David French
cedb2e1289
* new-rule-azure-conditional-access-policy-modified * Update rules/azure/defense_evasion_azure_conditional_access_policy_modified.toml Update maturity to production Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/azure/defense_evasion_azure_conditional_access_policy_modified.toml * Update query to include result value * Update rules/azure/defense_evasion_azure_conditional_access_policy_modified.toml * Update query to search both the Azure audit logs and activity logs * Optimize formatting of query * Tweak consent grant attack rule Amending the query in rule, "Possible Consent Grant Attack via Azure-Registered Application" to search both the Azure activity and audit logs * Tweak formatting of query to improve Brent's happiness level Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
rules/
Rules within this folder are organized by solution or platform. The structure is flattened out, because nested file hierarchies are hard to navigate and find what you're looking for. Each directory contains several .toml files, and the primary ATT&CK tactic is included in the file name when it's relevant (i.e. windows/execution_via_compiled_html_file.toml)
| folder | description |
|---|---|
. |
Root directory where rules are stored |
apm/ |
Rules that use Application Performance Monitoring (APM) data sources |
aws/ |
Rules written for the Amazon Web Services (AWS) module of filebeat |
cross-platform/ |
Rules that apply to multiple platforms, such as Windows and Linux |
linux/ |
Rules for Linux or other Unix based operating systems |
macos/ |
Rules for macOS |
ml/ |
Rules that use machine learning jobs (ML) |
network/ |
Rules that use network data sources |
okta/ |
Rules written for the Okta module of filebeat |
promotions/ |
Rules that promote external alerts into detection engine alerts |
windows/ |
Rules for the Microsoft Windows Operating System |