├── .github ├── CODEOWNERS ├── ISSUE_TEMPLATE │ ├── bug_report.yaml │ ├── feature_request.yaml │ ├── hunt_tuning.yaml │ ├── new_hunt.yaml │ ├── new_meta.yaml │ ├── new_rule.yaml │ ├── rule_deprecation.yaml │ ├── rule_tuning.yaml │ └── schema_feature_request.yaml ├── PULL_REQUEST_GUIDELINES │ ├── bug_guidelines.md │ ├── enhancement_guidelines.md │ ├── hunt_new_guidelines.md │ ├── hunt_tuning_guidelines.md │ ├── rule_deprecation_guidelines.md │ ├── rule_new_guidelines.md │ ├── rule_tuning_guidelines.md │ └── schema_enhancement_guidelines.md ├── PULL_REQUEST_TEMPLATE.md ├── paths-labeller.yml ├── release-drafter.yml ├── stale.yml └── workflows │ ├── add-guidelines.yml │ ├── backport.yml │ ├── branch-status-checks.yml │ ├── code-checks.yml │ ├── community.yml │ ├── docs-build.yml │ ├── docs-cleanup.yml │ ├── esql-validation.yml │ ├── get-target-branches.yml │ ├── kibana-mitre-update.yml │ ├── lock-versions.yml │ ├── manual-backport.yml │ ├── pythonpackage.yml │ ├── react-tests-dispatcher.yml │ ├── release-docs.yml │ ├── release-fleet.yml │ └── version-code-and-release.yml ├── .gitignore ├── .gitmodules ├── .pre-commit-config.yaml ├── CLI.md ├── CONTRIBUTING.md ├── LICENSE.txt ├── Makefile ├── NOTICE.txt ├── PHILOSOPHY.md ├── README.md ├── Troubleshooting.md ├── catalog-info.yaml ├── detection_rules ├── __init__.py ├── __main__.py ├── action.py ├── action_connector.py ├── attack.py ├── beats.py ├── cli_utils.py ├── config.py ├── custom_rules.py ├── custom_schemas.py ├── devtools.py ├── docs.py ├── ecs.py ├── endgame.py ├── esql.py ├── esql_errors.py ├── eswrap.py ├── etc │ ├── __init__.py │ ├── _config.yaml │ ├── api_schemas │ │ ├── 7.10 │ │ │ ├── 7.10.base.json │ │ │ ├── 7.10.eql.json │ │ │ ├── 7.10.machine_learning.json │ │ │ ├── 7.10.query.json │ │ │ ├── 7.10.saved_query.json │ │ │ └── 7.10.threshold.json │ │ ├── 7.11 │ │ │ ├── 7.11.base.json │ │ │ ├── 7.11.eql.json │ │ │ ├── 7.11.machine_learning.json │ │ │ ├── 7.11.query.json │ │ │ ├── 7.11.saved_query.json │ │ │ └── 7.11.threshold.json │ │ ├── 7.12 │ │ │ ├── 7.12.base.json │ │ │ ├── 7.12.eql.json │ │ │ ├── 7.12.machine_learning.json │ │ │ ├── 7.12.query.json │ │ │ ├── 7.12.saved_query.json │ │ │ └── 7.12.threshold.json │ │ ├── 7.13 │ │ │ ├── 7.13.base.json │ │ │ ├── 7.13.eql.json │ │ │ ├── 7.13.machine_learning.json │ │ │ ├── 7.13.query.json │ │ │ ├── 7.13.threat_match.json │ │ │ └── 7.13.threshold.json │ │ ├── 7.14 │ │ │ ├── 7.14.base.json │ │ │ ├── 7.14.eql.json │ │ │ ├── 7.14.machine_learning.json │ │ │ ├── 7.14.query.json │ │ │ ├── 7.14.threat_match.json │ │ │ └── 7.14.threshold.json │ │ ├── 7.15 │ │ │ ├── 7.15.base.json │ │ │ ├── 7.15.eql.json │ │ │ ├── 7.15.machine_learning.json │ │ │ ├── 7.15.query.json │ │ │ ├── 7.15.threat_match.json │ │ │ └── 7.15.threshold.json │ │ ├── 7.16 │ │ │ ├── 7.16.base.json │ │ │ ├── 7.16.eql.json │ │ │ ├── 7.16.machine_learning.json │ │ │ ├── 7.16.query.json │ │ │ ├── 7.16.threat_match.json │ │ │ └── 7.16.threshold.json │ │ ├── 7.8 │ │ │ ├── 7.8.base.json │ │ │ ├── 7.8.machine_learning.json │ │ │ ├── 7.8.query.json │ │ │ └── 7.8.saved_query.json │ │ ├── 7.9 │ │ │ ├── 7.9.base.json │ │ │ ├── 7.9.machine_learning.json │ │ │ ├── 7.9.query.json │ │ │ ├── 7.9.saved_query.json │ │ │ └── 7.9.threshold.json │ │ ├── 8.0 │ │ │ ├── 8.0.base.json │ │ │ ├── 8.0.eql.json │ │ │ ├── 8.0.machine_learning.json │ │ │ ├── 8.0.query.json │ │ │ ├── 8.0.threat_match.json │ │ │ └── 8.0.threshold.json │ │ ├── 8.1 │ │ │ ├── 8.1.base.json │ │ │ ├── 8.1.eql.json │ │ │ ├── 8.1.machine_learning.json │ │ │ ├── 8.1.query.json │ │ │ ├── 8.1.threat_match.json │ │ │ └── 8.1.threshold.json │ │ ├── 8.10 │ │ │ ├── 8.10.base.json │ │ │ ├── 8.10.eql.json │ │ │ ├── 8.10.machine_learning.json │ │ │ ├── 8.10.new_terms.json │ │ │ ├── 8.10.query.json │ │ │ ├── 8.10.threat_match.json │ │ │ └── 8.10.threshold.json │ │ ├── 8.11 │ │ │ ├── 8.11.base.json │ │ │ ├── 8.11.eql.json │ │ │ ├── 8.11.machine_learning.json │ │ │ ├── 8.11.new_terms.json │ │ │ ├── 8.11.query.json │ │ │ ├── 8.11.threat_match.json │ │ │ └── 8.11.threshold.json │ │ ├── 8.12 │ │ │ ├── 8.12.base.json │ │ │ ├── 8.12.eql.json │ │ │ ├── 8.12.machine_learning.json │ │ │ ├── 8.12.new_terms.json │ │ │ ├── 8.12.query.json │ │ │ ├── 8.12.threat_match.json │ │ │ └── 8.12.threshold.json │ │ ├── 8.13 │ │ │ ├── 8.13.base.json │ │ │ ├── 8.13.eql.json │ │ │ ├── 8.13.esql.json │ │ │ ├── 8.13.machine_learning.json │ │ │ ├── 8.13.new_terms.json │ │ │ ├── 8.13.query.json │ │ │ ├── 8.13.threat_match.json │ │ │ └── 8.13.threshold.json │ │ ├── 8.14 │ │ │ └── master │ │ │ │ ├── 8.14.base.json │ │ │ │ ├── 8.14.eql.json │ │ │ │ ├── 8.14.esql.json │ │ │ │ ├── 8.14.machine_learning.json │ │ │ │ ├── 8.14.new_terms.json │ │ │ │ ├── 8.14.query.json │ │ │ │ ├── 8.14.threat_match.json │ │ │ │ └── 8.14.threshold.json │ │ ├── 8.15 │ │ │ ├── 8.15.base.json │ │ │ ├── 8.15.eql.json │ │ │ ├── 8.15.esql.json │ │ │ ├── 8.15.machine_learning.json │ │ │ ├── 8.15.new_terms.json │ │ │ ├── 8.15.query.json │ │ │ ├── 8.15.threat_match.json │ │ │ └── 8.15.threshold.json │ │ ├── 8.16 │ │ │ ├── 8.16.base.json │ │ │ ├── 8.16.eql.json │ │ │ ├── 8.16.esql.json │ │ │ ├── 8.16.machine_learning.json │ │ │ ├── 8.16.new_terms.json │ │ │ ├── 8.16.query.json │ │ │ ├── 8.16.threat_match.json │ │ │ └── 8.16.threshold.json │ │ ├── 8.17 │ │ │ ├── 8.17.base.json │ │ │ ├── 8.17.eql.json │ │ │ ├── 8.17.esql.json │ │ │ ├── 8.17.machine_learning.json │ │ │ ├── 8.17.new_terms.json │ │ │ ├── 8.17.query.json │ │ │ ├── 8.17.threat_match.json │ │ │ └── 8.17.threshold.json │ │ ├── 8.18 │ │ │ ├── 8.18.base.json │ │ │ ├── 8.18.eql.json │ │ │ ├── 8.18.esql.json │ │ │ ├── 8.18.machine_learning.json │ │ │ ├── 8.18.new_terms.json │ │ │ ├── 8.18.query.json │ │ │ ├── 8.18.threat_match.json │ │ │ └── 8.18.threshold.json │ │ ├── 8.19 │ │ │ ├── 8.19.base.json │ │ │ ├── 8.19.eql.json │ │ │ ├── 8.19.esql.json │ │ │ ├── 8.19.machine_learning.json │ │ │ ├── 8.19.new_terms.json │ │ │ ├── 8.19.query.json │ │ │ ├── 8.19.threat_match.json │ │ │ └── 8.19.threshold.json │ │ ├── 8.2 │ │ │ ├── 8.2.base.json │ │ │ ├── 8.2.eql.json │ │ │ ├── 8.2.machine_learning.json │ │ │ ├── 8.2.query.json │ │ │ ├── 8.2.threat_match.json │ │ │ └── 8.2.threshold.json │ │ ├── 8.3 │ │ │ ├── 8.3.base.json │ │ │ ├── 8.3.eql.json │ │ │ ├── 8.3.machine_learning.json │ │ │ ├── 8.3.query.json │ │ │ ├── 8.3.threat_match.json │ │ │ └── 8.3.threshold.json │ │ ├── 8.4 │ │ │ ├── 8.4.base.json │ │ │ ├── 8.4.eql.json │ │ │ ├── 8.4.machine_learning.json │ │ │ ├── 8.4.query.json │ │ │ ├── 8.4.threat_match.json │ │ │ └── 8.4.threshold.json │ │ ├── 8.5 │ │ │ ├── 8.5.base.json │ │ │ ├── 8.5.eql.json │ │ │ ├── 8.5.machine_learning.json │ │ │ ├── 8.5.query.json │ │ │ ├── 8.5.threat_match.json │ │ │ └── 8.5.threshold.json │ │ ├── 8.6 │ │ │ ├── 8.6.base.json │ │ │ ├── 8.6.eql.json │ │ │ ├── 8.6.machine_learning.json │ │ │ ├── 8.6.query.json │ │ │ ├── 8.6.threat_match.json │ │ │ └── 8.6.threshold.json │ │ ├── 8.7 │ │ │ ├── 8.7.base.json │ │ │ ├── 8.7.eql.json │ │ │ ├── 8.7.machine_learning.json │ │ │ ├── 8.7.new_terms.json │ │ │ ├── 8.7.query.json │ │ │ ├── 8.7.threat_match.json │ │ │ └── 8.7.threshold.json │ │ ├── 8.8 │ │ │ ├── 8.8.base.json │ │ │ ├── 8.8.eql.json │ │ │ ├── 8.8.machine_learning.json │ │ │ ├── 8.8.new_terms.json │ │ │ ├── 8.8.query.json │ │ │ ├── 8.8.threat_match.json │ │ │ └── 8.8.threshold.json │ │ ├── 8.9 │ │ │ ├── 8.9.base.json │ │ │ ├── 8.9.eql.json │ │ │ ├── 8.9.machine_learning.json │ │ │ ├── 8.9.new_terms.json │ │ │ ├── 8.9.query.json │ │ │ ├── 8.9.threat_match.json │ │ │ └── 8.9.threshold.json │ │ ├── 9.0 │ │ │ ├── 9.0.base.json │ │ │ ├── 9.0.eql.json │ │ │ ├── 9.0.esql.json │ │ │ ├── 9.0.machine_learning.json │ │ │ ├── 9.0.new_terms.json │ │ │ ├── 9.0.query.json │ │ │ ├── 9.0.threat_match.json │ │ │ └── 9.0.threshold.json │ │ ├── 9.1 │ │ │ ├── 9.1.base.json │ │ │ ├── 9.1.eql.json │ │ │ ├── 9.1.esql.json │ │ │ ├── 9.1.machine_learning.json │ │ │ ├── 9.1.new_terms.json │ │ │ ├── 9.1.query.json │ │ │ ├── 9.1.threat_match.json │ │ │ └── 9.1.threshold.json │ │ ├── 9.2 │ │ │ ├── 9.2.base.json │ │ │ ├── 9.2.eql.json │ │ │ ├── 9.2.esql.json │ │ │ ├── 9.2.machine_learning.json │ │ │ ├── 9.2.new_terms.json │ │ │ ├── 9.2.query.json │ │ │ ├── 9.2.threat_match.json │ │ │ └── 9.2.threshold.json │ │ └── master │ │ │ ├── master.base.json │ │ │ ├── master.eql.json │ │ │ ├── master.esql.json │ │ │ ├── master.machine_learning.json │ │ │ ├── master.new_terms.json │ │ │ ├── master.query.json │ │ │ ├── master.threat_match.json │ │ │ └── master.threshold.json │ ├── attack-crosswalk.json │ ├── attack-technique-redirects.json │ ├── attack-v18.0.0.json.gz │ ├── beats_schemas │ │ ├── main.json.gz │ │ ├── v7.10.0.json.gz │ │ ├── v7.11.2.json.gz │ │ ├── v7.12.0.json.gz │ │ ├── v7.13.2.json.gz │ │ ├── v7.14.0.json.gz │ │ ├── v7.15.1.json.gz │ │ ├── v7.16.2.json.gz │ │ ├── v7.7.0.json.gz │ │ ├── v7.8.1.json.gz │ │ ├── v7.9.2.json.gz │ │ ├── v8.0.1.json.gz │ │ ├── v8.1.2.json.gz │ │ ├── v8.10.3.json.gz │ │ ├── v8.11.2.json.gz │ │ ├── v8.12.2.json.gz │ │ ├── v8.13.4.json.gz │ │ ├── v8.14.3.json.gz │ │ ├── v8.15.0.json.gz │ │ ├── v8.15.2.json.gz │ │ ├── v8.15.3.json.gz │ │ ├── v8.16.1.json.gz │ │ ├── v8.17.0.json.gz │ │ ├── v8.17.1.json.gz │ │ ├── v8.18.0.json.gz │ │ ├── v8.18.3.json.gz │ │ ├── v8.2.1.json.gz │ │ ├── v8.2.3.json.gz │ │ ├── v8.3.3.json.gz │ │ ├── v8.4.1.json.gz │ │ ├── v8.4.2.json.gz │ │ ├── v8.4.3.json.gz │ │ ├── v8.5.1.json.gz │ │ ├── v8.5.2.json.gz │ │ ├── v8.5.3.json.gz │ │ ├── v8.6.1.json.gz │ │ ├── v8.7.0.json.gz │ │ ├── v8.8.2.json.gz │ │ ├── v8.9.0.json.gz │ │ ├── v9.0.0-beta1.json.gz │ │ ├── v9.0.0.json.gz │ │ ├── v9.0.3.json.gz │ │ ├── v9.1.3.json.gz │ │ ├── v9.1.5.json.gz │ │ └── v9.2.0.json.gz │ ├── commit-and-push.sh │ ├── custom-consolidated-rules.ndjson │ ├── deprecated_rules.json │ ├── downloadable_updates.json │ ├── ecs_schemas │ │ ├── 1.0.1 │ │ │ ├── ecs_flat.json.gz │ │ │ └── ecs_nested.json.gz │ │ ├── 1.1.0 │ │ │ ├── ecs_flat.json.gz │ │ │ └── ecs_nested.json.gz │ │ ├── 1.10.0 │ │ │ ├── ecs_flat.json.gz │ │ │ └── ecs_nested.json.gz │ │ ├── 1.11.0 │ │ │ ├── ecs_flat.json.gz │ │ │ └── ecs_nested.json.gz │ │ ├── 1.12.0 │ │ │ ├── ecs_flat.json.gz │ │ │ └── ecs_nested.json.gz │ │ ├── 1.12.1 │ │ │ ├── ecs_flat.json.gz │ │ │ └── ecs_nested.json.gz │ │ ├── 1.12.2 │ │ │ ├── ecs_flat.json.gz │ │ │ └── ecs_nested.json.gz │ │ ├── 1.2.0 │ │ │ ├── ecs_flat.json.gz │ │ │ └── ecs_nested.json.gz │ │ ├── 1.3.0 │ │ │ ├── ecs_flat.json.gz │ │ │ └── ecs_nested.json.gz │ │ ├── 1.3.1 │ │ │ ├── ecs_flat.json.gz │ │ │ └── ecs_nested.json.gz │ │ ├── 1.4.0 │ │ │ ├── ecs_flat.json.gz │ │ │ └── ecs_nested.json.gz │ │ ├── 1.5.0 │ │ │ ├── ecs_flat.json.gz │ │ │ └── ecs_nested.json.gz │ │ ├── 1.6.0 │ │ │ ├── ecs_flat.json.gz │ │ │ └── ecs_nested.json.gz │ │ ├── 1.7.0 │ │ │ ├── ecs_flat.json.gz │ │ │ └── ecs_nested.json.gz │ │ ├── 1.8.0 │ │ │ ├── ecs_flat.json.gz │ │ │ └── ecs_nested.json.gz │ │ ├── 1.9.0 │ │ │ ├── ecs_flat.json.gz │ │ │ └── ecs_nested.json.gz │ │ ├── 8.0.0 │ │ │ ├── ecs_flat.json.gz │ │ │ └── ecs_nested.json.gz │ │ ├── 8.0.1 │ │ │ ├── ecs_flat.json.gz │ │ │ └── ecs_nested.json.gz │ │ ├── 8.1.0 │ │ │ ├── ecs_flat.json.gz │ │ │ └── ecs_nested.json.gz │ │ ├── 8.10.0 │ │ │ ├── ecs_flat.json.gz │ │ │ └── ecs_nested.json.gz │ │ ├── 8.11.0 │ │ │ ├── ecs_flat.json.gz │ │ │ └── ecs_nested.json.gz │ │ ├── 8.16.0 │ │ │ ├── ecs_flat.json.gz │ │ │ └── ecs_nested.json.gz │ │ ├── 8.17.0 │ │ │ ├── ecs_flat.json.gz │ │ │ └── ecs_nested.json.gz │ │ ├── 8.2.0 │ │ │ ├── ecs_flat.json.gz │ │ │ └── ecs_nested.json.gz │ │ ├── 8.2.1 │ │ │ ├── ecs_flat.json.gz │ │ │ └── ecs_nested.json.gz │ │ ├── 8.3.0 │ │ │ ├── ecs_flat.json.gz │ │ │ └── ecs_nested.json.gz │ │ ├── 8.3.1 │ │ │ ├── ecs_flat.json.gz │ │ │ └── ecs_nested.json.gz │ │ ├── 8.4.0-rc1 │ │ │ ├── ecs_flat.json.gz │ │ │ └── ecs_nested.json.gz │ │ ├── 8.4.0 │ │ │ ├── ecs_flat.json.gz │ │ │ └── ecs_nested.json.gz │ │ ├── 8.5.0-rc1 │ │ │ ├── ecs_flat.json.gz │ │ │ └── ecs_nested.json.gz │ │ ├── 8.5.0 │ │ │ ├── ecs_flat.json.gz │ │ │ └── ecs_nested.json.gz │ │ ├── 8.5.1 │ │ │ ├── ecs_flat.json.gz │ │ │ └── ecs_nested.json.gz │ │ ├── 8.5.2 │ │ │ ├── ecs_flat.json.gz │ │ │ └── ecs_nested.json.gz │ │ ├── 8.6.0-rc1 │ │ │ ├── ecs_flat.json.gz │ │ │ └── ecs_nested.json.gz │ │ ├── 8.6.0 │ │ │ ├── ecs_flat.json.gz │ │ │ └── ecs_nested.json.gz │ │ ├── 8.6.1 │ │ │ ├── ecs_flat.json.gz │ │ │ └── ecs_nested.json.gz │ │ ├── 8.7.0-rc1 │ │ │ ├── ecs_flat.json.gz │ │ │ └── ecs_nested.json.gz │ │ ├── 8.7.0 │ │ │ ├── ecs_flat.json.gz │ │ │ └── ecs_nested.json.gz │ │ ├── 8.8.0 │ │ │ ├── ecs_flat.json.gz │ │ │ └── ecs_nested.json.gz │ │ ├── 8.9.0 │ │ │ ├── ecs_flat.json.gz │ │ │ └── ecs_nested.json.gz │ │ ├── 9.0.0-rc1 │ │ │ ├── ecs_flat.json.gz │ │ │ └── ecs_nested.json.gz │ │ ├── 9.0.0 │ │ │ ├── ecs_flat.json.gz │ │ │ └── ecs_nested.json.gz │ │ ├── 9.1.0 │ │ │ ├── ecs_flat.json.gz │ │ │ └── ecs_nested.json.gz │ │ ├── 9.2.0-rc1 │ │ │ ├── ecs_flat.json.gz │ │ │ └── ecs_nested.json.gz │ │ ├── 9.2.0 │ │ │ ├── ecs_flat.json.gz │ │ │ └── ecs_nested.json.gz │ │ └── master_9.3.0-dev │ │ │ └── ecs_flat.json.gz │ ├── endgame_schemas │ │ ├── 1.9.0 │ │ │ └── endgame_ecs_mapping.json.gz │ │ └── 8.4.0 │ │ │ └── endgame_ecs_mapping.json.gz │ ├── endpoint_schemas │ │ └── endpoint_process.json.gz │ ├── example_test_config.yaml │ ├── integration-manifests.json.gz │ ├── integration-schemas.json.gz │ ├── lock-multiple.sh │ ├── non-ecs-schema.json │ ├── packages.yaml │ ├── rule_template_typosquatting_domain.json │ ├── security-logo-color-64px.svg │ ├── stack-schema-map.yaml │ ├── test_cli.bash │ ├── test_hunting_cli.bash │ ├── test_remote_cli.bash │ ├── test_toml.json │ └── version.lock.json ├── exception.py ├── generic_loader.py ├── ghwrap.py ├── index_mappings.py ├── integrations.py ├── kbwrap.py ├── main.py ├── misc.py ├── mixins.py ├── ml.py ├── navigator.py ├── packaging.py ├── remote_validation.py ├── rule.py ├── rule_formatter.py ├── rule_loader.py ├── rule_validators.py ├── schemas │ ├── __init__.py │ ├── definitions.py │ ├── registry_package.py │ └── stack_compat.py ├── utils.py └── version_lock.py ├── docs-dev ├── ATT&CK-coverage.md ├── custom-rules-management.md ├── deprecating.md ├── detections-as-code.md ├── developing.md ├── experimental-machine-learning │ ├── DGA.md │ ├── beaconing.md │ ├── experimental-detections.md │ ├── host-risk-score.md │ ├── images │ │ ├── 0a_host_risk_score_card.png │ │ ├── 0b_alert_summary.png │ │ ├── 0c_host_page_risk_column.png │ │ ├── 0d_host_page_hosts_by_risk_tab.png │ │ ├── 0e_host_details_page_risk_overview.png │ │ ├── 0f_host_details_page_hosts_by_risk_tab.png │ │ ├── 1_create_deployment.png │ │ ├── 2_edit_configuration.png │ │ ├── 3_edit_user_settings.png │ │ ├── 4_add_flag.png │ │ ├── 5_save_settings.png │ │ └── 6_confirm_activity_finished.png │ ├── problem-child.md │ ├── readme.md │ ├── url-spoof.md │ └── user-risk-score.md ├── rule-insights.md ├── typosquatting_rule.md └── versioning.md ├── docs ├── audit_policies │ └── windows │ │ ├── README.md │ │ ├── audit_authorization_policy_change.md │ │ ├── audit_computer_account_management.md │ │ ├── audit_detailed_file_share.md │ │ ├── audit_directory_service_access.md │ │ ├── audit_directory_service_changes.md │ │ ├── audit_filtering_platform_connection.md │ │ ├── audit_filtering_platform_packet_drop.md │ │ ├── audit_handle_manipulation.md │ │ ├── audit_logon.md │ │ ├── audit_other_object_access_events.md │ │ ├── audit_policy_change.md │ │ ├── audit_powershell_scriptblock.md │ │ ├── audit_process_creation_and_command_line.md │ │ ├── audit_security_group_management.md │ │ ├── audit_security_system_extension.md │ │ ├── audit_sensitive_privilege_use.md │ │ ├── audit_special_logon.md │ │ ├── audit_token_right_adjusted_events.md │ │ ├── audit_user_account_management.md │ │ ├── sysmon_eventid10_process_access.md │ │ ├── sysmon_eventid11_file_create.md │ │ ├── sysmon_eventid12_13_14_registry_event.md │ │ ├── sysmon_eventid17_18_pipe_event.md │ │ ├── sysmon_eventid19_20_21_wmi_event.md │ │ ├── sysmon_eventid1_process_creation.md │ │ ├── sysmon_eventid22_dns_query.md │ │ ├── sysmon_eventid23_file_delete.md │ │ ├── sysmon_eventid2_file_creation_time_changed.md │ │ ├── sysmon_eventid3_network_connection.md │ │ ├── sysmon_eventid7_image_loaded.md │ │ └── sysmon_eventid8_createremotethread.md ├── docset.yml └── index.md ├── hunting ├── README.md ├── __init__.py ├── __main__.py ├── aws │ ├── docs │ │ ├── ec2_discovery_multi_region_describe_instance_calls.md │ │ ├── ec2_high_instance_deployment_count_attempts.md │ │ ├── ec2_modify_instance_attribute_user_data.md │ │ ├── ec2_suspicious_get_user_password_request.md │ │ ├── iam_assume_role_creation_with_attached_policy.md │ │ ├── iam_customer_managed_policies_attached_to_existing_roles.md │ │ ├── iam_unusual_access_key_usage_for_user.md │ │ ├── iam_unusual_default_aviatrix_role_activity.md │ │ ├── iam_user_activity_with_no_mfa_session.md │ │ ├── iam_user_creation_with_administrator_policy_assigned.md │ │ ├── lambda_add_permissions_for_write_actions_to_function.md │ │ ├── multiple_service_logging_deleted_or_stopped.md │ │ ├── s3_public_bucket_rapid_object_access_attempts.md │ │ ├── secretsmanager_high_frequency_get_secret_value.md │ │ ├── servicequotas_discovery_multi_region_get_service_quota_calls.md │ │ ├── signin_single_factor_console_login_via_federated_session.md │ │ ├── sns_direct_to_phone_messaging_spike.md │ │ ├── sns_email_subscription_by_rare_user.md │ │ ├── sns_topic_created_by_rare_user.md │ │ ├── sns_topic_message_published_by_rare_user.md │ │ ├── ssm_rare_sendcommand_code_execution.md │ │ ├── ssm_sendcommand_api_used_by_ec2_instance.md │ │ ├── ssm_start_remote_session_to_ec2_instance.md │ │ └── sts_suspicious_federated_temporary_credential_request.md │ └── queries │ │ ├── ec2_discovery_multi_region_describe_instance_calls.toml │ │ ├── ec2_high_instance_deployment_count_attempts.toml │ │ ├── ec2_modify_instance_attribute_user_data.toml │ │ ├── ec2_suspicious_get_user_password_request.toml │ │ ├── iam_assume_role_creation_with_attached_policy.toml │ │ ├── iam_customer_managed_policies_attached_to_existing_roles.toml │ │ ├── iam_unusual_access_key_usage_for_user.toml │ │ ├── iam_unusual_default_aviatrix_role_activity.toml │ │ ├── iam_user_activity_with_no_mfa_session.toml │ │ ├── iam_user_creation_with_administrator_policy_assigned.toml │ │ ├── lambda_add_permissions_for_write_actions_to_function.toml │ │ ├── multiple_service_logging_deleted_or_stopped.toml │ │ ├── s3_public_bucket_rapid_object_access_attempts.toml │ │ ├── secretsmanager_high_frequency_get_secret_value.toml │ │ ├── servicequotas_discovery_multi_region_get_service_quota_calls.toml │ │ ├── signin_single_factor_console_login_via_federated_session.toml │ │ ├── sns_direct_to_phone_messaging_spike.toml │ │ ├── sns_email_subscription_by_rare_user.toml │ │ ├── sns_topic_created_by_rare_user.toml │ │ ├── sns_topic_message_published_by_rare_user.toml │ │ ├── ssm_rare_sendcommand_code_execution.toml │ │ ├── ssm_sendcommand_api_used_by_ec2_instance.toml │ │ ├── ssm_start_remote_session_to_ec2_instance.toml │ │ └── sts_suspicious_federated_temporary_credential_request.toml ├── azure │ ├── docs │ │ ├── entra_authentication_attempts_behind_rare_user_agents.md │ │ ├── entra_authentication_attempts_from_abused_hosting_service_providers.md │ │ ├── entra_device_code_authentication_from_unusual_principal.md │ │ ├── entra_excessive_non_interactive_sfa_sign_ins_across_users.md │ │ ├── entra_rare_actions_by_service_principal.md │ │ ├── entra_service_principal_credentials_added_to_rare_app.md │ │ ├── entra_suspicious_odata_client_requests.md │ │ └── entra_unusual_client_app_auth_request_on_behalf_of_user.md │ └── queries │ │ ├── entra_authentication_attempts_behind_rare_user_agents.toml │ │ ├── entra_authentication_attempts_from_abused_hosting_service_providers.toml │ │ ├── entra_device_code_authentication_from_unusual_principal.toml │ │ ├── entra_excessive_non_interactive_sfa_sign_ins_across_users.toml │ │ ├── entra_rare_actions_by_service_principal.toml │ │ ├── entra_service_principal_credentials_added_to_rare_app.toml │ │ ├── entra_suspicious_odata_client_requests.toml │ │ └── entra_unusual_client_app_auth_request_on_behalf_of_user.toml ├── cross-platform │ ├── docs │ │ └── potentially_spoofed_microsoft_authentication_domain.md │ └── queries │ │ └── potentially_spoofed_microsoft_authentication_domain.toml ├── definitions.py ├── index.md ├── index.yml ├── linux │ ├── docs │ │ ├── command_and_control_via_network_connections_with_low_occurrence_frequency_for_unique_agents.md │ │ ├── command_and_control_via_unusual_file_downloads_from_source_addresses.md │ │ ├── defense_evasion_via_capitalized_process_execution.md │ │ ├── defense_evasion_via_hidden_process_execution.md │ │ ├── defense_evasion_via_multi_dot_process_execution.md │ │ ├── excessive_ssh_network_activity_unique_destinations.md │ │ ├── execution_uncommon_process_execution_from_suspicious_directory.md │ │ ├── login_activity_by_source_address.md │ │ ├── low_volume_external_network_connections_from_process.md │ │ ├── low_volume_gtfobins_external_network_connections.md │ │ ├── low_volume_modifications_to_critical_system_binaries.md │ │ ├── low_volume_process_injection_syscalls_by_executable.md │ │ ├── persistence_general_kernel_manipulation.md │ │ ├── persistence_reverse_bind_shells.md │ │ ├── persistence_via_cron.md │ │ ├── persistence_via_desktop_bus.md │ │ ├── persistence_via_driver_load_with_low_occurrence_frequency.md │ │ ├── persistence_via_dynamic_linker_hijacking.md │ │ ├── persistence_via_git_hook_pager.md │ │ ├── persistence_via_grub_bootloader.md │ │ ├── persistence_via_initramfs.md │ │ ├── persistence_via_loadable_kernel_modules.md │ │ ├── persistence_via_malicious_docker_container.md │ │ ├── persistence_via_message_of_the_day.md │ │ ├── persistence_via_network_manager_dispatcher_script.md │ │ ├── persistence_via_package_manager.md │ │ ├── persistence_via_pluggable_authentication_module.md │ │ ├── persistence_via_policykit.md │ │ ├── persistence_via_rc_local.md │ │ ├── persistence_via_rpm_dpkg_installer_packages.md │ │ ├── persistence_via_shell_modification_persistence.md │ │ ├── persistence_via_ssh_configurations_and_keys.md │ │ ├── persistence_via_systemd_timers.md │ │ ├── persistence_via_sysv_init.md │ │ ├── persistence_via_udev.md │ │ ├── persistence_via_unusual_system_binary_parent.md │ │ ├── persistence_via_user_group_creation_modification.md │ │ ├── persistence_via_web_shell.md │ │ ├── persistence_via_xdg_autostart_modifications.md │ │ ├── privilege_escalation_via_existing_sudoers.md │ │ ├── privilege_escalation_via_process_capabilities.md │ │ ├── privilege_escalation_via_segmentation_fault_and_buffer_overflow.md │ │ └── privilege_escalation_via_suid_binaries.md │ └── queries │ │ ├── command_and_control_via_network_connections_with_low_occurrence_frequency_for_unique_agents.toml │ │ ├── command_and_control_via_unusual_file_downloads_from_source_addresses.toml │ │ ├── defense_evasion_via_capitalized_process_execution.toml │ │ ├── defense_evasion_via_hidden_process_execution.toml │ │ ├── defense_evasion_via_multi_dot_process_execution.toml │ │ ├── excessive_ssh_network_activity_unique_destinations.toml │ │ ├── execution_uncommon_process_execution_from_suspicious_directory.toml │ │ ├── login_activity_by_source_address.toml │ │ ├── low_volume_external_network_connections_from_process.toml │ │ ├── low_volume_gtfobins_external_network_connections.toml │ │ ├── low_volume_modifications_to_critical_system_binaries.toml │ │ ├── low_volume_process_injection_syscalls_by_executable.toml │ │ ├── persistence_general_kernel_manipulation.toml │ │ ├── persistence_reverse_bind_shells.toml │ │ ├── persistence_via_cron.toml │ │ ├── persistence_via_desktop_bus.toml │ │ ├── persistence_via_driver_load_with_low_occurrence_frequency.toml │ │ ├── persistence_via_dynamic_linker_hijacking.toml │ │ ├── persistence_via_git_hook_pager.toml │ │ ├── persistence_via_grub_bootloader.toml │ │ ├── persistence_via_initramfs.toml │ │ ├── persistence_via_loadable_kernel_modules.toml │ │ ├── persistence_via_malicious_docker_container.toml │ │ ├── persistence_via_message_of_the_day.toml │ │ ├── persistence_via_network_manager_dispatcher_script.toml │ │ ├── persistence_via_package_manager.toml │ │ ├── persistence_via_pluggable_authentication_module.toml │ │ ├── persistence_via_policykit.toml │ │ ├── persistence_via_rc_local.toml │ │ ├── persistence_via_rpm_dpkg_installer_packages.toml │ │ ├── persistence_via_shell_modification_persistence.toml │ │ ├── persistence_via_ssh_configurations_and_keys.toml │ │ ├── persistence_via_systemd_timers.toml │ │ ├── persistence_via_sysv_init.toml │ │ ├── persistence_via_udev.toml │ │ ├── persistence_via_unusual_system_binary_parent.toml │ │ ├── persistence_via_user_group_creation_modification.toml │ │ ├── persistence_via_web_shell.toml │ │ ├── persistence_via_xdg_autostart_modifications.toml │ │ ├── privilege_escalation_via_existing_sudoers.toml │ │ ├── privilege_escalation_via_process_capabilities.toml │ │ ├── privilege_escalation_via_segmentation_fault_and_buffer_overflow.toml │ │ └── privilege_escalation_via_suid_binaries.toml ├── llm │ ├── README.md │ ├── docs │ │ ├── aws_bedrock_dos_resource_exhaustion_detection.md │ │ ├── aws_bedrock_ignore_previous_prompt_detection.md │ │ ├── aws_bedrock_latency_anomalies_detection.md │ │ └── aws_bedrock_sensitive_content_refusal_detection.md │ └── queries │ │ ├── aws_bedrock_dos_resource_exhaustion_detection.toml │ │ ├── aws_bedrock_ignore_previous_prompt_detection.toml │ │ ├── aws_bedrock_latency_anomalies_detection.toml │ │ └── aws_bedrock_sensitive_content_refusal_detection.toml ├── macos │ ├── docs │ │ ├── command_and_control_suspicious_executable_file_creation_via_python.md │ │ ├── credential_access_potential_python_stealer.md │ │ ├── defense_evasion_python_library_load_and_delete.md │ │ ├── defense_evasion_self_deleted_python_script_accessing_sensitive_files.md │ │ ├── defense_evasion_self_deleted_python_script_outbound_network_connection.md │ │ ├── defense_evasion_self_deleting_python_script.md │ │ ├── execution_python_script_drop_and_execute.md │ │ ├── execution_suspicious_executable_file_modification_via_docker.md │ │ ├── execution_suspicious_file_access_via_docker.md │ │ ├── execution_suspicious_python_app_execution_via_streamlit.md │ │ ├── execution_unsigned_or_untrusted_binary_execution_via_python.md │ │ ├── execution_unsigned_or_untrusted_binary_fork_via_python.md │ │ ├── execution_unusual_library_load_via_python.md │ │ ├── persistence_via_suspicious_launch_agent_or_launch_daemon_with_low_occurrence.md │ │ └── suspicious_network_connections_by_unsigned_macho.md │ └── queries │ │ ├── command_and_control_suspicious_executable_file_creation_via_python.toml │ │ ├── credential_access_potential_python_stealer.toml │ │ ├── defense_evasion_python_library_load_and_delete.toml │ │ ├── defense_evasion_self_deleted_python_script_accessing_sensitive_files.toml │ │ ├── defense_evasion_self_deleted_python_script_outbound_network_connection.toml │ │ ├── defense_evasion_self_deleting_python_script.toml │ │ ├── execution_python_script_drop_and_execute.toml │ │ ├── execution_suspicious_executable_file_modification_via_docker.toml │ │ ├── execution_suspicious_file_access_via_docker.toml │ │ ├── execution_suspicious_python_app_execution_via_streamlit.toml │ │ ├── execution_unsigned_or_untrusted_binary_execution_via_python.toml │ │ ├── execution_unsigned_or_untrusted_binary_fork_via_python.toml │ │ ├── execution_unusual_library_load_via_python.toml │ │ ├── persistence_via_suspicious_launch_agent_or_launch_daemon_with_low_occurrence.toml │ │ └── suspicious_network_connections_by_unsigned_macho.toml ├── markdown.py ├── okta │ ├── docs │ │ ├── credential_access_mfa_bombing_push_notications.md │ │ ├── credential_access_rapid_reset_password_requests_for_different_users.md │ │ ├── defense_evasion_failed_oauth_access_token_retrieval_via_public_client_app.md │ │ ├── defense_evasion_multiple_application_sso_authentication_repeat_source.md │ │ ├── defense_evasion_multiple_client_sources_reported_for_oauth_access_tokens_granted.md │ │ ├── defense_evasion_rare_oauth_access_token_granted_by_application.md │ │ ├── initial_access_higher_than_average_failed_authentication.md │ │ ├── initial_access_impossible_travel_sign_on.md │ │ ├── initial_access_password_spraying_from_repeat_source.md │ │ ├── persistence_multi_factor_push_notification_bombing.md │ │ └── persistence_rare_domain_with_user_authentication.md │ └── queries │ │ ├── credential_access_mfa_bombing_push_notications.toml │ │ ├── credential_access_rapid_reset_password_requests_for_different_users.toml │ │ ├── defense_evasion_failed_oauth_access_token_retrieval_via_public_client_app.toml │ │ ├── defense_evasion_multiple_application_sso_authentication_repeat_source.toml │ │ ├── defense_evasion_multiple_client_sources_reported_for_oauth_access_tokens_granted.toml │ │ ├── defense_evasion_rare_oauth_access_token_granted_by_application.toml │ │ ├── initial_access_higher_than_average_failed_authentication.toml │ │ ├── initial_access_impossible_travel_sign_on.toml │ │ ├── initial_access_password_spraying_from_repeat_source.toml │ │ ├── persistence_multi_factor_push_notification_bombing.toml │ │ └── persistence_rare_domain_with_user_authentication.toml ├── run.py ├── search.py ├── utils.py └── windows │ ├── docs │ ├── createremotethread_by_source_process_with_low_occurrence.md │ ├── detect_dll_hijack_via_masquerading_as_microsoft_native_libraries.md │ ├── detect_masquerading_attempts_as_native_windows_binaries.md │ ├── detect_rare_dll_sideload_by_occurrence.md │ ├── detect_rare_lsass_process_access_attempts.md │ ├── domain_names_queried_via_lolbins_and_with_low_occurence_frequency.md │ ├── drivers_load_with_low_occurrence_frequency.md │ ├── excessive_rdp_network_activity_by_source_host_and_user.md │ ├── excessive_smb_network_activity_by_process_id.md │ ├── executable_file_creation_by_an_unusual_microsoft_binary.md │ ├── execution_via_network_logon_by_occurrence_frequency_by_top_source_ip.md │ ├── execution_via_remote_services_by_client_address.md │ ├── execution_via_startup_with_low_occurrence_frequency.md │ ├── execution_via_windows_management_instrumentation_by_occurrence_frequency_by_unique_agent.md │ ├── execution_via_windows_scheduled_task_with_low_occurrence_frequency.md │ ├── execution_via_windows_services_with_low_occurrence_frequency.md │ ├── high_count_of_network_connection_over_extended_period_by_process.md │ ├── libraries_loaded_by_svchost_with_low_occurrence_frequency.md │ ├── microsoft_office_child_processes_with_low_occurrence_frequency.md │ ├── network_discovery_via_sensitive_ports_by_unusual_process.md │ ├── pe_file_transfer_via_smb_admin_shares_by_agent.md │ ├── persistence_via_run_key_with_low_occurrence_frequency.md │ ├── persistence_via_startup_with_low_occurrence_frequency.md │ ├── potential_exfiltration_by_process_total_egress_bytes.md │ ├── rundll32_execution_aggregated_by_cmdline.md │ ├── scheduled_task_creation_by_action_via_registry.md │ ├── scheduled_tasks_creation_for_unique_hosts_by_task_command.md │ ├── suspicious_base64_encoded_powershell_commands.md │ ├── suspicious_dns_txt_record_lookups_by_process.md │ ├── unique_windows_services_creation_by_servicefilename.md │ ├── windows_command_and_scripting_interpreter_from_unusual_parent.md │ └── windows_logon_activity_by_source_ip.md │ └── queries │ ├── createremotethread_by_source_process_with_low_occurrence.toml │ ├── detect_dll_hijack_via_masquerading_as_microsoft_native_libraries.toml │ ├── detect_masquerading_attempts_as_native_windows_binaries.toml │ ├── detect_rare_dll_sideload_by_occurrence.toml │ ├── detect_rare_lsass_process_access_attempts.toml │ ├── domain_names_queried_via_lolbins_and_with_low_occurence_frequency.toml │ ├── drivers_load_with_low_occurrence_frequency.toml │ ├── excessive_rdp_network_activity_by_source_host_and_user.toml │ ├── excessive_smb_network_activity_by_process_id.toml │ ├── executable_file_creation_by_an_unusual_microsoft_binary.toml │ ├── execution_via_network_logon_by_occurrence_frequency_by_top_source_ip.toml │ ├── execution_via_remote_services_by_client_address.toml │ ├── execution_via_startup_with_low_occurrence_frequency.toml │ ├── execution_via_windows_management_instrumentation_by_occurrence_frequency_by_unique_agent.toml │ ├── execution_via_windows_scheduled_task_with_low_occurrence_frequency.toml │ ├── execution_via_windows_services_with_low_occurrence_frequency.toml │ ├── high_count_of_network_connection_over_extended_period_by_process.toml │ ├── libraries_loaded_by_svchost_with_low_occurrence_frequency.toml │ ├── microsoft_office_child_processes_with_low_occurrence_frequency.toml │ ├── network_discovery_via_sensitive_ports_by_unusual_process.toml │ ├── pe_file_transfer_via_smb_admin_shares_by_agent.toml │ ├── persistence_via_run_key_with_low_occurrence_frequency.toml │ ├── persistence_via_startup_with_low_occurrence_frequency.toml │ ├── potential_exfiltration_by_process_total_egress_bytes.toml │ ├── rundll32_execution_aggregated_by_cmdline.toml │ ├── scheduled_task_creation_by_action_via_registry.toml │ ├── scheduled_tasks_creation_for_unique_hosts_by_task_command.toml │ ├── suspicious_base64_encoded_powershell_commands.toml │ ├── suspicious_dns_txt_record_lookups_by_process.toml │ ├── unique_windows_services_creation_by_servicefilename.toml │ ├── windows_command_and_scripting_interpreter_from_unusual_parent.toml │ └── windows_logon_activity_by_source_ip.toml ├── lib ├── kibana │ ├── kibana │ │ ├── __init__.py │ │ ├── connector.py │ │ ├── definitions.py │ │ └── resources.py │ └── pyproject.toml └── kql │ ├── kql │ ├── __init__.py │ ├── ast.py │ ├── dsl.py │ ├── eql2kql.py │ ├── errors.py │ ├── evaluator.py │ ├── kql.g │ ├── kql2eql.py │ ├── optimizer.py │ ├── parser.py │ └── utils.py │ └── pyproject.toml ├── pyproject.toml ├── renovate.json ├── rules ├── README.md ├── _deprecated │ ├── apm_null_user_agent.toml │ ├── command_and_control_connection_attempt_by_non_ssh_root_session.toml │ ├── command_and_control_dns_directly_to_the_internet.toml │ ├── command_and_control_ftp_file_transfer_protocol_activity_to_the_internet.toml │ ├── command_and_control_irc_internet_relay_chat_protocol_activity_to_the_internet.toml │ ├── command_and_control_linux_iodine_activity.toml │ ├── command_and_control_linux_port_knocking_reverse_connection.toml │ ├── command_and_control_port_8000_activity_to_the_internet.toml │ ├── command_and_control_pptp_point_to_point_tunneling_protocol_activity.toml │ ├── command_and_control_proxy_port_activity_to_the_internet.toml │ ├── command_and_control_smtp_to_the_internet.toml │ ├── command_and_control_sql_server_port_activity_to_the_internet.toml │ ├── command_and_control_ssh_secure_shell_from_the_internet.toml │ ├── command_and_control_ssh_secure_shell_to_the_internet.toml │ ├── command_and_control_tor_activity_to_the_internet.toml │ ├── container_workload_protection.toml │ ├── credential_access_aws_creds_search_inside_a_container.toml │ ├── credential_access_collection_sensitive_files_compression_inside_a_container.toml │ ├── credential_access_entra_signin_brute_force_microsoft_365_repeat_source.toml │ ├── credential_access_microsoft_365_potential_password_spraying_attack.toml │ ├── credential_access_potential_linux_ssh_bruteforce_root.toml │ ├── credential_access_sensitive_keys_or_passwords_search_inside_a_container.toml │ ├── credential_access_tcpdump_activity.toml │ ├── defense_evasion_attempt_to_disable_iptables_or_firewall.toml │ ├── defense_evasion_base64_encoding_or_decoding_activity.toml │ ├── defense_evasion_code_injection_conhost.toml │ ├── defense_evasion_execution_via_trusted_developer_utilities.toml │ ├── defense_evasion_hex_encoding_or_decoding_activity.toml │ ├── defense_evasion_ld_preload_env_variable_process_injection.toml │ ├── defense_evasion_ld_preload_shared_object_modified_inside_a_container.toml │ ├── defense_evasion_mshta_making_network_connections.toml │ ├── defense_evasion_potential_processherpaderping.toml │ ├── defense_evasion_whitespace_padding_in_command_line.toml │ ├── discovery_file_dir_discovery.toml │ ├── discovery_process_discovery_via_tasklist_command.toml │ ├── discovery_query_registry_via_reg.toml │ ├── discovery_suspicious_network_tool_launched_inside_a_container.toml │ ├── discovery_whoami_commmand.toml │ ├── execution_apt_binary.toml │ ├── execution_awk_binary_shell.toml │ ├── execution_busybox_binary.toml │ ├── execution_c89_c99_binary.toml │ ├── execution_command_shell_started_by_powershell.toml │ ├── execution_container_management_binary_launched_inside_a_container.toml │ ├── execution_cpulimit_binary.toml │ ├── execution_crash_binary.toml │ ├── execution_env_binary.toml │ ├── execution_expect_binary.toml │ ├── execution_file_made_executable_via_chmod_inside_a_container.toml │ ├── execution_find_binary.toml │ ├── execution_flock_binary.toml │ ├── execution_gcc_binary.toml │ ├── execution_interactive_exec_to_container.toml │ ├── execution_interactive_shell_spawned_from_inside_a_container.toml │ ├── execution_linux_process_started_in_temp_directory.toml │ ├── execution_mysql_binary.toml │ ├── execution_netcat_listener_established_inside_a_container.toml │ ├── execution_reverse_shell_via_named_pipe.toml │ ├── execution_shell_suspicious_parent_child_revshell_linux.toml │ ├── execution_ssh_binary.toml │ ├── execution_suspicious_jar_child_process.toml │ ├── execution_vi_binary.toml │ ├── execution_via_net_com_assemblies.toml │ ├── exfiltration_ec2_snapshot_change_activity.toml │ ├── exfiltration_rds_snapshot_export.toml │ ├── impact_potential_linux_ransomware_file_encryption.toml │ ├── impact_virtual_network_device_modified.toml │ ├── initial_access_cross_site_scripting.toml │ ├── initial_access_login_failures.toml │ ├── initial_access_login_location.toml │ ├── initial_access_login_sessions.toml │ ├── initial_access_login_time.toml │ ├── initial_access_rdp_remote_desktop_protocol_to_the_internet.toml │ ├── initial_access_ssh_connection_established_inside_a_container.toml │ ├── lateral_movement_malicious_remote_file_creation.toml │ ├── lateral_movement_remote_file_creation_in_sensitive_directory.toml │ ├── lateral_movement_ssh_process_launched_inside_a_container.toml │ ├── linux_mknod_activity.toml │ ├── linux_nmap_activity.toml │ ├── linux_socat_activity.toml │ ├── persistence_cron_jobs_creation_and_runtime.toml │ ├── persistence_etc_file_creation.toml │ ├── persistence_google_workspace_user_group_access_modified_to_allow_external_access.toml │ ├── persistence_kernel_module_activity.toml │ ├── persistence_shell_activity_by_web_server.toml │ ├── persistence_ssh_authorized_keys_modification_inside_a_container.toml │ ├── privilege_escalation_debugfs_launched_inside_a_privileged_container.toml │ ├── privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.toml │ ├── privilege_escalation_krbrelayup_suspicious_logon.toml │ ├── privilege_escalation_linux_strace_activity.toml │ ├── privilege_escalation_mount_launched_inside_a_privileged_container.toml │ ├── privilege_escalation_potential_container_escape_via_modified_notify_on_release_file.toml │ ├── privilege_escalation_potential_container_escape_via_modified_release_agent_file.toml │ ├── privilege_escalation_printspooler_malicious_driver_file_changes.toml │ ├── privilege_escalation_printspooler_malicious_registry_modification.toml │ ├── privilege_escalation_root_login_without_mfa.toml │ ├── privilege_escalation_setgid_bit_set_via_chmod.toml │ ├── threat_intel_filebeat7x.toml │ ├── threat_intel_filebeat8x.toml │ └── threat_intel_fleet_integrations.toml ├── apm │ ├── apm_403_response_to_a_post.toml │ ├── apm_405_response_method_not_allowed.toml │ └── apm_sqlmap_user_agent.toml ├── cross-platform │ ├── command_and_control_curl_wget_spawn_via_nodejs_parent.toml │ ├── command_and_control_google_drive_malicious_file_download.toml │ ├── command_and_control_non_standard_ssh_port.toml │ ├── command_and_control_pan_elastic_defend_c2.toml │ ├── command_and_control_socks_fortigate_endpoint.toml │ ├── credential_access_cookies_chromium_browsers_debugging.toml │ ├── credential_access_forced_authentication_pipes.toml │ ├── credential_access_gitleaks_execution.toml │ ├── credential_access_multi_could_secrets_via_api.toml │ ├── credential_access_trufflehog_execution.toml │ ├── defense_evasion_agent_spoofing_mismatched_id.toml │ ├── defense_evasion_agent_spoofing_multiple_hosts.toml │ ├── defense_evasion_deleting_websvr_access_logs.toml │ ├── defense_evasion_deletion_of_bash_command_line_history.toml │ ├── defense_evasion_elastic_agent_service_terminated.toml │ ├── defense_evasion_encoding_rot13_python_script.toml │ ├── defense_evasion_masquerading_space_after_filename.toml │ ├── defense_evasion_potential_http_downgrade_attack.toml │ ├── defense_evasion_timestomp_touch.toml │ ├── defense_evasion_whitespace_padding_command_line.toml │ ├── discovery_security_software_grep.toml │ ├── discovery_virtual_machine_fingerprinting_grep.toml │ ├── execution_aws_ssm_sendcommand_with_command_parameters.toml │ ├── execution_git_exploit_cve_2025_48384.toml │ ├── execution_nodejs_pre_or_post_install_script_execution.toml │ ├── execution_pentest_eggshell_remote_admin_tool.toml │ ├── execution_potential_widespread_malware_infection.toml │ ├── execution_privileged_container_creation_with_host_reference.toml │ ├── execution_register_github_actions_runner.toml │ ├── execution_revershell_via_shell_cmd.toml │ ├── execution_suspicious_java_netcon_childproc.toml │ ├── execution_via_github_actions_runner.toml │ ├── execution_via_github_runner_with_runner_tracking_id_tampering_via_env_vars.toml │ ├── guided_onboarding_sample_rule.toml │ ├── impact_hosts_file_modified.toml │ ├── initial_access_azure_o365_with_network_alert.toml │ ├── initial_access_execution_susp_react_serv_child.toml │ ├── initial_access_exfiltration_new_usb_device_mounted.toml │ ├── initial_access_file_upload_followed_by_get_request.toml │ ├── initial_access_zoom_meeting_with_no_passcode.toml │ ├── multiple_alerts_different_tactics_host.toml │ ├── multiple_alerts_edr_elastic_defend_by_host.toml │ ├── multiple_alerts_elastic_defend_netsecurity_by_host.toml │ ├── multiple_alerts_email_elastic_defend_correlation.toml │ ├── multiple_alerts_involving_user.toml │ ├── multiple_alerts_risky_host_esql.toml │ ├── persistence_credential_access_modify_auth_module_or_config.toml │ ├── persistence_shell_profile_modification.toml │ ├── persistence_ssh_authorized_keys_modification.toml │ ├── persistence_web_server_potential_command_injection.toml │ ├── privilege_escalation_echo_nopasswd_sudoers.toml │ ├── privilege_escalation_setuid_setgid_bit_set_via_chmod.toml │ ├── privilege_escalation_sudo_buffer_overflow.toml │ ├── privilege_escalation_sudoers_file_mod.toml │ ├── reconnaissance_web_server_discovery_or_fuzzing_activity.toml │ ├── reconnaissance_web_server_unusual_spike_in_error_logs.toml │ ├── reconnaissance_web_server_unusual_spike_in_error_response_codes.toml │ └── reconnaissance_web_server_unusual_user_agents.toml ├── integrations │ ├── aws │ │ ├── NOTICE.txt │ │ ├── collection_cloudtrail_logging_created.toml │ │ ├── collection_s3_unauthenticated_bucket_access_by_rare_source.toml │ │ ├── credential_access_aws_getpassword_for_ec2_instance.toml │ │ ├── credential_access_iam_compromisedkeyquarantine_policy_attached_to_user.toml │ │ ├── credential_access_iam_user_addition_to_group.toml │ │ ├── credential_access_new_terms_secretsmanager_getsecretvalue.toml │ │ ├── credential_access_rapid_secret_retrieval_attempts_from_secretsmanager.toml │ │ ├── credential_access_retrieve_secure_string_parameters_via_ssm.toml │ │ ├── credential_access_root_console_failure_brute_force.toml │ │ ├── defense_evasion_cloudtrail_logging_deleted.toml │ │ ├── defense_evasion_cloudtrail_logging_evasion.toml │ │ ├── defense_evasion_cloudtrail_logging_suspended.toml │ │ ├── defense_evasion_cloudwatch_alarm_deletion.toml │ │ ├── defense_evasion_config_service_rule_deletion.toml │ │ ├── defense_evasion_configuration_recorder_stopped.toml │ │ ├── defense_evasion_ec2_flow_log_deletion.toml │ │ ├── defense_evasion_ec2_network_acl_deletion.toml │ │ ├── defense_evasion_elasticache_security_group_creation.toml │ │ ├── defense_evasion_elasticache_security_group_modified_or_deleted.toml │ │ ├── defense_evasion_guardduty_detector_deletion.toml │ │ ├── defense_evasion_rds_instance_restored.toml │ │ ├── defense_evasion_route53_dns_query_resolver_config_deletion.toml │ │ ├── defense_evasion_s3_bucket_configuration_deletion.toml │ │ ├── defense_evasion_s3_bucket_lifecycle_expiration_added.toml │ │ ├── defense_evasion_s3_bucket_server_access_logging_disabled.toml │ │ ├── defense_evasion_sqs_purge_queue.toml │ │ ├── defense_evasion_sts_get_federation_token.toml │ │ ├── defense_evasion_vpc_security_group_ingress_rule_added_for_remote_connections.toml │ │ ├── defense_evasion_waf_acl_deletion.toml │ │ ├── defense_evasion_waf_rule_or_rule_group_deletion.toml │ │ ├── discovery_ec2_deprecated_ami_discovery.toml │ │ ├── discovery_ec2_multi_region_describe_instances.toml │ │ ├── discovery_ec2_multiple_discovery_api_calls_via_cli.toml │ │ ├── discovery_ec2_userdata_request_for_ec2_instance.toml │ │ ├── discovery_iam_principal_enumeration_via_update_assume_role_policy.toml │ │ ├── discovery_new_terms_sts_getcalleridentity.toml │ │ ├── discovery_servicequotas_multi_region_service_quota_requests.toml │ │ ├── execution_lambda_external_layer_added_to_function.toml │ │ ├── execution_new_terms_cloudformation_createstack.toml │ │ ├── execution_ssm_command_document_created_by_rare_user.toml │ │ ├── execution_ssm_sendcommand_by_rare_user.toml │ │ ├── exfiltration_dynamodb_scan_by_unusual_user.toml │ │ ├── exfiltration_dynamodb_table_exported_to_s3.toml │ │ ├── exfiltration_ec2_ami_shared_with_separate_account.toml │ │ ├── exfiltration_ec2_ebs_snapshot_shared_with_another_account.toml │ │ ├── exfiltration_ec2_export_task.toml │ │ ├── exfiltration_ec2_full_network_packet_capture_detected.toml │ │ ├── exfiltration_ec2_vm_export_failure.toml │ │ ├── exfiltration_rds_snapshot_export.toml │ │ ├── exfiltration_rds_snapshot_shared_with_another_account.toml │ │ ├── exfiltration_s3_bucket_policy_added_for_external_account_access.toml │ │ ├── exfiltration_s3_bucket_policy_added_for_public_access.toml │ │ ├── exfiltration_s3_bucket_replicated_to_external_account.toml │ │ ├── exfiltration_sns_rare_protocol_subscription_by_user.toml │ │ ├── impact_aws_eventbridge_rule_disabled_or_deleted.toml │ │ ├── impact_aws_s3_bucket_enumeration_or_brute_force.toml │ │ ├── impact_cloudtrail_logging_updated.toml │ │ ├── impact_cloudwatch_log_group_deletion.toml │ │ ├── impact_cloudwatch_log_stream_deletion.toml │ │ ├── impact_ec2_disable_ebs_encryption.toml │ │ ├── impact_ec2_ebs_snapshot_access_removed.toml │ │ ├── impact_efs_filesystem_deleted.toml │ │ ├── impact_iam_deactivate_mfa_device.toml │ │ ├── impact_iam_group_deletion.toml │ │ ├── impact_kms_cmk_disabled_or_scheduled_for_deletion.toml │ │ ├── impact_rds_group_deletion.toml │ │ ├── impact_rds_instance_cluster_deletion.toml │ │ ├── impact_rds_instance_cluster_deletion_protection_disabled.toml │ │ ├── impact_rds_instance_cluster_stoppage.toml │ │ ├── impact_rds_snapshot_deleted.toml │ │ ├── impact_s3_bucket_object_uploaded_with_ransom_extension.toml │ │ ├── impact_s3_excessive_object_encryption_with_sse_c.toml │ │ ├── impact_s3_object_encryption_with_external_key.toml │ │ ├── impact_s3_object_versioning_disabled.toml │ │ ├── impact_s3_static_site_js_file_uploaded.toml │ │ ├── impact_s3_unusual_object_encryption_with_sse_c.toml │ │ ├── initial_access_console_login_root.toml │ │ ├── initial_access_iam_session_token_used_from_multiple_addresses.toml │ │ ├── initial_access_kali_user_agent_detected_with_aws_cli.toml │ │ ├── initial_access_password_recovery.toml │ │ ├── initial_access_signin_console_login_federated_user.toml │ │ ├── lateral_movement_aws_ssm_start_session_to_ec2_instance.toml │ │ ├── lateral_movement_ec2_instance_connect_ssh_public_key_uploaded.toml │ │ ├── lateral_movement_ec2_instance_console_login.toml │ │ ├── lateral_movement_sns_topic_message_publish_by_rare_user.toml │ │ ├── ml_cloudtrail_error_message_spike.toml │ │ ├── ml_cloudtrail_rare_error_code.toml │ │ ├── ml_cloudtrail_rare_method_by_city.toml │ │ ├── ml_cloudtrail_rare_method_by_country.toml │ │ ├── ml_cloudtrail_rare_method_by_user.toml │ │ ├── persistence_aws_attempt_to_register_virtual_mfa_device.toml │ │ ├── persistence_ec2_network_acl_creation.toml │ │ ├── persistence_ec2_route_table_modified_or_deleted.toml │ │ ├── persistence_ec2_security_group_configuration_change_detection.toml │ │ ├── persistence_iam_api_calls_via_user_session_token.toml │ │ ├── persistence_iam_create_login_profile_for_root.toml │ │ ├── persistence_iam_create_user_via_assumed_role_on_ec2_instance.toml │ │ ├── persistence_iam_group_creation.toml │ │ ├── persistence_iam_roles_anywhere_profile_created.toml │ │ ├── persistence_iam_roles_anywhere_trusted_anchor_created_with_external_ca.toml │ │ ├── persistence_iam_user_created_access_keys_for_another_user.toml │ │ ├── persistence_lambda_backdoor_invoke_function_for_any_principal.toml │ │ ├── persistence_rds_cluster_creation.toml │ │ ├── persistence_rds_db_instance_password_modified.toml │ │ ├── persistence_rds_group_creation.toml │ │ ├── persistence_rds_instance_creation.toml │ │ ├── persistence_rds_instance_made_public.toml │ │ ├── persistence_redshift_instance_creation.toml │ │ ├── persistence_route_53_domain_transfer_lock_disabled.toml │ │ ├── persistence_route_53_domain_transferred_to_another_account.toml │ │ ├── persistence_route_53_hosted_zone_associated_with_a_vpc.toml │ │ ├── persistence_route_table_created.toml │ │ ├── persistence_sts_assume_role_with_new_mfa.toml │ │ ├── privilege_escalation_iam_administratoraccess_policy_attached_to_group.toml │ │ ├── privilege_escalation_iam_administratoraccess_policy_attached_to_role.toml │ │ ├── privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml │ │ ├── privilege_escalation_iam_customer_managed_policy_attached_to_role.toml │ │ ├── privilege_escalation_iam_saml_provider_updated.toml │ │ ├── privilege_escalation_iam_update_assume_role_policy.toml │ │ ├── privilege_escalation_role_assumption_by_service.toml │ │ ├── privilege_escalation_role_assumption_by_user.toml │ │ ├── privilege_escalation_sts_assume_root_from_rare_user_and_member_account.toml │ │ ├── privilege_escalation_sts_role_chaining.toml │ │ └── resource_development_sns_topic_created_by_rare_user.toml │ ├── aws_bedrock │ │ ├── aws_bedrock_execution_without_guardrails.toml │ │ ├── aws_bedrock_guardrails_multiple_violations_by_single_user.toml │ │ ├── aws_bedrock_guardrails_multiple_violations_in_single_request.toml │ │ ├── aws_bedrock_high_confidence_misconduct_blocks_detected.toml │ │ ├── aws_bedrock_high_resource_consumption_detection.toml │ │ ├── aws_bedrock_multiple_attempts_to_use_denied_models_by_user.toml │ │ ├── aws_bedrock_multiple_sensitive_information_policy_blocks_detected.toml │ │ ├── aws_bedrock_multiple_topic_policy_blocks_detected.toml │ │ ├── aws_bedrock_multiple_validation_exception_errors_by_single_user.toml │ │ └── aws_bedrock_multiple_word_policy_blocks_detected.toml │ ├── azure │ │ ├── collection_azure_storage_account_blob_public_access_enabled.toml │ │ ├── collection_entra_auth_broker_sharepoint_access_for_user_principal.toml │ │ ├── collection_graph_email_access_by_unusual_public_client_via_graph.toml │ │ ├── credential_access_azure_entra_susp_device_code_signin.toml │ │ ├── credential_access_azure_entra_suspicious_signin.toml │ │ ├── credential_access_azure_entra_totp_brute_force_attempts.toml │ │ ├── credential_access_azure_full_network_packet_capture_detected.toml │ │ ├── credential_access_azure_key_vault_excessive_retrieval.toml │ │ ├── credential_access_azure_key_vault_retrieval_from_rare_identity.toml │ │ ├── credential_access_azure_storage_account_keys_accessed.toml │ │ ├── credential_access_entra_id_brute_force_activity.toml │ │ ├── credential_access_entra_id_excessive_account_lockouts.toml │ │ ├── credential_access_entra_signin_brute_force_microsoft_365.toml │ │ ├── credential_access_storage_account_key_regenerated.toml │ │ ├── defense_evasion_azure_automation_runbook_deleted.toml │ │ ├── defense_evasion_azure_blob_permissions_modified.toml │ │ ├── defense_evasion_azure_diagnostic_settings_deletion.toml │ │ ├── defense_evasion_event_hub_deletion.toml │ │ ├── defense_evasion_firewall_policy_deletion.toml │ │ ├── defense_evasion_frontdoor_firewall_policy_deletion.toml │ │ ├── defense_evasion_kubernetes_events_deleted.toml │ │ ├── defense_evasion_network_watcher_deletion.toml │ │ ├── defense_evasion_suppression_rule_created.toml │ │ ├── discovery_blob_container_access_mod.toml │ │ ├── discovery_bloodhound_user_agents_detected.toml │ │ ├── discovery_teamfiltration_user_agents_detected.toml │ │ ├── execution_azure_automation_runbook_created_or_modified.toml │ │ ├── execution_command_virtual_machine.toml │ │ ├── exfiltration_azure_storage_blob_download_azcopy_sas_token.toml │ │ ├── impact_azure_compute_restore_point_collection_deleted.toml │ │ ├── impact_azure_compute_restore_point_collections_deleted.toml │ │ ├── impact_azure_compute_vm_snapshot_deletion.toml │ │ ├── impact_azure_compute_vm_snapshot_deletions.toml │ │ ├── impact_azure_key_vault_modified.toml │ │ ├── impact_azure_storage_account_deletion.toml │ │ ├── impact_azure_storage_account_deletion_multiple.toml │ │ ├── impact_kubernetes_pod_deleted.toml │ │ ├── impact_resource_group_deletion.toml │ │ ├── initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml │ │ ├── initial_access_azure_active_directory_powershell_signin.toml │ │ ├── initial_access_entra_graph_single_session_from_multiple_addresses.toml │ │ ├── initial_access_entra_id_actor_token_user_impersonation_abuse.toml │ │ ├── initial_access_entra_id_device_code_auth_with_broker_client.toml │ │ ├── initial_access_entra_id_high_risk_signin.toml │ │ ├── initial_access_entra_id_oauth_user_impersonation_scope.toml │ │ ├── initial_access_entra_id_protection_confirmed_compromise.toml │ │ ├── initial_access_entra_id_protection_sign_in_risk_detected.toml │ │ ├── initial_access_entra_id_protection_user_risk_detected.toml │ │ ├── initial_access_entra_id_suspicious_oauth_flow_via_auth_broker_to_drs.toml │ │ ├── initial_access_entra_id_unusual_ropc_login_attempt.toml │ │ ├── initial_access_entra_id_user_reported_risk.toml │ │ ├── initial_access_entra_illicit_consent_grant_via_registered_application.toml │ │ ├── initial_access_entra_oauth_phishing_via_vscode_client.toml │ │ ├── initial_access_entra_protection_multi_azure_identity_protection_alerts.toml │ │ ├── initial_access_entra_rare_app_id_for_principal_auth.toml │ │ ├── initial_access_entra_rare_authentication_requirement_for_principal_user.toml │ │ ├── initial_access_external_guest_user_invite.toml │ │ ├── initial_access_first_time_seen_device_code_auth.toml │ │ ├── initial_access_graph_first_occurrence_of_client_request.toml │ │ ├── ml_azure_event_failures.toml │ │ ├── ml_azure_rare_event_failures.toml │ │ ├── ml_azure_rare_method_by_city.toml │ │ ├── ml_azure_rare_method_by_country.toml │ │ ├── ml_azure_rare_method_by_user.toml │ │ ├── persistence_azure_application_credential_modification.toml │ │ ├── persistence_azure_automation_account_created.toml │ │ ├── persistence_azure_automation_webhook_created.toml │ │ ├── persistence_azure_global_administrator_role_assigned.toml │ │ ├── persistence_azure_pim_user_added_global_admin.toml │ │ ├── persistence_azure_privileged_identity_management_role_modified.toml │ │ ├── persistence_azure_service_principal_credentials_added.toml │ │ ├── persistence_entra_conditional_access_policy_modified.toml │ │ ├── persistence_entra_id_mfa_disabled_for_user.toml │ │ ├── persistence_entra_id_oidc_discovery_url_change.toml │ │ ├── persistence_entra_id_rt_to_prt_transition_from_user_device.toml │ │ ├── persistence_entra_id_suspicious_adrs_token_request.toml │ │ ├── persistence_entra_id_suspicious_cloud_device_registration.toml │ │ ├── persistence_entra_id_user_signed_in_from_unusual_device.toml │ │ ├── persistence_entra_service_principal_created.toml │ │ ├── persistence_graph_eam_addition_or_modification.toml │ │ ├── persistence_identity_protect_alert_followed_by_device_reg.toml │ │ ├── persistence_update_event_hub_auth_rule.toml │ │ ├── persistence_user_added_as_owner_for_azure_application.toml │ │ ├── persistence_user_added_as_owner_for_azure_service_principal.toml │ │ ├── privilege_escalation_azure_kubernetes_rolebinding_created.toml │ │ ├── privilege_escalation_azure_rbac_administrator_roles_assigned.toml │ │ └── privilege_escalation_entra_id_elevate_to_user_administrator_access.toml │ ├── azure_openai │ │ ├── azure_openai_denial_of_ml_service_detection.toml │ │ ├── azure_openai_insecure_output_handling_detection.toml │ │ └── azure_openai_model_theft_detection.toml │ ├── beaconing │ │ ├── command_and_control_beaconing.toml │ │ └── command_and_control_beaconing_high_confidence.toml │ ├── cyberarkpas │ │ ├── privilege_escalation_cyberarkpas_error_audit_event_promotion.toml │ │ └── privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml │ ├── ded │ │ ├── exfiltration_ml_high_bytes_destination_geo_country_iso_code.toml │ │ ├── exfiltration_ml_high_bytes_destination_ip.toml │ │ ├── exfiltration_ml_high_bytes_destination_port.toml │ │ ├── exfiltration_ml_high_bytes_destination_region_name.toml │ │ ├── exfiltration_ml_high_bytes_written_to_external_device.toml │ │ ├── exfiltration_ml_high_bytes_written_to_external_device_airdrop.toml │ │ └── exfiltration_ml_rare_process_writing_to_external_device.toml │ ├── dga │ │ ├── command_and_control_ml_dga_activity_using_sunburst_domain.toml │ │ ├── command_and_control_ml_dga_high_sum_probability.toml │ │ ├── command_and_control_ml_dns_request_high_dga_probability.toml │ │ └── command_and_control_ml_dns_request_predicted_to_be_a_dga_domain.toml │ ├── endpoint │ │ ├── defense_evasion_elastic_memory_threat_detected.toml │ │ ├── defense_evasion_elastic_memory_threat_prevented.toml │ │ ├── elastic_endpoint_security.toml │ │ ├── elastic_endpoint_security_behavior_detected.toml │ │ ├── elastic_endpoint_security_behavior_prevented.toml │ │ ├── execution_elastic_malicious_file_detected.toml │ │ ├── execution_elastic_malicious_file_prevented.toml │ │ ├── impact_elastic_ransomware_detected.toml │ │ └── impact_elastic_ransomware_prevented.toml │ ├── fim │ │ └── persistence_suspicious_file_modifications.toml │ ├── gcp │ │ ├── collection_gcp_pub_sub_subscription_creation.toml │ │ ├── collection_gcp_pub_sub_topic_creation.toml │ │ ├── defense_evasion_gcp_firewall_rule_created.toml │ │ ├── defense_evasion_gcp_firewall_rule_deleted.toml │ │ ├── defense_evasion_gcp_firewall_rule_modified.toml │ │ ├── defense_evasion_gcp_logging_bucket_deletion.toml │ │ ├── defense_evasion_gcp_logging_sink_deletion.toml │ │ ├── defense_evasion_gcp_pub_sub_subscription_deletion.toml │ │ ├── defense_evasion_gcp_pub_sub_topic_deletion.toml │ │ ├── defense_evasion_gcp_storage_bucket_configuration_modified.toml │ │ ├── defense_evasion_gcp_storage_bucket_permissions_modified.toml │ │ ├── defense_evasion_gcp_virtual_private_cloud_network_deleted.toml │ │ ├── defense_evasion_gcp_virtual_private_cloud_route_created.toml │ │ ├── defense_evasion_gcp_virtual_private_cloud_route_deleted.toml │ │ ├── exfiltration_gcp_logging_sink_modification.toml │ │ ├── impact_gcp_iam_role_deletion.toml │ │ ├── impact_gcp_service_account_deleted.toml │ │ ├── impact_gcp_service_account_disabled.toml │ │ ├── impact_gcp_storage_bucket_deleted.toml │ │ ├── initial_access_gcp_iam_custom_role_creation.toml │ │ ├── ml_gcp_error_message_spike.toml │ │ ├── ml_gcp_rare_error_code.toml │ │ ├── ml_gcp_rare_method_by_city.toml │ │ ├── ml_gcp_rare_method_by_country.toml │ │ ├── ml_gcp_rare_method_by_user.toml │ │ ├── persistence_gcp_iam_service_account_key_deletion.toml │ │ ├── persistence_gcp_key_created_for_service_account.toml │ │ └── persistence_gcp_service_account_created.toml │ ├── github │ │ ├── defense_evasion_github_protected_branch_settings_changed.toml │ │ ├── execution_github_app_deleted.toml │ │ ├── execution_github_high_number_of_cloned_repos_from_pat.toml │ │ ├── execution_github_ueba_multiple_behavior_alerts_from_account.toml │ │ ├── execution_new_github_app_installed.toml │ │ ├── impact_github_repository_deleted.toml │ │ ├── initial_access_github_register_self_hosted_runner.toml │ │ ├── persistence_github_org_owner_added.toml │ │ └── persistence_organization_owner_role_granted.toml │ ├── google_workspace │ │ ├── collection_google_drive_ownership_transferred_via_google_workspace.toml │ │ ├── collection_google_workspace_custom_gmail_route_created_or_modified.toml │ │ ├── credential_access_google_workspace_drive_encryption_key_accessed_by_anonymous_user.toml │ │ ├── defense_evasion_application_removed_from_blocklist_in_google_workspace.toml │ │ ├── defense_evasion_domain_added_to_google_workspace_trusted_domains.toml │ │ ├── defense_evasion_google_workspace_bitlocker_setting_disabled.toml │ │ ├── defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml │ │ ├── defense_evasion_restrictions_for_marketplace_modified_to_allow_any_app.toml │ │ ├── google_workspace_alert_center_promotion.toml │ │ ├── impact_google_workspace_admin_role_deletion.toml │ │ ├── impact_google_workspace_mfa_enforcement_disabled.toml │ │ ├── initial_access_external_user_added_to_google_workspace_group.toml │ │ ├── initial_access_google_workspace_suspended_user_renewed.toml │ │ ├── initial_access_object_copied_to_external_drive_with_app_consent.toml │ │ ├── persistence_application_added_to_google_workspace_domain.toml │ │ ├── persistence_google_workspace_2sv_policy_disabled.toml │ │ ├── persistence_google_workspace_admin_role_assigned_to_user.toml │ │ ├── persistence_google_workspace_api_access_granted_via_dwd.toml │ │ ├── persistence_google_workspace_custom_admin_role_created.toml │ │ ├── persistence_google_workspace_password_policy_modified.toml │ │ ├── persistence_google_workspace_role_modified.toml │ │ ├── persistence_google_workspace_user_organizational_unit_changed.toml │ │ └── persistence_mfa_disabled_for_google_workspace_organization.toml │ ├── kubernetes │ │ ├── defense_evasion_events_deleted.toml │ │ ├── discovery_denied_service_account_request.toml │ │ ├── discovery_suspicious_self_subject_review.toml │ │ ├── execution_forbidden_creation_request.toml │ │ ├── execution_forbidden_request_from_unsual_user_agent.toml │ │ ├── execution_unusual_request_response_by_user_agent.toml │ │ ├── execution_user_exec_to_pod.toml │ │ ├── initial_access_anonymous_request_authorized.toml │ │ ├── persistence_exposed_service_created_with_type_nodeport.toml │ │ ├── privilege_escalation_container_created_with_excessive_linux_capabilities.toml │ │ ├── privilege_escalation_pod_created_with_hostipc.toml │ │ ├── privilege_escalation_pod_created_with_hostnetwork.toml │ │ ├── privilege_escalation_pod_created_with_hostpid.toml │ │ ├── privilege_escalation_pod_created_with_sensitive_hostpath_volume.toml │ │ ├── privilege_escalation_privileged_pod_created.toml │ │ └── privilege_escalation_suspicious_assignment_of_controller_service_account.toml │ ├── lmd │ │ ├── lateral_movement_ml_high_mean_rdp_process_args.toml │ │ ├── lateral_movement_ml_high_mean_rdp_session_duration.toml │ │ ├── lateral_movement_ml_high_remote_file_size.toml │ │ ├── lateral_movement_ml_high_variance_rdp_session_duration.toml │ │ ├── lateral_movement_ml_rare_remote_file_directory.toml │ │ ├── lateral_movement_ml_rare_remote_file_extension.toml │ │ ├── lateral_movement_ml_spike_in_connections_from_a_source_ip.toml │ │ ├── lateral_movement_ml_spike_in_connections_to_a_destination_ip.toml │ │ ├── lateral_movement_ml_spike_in_rdp_processes.toml │ │ ├── lateral_movement_ml_spike_in_remote_file_transfers.toml │ │ └── lateral_movement_ml_unusual_time_for_an_rdp_session.toml │ ├── o365 │ │ ├── collection_microsoft_365_excessive_mail_items_accessed.toml │ │ ├── collection_microsoft_365_mailbox_access_by_unusual_client_app_id.toml │ │ ├── collection_microsoft_365_new_inbox_rule.toml │ │ ├── collection_onedrive_excessive_file_downloads.toml │ │ ├── credential_access_antra_id_device_reg_via_oauth_redirection.toml │ │ ├── credential_access_microsoft_365_excessive_account_lockouts.toml │ │ ├── credential_access_microsoft_365_potential_user_account_brute_force.toml │ │ ├── credential_access_user_excessive_sso_logon_errors.toml │ │ ├── defense_evasion_microsoft_365_exchange_anti_phish_policy_deletion.toml │ │ ├── defense_evasion_microsoft_365_exchange_anti_phish_rule_mod.toml │ │ ├── defense_evasion_microsoft_365_exchange_dkim_signing_config_disabled.toml │ │ ├── defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml │ │ ├── defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml │ │ ├── defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml │ │ ├── defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml │ │ ├── defense_evasion_microsoft_365_exchange_safelinks_disabled.toml │ │ ├── defense_evasion_microsoft_365_mailboxauditbypassassociation.toml │ │ ├── defense_evasion_microsoft_365_new_inbox_rule_delete_or_move.toml │ │ ├── defense_evasion_microsoft_365_susp_oauth2_authorization.toml │ │ ├── defense_evasion_microsoft_365_teams_custom_app_interaction_allowed.toml │ │ ├── defense_evasion_microsoft_365_teams_external_access_enabled.toml │ │ ├── exfiltration_microsoft_365_exchange_transport_rule_creation.toml │ │ ├── exfiltration_microsoft_365_exchange_transport_rule_mod.toml │ │ ├── impact_microsoft_365_potential_ransomware_activity.toml │ │ ├── impact_microsoft_365_unusual_volume_of_file_deletion.toml │ │ ├── initial_access_defender_for_m365_threat_intelligence_signal.toml │ │ ├── initial_access_entra_id_portal_login_atypical_travel.toml │ │ ├── initial_access_entra_id_portal_login_impossible_travel.toml │ │ ├── initial_access_microsoft_365_entra_oauth_phishing_via_vscode_client.toml │ │ ├── initial_access_microsoft_365_illicit_consent_grant_via_registered_application.toml │ │ ├── initial_access_microsoft_365_user_restricted_from_sending_email.toml │ │ ├── initial_access_o365_user_reported_phish_malware.toml │ │ ├── lateral_movement_malware_uploaded_onedrive.toml │ │ ├── lateral_movement_malware_uploaded_sharepoint.toml │ │ ├── persistence_exchange_suspicious_mailbox_permission_delegation.toml │ │ ├── persistence_microsoft_365_exchange_management_role_assignment.toml │ │ ├── persistence_microsoft_365_global_administrator_role_assign.toml │ │ ├── persistence_microsoft_365_teams_guest_access_enabled.toml │ │ └── privilege_escalation_new_or_modified_federation_domain.toml │ ├── okta │ │ ├── credential_access_attempted_bypass_of_okta_mfa.toml │ │ ├── credential_access_attempts_to_brute_force_okta_user_account.toml │ │ ├── credential_access_multiple_auth_events_from_single_device_behind_proxy.toml │ │ ├── credential_access_multiple_device_token_hashes_for_single_okta_session.toml │ │ ├── credential_access_multiple_user_agent_os_authentication.toml │ │ ├── credential_access_okta_authentication_for_multiple_users_from_single_source.toml │ │ ├── credential_access_okta_authentication_for_multiple_users_with_the_same_device_token_hash.toml │ │ ├── credential_access_okta_brute_force_or_password_spraying.toml │ │ ├── credential_access_okta_mfa_bombing_via_push_notifications.toml │ │ ├── credential_access_okta_multiple_device_token_hashes_for_single_user.toml │ │ ├── credential_access_okta_potentially_successful_okta_bombing_via_push_notifications.toml │ │ ├── credential_access_user_impersonation_access.toml │ │ ├── defense_evasion_attempt_to_deactivate_okta_network_zone.toml │ │ ├── defense_evasion_attempt_to_delete_okta_network_zone.toml │ │ ├── defense_evasion_first_occurence_public_app_client_credential_token_exchange.toml │ │ ├── defense_evasion_okta_attempt_to_deactivate_okta_policy.toml │ │ ├── defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml │ │ ├── defense_evasion_okta_attempt_to_delete_okta_policy.toml │ │ ├── defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml │ │ ├── defense_evasion_okta_attempt_to_modify_okta_network_zone.toml │ │ ├── defense_evasion_okta_attempt_to_modify_okta_policy.toml │ │ ├── defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml │ │ ├── defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml │ │ ├── impact_attempt_to_revoke_okta_api_token.toml │ │ ├── impact_okta_attempt_to_deactivate_okta_application.toml │ │ ├── impact_okta_attempt_to_delete_okta_application.toml │ │ ├── impact_okta_attempt_to_modify_okta_application.toml │ │ ├── impact_possible_okta_dos_attack.toml │ │ ├── initial_access_first_occurrence_user_session_started_via_proxy.toml │ │ ├── initial_access_new_authentication_behavior_detection.toml │ │ ├── initial_access_okta_fastpass_phishing.toml │ │ ├── initial_access_okta_user_attempted_unauthorized_access.toml │ │ ├── initial_access_okta_user_sessions_started_from_different_geolocations.toml │ │ ├── initial_access_sign_in_events_via_third_party_idp.toml │ │ ├── initial_access_successful_application_sso_from_unknown_client_device.toml │ │ ├── initial_access_suspicious_activity_reported_by_okta_user.toml │ │ ├── lateral_movement_multiple_sessions_for_single_user.toml │ │ ├── okta_threatinsight_threat_suspected_promotion.toml │ │ ├── persistence_administrator_privileges_assigned_to_okta_group.toml │ │ ├── persistence_administrator_role_assigned_to_okta_user.toml │ │ ├── persistence_attempt_to_create_okta_api_token.toml │ │ ├── persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml │ │ ├── persistence_mfa_deactivation_with_no_reactivation.toml │ │ ├── persistence_new_idp_successfully_added_by_admin.toml │ │ ├── persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml │ │ └── persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml │ ├── pad │ │ ├── privileged_access_ml_linux_high_count_privileged_process_events_by_user.toml │ │ ├── privileged_access_ml_linux_high_median_process_command_line_entropy_by_user.toml │ │ ├── privileged_access_ml_linux_rare_process_executed_by_user.toml │ │ ├── privileged_access_ml_okta_high_sum_concurrent_sessions_by_user.toml │ │ ├── privileged_access_ml_okta_rare_host_name_by_user.toml │ │ ├── privileged_access_ml_okta_rare_region_name_by_user.toml │ │ ├── privileged_access_ml_okta_rare_source_ip_by_user.toml │ │ ├── privileged_access_ml_okta_spike_in_group_application_assignment_changes.toml │ │ ├── privileged_access_ml_okta_spike_in_group_lifecycle_changes.toml │ │ ├── privileged_access_ml_okta_spike_in_group_membership_changes.toml │ │ ├── privileged_access_ml_okta_spike_in_group_privilege_changes.toml │ │ ├── privileged_access_ml_okta_spike_in_user_lifecycle_management_changes.toml │ │ ├── privileged_access_ml_windows_high_count_group_management_events.toml │ │ ├── privileged_access_ml_windows_high_count_special_logon_events.toml │ │ ├── privileged_access_ml_windows_high_count_special_privilege_use_events.toml │ │ ├── privileged_access_ml_windows_high_count_user_account_management_events.toml │ │ ├── privileged_access_ml_windows_rare_device_by_user.toml │ │ ├── privileged_access_ml_windows_rare_group_name_by_user.toml │ │ ├── privileged_access_ml_windows_rare_privilege_assigned_to_user.toml │ │ ├── privileged_access_ml_windows_rare_region_name_by_user.toml │ │ └── privileged_access_ml_windows_rare_source_ip_by_user.toml │ └── problemchild │ │ ├── defense_evasion_ml_rare_process_for_a_host.toml │ │ ├── defense_evasion_ml_rare_process_for_a_parent_process.toml │ │ ├── defense_evasion_ml_rare_process_for_a_user.toml │ │ ├── defense_evasion_ml_suspicious_windows_event_high_probability.toml │ │ ├── defense_evasion_ml_suspicious_windows_event_low_probability.toml │ │ ├── defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml │ │ ├── defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml │ │ └── defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml ├── linux │ ├── collection_linux_clipboard_activity.toml │ ├── command_and_control_aws_cli_endpoint_url_used.toml │ ├── command_and_control_cat_network_activity.toml │ ├── command_and_control_cupsd_foomatic_rip_netcon.toml │ ├── command_and_control_curl_socks_proxy_detected.toml │ ├── command_and_control_frequent_egress_netcon_from_sus_executable.toml │ ├── command_and_control_git_repo_or_file_download_to_sus_dir.toml │ ├── command_and_control_ip_forwarding_activity.toml │ ├── command_and_control_kubectl_networking_modification.toml │ ├── command_and_control_linux_chisel_client_activity.toml │ ├── command_and_control_linux_chisel_server_activity.toml │ ├── command_and_control_linux_kworker_netcon.toml │ ├── command_and_control_linux_proxychains_activity.toml │ ├── command_and_control_linux_ssh_x11_forwarding.toml │ ├── command_and_control_linux_suspicious_proxychains_activity.toml │ ├── command_and_control_linux_tunneling_and_port_forwarding.toml │ ├── command_and_control_linux_tunneling_via_ssh_option.toml │ ├── command_and_control_suspicious_network_activity_from_unknown_executable.toml │ ├── command_and_control_telegram_api_request.toml │ ├── command_and_control_tunneling_via_earthworm.toml │ ├── credential_access_aws_creds_search_inside_container.toml │ ├── credential_access_collection_sensitive_files.toml │ ├── credential_access_collection_sensitive_files_compression_inside_container.toml │ ├── credential_access_credential_dumping.toml │ ├── credential_access_gdb_init_process_hooking.toml │ ├── credential_access_gdb_process_hooking.toml │ ├── credential_access_gh_auth_via_nodejs.toml │ ├── credential_access_kubernetes_service_account_secret_access.toml │ ├── credential_access_manual_memory_dumping.toml │ ├── credential_access_potential_linux_local_account_bruteforce.toml │ ├── credential_access_potential_linux_ssh_bruteforce_external.toml │ ├── credential_access_potential_linux_ssh_bruteforce_internal.toml │ ├── credential_access_potential_successful_linux_ftp_bruteforce.toml │ ├── credential_access_potential_successful_linux_rdp_bruteforce.toml │ ├── credential_access_potential_successful_linux_ssh_bruteforce.toml │ ├── credential_access_proc_credential_dumping.toml │ ├── credential_access_sensitive_keys_or_passwords_search_inside_container.toml │ ├── credential_access_ssh_backdoor_log.toml │ ├── credential_access_ssh_password_grabbing_via_strace.toml │ ├── credential_access_unusual_instance_metadata_service_api_request.toml │ ├── defense_evasion_acl_modification_via_setfacl.toml │ ├── defense_evasion_attempt_to_disable_auditd_service.toml │ ├── defense_evasion_attempt_to_disable_iptables_or_firewall.toml │ ├── defense_evasion_attempt_to_disable_syslog_service.toml │ ├── defense_evasion_authorized_keys_file_deletion.toml │ ├── defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml │ ├── defense_evasion_base64_decoding_activity.toml │ ├── defense_evasion_binary_copied_to_suspicious_directory.toml │ ├── defense_evasion_busybox_indirect_shell_spawn.toml │ ├── defense_evasion_chattr_immutable_file.toml │ ├── defense_evasion_clear_kernel_ring_buffer.toml │ ├── defense_evasion_creation_of_hidden_files_directories.toml │ ├── defense_evasion_curl_or_wget_executed_via_lolbin.toml │ ├── defense_evasion_directory_creation_in_bin.toml │ ├── defense_evasion_disable_apparmor_attempt.toml │ ├── defense_evasion_disable_selinux_attempt.toml │ ├── defense_evasion_doas_configuration_creation_or_rename.toml │ ├── defense_evasion_dynamic_linker_file_creation.toml │ ├── defense_evasion_esxi_suspicious_timestomp_touch.toml │ ├── defense_evasion_file_deletion_via_shred.toml │ ├── defense_evasion_file_mod_writable_dir.toml │ ├── defense_evasion_hex_payload_execution_via_commandline.toml │ ├── defense_evasion_hex_payload_execution_via_utility.toml │ ├── defense_evasion_hidden_directory_creation.toml │ ├── defense_evasion_hidden_file_dir_tmp.toml │ ├── defense_evasion_hidden_shared_object.toml │ ├── defense_evasion_interactive_shell_from_system_user.toml │ ├── defense_evasion_interpreter_launched_from_decoded_payload.toml │ ├── defense_evasion_journalctl_clear_logs.toml │ ├── defense_evasion_kernel_module_removal.toml │ ├── defense_evasion_kill_command_executed.toml │ ├── defense_evasion_kthreadd_masquerading.toml │ ├── defense_evasion_ld_preload_cmdline.toml │ ├── defense_evasion_ld_so_creation.toml │ ├── defense_evasion_log_files_deleted.toml │ ├── defense_evasion_mount_execution.toml │ ├── defense_evasion_multi_base64_decoding_attempt.toml │ ├── defense_evasion_potential_kubectl_impersonation.toml │ ├── defense_evasion_potential_kubectl_masquerading.toml │ ├── defense_evasion_potential_proot_exploits.toml │ ├── defense_evasion_prctl_process_name_tampering.toml │ ├── defense_evasion_rename_esxi_files.toml │ ├── defense_evasion_rename_esxi_index_file.toml │ ├── defense_evasion_root_certificate_installation.toml │ ├── defense_evasion_selinux_configuration_creation_or_renaming.toml │ ├── defense_evasion_ssl_certificate_deletion.toml │ ├── defense_evasion_sus_utility_executed_via_tmux_or_screen.toml │ ├── defense_evasion_suspicious_path_mounted.toml │ ├── defense_evasion_symlink_binary_to_writable_dir.toml │ ├── defense_evasion_sysctl_kernel_feature_activity.toml │ ├── defense_evasion_unsual_kill_signal.toml │ ├── defense_evasion_unusual_preload_env_vars.toml │ ├── defense_evasion_var_log_file_creation_by_unsual_process.toml │ ├── discovery_docker_socket_discovery.toml │ ├── discovery_dynamic_linker_via_od.toml │ ├── discovery_esxi_software_via_find.toml │ ├── discovery_esxi_software_via_grep.toml │ ├── discovery_kernel_module_enumeration.toml │ ├── discovery_kernel_seeking.toml │ ├── discovery_kernel_unpacking.toml │ ├── discovery_kubeconfig_file_discovery.toml │ ├── discovery_kubectl_permission_discovery.toml │ ├── discovery_linux_hping_activity.toml │ ├── discovery_linux_nping_activity.toml │ ├── discovery_manual_mount_discovery_via_exports_or_fstab.toml │ ├── discovery_pam_version_discovery.toml │ ├── discovery_ping_sweep_detected.toml │ ├── discovery_polkit_version_discovery.toml │ ├── discovery_port_scanning_activity_from_compromised_host.toml │ ├── discovery_private_key_password_searching_activity.toml │ ├── discovery_proc_maps_read.toml │ ├── discovery_process_capabilities.toml │ ├── discovery_pspy_process_monitoring_detected.toml │ ├── discovery_security_file_access_via_common_utility.toml │ ├── discovery_subnet_scanning_activity_from_compromised_host.toml │ ├── discovery_sudo_allowed_command_enumeration.toml │ ├── discovery_suid_sguid_enumeration.toml │ ├── discovery_suspicious_memory_grep_activity.toml │ ├── discovery_suspicious_network_tool_launched_inside_container.toml │ ├── discovery_suspicious_which_command_execution.toml │ ├── discovery_unusual_user_enumeration_via_id.toml │ ├── discovery_virtual_machine_fingerprinting.toml │ ├── discovery_yum_dnf_plugin_detection.toml │ ├── execution_abnormal_process_id_file_created.toml │ ├── execution_container_management_binary_launched_inside_container.toml │ ├── execution_cupsd_foomatic_rip_file_creation.toml │ ├── execution_cupsd_foomatic_rip_lp_user_execution.toml │ ├── execution_cupsd_foomatic_rip_shell_execution.toml │ ├── execution_cupsd_foomatic_rip_suspicious_child_execution.toml │ ├── execution_curl_cve_2023_38545_heap_overflow.toml │ ├── execution_egress_connection_from_entrypoint_in_container.toml │ ├── execution_executable_stack_execution.toml │ ├── execution_file_execution_followed_by_deletion.toml │ ├── execution_file_made_executable_via_chmod_inside_container.toml │ ├── execution_file_transfer_or_listener_established_via_netcat.toml │ ├── execution_interpreter_tty_upgrade.toml │ ├── execution_kubectl_apply_pod_from_url.toml │ ├── execution_kubernetes_direct_api_request_via_curl_or_wget.toml │ ├── execution_nc_listener_via_rlwrap.toml │ ├── execution_netcon_from_rwx_mem_region_binary.toml │ ├── execution_network_event_post_compilation.toml │ ├── execution_perl_tty_shell.toml │ ├── execution_potential_hack_tool_executed.toml │ ├── execution_potentially_overly_permissive_container_creation.toml │ ├── execution_process_backgrounded_by_unusual_parent.toml │ ├── execution_process_started_from_process_id_file.toml │ ├── execution_process_started_in_shared_memory_directory.toml │ ├── execution_python_tty_shell.toml │ ├── execution_python_webserver_spawned.toml │ ├── execution_remote_code_execution_via_postgresql.toml │ ├── execution_shell_evasion_linux_binary.toml │ ├── execution_shell_openssl_client_or_server.toml │ ├── execution_shell_via_background_process.toml │ ├── execution_shell_via_child_tcp_utility_linux.toml │ ├── execution_shell_via_java_revshell_linux.toml │ ├── execution_shell_via_lolbin_interpreter_linux.toml │ ├── execution_shell_via_meterpreter_linux.toml │ ├── execution_shell_via_suspicious_binary.toml │ ├── execution_shell_via_tcp_cli_utility_linux.toml │ ├── execution_shell_via_udp_cli_utility_linux.toml │ ├── execution_sus_extraction_or_decrompression_via_funzip.toml │ ├── execution_suspicious_executable_running_system_commands.toml │ ├── execution_suspicious_mining_process_creation_events.toml │ ├── execution_suspicious_mkfifo_execution.toml │ ├── execution_suspicious_pod_or_container_creation_command_execution.toml │ ├── execution_system_binary_file_permission_change.toml │ ├── execution_tc_bpf_filter.toml │ ├── execution_unix_socket_communication.toml │ ├── execution_unknown_rwx_mem_region_binary_executed.toml │ ├── execution_unusual_interactive_process_inside_container.toml │ ├── execution_unusual_kthreadd_execution.toml │ ├── execution_unusual_path_invocation_from_command_line.toml │ ├── execution_unusual_pkexec_execution.toml │ ├── exfiltration_potential_curl_data_exfiltration.toml │ ├── exfiltration_potential_data_splitting_for_exfiltration.toml │ ├── exfiltration_unusual_file_transfer_utility_launched.toml │ ├── impact_data_encrypted_via_openssl.toml │ ├── impact_esxi_process_kill.toml │ ├── impact_memory_swap_modification.toml │ ├── impact_potential_bruteforce_malware_infection.toml │ ├── impact_potential_linux_ransomware_note_detected.toml │ ├── impact_process_kill_threshold.toml │ ├── initial_access_apache_struts_cve_2023_50164_exploitation_to_webshell.toml │ ├── initial_access_first_time_public_key_authentication.toml │ ├── initial_access_successful_ssh_authentication_by_unusual_ip.toml │ ├── initial_access_successful_ssh_authentication_by_unusual_user.toml │ ├── lateral_movement_kubeconfig_file_activity.toml │ ├── lateral_movement_remote_file_creation_world_writeable_dir.toml │ ├── lateral_movement_ssh_it_worm_download.toml │ ├── lateral_movement_ssh_process_launched_inside_container.toml │ ├── lateral_movement_telnet_network_activity_external.toml │ ├── lateral_movement_telnet_network_activity_internal.toml │ ├── lateral_movement_unusual_remote_file_creation.toml │ ├── persistence_apt_package_manager_execution.toml │ ├── persistence_apt_package_manager_file_creation.toml │ ├── persistence_apt_package_manager_netcon.toml │ ├── persistence_at_job_creation.toml │ ├── persistence_boot_file_copy.toml │ ├── persistence_bpf_probe_write_user.toml │ ├── persistence_chkconfig_service_add.toml │ ├── persistence_credential_access_modify_ssh_binaries.toml │ ├── persistence_cron_job_creation.toml │ ├── persistence_dbus_service_creation.toml │ ├── persistence_dbus_unsual_daemon_parent_execution.toml │ ├── persistence_dnf_package_manager_plugin_file_creation.toml │ ├── persistence_dpkg_package_installation_from_unusual_parent.toml │ ├── persistence_dpkg_unusual_execution.toml │ ├── persistence_dracut_module_creation.toml │ ├── persistence_dynamic_linker_backup.toml │ ├── persistence_extract_initramfs_via_cpio.toml │ ├── persistence_git_hook_execution.toml │ ├── persistence_git_hook_file_creation.toml │ ├── persistence_git_hook_netcon.toml │ ├── persistence_git_hook_process_execution.toml │ ├── persistence_grub_configuration_creation.toml │ ├── persistence_grub_makeconfig.toml │ ├── persistence_init_d_file_creation.toml │ ├── persistence_insmod_kernel_module_load.toml │ ├── persistence_kde_autostart_modification.toml │ ├── persistence_kernel_driver_load.toml │ ├── persistence_kernel_driver_load_by_non_root.toml │ ├── persistence_kernel_object_file_creation.toml │ ├── persistence_kubernetes_sensitive_file_activity.toml │ ├── persistence_kworker_file_creation.toml │ ├── persistence_linux_backdoor_user_creation.toml │ ├── persistence_linux_group_creation.toml │ ├── persistence_linux_shell_activity_via_web_server.toml │ ├── persistence_linux_user_account_creation.toml │ ├── persistence_linux_user_added_to_privileged_group.toml │ ├── persistence_lkm_configuration_file_creation.toml │ ├── persistence_manual_dracut_execution.toml │ ├── persistence_message_of_the_day_creation.toml │ ├── persistence_message_of_the_day_execution.toml │ ├── persistence_network_manager_dispatcher_persistence.toml │ ├── persistence_openssl_passwd_hash_generation.toml │ ├── persistence_pluggable_authentication_module_creation.toml │ ├── persistence_pluggable_authentication_module_creation_in_unusual_dir.toml │ ├── persistence_pluggable_authentication_module_pam_exec_backdoor_exec.toml │ ├── persistence_pluggable_authentication_module_source_download.toml │ ├── persistence_polkit_policy_creation.toml │ ├── persistence_potential_persistence_script_executable_bit_set.toml │ ├── persistence_process_capability_set_via_setcap.toml │ ├── persistence_pth_file_creation.toml │ ├── persistence_rc_local_error_via_syslog.toml │ ├── persistence_rc_local_service_already_running.toml │ ├── persistence_rc_script_creation.toml │ ├── persistence_rpm_package_installation_from_unusual_parent.toml │ ├── persistence_setuid_setgid_capability_set.toml │ ├── persistence_shadow_file_modification.toml │ ├── persistence_shared_object_creation.toml │ ├── persistence_shell_configuration_modification.toml │ ├── persistence_simple_web_server_connection_accepted.toml │ ├── persistence_simple_web_server_creation.toml │ ├── persistence_site_and_user_customize_file_creation.toml │ ├── persistence_ssh_key_generation.toml │ ├── persistence_ssh_netcon.toml │ ├── persistence_ssh_via_backdoored_system_user.toml │ ├── persistence_suspicious_file_opened_through_editor.toml │ ├── persistence_suspicious_ssh_execution_xzbackdoor.toml │ ├── persistence_systemd_generator_creation.toml │ ├── persistence_systemd_netcon.toml │ ├── persistence_systemd_scheduled_timer_created.toml │ ├── persistence_systemd_service_creation.toml │ ├── persistence_systemd_service_started.toml │ ├── persistence_systemd_shell_execution.toml │ ├── persistence_tainted_kernel_module_load.toml │ ├── persistence_tainted_kernel_module_out_of_tree_load.toml │ ├── persistence_udev_rule_creation.toml │ ├── persistence_unpack_initramfs_via_unmkinitramfs.toml │ ├── persistence_unusual_exim4_child_process.toml │ ├── persistence_unusual_pam_grantor.toml │ ├── persistence_unusual_sshd_child_process.toml │ ├── persistence_user_credential_modification_via_echo.toml │ ├── persistence_user_or_group_creation_or_modification.toml │ ├── persistence_web_server_sus_child_spawned.toml │ ├── persistence_web_server_sus_command_execution.toml │ ├── persistence_web_server_sus_destination_port.toml │ ├── persistence_web_server_unusual_command_execution.toml │ ├── persistence_xdg_autostart_netcon.toml │ ├── persistence_yum_package_manager_plugin_file_creation.toml │ ├── privilege_escalation_chown_chmod_unauthorized_file_read.toml │ ├── privilege_escalation_container_util_misconfiguration.toml │ ├── privilege_escalation_cve_2025_32463_nsswitch_file_creation.toml │ ├── privilege_escalation_cve_2025_32463_sudo_chroot_execution.toml │ ├── privilege_escalation_cve_2025_41244_vmtoolsd_lpe.toml │ ├── privilege_escalation_dac_permissions.toml │ ├── privilege_escalation_debugfs_launched_inside_container.toml │ ├── privilege_escalation_docker_escape_via_nsenter.toml │ ├── privilege_escalation_docker_mount_chroot_container_escape.toml │ ├── privilege_escalation_docker_release_file_creation.toml │ ├── privilege_escalation_enlightenment_window_manager.toml │ ├── privilege_escalation_gdb_sys_ptrace_elevation.toml │ ├── privilege_escalation_gdb_sys_ptrace_netcon.toml │ ├── privilege_escalation_kworker_uid_elevation.toml │ ├── privilege_escalation_ld_preload_shared_object_modif.toml │ ├── privilege_escalation_linux_suspicious_symbolic_link.toml │ ├── privilege_escalation_linux_uid_int_max_bug.toml │ ├── privilege_escalation_load_and_unload_of_kernel_via_kexec.toml │ ├── privilege_escalation_looney_tunables_cve_2023_4911.toml │ ├── privilege_escalation_mount_launched_inside_container.toml │ ├── privilege_escalation_netcon_via_sudo_binary.toml │ ├── privilege_escalation_overlayfs_local_privesc.toml │ ├── privilege_escalation_pkexec_envar_hijack.toml │ ├── privilege_escalation_potential_bufferoverflow_attack.toml │ ├── privilege_escalation_potential_suid_sgid_exploitation.toml │ ├── privilege_escalation_potential_suid_sgid_proxy_execution.toml │ ├── privilege_escalation_potential_wildcard_shell_spawn.toml │ ├── privilege_escalation_sda_disk_mount_non_root.toml │ ├── privilege_escalation_shadow_file_read.toml │ ├── privilege_escalation_sudo_cve_2019_14287.toml │ ├── privilege_escalation_sudo_hijacking.toml │ ├── privilege_escalation_sudo_token_via_process_injection.toml │ ├── privilege_escalation_suspicious_cap_setuid_python_execution.toml │ ├── privilege_escalation_suspicious_chown_fowner_elevation.toml │ ├── privilege_escalation_suspicious_passwd_file_write.toml │ ├── privilege_escalation_suspicious_uid_guid_elevation.toml │ ├── privilege_escalation_uid_change_post_compilation.toml │ ├── privilege_escalation_uid_elevation_from_unknown_executable.toml │ ├── privilege_escalation_unshare_namespace_manipulation.toml │ └── privilege_escalation_writable_docker_socket.toml ├── macos │ ├── command_and_control_unusual_connection_to_suspicious_top_level_domain.toml │ ├── command_and_control_unusual_network_connection_to_suspicious_web_service.toml │ ├── credential_access_credentials_keychains.toml │ ├── credential_access_dumping_hashes_bi_cmds.toml │ ├── credential_access_dumping_keychain_security.toml │ ├── credential_access_high_volume_of_pbpaste.toml │ ├── credential_access_kerberosdump_kcc.toml │ ├── credential_access_keychain_pwd_retrieval_security_cmd.toml │ ├── credential_access_mitm_localhost_webproxy.toml │ ├── credential_access_potential_macos_ssh_bruteforce.toml │ ├── credential_access_promt_for_pwd_via_osascript.toml │ ├── credential_access_suspicious_web_browser_sensitive_file_access.toml │ ├── credential_access_systemkey_dumping.toml │ ├── defense_evasion_apple_softupdates_modification.toml │ ├── defense_evasion_attempt_del_quarantine_attrib.toml │ ├── defense_evasion_attempt_to_disable_gatekeeper.toml │ ├── defense_evasion_install_root_certificate.toml │ ├── defense_evasion_modify_environment_launchctl.toml │ ├── defense_evasion_privacy_controls_tcc_database_modification.toml │ ├── defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml │ ├── defense_evasion_safari_config_change.toml │ ├── defense_evasion_sandboxed_office_app_suspicious_zip_file.toml │ ├── defense_evasion_tcc_bypass_mounted_apfs_access.toml │ ├── defense_evasion_unload_endpointsecurity_kext.toml │ ├── discovery_users_domain_built_in_commands.toml │ ├── execution_defense_evasion_electron_app_childproc_node_js.toml │ ├── execution_initial_access_suspicious_browser_childproc.toml │ ├── execution_installer_package_spawned_network_event.toml │ ├── execution_script_via_automator_workflows.toml │ ├── execution_scripting_osascript_exec_followed_by_netcon.toml │ ├── execution_shell_execution_via_apple_scripting.toml │ ├── initial_access_suspicious_mac_ms_office_child_process.toml │ ├── lateral_movement_credential_access_kerberos_bifrostconsole.toml │ ├── lateral_movement_mounting_smb_share.toml │ ├── lateral_movement_remote_ssh_login_enabled.toml │ ├── lateral_movement_vpn_connection_attempt.toml │ ├── persistence_account_creation_hide_at_logon.toml │ ├── persistence_creation_change_launch_agents_file.toml │ ├── persistence_creation_hidden_login_item_osascript.toml │ ├── persistence_creation_modif_launch_deamon_sequence.toml │ ├── persistence_credential_access_authorization_plugin_creation.toml │ ├── persistence_crontab_creation.toml │ ├── persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml │ ├── persistence_directory_services_plugins_modification.toml │ ├── persistence_docker_shortcuts_plist_modification.toml │ ├── persistence_emond_rules_file_creation.toml │ ├── persistence_emond_rules_process_execution.toml │ ├── persistence_enable_root_account.toml │ ├── persistence_evasion_hidden_launch_agent_deamon_creation.toml │ ├── persistence_finder_sync_plugin_pluginkit.toml │ ├── persistence_folder_action_scripts_runtime.toml │ ├── persistence_login_logout_hooks_defaults.toml │ ├── persistence_loginwindow_plist_modification.toml │ ├── persistence_modification_sublime_app_plugin_or_script.toml │ ├── persistence_periodic_tasks_file_mdofiy.toml │ ├── persistence_screensaver_engine_unexpected_child_process.toml │ ├── persistence_screensaver_plist_file_modification.toml │ ├── persistence_suspicious_calendar_modification.toml │ ├── persistence_via_atom_init_file_modification.toml │ ├── privilege_escalation_applescript_with_admin_privs.toml │ ├── privilege_escalation_explicit_creds_via_scripting.toml │ ├── privilege_escalation_exploit_adobe_acrobat_updater.toml │ ├── privilege_escalation_local_user_added_to_admin.toml │ ├── privilege_escalation_root_crontab_filemod.toml │ └── privilege_escalation_user_added_to_admin_group.toml ├── ml │ ├── command_and_control_ml_packetbeat_dns_tunneling.toml │ ├── command_and_control_ml_packetbeat_rare_dns_question.toml │ ├── command_and_control_ml_packetbeat_rare_urls.toml │ ├── command_and_control_ml_packetbeat_rare_user_agent.toml │ ├── credential_access_ml_auth_spike_in_failed_logon_events.toml │ ├── credential_access_ml_auth_spike_in_logon_events.toml │ ├── credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml │ ├── credential_access_ml_linux_anomalous_metadata_process.toml │ ├── credential_access_ml_linux_anomalous_metadata_user.toml │ ├── credential_access_ml_suspicious_login_activity.toml │ ├── credential_access_ml_windows_anomalous_metadata_process.toml │ ├── credential_access_ml_windows_anomalous_metadata_user.toml │ ├── discovery_ml_linux_system_information_discovery.toml │ ├── discovery_ml_linux_system_network_configuration_discovery.toml │ ├── discovery_ml_linux_system_network_connection_discovery.toml │ ├── discovery_ml_linux_system_process_discovery.toml │ ├── discovery_ml_linux_system_user_discovery.toml │ ├── execution_ml_windows_anomalous_script.toml │ ├── initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml │ ├── initial_access_ml_auth_rare_source_ip_for_a_user.toml │ ├── initial_access_ml_auth_rare_user_logon.toml │ ├── initial_access_ml_linux_anomalous_user_name.toml │ ├── initial_access_ml_windows_anomalous_user_name.toml │ ├── initial_access_ml_windows_rare_user_type10_remote_login.toml │ ├── ml_high_count_events_for_a_host_name.toml │ ├── ml_high_count_network_denies.toml │ ├── ml_high_count_network_events.toml │ ├── ml_linux_anomalous_network_activity.toml │ ├── ml_linux_anomalous_network_port_activity.toml │ ├── ml_low_count_events_for_a_host_name.toml │ ├── ml_packetbeat_rare_server_domain.toml │ ├── ml_rare_destination_country.toml │ ├── ml_spike_in_traffic_to_a_country.toml │ ├── ml_windows_anomalous_network_activity.toml │ ├── persistence_ml_linux_anomalous_process_all_hosts.toml │ ├── persistence_ml_rare_process_by_host_linux.toml │ ├── persistence_ml_rare_process_by_host_windows.toml │ ├── persistence_ml_windows_anomalous_path_activity.toml │ ├── persistence_ml_windows_anomalous_process_all_hosts.toml │ ├── persistence_ml_windows_anomalous_process_creation.toml │ ├── persistence_ml_windows_anomalous_service.toml │ ├── privilege_escalation_ml_linux_anomalous_sudo_activity.toml │ ├── privilege_escalation_ml_windows_rare_user_runas_event.toml │ └── resource_development_ml_linux_anomalous_compiler_activity.toml ├── network │ ├── command_and_control_accepted_default_telnet_port_connection.toml │ ├── command_and_control_cobalt_strike_beacon.toml │ ├── command_and_control_cobalt_strike_default_teamserver_cert.toml │ ├── command_and_control_download_rar_powershell_from_internet.toml │ ├── command_and_control_fin7_c2_behavior.toml │ ├── command_and_control_halfbaked_beacon.toml │ ├── command_and_control_nat_traversal_port_activity.toml │ ├── command_and_control_port_26_activity.toml │ ├── command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml │ ├── command_and_control_vnc_virtual_network_computing_from_the_internet.toml │ ├── command_and_control_vnc_virtual_network_computing_to_the_internet.toml │ ├── discovery_potential_network_sweep_detected.toml │ ├── discovery_potential_port_scan_detected.toml │ ├── discovery_potential_syn_port_scan_detected.toml │ ├── initial_access_rpc_remote_procedure_call_from_the_internet.toml │ ├── initial_access_rpc_remote_procedure_call_to_the_internet.toml │ ├── initial_access_smb_windows_file_sharing_activity_to_the_internet.toml │ ├── initial_access_unsecure_elasticsearch_node.toml │ └── lateral_movement_dns_server_overflow.toml ├── promotions │ ├── credential_access_endgame_cred_dumping_detected.toml │ ├── credential_access_endgame_cred_dumping_prevented.toml │ ├── crowdstrike_external_alerts.toml │ ├── elastic_security_external_alerts.toml │ ├── endgame_adversary_behavior_detected.toml │ ├── endgame_malware_detected.toml │ ├── endgame_malware_prevented.toml │ ├── endgame_ransomware_detected.toml │ ├── endgame_ransomware_prevented.toml │ ├── execution_endgame_exploit_detected.toml │ ├── execution_endgame_exploit_prevented.toml │ ├── external_alerts.toml │ ├── google_secops_external_alerts.toml │ ├── microsoft_sentinel_external_alerts.toml │ ├── privilege_escalation_endgame_cred_manipulation_detected.toml │ ├── privilege_escalation_endgame_cred_manipulation_prevented.toml │ ├── privilege_escalation_endgame_permission_theft_detected.toml │ ├── privilege_escalation_endgame_permission_theft_prevented.toml │ ├── privilege_escalation_endgame_process_injection_detected.toml │ ├── privilege_escalation_endgame_process_injection_prevented.toml │ ├── sentinelone_alert_external_alerts.toml │ ├── sentinelone_threat_external_alerts.toml │ └── splunk_external_alerts.toml ├── threat_intel │ ├── threat_intel_indicator_match_address.toml │ ├── threat_intel_indicator_match_email.toml │ ├── threat_intel_indicator_match_hash.toml │ ├── threat_intel_indicator_match_registry.toml │ ├── threat_intel_indicator_match_url.toml │ └── threat_intel_rapid7_threat_command.toml └── windows │ ├── collection_email_outlook_mailbox_via_com.toml │ ├── collection_email_powershell_exchange_mailbox.toml │ ├── collection_mailbox_export_winlog.toml │ ├── collection_posh_audio_capture.toml │ ├── collection_posh_clipboard_capture.toml │ ├── collection_posh_keylogger.toml │ ├── collection_posh_mailbox.toml │ ├── collection_posh_screen_grabber.toml │ ├── collection_posh_webcam_video_capture.toml │ ├── collection_winrar_encryption.toml │ ├── command_and_control_certreq_postdata.toml │ ├── command_and_control_common_llm_endpoint.toml │ ├── command_and_control_common_webservices.toml │ ├── command_and_control_dns_susp_tld.toml │ ├── command_and_control_dns_tunneling_nslookup.toml │ ├── command_and_control_encrypted_channel_freesslcert.toml │ ├── command_and_control_headless_browser.toml │ ├── command_and_control_iexplore_via_com.toml │ ├── command_and_control_ingress_transfer_bits.toml │ ├── command_and_control_new_terms_commonly_abused_rat_execution.toml │ ├── command_and_control_outlook_home_page.toml │ ├── command_and_control_port_forwarding_added_registry.toml │ ├── command_and_control_rdp_tunnel_plink.toml │ ├── command_and_control_remcos_rat_iocs.toml │ ├── command_and_control_remote_file_copy_desktopimgdownldr.toml │ ├── command_and_control_remote_file_copy_mpcmdrun.toml │ ├── command_and_control_remote_file_copy_powershell.toml │ ├── command_and_control_remote_file_copy_scripts.toml │ ├── command_and_control_rmm_netsupport_susp_path.toml │ ├── command_and_control_screenconnect_childproc.toml │ ├── command_and_control_sunburst_c2_activity_detected.toml │ ├── command_and_control_teamviewer_remote_file_copy.toml │ ├── command_and_control_tool_transfer_via_curl.toml │ ├── command_and_control_tunnel_vscode.toml │ ├── credential_access_adidns_wildcard.toml │ ├── credential_access_adidns_wpad_record.toml │ ├── credential_access_browsers_unusual_parent.toml │ ├── credential_access_bruteforce_admin_account.toml │ ├── credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml │ ├── credential_access_bruteforce_multiple_logon_failure_same_srcip.toml │ ├── credential_access_cmdline_dump_tool.toml │ ├── credential_access_copy_ntds_sam_volshadowcp_cmdline.toml │ ├── credential_access_credential_dumping_msbuild.toml │ ├── credential_access_dcsync_newterm_subjectuser.toml │ ├── credential_access_dcsync_replication_rights.toml │ ├── credential_access_dcsync_user_backdoor.toml │ ├── credential_access_disable_kerberos_preauth.toml │ ├── credential_access_dnsnode_creation.toml │ ├── credential_access_dollar_account_relay.toml │ ├── credential_access_dollar_account_relay_kerberos.toml │ ├── credential_access_dollar_account_relay_ntlm.toml │ ├── credential_access_domain_backup_dpapi_private_keys.toml │ ├── credential_access_dump_registry_hives.toml │ ├── credential_access_generic_localdumps.toml │ ├── credential_access_iis_connectionstrings_dumping.toml │ ├── credential_access_imageload_azureadconnectauthsvc.toml │ ├── credential_access_kerberoasting_unusual_process.toml │ ├── credential_access_kerberos_coerce.toml │ ├── credential_access_kerberos_coerce_dns.toml │ ├── credential_access_kirbi_file.toml │ ├── credential_access_ldap_attributes.toml │ ├── credential_access_lsass_handle_via_malseclogon.toml │ ├── credential_access_lsass_loaded_susp_dll.toml │ ├── credential_access_lsass_memdump_file_created.toml │ ├── credential_access_lsass_memdump_handle_access.toml │ ├── credential_access_lsass_openprocess_api.toml │ ├── credential_access_machine_account_smb_relay.toml │ ├── credential_access_mimikatz_memssp_default_logs.toml │ ├── credential_access_mimikatz_powershell_module.toml │ ├── credential_access_mod_wdigest_security_provider.toml │ ├── credential_access_moving_registry_hive_via_smb.toml │ ├── credential_access_persistence_network_logon_provider_modification.toml │ ├── credential_access_posh_invoke_ninjacopy.toml │ ├── credential_access_posh_kerb_ticket_dump.toml │ ├── credential_access_posh_minidump.toml │ ├── credential_access_posh_relay_tools.toml │ ├── credential_access_posh_request_ticket.toml │ ├── credential_access_posh_veeam_sql.toml │ ├── credential_access_potential_lsa_memdump_via_mirrordump.toml │ ├── credential_access_rare_webdav_destination.toml │ ├── credential_access_regback_sam_security_hives.toml │ ├── credential_access_relay_ntlm_auth_via_http_spoolss.toml │ ├── credential_access_remote_sam_secretsdump.toml │ ├── credential_access_saved_creds_vault_winlog.toml │ ├── credential_access_saved_creds_vaultcmd.toml │ ├── credential_access_seenabledelegationprivilege_assigned_to_user.toml │ ├── credential_access_shadow_credentials.toml │ ├── credential_access_spn_attribute_modified.toml │ ├── credential_access_suspicious_comsvcs_imageload.toml │ ├── credential_access_suspicious_lsass_access_generic.toml │ ├── credential_access_suspicious_lsass_access_memdump.toml │ ├── credential_access_suspicious_lsass_access_via_snapshot.toml │ ├── credential_access_suspicious_winreg_access_via_sebackup_priv.toml │ ├── credential_access_symbolic_link_to_shadow_copy_created.toml │ ├── credential_access_veeam_backup_dll_imageload.toml │ ├── credential_access_veeam_commands.toml │ ├── credential_access_via_snapshot_lsass_clone_creation.toml │ ├── credential_access_wbadmin_ntds.toml │ ├── credential_access_web_config_file_access.toml │ ├── credential_access_wireless_creds_dumping.toml │ ├── defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml │ ├── defense_evasion_amsi_bypass_dllhijack.toml │ ├── defense_evasion_amsi_bypass_powershell.toml │ ├── defense_evasion_amsienable_key_mod.toml │ ├── defense_evasion_audit_policy_disabled_winlog.toml │ ├── defense_evasion_clearing_windows_console_history.toml │ ├── defense_evasion_clearing_windows_event_logs.toml │ ├── defense_evasion_clearing_windows_security_logs.toml │ ├── defense_evasion_code_signing_policy_modification_builtin_tools.toml │ ├── defense_evasion_code_signing_policy_modification_registry.toml │ ├── defense_evasion_communication_apps_suspicious_child_process.toml │ ├── defense_evasion_create_mod_root_certificate.toml │ ├── defense_evasion_cve_2020_0601.toml │ ├── defense_evasion_defender_disabled_via_registry.toml │ ├── defense_evasion_defender_exclusion_via_powershell.toml │ ├── defense_evasion_delete_volume_usn_journal_with_fsutil.toml │ ├── defense_evasion_disable_nla.toml │ ├── defense_evasion_disable_posh_scriptblocklogging.toml │ ├── defense_evasion_disable_windows_firewall_rules_with_netsh.toml │ ├── defense_evasion_disabling_windows_defender_powershell.toml │ ├── defense_evasion_disabling_windows_logs.toml │ ├── defense_evasion_dns_over_https_enabled.toml │ ├── defense_evasion_dotnet_compiler_parent_process.toml │ ├── defense_evasion_enable_inbound_rdp_with_netsh.toml │ ├── defense_evasion_enable_network_discovery_with_netsh.toml │ ├── defense_evasion_execution_control_panel_suspicious_args.toml │ ├── defense_evasion_execution_lolbas_wuauclt.toml │ ├── defense_evasion_execution_msbuild_started_by_office_app.toml │ ├── defense_evasion_execution_msbuild_started_by_script.toml │ ├── defense_evasion_execution_msbuild_started_by_system_process.toml │ ├── defense_evasion_execution_msbuild_started_renamed.toml │ ├── defense_evasion_execution_msbuild_started_unusal_process.toml │ ├── defense_evasion_execution_suspicious_explorer_winword.toml │ ├── defense_evasion_execution_windefend_unusual_path.toml │ ├── defense_evasion_file_creation_mult_extension.toml │ ├── defense_evasion_from_unusual_directory.toml │ ├── defense_evasion_hide_encoded_executable_registry.toml │ ├── defense_evasion_iis_httplogging_disabled.toml │ ├── defense_evasion_indirect_exec_conhost.toml │ ├── defense_evasion_indirect_exec_forfiles.toml │ ├── defense_evasion_indirect_exec_openssh.toml │ ├── defense_evasion_injection_msbuild.toml │ ├── defense_evasion_installutil_beacon.toml │ ├── defense_evasion_lolbas_win_cdb_utility.toml │ ├── defense_evasion_lsass_ppl_disabled_registry.toml │ ├── defense_evasion_masquerading_as_elastic_endpoint_process.toml │ ├── defense_evasion_masquerading_as_svchost.toml │ ├── defense_evasion_masquerading_business_apps_installer.toml │ ├── defense_evasion_masquerading_communication_apps.toml │ ├── defense_evasion_masquerading_renamed_autoit.toml │ ├── defense_evasion_masquerading_suspicious_werfault_childproc.toml │ ├── defense_evasion_masquerading_trusted_directory.toml │ ├── defense_evasion_masquerading_werfault.toml │ ├── defense_evasion_microsoft_defender_tampering.toml │ ├── defense_evasion_misc_lolbin_connecting_to_the_internet.toml │ ├── defense_evasion_modify_ownership_os_files.toml │ ├── defense_evasion_ms_office_suspicious_regmod.toml │ ├── defense_evasion_msbuild_making_network_connections.toml │ ├── defense_evasion_mshta_beacon.toml │ ├── defense_evasion_mshta_susp_child.toml │ ├── defense_evasion_msiexec_child_proc_netcon.toml │ ├── defense_evasion_msiexec_remote_payload.toml │ ├── defense_evasion_msxsl_network.toml │ ├── defense_evasion_network_connection_from_windows_binary.toml │ ├── defense_evasion_ntlm_downgrade.toml │ ├── defense_evasion_obf_args_unicode_modified_letters.toml │ ├── defense_evasion_parent_process_pid_spoofing.toml │ ├── defense_evasion_persistence_account_tokenfilterpolicy.toml │ ├── defense_evasion_posh_assembly_load.toml │ ├── defense_evasion_posh_compressed.toml │ ├── defense_evasion_posh_defender_tampering.toml │ ├── defense_evasion_posh_encryption.toml │ ├── defense_evasion_posh_obfuscation.toml │ ├── defense_evasion_posh_obfuscation_backtick.toml │ ├── defense_evasion_posh_obfuscation_backtick_var.toml │ ├── defense_evasion_posh_obfuscation_char_arrays.toml │ ├── defense_evasion_posh_obfuscation_concat_dynamic.toml │ ├── defense_evasion_posh_obfuscation_high_number_proportion.toml │ ├── defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml │ ├── defense_evasion_posh_obfuscation_iex_string_reconstruction.toml │ ├── defense_evasion_posh_obfuscation_index_reversal.toml │ ├── defense_evasion_posh_obfuscation_reverse_keyword.toml │ ├── defense_evasion_posh_obfuscation_string_concat.toml │ ├── defense_evasion_posh_obfuscation_string_format.toml │ ├── defense_evasion_posh_obfuscation_whitespace_special_proportion.toml │ ├── defense_evasion_posh_process_injection.toml │ ├── defense_evasion_powershell_windows_firewall_disabled.toml │ ├── defense_evasion_process_termination_followed_by_deletion.toml │ ├── defense_evasion_proxy_execution_via_msdt.toml │ ├── defense_evasion_reg_disable_enableglobalqueryblocklist.toml │ ├── defense_evasion_regmod_remotemonologue.toml │ ├── defense_evasion_right_to_left_override.toml │ ├── defense_evasion_root_dir_ads_creation.toml │ ├── defense_evasion_run_virt_windowssandbox.toml │ ├── defense_evasion_rundll32_no_arguments.toml │ ├── defense_evasion_sc_sdset.toml │ ├── defense_evasion_sccm_scnotification_dll.toml │ ├── defense_evasion_scheduledjobs_at_protocol_enabled.toml │ ├── defense_evasion_script_via_html_app.toml │ ├── defense_evasion_sdelete_like_filename_rename.toml │ ├── defense_evasion_sip_provider_mod.toml │ ├── defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml │ ├── defense_evasion_suspicious_certutil_commands.toml │ ├── defense_evasion_suspicious_execution_from_mounted_device.toml │ ├── defense_evasion_suspicious_managedcode_host_process.toml │ ├── defense_evasion_suspicious_process_access_direct_syscall.toml │ ├── defense_evasion_suspicious_process_creation_calltrace.toml │ ├── defense_evasion_suspicious_scrobj_load.toml │ ├── defense_evasion_suspicious_short_program_name.toml │ ├── defense_evasion_suspicious_wmi_script.toml │ ├── defense_evasion_suspicious_zoom_child_process.toml │ ├── defense_evasion_system_critical_proc_abnormal_file_activity.toml │ ├── defense_evasion_timestomp_sysmon.toml │ ├── defense_evasion_unsigned_dll_loaded_from_suspdir.toml │ ├── defense_evasion_untrusted_driver_loaded.toml │ ├── defense_evasion_unusual_ads_file_creation.toml │ ├── defense_evasion_unusual_dir_ads.toml │ ├── defense_evasion_unusual_network_connection_via_dllhost.toml │ ├── defense_evasion_unusual_network_connection_via_rundll32.toml │ ├── defense_evasion_unusual_process_network_connection.toml │ ├── defense_evasion_unusual_system_vp_child_program.toml │ ├── defense_evasion_via_filter_manager.toml │ ├── defense_evasion_wdac_policy_by_unusual_process.toml │ ├── defense_evasion_windows_filtering_platform.toml │ ├── defense_evasion_workfolders_control_execution.toml │ ├── defense_evasion_wsl_bash_exec.toml │ ├── defense_evasion_wsl_child_process.toml │ ├── defense_evasion_wsl_enabled_via_dism.toml │ ├── defense_evasion_wsl_filesystem.toml │ ├── defense_evasion_wsl_kalilinux.toml │ ├── defense_evasion_wsl_registry_modification.toml │ ├── discovery_active_directory_webservice.toml │ ├── discovery_ad_explorer_execution.toml │ ├── discovery_adfind_command_activity.toml │ ├── discovery_admin_recon.toml │ ├── discovery_command_system_account.toml │ ├── discovery_enumerating_domain_trusts_via_dsquery.toml │ ├── discovery_enumerating_domain_trusts_via_nltest.toml │ ├── discovery_group_policy_object_discovery.toml │ ├── discovery_high_number_ad_properties.toml │ ├── discovery_host_public_ip_address_lookup.toml │ ├── discovery_peripheral_device.toml │ ├── discovery_posh_invoke_sharefinder.toml │ ├── discovery_posh_suspicious_api_functions.toml │ ├── discovery_privileged_localgroup_membership.toml │ ├── discovery_signal_unusual_discovery_signal_proc_cmdline.toml │ ├── discovery_signal_unusual_discovery_signal_proc_executable.toml │ ├── discovery_whoami_command_activity.toml │ ├── execution_apt_solarwinds_backdoor_child_cmd_powershell.toml │ ├── execution_apt_solarwinds_backdoor_unusual_child_processes.toml │ ├── execution_com_object_xwizard.toml │ ├── execution_command_prompt_connecting_to_the_internet.toml │ ├── execution_command_shell_started_by_svchost.toml │ ├── execution_command_shell_started_by_unusual_process.toml │ ├── execution_command_shell_via_rundll32.toml │ ├── execution_delayed_via_ping_lolbas_unsigned.toml │ ├── execution_downloaded_shortcut_files.toml │ ├── execution_downloaded_url_file.toml │ ├── execution_enumeration_via_wmiprvse.toml │ ├── execution_from_unusual_path_cmdline.toml │ ├── execution_html_help_executable_program_connecting_to_the_internet.toml │ ├── execution_initial_access_foxmail_exploit.toml │ ├── execution_initial_access_via_msc_file.toml │ ├── execution_initial_access_wps_dll_exploit.toml │ ├── execution_mofcomp.toml │ ├── execution_ms_office_written_file.toml │ ├── execution_nodejs_susp_patterns.toml │ ├── execution_pdf_written_file.toml │ ├── execution_posh_hacktool_authors.toml │ ├── execution_posh_hacktool_functions.toml │ ├── execution_posh_malicious_script_agg.toml │ ├── execution_posh_portable_executable.toml │ ├── execution_posh_psreflect.toml │ ├── execution_powershell_susp_args_via_winscript.toml │ ├── execution_psexec_lateral_movement_command.toml │ ├── execution_register_server_program_connecting_to_the_internet.toml │ ├── execution_revshell_cmd_via_netcat.toml │ ├── execution_scheduled_task_powershell_source.toml │ ├── execution_scripting_remote_webdav.toml │ ├── execution_scripts_archive_file.toml │ ├── execution_shared_modules_local_sxs_dll.toml │ ├── execution_suspicious_cmd_wmi.toml │ ├── execution_suspicious_image_load_wmi_ms_office.toml │ ├── execution_suspicious_pdf_reader.toml │ ├── execution_suspicious_powershell_imgload.toml │ ├── execution_suspicious_psexesvc.toml │ ├── execution_via_compiled_html_file.toml │ ├── execution_via_hidden_shell_conhost.toml │ ├── execution_via_mmc_console_file_unusual_path.toml │ ├── execution_windows_cmd_shell_susp_args.toml │ ├── execution_windows_fakecaptcha_cmd_ps.toml │ ├── execution_windows_phish_clickfix.toml │ ├── execution_windows_powershell_susp_args.toml │ ├── execution_windows_script_from_internet.toml │ ├── exfiltration_smb_rare_destination.toml │ ├── impact_backup_file_deletion.toml │ ├── impact_deleting_backup_catalogs_with_wbadmin.toml │ ├── impact_high_freq_file_renames_by_kernel.toml │ ├── impact_mod_critical_os_files.toml │ ├── impact_modification_of_boot_config.toml │ ├── impact_ransomware_file_rename_smb.toml │ ├── impact_ransomware_note_file_over_smb.toml │ ├── impact_stop_process_service_threshold.toml │ ├── impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml │ ├── impact_volume_shadow_copy_deletion_via_powershell.toml │ ├── impact_volume_shadow_copy_deletion_via_wmic.toml │ ├── initial_access_evasion_suspicious_htm_file_creation.toml │ ├── initial_access_execution_from_inetcache.toml │ ├── initial_access_execution_from_removable_media.toml │ ├── initial_access_execution_remote_via_msiexec.toml │ ├── initial_access_execution_via_office_addins.toml │ ├── initial_access_exfiltration_first_time_seen_usb.toml │ ├── initial_access_exploit_jetbrains_teamcity.toml │ ├── initial_access_rdp_file_mail_attachment.toml │ ├── initial_access_script_executing_powershell.toml │ ├── initial_access_scripts_process_started_via_wmi.toml │ ├── initial_access_suspicious_ms_exchange_files.toml │ ├── initial_access_suspicious_ms_exchange_process.toml │ ├── initial_access_suspicious_ms_exchange_worker_child_process.toml │ ├── initial_access_suspicious_ms_office_child_process.toml │ ├── initial_access_suspicious_ms_outlook_child_process.toml │ ├── initial_access_suspicious_windows_server_update_svc.toml │ ├── initial_access_url_cve_2025_33053.toml │ ├── initial_access_via_explorer_suspicious_child_parent_args.toml │ ├── initial_access_webshell_screenconnect_server.toml │ ├── initial_access_xsl_script_execution_via_com.toml │ ├── lateral_movement_alternate_creds_pth.toml │ ├── lateral_movement_cmd_service.toml │ ├── lateral_movement_credential_access_kerberos_correlation.toml │ ├── lateral_movement_dcom_hta.toml │ ├── lateral_movement_dcom_mmc20.toml │ ├── lateral_movement_dcom_shellwindow_shellbrowserwindow.toml │ ├── lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml │ ├── lateral_movement_direct_outbound_smb_connection.toml │ ├── lateral_movement_evasion_rdp_shadowing.toml │ ├── lateral_movement_executable_tool_transfer_smb.toml │ ├── lateral_movement_execution_from_tsclient_mup.toml │ ├── lateral_movement_execution_via_file_shares_sequence.toml │ ├── lateral_movement_incoming_winrm_shell_execution.toml │ ├── lateral_movement_incoming_wmi.toml │ ├── lateral_movement_mount_hidden_or_webdav_share_net.toml │ ├── lateral_movement_powershell_remoting_target.toml │ ├── lateral_movement_rdp_enabled_registry.toml │ ├── lateral_movement_rdp_sharprdp_target.toml │ ├── lateral_movement_remote_file_copy_hidden_share.toml │ ├── lateral_movement_remote_service_installed_winlog.toml │ ├── lateral_movement_remote_services.toml │ ├── lateral_movement_remote_task_creation_winlog.toml │ ├── lateral_movement_scheduled_task_target.toml │ ├── lateral_movement_suspicious_rdp_client_imageload.toml │ ├── lateral_movement_unusual_dns_service_children.toml │ ├── lateral_movement_unusual_dns_service_file_writes.toml │ ├── lateral_movement_via_startup_folder_rdp_smb.toml │ ├── lateral_movement_via_wsus_update.toml │ ├── persistence_ad_adminsdholder.toml │ ├── persistence_adobe_hijack_persistence.toml │ ├── persistence_app_compat_shim.toml │ ├── persistence_appcertdlls_registry.toml │ ├── persistence_appinitdlls_registry.toml │ ├── persistence_browser_extension_install.toml │ ├── persistence_dontexpirepasswd_account.toml │ ├── persistence_evasion_hidden_local_account_creation.toml │ ├── persistence_evasion_registry_ifeo_injection.toml │ ├── persistence_evasion_registry_startup_shell_folder_modified.toml │ ├── persistence_group_modification_by_system.toml │ ├── persistence_local_scheduled_job_creation.toml │ ├── persistence_local_scheduled_task_creation.toml │ ├── persistence_local_scheduled_task_scripting.toml │ ├── persistence_ms_office_addins_file.toml │ ├── persistence_ms_outlook_vba_template.toml │ ├── persistence_msds_alloweddelegateto_krbtgt.toml │ ├── persistence_msi_installer_task_startup.toml │ ├── persistence_msoffice_startup_registry.toml │ ├── persistence_netsh_helper_dll.toml │ ├── persistence_powershell_exch_mailbox_activesync_add_device.toml │ ├── persistence_powershell_profiles.toml │ ├── persistence_priv_escalation_via_accessibility_features.toml │ ├── persistence_registry_uncommon.toml │ ├── persistence_remote_password_reset.toml │ ├── persistence_run_key_and_startup_broad.toml │ ├── persistence_runtime_run_key_startup_susp_procs.toml │ ├── persistence_scheduled_task_creation_winlog.toml │ ├── persistence_scheduled_task_updated.toml │ ├── persistence_sdprop_exclusion_dsheuristics.toml │ ├── persistence_service_dll_unsigned.toml │ ├── persistence_service_windows_service_winlog.toml │ ├── persistence_services_registry.toml │ ├── persistence_startup_folder_file_written_by_suspicious_process.toml │ ├── persistence_startup_folder_file_written_by_unsigned_process.toml │ ├── persistence_startup_folder_scripts.toml │ ├── persistence_suspicious_com_hijack_registry.toml │ ├── persistence_suspicious_image_load_scheduled_task_ms_office.toml │ ├── persistence_suspicious_scheduled_task_runtime.toml │ ├── persistence_suspicious_service_created_registry.toml │ ├── persistence_sysmon_wmi_event_subscription.toml │ ├── persistence_system_shells_via_services.toml │ ├── persistence_temp_scheduled_task.toml │ ├── persistence_time_provider_mod.toml │ ├── persistence_user_account_added_to_privileged_group_ad.toml │ ├── persistence_user_account_creation.toml │ ├── persistence_via_application_shimming.toml │ ├── persistence_via_bits_job_notify_command.toml │ ├── persistence_via_hidden_run_key_valuename.toml │ ├── persistence_via_lsa_security_support_provider_registry.toml │ ├── persistence_via_telemetrycontroller_scheduledtask_hijack.toml │ ├── persistence_via_update_orchestrator_service_hijack.toml │ ├── persistence_via_windows_management_instrumentation_event_subscription.toml │ ├── persistence_via_wmi_stdregprov_run_services.toml │ ├── persistence_via_xp_cmdshell_mssql_stored_procedure.toml │ ├── persistence_web_shell_aspx_write.toml │ ├── persistence_webshell_detection.toml │ ├── persistence_werfault_reflectdebugger.toml │ ├── privilege_escalation_badsuccessor_dmsa_abuse.toml │ ├── privilege_escalation_create_process_as_different_user.toml │ ├── privilege_escalation_create_process_with_token_unpriv.toml │ ├── privilege_escalation_credroaming_ldap.toml │ ├── privilege_escalation_disable_uac_registry.toml │ ├── privilege_escalation_dmsa_creation_by_unusual_user.toml │ ├── privilege_escalation_dns_serverlevelplugindll.toml │ ├── privilege_escalation_driver_newterm_imphash.toml │ ├── privilege_escalation_expired_driver_loaded.toml │ ├── privilege_escalation_exploit_cve_202238028.toml │ ├── privilege_escalation_gpo_schtask_service_creation.toml │ ├── privilege_escalation_group_policy_iniscript.toml │ ├── privilege_escalation_group_policy_privileged_groups.toml │ ├── privilege_escalation_group_policy_scheduled_task.toml │ ├── privilege_escalation_installertakeover.toml │ ├── privilege_escalation_krbrelayup_service_creation.toml │ ├── privilege_escalation_lsa_auth_package.toml │ ├── privilege_escalation_make_token_local.toml │ ├── privilege_escalation_msi_repair_via_mshelp_link.toml │ ├── privilege_escalation_named_pipe_impersonation.toml │ ├── privilege_escalation_newcreds_logon_rare_process.toml │ ├── privilege_escalation_persistence_phantom_dll.toml │ ├── privilege_escalation_port_monitor_print_pocessor_abuse.toml │ ├── privilege_escalation_posh_token_impersonation.toml │ ├── privilege_escalation_printspooler_registry_copyfiles.toml │ ├── privilege_escalation_printspooler_service_suspicious_file.toml │ ├── privilege_escalation_printspooler_suspicious_file_deletion.toml │ ├── privilege_escalation_printspooler_suspicious_spl_file.toml │ ├── privilege_escalation_reg_service_imagepath_mod.toml │ ├── privilege_escalation_rogue_windir_environment_var.toml │ ├── privilege_escalation_samaccountname_spoofing_attack.toml │ ├── privilege_escalation_service_control_spawned_script_int.toml │ ├── privilege_escalation_suspicious_dnshostname_update.toml │ ├── privilege_escalation_thread_cpu_priority_hijack.toml │ ├── privilege_escalation_tokenmanip_sedebugpriv_enabled.toml │ ├── privilege_escalation_uac_bypass_com_clipup.toml │ ├── privilege_escalation_uac_bypass_com_ieinstal.toml │ ├── privilege_escalation_uac_bypass_com_interface_icmluautil.toml │ ├── privilege_escalation_uac_bypass_diskcleanup_hijack.toml │ ├── privilege_escalation_uac_bypass_dll_sideloading.toml │ ├── privilege_escalation_uac_bypass_event_viewer.toml │ ├── privilege_escalation_uac_bypass_mock_windir.toml │ ├── privilege_escalation_uac_bypass_winfw_mmc_hijack.toml │ ├── privilege_escalation_unquoted_service_path.toml │ ├── privilege_escalation_unusual_parentchild_relationship.toml │ ├── privilege_escalation_unusual_printspooler_childprocess.toml │ ├── privilege_escalation_unusual_svchost_childproc_childless.toml │ ├── privilege_escalation_via_ppid_spoofing.toml │ ├── privilege_escalation_via_rogue_named_pipe.toml │ ├── privilege_escalation_via_token_theft.toml │ └── privilege_escalation_windows_service_via_unusual_client.toml ├── rules_building_block ├── .gitkeep ├── collection_archive_data_zip_imageload.toml ├── collection_common_compressed_archived_file.toml ├── collection_files_staged_in_recycle_bin_root.toml ├── collection_outlook_email_archive.toml ├── collection_posh_compression.toml ├── command_and_control_bitsadmin_activity.toml ├── command_and_control_certutil_network_connection.toml ├── command_and_control_non_standard_http_port.toml ├── credential_access_iis_apppoolsa_pwd_appcmd.toml ├── credential_access_mdmp_file_creation.toml ├── credential_access_mdmp_file_unusual_extension.toml ├── credential_access_win_private_key_access.toml ├── defense_evasion_aws_rds_snapshot_created.toml ├── defense_evasion_cmd_copy_binary_contents.toml ├── defense_evasion_cmstp_execution.toml ├── defense_evasion_collection_masquerading_unusual_archive_file_extension.toml ├── defense_evasion_dll_hijack.toml ├── defense_evasion_dotnet_clickonce_dfsvc_netcon.toml ├── defense_evasion_download_susp_extension.toml ├── defense_evasion_execution_via_visualstudio_prebuildevent.toml ├── defense_evasion_file_permission_modification.toml ├── defense_evasion_generic_deletion.toml ├── defense_evasion_indirect_command_exec_pcalua_forfiles.toml ├── defense_evasion_injection_from_msoffice.toml ├── defense_evasion_installutil_command_activity.toml ├── defense_evasion_invalid_codesign_imageload.toml ├── defense_evasion_masquerading_browsers.toml ├── defense_evasion_masquerading_unusual_exe_file_extension.toml ├── defense_evasion_masquerading_vlc_dll.toml ├── defense_evasion_masquerading_windows_dll.toml ├── defense_evasion_masquerading_windows_system32_exe.toml ├── defense_evasion_msdt_suspicious_diagcab.toml ├── defense_evasion_msiexec_installsource_archive_file.toml ├── defense_evasion_outlook_suspicious_child.toml ├── defense_evasion_posh_obfuscation_proportion_special_chars.toml ├── defense_evasion_powershell_clear_logs_script.toml ├── defense_evasion_processes_with_trailing_spaces.toml ├── defense_evasion_service_disabled_registry.toml ├── defense_evasion_service_path_registry.toml ├── defense_evasion_services_exe_path.toml ├── defense_evasion_suspicious_msiexec_execution.toml ├── defense_evasion_unsigned_bits_client.toml ├── defense_evasion_unusual_process_extension.toml ├── defense_evasion_unusual_process_path_wbem.toml ├── defense_evasion_write_dac_access.toml ├── discovery_capnetraw_capability.toml ├── discovery_files_dir_systeminfo_via_cmd.toml ├── discovery_generic_account_groups.toml ├── discovery_generic_process_discovery.toml ├── discovery_generic_registry_query.toml ├── discovery_getconf_execution.toml ├── discovery_hosts_file_access.toml ├── discovery_internet_capabilities.toml ├── discovery_kernel_module_enumeration_via_proc.toml ├── discovery_kubectl_configuration_discovery.toml ├── discovery_kubectl_workload_and_cluster_discovery.toml ├── discovery_linux_modprobe_enumeration.toml ├── discovery_linux_sysctl_enumeration.toml ├── discovery_linux_system_information_discovery.toml ├── discovery_linux_system_owner_user_discovery.toml ├── discovery_net_share_discovery_winlog.toml ├── discovery_net_view.toml ├── discovery_of_accounts_or_groups_via_builtin_tools.toml ├── discovery_of_domain_groups.toml ├── discovery_posh_generic.toml ├── discovery_posh_password_policy.toml ├── discovery_post_exploitation_external_ip_lookup.toml ├── discovery_potential_memory_seeking_activity.toml ├── discovery_process_discovery_via_builtin_tools.toml ├── discovery_remote_system_discovery_commands_windows.toml ├── discovery_security_software_wmic.toml ├── discovery_signal_unusual_user_host.toml ├── discovery_suspicious_proc_enumeration.toml ├── discovery_system_network_connections.toml ├── discovery_system_service_discovery.toml ├── discovery_system_time_discovery.toml ├── discovery_win_network_connections.toml ├── discovery_windows_system_information_discovery.toml ├── entra_id_identity_protection_risk_detections.toml ├── execution_aws_lambda_function_updated.toml ├── execution_github_new_event_action_for_pat.toml ├── execution_github_new_repo_interaction_for_pat.toml ├── execution_github_new_repo_interaction_for_user.toml ├── execution_github_repo_created.toml ├── execution_github_repo_interaction_from_new_ip.toml ├── execution_linux_segfault.toml ├── execution_settingcontent_ms_file_creation.toml ├── execution_unsigned_service_executable.toml ├── execution_wmi_wbemtest.toml ├── impact_azure_recovery_services_deletion.toml ├── impact_github_member_removed_from_organization.toml ├── impact_github_pat_access_revoked.toml ├── impact_github_user_blocked_from_organization.toml ├── initial_access_aws_signin_token_created.toml ├── initial_access_github_new_ip_address_for_pat.toml ├── initial_access_github_new_ip_address_for_user.toml ├── initial_access_github_new_user_agent_for_pat.toml ├── initial_access_github_new_user_agent_for_user.toml ├── initial_access_potential_rce_via_toolshell.toml ├── initial_access_potential_toolshell_exploit_attempt.toml ├── lateral_movement_at.toml ├── lateral_movement_posh_winrm_activity.toml ├── lateral_movement_rdp_conn_unusual_process.toml ├── lateral_movement_unusual_process_sql_accounts.toml ├── lateral_movement_wmic_remote.toml ├── persistence_aws_iam_login_profile_added_to_user.toml ├── persistence_cap_sys_admin_added_to_new_binary.toml ├── persistence_creation_of_kernel_module.toml ├── persistence_github_new_pat_for_user.toml ├── persistence_github_new_user_added_to_organization.toml ├── persistence_iam_instance_request_to_iam_service.toml ├── persistence_startup_folder_lnk.toml ├── persistence_transport_agent_exchange.toml ├── persistence_web_server_potential_sql_injection.toml ├── persistence_web_server_sus_file_creation.toml ├── privilege_escalation_sts_getsessiontoken_abuse.toml └── privilege_escalation_trap_execution.toml └── tests ├── __init__.py ├── base.py ├── data ├── __init__.py └── command_control_dummy_production_rule.toml ├── kuery ├── __init__.py ├── test_dsl.py ├── test_eql2kql.py ├── test_evaluator.py ├── test_kql2eql.py ├── test_lint.py └── test_parser.py ├── test_all_rules.py ├── test_gh_workflows.py ├── test_hunt_data.py ├── test_packages.py ├── test_python_library.py ├── test_rules_remote.py ├── test_schemas.py ├── test_specific_rules.py ├── test_toml_formatter.py ├── test_transform_fields.py ├── test_utils.py └── test_version_locking.py /.github/CODEOWNERS: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/.github/CODEOWNERS -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/bug_report.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/.github/ISSUE_TEMPLATE/bug_report.yaml -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/feature_request.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/.github/ISSUE_TEMPLATE/feature_request.yaml -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/hunt_tuning.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/.github/ISSUE_TEMPLATE/hunt_tuning.yaml -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/new_hunt.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/.github/ISSUE_TEMPLATE/new_hunt.yaml -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/new_meta.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/.github/ISSUE_TEMPLATE/new_meta.yaml -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/new_rule.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/.github/ISSUE_TEMPLATE/new_rule.yaml -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/rule_deprecation.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/.github/ISSUE_TEMPLATE/rule_deprecation.yaml -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/rule_tuning.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/.github/ISSUE_TEMPLATE/rule_tuning.yaml -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/schema_feature_request.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/.github/ISSUE_TEMPLATE/schema_feature_request.yaml -------------------------------------------------------------------------------- /.github/PULL_REQUEST_GUIDELINES/bug_guidelines.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/.github/PULL_REQUEST_GUIDELINES/bug_guidelines.md -------------------------------------------------------------------------------- /.github/PULL_REQUEST_GUIDELINES/enhancement_guidelines.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/.github/PULL_REQUEST_GUIDELINES/enhancement_guidelines.md -------------------------------------------------------------------------------- /.github/PULL_REQUEST_GUIDELINES/hunt_new_guidelines.