min_stack all rules to 8.3 #2259
Merged
Conversation
Mikaayenson (Contributor) reviewed on Aug 24, 2022 and left a comment:
The updated dates should be bumped.
Mikaayenson (Contributor) approved these changes on Aug 24, 2022 and left a comment:
LGTM
terrancedejesus approved these changes on Aug 24, 2022.
protectionsmachine pushed a commit that referenced this pull request on Aug 24, 2022:
* min_stack all rules to 8.3
* bump date

Co-authored-by: Mika Ayenson <mika.ayenson@elastic.co>

Removed changes from:
rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml - rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml - rules/windows/defense_evasion_execution_lolbas_wuauclt.toml - rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml - rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml - rules/windows/defense_evasion_execution_msbuild_started_renamed.toml - rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml - rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml - rules/windows/defense_evasion_execution_windefend_unusual_path.toml - rules/windows/defense_evasion_file_creation_mult_extension.toml - rules/windows/defense_evasion_from_unusual_directory.toml - rules/windows/defense_evasion_hide_encoded_executable_registry.toml - rules/windows/defense_evasion_iis_httplogging_disabled.toml - rules/windows/defense_evasion_injection_msbuild.toml - rules/windows/defense_evasion_installutil_beacon.toml - rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml - rules/windows/defense_evasion_masquerading_renamed_autoit.toml - rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml - rules/windows/defense_evasion_masquerading_trusted_directory.toml - rules/windows/defense_evasion_masquerading_werfault.toml - rules/windows/defense_evasion_microsoft_defender_tampering.toml - rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml - rules/windows/defense_evasion_ms_office_suspicious_regmod.toml - rules/windows/defense_evasion_msbuild_making_network_connections.toml - rules/windows/defense_evasion_mshta_beacon.toml - rules/windows/defense_evasion_msxsl_network.toml - rules/windows/defense_evasion_network_connection_from_windows_binary.toml - rules/windows/defense_evasion_parent_process_pid_spoofing.toml - 
rules/windows/defense_evasion_posh_assembly_load.toml - rules/windows/defense_evasion_posh_compressed.toml - rules/windows/defense_evasion_posh_process_injection.toml - rules/windows/defense_evasion_potential_processherpaderping.toml - rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml - rules/windows/defense_evasion_process_termination_followed_by_deletion.toml - rules/windows/defense_evasion_proxy_execution_via_msdt.toml - rules/windows/defense_evasion_rundll32_no_arguments.toml - rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml - rules/windows/defense_evasion_sdelete_like_filename_rename.toml - rules/windows/defense_evasion_sip_provider_mod.toml - rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml - rules/windows/defense_evasion_suspicious_certutil_commands.toml - rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml - rules/windows/defense_evasion_suspicious_managedcode_host_process.toml - rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml - rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml - rules/windows/defense_evasion_suspicious_scrobj_load.toml - rules/windows/defense_evasion_suspicious_short_program_name.toml - rules/windows/defense_evasion_suspicious_wmi_script.toml - rules/windows/defense_evasion_suspicious_zoom_child_process.toml - rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml - rules/windows/defense_evasion_unusual_ads_file_creation.toml - rules/windows/defense_evasion_unusual_dir_ads.toml - rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml - rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml - rules/windows/defense_evasion_unusual_process_network_connection.toml - rules/windows/defense_evasion_unusual_system_vp_child_program.toml - rules/windows/defense_evasion_via_filter_manager.toml - 
rules/windows/defense_evasion_workfolders_control_execution.toml - rules/windows/discovery_adfind_command_activity.toml - rules/windows/discovery_admin_recon.toml - rules/windows/discovery_command_system_account.toml - rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml - rules/windows/discovery_net_view.toml - rules/windows/discovery_peripheral_device.toml - rules/windows/discovery_posh_suspicious_api_functions.toml - rules/windows/discovery_post_exploitation_external_ip_lookup.toml - rules/windows/discovery_privileged_localgroup_membership.toml - rules/windows/discovery_remote_system_discovery_commands_windows.toml - rules/windows/discovery_security_software_wmic.toml - rules/windows/discovery_whoami_command_activity.toml - rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml - rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml - rules/windows/execution_com_object_xwizard.toml - rules/windows/execution_command_prompt_connecting_to_the_internet.toml - rules/windows/execution_command_shell_started_by_svchost.toml - rules/windows/execution_command_shell_started_by_unusual_process.toml - rules/windows/execution_command_shell_via_rundll32.toml - rules/windows/execution_enumeration_via_wmiprvse.toml - rules/windows/execution_from_unusual_path_cmdline.toml - rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml - rules/windows/execution_ms_office_written_file.toml - rules/windows/execution_pdf_written_file.toml - rules/windows/execution_posh_portable_executable.toml - rules/windows/execution_posh_psreflect.toml - rules/windows/execution_psexec_lateral_movement_command.toml - rules/windows/execution_register_server_program_connecting_to_the_internet.toml - rules/windows/execution_scheduled_task_powershell_source.toml - rules/windows/execution_shared_modules_local_sxs_dll.toml - rules/windows/execution_suspicious_cmd_wmi.toml - 
rules/windows/execution_suspicious_image_load_wmi_ms_office.toml - rules/windows/execution_suspicious_pdf_reader.toml - rules/windows/execution_suspicious_powershell_imgload.toml - rules/windows/execution_suspicious_psexesvc.toml - rules/windows/execution_via_compiled_html_file.toml - rules/windows/execution_via_hidden_shell_conhost.toml - rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml - rules/windows/impact_backup_file_deletion.toml - rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml - rules/windows/impact_modification_of_boot_config.toml - rules/windows/impact_stop_process_service_threshold.toml - rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml - rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml - rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml - rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml - rules/windows/initial_access_script_executing_powershell.toml - rules/windows/initial_access_scripts_process_started_via_wmi.toml - rules/windows/initial_access_suspicious_ms_exchange_files.toml - rules/windows/initial_access_suspicious_ms_exchange_process.toml - rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml - rules/windows/initial_access_suspicious_ms_office_child_process.toml - rules/windows/initial_access_suspicious_ms_outlook_child_process.toml - rules/windows/initial_access_unusual_dns_service_children.toml - rules/windows/initial_access_unusual_dns_service_file_writes.toml - rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml - rules/windows/lateral_movement_cmd_service.toml - rules/windows/lateral_movement_dcom_hta.toml - rules/windows/lateral_movement_dcom_mmc20.toml - rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml - rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml - 
rules/windows/lateral_movement_direct_outbound_smb_connection.toml - rules/windows/lateral_movement_dns_server_overflow.toml - rules/windows/lateral_movement_evasion_rdp_shadowing.toml - rules/windows/lateral_movement_executable_tool_transfer_smb.toml - rules/windows/lateral_movement_execution_from_tsclient_mup.toml - rules/windows/lateral_movement_execution_via_file_shares_sequence.toml - rules/windows/lateral_movement_incoming_winrm_shell_execution.toml - rules/windows/lateral_movement_incoming_wmi.toml - rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml - rules/windows/lateral_movement_powershell_remoting_target.toml - rules/windows/lateral_movement_rdp_enabled_registry.toml - rules/windows/lateral_movement_rdp_sharprdp_target.toml - rules/windows/lateral_movement_remote_file_copy_hidden_share.toml - rules/windows/lateral_movement_remote_services.toml - rules/windows/lateral_movement_scheduled_task_target.toml - rules/windows/lateral_movement_service_control_spawned_script_int.toml - rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml - rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml - rules/windows/persistence_ad_adminsdholder.toml - rules/windows/persistence_adobe_hijack_persistence.toml - rules/windows/persistence_app_compat_shim.toml - rules/windows/persistence_appcertdlls_registry.toml - rules/windows/persistence_appinitdlls_registry.toml - rules/windows/persistence_dontexpirepasswd_account.toml - rules/windows/persistence_evasion_hidden_local_account_creation.toml - rules/windows/persistence_evasion_registry_ifeo_injection.toml - rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml - rules/windows/persistence_gpo_schtask_service_creation.toml - rules/windows/persistence_local_scheduled_job_creation.toml - rules/windows/persistence_local_scheduled_task_creation.toml - rules/windows/persistence_local_scheduled_task_scripting.toml - rules/windows/persistence_ms_office_addins_file.toml 
- rules/windows/persistence_ms_outlook_vba_template.toml - rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml - rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml - rules/windows/persistence_priv_escalation_via_accessibility_features.toml - rules/windows/persistence_registry_uncommon.toml - rules/windows/persistence_remote_password_reset.toml - rules/windows/persistence_run_key_and_startup_broad.toml - rules/windows/persistence_runtime_run_key_startup_susp_procs.toml - rules/windows/persistence_sdprop_exclusion_dsheuristics.toml - rules/windows/persistence_services_registry.toml - rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml - rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml - rules/windows/persistence_startup_folder_scripts.toml - rules/windows/persistence_suspicious_com_hijack_registry.toml - rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml - rules/windows/persistence_suspicious_scheduled_task_runtime.toml - rules/windows/persistence_suspicious_service_created_registry.toml - rules/windows/persistence_system_shells_via_services.toml - rules/windows/persistence_time_provider_mod.toml - rules/windows/persistence_user_account_added_to_privileged_group_ad.toml - rules/windows/persistence_user_account_creation.toml - rules/windows/persistence_via_application_shimming.toml - rules/windows/persistence_via_bits_job_notify_command.toml - rules/windows/persistence_via_hidden_run_key_valuename.toml - rules/windows/persistence_via_lsa_security_support_provider_registry.toml - rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml - rules/windows/persistence_via_update_orchestrator_service_hijack.toml - rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml - rules/windows/persistence_via_wmi_stdregprov_run_services.toml - rules/windows/persistence_webshell_detection.toml - 
rules/windows/privilege_escalation_disable_uac_registry.toml - rules/windows/privilege_escalation_group_policy_iniscript.toml - rules/windows/privilege_escalation_group_policy_privileged_groups.toml - rules/windows/privilege_escalation_group_policy_scheduled_task.toml - rules/windows/privilege_escalation_installertakeover.toml - rules/windows/privilege_escalation_krbrelayup_service_creation.toml - rules/windows/privilege_escalation_lsa_auth_package.toml - rules/windows/privilege_escalation_named_pipe_impersonation.toml - rules/windows/privilege_escalation_persistence_phantom_dll.toml - rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml - rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml - rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml - rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml - rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml - rules/windows/privilege_escalation_rogue_windir_environment_var.toml - rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml - rules/windows/privilege_escalation_suspicious_dnshostname_update.toml - rules/windows/privilege_escalation_uac_bypass_com_clipup.toml - rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml - rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml - rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml - rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml - rules/windows/privilege_escalation_uac_bypass_event_viewer.toml - rules/windows/privilege_escalation_uac_bypass_mock_windir.toml - rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml - rules/windows/privilege_escalation_unusual_parentchild_relationship.toml - rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml - rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml - 
rules/windows/privilege_escalation_via_rogue_named_pipe.toml - rules/windows/privilege_escalation_windows_service_via_unusual_client.toml (selectively cherry picked from commit 46d5e37)
protectionsmachine pushed a commit that referenced this pull request Aug 24, 2022
* min_stack all rules to 8.3 * bump date Co-authored-by: Mika Ayenson <mika.ayenson@elastic.co> Removed changes from: - rules/apm/apm_403_response_to_a_post.toml - rules/apm/apm_405_response_method_not_allowed.toml - rules/apm/apm_null_user_agent.toml - rules/apm/apm_sqlmap_user_agent.toml - rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml - rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml - rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml - rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml - rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml - rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml - rules/cross-platform/defense_evasion_timestomp_touch.toml - rules/cross-platform/discovery_security_software_grep.toml - rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml - rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml - rules/cross-platform/execution_revershell_via_shell_cmd.toml - rules/cross-platform/execution_suspicious_jar_child_process.toml - rules/cross-platform/execution_suspicious_java_netcon_childproc.toml - rules/cross-platform/impact_hosts_file_modified.toml - rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml - rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml - rules/cross-platform/persistence_shell_profile_modification.toml - rules/cross-platform/persistence_ssh_authorized_keys_modification.toml - rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml - rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml - rules/cross-platform/privilege_escalation_sudo_buffer_overflow.toml - rules/cross-platform/privilege_escalation_sudoers_file_mod.toml - rules/cross-platform/threat_intel_filebeat8x.toml - rules/cross-platform/threat_intel_fleet_integrations.toml - 
rules/integrations/aws/collection_cloudtrail_logging_created.toml - rules/integrations/aws/credential_access_aws_iam_assume_role_brute_force.toml - rules/integrations/aws/credential_access_iam_user_addition_to_group.toml - rules/integrations/aws/credential_access_root_console_failure_brute_force.toml - rules/integrations/aws/credential_access_secretsmanager_getsecretvalue.toml - rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml - rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml - rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml - rules/integrations/aws/defense_evasion_config_service_rule_deletion.toml - rules/integrations/aws/defense_evasion_configuration_recorder_stopped.toml - rules/integrations/aws/defense_evasion_ec2_flow_log_deletion.toml - rules/integrations/aws/defense_evasion_ec2_network_acl_deletion.toml - rules/integrations/aws/defense_evasion_elasticache_security_group_creation.toml - rules/integrations/aws/defense_evasion_elasticache_security_group_modified_or_deleted.toml - rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml - rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml - rules/integrations/aws/defense_evasion_waf_acl_deletion.toml - rules/integrations/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml - rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml - rules/integrations/aws/exfiltration_ec2_snapshot_change_activity.toml - rules/integrations/aws/exfiltration_ec2_vm_export_failure.toml - rules/integrations/aws/exfiltration_rds_snapshot_export.toml - rules/integrations/aws/exfiltration_rds_snapshot_restored.toml - rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml - rules/integrations/aws/impact_cloudtrail_logging_updated.toml - rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml - rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml - 
rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml - rules/integrations/aws/impact_efs_filesystem_or_mount_deleted.toml - rules/integrations/aws/impact_iam_deactivate_mfa_device.toml - rules/integrations/aws/impact_iam_group_deletion.toml - rules/integrations/aws/impact_rds_group_deletion.toml - rules/integrations/aws/impact_rds_instance_cluster_deletion.toml - rules/integrations/aws/impact_rds_instance_cluster_stoppage.toml - rules/integrations/aws/initial_access_console_login_root.toml - rules/integrations/aws/initial_access_password_recovery.toml - rules/integrations/aws/initial_access_via_system_manager.toml - rules/integrations/aws/ml_cloudtrail_error_message_spike.toml - rules/integrations/aws/ml_cloudtrail_rare_error_code.toml - rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml - rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml - rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml - rules/integrations/aws/persistence_ec2_network_acl_creation.toml - rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml - rules/integrations/aws/persistence_iam_group_creation.toml - rules/integrations/aws/persistence_rds_cluster_creation.toml - rules/integrations/aws/persistence_rds_group_creation.toml - rules/integrations/aws/persistence_rds_instance_creation.toml - rules/integrations/aws/persistence_redshift_instance_creation.toml - rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml - rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml - rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml - rules/integrations/aws/persistence_route_table_created.toml - rules/integrations/aws/persistence_route_table_modified_or_deleted.toml - rules/integrations/aws/privilege_escalation_aws_suspicious_saml_activity.toml - rules/integrations/aws/privilege_escalation_root_login_without_mfa.toml - 
rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml - rules/integrations/aws/privilege_escalation_sts_getsessiontoken_abuse.toml - rules/integrations/aws/privilege_escalation_updateassumerolepolicy.toml - rules/integrations/azure/collection_update_event_hub_auth_rule.toml - rules/integrations/azure/credential_access_azure_full_network_packet_capture_detected.toml - rules/integrations/azure/credential_access_key_vault_modified.toml - rules/integrations/azure/credential_access_storage_account_key_regenerated.toml - rules/integrations/azure/defense_evasion_azure_application_credential_modification.toml - rules/integrations/azure/defense_evasion_azure_automation_runbook_deleted.toml - rules/integrations/azure/defense_evasion_azure_blob_permissions_modified.toml - rules/integrations/azure/defense_evasion_azure_diagnostic_settings_deletion.toml - rules/integrations/azure/defense_evasion_azure_service_principal_addition.toml - rules/integrations/azure/defense_evasion_event_hub_deletion.toml - rules/integrations/azure/defense_evasion_firewall_policy_deletion.toml - rules/integrations/azure/defense_evasion_frontdoor_firewall_policy_deletion.toml - rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml - rules/integrations/azure/defense_evasion_network_watcher_deletion.toml - rules/integrations/azure/defense_evasion_suppression_rule_created.toml - rules/integrations/azure/discovery_blob_container_access_mod.toml - rules/integrations/azure/execution_command_virtual_machine.toml - rules/integrations/azure/impact_azure_service_principal_credentials_added.toml - rules/integrations/azure/impact_kubernetes_pod_deleted.toml - rules/integrations/azure/impact_resource_group_deletion.toml - rules/integrations/azure/impact_virtual_network_device_modified.toml - rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin.toml - rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml - 
rules/integrations/azure/initial_access_azure_active_directory_powershell_signin.toml - rules/integrations/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml - rules/integrations/azure/initial_access_external_guest_user_invite.toml - rules/integrations/azure/persistence_azure_automation_account_created.toml - rules/integrations/azure/persistence_azure_automation_runbook_created_or_modified.toml - rules/integrations/azure/persistence_azure_automation_webhook_created.toml - rules/integrations/azure/persistence_azure_conditional_access_policy_modified.toml - rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml - rules/integrations/azure/persistence_azure_pim_user_added_global_admin.toml - rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml - rules/integrations/azure/persistence_mfa_disabled_for_azure_user.toml - rules/integrations/azure/persistence_user_added_as_owner_for_azure_application.toml - rules/integrations/azure/persistence_user_added_as_owner_for_azure_service_principal.toml - rules/integrations/azure/privilege_escalation_azure_kubernetes_rolebinding_created.toml - rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml - rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml - rules/integrations/endpoint/elastic_endpoint_security.toml - rules/integrations/gcp/collection_gcp_pub_sub_subscription_creation.toml - rules/integrations/gcp/collection_gcp_pub_sub_topic_creation.toml - rules/integrations/gcp/defense_evasion_gcp_firewall_rule_created.toml - rules/integrations/gcp/defense_evasion_gcp_firewall_rule_deleted.toml - rules/integrations/gcp/defense_evasion_gcp_firewall_rule_modified.toml - rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml - rules/integrations/gcp/defense_evasion_gcp_logging_sink_deletion.toml - 
rules/integrations/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml - rules/integrations/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml - rules/integrations/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml - rules/integrations/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml - rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_network_deleted.toml - rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_created.toml - rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_deleted.toml - rules/integrations/gcp/exfiltration_gcp_logging_sink_modification.toml - rules/integrations/gcp/impact_gcp_iam_role_deletion.toml - rules/integrations/gcp/impact_gcp_service_account_deleted.toml - rules/integrations/gcp/impact_gcp_service_account_disabled.toml - rules/integrations/gcp/impact_gcp_storage_bucket_deleted.toml - rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml - rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml - rules/integrations/gcp/persistence_gcp_key_created_for_service_account.toml - rules/integrations/gcp/persistence_gcp_service_account_created.toml - rules/integrations/gcp/privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.toml - rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml - rules/integrations/google_workspace/impact_google_workspace_admin_role_deletion.toml - rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml - rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml - rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml - rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.toml - 
rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml - rules/integrations/google_workspace/persistence_google_workspace_policy_modified.toml - rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml - rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml - rules/integrations/kubernetes/discovery_suspicious_self_subject_review.toml - rules/integrations/kubernetes/execution_user_exec_to_pod.toml - rules/integrations/kubernetes/persistence_exposed_service_created_with_type_nodeport.toml - rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostipc.toml - rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml - rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostpid.toml - rules/integrations/kubernetes/privilege_escalation_pod_created_with_sensitive_hospath_volume.toml - rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml - rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml - rules/integrations/o365/credential_access_microsoft_365_brute_force_user_account_attempt.toml - rules/integrations/o365/credential_access_microsoft_365_potential_password_spraying_attack.toml - rules/integrations/o365/credential_access_user_excessive_sso_logon_errors.toml - rules/integrations/o365/defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml - rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml - rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml - rules/integrations/o365/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml - rules/integrations/o365/defense_evasion_microsoft_365_mailboxauditbypassassociation.toml - rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml - 
- rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_mod.toml
- rules/integrations/o365/impact_microsoft_365_potential_ransomware_activity.toml
- rules/integrations/o365/impact_microsoft_365_unusual_volume_of_file_deletion.toml
- rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml
- rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml
- rules/integrations/o365/initial_access_microsoft_365_exchange_safelinks_disabled.toml
- rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml
- rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml
- rules/integrations/o365/lateral_movement_malware_uploaded_onedrive.toml
- rules/integrations/o365/lateral_movement_malware_uploaded_sharepoint.toml
- rules/integrations/o365/persistence_exchange_suspicious_mailbox_right_delegation.toml
- rules/integrations/o365/persistence_microsoft_365_exchange_dkim_signing_config_disabled.toml
- rules/integrations/o365/persistence_microsoft_365_exchange_management_role_assignment.toml
- rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml
- rules/integrations/o365/persistence_microsoft_365_teams_custom_app_interaction_allowed.toml
- rules/integrations/o365/persistence_microsoft_365_teams_external_access_enabled.toml
- rules/integrations/o365/persistence_microsoft_365_teams_guest_access_enabled.toml
- rules/integrations/o365/privilege_escalation_new_or_modified_federation_domain.toml
- rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml
- rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml
- rules/integrations/okta/credential_access_mfa_push_brute_force.toml
- rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml
- rules/integrations/okta/credential_access_user_impersonation_access.toml
- rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml
- rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml
- rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml
- rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml
- rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml
- rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml
- rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml
- rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml
- rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml
- rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml
- rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml
- rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml
- rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml
- rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml
- rules/integrations/okta/impact_possible_okta_dos_attack.toml
- rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml
- rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml
- rules/integrations/okta/okta_threat_detected_by_okta_threatinsight.toml
- rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml
- rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml
- rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml
- rules/integrations/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml
- rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml
- rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml
- rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml
- rules/linux/command_and_control_linux_iodine_activity.toml
- rules/linux/command_and_control_tunneling_via_earthworm.toml
- rules/linux/credential_access_collection_sensitive_files.toml
- rules/linux/credential_access_ssh_backdoor_log.toml
- rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml
- rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml
- rules/linux/defense_evasion_chattr_immutable_file.toml
- rules/linux/defense_evasion_disable_selinux_attempt.toml
- rules/linux/defense_evasion_file_deletion_via_shred.toml
- rules/linux/defense_evasion_file_mod_writable_dir.toml
- rules/linux/defense_evasion_hidden_file_dir_tmp.toml
- rules/linux/defense_evasion_hidden_shared_object.toml
- rules/linux/defense_evasion_kernel_module_removal.toml
- rules/linux/defense_evasion_log_files_deleted.toml
- rules/linux/discovery_kernel_module_enumeration.toml
- rules/linux/discovery_linux_hping_activity.toml
- rules/linux/discovery_linux_nping_activity.toml
- rules/linux/discovery_virtual_machine_fingerprinting.toml
- rules/linux/execution_abnormal_process_id_file_created.toml
- rules/linux/execution_linux_netcat_network_connection.toml
- rules/linux/execution_perl_tty_shell.toml
- rules/linux/execution_process_started_from_process_id_file.toml
- rules/linux/execution_process_started_in_shared_memory_directory.toml
- rules/linux/execution_python_tty_shell.toml
- rules/linux/execution_shell_evasion_linux_binary.toml
- rules/linux/execution_tc_bpf_filter.toml
- rules/linux/impact_process_kill_threshold.toml
- rules/linux/lateral_movement_telnet_network_activity_external.toml
- rules/linux/lateral_movement_telnet_network_activity_internal.toml
- rules/linux/persistence_chkconfig_service_add.toml
- rules/linux/persistence_credential_access_modify_ssh_binaries.toml
- rules/linux/persistence_dynamic_linker_backup.toml
- rules/linux/persistence_etc_file_creation.toml
- rules/linux/persistence_insmod_kernel_module_load.toml
- rules/linux/persistence_kde_autostart_modification.toml
- rules/linux/persistence_shell_activity_by_web_server.toml
- rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml
- rules/linux/privilege_escalation_pkexec_envar_hijack.toml
- rules/macos/credential_access_access_to_browser_credentials_procargs.toml
- rules/macos/credential_access_credentials_keychains.toml
- rules/macos/credential_access_dumping_hashes_bi_cmds.toml
- rules/macos/credential_access_dumping_keychain_security.toml
- rules/macos/credential_access_kerberosdump_kcc.toml
- rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml
- rules/macos/credential_access_mitm_localhost_webproxy.toml
- rules/macos/credential_access_potential_ssh_bruteforce.toml
- rules/macos/credential_access_promt_for_pwd_via_osascript.toml
- rules/macos/credential_access_systemkey_dumping.toml
- rules/macos/defense_evasion_apple_softupdates_modification.toml
- rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml
- rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml
- rules/macos/defense_evasion_install_root_certificate.toml
- rules/macos/defense_evasion_modify_environment_launchctl.toml
- rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml
- rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml
- rules/macos/defense_evasion_safari_config_change.toml
- rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml
- rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml
- rules/macos/defense_evasion_unload_endpointsecurity_kext.toml
- rules/macos/discovery_users_domain_built_in_commands.toml
- rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml
- rules/macos/execution_initial_access_suspicious_browser_childproc.toml
- rules/macos/execution_installer_package_spawned_network_event.toml
- rules/macos/execution_script_via_automator_workflows.toml
- rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml
- rules/macos/execution_shell_execution_via_apple_scripting.toml
- rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml
- rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml
- rules/macos/lateral_movement_mounting_smb_share.toml
- rules/macos/lateral_movement_remote_ssh_login_enabled.toml
- rules/macos/lateral_movement_vpn_connection_attempt.toml
- rules/macos/persistence_account_creation_hide_at_logon.toml
- rules/macos/persistence_creation_change_launch_agents_file.toml
- rules/macos/persistence_creation_hidden_login_item_osascript.toml
- rules/macos/persistence_creation_modif_launch_deamon_sequence.toml
- rules/macos/persistence_credential_access_authorization_plugin_creation.toml
- rules/macos/persistence_crontab_creation.toml
- rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml
- rules/macos/persistence_directory_services_plugins_modification.toml
- rules/macos/persistence_docker_shortcuts_plist_modification.toml
- rules/macos/persistence_emond_rules_file_creation.toml
- rules/macos/persistence_emond_rules_process_execution.toml
- rules/macos/persistence_enable_root_account.toml
- rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml
- rules/macos/persistence_finder_sync_plugin_pluginkit.toml
- rules/macos/persistence_folder_action_scripts_runtime.toml
- rules/macos/persistence_login_logout_hooks_defaults.toml
- rules/macos/persistence_loginwindow_plist_modification.toml
- rules/macos/persistence_modification_sublime_app_plugin_or_script.toml
- rules/macos/persistence_periodic_tasks_file_mdofiy.toml
- rules/macos/persistence_screensaver_engine_unexpected_child_process.toml
- rules/macos/persistence_screensaver_plist_file_modification.toml
- rules/macos/persistence_suspicious_calendar_modification.toml
- rules/macos/persistence_via_atom_init_file_modification.toml
- rules/macos/privilege_escalation_applescript_with_admin_privs.toml
- rules/macos/privilege_escalation_explicit_creds_via_scripting.toml
- rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml
- rules/macos/privilege_escalation_local_user_added_to_admin.toml
- rules/macos/privilege_escalation_root_crontab_filemod.toml
- rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml
- rules/ml/command_and_control_ml_packetbeat_rare_dns_question.toml
- rules/ml/command_and_control_ml_packetbeat_rare_urls.toml
- rules/ml/command_and_control_ml_packetbeat_rare_user_agent.toml
- rules/ml/credential_access_ml_auth_spike_in_failed_logon_events.toml
- rules/ml/credential_access_ml_auth_spike_in_logon_events.toml
- rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml
- rules/ml/credential_access_ml_linux_anomalous_metadata_process.toml
- rules/ml/credential_access_ml_linux_anomalous_metadata_user.toml
- rules/ml/credential_access_ml_suspicious_login_activity.toml
- rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml
- rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml
- rules/ml/discovery_ml_linux_system_information_discovery.toml
- rules/ml/discovery_ml_linux_system_network_configuration_discovery.toml
