Files

T

Isai 5fd155849e [New Rule] File Made Executable via Chmod Inside A Container (#2757 )

* [New Rule] File Made Executable via Chmod Inside A Container

new rule

* edit threat matrix urls

add final / to reference urls

* Apply suggestions from code review

removed unused fields, adjust from field for readability

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>

* Update execution_file_made_executable_via_chmod_inside_a_container.toml

rule query change to remove exclusion and add more common chmod executable patterns, nit review comments, additional tactic, technique and subtechnique

* Update execution_file_made_executable_via_chmod_inside_a_container.toml

added Defense Evasion tag

* Update execution_file_made_executable_via_chmod_inside_a_container.toml

* Update execution_file_made_executable_via_chmod_inside_a_container.toml

adjusted tags

* Update execution_file_made_executable_via_chmod_inside_a_container.toml

changed rule type to file instead of process to eliminate false positive results from adding the number modification parts of the query

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

2023-05-16 15:15:49 -04:00

_deprecated

[Rule Tuning] Potential Shell via Web Server (#2585 )

2023-05-05 09:47:49 +02:00

apm

[FR] Add Endpoint, APM and Windows Integration Tags to Rules and Supportability (#2429 )

2023-01-04 09:30:07 -05:00

cross-platform

[rule tuning] modified std auth module or config (#2737 )

2023-05-03 09:32:33 +02:00

integrations

[New Rule] File Made Executable via Chmod Inside A Container (#2757 )

2023-05-16 15:15:49 -04:00

linux

[New Rules] Ransomware Encryption & Note Creation (#2652 )

2023-05-16 11:30:00 +02:00

macos

[Rule Tuning] Ensure host information is in endpoint rule queries (#2593 )

2023-03-05 11:41:19 -07:00

Updating some rule names (#2744 )

2023-04-25 09:01:06 -03:00

network

[Rule Tuning] Ensure host information is in endpoint rule queries (#2593 )

2023-03-05 11:41:19 -07:00

promotions

[New Rule] new CWP rule to surface alerts from the cloud_defend integration (#2679 )

2023-04-05 21:31:03 -03:00

windows

[Rule Tuning] Make Rules Compatible with Windows Forwarded Logs (#2761 )

2023-05-15 20:31:59 -03:00

README.md

[New Rule] Endpoint Security Behavior Protection (#1440 )

2021-08-25 09:56:59 -06:00

README.md

rules/

Rules within this folder are organized by solution or platform. The structure is flattened out, because nested file hierarchies are hard to navigate and find what you're looking for. Each directory contains several .toml files, and the primary ATT&CK tactic is included in the file name when it's relevant (i.e. windows/execution_via_compiled_html_file.toml)

folder	description
`.`	Root directory where rules are stored
`apm/`	Rules that use Application Performance Monitoring (APM) data sources
`cross-platform/`	Rules that apply to multiple platforms, such as Windows and Linux
`integrations/`	Rules organized by Fleet integration
`linux/`	Rules for Linux or other Unix based operating systems
`macos/`	Rules for macOS
`ml/`	Rules that use machine learning jobs (ML)
`network/`	Rules that use network data sources
`promotions/`	Rules that promote external alerts into detection engine alerts
`windows/`	Rules for the Microsoft Windows Operating System

Integration specific rules are stored in the integrations/ directory:

folder	integration
`aws/`	Amazon Web Services (AWS)
`azure/`	Microsoft Azure
`cyberarkpas/`	Cyber Ark Privileged Access Security
`endpoint/`	Elastic Endpoint Security
`gcp/`	Google Cloud Platform (GCP)
`google_workspace/`	Google Workspace (formerly GSuite)
`o365/`	Microsoft Office
`okta/`	Oka