Files

T

Samirbous 30883ab9c0 [New] React2Shell Network Security Alert (#5445 )

* [New] React2Shell Network Security Alert

KQL query that reports network security signatures for React2Shell from 4 integrations (Suricata, Fortigate, Cisco FTD and PANW).

* Update initial_access_react_server_rce_network_alerts.toml

* cisco_ftd schema

 build-schemas -i cisco_ftd

* Update initial_access_react_server_rce_network_alerts.toml

* Update pyproject.toml

* Update rules/network/initial_access_react_server_rce_network_alerts.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Update pyproject.toml

* Revert "cisco_ftd schema"

This reverts commit c97cf58b2180b3c13c29e3901b2a03bfd12463a2.

* cisco_ftd schema and manifest

* Update pyproject.toml

* Revert "cisco_ftd schema and manifest"

This reverts commit ff2200f70f0e0cf94864c49fe8e8a13fda930bc9.

* Revert "Update pyproject.toml"

This reverts commit d382fcdaaa992cac2d4370f5656f81c530b6ec5a.

* Reapply "cisco_ftd schema"

This reverts commit 1494d4aa3e4f07cebd448fcc2597b4c836a989db.

* Revert "Update pyproject.toml"

This reverts commit 39e1f5e9e34cc0500bd82bc4662ece259a5234ba.

* Revert "cisco_ftd schema"

This reverts commit c97cf58b2180b3c13c29e3901b2a03bfd12463a2.

* ++

* Update pyproject.toml

* integration_cisco_ftd

---------

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

2025-12-19 12:22:44 +00:00

_deprecated

[Deprecation] Deprecated - AWS Root Login Without MFA (#5351 )

2025-11-24 10:01:40 -05:00

apm

[FR] Generate investigation guides (#4358 )

2025-01-22 11:17:38 -06:00

cross-platform

[New] Suricata and Elastic Defend Network Correlation (#5443 )

2025-12-19 09:08:31 +00:00

integrations

[Rule Tuning] Entra ID User Sign-in with Unusual Client (#5473 )

2025-12-18 20:04:11 -05:00

linux

[Tuning] Diverse Rules Tuning (#5482 )

2025-12-18 15:30:12 +00:00

macos

Update command_and_control_unusual_network_connection_to_suspicious_web_service.toml (#5008 )

2025-08-26 13:03:59 +01:00

add mitre attack rules for ML job rules, bump dates (#5333 )

2025-12-01 15:48:59 -06:00

network

[New] React2Shell Network Security Alert (#5445 )

2025-12-19 12:22:44 +00:00

promotions

[Rule Tuning] Remove New Wiz Defend Rule (Add Wiz Defend to External Alerts) (#5422 )

2025-12-08 22:24:22 +05:30

threat_intel

[Rule Tuning] Reduce Severity from Critical to High (#4637 )

2025-05-06 21:37:47 +05:30

windows

[Tuning] Diverse Rules Tuning (#5482 )

2025-12-18 15:30:12 +00:00

README.md

[New Rule] Endpoint Security Behavior Protection (#1440 )

2021-08-25 09:56:59 -06:00

README.md

rules/

Rules within this folder are organized by solution or platform. The structure is flattened out, because nested file hierarchies are hard to navigate and find what you're looking for. Each directory contains several .toml files, and the primary ATT&CK tactic is included in the file name when it's relevant (i.e. windows/execution_via_compiled_html_file.toml)

folder	description
`.`	Root directory where rules are stored
`apm/`	Rules that use Application Performance Monitoring (APM) data sources
`cross-platform/`	Rules that apply to multiple platforms, such as Windows and Linux
`integrations/`	Rules organized by Fleet integration
`linux/`	Rules for Linux or other Unix based operating systems
`macos/`	Rules for macOS
`ml/`	Rules that use machine learning jobs (ML)
`network/`	Rules that use network data sources
`promotions/`	Rules that promote external alerts into detection engine alerts
`windows/`	Rules for the Microsoft Windows Operating System

Integration specific rules are stored in the integrations/ directory:

folder	integration
`aws/`	Amazon Web Services (AWS)
`azure/`	Microsoft Azure
`cyberarkpas/`	Cyber Ark Privileged Access Security
`endpoint/`	Elastic Endpoint Security
`gcp/`	Google Cloud Platform (GCP)
`google_workspace/`	Google Workspace (formerly GSuite)
`o365/`	Microsoft Office
`okta/`	Oka