security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
1,358 Commits 1 Branch 0 Tags
58ba72d5bfc580bef3e2077030f41b667fa44bcd
Commit Graph

1358 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Terrance DeJesus 58ba72d5bf patch fix for 2503 update addressing separate bugs (#2528) 2023-02-07 16:09:17 -05:00
Terrance DeJesus 4054eb43d1 patch fix for 2503 (#2527) 2023-02-07 15:40:51 -05:00
Terrance DeJesus fb2b4529c5 [FR] Adapt PyPi semver Library and Remove Custom (#2503) 
* removed custom semver and replaced with pypi

* updated beats.py version references

* updated bump-versions CLI command to use semver and change logic

* updated schemas __init__, test_version_lock and unstage incompatible rules CLI

* updated test_stack_schema_map in TestVersions unittest

* updated test_all_rules unit testing Version() references

* updated stack_compat.py for get_restricted_field references)

* updated version_lock.py Version() references

* updated docs.py Version() reference for parse_registry

* updated devtools.py Version() reference for trim-version-lock

* updated mixins.py Version() reference in validate_field_compatibility

* adjusted schemas.__init__ Version() reference in get_stack_schemas

* adjusted ecs.py Version() references

* adjusted integrations.py Version() references

* adjusted rule.py Version() references

* sorted imports

* replaced custom semver with pypi semver in unit test files

* addressed unit test and flake errors

* changed semver strings casted to version_lock.py

* fixed sorting in integrations.py

* updated bump-pkgs-versions CLI command

* adjusted semantic version in unstage-incompatible-rules command

* adjusted semver import to VersionInfo

* added semver 3 and adjusted import names

* added option_minor_and_patch parameter where version is major.minor

* updated bump-pkg-versions to always save to packages.yml

* removed leftover split call & updated find latest compatible version command

* updated integrations.py, version_lock.py and schemas.__init__.py

* changed fstring reference in downgrade function

* reverted formatting changes for detection_rules __init__.py

* added newline to detection_rules __init__.py

* adjusted finding latest_release for attack package logic

* adjusted unstage-incompatible-rules command logic comparing versions

* removing changes from misc.py related to auto-formatting

* adding newline to misc.py

* fixed bug in downgrade function calling decorators

* added semantic version validation on migrate decorator function

* added expected type returned from find_latest_integration_version in integrations.py

* add comment about stripped versions for version lock file

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

---------

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2023-02-07 14:26:29 -05:00
eric-forte-elastic 9ce8faebea Updated ECS mappings from keyword to wildcard (#2518) 
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2023-02-07 09:43:19 -05:00
Nic 54b2f7582e Update defense_evasion_unusual_ads_file_creation.toml (#2522) 2023-02-07 09:40:42 -03:00
Mika Ayenson 51b7df8613 Check integrations cross major versions for older release support (#2520) 2023-02-02 18:17:02 -05:00
Mika Ayenson e6ba0055fb Resolve backport checks on 2470 by checking Version min_stack (#2519) 2023-02-02 17:29:30 -05:00
Mika Ayenson 1784429aa7 [FR] Add Integration Schema Query Validation (#2470) 2023-02-02 16:22:44 -05:00
Samirbous cd2307ba7d [New Rule] FirstTimeSeen User Performing DCSync (#2433) 
* Create credential_access_dcsync_newterm_subjectuser.toml

* Update credential_access_dcsync_newterm_subjectuser.toml

* Update credential_access_dcsync_newterm_subjectuser.toml

* Update credential_access_dcsync_newterm_subjectuser.toml

* Update rules/windows/credential_access_dcsync_newterm_subjectuser.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/credential_access_dcsync_newterm_subjectuser.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update credential_access_dcsync_newterm_subjectuser.toml

* Update credential_access_dcsync_newterm_subjectuser.toml

* Update rules/windows/credential_access_dcsync_newterm_subjectuser.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/credential_access_dcsync_newterm_subjectuser.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-02-02 15:44:31 +00:00
Jonhnathan 4bfcbeab36 [Rule Tuning] Unusual Network Activity from a Windows System Binary (#2509) 
* [Rule Tuning] Unusual Network Activity from a Windows System Binary

* Update defense_evasion_network_connection_from_windows_binary.toml
 2023-02-01 13:19:28 -03:00
Isai 748bdbf8b1 [New Rule] Enumerating Domain Trusts via Dsquery.exe (#2508) 
* [New Rule] Enumerating Domain Trusts via Dsquery.exe

T1482 Domain Trust Discovery

New rule to capture domain trust discovery with dsquery.

* Update discovery_enumerating_domain_trusts_via_dsquery.toml

I think it would be beneficial to add the process.pe.original_file_name : "dsquery.exe" to the rule, as it would be easy for an attacker to bypass this rule by changing the file name, as so: https://prnt.sc/ZqePZKuV1-Vq

Other than that, LGTM!

