9387a081bc
* [Proposal] [DRAFT] Break Threat Intel Indicator Match rules into Indicator-type rules
* .
* Update threat_intel_indicator_match_hash.toml
* Update to include expiring rules, exclude expiring indexes
* .
* Apply suggestions from code review
* Push changes
* Update pyproject.toml
* Revert "Update pyproject.toml"
  This reverts commit 17cfafbd96f337df756d87909d2478545ac9efe7.
* Update pyproject.toml
* Update integration-schemas.json.gz
* Revert "Update integration-schemas.json.gz"
  This reverts commit 7dc19b7ccbf41f34b94d02b0ed702bd83df82f9d.
* Revert integrations-manifests to the one from main
* Fix maturity
* Update Name
* Update ignore_ids with the indicator rules guid
* Update rules/cross-platform/threat_intel_indicator_match_registry_expiring.toml
* Update rules/cross-platform/threat_intel_indicator_match_address_expiring.toml
* Update rules/cross-platform/threat_intel_indicator_match_hash_expiring.toml
* Update rules/cross-platform/threat_intel_indicator_match_url_expiring.toml
* Make changes to use labels
* Update non-ecs-schema.json
* Update rules/cross-platform/threat_intel_fleet_integrations.toml
* Apply suggestions from code review
* Backport to 8.5
* [Security Content] Add Investigation Guides to Threat Intel rules
* Fix Rule threat filters, add tags, and compatibility with process and dll fields for hash indicators
* Update threat_intel_indicator_match_hash.toml
* Update threat_intel_indicator_match_url.toml
* Update threat_intel_indicator_match_url.toml
* Apply suggestions from review, adds Setup guide
* Apply suggestions from code review

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

--------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
rules/
Rules within this folder are organized by solution or platform. The structure is kept flat, because nested file hierarchies are hard to navigate and make it harder to find what you're looking for. Each directory contains several .toml files, and the primary ATT&CK tactic is included in the file name when it's relevant (e.g. windows/execution_via_compiled_html_file.toml).
| folder | description |
|---|---|
| . | Root directory where rules are stored |
| apm/ | Rules that use Application Performance Monitoring (APM) data sources |
| cross-platform/ | Rules that apply to multiple platforms, such as Windows and Linux |
| integrations/ | Rules organized by Fleet integration |
| linux/ | Rules for Linux or other Unix-based operating systems |
| macos/ | Rules for macOS |
| ml/ | Rules that use machine learning (ML) jobs |
| network/ | Rules that use network data sources |
| promotions/ | Rules that promote external alerts into detection engine alerts |
| windows/ | Rules for the Microsoft Windows operating system |
Integration-specific rules are stored in the integrations/ directory:

| folder | integration |
|---|---|
| aws/ | Amazon Web Services (AWS) |
| azure/ | Microsoft Azure |
| cyberarkpas/ | CyberArk Privileged Access Security |
| endpoint/ | Elastic Endpoint Security |
| gcp/ | Google Cloud Platform (GCP) |
| google_workspace/ | Google Workspace (formerly G Suite) |
| o365/ | Microsoft Office 365 |
| okta/ | Okta |
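The layout convention above (flat platform folders, `integrations/<integration>/` one level deeper, `.toml` rule files that may lead with an ATT&CK tactic) is easy to drift from as rules are added. The following is an added example of a layout lint, not code from the detection-rules project: it uses only the folder names listed in the two tables and the naming convention stated above. The tactic list is an assumption of this example (the README does not enumerate tactics), and the sample tree it builds is constructed here, not copied from the repository.

```python
"""Lint a rules/ tree against the flattened layout described in this README.

Added example, not part of the detection-rules project. Folder names come
from the README tables; the TACTICS set and the sample tree are assumptions
constructed for this example.
"""
from pathlib import Path
import tempfile

# Top-level folders from the first table (rule files sit directly inside).
PLATFORM_DIRS = {
    "apm", "cross-platform", "integrations", "linux", "macos",
    "ml", "network", "promotions", "windows",
}
# Subfolders of integrations/ from the second table.
INTEGRATION_DIRS = {
    "aws", "azure", "cyberarkpas", "endpoint", "gcp",
    "google_workspace", "o365", "okta",
}
# ATT&CK Enterprise tactics spelled the way the README's example file name
# spells them (lowercase, underscores). Assumed by this example, not listed
# in the README.
TACTICS = {
    "reconnaissance", "resource_development", "initial_access", "execution",
    "persistence", "privilege_escalation", "defense_evasion",
    "credential_access", "discovery", "lateral_movement", "collection",
    "command_and_control", "exfiltration", "impact",
}


def tactic_prefix(filename):
    """Return the ATT&CK tactic a rule file name leads with, or None."""
    stem = Path(filename).stem
    # Longest tactic first, so 'privilege_escalation_x' is matched whole.
    for tactic in sorted(TACTICS, key=len, reverse=True):
        if stem == tactic or stem.startswith(tactic + "_"):
            return tactic
    return None


def lint_rules_tree(root):
    """Return a list of layout violations found under root (empty if clean)."""
    root = Path(root)
    problems = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root)
        name = rel.as_posix()
        parts = rel.parts
        if name == "README.md":
            continue
        if path.suffix != ".toml":
            problems.append(f"{name}: rules must be .toml files")
            continue
        if len(parts) == 1:
            problems.append(f"{name}: rule file in the root, expected a platform folder")
            continue
        top = parts[0]
        if top not in PLATFORM_DIRS:
            problems.append(f"{name}: unknown top-level folder {top!r}")
            continue
        if top == "integrations":
            if len(parts) != 3:
                problems.append(f"{name}: expected integrations/<integration>/<rule>.toml")
            elif parts[1] not in INTEGRATION_DIRS:
                problems.append(f"{name}: unknown integration folder {parts[1]!r}")
        elif len(parts) != 2:
            problems.append(f"{name}: nested folders are not allowed under {top}/")
    return problems


def build_sample_tree():
    """Create a constructed sample rules/ tree (not the real repo); return its path."""
    root = Path(tempfile.mkdtemp(prefix="rules_"))
    files = [
        "README.md",
        "windows/execution_via_compiled_html_file.toml",            # ok: README's example
        "cross-platform/threat_intel_indicator_match_hash.toml",    # ok: no tactic prefix
        "integrations/okta/persistence_sample_policy_change.toml",  # ok: constructed name
        "linux/nested/execution_sample.toml",                       # bad: nested folder
        "integrations/notreal/defense_evasion_sample.toml",         # bad: unknown integration
        "windows/notes.txt",                                        # bad: not a .toml file
        "execution_orphan.toml",                                    # bad: sits in the root
    ]
    for rel in files:
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text("")  # contents are irrelevant to a layout lint
    return root


if __name__ == "__main__":
    for problem in lint_rules_tree(build_sample_tree()):
        print(problem)
```

Running the module prints the four violations in the constructed tree. Pointing `lint_rules_tree` at a real checkout of `rules/` is a cheap CI gate for the flat-layout rule; extend `PLATFORM_DIRS` and `INTEGRATION_DIRS` when the tables above grow.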