* add unit tests to ensure host type and platform are included
* add host.os.name 'linux' to all linux rules
* add host.os.name macos to mac rules
* add host.os.name to windows rules; fix linux dates
* update from host.os.name to host.os.type
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* initial commit
* addressing flake errors
* added apm to _get_packagted_integrations logic
* addressed flake errors
* adjusted integration schema and updated rules to be a list
* updated several rules and removed a unit test
* updated rules with logs-* only index patterns
* Update tests/test_all_rules.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
* addressed flake errors
* integration is none if windows, endpoint or apm
* adding rules with accepted incoming changes from main
* fixed tag and tactic alignment errors from unit testing
* adjusted unit testing logic for integration tags; added more exclusion rules
* adjusted test_integration logic to be rule resistant and skip if -8.3
* adjusted comments for unit test skip
* fixed merge conflicts from main
* changing test_integration_tag to remove logic for rule version comparisons
* added integration tag to new rule
* adjusted rules updated_date value
* ignore guided onboarding rule in unit tests
* added integration tag to new rule
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
* Update privilege_escalation_shadow_file_read.toml
description update, name update, query update, tags update, MITRE update
* Update privilege_escalation_shadow_file_read.toml
edited order of MITRE
* changed file name to match credential_access as primary tactic
* excluded common executables, not related to "read", based on telemetry
* update cred access reference MITRE
* toml-lint file for final validation
* Rename credential_access_shadow_file_access.toml to privilege_escalation_shadow_file_access.toml
revert name back to privilege_escalation...
* Rename privilege_escalation_shadow_file_access.toml to privilege_escalation_shadow_file_read.toml
* update update_date
* Changed primary tactic back to privilege_escalation to match rule name