_file_read.toml
edited order of MITRE
* changed file name to match credential_access as primary tactic
changed file name to match credential_access as primary tactic
* excluded common executables, not related to "read", based on telemetry
excluded common executables, not related to "read", based on telemetry
* update cred access reference MITRE
* toml-lint file for final validation
* Rename credential_access_shadow_file_access.toml to privilege_escalation_shadow_file_access.toml
revert name back to privilege_escalation...
* Rename privilege_escalation_shadow_file_access.toml to privilege_escalation_shadow_file_read.toml
* update update_date
* Changed primary tactic back to privilege_escalation to match rule name
Changed primary tactic back to privilege_escalation to match rule name
2022-11-21 11:25:39 -05:00
ac01718bb6
[Rule Tuning] Add tags to flag Sysmon-only rules & Modify Investigation Guide-related tag ( #2352 )
...
* [Rule Tuning] Add tags to flag Sysmon-only rules
* Modify tags
* Revert "Modify tags"
This reverts commit 3d9267d171a41f727bb499501d71d5c4db4f0434.
* Modify tags
* Update test_all_rules.py
* Update test_all_rules.py
* Update test_all_rules.py
* Update test_all_rules.py
* Update test_all_rules.py
2022-11-18 12:32:27 -03:00
8766a23ad6
Rule Tuning as part of 8.6 ( #2398 )
2022-11-17 22:55:39 +05:30
64dd305867
adding new rule File Transfer or Listener Established via Netcat ( #2395 )
2022-11-15 09:37:35 -05:00
cc03899a2c
[New Rule] Reverse Shell Created via Named Pipe ( #2396 )
...
* adding new rule Reverse Shell Created via Named Pipe
* added event.type start to first sequence
2022-11-15 09:27:44 -05:00
4997f95300
[Rule Tuning] Link Elastic Security Labs content to compatible rules ( #2388 )
...
* added elastic security labs URL references
* Update rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml
Is not compatible with Windows blog.
* Update rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml
Is not compatible with Windows blog. Reverting updated date.
* Update rules/macos/credential_access_access_to_browser_credentials_procargs.toml
Is not compatible with Windows blog. Reverting updated date.
* Update rules/macos/credential_access_access_to_browser_credentials_procargs.toml
Is not compatible with Windows blog.
* Update rules/ml/execution_ml_windows_anomalous_script.toml
Is not compatible with Windows blog. Reverting updated date.
* Update rules/linux/credential_access_collection_sensitive_files.toml
Not compatible with Windows blog. Reverting updated date.
* Update rules/linux/credential_access_collection_sensitive_files.toml
Not compatible with Windows blog.
* added credential access URL for mimikatz rules
* updated version ml windows anomalous script rule
* removed change to macOS rule since no blog correlation
2022-11-07 15:17:49 -05:00
8478d959f4
[Rule Tuning] System Log File Deletion ( #2362 )
...
* [Rule Tuning] Indicator Removal on Host
-adding subtechnique
-adding additional log files (boot.log, kern.log)
* Update defense_evasion_log_files_deleted.toml
update subtechnique name after failed test
2022-10-18 09:11:27 -04:00
bd46e892f1
add "Windows Azure Linux Agent"'s pid file to list ( #2328 )
...
* add "Windows Azure Linux Agent"'s pid file to list
https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/agent-linux
this tool is default installed on azure linux hosts, can resolve my problem as an exception and have but the tool is common enough in cloud environments that it deserves inclusion.
* Update execution_abnormal_process_id_file_created.toml
* Update rules/linux/execution_abnormal_process_id_file_created.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
2022-10-13 16:53:35 -03:00
9861958833
[Security Content] Add missing "has_guide" tag ( #2349 )
...
* Add missing "has_guide" tag
* bump updated_date
2022-10-11 06:30:19 -07:00
f5c992b6de
[Security Content] Add Investigation Guides - 2 - 8.5 ( #2314 )
...
* [Security Content] Add Investigation Guides - 2 - 8.5
* Update rules/windows/lateral_movement_execution_via_file_shares_sequence.toml
* Merge branch 'main' into investigation_guides_8.5_2
* Revert "Merge branch 'main' into investigation_guides_8.5_2"
This reverts commit fb3c3f0245301d49229534d8776478c32f6c190e.
* Apply suggested changes from review
* Update discovery_security_software_grep.toml
* Apply suggestions from review
* Apply suggestions from review
2022-09-26 12:59:39 -03:00
b00de3e445
[Rule Tuning] adjust duplicate ssh brute force rule names and add unit test ( #2321 )
...
* added unit test for duplicate rule names
* adjusted macos file name and updated date values
* removed unit test and added assertion error in rule loader
* addressed flake errors
* addressed flake errors
* Update rules/linux/credential_access_potential_linux_ssh_bruteforce.toml
2022-09-26 10:04:38 -04:00
ec04a39413
[Security Content] Tag rules with robust Investigation Guides ( #2297 )
2022-09-23 14:20:32 -03:00
Ruben Groenewoud