Jonhnathan
91c00fd442
[Security Content] Add Investigation Guides - Cloud - 3 ( #2132 )
* [Security Content] Add Investigation Guides - Cloud - 3
* Apply suggestions from code review
Co-authored-by: Joe Peeples <joe.peeples@elastic.co>
* Update rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml
* update dates
* Apply suggestions from review
Co-authored-by: Joe Peeples <joe.peeples@elastic.co>
2022-07-27 15:40:09 -03:00
Terrance DeJesus
e8c39d19a7
[Rule Tuning] Missing MITRE ATT&CK Mappings ( #2073 )
* initial commit with eggshell mitre mapping added
* adding updated rules
* [Rule Tuning] MITRE for GCP rules
I've added Mitre references for the 4 GCP rules missing. Changed 3 of the rules from "Impact" to "Defense Evasion" based on the technique used and its matched tactic.
* [Rule Tuning] Endgame Rule name updates for Mitre
Updated Endgame rule names for those with Mitre tactics to match the tactics.
* Update rules/integrations/aws/persistence_redshift_instance_creation.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update rules/integrations/aws/exfiltration_rds_snapshot_restored.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* adding 10 updated rules for google_workspace, ml and o365
* adding 22 rule updates for mitre att&ck mappings
* adding 24 rule updates related mainly to ML rules
* adding 3 rules related to detection via ML
* adding adjustments
* adding adjustments with solutions to recent pytest errors
* removed tabs from tags
* adjusted mappings and added techniques
* adjusted endgame rule mappings per review
* adjusted names to match different tactics
* added execution and defense evasion tag
* adjustments to address errors from merging with main
* added newlines to rules missing them at the end of the file
Co-authored-by: imays11 <59296946+imays11@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
2022-07-22 14:30:34 -04:00
Jonhnathan
7ddae4b493
[Security Content] Add Investigation Guides - Cloud - 2 ( #2124 )
* [Security Content] Add Investigation Guides - Cloud - 2
* Replace config/setup
* Applies suggestions from review
* Update credential_access_aws_iam_assume_role_brute_force.toml
* Apply suggestions from code review
* Update credential_access_aws_iam_assume_role_brute_force.toml
* Apply suggestions from code review
Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>
Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>
2022-07-22 14:32:42 -03:00
Jonhnathan
d854b943e5
[Security Content] Add Investigation Guides to Cloud Rules - AWS ( #2104 )
* [Security Content] Add Investigation Guides to Cloud Rules - AWS
* Apply suggestion from review
* Update rules/integrations/aws/exfiltration_ec2_snapshot_change_activity.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Apply suggestions from review
* Apply suggestions from code review
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
* Apply suggestions from code review
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
* .
* Applies suggestions from the https://github.com/elastic/detection-rules/pull/2124 PR
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
2022-07-20 12:28:58 -03:00
Mika Ayenson
a52751494e
2058 add setup field to metadata ( #2061 )
* Convert config header to setup in note field
* Parse note field into separate setup and note field with marko gfm
* only validate and parse note on elastic authored rules and add CLI description for new DR_BYPASS_NOTE_VALIDATION_AND_PARSE environment variable
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
2022-07-18 15:41:32 -04:00
Pete Hampton
34655374c1
[New Rule] AWS Redshift Cluster Creation ( #1921 )
* Add rule for Redshift data warehouse creation.
* Add fp block.
* Add AWS integration metadata.
* Add timestamp override.
* Add note.
* Update rules/integrations/aws/persistence_redshift_instance_creation.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update rules/integrations/aws/persistence_redshift_instance_creation.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update description for redshift instance creation.
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
2022-04-28 14:43:26 -04:00
Jonhnathan
20d2e92cfe
Review & Fix Invalid References ( #1936 )
2022-04-26 17:57:15 -03:00
Isai
9640ecb3fe
[Rule Tuning] AWS RDS Instance/Cluster Deletion ( #1916 )
* add RDS instance deletion to aws rule
I've added to this rule to improve coverage. Currently we detect creation and stopping of RDS clusters and instances. But, we only detect for the deletion of clusters, not instances. This adds the deletion of RDS instances to the detection.