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/.github/PULL_REQUEST_GUIDELINES/hunt_new_guidelines.md -------------------------------------------------------------------------------- /.github/PULL_REQUEST_GUIDELINES/hunt_tuning_guidelines.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/.github/PULL_REQUEST_GUIDELINES/hunt_tuning_guidelines.md -------------------------------------------------------------------------------- /.github/PULL_REQUEST_GUIDELINES/rule_new_guidelines.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/.github/PULL_REQUEST_GUIDELINES/rule_new_guidelines.md -------------------------------------------------------------------------------- /.github/PULL_REQUEST_GUIDELINES/rule_tuning_guidelines.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/.github/PULL_REQUEST_GUIDELINES/rule_tuning_guidelines.md -------------------------------------------------------------------------------- /.github/PULL_REQUEST_TEMPLATE.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/.github/PULL_REQUEST_TEMPLATE.md -------------------------------------------------------------------------------- /.github/paths-labeller.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/.github/paths-labeller.yml -------------------------------------------------------------------------------- /.github/release-drafter.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/.github/release-drafter.yml -------------------------------------------------------------------------------- /.github/stale.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/.github/stale.yml -------------------------------------------------------------------------------- /.github/workflows/add-guidelines.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/.github/workflows/add-guidelines.yml -------------------------------------------------------------------------------- /.github/workflows/backport.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/.github/workflows/backport.yml -------------------------------------------------------------------------------- /.github/workflows/branch-status-checks.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/.github/workflows/branch-status-checks.yml -------------------------------------------------------------------------------- /.github/workflows/code-checks.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/.github/workflows/code-checks.yml -------------------------------------------------------------------------------- /.github/workflows/community.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/.github/workflows/community.yml -------------------------------------------------------------------------------- /.github/workflows/docs-build.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/.github/workflows/docs-build.yml -------------------------------------------------------------------------------- /.github/workflows/docs-cleanup.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/.github/workflows/docs-cleanup.yml -------------------------------------------------------------------------------- /.github/workflows/esql-validation.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/.github/workflows/esql-validation.yml -------------------------------------------------------------------------------- /.github/workflows/get-target-branches.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/.github/workflows/get-target-branches.yml -------------------------------------------------------------------------------- /.github/workflows/kibana-mitre-update.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/.github/workflows/kibana-mitre-update.yml -------------------------------------------------------------------------------- /.github/workflows/lock-versions.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/.github/workflows/lock-versions.yml -------------------------------------------------------------------------------- /.github/workflows/manual-backport.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/.github/workflows/manual-backport.yml -------------------------------------------------------------------------------- /.github/workflows/pythonpackage.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/.github/workflows/pythonpackage.yml -------------------------------------------------------------------------------- /.github/workflows/react-tests-dispatcher.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/.github/workflows/react-tests-dispatcher.yml -------------------------------------------------------------------------------- /.github/workflows/release-docs.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/.github/workflows/release-docs.yml -------------------------------------------------------------------------------- /.github/workflows/release-fleet.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/.github/workflows/release-fleet.yml -------------------------------------------------------------------------------- /.github/workflows/version-code-and-release.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/.github/workflows/version-code-and-release.yml -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/.gitignore -------------------------------------------------------------------------------- /.gitmodules: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /.pre-commit-config.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/.pre-commit-config.yaml -------------------------------------------------------------------------------- /CLI.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/CLI.md -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/CONTRIBUTING.md -------------------------------------------------------------------------------- /LICENSE.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/LICENSE.txt -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/Makefile -------------------------------------------------------------------------------- /NOTICE.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/NOTICE.txt -------------------------------------------------------------------------------- /PHILOSOPHY.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/PHILOSOPHY.md -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/README.md -------------------------------------------------------------------------------- /Troubleshooting.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/Troubleshooting.md -------------------------------------------------------------------------------- /catalog-info.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/catalog-info.yaml -------------------------------------------------------------------------------- /detection_rules/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/__init__.py -------------------------------------------------------------------------------- /detection_rules/__main__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/__main__.py -------------------------------------------------------------------------------- /detection_rules/action.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/action.py -------------------------------------------------------------------------------- /detection_rules/action_connector.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/action_connector.py -------------------------------------------------------------------------------- /detection_rules/attack.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/attack.py -------------------------------------------------------------------------------- /detection_rules/beats.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/beats.py -------------------------------------------------------------------------------- /detection_rules/cli_utils.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/cli_utils.py -------------------------------------------------------------------------------- /detection_rules/config.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/config.py -------------------------------------------------------------------------------- /detection_rules/custom_rules.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/custom_rules.py -------------------------------------------------------------------------------- /detection_rules/custom_schemas.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/custom_schemas.py -------------------------------------------------------------------------------- /detection_rules/devtools.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/devtools.py -------------------------------------------------------------------------------- /detection_rules/docs.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/docs.py -------------------------------------------------------------------------------- /detection_rules/ecs.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/ecs.py -------------------------------------------------------------------------------- /detection_rules/endgame.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/endgame.py -------------------------------------------------------------------------------- /detection_rules/esql.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/esql.py -------------------------------------------------------------------------------- /detection_rules/esql_errors.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/esql_errors.py -------------------------------------------------------------------------------- /detection_rules/eswrap.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/eswrap.py -------------------------------------------------------------------------------- /detection_rules/etc/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/__init__.py -------------------------------------------------------------------------------- /detection_rules/etc/_config.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/_config.yaml -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/7.10/7.10.base.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/7.10/7.10.base.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/7.10/7.10.eql.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/7.10/7.10.eql.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/7.10/7.10.query.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/7.10/7.10.query.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/7.10/7.10.threshold.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/7.10/7.10.threshold.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/7.11/7.11.base.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/7.11/7.11.base.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/7.11/7.11.eql.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/7.11/7.11.eql.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/7.11/7.11.query.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/7.11/7.11.query.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/7.11/7.11.threshold.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/7.11/7.11.threshold.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/7.12/7.12.base.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/7.12/7.12.base.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/7.12/7.12.eql.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/7.12/7.12.eql.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/7.12/7.12.query.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/7.12/7.12.query.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/7.12/7.12.threshold.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/7.12/7.12.threshold.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/7.13/7.13.base.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/7.13/7.13.base.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/7.13/7.13.eql.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/7.13/7.13.eql.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/7.13/7.13.query.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/7.13/7.13.query.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/7.13/7.13.threshold.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/7.13/7.13.threshold.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/7.14/7.14.base.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/7.14/7.14.base.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/7.14/7.14.eql.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/7.14/7.14.eql.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/7.14/7.14.query.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/7.14/7.14.query.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/7.14/7.14.threshold.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/7.14/7.14.threshold.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/7.15/7.15.base.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/7.15/7.15.base.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/7.15/7.15.eql.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/7.15/7.15.eql.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/7.15/7.15.query.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/7.15/7.15.query.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/7.15/7.15.threshold.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/7.15/7.15.threshold.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/7.16/7.16.base.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/7.16/7.16.base.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/7.16/7.16.eql.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/7.16/7.16.eql.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/7.16/7.16.query.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/7.16/7.16.query.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/7.16/7.16.threshold.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/7.16/7.16.threshold.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/7.8/7.8.base.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/7.8/7.8.base.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/7.8/7.8.query.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/7.8/7.8.query.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/7.8/7.8.saved_query.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/7.8/7.8.saved_query.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/7.9/7.9.base.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/7.9/7.9.base.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/7.9/7.9.query.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/7.9/7.9.query.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/7.9/7.9.saved_query.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/7.9/7.9.saved_query.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/7.9/7.9.threshold.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/7.9/7.9.threshold.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.0/8.0.base.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.0/8.0.base.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.0/8.0.eql.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.0/8.0.eql.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.0/8.0.query.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.0/8.0.query.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.0/8.0.threat_match.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.0/8.0.threat_match.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.0/8.0.threshold.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.0/8.0.threshold.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.1/8.1.base.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.1/8.1.base.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.1/8.1.eql.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.1/8.1.eql.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.1/8.1.query.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.1/8.1.query.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.1/8.1.threat_match.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.1/8.1.threat_match.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.1/8.1.threshold.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.1/8.1.threshold.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.10/8.10.base.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.10/8.10.base.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.10/8.10.eql.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.10/8.10.eql.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.10/8.10.new_terms.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.10/8.10.new_terms.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.10/8.10.query.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.10/8.10.query.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.10/8.10.threshold.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.10/8.10.threshold.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.11/8.11.base.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.11/8.11.base.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.11/8.11.eql.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.11/8.11.eql.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.11/8.11.new_terms.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.11/8.11.new_terms.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.11/8.11.query.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.11/8.11.query.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.11/8.11.threshold.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.11/8.11.threshold.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.12/8.12.base.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.12/8.12.base.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.12/8.12.eql.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.12/8.12.eql.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.12/8.12.new_terms.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.12/8.12.new_terms.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.12/8.12.query.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.12/8.12.query.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.12/8.12.threshold.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.12/8.12.threshold.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.13/8.13.base.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.13/8.13.base.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.13/8.13.eql.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.13/8.13.eql.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.13/8.13.esql.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.13/8.13.esql.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.13/8.13.new_terms.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.13/8.13.new_terms.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.13/8.13.query.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.13/8.13.query.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.13/8.13.threshold.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.13/8.13.threshold.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.14/master/8.14.eql.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.14/master/8.14.eql.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.15/8.15.base.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.15/8.15.base.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.15/8.15.eql.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.15/8.15.eql.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.15/8.15.esql.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.15/8.15.esql.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.15/8.15.new_terms.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.15/8.15.new_terms.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.15/8.15.query.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.15/8.15.query.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.15/8.15.threshold.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.15/8.15.threshold.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.16/8.16.base.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.16/8.16.base.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.16/8.16.eql.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.16/8.16.eql.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.16/8.16.esql.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.16/8.16.esql.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.16/8.16.new_terms.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.16/8.16.new_terms.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.16/8.16.query.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.16/8.16.query.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.16/8.16.threshold.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.16/8.16.threshold.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.17/8.17.base.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.17/8.17.base.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.17/8.17.eql.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.17/8.17.eql.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.17/8.17.esql.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.17/8.17.esql.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.17/8.17.new_terms.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.17/8.17.new_terms.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.17/8.17.query.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.17/8.17.query.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.17/8.17.threshold.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.17/8.17.threshold.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.18/8.18.base.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.18/8.18.base.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.18/8.18.eql.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.18/8.18.eql.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.18/8.18.esql.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.18/8.18.esql.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.18/8.18.new_terms.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.18/8.18.new_terms.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.18/8.18.query.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.18/8.18.query.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.18/8.18.threshold.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.18/8.18.threshold.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.19/8.19.base.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.19/8.19.base.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.19/8.19.eql.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.19/8.19.eql.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.19/8.19.esql.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.19/8.19.esql.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.19/8.19.new_terms.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.19/8.19.new_terms.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.19/8.19.query.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.19/8.19.query.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.19/8.19.threshold.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.19/8.19.threshold.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.2/8.2.base.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.2/8.2.base.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.2/8.2.eql.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.2/8.2.eql.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.2/8.2.query.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.2/8.2.query.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.2/8.2.threat_match.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.2/8.2.threat_match.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.2/8.2.threshold.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.2/8.2.threshold.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.3/8.3.base.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.3/8.3.base.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.3/8.3.eql.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.3/8.3.eql.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.3/8.3.query.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.3/8.3.query.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.3/8.3.threat_match.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.3/8.3.threat_match.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.3/8.3.threshold.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.3/8.3.threshold.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.4/8.4.base.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.4/8.4.base.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.4/8.4.eql.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.4/8.4.eql.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.4/8.4.query.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.4/8.4.query.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.4/8.4.threat_match.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.4/8.4.threat_match.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.4/8.4.threshold.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.4/8.4.threshold.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.5/8.5.base.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.5/8.5.base.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.5/8.5.eql.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.5/8.5.eql.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.5/8.5.query.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.5/8.5.query.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.5/8.5.threat_match.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.5/8.5.threat_match.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.5/8.5.threshold.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.5/8.5.threshold.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.6/8.6.base.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.6/8.6.base.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.6/8.6.eql.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.6/8.6.eql.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.6/8.6.query.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.6/8.6.query.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.6/8.6.threat_match.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.6/8.6.threat_match.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.6/8.6.threshold.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.6/8.6.threshold.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.7/8.7.base.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.7/8.7.base.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.7/8.7.eql.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.7/8.7.eql.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.7/8.7.new_terms.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.7/8.7.new_terms.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.7/8.7.query.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.7/8.7.query.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.7/8.7.threat_match.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.7/8.7.threat_match.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.7/8.7.threshold.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.7/8.7.threshold.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.8/8.8.base.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.8/8.8.base.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.8/8.8.eql.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.8/8.8.eql.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.8/8.8.new_terms.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.8/8.8.new_terms.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.8/8.8.query.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.8/8.8.query.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.8/8.8.threat_match.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.8/8.8.threat_match.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.8/8.8.threshold.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.8/8.8.threshold.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.9/8.9.base.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.9/8.9.base.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.9/8.9.eql.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.9/8.9.eql.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.9/8.9.new_terms.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.9/8.9.new_terms.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.9/8.9.query.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.9/8.9.query.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.9/8.9.threat_match.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.9/8.9.threat_match.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/8.9/8.9.threshold.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/8.9/8.9.threshold.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/9.0/9.0.base.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/9.0/9.0.base.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/9.0/9.0.eql.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/9.0/9.0.eql.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/9.0/9.0.esql.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/9.0/9.0.esql.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/9.0/9.0.new_terms.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/9.0/9.0.new_terms.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/9.0/9.0.query.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/9.0/9.0.query.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/9.0/9.0.threat_match.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/9.0/9.0.threat_match.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/9.0/9.0.threshold.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/9.0/9.0.threshold.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/9.1/9.1.base.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/9.1/9.1.base.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/9.1/9.1.eql.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/9.1/9.1.eql.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/9.1/9.1.esql.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/9.1/9.1.esql.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/9.1/9.1.new_terms.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/9.1/9.1.new_terms.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/9.1/9.1.query.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/9.1/9.1.query.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/9.1/9.1.threat_match.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/9.1/9.1.threat_match.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/9.1/9.1.threshold.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/9.1/9.1.threshold.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/9.2/9.2.base.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/9.2/9.2.base.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/9.2/9.2.eql.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/9.2/9.2.eql.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/9.2/9.2.esql.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/9.2/9.2.esql.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/9.2/9.2.new_terms.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/9.2/9.2.new_terms.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/9.2/9.2.query.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/9.2/9.2.query.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/9.2/9.2.threat_match.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/9.2/9.2.threat_match.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/9.2/9.2.threshold.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/9.2/9.2.threshold.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/master/master.base.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/master/master.base.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/master/master.eql.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/master/master.eql.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/master/master.esql.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/master/master.esql.json -------------------------------------------------------------------------------- /detection_rules/etc/api_schemas/master/master.query.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/api_schemas/master/master.query.json -------------------------------------------------------------------------------- /detection_rules/etc/attack-crosswalk.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/attack-crosswalk.json -------------------------------------------------------------------------------- /detection_rules/etc/attack-technique-redirects.