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2023-02-01 10:27:42 -05:00
Samirbous c6125004c1 [New Rules] WSL Related Rules (#2463) 
* Create defense_evasion_wsl_registry_modification.toml

* Create defense_evasion_wsl_kalilinux.toml

* Create defense_evasion_wsl_child_process.toml

* Update defense_evasion_wsl_kalilinux.toml

* Create defense_evasion_wsl_filesystem.toml

* Update defense_evasion_wsl_child_process.toml

* Update defense_evasion_wsl_filesystem.toml

* Update defense_evasion_wsl_kalilinux.toml

* Update defense_evasion_wsl_child_process.toml

* Update defense_evasion_wsl_filesystem.toml

* Update defense_evasion_wsl_kalilinux.toml

* Update defense_evasion_wsl_registry_modification.toml

* Update defense_evasion_wsl_child_process.toml

* Create defense_evasion_wsl_bash_exec.toml

* Update defense_evasion_wsl_bash_exec.toml

* Update defense_evasion_wsl_bash_exec.toml

* Update defense_evasion_wsl_bash_exec.toml

* Update defense_evasion_wsl_kalilinux.toml

* Create defense_evasion_wsl_enabled_via_dism.toml

* Update defense_evasion_wsl_enabled_via_dism.toml

* Update defense_evasion_wsl_bash_exec.toml

* Update defense_evasion_wsl_bash_exec.toml

* Update defense_evasion_wsl_bash_exec.toml

* Delete defense_evasion_wsl_bash_exec.toml

* Update defense_evasion_wsl_enabled_via_dism.toml

* Create defense_evasion_wsl_bash_exec.toml

* Delete defense_evasion_wsl_bash_exec.toml

* Create defense_evasion_wsl_bash_exec.toml

* Update defense_evasion_wsl_bash_exec.toml

* Update defense_evasion_wsl_bash_exec.toml

* Update defense_evasion_wsl_bash_exec.toml

* Update defense_evasion_wsl_bash_exec.toml

* Update defense_evasion_wsl_registry_modification.toml

* Update defense_evasion_wsl_kalilinux.toml

* Update defense_evasion_wsl_kalilinux.toml
 2023-02-01 15:10:28 +00:00
Samirbous 7fe08e7856 Update persistence_service_windows_service_winlog.toml (#2516) 2023-02-01 14:34:30 +00:00
Ruben Groenewoud be5cd23a64 [New Rules] Code Signing Policy Modification (#2510) 
* [New Rules] Code Signing Policy Modification

* Fixed description & tags

* cleaned the query syntax

* Update rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/windows/defense_evasion_code_signing_policy_modification_registry.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/windows/defense_evasion_code_signing_policy_modification_registry.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2023-02-01 15:30:15 +01:00
Jonhnathan 5a31cb250d [Rule Tuning] Unusual File Modification by dns.exe (#2505) 2023-02-01 11:10:05 -03:00
Jonhnathan 8c2cbae5a8 [New Rule] Potential PowerShell HackTool Script by Function Names (#2474) 
* [New Rule] Potential PowerShell HackTool Script by Function Names

* Update execution_posh_hacktool_functions.toml

* Update execution_posh_hacktool_functions.toml

* Update execution_posh_hacktool_functions.toml
 2023-01-31 17:21:36 -03:00
Jonhnathan 8e02c60ef6 [Rule Tuning] Enclose Rule Conditions within Parenthesis (#2486) 2023-01-31 16:56:19 -03:00
Jonhnathan 99f177a5ae [Rule Tuning] Potential Credential Access via DCSync (#2501) 2023-01-31 16:50:39 -03:00
Jonhnathan 8519fad243 [Rule Tuning] Potential Remote Credential Access via Registry (#2511) 
* [Rule Tuning] Potential Remote Credential Access via Registry

* Remove WEF index
 2023-01-31 15:09:32 -03:00
Isai d636f2d465 [Rule Tuning] T1069 and T1087 - admin wildcard (#2484) 
Tuned both rules:relax the conditions by adding a wildcard to admin
 2023-01-30 22:01:52 -05:00
Jonhnathan 5575400ee9 [Security Content] Add Investigation Guides for ML rules (#2405) 
* [Security Content] Add Investigation Guides for ML rules

* .

