f40a383b7e
[New Rules] Add MITRE ATLAS framework support and GenAI threat detection rules ( #5352 )
...
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2025-12-05 12:26:56 -06:00
634de61d6d
[FR] ES|QL remote validation support newline split indices ( #5356 )
...
* Updated regex pattern for multiline
* Add line split unit test
2025-12-03 11:50:51 -05:00
29d4aeb37a
[Bug] [DAC] Auto Gen Schema Fails on Certain Subqueries ( #5256 )
...
* Add alignment checking for sub-queries
* Allow field to be over written with original field
* Update rule prompt to allow for int 0 values
* Support custom schema index overwrite
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com >
2025-11-12 11:21:53 -05:00
c7246313f7
feat: ESQL query validation against Elastic cluster ( #4955 )
...
* Add remote ESQL validation
---------
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com >
Co-authored-by: eric-forte-elastic <eric.forte@elastic.co >
Co-authored-by: Mika Ayenson <mika.ayenson@elastic.co >
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com >
2025-10-15 15:17:07 -04:00
80c01cf665
[Bug] Annotated Fields Ignored ( #5125 )
...
* Add Note for stop gap
2025-09-17 17:34:42 -04:00
3c1de72f6b
[FR] Add support for 5 group_by fields in threshold rules (>=9.2) ( #5040 )
2025-09-04 09:24:36 -05:00
1dc3926203
[New Rules] External Promotion Alerts ( #4903 )
2025-07-31 11:00:50 -05:00
1fb60d6475
fix: type hinting fixes and additional code checks ( #4790 )
...
* first pass
* Adding a dedicated code checking workflow
* Type fixes
* linting config and python version bump
* Type hints
* Drop incorrect config option
* More fixes
* Style fixes
* CI adjustments
* Pyproject fixes
* CI & pyproject fixes
* Proper version bump
* Tests formatting
* Resolve cirtular dependency
* Test fixes
* Make sure the tests are formatted correctly
* Check tweaks
* Bumping python version in CI images
* Pin marshmallow do 3.x because 4.x is not supported
* License fix
* Convert path to str
* Making myself a codeowner
* Missing kwargs param
* Adding a missing kwargs to `set_score`
* Update .github/CODEOWNERS
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com >
* Dropping unnecessary raise
* Dropping skipped test
* Drop unnecessary var
* Drop unused commented-out func
* Disable typehinting for the whole func
* Update linting command
* Invalid type hist on the input param
* Incorrect field type
* Incorrect value used fix
* Stricter values check
* Simpler function call
* Type condition fix
* TOML formatter fix
* Simpligy output conditions
* Formatting
* Use proper types instead of aliases
* MITRE attack fixes
* Using pathlib.Path for an argument
* Use proper method to update a set from a dict
* First round of `ruff` fixes
* More fixes
* More fixes
* Hack against cyclic dependency
* Ignore `PLC0415`
* Remove unused markers
* Cleanup
* Fixing the incorrect condition
* Update .github/CODEOWNERS
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com >
* Set explicit default values for optional fields
* Update the guidelines
* Adding None Defaults
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com >
Co-authored-by: eric-forte-elastic <eric.forte@elastic.co >
2025-07-01 08:20:55 -05:00
364d9dd3bc
[New Rule] Threat Intel Email Indicator Match ( #4598 )
...
* [New Rule] Threat Intel Email Indicator Match
* Update threat_intel_indicator_match_email.toml
* Update pyproject.toml
* Adds IG
* Update rules/threat_intel/threat_intel_indicator_match_email.toml
* Update rules/threat_intel/threat_intel_indicator_match_email.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules/threat_intel/threat_intel_indicator_match_email.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
2025-04-22 12:15:36 -03:00
5ccb7ed4af
Min stack rules from 4516 ( #4549 )
2025-03-19 20:27:30 -04:00
5b3dc4a4a7
Revert "Add new ML detection rules for Privileged Access Detection ( #4516 )" ( #4548 )
...
This reverts commit 2ff8d1bb56
2025-03-19 20:08:08 -04:00
2ff8d1bb56
Add new ML detection rules for Privileged Access Detection ( #4516 )
...
Add detection-rules for privileged access detection integration
2025-03-19 11:02:28 -04:00
81292aee8a
[Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 1 ( #4220 )
...
* [Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 1
* Update Integrations unit tests
* Update test_all_rules.py
2024-11-04 11:32:22 -03:00
275c7288a3
Add testcase to check for related_integrations based on index ( #4096 )
2024-10-22 00:17:30 +05:30
5e0fb4a63e
[Tuning] Add logs-panw.panos index to Network rules ( #4089 )
...
