security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
2,050 Commits 1 Branch 0 Tags
23ce41d8affbb060811b6282fdceb75b19f736d1
Commit Graph

1465 Commits

Author SHA1 Message Date
Isai 23ce41d8af [New Rule] AWS GetCallerIdentity API Called for the First Time (#3711) 
* [New Rule] AWS GetCallerIdentity API Called for the First Time

issue

* Apply suggestions from code review

name change, false positive additions, remove Setup, change new_terms window from 15d to 10d

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/aws/discovery_new_terms_sts_getcalleridentity.toml

fixed missing closing quotes

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2024-05-31 17:55:06 -04:00
shashank-elastic 418a95205e Remove unwanted backticks (#3724) 2024-05-31 21:46:24 +05:30
James Valente 34294fbe6d Add exceptions to brute force threshold rule. (#3712) 
High volume, machine generated failures or MFA interruptions have been added to the rule.

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2024-05-30 10:12:36 +02:00
Gus Carlock 8b28a515c1 Update rule setup instructions for UEBA packages (#3652) 
* update detection-rules instructions for UEBA packages

---------

Co-authored-by: Susan <23287722+susan-shu-c@users.noreply.github.com>
 2024-05-28 14:21:46 -05:00
Terrance DeJesus d5c57463e1 [New Rule] First Occurrence of AWS Resource Starting SSM Session to EC2 Instance (#3598) 
* new rule 'First Occurrence of AWS Resource Starting SSM Session to EC2 Instance'

* added investigation guide

* changed file name to match tactic

* changed reference

* updated tags

* updated investigation notes

* changed new terms value; adjusted rule name
 2024-05-28 11:23:17 -04:00
Terrance DeJesus 527f785a60 [New Rule] AWS EC2 VPC Security Group Rule Added for Any Address or Remote Access Ports (#3599) 
* new rule 'AWS EC2 VPC Security Group Rule Added for Any Address or Remote Access Ports'

* updated rule name

* changed file name; added false-positive note

* changed rule UUID

* adjusted file name

* updated tags

* added investigation guide; updated query logic

* Update rules/integrations/aws/defense_evasion_vpc_security_group_ingress_rule_added_for_remote_connections.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* updated query and name

* updated query optimization

---------

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
 2024-05-28 10:49:20 -04:00
Ruben Groenewoud 390629da4e [New Rule & Tunings] Linux Springtail Backdoor (#3692) 
* [New Rules and Tuning] Springtail backdoor

* consistency formatting

* update

* unit testing formatting change

* Update persistence_systemd_service_started.toml

* Update persistence_systemd_service_started.toml

* Update command_and_control_suspicious_network_activity_from_unknown_executable.toml
 2024-05-24 10:10:11 +02:00
Samirbous 603f3c313a Update impact_high_freq_file_renames_by_kernel.toml (#3707) 2024-05-23 17:59:58 +01:00
shashank-elastic 63e91c2f12 Back-porting Version Trimming (#3704) 2024-05-23 00:45:10 +05:30
Mika Ayenson 2c3dbfc039 Revert "Back-porting Version Trimming (#3681)" 
This reverts commit 71d2c59b5c.
 2024-05-22 13:51:46 -05:00
shashank-elastic 71d2c59b5c Back-porting Version Trimming (#3681) 2024-05-23 00:11:50 +05:30
Mika Ayenson 58ba0713fe [New Rule] AWS S3 Bucket Expiration Lifecycle Configuration Added (#3700) 
* new rule 'AWS S3 Bucket Expiration Lifecycle Configuration Added'

* added investigation guide

* updated query logic

---------

Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2024-05-21 16:33:17 -05:00
Mika Ayenson ed0038ee1d Revert "[New Rule] AWS S3 Bucket Expiration Lifecycle Configuration Added (#3591)" 
This reverts commit 137b74c3aa.
 2024-05-21 15:53:02 -05:00
Terrance DeJesus 137b74c3aa [New Rule] AWS S3 Bucket Expiration Lifecycle Configuration Added (#3591) 
* new rule 'AWS S3 Bucket Expiration Lifecycle Configuration Added'

* added investigation guide

* updated query logic
 2024-05-20 16:15:46 -04:00
Justin Ibarra ce21acef9c [Bug] Fix test_os_and_platform_in_query test and rules (#3695) 
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
 2024-05-20 08:43:30 -07:00
Jonhnathan d023ad66b1 [Rule Tuning] Add Initial SentinelOne Compatibility to Windows DRs (#3627) 
* [Rule Tuning] Add Initial SentinelOne Compatibility