* Update rules/integrations/aws/impact_rds_instance_cluster_deletion.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2022-04-10 15:33:33 -04:00
Isai
5073ef8be7
[Rule Tuning] AWS Security Group Configuration Change Detection ( #1915 )
* Update persistence_ec2_security_group_configuration_change_detection
Rule does not trigger as expected due to 'iam' provider. I changed the specified provider to 'ec2'.
* update to improve rule coverage
I edited this rule to include the deletion of an RDS Instance. This fills a current gap in coverage as we are able to detect the creation and stopping of RDS instances and clusters, but only detect deletion of RDS clusters.
* Revert "update to improve rule coverage"
This reverts commit b3b094274fe13c56908aa6781c8236de6e3b5380.
2022-04-07 14:47:09 -04:00
Stijn Holzhauer
2ed97d2e8c
[Rule Tuning] Adding event.provider to AWS WAF Rule or Rule Group Deletion ( #1833 )
* Adding event.provider
* Removing new line
* Updating updated_date field
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
2022-03-22 20:36:53 -03:00
Jonhnathan
1c50f35aed
[Security Content] Update rules based on docs review ( #1803 )
* Adds suggestions from security-docs
* Update rules/windows/lateral_movement_powershell_remoting_target.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2022-03-01 21:39:30 -03:00
Justin Ibarra
72c64de3f5
[Rule tuning] Update rules based on docs review ( #1663 )
* [Rule tuning] Update rule verbiage based on docs review
* fix typos
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* revert TI rule changes since it was deprecated
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
2022-01-28 10:41:22 -09:00
Justin Ibarra
14c46f50b9
[Rule Tuning] updates from documentation review for 7.16 ( #1645 )
2021-12-07 15:42:58 -09:00
Justin Ibarra
ab17dfcc28
[Bug] Tighten definitions validation patterns ( #1396 )
* [Bug] Anchor validation patterns
* Deprecate rule with invalid rule_id and duplicate as new one
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
2021-10-26 10:26:20 -05:00
Jonhnathan
4524c175c8
Add missing Integration field ( #1537 )
* Add missing Integration field
* Bump updated_date
* Add test for integration<->path
* Fix rule folder
* bump updated date in rule
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
2021-10-26 12:05:12 -03:00
Austin Songer
89553d84a9
[New Rule] AWS Route Table Created ( #1257 )
* Update impact_iam_deactivate_mfa_device.toml
https://github.com/elastic/detection-rules/issues/1111
* Update impact_iam_deactivate_mfa_device.toml
* Update discovery_post_exploitation_external_ip_lookup.toml
"*ipapi.co",
"*ip-lookup.net",
"*ipstack.com"
* Update rules/aws/impact_iam_deactivate_mfa_device.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Revert "Update discovery_post_exploitation_external_ip_lookup.toml"
This reverts commit b57fd60c9511e20a336d32a9c9b8d5cf9954c50e.