* [Tuning] Add logs-panw.panos index to Network rules
https://github.com/elastic/detection-rules/issues/3998
This PR adds to the PANOS traffic index `.ds-logs-panw.panos-default-*` to the network rules using fields that are compatible.
* add tag and integration
* Update command_and_control_fin7_c2_behavior.toml
* Build Manifest and Schema for panw integration
* Update definitions.py
* Update definitions.py
* Fix definitions declaration
---------
Co-authored-by: Shashank K S <Shashank.Suryanarayana@elastic.co >
2024-09-19 08:01:44 +01:00
df1f0bc98e
[New Rule] Add Jamf Protect detection rules ( #4047 )
...
* Create privilege_escalation_user_added_to_admin_group.toml
* Update privilege_escalation_user_added_to_admin_group.toml
* Update privilege_escalation_user_added_to_admin_group.toml
* Adding pbpaste detection rule and minor adjustments to user added to group
* Update credential_access_high_volume_of_pbpaste.toml
* Update credential_access_high_volume_of_pbpaste.toml
* Adding two rules to validate our approach.
* Updated index to "logs-jamf_protect*"
* Update credential_access_high_volume_of_pbpaste.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update credential_access_high_volume_of_pbpaste.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update credential_access_high_volume_of_pbpaste.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update credential_access_high_volume_of_pbpaste.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update credential_access_high_volume_of_pbpaste.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update credential_access_high_volume_of_pbpaste.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update credential_access_high_volume_of_pbpaste.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/integrations/jamf/credential_access_high_volume_of_pbpaste.toml
* Update rules/integrations/jamf/credential_access_high_volume_of_pbpaste.toml
* Update rules/integrations/jamf/credential_access_high_volume_of_pbpaste.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/integrations/jamf/privilege_escalation_user_added_to_admin_group.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/integrations/jamf/privilege_escalation_user_added_to_admin_group.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/integrations/jamf/privilege_escalation_user_added_to_admin_group.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/integrations/jamf/privilege_escalation_user_added_to_admin_group.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Moved to rules/macos folder
* Removed rules from integration/jamf folder
* Update credential_access_high_volume_of_pbpaste.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update credential_access_high_volume_of_pbpaste.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update credential_access_high_volume_of_pbpaste.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update credential_access_high_volume_of_pbpaste.toml
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
* minstack rules and support jamf_protect non-dataset
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co >
2024-09-12 15:03:56 -05:00
47d7a3acaa
[DaC] Beta Release ( #3889 )
...
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
Co-authored-by: Mika Ayenson <mika.ayenson@elastic.co >
2024-08-06 18:07:12 -04:00
54d5b442cf
[Rule Tuning] Add Initial Microsoft Defender for Endpoint Compatibility to Windows DRs ( #3825 )
...
* [Rule Tuning] Add Initial Microsoft Defender for Endpoint Compatibility to Windows DRs
* .
* Update integration-schemas.json.gz
* Fix integration manifests
2024-06-26 11:06:27 -03:00
020ca4be24
[New Rule] Rapid7 Threat Command CVEs Correlation ( #3718 )
...
* new rule 'Rapid7 Threat Command CVEs Correlation'
* Update rules/threat_intel/threat_intel_rapid7_threat_command.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* updated threat index and tags
* changed 'indicator match' to 'threat match' for tags
* removed timeline
* updating integrations to match main
* re-adding rapid7 threat command integration manifest and schema
* reverting changes; removing timeline
* changed max signals to 10000
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
2024-06-12 18:01:44 -04:00
d023ad66b1
[Rule Tuning] Add Initial SentinelOne Compatibility to Windows DRs ( #3627 )
...
* [Rule Tuning] Add Initial SentinelOne Compatibility
* updated definitions.py; updated tags; fixed unit tests
* added prerelease versions for s1 integration; updated build CLI commands to allow prerelease; bumped min-stacks
* updating manifests and integrations
* fixing flake errors
* min_stack
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2024-05-20 09:50:57 -03:00
2ffb0e7fe2
[New Rule] Potential Abuse of Resources by High Token Count and Large Response Sizes ( #3644 )
2024-05-03 18:01:53 -05:00
fa75876322
[Bug] New Terms Rule Import Failing ( #3569 )
...
* initial patch
* Update definitions to allow for brackets in name
* Update to prompt for required fields.
* Update detection_rules/cli_utils.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2024-04-04 17:37:13 -04:00
67ca13c1ce
[Rule Tuning] Replace KQL exceptions for Query DSL Exceptions ( #3505 )
...
* [Rule Tuning] Replace KQL exceptions for Query DSL Exceptions
* update min_stack
* build out schema in more detail for Filters
* Update detection_rules/rule.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
* Remove enum for definition
* remove unused import
* remove $state store
* transform state
* add call to super
* add return type hint
* use dataclass metadata
* use Literal type
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2024-04-01 17:44:50 -03:00
a637bcec38
[FR] NON_DATASET_PACKAGE list & Data Source tag for Auditd_manager ( #3430 )
...