- rules/ml/discovery_ml_linux_system_network_connection_discovery.toml
- rules/ml/discovery_ml_linux_system_process_discovery.toml
- rules/ml/discovery_ml_linux_system_user_discovery.toml
- rules/ml/execution_ml_windows_anomalous_script.toml
- rules/ml/initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml
- rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml
- rules/ml/initial_access_ml_auth_rare_user_logon.toml
- rules/ml/initial_access_ml_linux_anomalous_user_name.toml
- rules/ml/initial_access_ml_windows_anomalous_user_name.toml
- rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml
- rules/ml/ml_high_count_network_denies.toml
- rules/ml/ml_high_count_network_events.toml
- rules/ml/ml_linux_anomalous_network_activity.toml
- rules/ml/ml_linux_anomalous_network_port_activity.toml
- rules/ml/ml_packetbeat_rare_server_domain.toml
- rules/ml/ml_rare_destination_country.toml
- rules/ml/ml_spike_in_traffic_to_a_country.toml
- rules/ml/ml_windows_anomalous_network_activity.toml
- rules/ml/persistence_ml_linux_anomalous_process_all_hosts.toml
- rules/ml/persistence_ml_rare_process_by_host_linux.toml
- rules/ml/persistence_ml_rare_process_by_host_windows.toml
- rules/ml/persistence_ml_windows_anomalous_path_activity.toml
- rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml
- rules/ml/persistence_ml_windows_anomalous_process_creation.toml
- rules/ml/persistence_ml_windows_anomalous_service.toml
- rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml
- rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml
- rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml
- rules/network/command_and_control_cobalt_strike_beacon.toml
- rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml
- rules/network/command_and_control_download_rar_powershell_from_internet.toml
- rules/network/command_and_control_fin7_c2_behavior.toml
- rules/network/command_and_control_halfbaked_beacon.toml
- rules/network/command_and_control_nat_traversal_port_activity.toml
- rules/network/command_and_control_port_26_activity.toml
- rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml
- rules/network/command_and_control_telnet_port_activity.toml
- rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml
- rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml
- rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml
- rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml
- rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml
- rules/network/initial_access_unsecure_elasticsearch_node.toml
- rules/promotions/credential_access_endgame_cred_dumping_detected.toml
- rules/promotions/credential_access_endgame_cred_dumping_prevented.toml
- rules/promotions/endgame_adversary_behavior_detected.toml
- rules/promotions/endgame_malware_detected.toml
- rules/promotions/endgame_malware_prevented.toml
- rules/promotions/endgame_ransomware_detected.toml
- rules/promotions/endgame_ransomware_prevented.toml
- rules/promotions/execution_endgame_exploit_detected.toml
- rules/promotions/execution_endgame_exploit_prevented.toml
- rules/promotions/external_alerts.toml
- rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml
- rules/promotions/privilege_escalation_endgame_cred_manipulation_prevented.toml
- rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml
- rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml
- rules/promotions/privilege_escalation_endgame_process_injection_detected.toml
- rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml
- rules/windows/collection_email_powershell_exchange_mailbox.toml
- rules/windows/collection_posh_audio_capture.toml
- rules/windows/collection_posh_keylogger.toml
- rules/windows/collection_posh_screen_grabber.toml
- rules/windows/collection_winrar_encryption.toml
- rules/windows/command_and_control_certutil_network_connection.toml
- rules/windows/command_and_control_common_webservices.toml
- rules/windows/command_and_control_dns_tunneling_nslookup.toml
- rules/windows/command_and_control_encrypted_channel_freesslcert.toml
- rules/windows/command_and_control_iexplore_via_com.toml
- rules/windows/command_and_control_port_forwarding_added_registry.toml
- rules/windows/command_and_control_rdp_tunnel_plink.toml
- rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml
- rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
- rules/windows/command_and_control_remote_file_copy_powershell.toml
- rules/windows/command_and_control_remote_file_copy_scripts.toml
- rules/windows/command_and_control_sunburst_c2_activity_detected.toml
- rules/windows/command_and_control_teamviewer_remote_file_copy.toml
- rules/windows/credential_access_cmdline_dump_tool.toml
- rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
- rules/windows/credential_access_credential_dumping_msbuild.toml
- rules/windows/credential_access_dcsync_replication_rights.toml
- rules/windows/credential_access_disable_kerberos_preauth.toml
- rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
- rules/windows/credential_access_dump_registry_hives.toml
- rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml
- rules/windows/credential_access_iis_connectionstrings_dumping.toml
- rules/windows/credential_access_kerberoasting_unusual_process.toml
- rules/windows/credential_access_lsass_handle_via_malseclogon.toml
- rules/windows/credential_access_lsass_memdump_file_created.toml
- rules/windows/credential_access_lsass_memdump_handle_access.toml
- rules/windows/credential_access_mimikatz_memssp_default_logs.toml
- rules/windows/credential_access_mimikatz_powershell_module.toml
- rules/windows/credential_access_mod_wdigest_security_provider.toml
- rules/windows/credential_access_moving_registry_hive_via_smb.toml
- rules/windows/credential_access_persistence_network_logon_provider_modification.toml
- rules/windows/credential_access_posh_minidump.toml
- rules/windows/credential_access_posh_request_ticket.toml
- rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml
- rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml
- rules/windows/credential_access_remote_sam_secretsdump.toml
- rules/windows/credential_access_saved_creds_vaultcmd.toml
- rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml
- rules/windows/credential_access_shadow_credentials.toml
- rules/windows/credential_access_spn_attribute_modified.toml
- rules/windows/credential_access_suspicious_comsvcs_imageload.toml
- rules/windows/credential_access_suspicious_lsass_access_memdump.toml
- rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml
- rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml
- rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml
- rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml
- rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
- rules/windows/defense_evasion_amsienable_key_mod.toml
- rules/windows/defense_evasion_clearing_windows_console_history.toml
- rules/windows/defense_evasion_clearing_windows_event_logs.toml
- rules/windows/defense_evasion_clearing_windows_security_logs.toml
- rules/windows/defense_evasion_create_mod_root_certificate.toml
- rules/windows/defense_evasion_cve_2020_0601.toml
- rules/windows/defense_evasion_defender_disabled_via_registry.toml
- rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
- rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
- rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml
- rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
- rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
- rules/windows/defense_evasion_disabling_windows_logs.toml
- rules/windows/defense_evasion_dns_over_https_enabled.toml
- rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
- rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml
- rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml
- rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml
- rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
- rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
- rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
- rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
- rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
- rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
- rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
- rules/windows/defense_evasion_execution_windefend_unusual_path.toml
- rules/windows/defense_evasion_file_creation_mult_extension.toml
- rules/windows/defense_evasion_from_unusual_directory.toml
- rules/windows/defense_evasion_hide_encoded_executable_registry.toml
- rules/windows/defense_evasion_iis_httplogging_disabled.toml
- rules/windows/defense_evasion_injection_msbuild.toml
- rules/windows/defense_evasion_installutil_beacon.toml
- rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
- rules/windows/defense_evasion_masquerading_renamed_autoit.toml
- rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
- rules/windows/defense_evasion_masquerading_trusted_directory.toml
- rules/windows/defense_evasion_masquerading_werfault.toml
- rules/windows/defense_evasion_microsoft_defender_tampering.toml
- rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
- rules/windows/defense_evasion_ms_office_suspicious_regmod.toml
- rules/windows/defense_evasion_msbuild_making_network_connections.toml
- rules/windows/defense_evasion_mshta_beacon.toml
- rules/windows/defense_evasion_msxsl_network.toml
- rules/windows/defense_evasion_network_connection_from_windows_binary.toml
- rules/windows/defense_evasion_parent_process_pid_spoofing.toml
- rules/windows/defense_evasion_posh_assembly_load.toml
- rules/windows/defense_evasion_posh_compressed.toml
- rules/windows/defense_evasion_posh_process_injection.toml
- rules/windows/defense_evasion_potential_processherpaderping.toml
- rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml
- rules/windows/defense_evasion_process_termination_followed_by_deletion.toml
- rules/windows/defense_evasion_proxy_execution_via_msdt.toml
- rules/windows/defense_evasion_rundll32_no_arguments.toml
- rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml
- rules/windows/defense_evasion_sdelete_like_filename_rename.toml
- rules/windows/defense_evasion_sip_provider_mod.toml
- rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
- rules/windows/defense_evasion_suspicious_certutil_commands.toml
- rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml
- rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
- rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml
- rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml
- rules/windows/defense_evasion_suspicious_scrobj_load.toml
- rules/windows/defense_evasion_suspicious_short_program_name.toml
- rules/windows/defense_evasion_suspicious_wmi_script.toml
- rules/windows/defense_evasion_suspicious_zoom_child_process.toml
- rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml
- rules/windows/defense_evasion_unusual_ads_file_creation.toml
- rules/windows/defense_evasion_unusual_dir_ads.toml
- rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml
- rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml
- rules/windows/defense_evasion_unusual_process_network_connection.toml
- rules/windows/defense_evasion_unusual_system_vp_child_program.toml
- rules/windows/defense_evasion_via_filter_manager.toml
- rules/windows/defense_evasion_workfolders_control_execution.toml
- rules/windows/discovery_adfind_command_activity.toml
- rules/windows/discovery_admin_recon.toml
- rules/windows/discovery_command_system_account.toml
- rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
- rules/windows/discovery_net_view.toml
- rules/windows/discovery_peripheral_device.toml
- rules/windows/discovery_posh_suspicious_api_functions.toml
- rules/windows/discovery_post_exploitation_external_ip_lookup.toml
- rules/windows/discovery_privileged_localgroup_membership.toml
- rules/windows/discovery_remote_system_discovery_commands_windows.toml
- rules/windows/discovery_security_software_wmic.toml
- rules/windows/discovery_whoami_command_activity.toml
- rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
- rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml
- rules/windows/execution_com_object_xwizard.toml
- rules/windows/execution_command_prompt_connecting_to_the_internet.toml
- rules/windows/execution_command_shell_started_by_svchost.toml
- rules/windows/execution_command_shell_started_by_unusual_process.toml
- rules/windows/execution_command_shell_via_rundll32.toml
- rules/windows/execution_enumeration_via_wmiprvse.toml
- rules/windows/execution_from_unusual_path_cmdline.toml
- rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
- rules/windows/execution_ms_office_written_file.toml
- rules/windows/execution_pdf_written_file.toml
- rules/windows/execution_posh_portable_executable.toml
- rules/windows/execution_posh_psreflect.toml
- rules/windows/execution_psexec_lateral_movement_command.toml
- rules/windows/execution_register_server_program_connecting_to_the_internet.toml
- rules/windows/execution_scheduled_task_powershell_source.toml
- rules/windows/execution_shared_modules_local_sxs_dll.toml
- rules/windows/execution_suspicious_cmd_wmi.toml
- rules/windows/execution_suspicious_image_load_wmi_ms_office.toml
- rules/windows/execution_suspicious_pdf_reader.toml
- rules/windows/execution_suspicious_powershell_imgload.toml
- rules/windows/execution_suspicious_psexesvc.toml
- rules/windows/execution_via_compiled_html_file.toml
- rules/windows/execution_via_hidden_shell_conhost.toml
- rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml
- rules/windows/impact_backup_file_deletion.toml
- rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml
- rules/windows/impact_modification_of_boot_config.toml
- rules/windows/impact_stop_process_service_threshold.toml
- rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
- rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml
- rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml
- rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml
- rules/windows/initial_access_script_executing_powershell.toml
- rules/windows/initial_access_scripts_process_started_via_wmi.toml
- rules/windows/initial_access_suspicious_ms_exchange_files.toml
- rules/windows/initial_access_suspicious_ms_exchange_process.toml
- rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml
- rules/windows/initial_access_suspicious_ms_office_child_process.toml
- rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
- rules/windows/initial_access_unusual_dns_service_children.toml
- rules/windows/initial_access_unusual_dns_service_file_writes.toml
- rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
- rules/windows/lateral_movement_cmd_service.toml
- rules/windows/lateral_movement_dcom_hta.toml
- rules/windows/lateral_movement_dcom_mmc20.toml
- rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml
- rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml
- rules/windows/lateral_movement_direct_outbound_smb_connection.toml
- rules/windows/lateral_movement_dns_server_overflow.toml
- rules/windows/lateral_movement_evasion_rdp_shadowing.toml
- rules/windows/lateral_movement_executable_tool_transfer_smb.toml
- rules/windows/lateral_movement_execution_from_tsclient_mup.toml
- rules/windows/lateral_movement_execution_via_file_shares_sequence.toml
- rules/windows/lateral_movement_incoming_winrm_shell_execution.toml
- rules/windows/lateral_movement_incoming_wmi.toml
- rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
- rules/windows/lateral_movement_powershell_remoting_target.toml
- rules/windows/lateral_movement_rdp_enabled_registry.toml
- rules/windows/lateral_movement_rdp_sharprdp_target.toml
- rules/windows/lateral_movement_remote_file_copy_hidden_share.toml
- rules/windows/lateral_movement_remote_services.toml
- rules/windows/lateral_movement_scheduled_task_target.toml
- rules/windows/lateral_movement_service_control_spawned_script_int.toml
- rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml
- rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml
- rules/windows/persistence_ad_adminsdholder.toml
- rules/windows/persistence_adobe_hijack_persistence.toml
- rules/windows/persistence_app_compat_shim.toml
- rules/windows/persistence_appcertdlls_registry.toml
- rules/windows/persistence_appinitdlls_registry.toml
- rules/windows/persistence_dontexpirepasswd_account.toml
- rules/windows/persistence_evasion_hidden_local_account_creation.toml
- rules/windows/persistence_evasion_registry_ifeo_injection.toml
- rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml
- rules/windows/persistence_gpo_schtask_service_creation.toml
- rules/windows/persistence_local_scheduled_job_creation.toml
- rules/windows/persistence_local_scheduled_task_creation.toml
- rules/windows/persistence_local_scheduled_task_scripting.toml
- rules/windows/persistence_ms_office_addins_file.toml
- rules/windows/persistence_ms_outlook_vba_template.toml
- rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml
- rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml
- rules/windows/persistence_priv_escalation_via_accessibility_features.toml
- rules/windows/persistence_registry_uncommon.toml
- rules/windows/persistence_remote_password_reset.toml
- rules/windows/persistence_run_key_and_startup_broad.toml
- rules/windows/persistence_runtime_run_key_startup_susp_procs.toml
- rules/windows/persistence_sdprop_exclusion_dsheuristics.toml
- rules/windows/persistence_services_registry.toml
- rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
- rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml
- rules/windows/persistence_startup_folder_scripts.toml
- rules/windows/persistence_suspicious_com_hijack_registry.toml
- rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml
- rules/windows/persistence_suspicious_scheduled_task_runtime.toml
- rules/windows/persistence_suspicious_service_created_registry.toml
- rules/windows/persistence_system_shells_via_services.toml
- rules/windows/persistence_time_provider_mod.toml
