835be9b245
* adding new LotL rules

* added endpoint tags; updated technique mapping

* added missing data source tag

* Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* updated note, references and date

* changed ATT&CK technique to binary proxy execution

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>