116a7de890
[New Rule] Adding Lateral Movement Rules from Advanced Analytic LMD Package ( #3119 )
...
* Adding Lateral Movement Detection rules
* added tags; adjusted tests; updated manifests and schemas
* added default value to build_integrations_schema
* combined analytic and non-dataset packages for related integrations
* adjusted machine learning definitions
* adjusted machine learning definitions
* removed splat for machine learning list due to 3.8 constraints
---------
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit 747ee7d593
2023-09-27 18:59:55 +00:00
7cb4c5216d
[New Rule] [BBR] File with Suspicious Extension Downloaded ( #3139 )
...
* [New Rule] [BBR] File with Suspicious Extension Downloaded
* Update defense_evasion_download_susp_extension.toml
(cherry picked from commit f77bec8552
2023-09-27 15:43:02 +00:00
07d80c2b70
[New RTA] Privesc via OverlayFS ( #3003 )
...
* [New RTA] Privesc via OverlayFS
* Update rta/overlayfs_privesc.py
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
(cherry picked from commit 6f7e419f1e
2023-09-27 08:51:15 +00:00
c27b0e26bd
update transform test to fail on missing transform ( #3085 )
...
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit f6b6bee5c2
2023-09-21 19:28:31 +00:00
80f16bb7ac
Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10 ( #3108 )
...
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10
* Update detection_rules/etc/version.lock.json
---------
Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit de2b97a492
2023-09-18 15:20:10 +00:00
18fb966776
[New Rule] Network Activity Detected via cat ( #3069 )
...
* [New Rule] Network Activity via cat
* Update command_and_control_cat_network_activity.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
(cherry picked from commit b291317ea6
2023-09-18 07:56:50 +00:00
f4ce48063c
[New Rule] Github Repository Deleted ( #3056 )
...
* new rule
* Update rules/integrations/github/impact_github_repository_deleted.toml
* Update rules/integrations/github/impact_github_repository_deleted.toml
updates based on review
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit 9146e0965d
2023-09-14 22:05:59 +00:00
09feb8b94f
[New Rule] GitHub Protected Branch Settings Changed ( #3054 )
...
* new rule file
* testing query change
* query changed back
* Update rules/integrations/github/defense_evasion_github_protected_branch_settings_changed.toml
updates based on review
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* updated integration manifests with github schema
* Update defense_evasion_github_protected_branch_settings_changed.toml
added event.dataset to query
* added timestamp_override
* changed timestamp_override to @timestamp
* changed timestamp_override
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
(cherry picked from commit 904e37b732
2023-09-14 21:25:40 +00:00
0bc9b126f6
Tunes Unusual Parent Process for cmd.exe rule to exclude oobe activity ( #3091 )
...
* Tunes Unusual Parent Process for cmd.exe rule to exclude oobe activity
When dllhost.exe is called with the "/Processid:{CA8C87C1-929D-45BA-94DB-EF8E6CB346AD}" argument it is creating an "OOBE Elevated Object Server" as per https://strontic.github.io/xcyclopedia/library/clsid_ca8c87c1-929d-45ba-94db-ef8e6cb346ad.html
Out of the box experience is part of the Windows autopilot and therefore should be legitimate behaviour.
* simplified detection logic by utilising process.parent.args
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
(cherry picked from commit ccfc931fbd
2023-09-13 16:56:38 +00:00
ab3a15861c
[Security Content] Add missing osquery transforms ( #3088 )
...
* [Security Content] Add missing osquery transforms
* Revertable unit test
* .
* Revert "Revertable unit test"
This reverts commit 8c909fc2712b16e062890a63f31a6c080b81244a.
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
(cherry picked from commit 4034436f06
2023-09-13 11:12:36 +00:00
711e0f3ab7
[New Rule] New BBR Rules - Part 2 ( #3029 )
...
* [New Rule] New BBR Rules - Part 2
* Update discovery_generic_account_groups.toml
* Update discovery_generic_account_groups.toml
* Update rules_building_block/defense_evasion_cmd_copy_binary_contents.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Update rules_building_block/execution_downloaded_shortcut_files.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Update rules_building_block/defense_evasion_cmd_copy_binary_contents.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules_building_block/defense_evasion_unusual_process_extension.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update defense_evasion_unusual_process_extension.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
(cherry picked from commit ddb1f75352
2023-09-13 00:54:52 +00:00
4b2112f4a0
[New Rule] New BBR Rules - Part 3 ( #3034 )
...
* [New Rule] New BBR Rules - Part 3
* Apply suggestions from code review
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit af99186992
2023-09-13 00:34:12 +00:00
fa494e4c46
[New Rule] Potential UDP Reverse Shell ( #2906 )
...