* updated definitions.py; updated tags; fixed unit tests

* added prerelease versions for s1 integration; updated build CLI commands to allow prerelease; bumped min-stacks

* updating manifests and integrations

* fixing flake errors

* min_stack

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2024-05-20 09:50:57 -03:00
Samirbous ec27bf8545 Update credential_access_suspicious_web_browser_sensitive_file_access.toml (#3691) 2024-05-17 21:30:16 -07:00
Samirbous f0b226c2b0 [Tuning] Suspicious Microsoft 365 Mail Access by ClientAppId (#3677) 
* Update initial_access_microsoft_365_abnormal_clientappid.toml

* Update initial_access_microsoft_365_abnormal_clientappid.toml

* Update initial_access_microsoft_365_abnormal_clientappid.toml

* Update initial_access_microsoft_365_abnormal_clientappid.toml

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2024-05-15 18:11:49 +01:00
Jonhnathan 0eef7f62ff [Rule Tuning] Windows Service Installed via an Unusual Client (#3671) 
* [Rule Tuning] Windows Service Installed via an Unusual Client

* Update privilege_escalation_windows_service_via_unusual_client.toml

* Update rules/windows/privilege_escalation_windows_service_via_unusual_client.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2024-05-15 10:31:44 -03:00
Mika Ayenson f07a9e6fbc [FR] Add max_signal note, unit test, and rule tuning (#3669) 2024-05-14 11:15:12 -05:00
Terrance DeJesus 2375297879 [New Rule] Route53 Resolver Query Log Configuration Deleted (#3592) 
* new rule 'Route53 Resolver Query Log Configuration Deleted'

* added investigation guide

* adjusted investigation notes

* Update rules/integrations/aws/defense_evasion_route53_dns_query_resolver_config_deletion.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2024-05-14 10:24:20 -04:00
Samirbous a1ef8c9fc0 [New] Unusual Execution via Microsoft Common Console File (#3663) 
* [New] Unusual Execution via Microsoft Common Console File

https://www.genians.co.kr/blog/threat_intelligence/facebook

* Update rules/windows/execution_initial_access_via_msc_file.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules/windows/execution_initial_access_via_msc_file.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/execution_initial_access_via_msc_file.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update execution_initial_access_via_msc_file.toml

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2024-05-14 15:07:26 +01:00
Samirbous 83462a3087 [New] Potential File Download via a Headless Browser (#3660) 
* [New] Potential File Download via a Headless Browser

* Update command_and_control_headless_browser.toml

* Update command_and_control_headless_browser.toml

* Update command_and_control_common_webservices.toml

* Update command_and_control_headless_browser.toml

* Update command_and_control_headless_browser.toml
 2024-05-14 13:55:14 +01:00
Terrance DeJesus d505b95f3c [New Rule] AWS EC2 AMI Shared with Another Account (#3600) 
* new rule 'AWS EC2 AMI Shared with Another Account'

* linted; updated UUID

* added investigation guide

* updated description

* fixed spelling errors

* Update rules/integrations/aws/exfiltration_ec2_ami_shared_with_separate_account.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* fixed spacing issue

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2024-05-14 01:56:26 -04:00
Terrance DeJesus 38e0f13e23 [New Rule] First Occurrence of User Identity Retrieving Credentials from EC2 Instance with an Assumed Role (#3586) 
* new rule 'First Occurrence of User Identity Sending  Requests to EC2 Instance'

* updated description and name

* added investigation guide; adjusted description

* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* updated query logic

* fixed spacing issue

* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml

* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2024-05-13 23:07:39 -04:00
Jonhnathan 6150f222b2 [New Rule] Alternate Data Stream Creation at Volume Root Directory (#3517) 
* [New Rule] Alternate Data Stream Creation at Volume Root Directory

* Update defense_evasion_root_dir_ads_creation.toml

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2024-05-13 08:35:12 -03:00
Colson Wilhoit 1fb58e1b61 [Tuning] MacOS Comprehensive Detection Rule Tuning (#3435) 
* Update to use new data source