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/attack-technique-redirects.json -------------------------------------------------------------------------------- /detection_rules/etc/attack-v18.0.0.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/attack-v18.0.0.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/beats_schemas/main.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/beats_schemas/main.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/beats_schemas/v7.10.0.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/beats_schemas/v7.10.0.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/beats_schemas/v7.11.2.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/beats_schemas/v7.11.2.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/beats_schemas/v7.12.0.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/beats_schemas/v7.12.0.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/beats_schemas/v7.13.2.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/beats_schemas/v7.13.2.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/beats_schemas/v7.14.0.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/beats_schemas/v7.14.0.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/beats_schemas/v7.15.1.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/beats_schemas/v7.15.1.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/beats_schemas/v7.16.2.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/beats_schemas/v7.16.2.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/beats_schemas/v7.7.0.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/beats_schemas/v7.7.0.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/beats_schemas/v7.8.1.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/beats_schemas/v7.8.1.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/beats_schemas/v7.9.2.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/beats_schemas/v7.9.2.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/beats_schemas/v8.0.1.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/beats_schemas/v8.0.1.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/beats_schemas/v8.1.2.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/beats_schemas/v8.1.2.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/beats_schemas/v8.10.3.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/beats_schemas/v8.10.3.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/beats_schemas/v8.11.2.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/beats_schemas/v8.11.2.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/beats_schemas/v8.12.2.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/beats_schemas/v8.12.2.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/beats_schemas/v8.13.4.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/beats_schemas/v8.13.4.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/beats_schemas/v8.14.3.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/beats_schemas/v8.14.3.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/beats_schemas/v8.15.0.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/beats_schemas/v8.15.0.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/beats_schemas/v8.15.2.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/beats_schemas/v8.15.2.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/beats_schemas/v8.15.3.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/beats_schemas/v8.15.3.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/beats_schemas/v8.16.1.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/beats_schemas/v8.16.1.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/beats_schemas/v8.17.0.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/beats_schemas/v8.17.0.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/beats_schemas/v8.17.1.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/beats_schemas/v8.17.1.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/beats_schemas/v8.18.0.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/beats_schemas/v8.18.0.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/beats_schemas/v8.18.3.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/beats_schemas/v8.18.3.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/beats_schemas/v8.2.1.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/beats_schemas/v8.2.1.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/beats_schemas/v8.2.3.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/beats_schemas/v8.2.3.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/beats_schemas/v8.3.3.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/beats_schemas/v8.3.3.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/beats_schemas/v8.4.1.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/beats_schemas/v8.4.1.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/beats_schemas/v8.4.2.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/beats_schemas/v8.4.2.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/beats_schemas/v8.4.3.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/beats_schemas/v8.4.3.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/beats_schemas/v8.5.1.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/beats_schemas/v8.5.1.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/beats_schemas/v8.5.2.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/beats_schemas/v8.5.2.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/beats_schemas/v8.5.3.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/beats_schemas/v8.5.3.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/beats_schemas/v8.6.1.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/beats_schemas/v8.6.1.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/beats_schemas/v8.7.0.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/beats_schemas/v8.7.0.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/beats_schemas/v8.8.2.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/beats_schemas/v8.8.2.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/beats_schemas/v8.9.0.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/beats_schemas/v8.9.0.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/beats_schemas/v9.0.0-beta1.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/beats_schemas/v9.0.0-beta1.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/beats_schemas/v9.0.0.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/beats_schemas/v9.0.0.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/beats_schemas/v9.0.3.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/beats_schemas/v9.0.3.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/beats_schemas/v9.1.3.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/beats_schemas/v9.1.3.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/beats_schemas/v9.1.5.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/beats_schemas/v9.1.5.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/beats_schemas/v9.2.0.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/beats_schemas/v9.2.0.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/commit-and-push.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/commit-and-push.sh -------------------------------------------------------------------------------- /detection_rules/etc/custom-consolidated-rules.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/custom-consolidated-rules.ndjson -------------------------------------------------------------------------------- /detection_rules/etc/deprecated_rules.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/deprecated_rules.json -------------------------------------------------------------------------------- /detection_rules/etc/downloadable_updates.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/downloadable_updates.json -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/1.0.1/ecs_flat.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/ecs_schemas/1.0.1/ecs_flat.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/1.0.1/ecs_nested.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/ecs_schemas/1.0.1/ecs_nested.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/1.1.0/ecs_flat.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/ecs_schemas/1.1.0/ecs_flat.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/1.1.0/ecs_nested.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/ecs_schemas/1.1.0/ecs_nested.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/1.10.0/ecs_flat.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/ecs_schemas/1.10.0/ecs_flat.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/1.10.0/ecs_nested.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/ecs_schemas/1.10.0/ecs_nested.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/1.11.0/ecs_flat.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/ecs_schemas/1.11.0/ecs_flat.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/1.11.0/ecs_nested.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/ecs_schemas/1.11.0/ecs_nested.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/1.12.0/ecs_flat.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/ecs_schemas/1.12.0/ecs_flat.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/1.12.0/ecs_nested.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/ecs_schemas/1.12.0/ecs_nested.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/1.12.1/ecs_flat.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/ecs_schemas/1.12.1/ecs_flat.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/1.12.1/ecs_nested.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/ecs_schemas/1.12.1/ecs_nested.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/1.12.2/ecs_flat.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/ecs_schemas/1.12.2/ecs_flat.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/1.12.2/ecs_nested.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/ecs_schemas/1.12.2/ecs_nested.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/1.2.0/ecs_flat.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/ecs_schemas/1.2.0/ecs_flat.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/1.2.0/ecs_nested.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/ecs_schemas/1.2.0/ecs_nested.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/1.3.0/ecs_flat.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/ecs_schemas/1.3.0/ecs_flat.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/1.3.0/ecs_nested.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/ecs_schemas/1.3.0/ecs_nested.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/1.3.1/ecs_flat.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/ecs_schemas/1.3.1/ecs_flat.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/1.3.1/ecs_nested.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/ecs_schemas/1.3.1/ecs_nested.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/1.4.0/ecs_flat.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/ecs_schemas/1.4.0/ecs_flat.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/1.4.0/ecs_nested.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/ecs_schemas/1.4.0/ecs_nested.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/1.5.0/ecs_flat.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/ecs_schemas/1.5.0/ecs_flat.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/1.5.0/ecs_nested.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/ecs_schemas/1.5.0/ecs_nested.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/1.6.0/ecs_flat.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/ecs_schemas/1.6.0/ecs_flat.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/1.6.0/ecs_nested.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/ecs_schemas/1.6.0/ecs_nested.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/1.7.0/ecs_flat.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/ecs_schemas/1.7.0/ecs_flat.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/1.7.0/ecs_nested.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/ecs_schemas/1.7.0/ecs_nested.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/1.8.0/ecs_flat.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/ecs_schemas/1.8.0/ecs_flat.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/1.8.0/ecs_nested.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/ecs_schemas/1.8.0/ecs_nested.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/1.9.0/ecs_flat.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/ecs_schemas/1.9.0/ecs_flat.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/1.9.0/ecs_nested.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/ecs_schemas/1.9.0/ecs_nested.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/8.0.0/ecs_flat.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/ecs_schemas/8.0.0/ecs_flat.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/8.0.0/ecs_nested.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/ecs_schemas/8.0.0/ecs_nested.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/8.0.1/ecs_flat.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/ecs_schemas/8.0.1/ecs_flat.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/8.0.1/ecs_nested.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/ecs_schemas/8.0.1/ecs_nested.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/8.1.0/ecs_flat.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/ecs_schemas/8.1.0/ecs_flat.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/8.1.0/ecs_nested.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/ecs_schemas/8.1.0/ecs_nested.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/8.10.0/ecs_flat.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/ecs_schemas/8.10.0/ecs_flat.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/8.10.0/ecs_nested.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/ecs_schemas/8.10.0/ecs_nested.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/8.11.0/ecs_flat.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/ecs_schemas/8.11.0/ecs_flat.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/8.11.0/ecs_nested.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/ecs_schemas/8.11.0/ecs_nested.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/8.16.0/ecs_flat.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/ecs_schemas/8.16.0/ecs_flat.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/8.16.0/ecs_nested.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/ecs_schemas/8.16.0/ecs_nested.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/8.17.0/ecs_flat.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/ecs_schemas/8.17.0/ecs_flat.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/8.17.0/ecs_nested.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/ecs_schemas/8.17.0/ecs_nested.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/8.2.0/ecs_flat.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/ecs_schemas/8.2.0/ecs_flat.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/8.2.0/ecs_nested.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/ecs_schemas/8.2.0/ecs_nested.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/8.2.1/ecs_flat.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/ecs_schemas/8.2.1/ecs_flat.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/8.2.1/ecs_nested.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/ecs_schemas/8.2.1/ecs_nested.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/8.3.0/ecs_flat.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/ecs_schemas/8.3.0/ecs_flat.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/8.3.0/ecs_nested.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/ecs_schemas/8.3.0/ecs_nested.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/8.3.1/ecs_flat.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/ecs_schemas/8.3.1/ecs_flat.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/8.3.1/ecs_nested.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/ecs_schemas/8.3.1/ecs_nested.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/8.4.0/ecs_flat.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/ecs_schemas/8.4.0/ecs_flat.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/8.4.0/ecs_nested.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/ecs_schemas/8.4.0/ecs_nested.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/8.5.0/ecs_flat.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/ecs_schemas/8.5.0/ecs_flat.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/8.5.0/ecs_nested.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/ecs_schemas/8.5.0/ecs_nested.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/8.5.1/ecs_flat.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/ecs_schemas/8.5.1/ecs_flat.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/8.5.1/ecs_nested.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/ecs_schemas/8.5.1/ecs_nested.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/8.5.2/ecs_flat.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/ecs_schemas/8.5.2/ecs_flat.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/8.5.2/ecs_nested.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/ecs_schemas/8.5.2/ecs_nested.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/8.6.0/ecs_flat.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/ecs_schemas/8.6.0/ecs_flat.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/8.6.0/ecs_nested.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/ecs_schemas/8.6.0/ecs_nested.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/8.6.1/ecs_flat.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/ecs_schemas/8.6.1/ecs_flat.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/8.6.1/ecs_nested.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/ecs_schemas/8.6.1/ecs_nested.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/8.7.0/ecs_flat.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/ecs_schemas/8.7.0/ecs_flat.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/8.7.0/ecs_nested.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/ecs_schemas/8.7.0/ecs_nested.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/8.8.0/ecs_flat.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/ecs_schemas/8.8.0/ecs_flat.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/8.9.0/ecs_flat.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/ecs_schemas/8.9.0/ecs_flat.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/9.0.0/ecs_flat.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/ecs_schemas/9.0.0/ecs_flat.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/9.1.0/ecs_flat.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/ecs_schemas/9.1.0/ecs_flat.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/9.2.0/ecs_flat.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/ecs_schemas/9.2.0/ecs_flat.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/example_test_config.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/example_test_config.yaml -------------------------------------------------------------------------------- /detection_rules/etc/integration-manifests.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/integration-manifests.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/integration-schemas.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/integration-schemas.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/lock-multiple.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/lock-multiple.sh -------------------------------------------------------------------------------- /detection_rules/etc/non-ecs-schema.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/non-ecs-schema.json -------------------------------------------------------------------------------- /detection_rules/etc/packages.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/packages.yaml -------------------------------------------------------------------------------- /detection_rules/etc/security-logo-color-64px.svg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/security-logo-color-64px.svg -------------------------------------------------------------------------------- /detection_rules/etc/stack-schema-map.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/stack-schema-map.yaml -------------------------------------------------------------------------------- /detection_rules/etc/test_cli.bash: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/test_cli.bash -------------------------------------------------------------------------------- /detection_rules/etc/test_hunting_cli.bash: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/test_hunting_cli.bash -------------------------------------------------------------------------------- /detection_rules/etc/test_remote_cli.bash: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/test_remote_cli.bash -------------------------------------------------------------------------------- /detection_rules/etc/test_toml.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/test_toml.json -------------------------------------------------------------------------------- /detection_rules/etc/version.lock.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/etc/version.lock.json -------------------------------------------------------------------------------- /detection_rules/exception.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/exception.py -------------------------------------------------------------------------------- /detection_rules/generic_loader.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/generic_loader.py -------------------------------------------------------------------------------- /detection_rules/ghwrap.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/ghwrap.py -------------------------------------------------------------------------------- /detection_rules/index_mappings.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/index_mappings.py -------------------------------------------------------------------------------- /detection_rules/integrations.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/integrations.py -------------------------------------------------------------------------------- /detection_rules/kbwrap.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/kbwrap.py -------------------------------------------------------------------------------- /detection_rules/main.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/main.py -------------------------------------------------------------------------------- /detection_rules/misc.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/misc.py -------------------------------------------------------------------------------- /detection_rules/mixins.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/mixins.py -------------------------------------------------------------------------------- /detection_rules/ml.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/ml.py -------------------------------------------------------------------------------- /detection_rules/navigator.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/navigator.py -------------------------------------------------------------------------------- /detection_rules/packaging.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/packaging.py -------------------------------------------------------------------------------- /detection_rules/remote_validation.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/remote_validation.py -------------------------------------------------------------------------------- /detection_rules/rule.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/rule.py -------------------------------------------------------------------------------- /detection_rules/rule_formatter.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/rule_formatter.py -------------------------------------------------------------------------------- /detection_rules/rule_loader.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/rule_loader.py -------------------------------------------------------------------------------- /detection_rules/rule_validators.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/rule_validators.py -------------------------------------------------------------------------------- /detection_rules/schemas/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/schemas/__init__.py -------------------------------------------------------------------------------- /detection_rules/schemas/definitions.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/schemas/definitions.py -------------------------------------------------------------------------------- /detection_rules/schemas/registry_package.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/schemas/registry_package.py -------------------------------------------------------------------------------- /detection_rules/schemas/stack_compat.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/schemas/stack_compat.py -------------------------------------------------------------------------------- /detection_rules/utils.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/utils.py -------------------------------------------------------------------------------- /detection_rules/version_lock.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/detection_rules/version_lock.py -------------------------------------------------------------------------------- /docs-dev/ATT&CK-coverage.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/docs-dev/ATT&CK-coverage.md -------------------------------------------------------------------------------- /docs-dev/custom-rules-management.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/docs-dev/custom-rules-management.md -------------------------------------------------------------------------------- /docs-dev/deprecating.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/docs-dev/deprecating.md -------------------------------------------------------------------------------- /docs-dev/detections-as-code.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/docs-dev/detections-as-code.md -------------------------------------------------------------------------------- /docs-dev/developing.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/docs-dev/developing.md -------------------------------------------------------------------------------- /docs-dev/experimental-machine-learning/DGA.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/docs-dev/experimental-machine-learning/DGA.md -------------------------------------------------------------------------------- /docs-dev/experimental-machine-learning/beaconing.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/docs-dev/experimental-machine-learning/beaconing.md -------------------------------------------------------------------------------- /docs-dev/experimental-machine-learning/readme.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/docs-dev/experimental-machine-learning/readme.md -------------------------------------------------------------------------------- /docs-dev/experimental-machine-learning/url-spoof.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/docs-dev/experimental-machine-learning/url-spoof.md -------------------------------------------------------------------------------- /docs-dev/rule-insights.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/docs-dev/rule-insights.md -------------------------------------------------------------------------------- /docs-dev/typosquatting_rule.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/docs-dev/typosquatting_rule.md -------------------------------------------------------------------------------- /docs-dev/versioning.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/docs-dev/versioning.md -------------------------------------------------------------------------------- /docs/audit_policies/windows/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/docs/audit_policies/windows/README.md -------------------------------------------------------------------------------- /docs/audit_policies/windows/audit_logon.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/docs/audit_policies/windows/audit_logon.md -------------------------------------------------------------------------------- /docs/audit_policies/windows/audit_policy_change.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/docs/audit_policies/windows/audit_policy_change.md -------------------------------------------------------------------------------- /docs/audit_policies/windows/audit_special_logon.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/docs/audit_policies/windows/audit_special_logon.md -------------------------------------------------------------------------------- /docs/docset.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/docs/docset.yml -------------------------------------------------------------------------------- /docs/index.md: -------------------------------------------------------------------------------- 1 | # Detection rules 2 | 3 | Landing / overview page 4 | -------------------------------------------------------------------------------- /hunting/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/hunting/README.md -------------------------------------------------------------------------------- /hunting/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/hunting/__init__.py -------------------------------------------------------------------------------- /hunting/__main__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/hunting/__main__.py -------------------------------------------------------------------------------- /hunting/aws/docs/sns_topic_created_by_rare_user.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/hunting/aws/docs/sns_topic_created_by_rare_user.md -------------------------------------------------------------------------------- /hunting/definitions.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/hunting/definitions.py -------------------------------------------------------------------------------- /hunting/index.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/hunting/index.md -------------------------------------------------------------------------------- /hunting/index.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/hunting/index.yml -------------------------------------------------------------------------------- /hunting/linux/docs/login_activity_by_source_address.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/hunting/linux/docs/login_activity_by_source_address.md -------------------------------------------------------------------------------- /hunting/linux/docs/persistence_reverse_bind_shells.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/hunting/linux/docs/persistence_reverse_bind_shells.md -------------------------------------------------------------------------------- /hunting/linux/docs/persistence_via_cron.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/hunting/linux/docs/persistence_via_cron.md -------------------------------------------------------------------------------- /hunting/linux/docs/persistence_via_desktop_bus.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/hunting/linux/docs/persistence_via_desktop_bus.md -------------------------------------------------------------------------------- /hunting/linux/docs/persistence_via_git_hook_pager.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/hunting/linux/docs/persistence_via_git_hook_pager.md -------------------------------------------------------------------------------- /hunting/linux/docs/persistence_via_grub_bootloader.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/hunting/linux/docs/persistence_via_grub_bootloader.md -------------------------------------------------------------------------------- /hunting/linux/docs/persistence_via_initramfs.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/hunting/linux/docs/persistence_via_initramfs.md -------------------------------------------------------------------------------- /hunting/linux/docs/persistence_via_package_manager.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/hunting/linux/docs/persistence_via_package_manager.md -------------------------------------------------------------------------------- /hunting/linux/docs/persistence_via_policykit.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/hunting/linux/docs/persistence_via_policykit.md -------------------------------------------------------------------------------- /hunting/linux/docs/persistence_via_rc_local.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/hunting/linux/docs/persistence_via_rc_local.md -------------------------------------------------------------------------------- /hunting/linux/docs/persistence_via_systemd_timers.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/hunting/linux/docs/persistence_via_systemd_timers.md -------------------------------------------------------------------------------- /hunting/linux/docs/persistence_via_sysv_init.