* Apply suggestions from code review

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Place the guide in the correct rule

* Update guides to address IG refactor, and address sugestions

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
 2023-01-30 13:12:45 -03:00
Jonhnathan 54f65abdb0 [Rule Tuning] Potential Shadow Credentials added to AD Object (#2498) 2023-01-30 09:14:23 -03:00
Ruben Groenewoud b8adffa469 [New Rule] System Service Discovery through built-in Windows Utilities (#2491) 
* [New Rule] System Service Discovery through built-in Windows Utilities

* added pe.original_file_name to net.exe

* fixed query style mistake

* fixed detection logic mistake

* Update rules/windows/discovery_system_service_discovery.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/windows/discovery_system_service_discovery.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2023-01-29 19:15:17 +01:00
Samirbous c5ce910d3a Create defense_evasion_timestomp_sysmon.toml (#2476) 2023-01-27 21:32:03 +00:00
Samirbous b8dcc6ab4b [New Rules] C2 via BITS and CertReq (#2466) 
* Create command_and_control_certreq_postdata.toml

* Update command_and_control_certreq_postdata.toml

* Update command_and_control_certreq_postdata.toml

* Create command_and_control_ingress_transfer_bits.toml

* Update non-ecs-schema.json

* Update command_and_control_certreq_postdata.toml

* Update command_and_control_ingress_transfer_bits.toml

* Update rules/windows/command_and_control_certreq_postdata.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2023-01-27 20:17:36 +00:00
Samirbous e737b4eb7c [Tuning] added T1021.006 and T1563.001 (#2497) 
* Update lateral_movement_incoming_winrm_shell_execution.toml

* Update lateral_movement_powershell_remoting_target.toml

* Update persistence_ssh_authorized_keys_modification.toml

* Update persistence_credential_access_modify_ssh_binaries.toml

* Update credential_access_potential_linux_ssh_bruteforce_root.toml

* Update persistence_ssh_authorized_keys_modification.toml

* Update persistence_ssh_authorized_keys_modification.toml

* Update persistence_ssh_authorized_keys_modification.toml
 2023-01-27 19:51:22 +00:00
Samirbous a1df310e56 [New Rule] T1553.006 - Untrusted Driver Loaded (#2499) 
* Create defense_evasion_untrusted_driver_loaded.toml

* Update defense_evasion_untrusted_driver_loaded.toml
 2023-01-27 19:46:35 +00:00
Samirbous 2372602c4e [New Rules] Amsi Bypass (#2473) 
* Create defense_evasion_amsi_bypass_powershell.toml

* Create defense_evasion_amsi_bypass_dllhijack.toml

* Update defense_evasion_amsi_bypass_dllhijack.toml
 2023-01-26 06:03:53 +00:00
Samirbous 1c6e5a3448 [New Rule] Suspicious Inter-Process Communication via Outlook (#2458) 
* Create collection_email_outlook_mailbox_via_com.toml

* Update non-ecs-schema.json

* Update rules/windows/collection_email_outlook_mailbox_via_com.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/collection_email_outlook_mailbox_via_com.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/collection_email_outlook_mailbox_via_com.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-01-25 17:44:32 +00:00
Samirbous 1a5e64ce13 [New Rule] T1543.003 - Unsigned DLL Loaded by Svchost (#2477) 
* Create persistence_service_dll_unsigned.toml

* Update non-ecs-schema.json

* Update persistence_service_dll_unsigned.toml

* Update rules/windows/persistence_service_dll_unsigned.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update detection_rules/etc/non-ecs-schema.json

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update persistence_service_dll_unsigned.toml

* Update persistence_service_dll_unsigned.toml

* Update non-ecs-schema.json

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-01-25 17:11:38 +00:00
Samirbous bcd8ef15ba [New Rule] Unsigned DLL Side-Loading from a Suspicious Folder (#2409) 
* Create defense_evasion_unsigned_dll_loaded_from_suspdir.toml

* Update non-ecs-schema.json

* Update defense_evasion_unsigned_dll_loaded_from_suspdir.toml

* Update rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-01-25 13:23:20 +00:00
Samirbous 8427c8cd22 Create credential_access_suspicious_lsass_access_generic.toml (#2487) 2023-01-25 09:43:35 +00:00
Terrance DeJesus 3b2d1af051 new guided onboarding rule (#2492) 2023-01-24 11:26:28 -05:00
Jonhnathan f804c29f6d [New Rule] PowerShell Script with Encryption/Decryption Capabilities (#2489) 
* [New Rule] PowerShell Script with Encryption/Decryption Capabilities

* Update defense_evasion_posh_encryption.toml
 2023-01-24 12:26:11 -03:00
Ruben Groenewoud 644a094503 Group Policy Object Discovery through gpresult.exe (#2483) 
* [New  Rule] Group Policy Discovery Through gpresult.exe

* Fixed typo

* Update rules/windows/discovery_group_policy_object_discovery.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/windows/discovery_group_policy_object_discovery.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/windows/discovery_group_policy_object_discovery.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/windows/discovery_group_policy_object_discovery.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-01-24 12:10:57 +01:00
Jonhnathan fc30b5881f [New Rule] PowerShell Suspicious Script with Clipboard Retrieval Capabilities (#2465) 
* [New Rule] PowerShell Suspicious Script with Clipboard Retrieval Capabilities