* Exclude FPs

* Update logic

* Exclude FPs

* Update to match ER logic

* Exclude FP

* Update to match endpoint rule and reduce FPs

* Update logic to reduce FPs

* Update logic to reduce FPs

* Exclude FPs

* Update logic to remove FPs

* Update logic to reduce FPs

* Update logic and min stack version to reduce FPs

* Exclude FP

* Remove FPs

* Update logic and min stack to reduce FPs

* Exclude FPs

* Update logic and min stack to exclude FPs

* Update logic and min stack to exclude FPs

* Update logic to be more efficient

* Update logic

* Update rules/macos/credential_access_promt_for_pwd_via_osascript.toml

* Update rules/macos/defense_evasion_modify_environment_launchctl.toml

* Update rules/macos/persistence_docker_shortcuts_plist_modification.toml

* Update rules/macos/privilege_escalation_local_user_added_to_admin.toml

* Update rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml

* Update persistence_folder_action_scripts_runtime.toml

* Update rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/macos/persistence_credential_access_authorization_plugin_creation.toml

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* Update rules/macos/execution_installer_package_spawned_network_event.toml

* Update rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml

* Update rules/macos/credential_access_credentials_keychains.toml

* Update rules/macos/credential_access_suspicious_web_browser_sensitive_file_access.toml

* Update rules/macos/credential_access_suspicious_web_browser_sensitive_file_access.toml

* Update rules/macos/persistence_loginwindow_plist_modification.toml

* Update rules/macos/persistence_folder_action_scripts_runtime.toml

* Fix

* Fix

* Fix

* Update min stack comments

* Update rules/macos/persistence_credential_access_authorization_plugin_creation.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/macos/credential_access_promt_for_pwd_via_osascript.toml

* Update rules/macos/credential_access_suspicious_web_browser_sensitive_file_access.toml

* Update rules/macos/credential_access_systemkey_dumping.toml

* Update rules/macos/discovery_users_domain_built_in_commands.toml

* Update rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml

* Update rules/macos/persistence_finder_sync_plugin_pluginkit.toml

* Update rules/macos/privilege_escalation_local_user_added_to_admin.toml

* Update rules/macos/privilege_escalation_applescript_with_admin_privs.toml

* Update rules/macos/persistence_folder_action_scripts_runtime.toml

* Remove field

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2024-05-11 12:52:18 -05:00
Jonhnathan 11dca27974 [New Rule] Potential Widespread Malware Infection (#3656) 
* [New Rule] Potential Widespread Malware Infection

* Update potential_widespread_malware_infection.toml

* .

* Update execution_potential_widespread_malware_infection.toml

* Update rules/cross-platform/execution_potential_widespread_malware_infection.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules/cross-platform/execution_potential_widespread_malware_infection.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

---------

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
 2024-05-10 13:51:04 -03:00
Jonhnathan 6cc39a538f [New Rule] Potential PowerShell HackTool Script by Author (#2472) 
* [New Rule] Potential PowerShell HackTool Script by Author

* Update execution_posh_hacktool_authors.toml

* Update execution_posh_hacktool_authors.toml

* Update execution_posh_hacktool_authors.toml

* Apply suggestions from code review

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update execution_posh_hacktool_authors.toml

* Apply suggestions from code review

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update execution_posh_hacktool_authors.toml

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2024-05-09 18:41:56 -07:00
terrancedejesus 69595a5f69 updated query logic 2024-05-09 18:31:50 -07:00
Jonhnathan f85d7482fd [New Rule] Potential PowerShell HackTool Script by Author (#2472) 
* [New Rule] Potential PowerShell HackTool Script by Author

* Update execution_posh_hacktool_authors.toml

* Update execution_posh_hacktool_authors.toml

* Update execution_posh_hacktool_authors.toml

* Apply suggestions from code review

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update execution_posh_hacktool_authors.toml

* Apply suggestions from code review

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update execution_posh_hacktool_authors.toml

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2024-05-09 13:00:41 -03:00
Samirbous 7a61070e08 [Tuning] Component Object Model Hijacking (#3655) 
* [Tuning] Component Object Model Hijacking

* Update rules/windows/persistence_suspicious_com_hijack_registry.toml

* Update persistence_suspicious_com_hijack_registry.toml

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2024-05-08 17:44:35 +01:00
Samirbous 4a2e2764cd [New] Ransomware over SMB (#3638) 
* [New] Ransomware over SMB

* Update impact_ransomware_note_file_over_smb.toml

* Update impact_ransomware_file_rename_smb.toml

* ++

* Update impact_high_freq_file_renames_by_kernel.toml

* Update impact_high_freq_file_renames_by_kernel.toml

* Update impact_high_freq_file_renames_by_kernel.toml

* Update impact_ransomware_file_rename_smb.toml

* Update impact_ransomware_note_file_over_smb.toml

* Update impact_high_freq_file_renames_by_kernel.toml
 2024-05-07 06:38:14 +01:00
Mika Ayenson 4396a91b40 [New Rule] Unusual High Confidence Misconduct Blocks Detected (#3647) 2024-05-06 07:32:02 -05:00
Mika Ayenson 51268581a8 [Rule Tuning] AWS Bedrock Detected Multiple Attempts to use Denied Models by a Single User (#3646) 2024-05-04 08:20:20 -05:00
Justin Ibarra 613457b97f [New Rules] AWS Bedrock Guardrails Violations (#3641) 
* [New Rules] AWS Bedrock Guardrails Violations
---------

Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
 2024-05-03 20:55:27 -06:00
Mika Ayenson 2ffb0e7fe2 [New Rule] Potential Abuse of Resources by High Token Count and Large Response Sizes (#3644) 2024-05-03 18:01:53 -05:00
Justin Ibarra 54ff270c62 [New Rule] AWS S3 Bucket Enumeration or Brute Force (#3635) 
* [New Rule] AWS S3 Bucket Enumeration or Brute Force
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
---------

Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2024-05-01 15:00:33 -06:00
Ruben Groenewoud e29994c338 [New Rule] Shell Configuration Modification (#3629) 
* [New Rule] Shell Configuration Modification

* description update

* uuid update

* query update

* query update

* Update rules/linux/persistence_shell_configuration_modification.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2024-04-30 13:41:13 +02:00
Ruben Groenewoud 115c3a6dfd [Rule Tuning] Linux DRs (#3628) 2024-04-30 13:26:09 +02:00
Samirbous 8f6de1c235 [New] Potential privilege escalation via CVE-2022-38028 (#3616) 
* [New] Potential privilege escalation via CVE-2022-38028

https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/

* Update privilege_escalation_exploit_cve_202238028.toml

* Update privilege_escalation_exploit_cve_202238028.toml

* Update privilege_escalation_exploit_cve_202238028.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2024-04-29 15:10:27 +01:00
shashank-elastic 7673ba484d Fix minstack version for 0365 in azure integration rules (#3612) 2024-04-22 19:17:49 +05:30
Terrance DeJesus 69d42ecc71 updating performance note (#3608) 2024-04-18 16:36:07 -04:00
Terrance DeJesus 25dafb68f1 [Rule Tuning] Reverting To Previous Version (#3607) 2024-04-18 15:19:27 -04:00
Terrance DeJesus 91e69ac322 [Rule Tuning] Tuning Account Password Reset Remotely (#3478) 
* tuning 'Account Password Reset Remotely'

* adjusted note

* fixing description

* Update rules/windows/persistence_remote_password_reset.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* updated note about performance; toml lint

* bumping min-stack to resolve version lock

* reverting query to main

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2024-04-18 12:49:32 -04:00
Jonhnathan 6ae0902a38 [New Rule] Potential Windows Session Hijacking via CcmExec (#3602) 
* [New Rule] Potential Windows Session Hijacking via CcmExec

* Update rules/windows/defense_evasion_sccm_scnotification_dll.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2024-04-18 12:57:35 -03:00
Jonhnathan 5004ff115c [Rule Tuning] Further Tight up Elastic Defend Index Patterns (#3584) 
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2024-04-16 13:26:42 -03:00
Terrance DeJesus 74312797bf adjust aws rule index patterns and tags (#3595) 2024-04-16 10:08:57 -04:00
Jonhnathan c2d1586270 [Rule Tuning] Windows BBR Promotion (#3577) 
* [Rule Tuning] Windows BBR Promotion

* Update non-ecs-schema.json

* Update persistence_netsh_helper_dll.toml

* Update persistence_werfault_reflectdebugger.toml

* Update privilege_escalation_unquoted_service_path.toml

* Update defense_evasion_msdt_suspicious_diagcab.toml

* Update defense_evasion_suspicious_msiexec_execution.toml

* Update discovery_security_software_wmic.toml

* Revert "Update defense_evasion_msdt_suspicious_diagcab.toml"

This reverts commit 0e1f3ea3e18a146c421a5bda784633cca4a2b0c0.

* Revert "Update defense_evasion_suspicious_msiexec_execution.toml"

This reverts commit 4e26a167774ad712d19334a4c2c712cc1d550e7f.

* Revert "Update discovery_security_software_wmic.toml"

This reverts commit d638cec354a46cacab1e62596f4ad939a1d9c32a.

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2024-04-16 09:28:17 -03:00
Samirbous 919a438257 Update defense_evasion_untrusted_driver_loaded.toml (#3596) 
excluding `errorCode_endpoint:*` status (noisy)
 2024-04-15 14:52:39 +01:00