Isai
442435830f
* [New Rules] UEBA GItHub BBRs and Rules A new set of BBRs and rules that will be used to trigger new UEBA GitHub threshold Rules. * Update rules/integrations/github/impact_github_member_removed_from_organization.toml * Apply suggestions from code review Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> * edited BBR rules -removed newly added member rule * updated integration manifests and schemas * Updated min_stack for some rules based on newest GitHub integration schema manifest * testing min_stack bump to 8.8 for new fields * removing offending rule to troubleshoot seperately * added UEBA tags and created UEBA threshold rule * updated non-ecs-schema to add signal.rule.tags * updated non-ecs-schema with kibana.alert.workflow_status * updated rule.threat.tactic * added user.name to non-ecs-schema * added quotes to kibana.alert.workflow_status value * removed trailing space from rule name * update tags and optimize query for UEBA threshold rule * removed integration field from Higher-Order rule * Apply suggestions from code review Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> * adjusted new_terms order and rule types based on review feedback * Apply suggestions from code review Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> * remove user.name from detection_rules/etc/non-ecs-schema.json * fix json formatting --------- Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
rules/
Rules within this folder are organized by solution or platform. The structure is flattened out, because nested file hierarchies are hard to navigate and find what you're looking for. Each directory contains several .toml files, and the primary ATT&CK tactic is included in the file name when it's relevant (i.e. windows/execution_via_compiled_html_file.toml)
| folder | description |
|---|---|
. |
Root directory where rules are stored |
apm/ |
Rules that use Application Performance Monitoring (APM) data sources |
cross-platform/ |
Rules that apply to multiple platforms, such as Windows and Linux |
integrations/ |
Rules organized by Fleet integration |
linux/ |
Rules for Linux or other Unix based operating systems |
macos/ |
Rules for macOS |
ml/ |
Rules that use machine learning jobs (ML) |
network/ |
Rules that use network data sources |
promotions/ |
Rules that promote external alerts into detection engine alerts |
windows/ |
Rules for the Microsoft Windows Operating System |
Integration specific rules are stored in the integrations/ directory:
| folder | integration |
|---|---|
aws/ |
Amazon Web Services (AWS) |
azure/ |
Microsoft Azure |
cyberarkpas/ |
Cyber Ark Privileged Access Security |
endpoint/ |
Elastic Endpoint Security |
gcp/ |
Google Cloud Platform (GCP) |
google_workspace/ |
Google Workspace (formerly GSuite) |
o365/ |
Microsoft Office |
okta/ |
Oka |