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/hunting/linux/docs/persistence_via_sysv_init.md -------------------------------------------------------------------------------- /hunting/linux/docs/persistence_via_udev.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/hunting/linux/docs/persistence_via_udev.md -------------------------------------------------------------------------------- /hunting/linux/docs/persistence_via_web_shell.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/hunting/linux/docs/persistence_via_web_shell.md -------------------------------------------------------------------------------- /hunting/linux/queries/persistence_via_cron.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/hunting/linux/queries/persistence_via_cron.toml -------------------------------------------------------------------------------- /hunting/linux/queries/persistence_via_desktop_bus.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/hunting/linux/queries/persistence_via_desktop_bus.toml -------------------------------------------------------------------------------- /hunting/linux/queries/persistence_via_initramfs.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/hunting/linux/queries/persistence_via_initramfs.toml -------------------------------------------------------------------------------- /hunting/linux/queries/persistence_via_policykit.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/hunting/linux/queries/persistence_via_policykit.toml -------------------------------------------------------------------------------- /hunting/linux/queries/persistence_via_rc_local.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/hunting/linux/queries/persistence_via_rc_local.toml -------------------------------------------------------------------------------- /hunting/linux/queries/persistence_via_sysv_init.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/hunting/linux/queries/persistence_via_sysv_init.toml -------------------------------------------------------------------------------- /hunting/linux/queries/persistence_via_udev.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/hunting/linux/queries/persistence_via_udev.toml -------------------------------------------------------------------------------- /hunting/linux/queries/persistence_via_web_shell.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/hunting/linux/queries/persistence_via_web_shell.toml -------------------------------------------------------------------------------- /hunting/llm/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/hunting/llm/README.md -------------------------------------------------------------------------------- /hunting/markdown.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/hunting/markdown.py -------------------------------------------------------------------------------- /hunting/run.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/hunting/run.py -------------------------------------------------------------------------------- /hunting/search.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/hunting/search.py -------------------------------------------------------------------------------- /hunting/utils.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/hunting/utils.py -------------------------------------------------------------------------------- /lib/kibana/kibana/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/lib/kibana/kibana/__init__.py -------------------------------------------------------------------------------- /lib/kibana/kibana/connector.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/lib/kibana/kibana/connector.py -------------------------------------------------------------------------------- /lib/kibana/kibana/definitions.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/lib/kibana/kibana/definitions.py -------------------------------------------------------------------------------- /lib/kibana/kibana/resources.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/lib/kibana/kibana/resources.py -------------------------------------------------------------------------------- /lib/kibana/pyproject.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/lib/kibana/pyproject.toml -------------------------------------------------------------------------------- /lib/kql/kql/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/lib/kql/kql/__init__.py -------------------------------------------------------------------------------- /lib/kql/kql/ast.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/lib/kql/kql/ast.py -------------------------------------------------------------------------------- /lib/kql/kql/dsl.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/lib/kql/kql/dsl.py -------------------------------------------------------------------------------- /lib/kql/kql/eql2kql.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/lib/kql/kql/eql2kql.py -------------------------------------------------------------------------------- /lib/kql/kql/errors.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/lib/kql/kql/errors.py -------------------------------------------------------------------------------- /lib/kql/kql/evaluator.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/lib/kql/kql/evaluator.py -------------------------------------------------------------------------------- /lib/kql/kql/kql.g: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/lib/kql/kql/kql.g -------------------------------------------------------------------------------- /lib/kql/kql/kql2eql.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/lib/kql/kql/kql2eql.py -------------------------------------------------------------------------------- /lib/kql/kql/optimizer.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/lib/kql/kql/optimizer.py -------------------------------------------------------------------------------- /lib/kql/kql/parser.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/lib/kql/kql/parser.py -------------------------------------------------------------------------------- /lib/kql/kql/utils.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/lib/kql/kql/utils.py -------------------------------------------------------------------------------- /lib/kql/pyproject.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/lib/kql/pyproject.toml -------------------------------------------------------------------------------- /pyproject.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/pyproject.toml -------------------------------------------------------------------------------- /renovate.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/renovate.json -------------------------------------------------------------------------------- /rules/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/README.md -------------------------------------------------------------------------------- /rules/_deprecated/apm_null_user_agent.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/_deprecated/apm_null_user_agent.toml -------------------------------------------------------------------------------- /rules/_deprecated/container_workload_protection.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/_deprecated/container_workload_protection.toml -------------------------------------------------------------------------------- /rules/_deprecated/discovery_file_dir_discovery.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/_deprecated/discovery_file_dir_discovery.toml -------------------------------------------------------------------------------- /rules/_deprecated/discovery_whoami_commmand.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/_deprecated/discovery_whoami_commmand.toml -------------------------------------------------------------------------------- /rules/_deprecated/execution_apt_binary.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/_deprecated/execution_apt_binary.toml -------------------------------------------------------------------------------- /rules/_deprecated/execution_awk_binary_shell.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/_deprecated/execution_awk_binary_shell.toml -------------------------------------------------------------------------------- /rules/_deprecated/execution_busybox_binary.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/_deprecated/execution_busybox_binary.toml -------------------------------------------------------------------------------- /rules/_deprecated/execution_c89_c99_binary.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/_deprecated/execution_c89_c99_binary.toml -------------------------------------------------------------------------------- /rules/_deprecated/execution_cpulimit_binary.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/_deprecated/execution_cpulimit_binary.toml -------------------------------------------------------------------------------- /rules/_deprecated/execution_crash_binary.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/_deprecated/execution_crash_binary.toml -------------------------------------------------------------------------------- /rules/_deprecated/execution_env_binary.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/_deprecated/execution_env_binary.toml -------------------------------------------------------------------------------- /rules/_deprecated/execution_expect_binary.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/_deprecated/execution_expect_binary.toml -------------------------------------------------------------------------------- /rules/_deprecated/execution_find_binary.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/_deprecated/execution_find_binary.toml -------------------------------------------------------------------------------- /rules/_deprecated/execution_flock_binary.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/_deprecated/execution_flock_binary.toml -------------------------------------------------------------------------------- /rules/_deprecated/execution_gcc_binary.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/_deprecated/execution_gcc_binary.toml -------------------------------------------------------------------------------- /rules/_deprecated/execution_mysql_binary.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/_deprecated/execution_mysql_binary.toml -------------------------------------------------------------------------------- /rules/_deprecated/execution_ssh_binary.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/_deprecated/execution_ssh_binary.toml -------------------------------------------------------------------------------- /rules/_deprecated/execution_vi_binary.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/_deprecated/execution_vi_binary.toml -------------------------------------------------------------------------------- /rules/_deprecated/initial_access_login_failures.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/_deprecated/initial_access_login_failures.toml -------------------------------------------------------------------------------- /rules/_deprecated/initial_access_login_location.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/_deprecated/initial_access_login_location.toml -------------------------------------------------------------------------------- /rules/_deprecated/initial_access_login_sessions.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/_deprecated/initial_access_login_sessions.toml -------------------------------------------------------------------------------- /rules/_deprecated/initial_access_login_time.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/_deprecated/initial_access_login_time.toml -------------------------------------------------------------------------------- /rules/_deprecated/linux_mknod_activity.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/_deprecated/linux_mknod_activity.toml -------------------------------------------------------------------------------- /rules/_deprecated/linux_nmap_activity.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/_deprecated/linux_nmap_activity.toml -------------------------------------------------------------------------------- /rules/_deprecated/linux_socat_activity.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/_deprecated/linux_socat_activity.toml -------------------------------------------------------------------------------- /rules/_deprecated/persistence_etc_file_creation.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/_deprecated/persistence_etc_file_creation.toml -------------------------------------------------------------------------------- /rules/_deprecated/threat_intel_filebeat7x.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/_deprecated/threat_intel_filebeat7x.toml -------------------------------------------------------------------------------- /rules/_deprecated/threat_intel_filebeat8x.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/_deprecated/threat_intel_filebeat8x.toml -------------------------------------------------------------------------------- /rules/_deprecated/threat_intel_fleet_integrations.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/_deprecated/threat_intel_fleet_integrations.toml -------------------------------------------------------------------------------- /rules/apm/apm_403_response_to_a_post.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/apm/apm_403_response_to_a_post.toml -------------------------------------------------------------------------------- /rules/apm/apm_405_response_method_not_allowed.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/apm/apm_405_response_method_not_allowed.toml -------------------------------------------------------------------------------- /rules/apm/apm_sqlmap_user_agent.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/apm/apm_sqlmap_user_agent.toml -------------------------------------------------------------------------------- /rules/cross-platform/impact_hosts_file_modified.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/cross-platform/impact_hosts_file_modified.toml -------------------------------------------------------------------------------- /rules/integrations/aws/NOTICE.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/integrations/aws/NOTICE.txt -------------------------------------------------------------------------------- /rules/integrations/aws/impact_iam_group_deletion.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/integrations/aws/impact_iam_group_deletion.toml -------------------------------------------------------------------------------- /rules/integrations/aws/impact_rds_group_deletion.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/integrations/aws/impact_rds_group_deletion.toml -------------------------------------------------------------------------------- /rules/integrations/azure/ml_azure_event_failures.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/integrations/azure/ml_azure_event_failures.toml -------------------------------------------------------------------------------- /rules/integrations/gcp/ml_gcp_error_message_spike.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/integrations/gcp/ml_gcp_error_message_spike.toml -------------------------------------------------------------------------------- /rules/integrations/gcp/ml_gcp_rare_error_code.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/integrations/gcp/ml_gcp_rare_error_code.toml -------------------------------------------------------------------------------- /rules/integrations/gcp/ml_gcp_rare_method_by_city.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/integrations/gcp/ml_gcp_rare_method_by_city.toml -------------------------------------------------------------------------------- /rules/integrations/gcp/ml_gcp_rare_method_by_user.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/integrations/gcp/ml_gcp_rare_method_by_user.toml -------------------------------------------------------------------------------- /rules/linux/collection_linux_clipboard_activity.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/linux/collection_linux_clipboard_activity.toml -------------------------------------------------------------------------------- /rules/linux/credential_access_credential_dumping.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/linux/credential_access_credential_dumping.toml -------------------------------------------------------------------------------- /rules/linux/credential_access_gdb_process_hooking.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/linux/credential_access_gdb_process_hooking.toml -------------------------------------------------------------------------------- /rules/linux/credential_access_gh_auth_via_nodejs.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/linux/credential_access_gh_auth_via_nodejs.toml -------------------------------------------------------------------------------- /rules/linux/credential_access_ssh_backdoor_log.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/linux/credential_access_ssh_backdoor_log.toml -------------------------------------------------------------------------------- /rules/linux/defense_evasion_chattr_immutable_file.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/linux/defense_evasion_chattr_immutable_file.toml -------------------------------------------------------------------------------- /rules/linux/defense_evasion_file_mod_writable_dir.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/linux/defense_evasion_file_mod_writable_dir.toml -------------------------------------------------------------------------------- /rules/linux/defense_evasion_hidden_file_dir_tmp.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/linux/defense_evasion_hidden_file_dir_tmp.toml -------------------------------------------------------------------------------- /rules/linux/defense_evasion_hidden_shared_object.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/linux/defense_evasion_hidden_shared_object.toml -------------------------------------------------------------------------------- /rules/linux/defense_evasion_journalctl_clear_logs.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/linux/defense_evasion_journalctl_clear_logs.toml -------------------------------------------------------------------------------- /rules/linux/defense_evasion_kernel_module_removal.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/linux/defense_evasion_kernel_module_removal.toml -------------------------------------------------------------------------------- /rules/linux/defense_evasion_kill_command_executed.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/linux/defense_evasion_kill_command_executed.toml -------------------------------------------------------------------------------- /rules/linux/defense_evasion_kthreadd_masquerading.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/linux/defense_evasion_kthreadd_masquerading.toml -------------------------------------------------------------------------------- /rules/linux/defense_evasion_ld_preload_cmdline.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/linux/defense_evasion_ld_preload_cmdline.toml -------------------------------------------------------------------------------- /rules/linux/defense_evasion_ld_so_creation.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/linux/defense_evasion_ld_so_creation.toml -------------------------------------------------------------------------------- /rules/linux/defense_evasion_log_files_deleted.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/linux/defense_evasion_log_files_deleted.toml -------------------------------------------------------------------------------- /rules/linux/defense_evasion_mount_execution.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/linux/defense_evasion_mount_execution.toml -------------------------------------------------------------------------------- /rules/linux/defense_evasion_rename_esxi_files.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/linux/defense_evasion_rename_esxi_files.toml -------------------------------------------------------------------------------- /rules/linux/defense_evasion_unsual_kill_signal.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/linux/defense_evasion_unsual_kill_signal.toml -------------------------------------------------------------------------------- /rules/linux/discovery_docker_socket_discovery.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/linux/discovery_docker_socket_discovery.toml -------------------------------------------------------------------------------- /rules/linux/discovery_dynamic_linker_via_od.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/linux/discovery_dynamic_linker_via_od.toml -------------------------------------------------------------------------------- /rules/linux/discovery_esxi_software_via_find.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/linux/discovery_esxi_software_via_find.toml -------------------------------------------------------------------------------- /rules/linux/discovery_esxi_software_via_grep.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/linux/discovery_esxi_software_via_grep.toml -------------------------------------------------------------------------------- /rules/linux/discovery_kernel_module_enumeration.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/linux/discovery_kernel_module_enumeration.toml -------------------------------------------------------------------------------- /rules/linux/discovery_kernel_seeking.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/linux/discovery_kernel_seeking.toml -------------------------------------------------------------------------------- /rules/linux/discovery_kernel_unpacking.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/linux/discovery_kernel_unpacking.toml -------------------------------------------------------------------------------- /rules/linux/discovery_kubeconfig_file_discovery.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/linux/discovery_kubeconfig_file_discovery.toml -------------------------------------------------------------------------------- /rules/linux/discovery_linux_hping_activity.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/linux/discovery_linux_hping_activity.toml -------------------------------------------------------------------------------- /rules/linux/discovery_linux_nping_activity.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/linux/discovery_linux_nping_activity.toml -------------------------------------------------------------------------------- /rules/linux/discovery_pam_version_discovery.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/linux/discovery_pam_version_discovery.toml -------------------------------------------------------------------------------- /rules/linux/discovery_ping_sweep_detected.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/linux/discovery_ping_sweep_detected.toml -------------------------------------------------------------------------------- /rules/linux/discovery_polkit_version_discovery.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/linux/discovery_polkit_version_discovery.toml -------------------------------------------------------------------------------- /rules/linux/discovery_proc_maps_read.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/linux/discovery_proc_maps_read.toml -------------------------------------------------------------------------------- /rules/linux/discovery_process_capabilities.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/linux/discovery_process_capabilities.toml -------------------------------------------------------------------------------- /rules/linux/discovery_suid_sguid_enumeration.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/linux/discovery_suid_sguid_enumeration.toml -------------------------------------------------------------------------------- /rules/linux/discovery_yum_dnf_plugin_detection.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/linux/discovery_yum_dnf_plugin_detection.toml -------------------------------------------------------------------------------- /rules/linux/execution_executable_stack_execution.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/linux/execution_executable_stack_execution.toml -------------------------------------------------------------------------------- /rules/linux/execution_interpreter_tty_upgrade.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/linux/execution_interpreter_tty_upgrade.toml -------------------------------------------------------------------------------- /rules/linux/execution_kubectl_apply_pod_from_url.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/linux/execution_kubectl_apply_pod_from_url.toml -------------------------------------------------------------------------------- /rules/linux/execution_nc_listener_via_rlwrap.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/linux/execution_nc_listener_via_rlwrap.toml -------------------------------------------------------------------------------- /rules/linux/execution_perl_tty_shell.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/linux/execution_perl_tty_shell.toml -------------------------------------------------------------------------------- /rules/linux/execution_python_tty_shell.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/linux/execution_python_tty_shell.toml -------------------------------------------------------------------------------- /rules/linux/execution_python_webserver_spawned.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/linux/execution_python_webserver_spawned.toml -------------------------------------------------------------------------------- /rules/linux/execution_shell_evasion_linux_binary.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/linux/execution_shell_evasion_linux_binary.toml -------------------------------------------------------------------------------- /rules/linux/execution_shell_via_meterpreter_linux.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/linux/execution_shell_via_meterpreter_linux.toml -------------------------------------------------------------------------------- /rules/linux/execution_shell_via_suspicious_binary.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/linux/execution_shell_via_suspicious_binary.toml -------------------------------------------------------------------------------- /rules/linux/execution_suspicious_mkfifo_execution.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/linux/execution_suspicious_mkfifo_execution.toml -------------------------------------------------------------------------------- /rules/linux/execution_tc_bpf_filter.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/linux/execution_tc_bpf_filter.toml -------------------------------------------------------------------------------- /rules/linux/execution_unix_socket_communication.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/linux/execution_unix_socket_communication.toml -------------------------------------------------------------------------------- /rules/linux/execution_unusual_kthreadd_execution.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/linux/execution_unusual_kthreadd_execution.toml -------------------------------------------------------------------------------- /rules/linux/execution_unusual_pkexec_execution.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/linux/execution_unusual_pkexec_execution.toml -------------------------------------------------------------------------------- /rules/linux/impact_data_encrypted_via_openssl.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/linux/impact_data_encrypted_via_openssl.toml -------------------------------------------------------------------------------- /rules/linux/impact_esxi_process_kill.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/linux/impact_esxi_process_kill.toml -------------------------------------------------------------------------------- /rules/linux/impact_memory_swap_modification.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/linux/impact_memory_swap_modification.toml -------------------------------------------------------------------------------- /rules/linux/impact_process_kill_threshold.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/linux/impact_process_kill_threshold.toml -------------------------------------------------------------------------------- /rules/linux/lateral_movement_ssh_it_worm_download.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/linux/lateral_movement_ssh_it_worm_download.toml -------------------------------------------------------------------------------- /rules/linux/persistence_at_job_creation.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/linux/persistence_at_job_creation.toml -------------------------------------------------------------------------------- /rules/linux/persistence_boot_file_copy.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/linux/persistence_boot_file_copy.toml -------------------------------------------------------------------------------- /rules/linux/persistence_bpf_probe_write_user.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/linux/persistence_bpf_probe_write_user.toml -------------------------------------------------------------------------------- /rules/linux/persistence_chkconfig_service_add.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/linux/persistence_chkconfig_service_add.toml -------------------------------------------------------------------------------- /rules/linux/persistence_cron_job_creation.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/linux/persistence_cron_job_creation.toml -------------------------------------------------------------------------------- /rules/linux/persistence_dbus_service_creation.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/linux/persistence_dbus_service_creation.toml -------------------------------------------------------------------------------- /rules/linux/persistence_dpkg_unusual_execution.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/linux/persistence_dpkg_unusual_execution.toml -------------------------------------------------------------------------------- /rules/linux/persistence_dracut_module_creation.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/linux/persistence_dracut_module_creation.toml -------------------------------------------------------------------------------- /rules/linux/persistence_dynamic_linker_backup.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/linux/persistence_dynamic_linker_backup.toml -------------------------------------------------------------------------------- /rules/linux/persistence_git_hook_execution.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/linux/persistence_git_hook_execution.toml -------------------------------------------------------------------------------- /rules/linux/persistence_git_hook_file_creation.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/linux/persistence_git_hook_file_creation.toml -------------------------------------------------------------------------------- /rules/linux/persistence_git_hook_netcon.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/linux/persistence_git_hook_netcon.toml -------------------------------------------------------------------------------- /rules/linux/persistence_grub_makeconfig.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/linux/persistence_grub_makeconfig.toml -------------------------------------------------------------------------------- /rules/linux/persistence_init_d_file_creation.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/linux/persistence_init_d_file_creation.toml -------------------------------------------------------------------------------- /rules/linux/persistence_insmod_kernel_module_load.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/linux/persistence_insmod_kernel_module_load.toml -------------------------------------------------------------------------------- /rules/linux/persistence_kernel_driver_load.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/linux/persistence_kernel_driver_load.toml -------------------------------------------------------------------------------- /rules/linux/persistence_kworker_file_creation.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/linux/persistence_kworker_file_creation.toml -------------------------------------------------------------------------------- /rules/linux/persistence_linux_group_creation.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/linux/persistence_linux_group_creation.toml -------------------------------------------------------------------------------- /rules/linux/persistence_manual_dracut_execution.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/linux/persistence_manual_dracut_execution.toml -------------------------------------------------------------------------------- /rules/linux/persistence_polkit_policy_creation.