- rules/windows/persistence_user_account_added_to_privileged_group_ad.toml
- rules/windows/persistence_user_account_creation.toml
- rules/windows/persistence_via_application_shimming.toml
- rules/windows/persistence_via_bits_job_notify_command.toml
- rules/windows/persistence_via_hidden_run_key_valuename.toml
- rules/windows/persistence_via_lsa_security_support_provider_registry.toml
- rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
- rules/windows/persistence_via_update_orchestrator_service_hijack.toml
- rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
- rules/windows/persistence_via_wmi_stdregprov_run_services.toml
- rules/windows/persistence_webshell_detection.toml
- rules/windows/privilege_escalation_disable_uac_registry.toml
- rules/windows/privilege_escalation_group_policy_iniscript.toml
- rules/windows/privilege_escalation_group_policy_privileged_groups.toml
- rules/windows/privilege_escalation_group_policy_scheduled_task.toml
- rules/windows/privilege_escalation_installertakeover.toml
- rules/windows/privilege_escalation_krbrelayup_service_creation.toml
- rules/windows/privilege_escalation_lsa_auth_package.toml
- rules/windows/privilege_escalation_named_pipe_impersonation.toml
- rules/windows/privilege_escalation_persistence_phantom_dll.toml
- rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml
- rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml
- rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
- rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml
- rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml
- rules/windows/privilege_escalation_rogue_windir_environment_var.toml
- rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml
- rules/windows/privilege_escalation_suspicious_dnshostname_update.toml
- rules/windows/privilege_escalation_uac_bypass_com_clipup.toml
- rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
- rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
- rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
- rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml
- rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
- rules/windows/privilege_escalation_uac_bypass_mock_windir.toml
- rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
- rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
- rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml
- rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml
- rules/windows/privilege_escalation_via_rogue_named_pipe.toml
- rules/windows/privilege_escalation_windows_service_via_unusual_client.toml

(selectively cherry-picked from commit 46d5e37)
protectionsmachine pushed a commit that referenced this pull request on Aug 24, 2022
* min_stack all rules to 8.3
* bump date

Co-authored-by: Mika Ayenson <mika.ayenson@elastic.co>

Removed changes from:
- rules/apm/apm_403_response_to_a_post.toml
- rules/apm/apm_405_response_method_not_allowed.toml
- rules/apm/apm_null_user_agent.toml
- rules/apm/apm_sqlmap_user_agent.toml
- rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml
- rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml
- rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml
- rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml
- rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml
- rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml
- rules/cross-platform/defense_evasion_timestomp_touch.toml
- rules/cross-platform/discovery_security_software_grep.toml
- rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml
- rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml
- rules/cross-platform/execution_revershell_via_shell_cmd.toml
- rules/cross-platform/execution_suspicious_jar_child_process.toml
- rules/cross-platform/execution_suspicious_java_netcon_childproc.toml
- rules/cross-platform/impact_hosts_file_modified.toml
- rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml
- rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml
- rules/cross-platform/persistence_shell_profile_modification.toml
- rules/cross-platform/persistence_ssh_authorized_keys_modification.toml
- rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml
- rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml
- rules/cross-platform/privilege_escalation_sudo_buffer_overflow.toml
- rules/cross-platform/privilege_escalation_sudoers_file_mod.toml
- rules/cross-platform/threat_intel_filebeat8x.toml
- rules/cross-platform/threat_intel_fleet_integrations.toml
- rules/integrations/aws/collection_cloudtrail_logging_created.toml
- rules/integrations/aws/credential_access_aws_iam_assume_role_brute_force.toml
- rules/integrations/aws/credential_access_iam_user_addition_to_group.toml
- rules/integrations/aws/credential_access_root_console_failure_brute_force.toml
- rules/integrations/aws/credential_access_secretsmanager_getsecretvalue.toml
- rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml
- rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml
- rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml
- rules/integrations/aws/defense_evasion_config_service_rule_deletion.toml
- rules/integrations/aws/defense_evasion_configuration_recorder_stopped.toml
- rules/integrations/aws/defense_evasion_ec2_flow_log_deletion.toml
- rules/integrations/aws/defense_evasion_ec2_network_acl_deletion.toml
- rules/integrations/aws/defense_evasion_elasticache_security_group_creation.toml
- rules/integrations/aws/defense_evasion_elasticache_security_group_modified_or_deleted.toml
- rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml
- rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml
- rules/integrations/aws/defense_evasion_waf_acl_deletion.toml
- rules/integrations/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml
- rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml
- rules/integrations/aws/exfiltration_ec2_snapshot_change_activity.toml
- rules/integrations/aws/exfiltration_ec2_vm_export_failure.toml
- rules/integrations/aws/exfiltration_rds_snapshot_export.toml
- rules/integrations/aws/exfiltration_rds_snapshot_restored.toml
- rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml
- rules/integrations/aws/impact_cloudtrail_logging_updated.toml
- rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml
- rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml
- rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml
- rules/integrations/aws/impact_efs_filesystem_or_mount_deleted.toml
- rules/integrations/aws/impact_iam_deactivate_mfa_device.toml
- rules/integrations/aws/impact_iam_group_deletion.toml
- rules/integrations/aws/impact_rds_group_deletion.toml
- rules/integrations/aws/impact_rds_instance_cluster_deletion.toml
- rules/integrations/aws/impact_rds_instance_cluster_stoppage.toml
- rules/integrations/aws/initial_access_console_login_root.toml
- rules/integrations/aws/initial_access_password_recovery.toml
- rules/integrations/aws/initial_access_via_system_manager.toml
- rules/integrations/aws/ml_cloudtrail_error_message_spike.toml
- rules/integrations/aws/ml_cloudtrail_rare_error_code.toml
- rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml
- rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml
- rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml
- rules/integrations/aws/persistence_ec2_network_acl_creation.toml
- rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml
- rules/integrations/aws/persistence_iam_group_creation.toml
- rules/integrations/aws/persistence_rds_cluster_creation.toml
- rules/integrations/aws/persistence_rds_group_creation.toml
- rules/integrations/aws/persistence_rds_instance_creation.toml
- rules/integrations/aws/persistence_redshift_instance_creation.toml
- rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml
- rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml
- rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml
- rules/integrations/aws/persistence_route_table_created.toml
- rules/integrations/aws/persistence_route_table_modified_or_deleted.toml
- rules/integrations/aws/privilege_escalation_aws_suspicious_saml_activity.toml
- rules/integrations/aws/privilege_escalation_root_login_without_mfa.toml
- rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml
- rules/integrations/aws/privilege_escalation_sts_getsessiontoken_abuse.toml
- rules/integrations/aws/privilege_escalation_updateassumerolepolicy.toml
- rules/integrations/azure/collection_update_event_hub_auth_rule.toml
- rules/integrations/azure/credential_access_azure_full_network_packet_capture_detected.toml
- rules/integrations/azure/credential_access_key_vault_modified.toml
- rules/integrations/azure/credential_access_storage_account_key_regenerated.toml
- rules/integrations/azure/defense_evasion_azure_application_credential_modification.toml
- rules/integrations/azure/defense_evasion_azure_automation_runbook_deleted.toml
- rules/integrations/azure/defense_evasion_azure_blob_permissions_modified.toml
- rules/integrations/azure/defense_evasion_azure_diagnostic_settings_deletion.toml
- rules/integrations/azure/defense_evasion_azure_service_principal_addition.toml
- rules/integrations/azure/defense_evasion_event_hub_deletion.toml
- rules/integrations/azure/defense_evasion_firewall_policy_deletion.toml
- rules/integrations/azure/defense_evasion_frontdoor_firewall_policy_deletion.toml
- rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml
- rules/integrations/azure/defense_evasion_network_watcher_deletion.toml
- rules/integrations/azure/defense_evasion_suppression_rule_created.toml
- rules/integrations/azure/discovery_blob_container_access_mod.toml
- rules/integrations/azure/execution_command_virtual_machine.toml
- rules/integrations/azure/impact_azure_service_principal_credentials_added.toml
- rules/integrations/azure/impact_kubernetes_pod_deleted.toml
- rules/integrations/azure/impact_resource_group_deletion.toml
- rules/integrations/azure/impact_virtual_network_device_modified.toml
- rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin.toml
- rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml
rules/integrations/azure/initial_access_azure_active_directory_powershell_signin.toml - rules/integrations/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml - rules/integrations/azure/initial_access_external_guest_user_invite.toml - rules/integrations/azure/persistence_azure_automation_account_created.toml - rules/integrations/azure/persistence_azure_automation_runbook_created_or_modified.toml - rules/integrations/azure/persistence_azure_automation_webhook_created.toml - rules/integrations/azure/persistence_azure_conditional_access_policy_modified.toml - rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml - rules/integrations/azure/persistence_azure_pim_user_added_global_admin.toml - rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml - rules/integrations/azure/persistence_mfa_disabled_for_azure_user.toml - rules/integrations/azure/persistence_user_added_as_owner_for_azure_application.toml - rules/integrations/azure/persistence_user_added_as_owner_for_azure_service_principal.toml - rules/integrations/azure/privilege_escalation_azure_kubernetes_rolebinding_created.toml - rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml - rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml - rules/integrations/endpoint/elastic_endpoint_security.toml - rules/integrations/gcp/collection_gcp_pub_sub_subscription_creation.toml - rules/integrations/gcp/collection_gcp_pub_sub_topic_creation.toml - rules/integrations/gcp/defense_evasion_gcp_firewall_rule_created.toml - rules/integrations/gcp/defense_evasion_gcp_firewall_rule_deleted.toml - rules/integrations/gcp/defense_evasion_gcp_firewall_rule_modified.toml - rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml - rules/integrations/gcp/defense_evasion_gcp_logging_sink_deletion.toml - 
rules/integrations/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml - rules/integrations/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml - rules/integrations/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml - rules/integrations/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml - rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_network_deleted.toml - rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_created.toml - rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_deleted.toml - rules/integrations/gcp/exfiltration_gcp_logging_sink_modification.toml - rules/integrations/gcp/impact_gcp_iam_role_deletion.toml - rules/integrations/gcp/impact_gcp_service_account_deleted.toml - rules/integrations/gcp/impact_gcp_service_account_disabled.toml - rules/integrations/gcp/impact_gcp_storage_bucket_deleted.toml - rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml - rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml - rules/integrations/gcp/persistence_gcp_key_created_for_service_account.toml - rules/integrations/gcp/persistence_gcp_service_account_created.toml - rules/integrations/gcp/privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.toml - rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml - rules/integrations/google_workspace/impact_google_workspace_admin_role_deletion.toml - rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml - rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml - rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml - rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.toml - 
rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml - rules/integrations/google_workspace/persistence_google_workspace_policy_modified.toml - rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml - rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml - rules/integrations/kubernetes/discovery_suspicious_self_subject_review.toml - rules/integrations/kubernetes/execution_user_exec_to_pod.toml - rules/integrations/kubernetes/persistence_exposed_service_created_with_type_nodeport.toml - rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostipc.toml - rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml - rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostpid.toml - rules/integrations/kubernetes/privilege_escalation_pod_created_with_sensitive_hospath_volume.toml - rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml - rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml - rules/integrations/o365/credential_access_microsoft_365_brute_force_user_account_attempt.toml - rules/integrations/o365/credential_access_microsoft_365_potential_password_spraying_attack.toml - rules/integrations/o365/credential_access_user_excessive_sso_logon_errors.toml - rules/integrations/o365/defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml - rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml - rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml - rules/integrations/o365/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml - rules/integrations/o365/defense_evasion_microsoft_365_mailboxauditbypassassociation.toml - rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml - 
rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_mod.toml - rules/integrations/o365/impact_microsoft_365_potential_ransomware_activity.toml - rules/integrations/o365/impact_microsoft_365_unusual_volume_of_file_deletion.toml - rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml - rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml - rules/integrations/o365/initial_access_microsoft_365_exchange_safelinks_disabled.toml - rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml - rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml - rules/integrations/o365/lateral_movement_malware_uploaded_onedrive.toml - rules/integrations/o365/lateral_movement_malware_uploaded_sharepoint.toml - rules/integrations/o365/persistence_exchange_suspicious_mailbox_right_delegation.toml - rules/integrations/o365/persistence_microsoft_365_exchange_dkim_signing_config_disabled.toml - rules/integrations/o365/persistence_microsoft_365_exchange_management_role_assignment.toml - rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml - rules/integrations/o365/persistence_microsoft_365_teams_custom_app_interaction_allowed.toml - rules/integrations/o365/persistence_microsoft_365_teams_external_access_enabled.toml - rules/integrations/o365/persistence_microsoft_365_teams_guest_access_enabled.toml - rules/integrations/o365/privilege_escalation_new_or_modified_federation_domain.toml - rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml - rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml - rules/integrations/okta/credential_access_mfa_push_brute_force.toml - rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml - rules/integrations/okta/credential_access_user_impersonation_access.toml - 
rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml - rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml - rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml - rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml - rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml - rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml - rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml - rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml - rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml - rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml - rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml - rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml - rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml - rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml - rules/integrations/okta/impact_possible_okta_dos_attack.toml - rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml - rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml - rules/integrations/okta/okta_threat_detected_by_okta_threatinsight.toml - rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml - rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml - rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml - rules/integrations/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml - rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml - 
rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml - rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml - rules/linux/command_and_control_linux_iodine_activity.toml - rules/linux/command_and_control_tunneling_via_earthworm.toml - rules/linux/credential_access_collection_sensitive_files.toml - rules/linux/credential_access_ssh_backdoor_log.toml - rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml - rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml - rules/linux/defense_evasion_chattr_immutable_file.toml - rules/linux/defense_evasion_disable_selinux_attempt.toml - rules/linux/defense_evasion_file_deletion_via_shred.toml - rules/linux/defense_evasion_file_mod_writable_dir.toml - rules/linux/defense_evasion_hidden_file_dir_tmp.toml - rules/linux/defense_evasion_hidden_shared_object.toml - rules/linux/defense_evasion_kernel_module_removal.toml - rules/linux/defense_evasion_log_files_deleted.toml - rules/linux/discovery_kernel_module_enumeration.toml - rules/linux/discovery_linux_hping_activity.toml - rules/linux/discovery_linux_nping_activity.toml - rules/linux/discovery_virtual_machine_fingerprinting.toml - rules/linux/execution_abnormal_process_id_file_created.toml - rules/linux/execution_linux_netcat_network_connection.toml - rules/linux/execution_perl_tty_shell.toml - rules/linux/execution_process_started_from_process_id_file.toml - rules/linux/execution_process_started_in_shared_memory_directory.toml - rules/linux/execution_python_tty_shell.toml - rules/linux/execution_shell_evasion_linux_binary.toml - rules/linux/execution_tc_bpf_filter.toml - rules/linux/impact_process_kill_threshold.toml - rules/linux/lateral_movement_telnet_network_activity_external.toml - rules/linux/lateral_movement_telnet_network_activity_internal.toml - rules/linux/persistence_chkconfig_service_add.toml - 
rules/linux/persistence_credential_access_modify_ssh_binaries.toml - rules/linux/persistence_dynamic_linker_backup.toml - rules/linux/persistence_etc_file_creation.toml - rules/linux/persistence_insmod_kernel_module_load.toml - rules/linux/persistence_kde_autostart_modification.toml - rules/linux/persistence_shell_activity_by_web_server.toml - rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml - rules/linux/privilege_escalation_pkexec_envar_hijack.toml - rules/macos/credential_access_access_to_browser_credentials_procargs.toml - rules/macos/credential_access_credentials_keychains.toml - rules/macos/credential_access_dumping_hashes_bi_cmds.toml - rules/macos/credential_access_dumping_keychain_security.toml - rules/macos/credential_access_kerberosdump_kcc.toml - rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml - rules/macos/credential_access_mitm_localhost_webproxy.toml - rules/macos/credential_access_potential_ssh_bruteforce.toml - rules/macos/credential_access_promt_for_pwd_via_osascript.toml - rules/macos/credential_access_systemkey_dumping.toml - rules/macos/defense_evasion_apple_softupdates_modification.toml - rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml - rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml - rules/macos/defense_evasion_install_root_certificate.toml - rules/macos/defense_evasion_modify_environment_launchctl.toml - rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml - rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml - rules/macos/defense_evasion_safari_config_change.toml - rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml - rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml - rules/macos/defense_evasion_unload_endpointsecurity_kext.toml - rules/macos/discovery_users_domain_built_in_commands.toml - rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml - 
rules/macos/execution_initial_access_suspicious_browser_childproc.toml - rules/macos/execution_installer_package_spawned_network_event.toml - rules/macos/execution_script_via_automator_workflows.toml - rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml - rules/macos/execution_shell_execution_via_apple_scripting.toml - rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml - rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml - rules/macos/lateral_movement_mounting_smb_share.toml - rules/macos/lateral_movement_remote_ssh_login_enabled.toml - rules/macos/lateral_movement_vpn_connection_attempt.toml - rules/macos/persistence_account_creation_hide_at_logon.toml - rules/macos/persistence_creation_change_launch_agents_file.toml - rules/macos/persistence_creation_hidden_login_item_osascript.toml - rules/macos/persistence_creation_modif_launch_deamon_sequence.toml - rules/macos/persistence_credential_access_authorization_plugin_creation.toml - rules/macos/persistence_crontab_creation.toml - rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml - rules/macos/persistence_directory_services_plugins_modification.toml - rules/macos/persistence_docker_shortcuts_plist_modification.toml - rules/macos/persistence_emond_rules_file_creation.toml - rules/macos/persistence_emond_rules_process_execution.toml - rules/macos/persistence_enable_root_account.toml - rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml - rules/macos/persistence_finder_sync_plugin_pluginkit.toml - rules/macos/persistence_folder_action_scripts_runtime.toml - rules/macos/persistence_login_logout_hooks_defaults.toml - rules/macos/persistence_loginwindow_plist_modification.toml - rules/macos/persistence_modification_sublime_app_plugin_or_script.toml - rules/macos/persistence_periodic_tasks_file_mdofiy.toml - rules/macos/persistence_screensaver_engine_unexpected_child_process.toml - 
rules/macos/persistence_screensaver_plist_file_modification.toml - rules/macos/persistence_suspicious_calendar_modification.toml - rules/macos/persistence_via_atom_init_file_modification.toml - rules/macos/privilege_escalation_applescript_with_admin_privs.toml - rules/macos/privilege_escalation_explicit_creds_via_scripting.toml - rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml - rules/macos/privilege_escalation_local_user_added_to_admin.toml - rules/macos/privilege_escalation_root_crontab_filemod.toml - rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml - rules/ml/command_and_control_ml_packetbeat_rare_dns_question.toml - rules/ml/command_and_control_ml_packetbeat_rare_urls.toml - rules/ml/command_and_control_ml_packetbeat_rare_user_agent.toml - rules/ml/credential_access_ml_auth_spike_in_failed_logon_events.toml - rules/ml/credential_access_ml_auth_spike_in_logon_events.toml - rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml - rules/ml/credential_access_ml_linux_anomalous_metadata_process.toml - rules/ml/credential_access_ml_linux_anomalous_metadata_user.toml - rules/ml/credential_access_ml_suspicious_login_activity.toml - rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml - rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml - rules/ml/discovery_ml_linux_system_information_discovery.toml - rules/ml/discovery_ml_linux_system_network_configuration_discovery.toml - rules/ml/discovery_ml_linux_system_network_connection_discovery.toml - rules/ml/discovery_ml_linux_system_process_discovery.toml - rules/ml/discovery_ml_linux_system_user_discovery.toml - rules/ml/execution_ml_windows_anomalous_script.toml - rules/ml/initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml - rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml - rules/ml/initial_access_ml_auth_rare_user_logon.toml - rules/ml/initial_access_ml_linux_anomalous_user_name.toml - 
rules/ml/initial_access_ml_windows_anomalous_user_name.toml - rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml - rules/ml/ml_high_count_network_denies.toml - rules/ml/ml_high_count_network_events.toml - rules/ml/ml_linux_anomalous_network_activity.toml - rules/ml/ml_linux_anomalous_network_port_activity.toml - rules/ml/ml_packetbeat_rare_server_domain.toml - rules/ml/ml_rare_destination_country.toml - rules/ml/ml_spike_in_traffic_to_a_country.toml - rules/ml/ml_windows_anomalous_network_activity.toml - rules/ml/persistence_ml_linux_anomalous_process_all_hosts.toml - rules/ml/persistence_ml_rare_process_by_host_linux.toml - rules/ml/persistence_ml_rare_process_by_host_windows.toml - rules/ml/persistence_ml_windows_anomalous_path_activity.toml - rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml - rules/ml/persistence_ml_windows_anomalous_process_creation.toml - rules/ml/persistence_ml_windows_anomalous_service.toml - rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml - rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml - rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml - rules/network/command_and_control_cobalt_strike_beacon.toml - rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml - rules/network/command_and_control_download_rar_powershell_from_internet.toml - rules/network/command_and_control_fin7_c2_behavior.toml - rules/network/command_and_control_halfbaked_beacon.toml - rules/network/command_and_control_nat_traversal_port_activity.toml - rules/network/command_and_control_port_26_activity.toml - rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml - rules/network/command_and_control_telnet_port_activity.toml - rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml - rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml - 
rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml - rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml - rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml - rules/network/initial_access_unsecure_elasticsearch_node.toml - rules/promotions/credential_access_endgame_cred_dumping_detected.toml - rules/promotions/credential_access_endgame_cred_dumping_prevented.toml - rules/promotions/endgame_adversary_behavior_detected.toml - rules/promotions/endgame_malware_detected.toml - rules/promotions/endgame_malware_prevented.toml - rules/promotions/endgame_ransomware_detected.toml - rules/promotions/endgame_ransomware_prevented.toml - rules/promotions/execution_endgame_exploit_detected.toml - rules/promotions/execution_endgame_exploit_prevented.toml - rules/promotions/external_alerts.toml - rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml - rules/promotions/privilege_escalation_endgame_cred_manipulation_prevented.toml - rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml - rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml - rules/promotions/privilege_escalation_endgame_process_injection_detected.toml - rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml - rules/windows/collection_email_powershell_exchange_mailbox.toml - rules/windows/collection_posh_audio_capture.toml - rules/windows/collection_posh_keylogger.toml - rules/windows/collection_posh_screen_grabber.toml - rules/windows/collection_winrar_encryption.toml - rules/windows/command_and_control_certutil_network_connection.toml - rules/windows/command_and_control_common_webservices.toml - rules/windows/command_and_control_dns_tunneling_nslookup.toml - rules/windows/command_and_control_encrypted_channel_freesslcert.toml - rules/windows/command_and_control_iexplore_via_com.toml - 
rules/windows/command_and_control_port_forwarding_added_registry.toml - rules/windows/command_and_control_rdp_tunnel_plink.toml - rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml - rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml - rules/windows/command_and_control_remote_file_copy_powershell.toml - rules/windows/command_and_control_remote_file_copy_scripts.toml - rules/windows/command_and_control_sunburst_c2_activity_detected.toml - rules/windows/command_and_control_teamviewer_remote_file_copy.toml - rules/windows/credential_access_cmdline_dump_tool.toml - rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml - rules/windows/credential_access_credential_dumping_msbuild.toml - rules/windows/credential_access_dcsync_replication_rights.toml - rules/windows/credential_access_disable_kerberos_preauth.toml - rules/windows/credential_access_domain_backup_dpapi_private_keys.toml - rules/windows/credential_access_dump_registry_hives.toml - rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml - rules/windows/credential_access_iis_connectionstrings_dumping.toml - rules/windows/credential_access_kerberoasting_unusual_process.toml - rules/windows/credential_access_lsass_handle_via_malseclogon.toml - rules/windows/credential_access_lsass_memdump_file_created.toml - rules/windows/credential_access_lsass_memdump_handle_access.toml - rules/windows/credential_access_mimikatz_memssp_default_logs.toml - rules/windows/credential_access_mimikatz_powershell_module.toml - rules/windows/credential_access_mod_wdigest_security_provider.toml - rules/windows/credential_access_moving_registry_hive_via_smb.toml - rules/windows/credential_access_persistence_network_logon_provider_modification.toml - rules/windows/credential_access_posh_minidump.toml - rules/windows/credential_access_posh_request_ticket.toml - rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml - 
rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml - rules/windows/credential_access_remote_sam_secretsdump.toml - rules/windows/credential_access_saved_creds_vaultcmd.toml - rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml - rules/windows/credential_access_shadow_credentials.toml - rules/windows/credential_access_spn_attribute_modified.toml - rules/windows/credential_access_suspicious_comsvcs_imageload.toml - rules/windows/credential_access_suspicious_lsass_access_memdump.toml - rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml - rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml - rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml - rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml - rules/windows/defense_evasion_amsienable_key_mod.toml - rules/windows/defense_evasion_clearing_windows_console_history.toml - rules/windows/defense_evasion_clearing_windows_event_logs.toml - rules/windows/defense_evasion_clearing_windows_security_logs.toml - rules/windows/defense_evasion_create_mod_root_certificate.toml - rules/windows/defense_evasion_cve_2020_0601.toml - rules/windows/defense_evasion_defender_disabled_via_registry.toml - rules/windows/defense_evasion_defender_exclusion_via_powershell.toml - rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml - rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml - rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml - rules/windows/defense_evasion_disabling_windows_defender_powershell.toml - rules/windows/defense_evasion_disabling_windows_logs.toml - rules/windows/defense_evasion_dns_over_https_enabled.toml - rules/windows/defense_evasion_dotnet_compiler_parent_process.toml - rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml - 
rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml - rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml - rules/windows/defense_evasion_execution_lolbas_wuauclt.toml - rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml - rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml - rules/windows/defense_evasion_execution_msbuild_started_renamed.toml - rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml - rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml - rules/windows/defense_evasion_execution_windefend_unusual_path.toml - rules/windows/defense_evasion_file_creation_mult_extension.toml - rules/windows/defense_evasion_from_unusual_directory.toml - rules/windows/defense_evasion_hide_encoded_executable_registry.toml - rules/windows/defense_evasion_iis_httplogging_disabled.toml - rules/windows/defense_evasion_injection_msbuild.toml - rules/windows/defense_evasion_installutil_beacon.toml - rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml - rules/windows/defense_evasion_masquerading_renamed_autoit.toml - rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml - rules/windows/defense_evasion_masquerading_trusted_directory.toml - rules/windows/defense_evasion_masquerading_werfault.toml - rules/windows/defense_evasion_microsoft_defender_tampering.toml - rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml - rules/windows/defense_evasion_ms_office_suspicious_regmod.toml - rules/windows/defense_evasion_msbuild_making_network_connections.toml - rules/windows/defense_evasion_mshta_beacon.toml - rules/windows/defense_evasion_msxsl_network.toml - rules/windows/defense_evasion_network_connection_from_windows_binary.toml - rules/windows/defense_evasion_parent_process_pid_spoofing.toml - 
rules/windows/defense_evasion_posh_assembly_load.toml - rules/windows/defense_evasion_posh_compressed.toml - rules/windows/defense_evasion_posh_process_injection.toml - rules/windows/defense_evasion_potential_processherpaderping.toml - rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml - rules/windows/defense_evasion_process_termination_followed_by_deletion.toml - rules/windows/defense_evasion_proxy_execution_via_msdt.toml - rules/windows/defense_evasion_rundll32_no_arguments.toml - rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml - rules/windows/defense_evasion_sdelete_like_filename_rename.toml - rules/windows/defense_evasion_sip_provider_mod.toml - rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml - rules/windows/defense_evasion_suspicious_certutil_commands.toml - rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml - rules/windows/defense_evasion_suspicious_managedcode_host_process.toml - rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml - rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml - rules/windows/defense_evasion_suspicious_scrobj_load.toml - rules/windows/defense_evasion_suspicious_short_program_name.toml - rules/windows/defense_evasion_suspicious_wmi_script.toml - rules/windows/defense_evasion_suspicious_zoom_child_process.toml - rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml - rules/windows/defense_evasion_unusual_ads_file_creation.toml - rules/windows/defense_evasion_unusual_dir_ads.toml - rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml - rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml - rules/windows/defense_evasion_unusual_process_network_connection.toml - rules/windows/defense_evasion_unusual_system_vp_child_program.toml - rules/windows/defense_evasion_via_filter_manager.toml - 
