Files

T

Terrance DeJesus 096723b2a1 [Rule Tuning] Symbolic Link to Shadow Copy Created (#1830 )

* fixed duplicated file name

* deprecated Symbolic Link to Shadow Copy Created as it may be prone to FP and the intrusion steps are covered with NTDS or SAM Database File Copied

* moved rule back to production, added investigation notes and sequencing to EQL query

* added related rule 3bc6deaa-fbd4-433a-ae21-3e892f95624f to investigation notes

* updating with minor changes

* adjusted related rules

* adjusted investigation notes

* Update rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* TOML linted and adjusted updated date

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

2022-03-18 11:08:29 -04:00

_deprecated

Deprecate PrintNightmare Rules (#1852 )

2022-03-17 19:39:36 -03:00

apm

[Rule tuning] Revise rule description and other text (#1398 )

2021-08-03 13:07:47 -08:00

cross-platform

[Security Content] Update rules based on docs review (#1803 )

2022-03-01 21:39:30 -03:00

integrations

Update impact_azure_service_principal_credentials_added.toml (#1802 )

2022-03-02 05:36:21 -03:00

linux

Updation of Mitre Tactic and Threats (#1850 )

2022-03-18 15:06:24 +05:30

macos

[Security Content] Update rules based on docs review (#1803 )

2022-03-01 21:39:30 -03:00

[Security Content] Update rules based on docs review (#1803 )

2022-03-01 21:39:30 -03:00

network

[Rule Tuning] Switch "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet" to use KQL (#1651 )

2021-12-07 09:09:03 -03:00

promotions

[Rule Tuning] Bump max_signals on Endgame Promotion Rules (#1662 )

2021-12-14 11:52:12 -03:00

windows

[Rule Tuning] Symbolic Link to Shadow Copy Created (#1830 )

2022-03-18 11:08:29 -04:00

README.md

[New Rule] Endpoint Security Behavior Protection (#1440 )

2021-08-25 09:56:59 -06:00

README.md

rules/

Rules within this folder are organized by solution or platform. The structure is flattened out, because nested file hierarchies are hard to navigate and find what you're looking for. Each directory contains several .toml files, and the primary ATT&CK tactic is included in the file name when it's relevant (i.e. windows/execution_via_compiled_html_file.toml)

folder	description
`.`	Root directory where rules are stored
`apm/`	Rules that use Application Performance Monitoring (APM) data sources
`cross-platform/`	Rules that apply to multiple platforms, such as Windows and Linux
`integrations/`	Rules organized by Fleet integration
`linux/`	Rules for Linux or other Unix based operating systems
`macos/`	Rules for macOS
`ml/`	Rules that use machine learning jobs (ML)
`network/`	Rules that use network data sources
`promotions/`	Rules that promote external alerts into detection engine alerts
`windows/`	Rules for the Microsoft Windows Operating System

Integration specific rules are stored in the integrations/ directory:

folder	integration
`aws/`	Amazon Web Services (AWS)
`azure/`	Microsoft Azure
`cyberarkpas/`	Cyber Ark Privileged Access Security
`endpoint/`	Elastic Endpoint Security
`gcp/`	Google Cloud Platform (GCP)
`google_workspace/`	Google Workspace (formerly GSuite)
`o365/`	Microsoft Office
`okta/`	Oka