* add unit tests to ensure host type and platform are included
* add host.os.name 'linux' to all linux rules
* add host.os.name macos to mac rules
* add host.os.name to windows rules; fix linux dates
* update from host.os.name to host.os.type
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* initial commit
* addressing flake errors
* added apm to _get_packaged_integrations logic
* addressed flake errors
* adjusted integration schema and updated rules to be a list
* updated several rules and removed a unit test
* updated rules with logs-* only index patterns
* Update tests/test_all_rules.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
* addressed flake errors
* integration is none is windows, endpoint or apm
* adding rules with accepted incoming changes from main
* fixed tag and tactic alignment errors from unit testing
* adjusted unit testing logic for integration tags; added more exclusion rules
* adjusted test_integration logic to be rule resistant and skip if -8.3
* adjusted comments for unit test skip
* fixed merge conflicts from main
* changing test_integration_tag to remove logic for rule version comparisons
* added integration tag to new rule
* adjusted rules updated_date value
* ignore guided onboarding rule in unit tests
* added integration tag to new rule
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
* [Rule Tuning] Add timestamp_override field to rules
* add tests for lookback and timestamp_override
* fix dates and add test to ensure updated > creation
* [New Rule] Suspicious Execution via File Overwrite
* Update defense_evasion_overwrite_followed_by_execution.toml
* Update defense_evasion_overwrite_followed_by_execution.toml
* removed timeline_id
* fixed logic and also added references URL
* tuned logic to exclude potential FPs
Not an actual FP, but the only observed executable file overwrite by default on Windows is related to SoftwareDistribution; this does not match the sequence (Process Execution followed by Same Process File Overwrite), but added it to exclusion just in case.
* adjusted a bit desc and name
* changed rule file name
* adjusted executable.path for performance
avoiding leading wildcard, users can customize rule if they have different drive letters
* Update rules/windows/defense_evasion_potential_processherpaderping.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/defense_evasion_potential_processherpaderping.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* relinted
* lint
* ecs_version
* Update rules/windows/defense_evasion_potential_processherpaderping.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/defense_evasion_potential_processherpaderping.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* relinted
* deleted ecs_version
* Update rules/windows/defense_evasion_potential_processherpaderping.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* changed rule name as per ross sugges
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>