* Update
* New Rule: Okta User Attempted Unauthorized Access
* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml
* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml
* Delete privilege_escalation_okta_user_attempted_unauthorized_access.toml
* Create persistence_new-or-modified-federation-domain.toml
* Delete persistence_new-or-modified-federation-domain.toml
* Create persistence_route_table_created.toml
* Update persistence_route_table_created.toml
* Update rules/persistence_route_table_created.toml
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
* Update persistence_route_table_created.toml
* Update .gitignore
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update persistence_route_table_created.toml
* Update
* Update
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
2021-10-26 10:25:53 -03:00
Austin Songer
3ab67d1562
[New Rule] AWS EventBridge Rule Disabled or Deleted ( #1572 )
* Create aws_eventbridge_rule_disabled_or_deleted.toml
* Update aws_eventbridge_rule_disabled_or_deleted.toml
* Update aws_eventbridge_rule_disabled_or_deleted.toml
* Update aws_eventbridge_rule_disabled_or_deleted.toml
* Update rules/integrations/aws/aws_eventbridge_rule_disabled_or_deleted.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update rules/integrations/aws/aws_eventbridge_rule_disabled_or_deleted.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update aws_eventbridge_rule_disabled_or_deleted.toml
* Rename aws_eventbridge_rule_disabled_or_deleted.toml to impact_aws_eventbridge_rule_disabled_or_deleted.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
2021-10-18 15:36:21 -03:00
Austin Songer
2c39bb962f
[New Rule] AWS EFS File System or Mount Deleted ( #1462 )
* AWS EFS File System or Mount Deleted
* Update impact_efs_filesystem_or_mount_deleted.toml
* Update rules/integrations/aws/impact_efs_filesystem_or_mount_deleted.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update impact_efs_filesystem_or_mount_deleted.toml
* Update impact_efs_filesystem_or_mount_deleted.toml
* Update impact_efs_filesystem_or_mount_deleted.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
2021-10-15 23:23:07 -03:00
Austin Songer
702524b1f7
[New Rule] AWS Suspicious SAML Activity ( #1498 )
* Create privilege_escalation_aws_suspicious_saml_activity.toml
* Update privilege_escalation_aws_suspicious_saml_activity.toml
* Update privilege_escalation_aws_suspicious_saml_activity.toml
* Update privilege_escalation_aws_suspicious_saml_activity.toml
* Update privilege_escalation_aws_suspicious_saml_activity.toml
* Update privilege_escalation_aws_suspicious_saml_activity.toml
* Update privilege_escalation_aws_suspicious_saml_activity.toml
* Update privilege_escalation_aws_suspicious_saml_activity.toml
* Update privilege_escalation_aws_suspicious_saml_activity.toml
* Add trailing /
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
2021-10-15 23:11:15 -03:00
Austin Songer
dc980effb0
[New Rule] AWS RDS Snapshot Restored ( #1312 )
* Create exfiltration_rds_snapshot_restored.toml
* Update exfiltration_rds_snapshot_restored.toml
* Delete exfiltration_rds_snapshot_restored.toml
* Create exfiltration_rds_snapshot_restored.toml
* Update
* Update rules/integrations/aws/exfiltration_rds_snapshot_restored.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update rules/integrations/aws/exfiltration_rds_snapshot_restored.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update exfiltration_rds_snapshot_restored.toml
* Update exfiltration_rds_snapshot_restored.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
2021-10-15 16:05:00 -03:00
Austin Songer
90504915ad
[New Rule] AWS Route53 hosted zone associated with a VPC ( #1365 )
* Create persistence_route_53_hosted_zone_associated_with_a_vpc.toml
* Update
* Update rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update persistence_route_53_hosted_zone_associated_with_a_vpc.toml
* Update persistence_route_53_hosted_zone_associated_with_a_vpc.toml
* Update persistence_route_53_hosted_zone_associated_with_a_vpc.toml
* Update persistence_route_53_hosted_zone_associated_with_a_vpc.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
2021-10-15 15:59:33 -03:00
Austin Songer
d7eab5bbf3
[New Rule] AWS STS AssumeRole Usage ( #1214 )
* Update impact_iam_deactivate_mfa_device.toml
https://github.com/elastic/detection-rules/issues/1111
* Update impact_iam_deactivate_mfa_device.toml
* Update discovery_post_exploitation_external_ip_lookup.toml
"*ipapi.co",
"*ip-lookup.net",
"*ipstack.com"
* Update rules/aws/impact_iam_deactivate_mfa_device.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Revert "Update discovery_post_exploitation_external_ip_lookup.toml"
This reverts commit b57fd60c9511e20a336d32a9c9b8d5cf9954c50e.
