* remove timestamp_override from endgame promotion rules
* updated version.lock to previous state for endgame promotion rule changes
* fix incorrect year in updated_date
* Refresh beats and ecs schemas and default to use latest to validate
* remove incorrect ecs_version from zoom rule
* remove stale ecs_version from rules
* rune-okta-rule-metadata
* update note field to include fleet integration info
* separate okta policy rule modification and deletion into two rules
* rename file to align with style of others
* fix syntax typo
* separate zone and policy deactivation, deletion, and modification actions into separate rules
* fix typo
* fix tpyo 🙃
* Use "detects" instead of "identifies" in description
* Use "detects" instead of "identifies" in description
* Use "detects" instead of "identifies" in description
* Use "detects" instead of "identifies" in description
* refresh to latest ATT&CK 7.2
* add new unit test to further validate threat mappings
* updated threat mappings in rules to reflect changes
* new func to download and refresh mitre data based on version
* Create credential_access_okta_brute_force_or_password_spraying.toml
* Update maturity to production
* Update severity and risk score
* Aggregate by source.ip field
To ensure that investigate in timeline displays expected events
* Update false positive information
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Tweak false positive info
* Update rules/okta/credential_access_okta_brute_force_or_password_spraying.toml
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
* Update rules/okta/credential_access_okta_brute_force_or_password_spraying.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
* Add okta rule for policy modification/delete
* Update rule name
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
* Update rules/okta/okta_attempt_to_modify_or_delete_application_sign_on_policy.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Add event.module value to query
* Update okta_attempt_to_modify_or_delete_application_sign_on_policy.toml
Add event.category and event.type values to query
* Update rules/okta/okta_attempt_to_modify_or_delete_application_sign_on_policy.toml
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
David French