Samirbous
9792d967d7
* [Rule Tuning] 5 rules * [Rule Tuning] Converted two IIS CredAccess rules to EQL * Update rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/credential_access_iis_connectionstrings_dumping.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/defense_evasion_masquerading_renamed_autoit.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/defense_evasion_suspicious_zoom_child_process.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/evasion_rundll32_no_arguments.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * deleted. rule looks incompatible with endpoint * fixing units testing error * Update credential_access_iis_apppoolsa_pwd_appcmd.toml * Update rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * desc * fixed tags duplicate * ecs_version * ecs_version * ecs_version * ecs_version * ecs_version * ecs_version * Update rules/windows/defense_evasion_masquerading_renamed_autoit.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/windows/defense_evasion_suspicious_zoom_child_process.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update defense_evasion_rundll32_no_arguments.toml * adjusted process args count to 1 adjusted process args count to 1 to account for winlogbeat Windows process creation events 4688 with missing cmdline value (avoid FPs). Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
rules/
Rules within this folder are organized by solution or platform. The structure is flattened out, because nested file hierarchies are hard to navigate and find what you're looking for. Each directory contains several .toml files, and the primary ATT&CK tactic is included in the file name when it's relevant (i.e. windows/execution_via_compiled_html_file.toml)
| folder | description |
|---|---|
. |
Root directory where rules are stored |
apm/ |
Rules that use Application Performance Monitoring (APM) data sources |
aws/ |
Rules written for the Amazon Web Services (AWS) module of filebeat |
cross-platform/ |
Rules that apply to multiple platforms, such as Windows and Linux |
linux/ |
Rules for Linux or other Unix based operating systems |
macos/ |
Rules for macOS |
ml/ |
Rules that use machine learning jobs (ML) |
network/ |
Rules that use network data sources |
okta/ |
Rules written for the Okta module of filebeat |
promotions/ |
Rules that promote external alerts into detection engine alerts |
windows/ |
Rules for the Microsoft Windows Operating System |