* [New Rule] Potential UDP Reverse Shell Detected
* Title change
* Update execution_shell_via_udp_cli_utility_linux.toml
* Update execution_shell_via_udp_cli_utility_linux.toml
* Update rules/linux/execution_shell_via_udp_cli_utility_linux.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* updated non-ecs-schema to update unmapped fields
* Update rules/linux/execution_shell_via_udp_cli_utility_linux.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Removed netcat, added destination ip list
* Update execution_shell_via_udp_cli_utility_linux.toml
* Added precautionary exclusions
* Update rules/linux/execution_shell_via_udp_cli_utility_linux.toml
* replaced schema files
* Update execution_shell_via_udp_cli_utility_linux.toml
* Update execution_shell_via_udp_cli_utility_linux.toml
* Update execution_shell_via_udp_cli_utility_linux.toml
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
(cherry picked from commit f8f3576971
2023-09-07 15:18:55 +00:00
63b817353a
[New Rule] Potential Meterpreter Reverse Shell ( #3007 )
...
* [New Rule] Potential Meterpreter Reverse Shell
* Update execution_shell_via_meterpreter_linux.toml
* Update execution_shell_via_meterpreter_linux.toml
* Update rules/linux/execution_shell_via_meterpreter_linux.toml
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
(cherry picked from commit 15e71ec2e8
2023-09-07 15:10:01 +00:00
49c7a9317e
[FR] Add support for samples in eql 0.9.18 ( #3000 )
...
(cherry picked from commit 20de1d8d1d
2023-09-07 14:07:20 +00:00
2e74d50950
Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10 ( #3079 )
...
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10
* Update detection_rules/etc/version.lock.json
---------
Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit 87af5b43ba
2023-09-06 17:26:57 +00:00
e9b1ebae3f
[New Rule] New BBR Rules - Part 5 ( #3052 )
...
* [New Rule] New BBR Rules - Part 5
* Apply suggestions from code review
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Tag work
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
(cherry picked from commit 3614f42b00
2023-09-05 21:42:38 +00:00
521ecdc6c4
[New Rule] New BBR Rules - Part 1 ( #3026 )
...
* [New Rule] New BBR Rules - Part 1
* Apply suggestions from code review
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Update rules_building_block/lateral_movement_at.toml
* Update rules_building_block/collection_outlook_email_archive.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
(cherry picked from commit 8049c96281
2023-09-05 21:14:06 +00:00
56e54e714c
[New Rule] Potential Masquerading as Business App Installer ( #3068 )
...
(cherry picked from commit 26c97dc241
2023-09-05 21:04:26 +00:00
7780167504
Added unit test ( #3038 )
...
* Added unit test
* removed print from unit test
* fixed linting
* Updated to put validation in init
* Updated for cleanliness
* removed Literal import
(cherry picked from commit 34ebcec679
2023-09-05 19:32:50 +00:00
063386829c
[Security Content] Include "Data Source: Elastic Defend" tag ( #3002 )
...
* win folder
* Other folders
* Update test_all_rules.py
* .
* updated missing elastic defend tags
---------
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co >
(cherry picked from commit 4233fef238
2023-09-05 18:28:40 +00:00
4bb0cdc3f3
[Rule Tuning] Small Linux DR Tuning ( #3074 )
...
* [Rule tuning] Adressing community issue
* Changed title
* Changed IG title
(cherry picked from commit 6115a68aba
2023-09-05 12:26:47 +00:00
bdda925921
label bbr rules ( #3067 )
...
(cherry picked from commit 811d1b7727
2023-08-31 22:06:24 +00:00
06e3367683
[New Rule] Sus User Privilege Enumeration via id ( #3049 )
...
(cherry picked from commit 3c64b454fb
2023-08-31 16:21:40 +00:00
6c074f21d8
[New Rule][BBR] WRITEDAC Access on Active Directory Object ( #3015 )
...
* [New Rule] WRITEDAC Access on Active Directory Object
* Update defense_evasion_write_dac_access.toml
* Fix Setup Instructions
* Update defense_evasion_write_dac_access.toml
* Update rules_building_block/defense_evasion_write_dac_access.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
(cherry picked from commit fdd45148b8
2023-08-31 16:04:58 +00:00
3926384446
[New Rules] GDB Secret Dumping ( #3060 )
...
