Samirbous
30cded7a2d
[New Rule] Lateral Movement via Startup Folder ( #663 )
...
* [New Rule] Lateral Movement via Startup Folder
* Update rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* ecs_version
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2020-12-02 21:22:43 +01:00
Samirbous
3deff0eeb8
[New Rule] Remote Execution via File Shares ( #455 )
...
* [New Rule] Remote Execution via File Shares
* removed timeline_id
* fixed tags
* added extension to reduce response time
* Update rules/windows/lateral_movement_execution_via_file_shares_sequence.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* ecs_version
* Update rules/windows/lateral_movement_execution_via_file_shares_sequence.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2020-12-02 21:20:13 +01:00
Samirbous
e03f775789
[New Rule] Lateral Executable Transfer Over SMB ( #517 )
...
* [New Rule] Lateral Executable Transfer Over SMB
* adjusted maxspan, address and extensions
* changed rule name
* Update rules/windows/lateral_movement_executable_tool_transfer_smb.toml
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
* eql syntax
* ecs_version
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
2020-12-02 21:03:31 +01:00
Samirbous
e6645a8be9
[Rule Tuning] Clearing or Disabling Windows Event Logs ( #393 )
...
* [Rule Tuning] Clearing or Disabling Windows Event Logs
* added tags
* Update defense_evasion_clearing_windows_event_logs.toml
* Update rules/windows/defense_evasion_clearing_windows_event_logs.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* updated the rule update date
* linted
* fixing unit test error
* Update rules/windows/defense_evasion_clearing_windows_event_logs.toml
Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com >
* ecs_version
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com >
2020-12-02 20:35:35 +01:00
Samirbous
db2d17ccb2
[New Rule] Credential Acquisition via Registry Hive Dumping ( #607 )
...
* [New Rule] Credential Acquisition via Registry Hive Dumping
* Update rules/windows/credential_access_dump_registry_hives.toml
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com >
* Update rules/windows/credential_access_dump_registry_hives.toml
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com >
* Update rules/windows/credential_access_dump_registry_hives.toml
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com >
* Update rules/windows/credential_access_dump_registry_hives.toml
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com >
* fixed MITRE technique details
* fixed TID
* Update rules/windows/credential_access_dump_registry_hives.toml
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com >
* Update credential_access_dump_registry_hives.toml
* as per Justin suggestion case insensitivity is not issue 7.11
* Update credential_access_dump_registry_hives.toml
* new MITRE mapping errors
* Update rules/windows/credential_access_dump_registry_hives.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update credential_access_dump_registry_hives.toml
* added :
* changed process.args:(a, b) to process.args: a or process.args:b
while testing on 7.10 process.args : (a , b) generates an error
* adjusted query as per JLB and RW suggestion
* eql syntax
* Update rules/windows/credential_access_dump_registry_hives.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* ecs_version
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2020-12-02 20:31:22 +01:00
Brent Murphy
f23881f1b8
[New Rule] Microsoft 365 Exchange DLP Policy Removed ( #600 )
...
* [New Rule] O365 Exchange DLP Policy Removed
* rebrand to m365
* update description
2020-12-02 14:18:11 -05:00
Brent Murphy
427012ed32
[New Rule] Microsoft 365 Exchange Management Group Role Assignment ( #599 )
...
* [New Rule] O365 Exchange Management Role Assignment
* Update persistence_o365_exchange_management_role_assignment.toml
* rebrand to m365
2020-12-02 14:11:33 -05:00
Brent Murphy
ec4cd98ce8
[Rule Tuning] Rebrand Office 365 to Microsoft 365 ( #669 )
2020-12-02 14:04:48 -05:00
Justin Ibarra
366e5002e1
[FR] Add experimental ML DGA CLI support ( #361 )
...
* Add DGA model commands
* Add upload/delete ML job command
* Add DGA release management commands
* Add Manifest handling
* Add GithubClient object
2020-12-01 22:25:33 -09:00
Justin Ibarra
97ee8cc9ac
Refresh beats and ecs schemas and default to use latest to validate ( #570 )
...
* Refresh beats and ecs schemas and default to use latest to validate
* remove incorrect ecs_version from zoom rule
* remove stale ecs_version from rules
2020-12-01 13:24:20 -09:00
David French
ee82ada716
[Rule Tuning] Update IP Address Ranges in Multiple Rules ( #576 )
...