* Update
* New Rule: Okta User Attempted Unauthorized Access
* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml
* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml
* Delete privilege_escalation_okta_user_attempted_unauthorized_access.toml
* Create persistence_new-or-modified-federation-domain.toml
* Delete persistence_new-or-modified-federation-domain.toml
* Create lateral_movement_sts_assumerole_abuse.toml
* Rename lateral_movement_sts_assumerole_abuse.toml to privilege_escalation_sts_assumerole_abuse.toml
* Update privilege_escalation_sts_assumerole_abuse.toml
* Update privilege_escalation_sts_assumerole_abuse.toml
* Update privilege_escalation_sts_assumerole_abuse.toml
* Update
* Update .gitignore
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update privilege_escalation_sts_assumerole_abuse.toml
* Update privilege_escalation_sts_assumerole_abuse.toml
* Update privilege_escalation_sts_assumerole_abuse.toml
* Update and rename privilege_escalation_sts_assumerole_abuse.toml to privilege_escalation_sts_assumerole_usage.toml
* Update rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Add note field
* Update privilege_escalation_sts_assumerole_usage.toml
* Update rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Adding Reference
* Expand STS
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
2021-10-15 15:56:10 -03:00
Austin Songer
82e72a956b
[New Rule] AWS Route Table Modified or Deleted ( #1258 )
* Update impact_iam_deactivate_mfa_device.toml
https://github.com/elastic/detection-rules/issues/1111
* Update impact_iam_deactivate_mfa_device.toml
* Update discovery_post_exploitation_external_ip_lookup.toml
"*ipapi.co",
"*ip-lookup.net",
"*ipstack.com"
* Update rules/aws/impact_iam_deactivate_mfa_device.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Revert "Update discovery_post_exploitation_external_ip_lookup.toml"
This reverts commit b57fd60c9511e20a336d32a9c9b8d5cf9954c50e.
* Update
* New Rule: Okta User Attempted Unauthorized Access
* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml
* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml
* Delete privilege_escalation_okta_user_attempted_unauthorized_access.toml
* Create persistence_new-or-modified-federation-domain.toml
* Delete persistence_new-or-modified-federation-domain.toml
* Create persistence_route_table_modified_or_deleted.toml
* Update persistence_route_table_modified_or_deleted.toml
* Update persistence_route_table_modified_or_deleted.toml
* Update
* Update .gitignore
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update persistence_route_table_modified_or_deleted.toml
* Update persistence_route_table_modified_or_deleted.toml
* Update persistence_route_table_modified_or_deleted.toml
* remove space from query
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2021-10-12 15:16:48 -03:00
Austin Songer
9508002bb3
[New Rule] AWS ElastiCache Security Group Created ( #1363 )
* Create persistence_elasticache_security_group_creation.toml
* Update
* Update rules/integrations/aws/persistence_elasticache_security_group_creation.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Rename persistence_elasticache_security_group_creation.toml to defense_evasion_elasticache_security_group_creation.toml
* Update defense_evasion_elasticache_security_group_creation.toml
* Update defense_evasion_elasticache_security_group_creation.toml
* Re-add rule.threat
* Update rules/integrations/aws/defense_evasion_elasticache_security_group_creation.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* remove extra space from query
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2021-10-05 14:00:29 -03:00
Austin Songer
0a3c44e8db
[Rule Tuning] AWS RDS Snapshot Export and AWS RDS Instance Created ( #1514 )
2021-10-04 13:31:31 -08:00
Austin Songer
f41714642c
[New Rule] AWS ElastiCache Security Group Modified or Deleted ( #1364 )
* Create impact_aws_elasticache_security_group_modified_or_deleted.toml
* Rename impact_aws_elasticache_security_group_modified_or_deleted.toml to impact_elasticache_security_group_modified_or_deleted.toml
* Update impact_elasticache_security_group_modified_or_deleted.toml
* Update
* Update rules/integrations/aws/impact_elasticache_security_group_modified_or_deleted.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update impact_elasticache_security_group_modified_or_deleted.toml
* Update impact_elasticache_security_group_modified_or_deleted.toml
* Rename impact_elasticache_security_group_modified_or_deleted.toml to defense_evasion_elasticache_security_group_modified_or_deleted.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2021-10-04 15:38:37 -03:00
Jonhnathan
5e4a7e67df
[Rule Tuning] Small update on rule descriptions ( #1508 )
2021-09-30 12:54:15 -08:00
Austin Songer
93b8038d7d
[New Rule] AWS STS GetSessionToken Abuse ( #1213 )
* Update impact_iam_deactivate_mfa_device.toml
https://github.com/elastic/detection-rules/issues/1111
* Update impact_iam_deactivate_mfa_device.toml
* Update discovery_post_exploitation_external_ip_lookup.toml
"*ipapi.co",
"*ip-lookup.net",
"*ipstack.com"
* Update rules/aws/impact_iam_deactivate_mfa_device.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Revert "Update discovery_post_exploitation_external_ip_lookup.toml"
This reverts commit b57fd60c9511e20a336d32a9c9b8d5cf9954c50e.
