* [Rule Tuning] Add timestamp_override field to rules
* add tests for lookback and timestamp_override
* fix dates and add test to ensure updated > creation
* [New Rule] Suspicious Execution via File Overwrite
* Update defense_evasion_overwrite_followed_by_execution.toml
* Update defense_evasion_overwrite_followed_by_execution.toml
* removed timeline_id
* fixed logic and also added references URL
* tuned logic to exclude potential FPs
not an actual FP, but only observed executable file overwrite by default on Windows is related to SoftwareDistribution, this does not match the sequence (Process Execution followed by Same Process File Overwrite) but added it to exclusion just in case.
* adjusted a bit desc and name
* changed rule file name
* adjusted executable.path for performance
avoiding leading wildcard, users can customize rule if they have different drive letters
* Update rules/windows/defense_evasion_potential_processherpaderping.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/defense_evasion_potential_processherpaderping.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* relinted
* lint
* ecs_version
* Update rules/windows/defense_evasion_potential_processherpaderping.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/defense_evasion_potential_processherpaderping.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* relinted
* deleted ecs_version
* Update rules/windows/defense_evasion_potential_processherpaderping.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* changed rule name as per ross sugges
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Justin Ibarra