security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
1,665 Commits 1 Branch 0 Tags
f6b6bee5c287d2d6806000ed3ce2b7c605a2bb35
Commit Graph

564 Commits

Author SHA1 Message Date
Hilton ccfc931fbd Tunes Unusual Parent Process for cmd.exe rule to exclude oobe activity (#3091) 
* Tunes Unusual Parent Process for cmd.exe rule to exclude oobe activity

When dllhost.exe is called with the "/Processid:{CA8C87C1-929D-45BA-94DB-EF8E6CB346AD}" argument it is creating an "OOBE Elevated Object Server"  as per https://strontic.github.io/xcyclopedia/library/clsid_ca8c87c1-929d-45ba-94db-ef8e6cb346ad.html

Out of the box experience is part of the Windows autopilot and therefore should be legitimate behaviour.

* simplified detection logic by utilising process.parent.args

---------

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
 2023-09-13 13:51:07 -03:00
Jonhnathan ddb1f75352 [New Rule] New BBR Rules - Part 2 (#3029) 
* [New Rule] New BBR Rules - Part 2

* Update discovery_generic_account_groups.toml

* Update discovery_generic_account_groups.toml

* Update rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules_building_block/execution_downloaded_shortcut_files.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules_building_block/defense_evasion_unusual_process_extension.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update defense_evasion_unusual_process_extension.toml

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
 2023-09-12 21:49:22 -03:00
Jonhnathan af99186992 [New Rule] New BBR Rules - Part 3 (#3034) 
* [New Rule] New BBR Rules - Part 3

* Apply suggestions from code review

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2023-09-12 21:28:01 -03:00
Jonhnathan 3614f42b00 [New Rule] New BBR Rules - Part 5 (#3052) 
* [New Rule] New BBR Rules - Part 5

* Apply suggestions from code review

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Tag work

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2023-09-05 18:36:34 -03:00
Jonhnathan 4233fef238 [Security Content] Include "Data Source: Elastic Defend" tag (#3002) 
* win folder

* Other folders

* Update test_all_rules.py

* .

* updated missing elastic defend tags

---------

Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
 2023-09-05 14:22:01 -04:00
Jonhnathan fdd45148b8 [New Rule][BBR] WRITEDAC Access on Active Directory Object (#3015) 
* [New Rule] WRITEDAC Access on Active Directory Object

* Update defense_evasion_write_dac_access.toml

* Fix Setup Instructions

* Update defense_evasion_write_dac_access.toml

* Update rules_building_block/defense_evasion_write_dac_access.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

---------

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
 2023-08-31 12:59:02 -03:00
Eric 41a7a36817 Tune rule for new DLL written to Windows Servicing (#3062) 2023-08-30 13:51:23 -03:00
Jonhnathan 6d7df50d78 [New Rule] Suspicious WMI Event Subscription Created (#1860) 
* Suspicious WMI Event Subscription Initial rule

* Use EQL sequence

* Update non-ecs-schema

* Update persistence_sysmon_wmi_event_subscription.toml

* update description

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* update query too look for even code 21 only

* update to case sensitive compare

* Update rules/windows/persistence_sysmon_wmi_event_subscription.toml

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* Update persistence_sysmon_wmi_event_subscription.toml

* Update non-ecs-schema.json

* Update rules/windows/persistence_sysmon_wmi_event_subscription.toml

* Update non-ecs-schema.json

* Update persistence_sysmon_wmi_event_subscription.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2023-08-29 16:42:19 -03:00
Jonhnathan 7004c99ef5 [New Rule] Unusual Process For MSSQL Service Accounts (#3040) 
* [New Rule] Unusual Process For MSSQL Service Accounts

* Update initial_access_unusual_process_sql_accounts.toml

* Update initial_access_unusual_process_sql_accounts.toml

* Update collection_archive_data_zip_imageload.toml

* Update persistence_via_xp_cmdshell_mssql_stored_procedure.toml

* Update initial_access_unusual_process_sql_accounts.toml

* Update rules_building_block/initial_access_unusual_process_sql_accounts.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update persistence_via_xp_cmdshell_mssql_stored_procedure.toml

added   "vpnbridge.exe", "certutil.exe" and "bitsadmin.exe" to rule scope.