* [FR] Add Auditd_Manager to NON_DATASET_PACKAGE
* Changed alphabetical order
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2024-02-19 09:37:02 +01:00
c3ca01ebcc
[FR] Add support for Threshold Alert Suppression ( #3433 )
2024-02-12 09:55:46 -06:00
7514c0a206
[FR] Add Support for ES|QL Rule Type and Remote Validation ( #3281 )
...
* add suuport for esql type
* add unit tests
* set clients in RemoteConnector from auth methods
* thread remote rules; add engine test
* Add versions to remote validation results
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com >
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
2023-12-08 12:46:28 -07:00
aeb1f91320
[Security Content] Introduce Investigate Plugin in Investigation Guides ( #3080 )
...
* [Security Content] Introduce Investigate Plugin in Investigation Guides
* Add compatibility note
* Update Transform format
* update transform unit tests for investigate
* updated docs with transform
---------
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com >
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
2023-12-08 11:54:40 -07:00
bc39c20eaf
FR] Add Core Support for ES|QL Rule Type ( #3292 )
2023-11-28 13:03:09 -06:00
93ad4b0959
Add UEBA Tag ( #3277 )
2023-11-20 13:51:13 -06:00
d0b0216362
[FR] Support missing events ( #3153 )
2023-10-31 16:20:52 -05:00
a808130390
Cleanup saved_query references ( #3205 )
2023-10-26 18:07:33 -05:00
3ab57fb8a7
[FR] Adding Support for missing_field_strategy Field in Alert Suppression ( #3201 )
...
* adding missing field strategy option to alert suppression
* fixed linting errors
* added validate methods for alertsuppression dataclass
* fixed linting errors
* replaced old variable with new variable
* removing test rule
* adding post_load to queryruledata
* changed post_load to validates_schema
* updated unit testing for alert suppression
* fixed linting errors
* changed validates method name to validates_exceptions
* removed min compat for fields
2023-10-19 18:16:54 -04:00
7f8a9849c4
[New Rule] File Compressed or Archived into Common Format ( #3173 )
...
* [New Rule] File Compressed or Archived into Common Format
* new build-threat-map-entry-command
---------
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-10-11 11:34:34 -07:00
747ee7d593
[New Rule] Adding Lateral Movement Rules from Advanced Analytic LMD Package ( #3119 )
...
* Adding Lateral Movement Detection rules
* added tags; adjusted tests; updated manifests and schemas
* added default value to build_integrations_schema
* combined analytic and non-dataset packages for related integrations
* adjusted machine learning definitions
* adjusted machine learning definitions
* removed splat for machine learning list due to 3.8 constraints
---------
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2023-09-27 14:53:38 -04:00
20de1d8d1d
[FR] Add support for samples in eql 0.9.18 ( #3000 )
2023-09-07 09:01:28 -05:00
3f9e7aced1
[Bug] Strip Non-Public Fields Prior to Uploading Rules ( #2986 )
2023-08-02 12:38:48 -05:00
2ff4584456
load unsupported rule type from schema ( #2893 )
2023-06-29 15:32:32 -04:00
cec41b4072
[FR Build a limited compatible rule ndjson for older stacks ( #2885 )
2023-06-29 10:18:24 -04:00
a7e605a0e5
[Rule Tuning] [BUG] Revert PowerShell Query modifications from #2823 ( #2889 )
...
* Revert query mods done in https://github.com/elastic/detection-rules/pull/2823
* Add exception to unit test
* fixed linting
* proper linting fix
* updated to add to definitions.py
* fix linting
---------
Co-authored-by: eric-forte-elastic <eric.forte@elastic.co >
2023-06-28 15:55:43 -03:00
48cf95c8eb
[Rule Tuning] Change Network Rules to Use Network Packet Capture Integration ( #2665 )
...
* updated indexes and updated dates
* added network_traffic integration tag to rules
* reverting changes to resolve conflicts
* metadata changes; indexes changed; schemas and manifest updated
* updated default telnet port connection rule
* updating integration manifests
* adjusted rules; updated integrations; deduplicate packages
2023-06-26 17:35:49 -04:00
d829b145ef
[Bug] Fix Tag Navigator Generation ( #2875 )
...
* bug fix for tag navigator generation
* addressing flake errors
* added unit test to ensure prefix exists
* updated unit test case sensitivity
* moved expected tags to definitions.py
* removed expected prefixes
* revert downloadable updates JSON file
2023-06-23 10:44:55 -04:00
6449cecd08
[FR] Add support for building block rules (BBR) ( #2822 )
...