rules/windows/defense_evasion_workfolders_control_execution.toml - rules/windows/discovery_adfind_command_activity.toml - rules/windows/discovery_admin_recon.toml - rules/windows/discovery_command_system_account.toml - rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml - rules/windows/discovery_net_view.toml - rules/windows/discovery_peripheral_device.toml - rules/windows/discovery_posh_suspicious_api_functions.toml - rules/windows/discovery_post_exploitation_external_ip_lookup.toml - rules/windows/discovery_privileged_localgroup_membership.toml - rules/windows/discovery_remote_system_discovery_commands_windows.toml - rules/windows/discovery_security_software_wmic.toml - rules/windows/discovery_whoami_command_activity.toml - rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml - rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml - rules/windows/execution_com_object_xwizard.toml - rules/windows/execution_command_prompt_connecting_to_the_internet.toml - rules/windows/execution_command_shell_started_by_svchost.toml - rules/windows/execution_command_shell_started_by_unusual_process.toml - rules/windows/execution_command_shell_via_rundll32.toml - rules/windows/execution_enumeration_via_wmiprvse.toml - rules/windows/execution_from_unusual_path_cmdline.toml - rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml - rules/windows/execution_ms_office_written_file.toml - rules/windows/execution_pdf_written_file.toml - rules/windows/execution_posh_portable_executable.toml - rules/windows/execution_posh_psreflect.toml - rules/windows/execution_psexec_lateral_movement_command.toml - rules/windows/execution_register_server_program_connecting_to_the_internet.toml - rules/windows/execution_scheduled_task_powershell_source.toml - rules/windows/execution_shared_modules_local_sxs_dll.toml - rules/windows/execution_suspicious_cmd_wmi.toml - 
rules/windows/execution_suspicious_image_load_wmi_ms_office.toml - rules/windows/execution_suspicious_pdf_reader.toml - rules/windows/execution_suspicious_powershell_imgload.toml - rules/windows/execution_suspicious_psexesvc.toml - rules/windows/execution_via_compiled_html_file.toml - rules/windows/execution_via_hidden_shell_conhost.toml - rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml - rules/windows/impact_backup_file_deletion.toml - rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml - rules/windows/impact_modification_of_boot_config.toml - rules/windows/impact_stop_process_service_threshold.toml - rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml - rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml - rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml - rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml - rules/windows/initial_access_script_executing_powershell.toml - rules/windows/initial_access_scripts_process_started_via_wmi.toml - rules/windows/initial_access_suspicious_ms_exchange_files.toml - rules/windows/initial_access_suspicious_ms_exchange_process.toml - rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml - rules/windows/initial_access_suspicious_ms_office_child_process.toml - rules/windows/initial_access_suspicious_ms_outlook_child_process.toml - rules/windows/initial_access_unusual_dns_service_children.toml - rules/windows/initial_access_unusual_dns_service_file_writes.toml - rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml - rules/windows/lateral_movement_cmd_service.toml - rules/windows/lateral_movement_dcom_hta.toml - rules/windows/lateral_movement_dcom_mmc20.toml - rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml - rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml - 
rules/windows/lateral_movement_direct_outbound_smb_connection.toml - rules/windows/lateral_movement_dns_server_overflow.toml - rules/windows/lateral_movement_evasion_rdp_shadowing.toml - rules/windows/lateral_movement_executable_tool_transfer_smb.toml - rules/windows/lateral_movement_execution_from_tsclient_mup.toml - rules/windows/lateral_movement_execution_via_file_shares_sequence.toml - rules/windows/lateral_movement_incoming_winrm_shell_execution.toml - rules/windows/lateral_movement_incoming_wmi.toml - rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml - rules/windows/lateral_movement_powershell_remoting_target.toml - rules/windows/lateral_movement_rdp_enabled_registry.toml - rules/windows/lateral_movement_rdp_sharprdp_target.toml - rules/windows/lateral_movement_remote_file_copy_hidden_share.toml - rules/windows/lateral_movement_remote_services.toml - rules/windows/lateral_movement_scheduled_task_target.toml - rules/windows/lateral_movement_service_control_spawned_script_int.toml - rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml - rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml - rules/windows/persistence_ad_adminsdholder.toml - rules/windows/persistence_adobe_hijack_persistence.toml - rules/windows/persistence_app_compat_shim.toml - rules/windows/persistence_appcertdlls_registry.toml - rules/windows/persistence_appinitdlls_registry.toml - rules/windows/persistence_dontexpirepasswd_account.toml - rules/windows/persistence_evasion_hidden_local_account_creation.toml - rules/windows/persistence_evasion_registry_ifeo_injection.toml - rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml - rules/windows/persistence_gpo_schtask_service_creation.toml - rules/windows/persistence_local_scheduled_job_creation.toml - rules/windows/persistence_local_scheduled_task_creation.toml - rules/windows/persistence_local_scheduled_task_scripting.toml - rules/windows/persistence_ms_office_addins_file.toml 
- rules/windows/persistence_ms_outlook_vba_template.toml - rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml - rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml - rules/windows/persistence_priv_escalation_via_accessibility_features.toml - rules/windows/persistence_registry_uncommon.toml - rules/windows/persistence_remote_password_reset.toml - rules/windows/persistence_run_key_and_startup_broad.toml - rules/windows/persistence_runtime_run_key_startup_susp_procs.toml - rules/windows/persistence_sdprop_exclusion_dsheuristics.toml - rules/windows/persistence_services_registry.toml - rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml - rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml - rules/windows/persistence_startup_folder_scripts.toml - rules/windows/persistence_suspicious_com_hijack_registry.toml - rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml - rules/windows/persistence_suspicious_scheduled_task_runtime.toml - rules/windows/persistence_suspicious_service_created_registry.toml - rules/windows/persistence_system_shells_via_services.toml - rules/windows/persistence_time_provider_mod.toml - rules/windows/persistence_user_account_added_to_privileged_group_ad.toml - rules/windows/persistence_user_account_creation.toml - rules/windows/persistence_via_application_shimming.toml - rules/windows/persistence_via_bits_job_notify_command.toml - rules/windows/persistence_via_hidden_run_key_valuename.toml - rules/windows/persistence_via_lsa_security_support_provider_registry.toml - rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml - rules/windows/persistence_via_update_orchestrator_service_hijack.toml - rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml - rules/windows/persistence_via_wmi_stdregprov_run_services.toml - rules/windows/persistence_webshell_detection.toml - 
rules/windows/privilege_escalation_disable_uac_registry.toml - rules/windows/privilege_escalation_group_policy_iniscript.toml - rules/windows/privilege_escalation_group_policy_privileged_groups.toml - rules/windows/privilege_escalation_group_policy_scheduled_task.toml - rules/windows/privilege_escalation_installertakeover.toml - rules/windows/privilege_escalation_krbrelayup_service_creation.toml - rules/windows/privilege_escalation_lsa_auth_package.toml - rules/windows/privilege_escalation_named_pipe_impersonation.toml - rules/windows/privilege_escalation_persistence_phantom_dll.toml - rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml - rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml - rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml - rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml - rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml - rules/windows/privilege_escalation_rogue_windir_environment_var.toml - rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml - rules/windows/privilege_escalation_suspicious_dnshostname_update.toml - rules/windows/privilege_escalation_uac_bypass_com_clipup.toml - rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml - rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml - rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml - rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml - rules/windows/privilege_escalation_uac_bypass_event_viewer.toml - rules/windows/privilege_escalation_uac_bypass_mock_windir.toml - rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml - rules/windows/privilege_escalation_unusual_parentchild_relationship.toml - rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml - rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml - 
rules/windows/privilege_escalation_via_rogue_named_pipe.toml - rules/windows/privilege_escalation_windows_service_via_unusual_client.toml (selectively cherry picked from commit 46d5e37)
protectionsmachine pushed a commit that referenced this pull request on Aug 24, 2022
* min_stack all rules to 8.3 * bump date Co-authored-by: Mika Ayenson <mika.ayenson@elastic.co> Removed changes from: - rules/apm/apm_403_response_to_a_post.toml - rules/apm/apm_405_response_method_not_allowed.toml - rules/apm/apm_null_user_agent.toml - rules/apm/apm_sqlmap_user_agent.toml - rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml - rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml - rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml - rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml - rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml - rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml - rules/cross-platform/defense_evasion_timestomp_touch.toml - rules/cross-platform/discovery_security_software_grep.toml - rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml - rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml - rules/cross-platform/execution_revershell_via_shell_cmd.toml - rules/cross-platform/execution_suspicious_jar_child_process.toml - rules/cross-platform/execution_suspicious_java_netcon_childproc.toml - rules/cross-platform/impact_hosts_file_modified.toml - rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml - rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml - rules/cross-platform/persistence_shell_profile_modification.toml - rules/cross-platform/persistence_ssh_authorized_keys_modification.toml - rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml - rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml - rules/cross-platform/privilege_escalation_sudo_buffer_overflow.toml - rules/cross-platform/privilege_escalation_sudoers_file_mod.toml - rules/cross-platform/threat_intel_filebeat8x.toml - rules/cross-platform/threat_intel_fleet_integrations.toml - 
rules/integrations/aws/collection_cloudtrail_logging_created.toml - rules/integrations/aws/credential_access_aws_iam_assume_role_brute_force.toml - rules/integrations/aws/credential_access_iam_user_addition_to_group.toml - rules/integrations/aws/credential_access_root_console_failure_brute_force.toml - rules/integrations/aws/credential_access_secretsmanager_getsecretvalue.toml - rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml - rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml - rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml - rules/integrations/aws/defense_evasion_config_service_rule_deletion.toml - rules/integrations/aws/defense_evasion_configuration_recorder_stopped.toml - rules/integrations/aws/defense_evasion_ec2_flow_log_deletion.toml - rules/integrations/aws/defense_evasion_ec2_network_acl_deletion.toml - rules/integrations/aws/defense_evasion_elasticache_security_group_creation.toml - rules/integrations/aws/defense_evasion_elasticache_security_group_modified_or_deleted.toml - rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml - rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml - rules/integrations/aws/defense_evasion_waf_acl_deletion.toml - rules/integrations/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml - rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml - rules/integrations/aws/exfiltration_ec2_snapshot_change_activity.toml - rules/integrations/aws/exfiltration_ec2_vm_export_failure.toml - rules/integrations/aws/exfiltration_rds_snapshot_export.toml - rules/integrations/aws/exfiltration_rds_snapshot_restored.toml - rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml - rules/integrations/aws/impact_cloudtrail_logging_updated.toml - rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml - rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml - 
rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml - rules/integrations/aws/impact_efs_filesystem_or_mount_deleted.toml - rules/integrations/aws/impact_iam_deactivate_mfa_device.toml - rules/integrations/aws/impact_iam_group_deletion.toml - rules/integrations/aws/impact_rds_group_deletion.toml - rules/integrations/aws/impact_rds_instance_cluster_deletion.toml - rules/integrations/aws/impact_rds_instance_cluster_stoppage.toml - rules/integrations/aws/initial_access_console_login_root.toml - rules/integrations/aws/initial_access_password_recovery.toml - rules/integrations/aws/initial_access_via_system_manager.toml - rules/integrations/aws/ml_cloudtrail_error_message_spike.toml - rules/integrations/aws/ml_cloudtrail_rare_error_code.toml - rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml - rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml - rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml - rules/integrations/aws/persistence_ec2_network_acl_creation.toml - rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml - rules/integrations/aws/persistence_iam_group_creation.toml - rules/integrations/aws/persistence_rds_cluster_creation.toml - rules/integrations/aws/persistence_rds_group_creation.toml - rules/integrations/aws/persistence_rds_instance_creation.toml - rules/integrations/aws/persistence_redshift_instance_creation.toml - rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml - rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml - rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml - rules/integrations/aws/persistence_route_table_created.toml - rules/integrations/aws/persistence_route_table_modified_or_deleted.toml - rules/integrations/aws/privilege_escalation_aws_suspicious_saml_activity.toml - rules/integrations/aws/privilege_escalation_root_login_without_mfa.toml - 
rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml - rules/integrations/aws/privilege_escalation_sts_getsessiontoken_abuse.toml - rules/integrations/aws/privilege_escalation_updateassumerolepolicy.toml - rules/integrations/azure/collection_update_event_hub_auth_rule.toml - rules/integrations/azure/credential_access_azure_full_network_packet_capture_detected.toml - rules/integrations/azure/credential_access_key_vault_modified.toml - rules/integrations/azure/credential_access_storage_account_key_regenerated.toml - rules/integrations/azure/defense_evasion_azure_application_credential_modification.toml - rules/integrations/azure/defense_evasion_azure_automation_runbook_deleted.toml - rules/integrations/azure/defense_evasion_azure_blob_permissions_modified.toml - rules/integrations/azure/defense_evasion_azure_diagnostic_settings_deletion.toml - rules/integrations/azure/defense_evasion_azure_service_principal_addition.toml - rules/integrations/azure/defense_evasion_event_hub_deletion.toml - rules/integrations/azure/defense_evasion_firewall_policy_deletion.toml - rules/integrations/azure/defense_evasion_frontdoor_firewall_policy_deletion.toml - rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml - rules/integrations/azure/defense_evasion_network_watcher_deletion.toml - rules/integrations/azure/defense_evasion_suppression_rule_created.toml - rules/integrations/azure/discovery_blob_container_access_mod.toml - rules/integrations/azure/execution_command_virtual_machine.toml - rules/integrations/azure/impact_azure_service_principal_credentials_added.toml - rules/integrations/azure/impact_kubernetes_pod_deleted.toml - rules/integrations/azure/impact_resource_group_deletion.toml - rules/integrations/azure/impact_virtual_network_device_modified.toml - rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin.toml - rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml - 