* Update persistence_via_xp_cmdshell_mssql_stored_procedure.toml

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2023-08-29 09:10:25 -03:00
Samirbous 22931d6afb Update credential_access_lsass_openprocess_api.toml (#3047) 2023-08-28 16:22:08 +01:00
Jonhnathan de32287889 [Rule Tuning] High Number of Process and/or Service Terminations (#2940) 2023-08-25 19:19:25 -03:00
Terrance DeJesus 2ddcf7817e [Rule Tuning] Ignore Windows Update MpSigStub.exe for Parent Process PID Spoofing (#3025) 
* adding tuning to ignore windows update

* Update privilege_escalation_via_ppid_spoofing.toml

* Update privilege_escalation_via_ppid_spoofing.toml

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-08-22 13:04:25 -04:00
Jonhnathan 0c3b251208 [Rule Tuning] PowerShell Keylogging Script (#3023) 2023-08-22 07:45:00 -03:00
Samirbous 5e801b2edf [Tuning] Improve Performance (#2953) 
* [Tuning] Improve Performance

Remote Computer Account DnsHostName Update : sequence not needed, removed auth event to improve rule execution time.

Potential Remote Credential Access via Registry : removed sequence, since user.id is reported as std user SID (svchost is impersonating a remote user), and reduced file.path to known bad (based on observed TPs)

* Update privilege_escalation_suspicious_dnshostname_update.toml

* ++

* ++

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-08-21 16:23:34 +01:00
Jonhnathan 72f15dda6a [New Rule] PowerShell Kerberos Ticket Dump (#2967) 
* [New Rule] PowerShell Kerberos Ticket Dump

* Update rules/windows/credential_access_posh_kerb_ticket_dump.toml

* Update rules/windows/credential_access_posh_kerb_ticket_dump.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2023-08-20 17:29:16 -03:00
Joe Desimone b5e011a892 [Rule Tuning] Privileges Elevation via Parent Process PID Spoofing (#2873) 
* Update privilege_escalation_via_ppid_spoofing.toml

* Update privilege_escalation_via_ppid_spoofing.toml

* bump date

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-08-17 13:52:26 -03:00
Jonhnathan 9144dc0448 [New Rule] Building Block Rules - Part 2 (#2923) 
* [New Rule] Building Block Rules - Part 2

* .

* Update rules_building_block/defense_evasion_dll_hijack.toml

* Update rules_building_block/defense_evasion_file_permission_modification.toml

* Update rules_building_block/discovery_posh_password_policy.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2023-08-17 13:00:50 -03:00
Jonhnathan 96e50be5a6 [Rule Tuning] Potential Masquerading as Communication Apps (#2997) 
* [Rule Tuning] Potential Masquerading as Communication Apps

* Update defense_evasion_masquerading_communication_apps.toml

* Update persistence_run_key_and_startup_broad.toml

* CI

* Revert "CI"

This reverts commit f43d9388dadb158d6cb63e84d2f1edcf2162bfb0.
 2023-08-16 09:34:21 -03:00
Ali Alwashali f500cec497 fixing typo in 127.0.0.1 address (#3004) 2023-08-08 17:06:26 +02:00
Eric 1e769c51b6 Tune Unusual File Activity ADS for Teams weblogs (#2929) 
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-07-31 10:41:31 -03:00
Eric d0d99829a2 Correct misspelling of AppDara to AppData (#2952) 
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-07-26 08:10:03 -03:00
Jonhnathan 5e714e01e6 [Security Content] Add Windows Investigation Guides (#2825) 
* [Security Content] Add Windows Investigation Guides

* Apply suggestions from code review

Co-authored-by: Joe Peeples <joe.peeples@elastic.co>

* Add IG Tag

* Apply suggestions from code review

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

---------

Co-authored-by: Joe Peeples <joe.peeples@elastic.co>
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
 2023-07-19 08:07:01 -03:00
Jonhnathan 23a133121d [Rule Tuning] Add HackTool Keywords to PowerShell Rules (#2932) 2023-07-18 08:55:59 -03:00
Jonhnathan fca8bcc071 [Rule Tuning] PowerShell Rule Tunings (#2907) 
* [Rule Tuning] PowerShell Rule Tunings

