f5c992b6de
[Security Content] Add Investigation Guides - 2 - 8.5 ( #2314 )
...
* [Security Content] Add Investigation Guides - 2 - 8.5
* Update rules/windows/lateral_movement_execution_via_file_shares_sequence.toml
* Merge branch 'main' into investigation_guides_8.5_2
* Revert "Merge branch 'main' into investigation_guides_8.5_2"
This reverts commit fb3c3f0245301d49229534d8776478c32f6c190e.
* Apply suggested changes from review
* Update discovery_security_software_grep.toml
* Apply suggestions from review
* Apply suggestions from review
2022-09-26 12:59:39 -03:00
46d5e37b76
min_stack all rules to 8.3 ( #2259 )
...
* min_stack all rules to 8.3
* bump date
Co-authored-by: Mika Ayenson <mika.ayenson@elastic.co >
2022-08-24 10:38:49 -06:00
a52751494e
2058 add setup field to metadata ( #2061 )
...
* Convert config header to setup in note field
* Parse note field into separate setup and note field with marko gfm
* only validate and parse note on elastic authored rules and add CLI description for new DR_BYPASS_NOTE_VALIDATION_AND_PARSE environment variable
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com >
2022-07-18 15:41:32 -04:00
6bdfddac8e
Expand timestamp override tests ( #1907 )
...
* Expand timestamp_override tests
* removed timestamp_override from eql sequence rules
* add config entry for eql rules with beats index and t_o
* add timestamp_override to missing fields
2022-04-01 15:27:08 -08:00
04ea1a72c7
[Rule Tuning] Security Software Discovery via Grep ( #994 )
...
* [Rule Tuning] Security Software Discovery via Grep
* Update rules/cross-platform/discovery_security_software_grep.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/cross-platform/discovery_security_software_grep.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/cross-platform/discovery_security_software_grep.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/cross-platform/discovery_security_software_grep.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/cross-platform/discovery_security_software_grep.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/cross-platform/discovery_security_software_grep.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2021-03-18 15:46:26 +01:00
3fc34b86f2
Update License to Elastic v2 ( #944 )
2021-03-03 22:12:11 -09:00
645a0cd67b
[Rule Tuning] Add timestamp_override to all query and non-sequence EQL rules ( #945 )
...
* [Rule Tuning] Add timestamp_override field to rules
* add tests for lookback and timestamp_override
* fix dates and add test to ensure updated > creation
2021-02-17 19:49:58 -09:00
6029783721
[New Rule] Security Software Discovery using Grep ( #743 )
...
* [New Rule] Security Software Discovery using Grep
* fixed index
* Update discovery_security_software_grep.toml
* Update discovery_security_software_grep.toml
* conv to kql and added few AVs
* added more AV procs
* Update rules/macos/discovery_security_software_grep.toml
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com >
* moved to cross-platform
* Update discovery_security_software_grep.toml
* Update rules/cross-platform/discovery_security_software_grep.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/cross-platform/discovery_security_software_grep.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2021-01-26 19:57:26 +01:00
Jonhnathan