* add additional IP ranges and format for readability
* remove superfluous "or" operators
2020-12-01 13:38:47 -07:00
Samirbous
dc9c63d043
[New Rule] Unusual Svchost ChildProc - ChildLess Services ( #370 )
...
* [New Rule] Unusual Svchost ChildProc - ChildLess Services
* changed tags
* changed rule filename
* Update rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml
Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com >
* Update rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml
Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com >
* Update rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2020-12-01 20:30:03 +01:00
Samirbous
61fe8a59ff
[New Rule] WebServer Access Logs Deleted ( #457 )
...
* [New Rule] WebServer Access Logs Deleted
* removed timeline_id
* added drive letter for better perf
* Update rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com >
* Update rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com >
* Update defense_evasion_deleting_websvr_access_logs.toml
* changed severity from low to medium
* fixed duplicate text in description
* Update rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2020-12-01 10:48:55 +01:00
Samirbous
0fe12d2528
[New Rule] Suspicious Explorer Child Process ( #430 )
...
* [New Rule] Suspicious Explorer Child Process
* Update execution_via_explorer_suspicious_child_parent_args.toml
* removed timeline_id
* fixed typo
* adjusted args for better performance
* Update rules/windows/execution_via_explorer_suspicious_child_parent_args.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/execution_via_explorer_suspicious_child_parent_args.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* relinted
* relinted
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2020-12-01 00:00:40 +01:00
Ross Wolf
710f4bda10
Add file.extension to SxS .local rule
2020-11-30 15:26:28 -07:00
Samirbous
2465a70dac
[New Rule] Execution via local SxS Shared Module ( #424 )
...
* [New Rule] Execution via local SxS Shared Module
* Update execution_shared_modules_local_sxs_dll.toml
* Update execution_shared_modules_local_sxs_dll.toml
* added tags
* added drive letter for less performance impact
* Update rules/windows/execution_shared_modules_local_sxs_dll.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/execution_shared_modules_local_sxs_dll.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/execution_shared_modules_local_sxs_dll.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2020-11-30 23:24:44 +01:00
Samirbous
7138b01001
[New Rule] Potential Command and Control via IEXPLORE ( #645 )
...
* [New Rule] Potential Command and Control via IEXPLORE
* Update command_and_control_iexplore_via_com.toml
* Update command_and_control_iexplore_via_com.toml
* Update rules/windows/command_and_control_iexplore_via_com.toml
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com >
* Update rules/windows/command_and_control_iexplore_via_com.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/command_and_control_iexplore_via_com.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/command_and_control_iexplore_via_com.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* relinted
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2020-11-30 21:13:30 +01:00
Samirbous
14ef24e9dd
[New Rule] Command shell activity started via rundll32 ( #391 )
...
* [New Rule] Command shell activity started via rundll32
* added tag
* adjusted parent args for performance
avoid leading wildcard
* filtered a common FP
* Update execution_command_shell_via_rundll32.toml
* Update rules/windows/execution_command_shell_via_rundll32.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
* Update rules/windows/execution_command_shell_via_rundll32.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
* Update rules/windows/execution_command_shell_via_rundll32.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
* Update rules/windows/execution_command_shell_via_rundll32.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/execution_command_shell_via_rundll32.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2020-11-30 21:02:57 +01:00
Samirbous
52183d78a2
[New Rule] Persistence via Microsoft Outlook VBA ( #611 )
...
* [New Rule] Persistence via Microsoft Outlook VBA
* added FPs note and deleted excluded outlook.exe
* Update rules/windows/persistence_ms_outlook_vba_template.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2020-11-30 20:57:36 +01:00
Samirbous
ba0cc7a055
[New Rule] UAC Bypass via Elevated COM Interface - IEditionUpgradeManager ( #422 )
...
