818467f132
Replace master doc URLs with current ( #4439 )
2025-02-03 21:27:50 +05:30
fe8c81d762
[FR] Generate investigation guides ( #4358 )
2025-01-22 11:17:38 -06:00
4c44f98cd6
[Rule Tuning] LSASS Process Access via Windows API ( #3975 )
...
* [Rule Tuning] LSASS Process Access via Windows API
* Update credential_access_lsass_openprocess_api.toml
* Update credential_access_lsass_openprocess_api.toml
2024-08-14 11:42:18 -03:00
8dc0963ae6
[Rule Tuning] LSASS Process Access via Windows API ( #3824 )
...
* Update credential_access_lsass_openprocess_api.toml
* Update credential_access_lsass_openprocess_api.toml
* Update credential_access_lsass_openprocess_api.toml
* fix merge
* newline
* Update credential_access_lsass_openprocess_api.toml
* Update credential_access_lsass_openprocess_api.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2024-07-04 21:45:46 +01:00
7693d785aa
[Rule Tuning] LSASS Process Access via Windows API ( #3839 )
2024-06-27 12:22:13 -03:00
54d5b442cf
[Rule Tuning] Add Initial Microsoft Defender for Endpoint Compatibility to Windows DRs ( #3825 )
...
* [Rule Tuning] Add Initial Microsoft Defender for Endpoint Compatibility to Windows DRs
* .
* Update integration-schemas.json.gz
* Fix integration manifests
2024-06-26 11:06:27 -03:00
63e91c2f12
Back-porting Version Trimming ( #3704 )
2024-05-23 00:45:10 +05:30
2c3dbfc039
Revert "Back-porting Version Trimming ( #3681 )"
...
This reverts commit 71d2c59b5c
2024-05-22 13:51:46 -05:00
71d2c59b5c
Back-porting Version Trimming ( #3681 )
2024-05-23 00:11:50 +05:30
b47b91b9ec
[Rule Tuning] Tighten up Indexes of Elastic Defend Windows Rules ( #3549 )
...
* [Rule Tuning] Tighten up Indexes of Elastic Defend Windows Rules
* Delete test.pkl
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2024-04-01 20:45:12 -03:00
578936d37a
[Security Content] Add Windows Investigation Guides ( #3257 )
...
* [Security Content] Add Windows Investigation Guides
* Apply suggestions from code review
Co-authored-by: Joe Peeples <joe.peeples@elastic.co >
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Joe Peeples <joe.peeples@elastic.co >
2023-12-19 12:38:28 -03:00
3d73427e29
[Rule Tuning] Windows DR Tuning - 3 ( #3212 )
...
* [Rule Tuning] Windows DR Tuning - 3
* Update credential_access_lsass_openprocess_api.toml
* Update credential_access_moving_registry_hive_via_smb.toml
2023-10-26 18:58:59 -03:00
f584fb6e31
[Security Content] Adjust Mitre Att&ck Mappings - Windows Rules ( #3165 )
...
* [Security Content] Adjust Mitre Att&ck Mappings - Windows Rules
* Fix dates
* Fix unit test errors
* updated tags and fixed branch conflicts
updated tags and fixed branch conflicts
* description nit
* Reverting unintended changes
* Update initial_access_suspicious_ms_office_child_process.toml
---------
Co-authored-by: imays11 <59296946+imays11@users.noreply.github.com >
2023-10-15 18:12:20 -03:00
4233fef238
[Security Content] Include "Data Source: Elastic Defend" tag ( #3002 )
...
* win folder
* Other folders
* Update test_all_rules.py
* .
* updated missing elastic defend tags
---------
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co >
2023-09-05 14:22:01 -04:00
22931d6afb
Update credential_access_lsass_openprocess_api.toml ( #3047 )
2023-08-28 16:22:08 +01:00
b4c84e8a40
[Security Content] Tags Reform ( #2725 )
...
* Update Tags
* Bump updated date separately to be easy to revert if needed
* Update resource_development_ml_linux_anomalous_compiler_activity.toml
* Apply changes from the discussion
* Update persistence_init_d_file_creation.toml
* Update defense_evasion_timestomp_sysmon.toml
* Update defense_evasion_application_removed_from_blocklist_in_google_workspace.toml
* Update missing Tactic tags
* Update unit tests to match new tags
* Add missing IG tags
* Delete okta_threat_detected_by_okta_threatinsight.toml
* Update command_and_control_google_drive_malicious_file_download.toml
* Update persistence_rc_script_creation.toml
* Mass bump
* Update persistence_shell_activity_by_web_server.toml
* .
---------
Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2023-06-22 18:38:56 -03:00
51d50b7d8a
[New Rule] Lsass Process Access - Generic ( #2613 )
...
* Create credential_access_lsass_openprocess_api.toml
* Update credential_access_lsass_openprocess_api.toml
* Update credential_access_lsass_openprocess_api.toml
* Update non-ecs-schema.json
* Update rules/windows/credential_access_lsass_openprocess_api.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules/windows/credential_access_lsass_openprocess_api.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update rules/windows/credential_access_lsass_openprocess_api.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules/windows/credential_access_lsass_openprocess_api.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/credential_access_lsass_openprocess_api.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/credential_access_lsass_openprocess_api.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update credential_access_lsass_openprocess_api.toml
* Update non-ecs-schema.json
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2023-04-03 14:34:30 +01:00
shashank-elastic