* Update
* New Rule: Okta User Attempted Unauthorized Access
* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml
* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml
* Delete privilege_escalation_okta_user_attempted_unauthorized_access.toml
* Create persistence_new-or-modified-federation-domain.toml
* Delete persistence_new-or-modified-federation-domain.toml
* Create lateral_movement_sts_getsessiontoken_abuse.toml
* Rename lateral_movement_sts_getsessiontoken_abuse.toml to privilege_escalation_sts_getsessiontoken_abuse.toml
* Update privilege_escalation_sts_getsessiontoken_abuse.toml
* Update rules/aws/privilege_escalation_sts_getsessiontoken_abuse.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update .gitignore
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update privilege_escalation_sts_getsessiontoken_abuse.toml
* Update privilege_escalation_sts_getsessiontoken_abuse.toml
* Update
* Update rules/integrations/aws/privilege_escalation_sts_getsessiontoken_abuse.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
2021-09-22 16:28:02 -03:00
Justin Ibarra
8e3b1d28c4
[Rule Tuning] Fix typos in rule metadata ( #1494 )
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
2021-09-21 16:31:00 -03:00
dstepanic17
9ff3873ee7
[rule-tuning] Adding more context with triage/investigation ( #1481 )
* [rule-tuning] Adding more context with triage/investigation
* Adding mimikatz rule
* Fixed updated date on mimikatz rule
* Adding Defender update
* Adding scheduled task
* Adding AdFind
* Adding rare process
* Adding cloudtrail country
* Adding cloudtrail spike
* Adding threat intel
* Fixed minor spelling/syntax
* Fixed minor spelling/syntax p2
* Update rules/cross-platform/threat_intel_module_match.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/integrations/aws/ml_cloudtrail_error_message_spike.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/ml/ml_rare_process_by_host_windows.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/credential_access_mimikatz_powershell_module.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/credential_access_mimikatz_powershell_module.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/discovery_adfind_command_activity.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/discovery_adfind_command_activity.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/discovery_adfind_command_activity.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/discovery_adfind_command_activity.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/discovery_adfind_command_activity.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/discovery_adfind_command_activity.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Removed MITRE link, added Microsoft
* Update ml_cloudtrail_error_message_spike.toml
* Update ml_cloudtrail_rare_method_by_country.toml
* Update ml_rare_process_by_host_windows.toml
* Update credential_access_mimikatz_powershell_module.toml
* Update defense_evasion_defender_exclusion_via_powershell.toml
* Update discovery_adfind_command_activity.toml
* Update lateral_movement_dns_server_overflow.toml
* Update lateral_movement_scheduled_task_target.toml
* Update persistence_evasion_registry_startup_shell_folder_modified.toml
* Update defense_evasion_defender_exclusion_via_powershell.toml
* Update lateral_movement_scheduled_task_target.toml
* Update persistence_evasion_registry_startup_shell_folder_modified.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2021-09-15 20:07:21 -05:00
Austin Songer
3b29498907
[Rule Tuning] AWS Security Group Configuration Change Detection ( #1426 )
* move rule "AWS Security Group Configuration Change Detection" to integrations directory and add "aws" integration
2021-08-14 20:34:13 -08:00
Justin Ibarra
f8f643041a
[Rule tuning] Revise rule description and other text ( #1398 )
2021-08-03 13:07:47 -08:00
Ross Wolf
1882f4456c
[Fleet] Track integrations in folder and metadata ( #1372 )
* Track integrations in folder and metadata
* Remove duplicate entry
* Update note and tests
2021-07-21 15:24:56 -06:00