Mika Ayenson
fe8c81d762
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
Jonhnathan
2c07e88c07
[Rule Tuning] Fix double bumps caused by Windows Integration Update (#4156)
2024-10-15 23:57:44 +05:30
Jonhnathan
7c78e4081f
[Rule Tuning] min_stack New Rules that use the S1 Integration (#4079)
* [Rule Tuning] min_stack New Rules that use the S1 Integration
* Update execution_windows_powershell_susp_args.toml
* Update execution_initial_access_foxmail_exploit.toml
2024-09-16 11:02:46 -03:00
Samirbous
56fc2beb46
[New] Suspicious PowerShell Execution via Windows Scripts (#4060)
* [New] Suspicious PowerShell Execution via Windows Scripts
this PR converts this ER https://github.com/elastic/protections-artifacts/blob/ea2f8dd3b61a7cdf2ce83ca5f06f2096bb62a494/behavior/rules/windows/execution_suspicious_powershell_execution_via_windows_scripts.toml#L5 to a SIEM rule compatible with S1 and M365D and Winlog/sysmon.
* Update execution_powershell_susp_args_via_winscript.toml
* Create defense_evasion_script_via_html_app.toml
* ++
* Update defense_evasion_script_via_html_app.toml
* Update execution_powershell_susp_args_via_winscript.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2024-09-15 19:51:21 +01:00