* [New Rule] UAC Bypass via Elevated COM Interface - ClipUp
* linted
* Update privilege_escalation_uac_bypass_com_clipup.toml
* added tags
* changed rule name
* adjusted rule for more performance
* Update rules/windows/privilege_escalation_uac_bypass_com_clipup.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
* Update rules/windows/privilege_escalation_uac_bypass_com_clipup.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2020-11-30 20:26:07 +01:00
Justin Ibarra
d0ba03230a
[Rule Tuning] Unusual File Modification by dns.exe ( #472 )
2020-11-30 08:22:27 -09:00
Brent Murphy
310f480027
[New Rule] O365 Exchange Safe Attachment Rule Disabled ( #593 )
...
* [New Rule] O365 Exchange Safe Attachment Rule Disabled
* update description
2020-11-30 12:06:42 -05:00
Brent Murphy
ba52c3d426
[New Rule] O365 Exchange Transport Rule Modification ( #592 )
...
* [New Rule] O365 Exchange Transport Rule Modification
* Update exfiltration_o365_exchange_transport_rule_mod.toml
* update description
2020-11-30 11:57:48 -05:00
Brent Murphy
3751095897
[New Rule] O365 Exchange Malware Filter Rule Modification ( #590 )
...
* [New Rule] O365 Exchange Malware Filter Rule Modification
* update description
2020-11-30 11:46:58 -05:00
Brent Murphy
a5960851c0
[New Rule] O365 Exchange Malware Filter Policy Deletion ( #589 )
...
* [New Rule] O365 Exchange Malware Filter Policy Deletion
* update description
2020-11-30 11:39:25 -05:00
Brent Murphy
bd6be63d88
[New Rule] O365 Exchange Anti-Phish Rule Modification ( #586 )
...
* [New Rule] O365 Exchange Anti-Phish Rule Modification
* bump severity
2020-11-30 11:25:20 -05:00
Brent Murphy
76ec49f764
[New Rule] O365 Exchange Anti-Phish Policy Deletion ( #585 )
...
* [New Rule] O365 Exchange Anti-Phish Policy Deletion
* bump severity
2020-11-30 11:19:17 -05:00
Brent Murphy
6b280fe7ed
[New Rule] O365 Exchange Transport Rule Creation ( #579 )
...
* [New Rule] O365 Exchange Transport Rule Creation
* bump severity
* Update exfiltration_o365_exchange_transport_rule_creation.toml
2020-11-30 11:09:30 -05:00
Brent Murphy
b21d32acf4
[New Rule] O365 Exchange Safe Link Policy Disabled ( #577 )
...
* Create initial_access_o365_exchange_safelinks_disabled.toml
* Update initial_access_o365_exchange_safelinks_disabled.toml
* linting
* update description
* update tags
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
2020-11-30 10:52:33 -05:00
David French
33e731416d
Add badges to README.md ( #596 )
2020-11-30 06:14:08 -08:00
Ross Wolf
8f8e310377
Bump EQL dependency to 0.9.6 ( #625 )
2020-11-24 12:37:31 -07:00
dstepanic17
625b0ec771
[New-Rule] Suspicious WMI Image Load from MS Office ( #551 )
...
* image-load-wmi-ms-office
* Update rules/windows/execution_suspicious_image_load_wmi_ms_office.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Resolved linting after suggestion
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2020-11-20 08:34:02 -06:00
dstepanic17
517ee0dc03
image-load-sched-task-ms-office ( #566 )
2020-11-20 07:28:16 -06:00
Samirbous
1ebdcc8248
[New Rule] Suspicious RDP ActiveX Client Loaded ( #588 )
...
* [New Rule] Suspicious RDP ActiveX Client Loaded
* added exec from mounted device and UNC
* removed unnecessary exclusion
* Update rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml
Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com >
Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com >
2020-11-20 10:43:12 +01:00
Samirbous
9d2a74ea1b
[New Rule] Connection to Commonly Abused Web Services ( #476 )
...
* [New Rule] Connection to Commonly Abused Web Services
* Update command_and_control_common_webservices.toml
* Update rules/windows/command_and_control_common_webservices.toml
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com >
* added notabug.org as suggested by Daniel
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com >
2020-11-18 23:38:09 +01:00
Samirbous
161ea402fe
[New Rule] Kerberos Traffic from Unusual Process ( #448 )
...
