Files

T

Jonhnathan c2d1586270 [Rule Tuning] Windows BBR Promotion (#3577 )

* [Rule Tuning] Windows BBR Promotion

* Update non-ecs-schema.json

* Update persistence_netsh_helper_dll.toml

* Update persistence_werfault_reflectdebugger.toml

* Update privilege_escalation_unquoted_service_path.toml

* Update defense_evasion_msdt_suspicious_diagcab.toml

* Update defense_evasion_suspicious_msiexec_execution.toml

* Update discovery_security_software_wmic.toml

* Revert "Update defense_evasion_msdt_suspicious_diagcab.toml"

This reverts commit 0e1f3ea3e18a146c421a5bda784633cca4a2b0c0.

* Revert "Update defense_evasion_suspicious_msiexec_execution.toml"

This reverts commit 4e26a167774ad712d19334a4c2c712cc1d550e7f.

* Revert "Update discovery_security_software_wmic.toml"

This reverts commit d638cec354a46cacab1e62596f4ad939a1d9c32a.

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

2024-04-16 09:28:17 -03:00

_deprecated

[Rule Deprecation] Deprecate Remote File Creation on a Sensitive Directory (#3477 )

2024-04-01 11:01:20 -04:00

apm

[Security Content] Tags Reform (#2725 )

2023-06-22 18:38:56 -03:00

cross-platform

[Rule Deprecation] Deprecate Remote File Creation on a Sensitive Directory (#3477 )

2024-04-01 11:01:20 -04:00

integrations

Fix minstack version for O365 prod rules (#3565 )

2024-04-02 21:33:18 +05:30

linux

Add filebeat-* index pattern to rules based on system.auth dataset (#3561 )

2024-04-03 11:27:31 +02:00

macos

[Security Content] Small tweaks on the setup guides (#3308 )

2024-03-11 09:09:40 -03:00

Adding related integrations to ML rules (#2972 )

2023-08-22 14:39:18 -04:00

network

[Rule Tuning] SMTP on Port 26/TCP (#3521 )

2024-03-19 15:55:25 -05:00

promotions

[Rule Tuning] Update timestamp_override Unit Tests and Fix Rules Missing Field (#3368 )

2024-01-17 14:14:38 -05:00

windows

[Rule Tuning] Windows BBR Promotion (#3577 )

2024-04-16 09:28:17 -03:00

README.md

[New Rule] Endpoint Security Behavior Protection (#1440 )

2021-08-25 09:56:59 -06:00

README.md

rules/

Rules within this folder are organized by solution or platform. The structure is flattened out, because nested file hierarchies are hard to navigate and find what you're looking for. Each directory contains several .toml files, and the primary ATT&CK tactic is included in the file name when it's relevant (i.e. windows/execution_via_compiled_html_file.toml)

folder	description
`.`	Root directory where rules are stored
`apm/`	Rules that use Application Performance Monitoring (APM) data sources
`cross-platform/`	Rules that apply to multiple platforms, such as Windows and Linux
`integrations/`	Rules organized by Fleet integration
`linux/`	Rules for Linux or other Unix based operating systems
`macos/`	Rules for macOS
`ml/`	Rules that use machine learning jobs (ML)
`network/`	Rules that use network data sources
`promotions/`	Rules that promote external alerts into detection engine alerts
`windows/`	Rules for the Microsoft Windows Operating System

Integration specific rules are stored in the integrations/ directory:

folder	integration
`aws/`	Amazon Web Services (AWS)
`azure/`	Microsoft Azure
`cyberarkpas/`	Cyber Ark Privileged Access Security
`endpoint/`	Elastic Endpoint Security
`gcp/`	Google Cloud Platform (GCP)
`google_workspace/`	Google Workspace (formerly GSuite)
`o365/`	Microsoft Office
`okta/`	Oka