* added test bbr
* initial implementation
* Added Unit test and exempted bbr from integrations
* fixed linting
* Add schema validation to building block rules
* add separate error messages
* fixed linting
* Add testing bbr validation
* fixed linting
* Add default values
* fixed linting
* added defaults
* fixed linting
* cleaned up test rule
* removed .gitkeep
* read .gitkeep
* Switch to using validates_schema
* addressing some linting
* fixed linting
* Update detection_rules/schemas/definitions.py
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* add env variable check
* fix skip function
* updated name
* Update detection_rules/schemas/definitions.py
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Add bbr validation unit test
* Clean up comments
* fix linting
* Move convert time to utils
* Moved to rules_building_block
* Add check for only bbr in bbr dir
* fix linting
* additional linting fix
* Changed to bbr rule loader
* fixed bbr default
* Updated error messages and README
* fixed more linting
* Updating root level README
* Fixed convert_time_span calls
* fixed typo in unit test logic and updated txt
* fixed error message
* updated comment for clarity
* Update detection_rules/rule.py
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update detection_rules/rule.py
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Updated validation methods for clarity
* fix doctring location
* Fixed typo
* updated error messages.
* removed excess whitespace
* Add per rule bypass
* Add single rule bypass
* Split unit tests
* Update detection_rules/rule.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
* Update detection_rules/rule.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2023-06-20 09:00:30 -04:00
792da36fb9
[Bug] Add Cloud Defend to definitions.NON_DATASET_PACKAGES ( #2764 )
...
* updating code to include cloud defend package
* updated integration manifests and schemas
2023-04-28 11:23:48 -04:00
7e28b8fc50
[FR] Support Rule Alert Suppression in Rule Schema ( #2660 )
...
* adding initial solution for alert suppression support in rule schema
* reverting rule changes
* fixing flake errors
* reverting rule changes
* adding unit tests
* addressing flake errors
* Update detection_rules/rule.py
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update detection_rules/schemas/definitions.py
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* adjusting rule.py after commits
* adjusted test_group_field_in_schemas to check integrations
* Update detection_rules/rule.py
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update detection_rules/rule.py
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* nested AlertSuppressDuration class under mapping class
* adjusted dataclass naming
* added unit test to ensure rule is KQL
* fixing flake errors
* added docstrings
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
2023-03-27 15:37:35 -04:00
1784429aa7
[FR] Add Integration Schema Query Validation ( #2470 )
2023-02-02 16:22:44 -05:00
0acbe1d832
[New Rule] Multiple Alerts Involving a User ( #2401 )
...
* [New Rule] Multiple Alerts Involving a User
* Update definitions.py
* update query
* Update multiple_alerts_involving_user.toml
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-01-03 12:25:40 -03:00
7e459dd585
[FR] Add support for New Terms Fields and Window Start History ( #2360 )
...
* adding support new_terms_fields and window_start_history
* adjusted rule.py to address flake errors
* added assertion error if history_window_start does not exist
* removed sample rule
* removed self.rule_id from DataValidator
* added new_terms to RuleType
* changed new terms to its own class in rule.py
* removed nonexisting function call in DataValidator class
* adjusted new_terms field value in dataclass
* changed literal type for history_window_start; view-rule working
* removing test TOML rule
* addressed flake errors for missing newlines
* added validation option and adjusted object referencing
* adjusted validation method call in post_validation
* addressed flake errors for multiple spaces
* added transform method to NewTermsRuleData class
* added validation for min stack version and new terms array length restraints
* added validation for unique new terms array
* Update detection_rules/rule.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
* removed historywindowstart definition and adjusted subclass
* removed test rule from commit
* adjusted if/else for data transform method check
* adjusted stack-schema-map; validation method name
* Update detection_rules/rule.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
* added assertion for history_window_start field value
* added variables for feature min stack and extended field min stack
* Update detection_rules/rule.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
* Update detection_rules/rule.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
* addressed flake errors for continuation line with same indent
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2022-12-05 14:07:33 -05:00
a7caa4baf3
[New Rule] Multiple Alerts in Different ATT&CK Tactics on a Single Host ( #2399 )
...
* [New Rule] Multiple Alerts in Different ATT&CK Tactics on a Single Host
* Update definitions.py
* Update rules/cross-platform/multiple_alerts_different_tactics_host.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2022-11-18 17:38:27 -03:00
744f56d98e
[Bug] resolves bug in Rule version methods ( #2021 )
...
* [Bug] resolves bug in Rule version methods
* comment out unused code with notes
2022-06-07 15:40:46 -08:00
22679e16d2
Add delta command to determine changes to endpoint rules between tags ( #1943 )
...
* update git tag loader to be compatible with lock validation
* add diff command
* default to query for missing rules
2022-05-03 12:30:11 -08:00
Mika Ayenson, PhD