Files

T

shashank-elastic 283cbca702 find shell evasion threat(#1801 )

* new:rule:issue-1800 Adding new rule for find shell evasion

* new:rule:issue-1800 Adding new rule for find shell evasion

* new:rule:issue-1800 Adding new rule for find shell evasion

* Update rules/linux/privilege_escalation_find_binary.toml

* Update rules/linux/privilege_escalation_find_binary.toml

* new:rule:issue-1800 Adding Mittre Attack Techniques

* Update rules/linux/privilege_escalation_find_binary.toml

* Update rules/linux/privilege_escalation_find_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/privilege_escalation_find_binary.toml

* Update rules/linux/privilege_escalation_find_binary.toml

* Update rules/linux/privilege_escalation_find_binary.toml

* Update rules/linux/privilege_escalation_find_binary.toml

* new:rule:issue-1800 Review Comments

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

2022-03-02 22:00:29 +05:30

_deprecated

[Deprecate Rule] Threat Intel Filebeat Module (v7.x) Indicator Match (#1703 )

2022-01-25 16:46:49 -09:00

apm

[Rule tuning] Revise rule description and other text (#1398 )

2021-08-03 13:07:47 -08:00

cross-platform

[Security Content] Update rules based on docs review (#1803 )

2022-03-01 21:39:30 -03:00

integrations

Update impact_azure_service_principal_credentials_added.toml (#1802 )

2022-03-02 05:36:21 -03:00

linux

find shell evasion threat(#1801 )

2022-03-02 22:00:29 +05:30

macos

[Security Content] Update rules based on docs review (#1803 )

2022-03-01 21:39:30 -03:00

[Security Content] Update rules based on docs review (#1803 )

2022-03-01 21:39:30 -03:00

network

[Rule Tuning] Switch "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet" to use KQL (#1651 )

2021-12-07 09:09:03 -03:00

promotions

[Rule Tuning] Bump max_signals on Endgame Promotion Rules (#1662 )

2021-12-14 11:52:12 -03:00

windows

[New Rule] Registry Hive File Creation via SMB (#1779 )

2022-03-02 10:12:17 +01:00

README.md

[New Rule] Endpoint Security Behavior Protection (#1440 )

2021-08-25 09:56:59 -06:00

README.md

rules/

Rules within this folder are organized by solution or platform. The structure is flattened out, because nested file hierarchies are hard to navigate and find what you're looking for. Each directory contains several .toml files, and the primary ATT&CK tactic is included in the file name when it's relevant (i.e. windows/execution_via_compiled_html_file.toml)

folder	description
`.`	Root directory where rules are stored
`apm/`	Rules that use Application Performance Monitoring (APM) data sources
`cross-platform/`	Rules that apply to multiple platforms, such as Windows and Linux
`integrations/`	Rules organized by Fleet integration
`linux/`	Rules for Linux or other Unix based operating systems
`macos/`	Rules for macOS
`ml/`	Rules that use machine learning jobs (ML)
`network/`	Rules that use network data sources
`promotions/`	Rules that promote external alerts into detection engine alerts
`windows/`	Rules for the Microsoft Windows Operating System

Integration specific rules are stored in the integrations/ directory:

folder	integration
`aws/`	Amazon Web Services (AWS)
`azure/`	Microsoft Azure
`cyberarkpas/`	Cyber Ark Privileged Access Security
`endpoint/`	Elastic Endpoint Security
`gcp/`	Google Cloud Platform (GCP)
`google_workspace/`	Google Workspace (formerly GSuite)
`o365/`	Microsoft Office
`okta/`	Oka