* Convert config header to setup in note field
* Parse note field into separate setup and note field with marko gfm
* only validate and parse note on elastic authored rules and add CLI description for new DR_BYPASS_NOTE_VALIDATION_AND_PARSE environment variable
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
* Expand timestamp_override tests
* removed timestamp_override from eql sequence rules
* add config entry for eql rules with beats index and t_o
* add timestamp_override to missing fields
* [Rule Tuning] Add timestamp_override field to rules
* add tests for lookback and timestamp_override
* fix dates and add test to ensure updated > creation
* [New Rule] Access to Browsers Credential Files
* removed Thunderbird from list
  out of browser context, may go into a different rule with other mail clients
* adjusted Safari cookies path
  to include folder access; file access is covered by the Cookies.binarycookies check
* excluded a noisy arg
* Update credential_access_access_to_browser_credentials_procargs.toml
* Update rules/macos/credential_access_access_to_browser_credentials_procargs.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/macos/credential_access_access_to_browser_credentials_procargs.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* relinted
* Update rules/macos/credential_access_access_to_browser_credentials_procargs.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>