Tags: esk1llz/detection-rules
Lock versions for releases: 7.13,7.14,7.15,7.16,8.0,8.1 (elastic#1781) * Locked versions for releases: 7.13,7.14,7.15,7.16,8.0,8.1 (cherry picked from commit 5e073af)
[Rule Tuning] Sysmon Registry-based Rules Review & Fixes (elastic#1775) * Initial Review of Sysmon Registry Rules * Update defense_evasion_sip_provider_mod.toml
Lock versions for releases: 7.13,7.14,7.15,7.16,8.0,8.1 (elastic#1768) * Locked versions for releases: 7.13,7.14,7.15,7.16,8.0,8.1 * Trigger Build * Remove change to trigger build Co-authored-by: DefSecSentinel <DefSecSentinel@users.noreply.github.com> Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> (cherry picked from commit 8f36346)
Revert "[Rule Tuning] Interactive Terminal Spawned via Python - Python3 and bypasses fix (elastic#1649)" (elastic#1731) This reverts commit 625d1df.
Add pyproject.toml and setup.cfg (elastic#1672) * add pyproject.toml * add setup.cfg (cherry picked from commit 179ebb5)
[New Rule] PowerShell Suspicious Script with Screenshot Capabilities (elastic#1581) * Create collection_posh_screen_grabber.toml * Update collection_posh_screen_grabber.toml * Update collection_posh_screen_grabber.toml * Update collection_posh_screen_grabber.toml * Update rules/windows/collection_posh_screen_grabber.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update query condition * lint * Update execution_python_tty_shell.toml * Revert "Update execution_python_tty_shell.toml" This reverts commit d2d72ea. * Update collection_posh_screen_grabber.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Lock versions for releases: 7.13,7.14,7.15,7.16 (elastic#1659) * Locked versions for releases: 7.13,7.14,7.15,7.16 (cherry picked from commit a33de6b)
[Rule Tuning] Support ECS 1.11 field for IM rule (elastic#1560) * Support ecs field for IM rule * update time interval * Change additional lookback to 5 minutes * Add old rule * Add newline * Update rules/cross-platform/threat_intel_module_match.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Remove im legacy rule * Update name and description * Remove min_stack_comment * Keep 2 IM rule * add min_stack_comments to rule * Update rules/cross-platform/threat_intel_indicator_match.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * adds new rules Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Ece Özalp <ozale272@newschool.edu> Co-authored-by: Ece Ozalp <ece.ozalp@elastic.co>