rules/integrations/azure/initial_access_azure_active_directory_powershell_signin.toml - rules/integrations/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml - rules/integrations/azure/initial_access_external_guest_user_invite.toml - rules/integrations/azure/persistence_azure_automation_account_created.toml - rules/integrations/azure/persistence_azure_automation_runbook_created_or_modified.toml - rules/integrations/azure/persistence_azure_automation_webhook_created.toml - rules/integrations/azure/persistence_azure_conditional_access_policy_modified.toml - rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml - rules/integrations/azure/persistence_azure_pim_user_added_global_admin.toml - rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml - rules/integrations/azure/persistence_mfa_disabled_for_azure_user.toml - rules/integrations/azure/persistence_user_added_as_owner_for_azure_application.toml - rules/integrations/azure/persistence_user_added_as_owner_for_azure_service_principal.toml - rules/integrations/azure/privilege_escalation_azure_kubernetes_rolebinding_created.toml - rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml - rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml - rules/integrations/endpoint/elastic_endpoint_security.toml - rules/integrations/gcp/collection_gcp_pub_sub_subscription_creation.toml - rules/integrations/gcp/collection_gcp_pub_sub_topic_creation.toml - rules/integrations/gcp/defense_evasion_gcp_firewall_rule_created.toml - rules/integrations/gcp/defense_evasion_gcp_firewall_rule_deleted.toml - rules/integrations/gcp/defense_evasion_gcp_firewall_rule_modified.toml - rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml - rules/integrations/gcp/defense_evasion_gcp_logging_sink_deletion.toml - 
rules/integrations/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml - rules/integrations/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml - rules/integrations/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml - rules/integrations/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml - rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_network_deleted.toml - rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_created.toml - rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_deleted.toml - rules/integrations/gcp/exfiltration_gcp_logging_sink_modification.toml - rules/integrations/gcp/impact_gcp_iam_role_deletion.toml - rules/integrations/gcp/impact_gcp_service_account_deleted.toml - rules/integrations/gcp/impact_gcp_service_account_disabled.toml - rules/integrations/gcp/impact_gcp_storage_bucket_deleted.toml - rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml - rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml - rules/integrations/gcp/persistence_gcp_key_created_for_service_account.toml - rules/integrations/gcp/persistence_gcp_service_account_created.toml - rules/integrations/gcp/privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.toml - rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml - rules/integrations/google_workspace/impact_google_workspace_admin_role_deletion.toml - rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml - rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml - rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml - rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.toml - 
rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml - rules/integrations/google_workspace/persistence_google_workspace_policy_modified.toml - rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml - rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml - rules/integrations/kubernetes/discovery_suspicious_self_subject_review.toml - rules/integrations/kubernetes/execution_user_exec_to_pod.toml - rules/integrations/kubernetes/persistence_exposed_service_created_with_type_nodeport.toml - rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostipc.toml - rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml - rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostpid.toml - rules/integrations/kubernetes/privilege_escalation_pod_created_with_sensitive_hospath_volume.toml - rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml - rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml - rules/integrations/o365/credential_access_microsoft_365_brute_force_user_account_attempt.toml - rules/integrations/o365/credential_access_microsoft_365_potential_password_spraying_attack.toml - rules/integrations/o365/credential_access_user_excessive_sso_logon_errors.toml - rules/integrations/o365/defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml - rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml - rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml - rules/integrations/o365/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml - rules/integrations/o365/defense_evasion_microsoft_365_mailboxauditbypassassociation.toml - rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml - 
rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_mod.toml - rules/integrations/o365/impact_microsoft_365_potential_ransomware_activity.toml - rules/integrations/o365/impact_microsoft_365_unusual_volume_of_file_deletion.toml - rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml - rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml - rules/integrations/o365/initial_access_microsoft_365_exchange_safelinks_disabled.toml - rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml - rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml - rules/integrations/o365/lateral_movement_malware_uploaded_onedrive.toml - rules/integrations/o365/lateral_movement_malware_uploaded_sharepoint.toml - rules/integrations/o365/persistence_exchange_suspicious_mailbox_right_delegation.toml - rules/integrations/o365/persistence_microsoft_365_exchange_dkim_signing_config_disabled.toml - rules/integrations/o365/persistence_microsoft_365_exchange_management_role_assignment.toml - rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml - rules/integrations/o365/persistence_microsoft_365_teams_custom_app_interaction_allowed.toml - rules/integrations/o365/persistence_microsoft_365_teams_external_access_enabled.toml - rules/integrations/o365/persistence_microsoft_365_teams_guest_access_enabled.toml - rules/integrations/o365/privilege_escalation_new_or_modified_federation_domain.toml - rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml - rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml - rules/integrations/okta/credential_access_mfa_push_brute_force.toml - rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml - rules/integrations/okta/credential_access_user_impersonation_access.toml - 
rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml - rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml - rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml - rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml - rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml - rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml - rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml - rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml - rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml - rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml - rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml - rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml - rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml - rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml - rules/integrations/okta/impact_possible_okta_dos_attack.toml - rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml - rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml - rules/integrations/okta/okta_threat_detected_by_okta_threatinsight.toml - rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml - rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml - rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml - rules/integrations/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml - rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml - 
rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml - rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml - rules/linux/command_and_control_linux_iodine_activity.toml - rules/linux/command_and_control_tunneling_via_earthworm.toml - rules/linux/credential_access_collection_sensitive_files.toml - rules/linux/credential_access_ssh_backdoor_log.toml - rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml - rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml - rules/linux/defense_evasion_chattr_immutable_file.toml - rules/linux/defense_evasion_disable_selinux_attempt.toml - rules/linux/defense_evasion_file_deletion_via_shred.toml - rules/linux/defense_evasion_file_mod_writable_dir.toml - rules/linux/defense_evasion_hidden_file_dir_tmp.toml - rules/linux/defense_evasion_hidden_shared_object.toml - rules/linux/defense_evasion_kernel_module_removal.toml - rules/linux/defense_evasion_log_files_deleted.toml - rules/linux/discovery_kernel_module_enumeration.toml - rules/linux/discovery_linux_hping_activity.toml - rules/linux/discovery_linux_nping_activity.toml - rules/linux/discovery_virtual_machine_fingerprinting.toml - rules/linux/execution_abnormal_process_id_file_created.toml - rules/linux/execution_linux_netcat_network_connection.toml - rules/linux/execution_perl_tty_shell.toml - rules/linux/execution_process_started_from_process_id_file.toml - rules/linux/execution_process_started_in_shared_memory_directory.toml - rules/linux/execution_python_tty_shell.toml - rules/linux/execution_shell_evasion_linux_binary.toml - rules/linux/execution_tc_bpf_filter.toml - rules/linux/impact_process_kill_threshold.toml - rules/linux/lateral_movement_telnet_network_activity_external.toml - rules/linux/lateral_movement_telnet_network_activity_internal.toml - rules/linux/persistence_chkconfig_service_add.toml - 
rules/linux/persistence_credential_access_modify_ssh_binaries.toml - rules/linux/persistence_dynamic_linker_backup.toml - rules/linux/persistence_etc_file_creation.toml - rules/linux/persistence_insmod_kernel_module_load.toml - rules/linux/persistence_kde_autostart_modification.toml - rules/linux/persistence_shell_activity_by_web_server.toml - rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml - rules/linux/privilege_escalation_pkexec_envar_hijack.toml - rules/macos/credential_access_access_to_browser_credentials_procargs.toml - rules/macos/credential_access_credentials_keychains.toml - rules/macos/credential_access_dumping_hashes_bi_cmds.toml - rules/macos/credential_access_dumping_keychain_security.toml - rules/macos/credential_access_kerberosdump_kcc.toml - rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml - rules/macos/credential_access_mitm_localhost_webproxy.toml - rules/macos/credential_access_potential_ssh_bruteforce.toml - rules/macos/credential_access_promt_for_pwd_via_osascript.toml - rules/macos/credential_access_systemkey_dumping.toml - rules/macos/defense_evasion_apple_softupdates_modification.toml - rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml - rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml - rules/macos/defense_evasion_install_root_certificate.toml - rules/macos/defense_evasion_modify_environment_launchctl.toml - rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml - rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml - rules/macos/defense_evasion_safari_config_change.toml - rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml - rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml - rules/macos/defense_evasion_unload_endpointsecurity_kext.toml - rules/macos/discovery_users_domain_built_in_commands.toml - rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml - 
rules/macos/execution_initial_access_suspicious_browser_childproc.toml - rules/macos/execution_installer_package_spawned_network_event.toml - rules/macos/execution_script_via_automator_workflows.toml - rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml - rules/macos/execution_shell_execution_via_apple_scripting.toml - rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml - rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml - rules/macos/lateral_movement_mounting_smb_share.toml - rules/macos/lateral_movement_remote_ssh_login_enabled.toml - rules/macos/lateral_movement_vpn_connection_attempt.toml - rules/macos/persistence_account_creation_hide_at_logon.toml - rules/macos/persistence_creation_change_launch_agents_file.toml - rules/macos/persistence_creation_hidden_login_item_osascript.toml - rules/macos/persistence_creation_modif_launch_deamon_sequence.toml - rules/macos/persistence_credential_access_authorization_plugin_creation.toml - rules/macos/persistence_crontab_creation.toml - rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml - rules/macos/persistence_directory_services_plugins_modification.toml - rules/macos/persistence_docker_shortcuts_plist_modification.toml - rules/macos/persistence_emond_rules_file_creation.toml - rules/macos/persistence_emond_rules_process_execution.toml - rules/macos/persistence_enable_root_account.toml - rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml - rules/macos/persistence_finder_sync_plugin_pluginkit.toml - rules/macos/persistence_folder_action_scripts_runtime.toml - rules/macos/persistence_login_logout_hooks_defaults.toml - rules/macos/persistence_loginwindow_plist_modification.toml - rules/macos/persistence_modification_sublime_app_plugin_or_script.toml - rules/macos/persistence_periodic_tasks_file_mdofiy.toml - rules/macos/persistence_screensaver_engine_unexpected_child_process.toml - 
rules/macos/persistence_screensaver_plist_file_modification.toml - rules/macos/persistence_suspicious_calendar_modification.toml - rules/macos/persistence_via_atom_init_file_modification.toml - rules/macos/privilege_escalation_applescript_with_admin_privs.toml - rules/macos/privilege_escalation_explicit_creds_via_scripting.toml - rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml - rules/macos/privilege_escalation_local_user_added_to_admin.toml - rules/macos/privilege_escalation_root_crontab_filemod.toml - rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml - rules/ml/command_and_control_ml_packetbeat_rare_dns_question.toml - rules/ml/command_and_control_ml_packetbeat_rare_urls.toml - rules/ml/command_and_control_ml_packetbeat_rare_user_agent.toml - rules/ml/credential_access_ml_auth_spike_in_failed_logon_events.toml - rules/ml/credential_access_ml_auth_spike_in_logon_events.toml - rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml - rules/ml/credential_access_ml_linux_anomalous_metadata_process.toml - rules/ml/credential_access_ml_linux_anomalous_metadata_user.toml - rules/ml/credential_access_ml_suspicious_login_activity.toml - rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml - rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml - rules/ml/discovery_ml_linux_system_information_discovery.toml - rules/ml/discovery_ml_linux_system_network_configuration_discovery.toml - rules/ml/discovery_ml_linux_system_network_connection_discovery.toml - rules/ml/discovery_ml_linux_system_process_discovery.toml - rules/ml/discovery_ml_linux_system_user_discovery.toml - rules/ml/execution_ml_windows_anomalous_script.toml - rules/ml/initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml - rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml - rules/ml/initial_access_ml_auth_rare_user_logon.toml - rules/ml/initial_access_ml_linux_anomalous_user_name.toml - 
rules/ml/initial_access_ml_windows_anomalous_user_name.toml - rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml - rules/ml/ml_high_count_network_denies.toml - rules/ml/ml_high_count_network_events.toml - rules/ml/ml_linux_anomalous_network_activity.toml - rules/ml/ml_linux_anomalous_network_port_activity.toml - rules/ml/ml_packetbeat_rare_server_domain.toml - rules/ml/ml_rare_destination_country.toml - rules/ml/ml_spike_in_traffic_to_a_country.toml - rules/ml/ml_windows_anomalous_network_activity.toml - rules/ml/persistence_ml_linux_anomalous_process_all_hosts.toml - rules/ml/persistence_ml_rare_process_by_host_linux.toml - rules/ml/persistence_ml_rare_process_by_host_windows.toml - rules/ml/persistence_ml_windows_anomalous_path_activity.toml - rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml - rules/ml/persistence_ml_windows_anomalous_process_creation.toml - rules/ml/persistence_ml_windows_anomalous_service.toml - rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml - rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml - rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml - rules/network/command_and_control_cobalt_strike_beacon.toml - rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml - rules/network/command_and_control_download_rar_powershell_from_internet.toml - rules/network/command_and_control_fin7_c2_behavior.toml - rules/network/command_and_control_halfbaked_beacon.toml - rules/network/command_and_control_nat_traversal_port_activity.toml - rules/network/command_and_control_port_26_activity.toml - rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml - rules/network/command_and_control_telnet_port_activity.toml - rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml - rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml - 
rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml - rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml - rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml - rules/network/initial_access_unsecure_elasticsearch_node.toml - rules/promotions/credential_access_endgame_cred_dumping_detected.toml - rules/promotions/credential_access_endgame_cred_dumping_prevented.toml - rules/promotions/endgame_adversary_behavior_detected.toml - rules/promotions/endgame_malware_detected.toml - rules/promotions/endgame_malware_prevented.toml - rules/promotions/endgame_ransomware_detected.toml - rules/promotions/endgame_ransomware_prevented.toml - rules/promotions/execution_endgame_exploit_detected.toml - rules/promotions/execution_endgame_exploit_prevented.toml - rules/promotions/external_alerts.toml - rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml - rules/promotions/privilege_escalation_endgame_cred_manipulation_prevented.toml - rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml - rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml - rules/promotions/privilege_escalation_endgame_process_injection_detected.toml - rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml - rules/windows/collection_email_powershell_exchange_mailbox.toml - rules/windows/collection_posh_audio_capture.toml - rules/windows/collection_posh_keylogger.toml - rules/windows/collection_posh_screen_grabber.toml - rules/windows/collection_winrar_encryption.toml - rules/windows/command_and_control_certutil_network_connection.toml - rules/windows/command_and_control_common_webservices.toml - rules/windows/command_and_control_dns_tunneling_nslookup.toml - rules/windows/command_and_control_encrypted_channel_freesslcert.toml - rules/windows/command_and_control_iexplore_via_com.toml - 