* Bump sev

* Update rules/windows/collection_posh_clipboard_capture.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2023-01-24 07:58:48 -03:00
Jonhnathan 92ae27600f [New Rule] PowerShell Mailbox Collection Script (#2461) 2023-01-24 07:54:55 -03:00
Jonhnathan 0aa87d7f4a [Rule Tuning] Unusual Process For a Linux Host (#2445) 
* [Rule Tuning] Unusual Process For a Linux Host

* .
 2023-01-23 21:03:29 -03:00
Jonhnathan 77c8665f11 [Rule Tuning] Add endgame support for Linux Rules (#2436) 
* [Rule Tuning] Add endgame support for Linux Rules

* [Rule Tuning] Add endgame support for Linux Rules

* .

* Update persistence_insmod_kernel_module_load.toml
 2023-01-23 20:53:15 -03:00
Jonhnathan 7cde7901e3 [Rule Tuning] PowerShell Suspicious Discovery Related Windows API Functions (#2478) 
* [Rule Tuning] PowerShell Suspicious Discovery Related Windows API Functions

* Update discovery_posh_suspicious_api_functions.toml
 2023-01-23 20:35:43 -03:00
Jonhnathan 729ecf8b58 [New Rule] PowerShell Invoke-NinjaCopy script (#2488) 
* [New Rule] PowerShell Invoke-NinjaCopy script

* Update credential_access_posh_invoke_ninjacopy.toml

* Update credential_access_posh_invoke_ninjacopy.toml
 2023-01-23 20:00:57 -03:00
Ruben Groenewoud e3ff45e20c [New Rule] System Time Discovery (#2475) 
* [New Rule] System Time Discovery

* Update rules/windows/discovery_system_time_discovery.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/windows/discovery_system_time_discovery.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/windows/discovery_system_time_discovery.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/windows/discovery_system_time_discovery.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/windows/discovery_system_time_discovery.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/discovery_system_time_discovery.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/discovery_system_time_discovery.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-01-18 13:01:57 +01:00
Terrance DeJesus e5d81e77f7 [New Rule] Add Google Workspace Alert Center Promotional Rule (#2471) 
* Add Google Workspace Alert Center Promotional Rule

* added severity mapping overrides
 2023-01-17 12:09:13 -05:00
github-actions[bot] d81bc25d09 Lock versions for releases: 7.16,8.0,8.1,8.2,8.3,8.4,8.5,8.6 (#2468) 
* Locked versions for releases: 7.16,8.0,8.1,8.2,8.3,8.4,8.5,8.6

* added newline in version lock file to trigger checks

* removed trailing newline from version lock file

Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com>
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
 2023-01-13 15:20:23 -05:00
Terrance DeJesus b61da98f97 [Rule Tuning] Bumping min-stack version for Google Workspace to 8.4 (#2467) 
* Bumping min-stack version for Google Workspace to 8.4

* changed 'updated_date' values
 2023-01-13 13:29:28 -05:00
Jonhnathan 0e535e5931 [Rule Tuning] Remove unreleased timeline from alert correlation rules (#2462) 
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2023-01-12 12:10:59 -03:00
Samirbous cb88ad715c [New Rule] Exchange Mailbox via PowerShell (#2459) 
* Create collection_mailbox_export_winlog.toml

* Update collection_mailbox_export_winlog.toml

* Update collection_mailbox_export_winlog.toml

* Update rules/windows/collection_mailbox_export_winlog.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/collection_mailbox_export_winlog.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/collection_mailbox_export_winlog.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/collection_mailbox_export_winlog.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/windows/collection_mailbox_export_winlog.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2023-01-11 16:45:20 +00:00
Samirbous 8afda66487 [Rule Tuning] Suspicious WerFault Child Process (#2437) 
* Update defense_evasion_masquerading_suspicious_werfault_childproc.toml

* Update defense_evasion_masquerading_suspicious_werfault_childproc.toml

* Update defense_evasion_masquerading_suspicious_werfault_childproc.toml
 2023-01-11 16:41:57 +00:00
Samirbous 9121a25b02 Update collection_email_powershell_exchange_mailbox.toml (#2457) 2023-01-11 16:29:01 +00:00
github-actions[bot] 6acc0f9b11 Lock versions for releases: 7.16,8.0,8.1,8.2,8.3,8.4,8.5,8.6 (#2455) 
* Locked versions for releases: 7.16,8.0,8.1,8.2,8.3,8.4,8.5,8.6

* added newline in version lock file to trigger checks

* removed trailing newline from version lock file

Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com>
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2023-01-10 09:50:41 -05:00