* bump
 2023-07-14 15:41:36 -03:00
Terrance DeJesus cd7a52f1b1 [Rule Tuning] Lock Rules with Different Required Fields Related to 8.9.1 Release (#2895) 
* forking rules with version collisions

* Update rules/windows/credential_access_lsass_handle_via_malseclogon.toml

* Update rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml

* Update rules/windows/credential_access_suspicious_lsass_access_generic.toml

* Update rules/windows/credential_access_suspicious_lsass_access_memdump.toml

* Update rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml

* Update rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml

* Update rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml
 2023-07-06 10:39:20 -04:00
Eric df0a1facd1 [WMI Incoming Lateral Movement] Modify Existing Query Exception (#2843) 
* Tune WMI Incoming Lateral Movement

* Tune WMI Incoming Lateral Movement

* Bump updated_date

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
 2023-07-03 17:12:05 -04:00
Eric f78de8c9d4 Add MS Office exceptions to query (#2836) 
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
 2023-07-03 16:09:17 -04:00
Eric 35ea2727dc [Suspicious Antimalware Scan Interface DLL] Additional Query Exception for Windows Upgrades (#2850) 2023-06-30 18:01:35 -04:00
Samirbous 7aa8a7b5fb [Rules Tuning] diverse tuning (#2506) 
* Update credential_access_saved_creds_vault_winlog.toml

* Update lateral_movement_powershell_remoting_target.toml

* Update credential_access_saved_creds_vault_winlog.toml

* Update lateral_movement_remote_services.toml

* Update lateral_movement_incoming_winrm_shell_execution.toml

* Update lateral_movement_rdp_enabled_registry.toml

* Update persistence_scheduled_task_updated.toml

* Update persistence_scheduled_task_updated.toml

* Update privilege_escalation_persistence_phantom_dll.toml

* Update privilege_escalation_persistence_phantom_dll.toml

* Update rules/windows/persistence_scheduled_task_updated.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-06-30 18:57:00 +01:00
Jonhnathan d5dddae0ef [Rule Tuning] Suspicious PowerShell Engine ImageLoad (#2721) 
* [Rule Tuning] Suspicious PowerShell Engine ImageLoad

* Update rules/windows/execution_suspicious_powershell_imgload.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2023-06-30 10:56:13 -03:00
Samirbous 2a4749d3d0 [New Rule] New Term Rule for USB Devices (#2644) 
* Create

* Update initial_access_first_time_seen_usb_name.toml

* Update rules/windows/initial_access_first_time_seen_usb_name.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/initial_access_first_time_seen_usb_name.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update initial_access_first_time_seen_usb_name.toml

* Update rules/windows/initial_access_exfiltration_first_time_seen_usb.toml

* Update rules/windows/initial_access_exfiltration_first_time_seen_usb.toml

* Update rules/windows/initial_access_exfiltration_first_time_seen_usb.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2023-06-30 10:41:38 -03:00
Jonhnathan a7e605a0e5 [Rule Tuning] [BUG] Revert PowerShell Query modifications from #2823 (#2889) 
* Revert query mods done in https://github.com/elastic/detection-rules/pull/2823

* Add exception to unit test

* fixed linting

* proper linting fix

* updated to add to definitions.py

* fix linting

---------

Co-authored-by: eric-forte-elastic <eric.forte@elastic.co>
 2023-06-28 15:55:43 -03:00
eric-forte-elastic aaa4ce2ea0 [BUG] test_all_rule_queries_optimized does not run on rules (#2823) 
* Fixed kql -> kuery in test_all_rule_queries_opt...

* all queries optimized

* manually reconciled all rules that failed due to toml escaped chars

* merge rules from main

* Rules needing optimization

* Fix optimized note

* fix another note

* another note fix

* fixing whitespace

* Updated for readability

---------

Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2023-06-23 10:58:31 -04:00
Jonhnathan b4c84e8a40 [Security Content] Tags Reform (#2725) 
* Update Tags

* Bump updated date separately to be easy to revert if needed

* Update resource_development_ml_linux_anomalous_compiler_activity.toml

* Apply changes from the discussion

* Update persistence_init_d_file_creation.toml

* Update defense_evasion_timestomp_sysmon.toml

* Update defense_evasion_application_removed_from_blocklist_in_google_workspace.toml

* Update missing Tactic tags

* Update unit tests to match new tags

* Add missing IG tags

* Delete okta_threat_detected_by_okta_threatinsight.toml

* Update command_and_control_google_drive_malicious_file_download.toml

* Update persistence_rc_script_creation.toml

* Mass bump

* Update persistence_shell_activity_by_web_server.toml

* .