* [New Rules] GDB Secret Dumping
* Added references to BBR
* Update rules/linux/credential_access_gdb_init_memory_dump.toml
* Update rules_building_block/credential_access_gdb_memory_dump.toml
* Update rules_building_block/credential_access_gdb_memory_dump.toml
* Update rules_building_block/credential_access_gdb_memory_dump.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
(cherry picked from commit f7d8d4752a
2023-08-31 15:47:30 +00:00
5c0ff8765b
[New Rule] File Creation, Exec and Self-Deletion ( #3045 )
...
* [New Rule] File Creation, Exec and Self-Deletion
* Update execution_file_execution_followed_by_deletion.toml
* Update execution_file_execution_followed_by_deletion.toml
* Update execution_file_execution_followed_by_deletion.toml
* Update execution_file_execution_followed_by_deletion.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
(cherry picked from commit b6ed215958
2023-08-31 15:38:03 +00:00
ba6952c242
[Rule Tuning] 3 tunings to reduce FPs ( #3058 )
...
* [Rule Tuning] 2 tunings to reduce FPs back to 0
* Added one more tune for community issue #3041
* Update rules/linux/execution_abnormal_process_id_file_created.toml
* Update rules/linux/execution_abnormal_process_id_file_created.toml
(cherry picked from commit 3588600d57
2023-08-31 15:22:59 +00:00
fb2fbf3589
[New Rule] Potential Disabling of AppArmor ( #3046 )
...
* [New Rule] Potential Disabling of AppArmor
* Update rules/linux/defense_evasion_disable_apparmor_attempt.toml
* Update rules/linux/defense_evasion_disable_apparmor_attempt.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
(cherry picked from commit 2eaaf27f1e
2023-08-31 15:12:41 +00:00
7b5897bad4
[New BBR] Suspicious which Enumeration ( #3059 )
...
(cherry picked from commit 04d1c3cd5b
2023-08-31 12:01:57 +00:00
ed6d73bba9
[New Rule] Binary Copied and/or Moved to Suspicious Directory ( #3048 )
...
* [New Rule] Binary Copied and/or Moved to sus dir
* Update rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
(cherry picked from commit d838a3352f
2023-08-31 11:52:20 +00:00
5857a47cd4
[New Rule] Potential Sudo Privilege Escalation via CVE-2019-14287 ( #3057 )
...
* [New Rule] Sudo PE via CVE-2019-14287
* Added Elastic Defend Data Source tag
* Update rules/linux/privilege_escalation_sudo_cve_2019_14287.toml
* Update rules/linux/privilege_escalation_sudo_cve_2019_14287.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
(cherry picked from commit a5b5d513af
2023-08-31 11:17:02 +00:00
dee3a5f61c
[New Rule] Suspicious Communication App Child Process ( #2998 )
...
* [New Rule] Suspicious Communication App Child Process
* Update defense_evasion_communication_apps_suspicious_child_process.toml
* Update rules_building_block/defense_evasion_communication_apps_suspicious_child_process.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
(cherry picked from commit c89b722a34
2023-08-31 10:38:57 +00:00
53ac388228
[New Rules] sus program compilation activity ( #3043 )
...
(cherry picked from commit a395f54054
2023-08-31 07:37:01 +00:00
ae1f704845
[New Rule] Potential Masquerading as VLC DLL ( #3006 )
...
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
(cherry picked from commit a7a22a0917
2023-08-30 20:51:39 +00:00
1da5bca492
[New Rules] Linux Tunneling and Port Forwarding ( #3028 )
...
* Removed iodine rule due to new tunneling rule
* [New Rules] Linux Tunneling and Port Forwarding
* added ash
* Fixed description styling
* Changed rule name
* Update command_and_control_linux_suspicious_proxychains_activity.toml
* Added deprecation note & name change
* Changed deprecation status
* Removed deprecation date
* Fixed unit testing
* Update rules_building_block/command_and_control_linux_ssh_x11_forwarding.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
(cherry picked from commit 32abdb95f7
2023-08-30 20:17:43 +00:00
4a4588c856
Tune rule for new DLL written to Windows Servicing ( #3062 )
...
(cherry picked from commit 41a7a36817
2023-08-30 16:57:00 +00:00
d45b693e20
[New Rule] Suspicious WMI Event Subscription Created ( #1860 )
...
* Suspicious WMI Event Subscription Initial rule
* Use EQL sequence
* Update non-ecs-schema
* Update persistence_sysmon_wmi_event_subscription.toml
* update description
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* update query too look for even code 21 only
* update to case sensitive compare
* Update rules/windows/persistence_sysmon_wmi_event_subscription.toml
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
* Update persistence_sysmon_wmi_event_subscription.toml
* Update non-ecs-schema.json
* Update rules/windows/persistence_sysmon_wmi_event_subscription.toml
* Update non-ecs-schema.json
* Update persistence_sysmon_wmi_event_subscription.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
(cherry picked from commit 6d7df50d78
2023-08-29 19:48:03 +00:00
374ac8ad1c
[New Rule] Unusual Process For MSSQL Service Accounts ( #3040 )
...
