David French
f438a222d5
* Add okta rule for policy modification/delete * Update rule name Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com> * Update rules/okta/okta_attempt_to_modify_or_delete_application_sign_on_policy.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Add event.module value to query * Update okta_attempt_to_modify_or_delete_application_sign_on_policy.toml Add event.category and event.type values to query * Update rules/okta/okta_attempt_to_modify_or_delete_application_sign_on_policy.toml Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
rules/
Rules within this folder are organized by solution or platform. The structure is flattened out, because nested file hierarchies are hard to navigate and find what you're looking for. Each directory contains several .toml files, and the primary ATT&CK tactic is included in the file name when it's relevant (i.e. windows/execution_via_compiled_html_file.toml)
| folder | description |
|---|---|
. |
Root directory where rules are stored |
apm/ |
Rules that use Application Performance Monitoring (APM) data sources |
aws/ |
Rules written for the Amazon Web Services (AWS) module of filebeat |
cross-platform/ |
Rules that apply to multiple platforms, such as Windows and Linux |
endpoint/ |
Rules specifically for Elastic Endpoint Security solution |
linux/ |
Rules for Linux or other Unix based operating systems |
macos/ |
Rules for macOS |
ml/ |
Rules that use machine learning jobs (ML) |
network/ |
Rules that use network data sources |
okta/ |
Rules written for the Okta module of filebeat |
windows/ |
Rules for the Microsoft Windows Operating System |