* [New Rule] Kerberos Traffic from Unusual Process
* removed timeline_id
* adjusted args for better perf
* added potential rare FPs
* Update rules/windows/credential_access_kerberoasting_unusual_process.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/credential_access_kerberoasting_unusual_process.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/credential_access_kerberoasting_unusual_process.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/credential_access_kerberoasting_unusual_process.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2020-11-18 22:07:49 +01:00
Samirbous
3e7be55a24
[New Rule] UAC Bypass via Windows Firewall Snap-in Hijack ( #376 )
...
* [New Rule] Bypass UAC via Windows Firewall Snap-in Hijack
* Delete workspace.xml
* Update privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
* Update privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
* Update rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
* Update rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
* Update rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
2020-11-18 20:36:59 +01:00
Samirbous
75ed0f8f92
[New Rule] UAC Bypass via ICMLuaUtil Elevated COM interface ( #383 )
...
* [New Rule] Bypass UAC via ICMLuaUtil Elevated COM interface
* added tags
* Update privilege_escalation_uac_bypass_com_interface_icmluautil.toml
* adjusted args to avoid leading wildcard
* Update rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
* Update rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
* Update rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
* replaced wildcard with In
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
2020-11-18 20:34:10 +01:00
Samirbous
14270a5614
[New Rule] Persistence via MS Office Addins ( #381 )
...
* [New Rule] Persistence via MS Office Addins
* Update persistence_ms_office_addins_file.toml
* Update persistence_ms_office_addins_file.toml
* Update persistence_ms_office_addins_file.toml
* Update persistence_ms_office_addins_file.toml
* fixed extension and relaxed file.path
* updated references
* changed leading wildcard for perf
* Update rules/windows/persistence_ms_office_addins_file.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
* Update rules/windows/persistence_ms_office_addins_file.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
2020-11-18 20:27:01 +01:00
David French
8f6eba8986
Tune metadata in Okta rules to align with the style of other rules ( #491 )
...
* rune-okta-rule-metadata
* update note field to include fleet integration info
* separate okta policy rule modification and deletion into two rules
* rename file to align with style of others
* fix syntax typo
* separate zone and policy deactivation, deletion, and modification actions into separate rules
* fix typo
* fix tpyo 🙃
* Use "detects" instead of "identifies" in description
* Use "detects" instead of "identifies" in description
* Use "detects" instead of "identifies" in description
* Use "detects" instead of "identifies" in description
2020-11-18 09:59:11 -07:00
David French
a05f160159
[New Rule] Application Added to Google Workspace Domain ( #564 )
...
* Create application_added_to_google_workspace_domain.toml
* Update rules/google-workspace/application_added_to_google_workspace_domain.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/google-workspace/application_added_to_google_workspace_domain.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2020-11-18 09:23:15 -07:00
David French
dd8c276e42
Create google_workspace_mfa_enforcement_disabled.toml ( #563 )
2020-11-18 09:20:31 -07:00
David French
4425bbf436
Create domain_added_to_google_workspace_trusted_domains.toml ( #562 )
2020-11-18 09:17:48 -07:00
David French
56bc91cc70
Create google_workspace_admin_role_deletion.toml ( #561 )
2020-11-18 09:15:53 -07:00
David French
10d4e5d8c9
[New Rule] Google Workspace Role Modified ( #556 )
...
* Create persistence_google_workspace_role_modified.toml
* fix tpyo 🙃
2020-11-18 09:13:44 -07:00
David French
acf8102607
Create persistence_google_workspace_custom_admin_role_created.toml ( #555 )
2020-11-18 09:10:50 -07:00
David French
72fee8d16f
Create persistence_google_workspace_admin_role_assigned_to_user.toml ( #554 )
2020-11-18 09:07:39 -07:00
David French
78b8d5c761
new-rule-mfa-disabled-for-google-workspace-organization ( #553 )
2020-11-18 09:05:07 -07:00
David French
6aca322cfd
[New Rule] Google Workspace Password Policy Modified ( #552 )
...
* new-rule-google-workspace-policy-modified
* lint rule
2020-11-18 09:02:59 -07:00
David French
f11e9f8302
[New Rule] Administrator Role Assigned to Okta User ( #489 )
...
* Create persistence_administrator_role_assigned_to_okta_user.toml
* set maturity to production
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Reorder references to put the most relevant at the top
* tweak rule name
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2020-11-18 08:59:23 -07:00