* [New Rule] Unusual Process For MSSQL Service Accounts
* Update initial_access_unusual_process_sql_accounts.toml
* Update initial_access_unusual_process_sql_accounts.toml
* Update collection_archive_data_zip_imageload.toml
* Update persistence_via_xp_cmdshell_mssql_stored_procedure.toml
* Update initial_access_unusual_process_sql_accounts.toml
* Update rules_building_block/initial_access_unusual_process_sql_accounts.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Update persistence_via_xp_cmdshell_mssql_stored_procedure.toml
added "vpnbridge.exe", "certutil.exe" and "bitsadmin.exe" to rule scope.
* Update persistence_via_xp_cmdshell_mssql_stored_procedure.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
(cherry picked from commit 7004c99ef5
2023-08-29 12:16:12 +00:00
154ee50051
[New Rule] New BBR Rules - Part 4 ( #3035 )
...
* [New Rule] New BBR Rules - Part 4
* Apply suggestions from code review
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit 0e337e2c36
2023-08-29 11:55:07 +00:00
520a670568
[New Rule] Potential Masquerading as Browser Process ( #2995 )
...
* [New Rule] Potential Masquerading as Browser Process
* Update rules_building_block/defense_evasion_masquerading_browsers.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Update defense_evasion_masquerading_browsers.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit 9f213cc9f7
2023-08-28 16:34:26 +00:00
d0d092a036
Update credential_access_lsass_openprocess_api.toml ( #3047 )
...
(cherry picked from commit 22931d6afb
2023-08-28 15:28:09 +00:00
112e2f2864
[New Rule] Potential Masquerading as Windows System32 DLL ( #3021 )
...
* [New Rule] Potential Masquerading as Windows System32 DLL
* Update rules_building_block/defense_evasion_masquerading_windows_dll.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Update rules_building_block/defense_evasion_masquerading_windows_dll.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Restrict logic
* Update defense_evasion_masquerading_windows_dll.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit 7496c5cb68
2023-08-28 11:37:53 +00:00
f00a14c3af
[New Rule] Network-Level Authentication (NLA) Disabled ( #3039 )
...
* [New Rule] Network-Level Authentication (NLA) Disabled
* Apply suggestions from code review
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
(cherry picked from commit ffa60f2d03
2023-08-28 11:11:26 +00:00
c067542e13
[Rule Tuning] High Number of Process and/or Service Terminations ( #2940 )
...
(cherry picked from commit de32287889
2023-08-25 22:25:19 +00:00
8aad7d7d02
BBR Rules Addition ( #3027 )
...
(cherry picked from commit d21ed24e4f
2023-08-25 13:45:51 +00:00
ed2daecb25
[Rule Tuning] Several rule tunings ( #3024 )
...
* [Rule Tuning] Several rule tunings
* Added 1 more
* optimized ransomware encryption rules
* Update rules/linux/impact_potential_linux_ransomware_file_encryption.toml
* Update rules/linux/impact_potential_linux_ransomware_note_detected.toml
* Added 2 more tunings based on todays telemetry
* Some tunings
* Tuning
* Tuning
* fixed user.id comparison
* Something went wrong with deprecation
* Something went wrong with deprecation
* Update rules/linux/impact_potential_linux_ransomware_file_encryption.toml
* Update rules/linux/discovery_linux_nping_activity.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/discovery_linux_hping_activity.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Dedeprecated the rule to deprecate later
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
(cherry picked from commit a1716bd673
2023-08-25 12:09:16 +00:00
939800bb03
[Rule Tuning] Threat Intel Hash Indicator Match ( #3031 )
...
* Remove impash matches due to rate of false positives
* Update rules/cross-platform/threat_intel_indicator_match_hash.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit 17d0e5cda8
2023-08-25 09:27:11 +00:00
a16735676f
[Rule Tuning] Windows BBR Rules ( #3018 )
...
* [Rule Tuning] Windows BBR Rules
* Update discovery_generic_process_discovery.toml
(cherry picked from commit 17f6537e44
2023-08-25 08:26:51 +00:00
38aca58b17
[Rule Tuning] Compression DLL Loaded by Unusual Process ( #3017 )
...
(cherry picked from commit 460919a9d7
2023-08-25 08:14:13 +00:00
Apoorva Joshi