---------

Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2023-06-22 18:38:56 -03:00
Eric 1e404cde34 [Suspicious PowerShell Engine ImageLoad] Add Ssms.exe to query exceptions (#2831) 
* Add Ssms.exe to query exceptions

* Changed updated_date

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-06-12 16:15:47 -03:00
Jonhnathan 665bf03ec0 [Rule Tuning] Remote System Discovery Commands (#2834) 2023-06-07 14:24:53 -03:00
Eric 601788c4df Added Outlook.exe as a query exception (#2814) 
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2023-06-06 17:47:25 +01:00
Eric 221e756b48 Adjusted exceptions to rule for Nessus (#2774) 
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2023-06-06 17:39:34 +01:00
Jonhnathan 05aac4f371 [Security Content] Add Investigation Guides to Windows rules (#2678) 
* [Security Content] Add Investigation Guides to Windows rules

* Update privilege_escalation_service_control_spawned_script_int.toml

* Update execution_reverse_shell_via_named_pipe.toml

* Apply suggestions from code review

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update execution_command_prompt_connecting_to_the_internet.toml

---------

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
 2023-05-26 10:25:41 -03:00
Jonhnathan 0b3f603179 [Rule Tuning] Adding Hidden File Attribute via Attrib (#2726) 
* [New Rule] Adding Hidden File Attribute via Attrib

* Apply suggestions from code review

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2023-05-17 10:23:11 -03:00
Jonhnathan 9f734c2c1f [Rule Tuning] System Information Discovery via Windows Command Shell (#2741) 2023-05-17 09:58:21 -03:00
Jonhnathan d017156454 [Rule Tuning] Make Rules Compatible with Windows Forwarded Logs (#2761) 
* [Proposal] [Rule Tuning] Make Intended rules compatible with Windows Forwarded Logs

* Update tests/test_all_rules.py

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* Update test_all_rules.py

* Update test_all_rules.py

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2023-05-15 20:31:59 -03:00
Jonhnathan 6655932190 [Rule Tuning] Startup or Run Key Registry Modification (#2766) 
* [Rule Tuning] Startup or Run Key Registry Modification

* Update persistence_run_key_and_startup_broad.toml

* Apply suggestions from code review

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2023-05-04 09:42:12 -03:00
Terrance DeJesus d5350ae6e0 [New Rule] Commonly Abused Remote Access Tool Downloaded (New Terms) (#2685) 
* adding initial rule

* changed new terms to host.id

* removed windows integration tag

* removed windows integration tag

* changed rule to be process started related

* rule linted

* updating description

* Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml

* added process.name.caseless to non-ecs.json

* removed host type related to #2761

* added host.os.type

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2023-05-02 23:09:17 -04:00
Samirbous 2eda02c10e [Rule Tuning] Multiple Logon Failure from the same Source Address (#2588) 
* Update credential_access_bruteforce_multiple_logon_failure_same_srcip.toml

* Update rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml

* Update rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-04-24 09:16:17 -03:00
Jonhnathan 84acf004da [Rule Tuning] Component Object Model Hijacking (#2730) 2023-04-21 18:43:02 -03:00
Jonhnathan 12d6b49a24 [Rule Tuning] Potential Credential Access via Windows Utilities (#2727) 
* [Rule Tuning] Potential Credential Access via Windows Utilities

* Add system integration index

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2023-04-21 18:27:44 -03:00
Jonhnathan 255c53cff0 [Rule Tuning] Connection to Commonly Abused Web Services (#2728) 
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2023-04-20 18:26:00 -03:00
Jonhnathan b1e3215cd5 [Rule Tuning] Tune PowerShell rule FPs related to MS ATP (#2729) 2023-04-20 12:37:06 -03:00
Jonhnathan fb09208132 [Rule Tuning] Connection to Commonly Abused Web Services (#2717) 
* [Rule Tuning] Connection to Commonly Abused Web Services

* Update command_and_control_common_webservices.toml
 2023-04-18 09:15:47 -03:00