rules/windows/command_and_control_port_forwarding_added_registry.toml - rules/windows/command_and_control_rdp_tunnel_plink.toml - rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml - rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml - rules/windows/command_and_control_remote_file_copy_powershell.toml - rules/windows/command_and_control_remote_file_copy_scripts.toml - rules/windows/command_and_control_sunburst_c2_activity_detected.toml - rules/windows/command_and_control_teamviewer_remote_file_copy.toml - rules/windows/credential_access_cmdline_dump_tool.toml - rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml - rules/windows/credential_access_credential_dumping_msbuild.toml - rules/windows/credential_access_dcsync_replication_rights.toml - rules/windows/credential_access_disable_kerberos_preauth.toml - rules/windows/credential_access_domain_backup_dpapi_private_keys.toml - rules/windows/credential_access_dump_registry_hives.toml - rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml - rules/windows/credential_access_iis_connectionstrings_dumping.toml - rules/windows/credential_access_kerberoasting_unusual_process.toml - rules/windows/credential_access_lsass_handle_via_malseclogon.toml - rules/windows/credential_access_lsass_memdump_file_created.toml - rules/windows/credential_access_lsass_memdump_handle_access.toml - rules/windows/credential_access_mimikatz_memssp_default_logs.toml - rules/windows/credential_access_mimikatz_powershell_module.toml - rules/windows/credential_access_mod_wdigest_security_provider.toml - rules/windows/credential_access_moving_registry_hive_via_smb.toml - rules/windows/credential_access_persistence_network_logon_provider_modification.toml - rules/windows/credential_access_posh_minidump.toml - rules/windows/credential_access_posh_request_ticket.toml - rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml - 
rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml - rules/windows/credential_access_remote_sam_secretsdump.toml - rules/windows/credential_access_saved_creds_vaultcmd.toml - rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml - rules/windows/credential_access_shadow_credentials.toml - rules/windows/credential_access_spn_attribute_modified.toml - rules/windows/credential_access_suspicious_comsvcs_imageload.toml - rules/windows/credential_access_suspicious_lsass_access_memdump.toml - rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml - rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml - rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml - rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml - rules/windows/defense_evasion_amsienable_key_mod.toml - rules/windows/defense_evasion_clearing_windows_console_history.toml - rules/windows/defense_evasion_clearing_windows_event_logs.toml - rules/windows/defense_evasion_clearing_windows_security_logs.toml - rules/windows/defense_evasion_create_mod_root_certificate.toml - rules/windows/defense_evasion_cve_2020_0601.toml - rules/windows/defense_evasion_defender_disabled_via_registry.toml - rules/windows/defense_evasion_defender_exclusion_via_powershell.toml - rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml - rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml - rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml - rules/windows/defense_evasion_disabling_windows_defender_powershell.toml - rules/windows/defense_evasion_disabling_windows_logs.toml - rules/windows/defense_evasion_dns_over_https_enabled.toml - rules/windows/defense_evasion_dotnet_compiler_parent_process.toml - rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml - 
rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml - rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml - rules/windows/defense_evasion_execution_lolbas_wuauclt.toml - rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml - rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml - rules/windows/defense_evasion_execution_msbuild_started_renamed.toml - rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml - rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml - rules/windows/defense_evasion_execution_windefend_unusual_path.toml - rules/windows/defense_evasion_file_creation_mult_extension.toml - rules/windows/defense_evasion_from_unusual_directory.toml - rules/windows/defense_evasion_hide_encoded_executable_registry.toml - rules/windows/defense_evasion_iis_httplogging_disabled.toml - rules/windows/defense_evasion_injection_msbuild.toml - rules/windows/defense_evasion_installutil_beacon.toml - rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml - rules/windows/defense_evasion_masquerading_renamed_autoit.toml - rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml - rules/windows/defense_evasion_masquerading_trusted_directory.toml - rules/windows/defense_evasion_masquerading_werfault.toml - rules/windows/defense_evasion_microsoft_defender_tampering.toml - rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml - rules/windows/defense_evasion_ms_office_suspicious_regmod.toml - rules/windows/defense_evasion_msbuild_making_network_connections.toml - rules/windows/defense_evasion_mshta_beacon.toml - rules/windows/defense_evasion_msxsl_network.toml - rules/windows/defense_evasion_network_connection_from_windows_binary.toml - rules/windows/defense_evasion_parent_process_pid_spoofing.toml - 
rules/windows/defense_evasion_posh_assembly_load.toml - rules/windows/defense_evasion_posh_compressed.toml - rules/windows/defense_evasion_posh_process_injection.toml - rules/windows/defense_evasion_potential_processherpaderping.toml - rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml - rules/windows/defense_evasion_process_termination_followed_by_deletion.toml - rules/windows/defense_evasion_proxy_execution_via_msdt.toml - rules/windows/defense_evasion_rundll32_no_arguments.toml - rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml - rules/windows/defense_evasion_sdelete_like_filename_rename.toml - rules/windows/defense_evasion_sip_provider_mod.toml - rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml - rules/windows/defense_evasion_suspicious_certutil_commands.toml - rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml - rules/windows/defense_evasion_suspicious_managedcode_host_process.toml - rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml - rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml - rules/windows/defense_evasion_suspicious_scrobj_load.toml - rules/windows/defense_evasion_suspicious_short_program_name.toml - rules/windows/defense_evasion_suspicious_wmi_script.toml - rules/windows/defense_evasion_suspicious_zoom_child_process.toml - rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml - rules/windows/defense_evasion_unusual_ads_file_creation.toml - rules/windows/defense_evasion_unusual_dir_ads.toml - rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml - rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml - rules/windows/defense_evasion_unusual_process_network_connection.toml - rules/windows/defense_evasion_unusual_system_vp_child_program.toml - rules/windows/defense_evasion_via_filter_manager.toml - 
rules/windows/defense_evasion_workfolders_control_execution.toml - rules/windows/discovery_adfind_command_activity.toml - rules/windows/discovery_admin_recon.toml - rules/windows/discovery_command_system_account.toml - rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml - rules/windows/discovery_net_view.toml - rules/windows/discovery_peripheral_device.toml - rules/windows/discovery_posh_suspicious_api_functions.toml - rules/windows/discovery_post_exploitation_external_ip_lookup.toml - rules/windows/discovery_privileged_localgroup_membership.toml - rules/windows/discovery_remote_system_discovery_commands_windows.toml - rules/windows/discovery_security_software_wmic.toml - rules/windows/discovery_whoami_command_activity.toml - rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml - rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml - rules/windows/execution_com_object_xwizard.toml - rules/windows/execution_command_prompt_connecting_to_the_internet.toml - rules/windows/execution_command_shell_started_by_svchost.toml - rules/windows/execution_command_shell_started_by_unusual_process.toml - rules/windows/execution_command_shell_via_rundll32.toml - rules/windows/execution_enumeration_via_wmiprvse.toml - rules/windows/execution_from_unusual_path_cmdline.toml - rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml - rules/windows/execution_ms_office_written_file.toml - rules/windows/execution_pdf_written_file.toml - rules/windows/execution_posh_portable_executable.toml - rules/windows/execution_posh_psreflect.toml - rules/windows/execution_psexec_lateral_movement_command.toml - rules/windows/execution_register_server_program_connecting_to_the_internet.toml - rules/windows/execution_scheduled_task_powershell_source.toml - rules/windows/execution_shared_modules_local_sxs_dll.toml - rules/windows/execution_suspicious_cmd_wmi.toml - 
rules/windows/execution_suspicious_image_load_wmi_ms_office.toml - rules/windows/execution_suspicious_pdf_reader.toml - rules/windows/execution_suspicious_powershell_imgload.toml - rules/windows/execution_suspicious_psexesvc.toml - rules/windows/execution_via_compiled_html_file.toml - rules/windows/execution_via_hidden_shell_conhost.toml - rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml - rules/windows/impact_backup_file_deletion.toml - rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml - rules/windows/impact_modification_of_boot_config.toml - rules/windows/impact_stop_process_service_threshold.toml - rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml - rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml - rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml - rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml - rules/windows/initial_access_script_executing_powershell.toml - rules/windows/initial_access_scripts_process_started_via_wmi.toml - rules/windows/initial_access_suspicious_ms_exchange_files.toml - rules/windows/initial_access_suspicious_ms_exchange_process.toml - rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml - rules/windows/initial_access_suspicious_ms_office_child_process.toml - rules/windows/initial_access_suspicious_ms_outlook_child_process.toml - rules/windows/initial_access_unusual_dns_service_children.toml - rules/windows/initial_access_unusual_dns_service_file_writes.toml - rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml - rules/windows/lateral_movement_cmd_service.toml - rules/windows/lateral_movement_dcom_hta.toml - rules/windows/lateral_movement_dcom_mmc20.toml - rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml - rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml - 
rules/windows/lateral_movement_direct_outbound_smb_connection.toml - rules/windows/lateral_movement_dns_server_overflow.toml - rules/windows/lateral_movement_evasion_rdp_shadowing.toml - rules/windows/lateral_movement_executable_tool_transfer_smb.toml - rules/windows/lateral_movement_execution_from_tsclient_mup.toml - rules/windows/lateral_movement_execution_via_file_shares_sequence.toml - rules/windows/lateral_movement_incoming_winrm_shell_execution.toml - rules/windows/lateral_movement_incoming_wmi.toml - rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml - rules/windows/lateral_movement_powershell_remoting_target.toml - rules/windows/lateral_movement_rdp_enabled_registry.toml - rules/windows/lateral_movement_rdp_sharprdp_target.toml - rules/windows/lateral_movement_remote_file_copy_hidden_share.toml - rules/windows/lateral_movement_remote_services.toml - rules/windows/lateral_movement_scheduled_task_target.toml - rules/windows/lateral_movement_service_control_spawned_script_int.toml - rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml - rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml - rules/windows/persistence_ad_adminsdholder.toml - rules/windows/persistence_adobe_hijack_persistence.toml - rules/windows/persistence_app_compat_shim.toml - rules/windows/persistence_appcertdlls_registry.toml - rules/windows/persistence_appinitdlls_registry.toml - rules/windows/persistence_dontexpirepasswd_account.toml - rules/windows/persistence_evasion_hidden_local_account_creation.toml - rules/windows/persistence_evasion_registry_ifeo_injection.toml - rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml - rules/windows/persistence_gpo_schtask_service_creation.toml - rules/windows/persistence_local_scheduled_job_creation.toml - rules/windows/persistence_local_scheduled_task_creation.toml - rules/windows/persistence_local_scheduled_task_scripting.toml - rules/windows/persistence_ms_office_addins_file.toml 
- rules/windows/persistence_ms_outlook_vba_template.toml - rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml - rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml - rules/windows/persistence_priv_escalation_via_accessibility_features.toml - rules/windows/persistence_registry_uncommon.toml - rules/windows/persistence_remote_password_reset.toml - rules/windows/persistence_run_key_and_startup_broad.toml - rules/windows/persistence_runtime_run_key_startup_susp_procs.toml - rules/windows/persistence_sdprop_exclusion_dsheuristics.toml - rules/windows/persistence_services_registry.toml - rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml - rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml - rules/windows/persistence_startup_folder_scripts.toml - rules/windows/persistence_suspicious_com_hijack_registry.toml - rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml - rules/windows/persistence_suspicious_scheduled_task_runtime.toml - rules/windows/persistence_suspicious_service_created_registry.toml - rules/windows/persistence_system_shells_via_services.toml - rules/windows/persistence_time_provider_mod.toml - rules/windows/persistence_user_account_added_to_privileged_group_ad.toml - rules/windows/persistence_user_account_creation.toml - rules/windows/persistence_via_application_shimming.toml - rules/windows/persistence_via_bits_job_notify_command.toml - rules/windows/persistence_via_hidden_run_key_valuename.toml - rules/windows/persistence_via_lsa_security_support_provider_registry.toml - rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml - rules/windows/persistence_via_update_orchestrator_service_hijack.toml - rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml - rules/windows/persistence_via_wmi_stdregprov_run_services.toml - rules/windows/persistence_webshell_detection.toml - 
rules/windows/privilege_escalation_disable_uac_registry.toml - rules/windows/privilege_escalation_group_policy_iniscript.toml - rules/windows/privilege_escalation_group_policy_privileged_groups.toml - rules/windows/privilege_escalation_group_policy_scheduled_task.toml - rules/windows/privilege_escalation_installertakeover.toml - rules/windows/privilege_escalation_krbrelayup_service_creation.toml - rules/windows/privilege_escalation_lsa_auth_package.toml - rules/windows/privilege_escalation_named_pipe_impersonation.toml - rules/windows/privilege_escalation_persistence_phantom_dll.toml - rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml - rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml - rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml - rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml - rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml - rules/windows/privilege_escalation_rogue_windir_environment_var.toml - rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml - rules/windows/privilege_escalation_suspicious_dnshostname_update.toml - rules/windows/privilege_escalation_uac_bypass_com_clipup.toml - rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml - rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml - rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml - rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml - rules/windows/privilege_escalation_uac_bypass_event_viewer.toml - rules/windows/privilege_escalation_uac_bypass_mock_windir.toml - rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml - rules/windows/privilege_escalation_unusual_parentchild_relationship.toml - rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml - rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml - 
rules/windows/privilege_escalation_via_rogue_named_pipe.toml - rules/windows/privilege_escalation_windows_service_via_unusual_client.toml (selectively cherry picked from commit 46d5e37)
protectionsmachine pushed a commit that referenced this pull request Aug 24, 2022
* min_stack all rules to 8.3 * bump date Co-authored-by: Mika Ayenson <mika.ayenson@elastic.co> (cherry picked from commit 46d5e37)
protectionsmachine pushed a commit that referenced this pull request Aug 24, 2022
* min_stack all rules to 8.3 * bump date Co-authored-by: Mika Ayenson <mika.ayenson@elastic.co> (cherry picked from commit 46d5e37)
Labels
backport: auto
Domain: Cloud Workloads
Domain: Endpoint
Integration: AWS
AWS related rules
Integration: Azure
azure related rules
Integration: CyberArkPas
CyberArkPas integration
Integration: Endpoint
Elastic Endpoint Security
Integration: GCP
GCP related rules
Integration: Google Workspace
Integration: Microsoft 365
Integration: Okta
okta related rules
ML
machine learning related rule
OS: Linux
OS: macOS
Issues
related to #2251
Summary
min_stack all rules to 8.3 to account for new fields