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/linux/persistence_polkit_policy_creation.toml -------------------------------------------------------------------------------- /rules/linux/persistence_pth_file_creation.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/linux/persistence_pth_file_creation.toml -------------------------------------------------------------------------------- /rules/linux/persistence_rc_local_error_via_syslog.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/linux/persistence_rc_local_error_via_syslog.toml -------------------------------------------------------------------------------- /rules/linux/persistence_rc_script_creation.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/linux/persistence_rc_script_creation.toml -------------------------------------------------------------------------------- /rules/linux/persistence_shadow_file_modification.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/linux/persistence_shadow_file_modification.toml -------------------------------------------------------------------------------- /rules/linux/persistence_shared_object_creation.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/linux/persistence_shared_object_creation.toml -------------------------------------------------------------------------------- /rules/linux/persistence_ssh_key_generation.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/linux/persistence_ssh_key_generation.toml -------------------------------------------------------------------------------- /rules/linux/persistence_ssh_netcon.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/linux/persistence_ssh_netcon.toml -------------------------------------------------------------------------------- /rules/linux/persistence_systemd_netcon.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/linux/persistence_systemd_netcon.toml -------------------------------------------------------------------------------- /rules/linux/persistence_systemd_service_creation.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/linux/persistence_systemd_service_creation.toml -------------------------------------------------------------------------------- /rules/linux/persistence_systemd_service_started.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/linux/persistence_systemd_service_started.toml -------------------------------------------------------------------------------- /rules/linux/persistence_systemd_shell_execution.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/linux/persistence_systemd_shell_execution.toml -------------------------------------------------------------------------------- /rules/linux/persistence_udev_rule_creation.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/linux/persistence_udev_rule_creation.toml -------------------------------------------------------------------------------- /rules/linux/persistence_unusual_pam_grantor.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/linux/persistence_unusual_pam_grantor.toml -------------------------------------------------------------------------------- /rules/linux/persistence_xdg_autostart_netcon.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/linux/persistence_xdg_autostart_netcon.toml -------------------------------------------------------------------------------- /rules/linux/privilege_escalation_dac_permissions.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/linux/privilege_escalation_dac_permissions.toml -------------------------------------------------------------------------------- /rules/linux/privilege_escalation_shadow_file_read.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/linux/privilege_escalation_shadow_file_read.toml -------------------------------------------------------------------------------- /rules/linux/privilege_escalation_sudo_hijacking.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/linux/privilege_escalation_sudo_hijacking.toml -------------------------------------------------------------------------------- /rules/macos/credential_access_kerberosdump_kcc.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/macos/credential_access_kerberosdump_kcc.toml -------------------------------------------------------------------------------- /rules/macos/credential_access_systemkey_dumping.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/macos/credential_access_systemkey_dumping.toml -------------------------------------------------------------------------------- /rules/macos/defense_evasion_safari_config_change.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/macos/defense_evasion_safari_config_change.toml -------------------------------------------------------------------------------- /rules/macos/lateral_movement_mounting_smb_share.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/macos/lateral_movement_mounting_smb_share.toml -------------------------------------------------------------------------------- /rules/macos/persistence_crontab_creation.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/macos/persistence_crontab_creation.toml -------------------------------------------------------------------------------- /rules/macos/persistence_emond_rules_file_creation.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/macos/persistence_emond_rules_file_creation.toml -------------------------------------------------------------------------------- /rules/macos/persistence_enable_root_account.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/macos/persistence_enable_root_account.toml -------------------------------------------------------------------------------- /rules/ml/discovery_ml_linux_system_user_discovery.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/ml/discovery_ml_linux_system_user_discovery.toml -------------------------------------------------------------------------------- /rules/ml/execution_ml_windows_anomalous_script.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/ml/execution_ml_windows_anomalous_script.toml -------------------------------------------------------------------------------- /rules/ml/initial_access_ml_auth_rare_user_logon.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/ml/initial_access_ml_auth_rare_user_logon.toml -------------------------------------------------------------------------------- /rules/ml/ml_high_count_events_for_a_host_name.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/ml/ml_high_count_events_for_a_host_name.toml -------------------------------------------------------------------------------- /rules/ml/ml_high_count_network_denies.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/ml/ml_high_count_network_denies.toml -------------------------------------------------------------------------------- /rules/ml/ml_high_count_network_events.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/ml/ml_high_count_network_events.toml -------------------------------------------------------------------------------- /rules/ml/ml_linux_anomalous_network_activity.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/ml/ml_linux_anomalous_network_activity.toml -------------------------------------------------------------------------------- /rules/ml/ml_linux_anomalous_network_port_activity.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/ml/ml_linux_anomalous_network_port_activity.toml -------------------------------------------------------------------------------- /rules/ml/ml_low_count_events_for_a_host_name.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/ml/ml_low_count_events_for_a_host_name.toml -------------------------------------------------------------------------------- /rules/ml/ml_packetbeat_rare_server_domain.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/ml/ml_packetbeat_rare_server_domain.toml -------------------------------------------------------------------------------- /rules/ml/ml_rare_destination_country.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/ml/ml_rare_destination_country.toml -------------------------------------------------------------------------------- /rules/ml/ml_spike_in_traffic_to_a_country.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/ml/ml_spike_in_traffic_to_a_country.toml -------------------------------------------------------------------------------- /rules/ml/ml_windows_anomalous_network_activity.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/ml/ml_windows_anomalous_network_activity.toml -------------------------------------------------------------------------------- /rules/ml/persistence_ml_windows_anomalous_service.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/ml/persistence_ml_windows_anomalous_service.toml -------------------------------------------------------------------------------- /rules/promotions/crowdstrike_external_alerts.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/promotions/crowdstrike_external_alerts.toml -------------------------------------------------------------------------------- /rules/promotions/elastic_security_external_alerts.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/promotions/elastic_security_external_alerts.toml -------------------------------------------------------------------------------- /rules/promotions/endgame_malware_detected.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/promotions/endgame_malware_detected.toml -------------------------------------------------------------------------------- /rules/promotions/endgame_malware_prevented.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/promotions/endgame_malware_prevented.toml -------------------------------------------------------------------------------- /rules/promotions/endgame_ransomware_detected.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/promotions/endgame_ransomware_detected.toml -------------------------------------------------------------------------------- /rules/promotions/endgame_ransomware_prevented.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/promotions/endgame_ransomware_prevented.toml -------------------------------------------------------------------------------- /rules/promotions/external_alerts.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/promotions/external_alerts.toml -------------------------------------------------------------------------------- /rules/promotions/google_secops_external_alerts.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/promotions/google_secops_external_alerts.toml -------------------------------------------------------------------------------- /rules/promotions/splunk_external_alerts.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/promotions/splunk_external_alerts.toml -------------------------------------------------------------------------------- /rules/windows/collection_mailbox_export_winlog.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/collection_mailbox_export_winlog.toml -------------------------------------------------------------------------------- /rules/windows/collection_posh_audio_capture.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/collection_posh_audio_capture.toml -------------------------------------------------------------------------------- /rules/windows/collection_posh_clipboard_capture.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/collection_posh_clipboard_capture.toml -------------------------------------------------------------------------------- /rules/windows/collection_posh_keylogger.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/collection_posh_keylogger.toml -------------------------------------------------------------------------------- /rules/windows/collection_posh_mailbox.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/collection_posh_mailbox.toml -------------------------------------------------------------------------------- /rules/windows/collection_posh_screen_grabber.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/collection_posh_screen_grabber.toml -------------------------------------------------------------------------------- /rules/windows/collection_winrar_encryption.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/collection_winrar_encryption.toml -------------------------------------------------------------------------------- /rules/windows/command_and_control_dns_susp_tld.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/command_and_control_dns_susp_tld.toml -------------------------------------------------------------------------------- /rules/windows/command_and_control_remcos_rat_iocs.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/command_and_control_remcos_rat_iocs.toml -------------------------------------------------------------------------------- /rules/windows/command_and_control_tunnel_vscode.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/command_and_control_tunnel_vscode.toml -------------------------------------------------------------------------------- /rules/windows/credential_access_adidns_wildcard.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/credential_access_adidns_wildcard.toml -------------------------------------------------------------------------------- /rules/windows/credential_access_cmdline_dump_tool.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/credential_access_cmdline_dump_tool.toml -------------------------------------------------------------------------------- /rules/windows/credential_access_dnsnode_creation.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/credential_access_dnsnode_creation.toml -------------------------------------------------------------------------------- /rules/windows/credential_access_kerberos_coerce.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/credential_access_kerberos_coerce.toml -------------------------------------------------------------------------------- /rules/windows/credential_access_kirbi_file.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/credential_access_kirbi_file.toml -------------------------------------------------------------------------------- /rules/windows/credential_access_ldap_attributes.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/credential_access_ldap_attributes.toml -------------------------------------------------------------------------------- /rules/windows/credential_access_posh_minidump.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/credential_access_posh_minidump.toml -------------------------------------------------------------------------------- /rules/windows/credential_access_posh_relay_tools.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/credential_access_posh_relay_tools.toml -------------------------------------------------------------------------------- /rules/windows/credential_access_posh_veeam_sql.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/credential_access_posh_veeam_sql.toml -------------------------------------------------------------------------------- /rules/windows/credential_access_veeam_commands.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/credential_access_veeam_commands.toml -------------------------------------------------------------------------------- /rules/windows/credential_access_wbadmin_ntds.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/credential_access_wbadmin_ntds.toml -------------------------------------------------------------------------------- /rules/windows/defense_evasion_amsienable_key_mod.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/defense_evasion_amsienable_key_mod.toml -------------------------------------------------------------------------------- /rules/windows/defense_evasion_cve_2020_0601.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/defense_evasion_cve_2020_0601.toml -------------------------------------------------------------------------------- /rules/windows/defense_evasion_disable_nla.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/defense_evasion_disable_nla.toml -------------------------------------------------------------------------------- /rules/windows/defense_evasion_injection_msbuild.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/defense_evasion_injection_msbuild.toml -------------------------------------------------------------------------------- /rules/windows/defense_evasion_installutil_beacon.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/defense_evasion_installutil_beacon.toml -------------------------------------------------------------------------------- /rules/windows/defense_evasion_mshta_beacon.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/defense_evasion_mshta_beacon.toml -------------------------------------------------------------------------------- /rules/windows/defense_evasion_mshta_susp_child.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/defense_evasion_mshta_susp_child.toml -------------------------------------------------------------------------------- /rules/windows/defense_evasion_msxsl_network.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/defense_evasion_msxsl_network.toml -------------------------------------------------------------------------------- /rules/windows/defense_evasion_ntlm_downgrade.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/defense_evasion_ntlm_downgrade.toml -------------------------------------------------------------------------------- /rules/windows/defense_evasion_posh_assembly_load.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/defense_evasion_posh_assembly_load.toml -------------------------------------------------------------------------------- /rules/windows/defense_evasion_posh_compressed.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/defense_evasion_posh_compressed.toml -------------------------------------------------------------------------------- /rules/windows/defense_evasion_posh_encryption.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/defense_evasion_posh_encryption.toml -------------------------------------------------------------------------------- /rules/windows/defense_evasion_posh_obfuscation.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/defense_evasion_posh_obfuscation.toml -------------------------------------------------------------------------------- /rules/windows/defense_evasion_sc_sdset.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/defense_evasion_sc_sdset.toml -------------------------------------------------------------------------------- /rules/windows/defense_evasion_script_via_html_app.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/defense_evasion_script_via_html_app.toml -------------------------------------------------------------------------------- /rules/windows/defense_evasion_sip_provider_mod.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/defense_evasion_sip_provider_mod.toml -------------------------------------------------------------------------------- /rules/windows/defense_evasion_timestomp_sysmon.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/defense_evasion_timestomp_sysmon.toml -------------------------------------------------------------------------------- /rules/windows/defense_evasion_unusual_dir_ads.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/defense_evasion_unusual_dir_ads.toml -------------------------------------------------------------------------------- /rules/windows/defense_evasion_via_filter_manager.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/defense_evasion_via_filter_manager.toml -------------------------------------------------------------------------------- /rules/windows/defense_evasion_wsl_bash_exec.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/defense_evasion_wsl_bash_exec.toml -------------------------------------------------------------------------------- /rules/windows/defense_evasion_wsl_child_process.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/defense_evasion_wsl_child_process.toml -------------------------------------------------------------------------------- /rules/windows/defense_evasion_wsl_filesystem.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/defense_evasion_wsl_filesystem.toml -------------------------------------------------------------------------------- /rules/windows/defense_evasion_wsl_kalilinux.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/defense_evasion_wsl_kalilinux.toml -------------------------------------------------------------------------------- /rules/windows/discovery_ad_explorer_execution.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/discovery_ad_explorer_execution.toml -------------------------------------------------------------------------------- /rules/windows/discovery_adfind_command_activity.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/discovery_adfind_command_activity.toml -------------------------------------------------------------------------------- /rules/windows/discovery_admin_recon.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/discovery_admin_recon.toml -------------------------------------------------------------------------------- /rules/windows/discovery_command_system_account.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/discovery_command_system_account.toml -------------------------------------------------------------------------------- /rules/windows/discovery_high_number_ad_properties.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/discovery_high_number_ad_properties.toml -------------------------------------------------------------------------------- /rules/windows/discovery_peripheral_device.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/discovery_peripheral_device.toml -------------------------------------------------------------------------------- /rules/windows/discovery_posh_invoke_sharefinder.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/discovery_posh_invoke_sharefinder.toml -------------------------------------------------------------------------------- /rules/windows/discovery_whoami_command_activity.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/discovery_whoami_command_activity.toml -------------------------------------------------------------------------------- /rules/windows/execution_com_object_xwizard.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/execution_com_object_xwizard.toml -------------------------------------------------------------------------------- /rules/windows/execution_downloaded_shortcut_files.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/execution_downloaded_shortcut_files.toml -------------------------------------------------------------------------------- /rules/windows/execution_downloaded_url_file.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/execution_downloaded_url_file.toml -------------------------------------------------------------------------------- /rules/windows/execution_enumeration_via_wmiprvse.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/execution_enumeration_via_wmiprvse.toml -------------------------------------------------------------------------------- /rules/windows/execution_from_unusual_path_cmdline.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/execution_from_unusual_path_cmdline.toml -------------------------------------------------------------------------------- /rules/windows/execution_mofcomp.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/execution_mofcomp.toml -------------------------------------------------------------------------------- /rules/windows/execution_ms_office_written_file.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/execution_ms_office_written_file.toml -------------------------------------------------------------------------------- /rules/windows/execution_nodejs_susp_patterns.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/execution_nodejs_susp_patterns.toml -------------------------------------------------------------------------------- /rules/windows/execution_pdf_written_file.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/execution_pdf_written_file.toml -------------------------------------------------------------------------------- /rules/windows/execution_posh_hacktool_authors.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/execution_posh_hacktool_authors.toml -------------------------------------------------------------------------------- /rules/windows/execution_posh_hacktool_functions.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/execution_posh_hacktool_functions.toml -------------------------------------------------------------------------------- /rules/windows/execution_posh_malicious_script_agg.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/execution_posh_malicious_script_agg.toml -------------------------------------------------------------------------------- /rules/windows/execution_posh_portable_executable.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/execution_posh_portable_executable.toml -------------------------------------------------------------------------------- /rules/windows/execution_posh_psreflect.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/execution_posh_psreflect.toml -------------------------------------------------------------------------------- /rules/windows/execution_revshell_cmd_via_netcat.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/execution_revshell_cmd_via_netcat.toml -------------------------------------------------------------------------------- /rules/windows/execution_scripting_remote_webdav.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/execution_scripting_remote_webdav.toml -------------------------------------------------------------------------------- /rules/windows/execution_scripts_archive_file.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/execution_scripts_archive_file.toml -------------------------------------------------------------------------------- /rules/windows/execution_suspicious_cmd_wmi.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/execution_suspicious_cmd_wmi.toml -------------------------------------------------------------------------------- /rules/windows/execution_suspicious_pdf_reader.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/execution_suspicious_pdf_reader.toml -------------------------------------------------------------------------------- /rules/windows/execution_suspicious_psexesvc.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/execution_suspicious_psexesvc.toml -------------------------------------------------------------------------------- /rules/windows/execution_via_compiled_html_file.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/execution_via_compiled_html_file.toml -------------------------------------------------------------------------------- /rules/windows/execution_via_hidden_shell_conhost.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/execution_via_hidden_shell_conhost.toml -------------------------------------------------------------------------------- /rules/windows/execution_windows_phish_clickfix.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/execution_windows_phish_clickfix.toml -------------------------------------------------------------------------------- /rules/windows/exfiltration_smb_rare_destination.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/exfiltration_smb_rare_destination.toml -------------------------------------------------------------------------------- /rules/windows/impact_backup_file_deletion.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/impact_backup_file_deletion.toml -------------------------------------------------------------------------------- /rules/windows/impact_mod_critical_os_files.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/impact_mod_critical_os_files.toml -------------------------------------------------------------------------------- /rules/windows/impact_modification_of_boot_config.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/impact_modification_of_boot_config.toml -------------------------------------------------------------------------------- /rules/windows/impact_ransomware_file_rename_smb.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/impact_ransomware_file_rename_smb.toml -------------------------------------------------------------------------------- /rules/windows/initial_access_url_cve_2025_33053.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/initial_access_url_cve_2025_33053.toml -------------------------------------------------------------------------------- /rules/windows/lateral_movement_cmd_service.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/lateral_movement_cmd_service.toml -------------------------------------------------------------------------------- /rules/windows/lateral_movement_dcom_hta.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/lateral_movement_dcom_hta.toml -------------------------------------------------------------------------------- /rules/windows/lateral_movement_dcom_mmc20.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/lateral_movement_dcom_mmc20.toml -------------------------------------------------------------------------------- /rules/windows/lateral_movement_incoming_wmi.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/lateral_movement_incoming_wmi.toml -------------------------------------------------------------------------------- /rules/windows/lateral_movement_remote_services.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/lateral_movement_remote_services.toml -------------------------------------------------------------------------------- /rules/windows/lateral_movement_via_wsus_update.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/lateral_movement_via_wsus_update.toml -------------------------------------------------------------------------------- /rules/windows/persistence_ad_adminsdholder.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/persistence_ad_adminsdholder.toml -------------------------------------------------------------------------------- /rules/windows/persistence_app_compat_shim.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/persistence_app_compat_shim.toml -------------------------------------------------------------------------------- /rules/windows/persistence_appcertdlls_registry.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/persistence_appcertdlls_registry.toml -------------------------------------------------------------------------------- /rules/windows/persistence_appinitdlls_registry.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/persistence_appinitdlls_registry.toml -------------------------------------------------------------------------------- /rules/windows/persistence_ms_office_addins_file.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/persistence_ms_office_addins_file.toml -------------------------------------------------------------------------------- /rules/windows/persistence_ms_outlook_vba_template.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/persistence_ms_outlook_vba_template.toml -------------------------------------------------------------------------------- /rules/windows/persistence_netsh_helper_dll.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/persistence_netsh_helper_dll.toml -------------------------------------------------------------------------------- /rules/windows/persistence_powershell_profiles.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/persistence_powershell_profiles.toml -------------------------------------------------------------------------------- /rules/windows/persistence_registry_uncommon.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/persistence_registry_uncommon.toml -------------------------------------------------------------------------------- /rules/windows/persistence_remote_password_reset.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/persistence_remote_password_reset.toml -------------------------------------------------------------------------------- /rules/windows/persistence_scheduled_task_updated.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/persistence_scheduled_task_updated.toml -------------------------------------------------------------------------------- /rules/windows/persistence_service_dll_unsigned.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/persistence_service_dll_unsigned.toml -------------------------------------------------------------------------------- /rules/windows/persistence_services_registry.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/persistence_services_registry.toml -------------------------------------------------------------------------------- /rules/windows/persistence_startup_folder_scripts.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/persistence_startup_folder_scripts.toml -------------------------------------------------------------------------------- /rules/windows/persistence_temp_scheduled_task.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/persistence_temp_scheduled_task.toml -------------------------------------------------------------------------------- /rules/windows/persistence_time_provider_mod.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/persistence_time_provider_mod.toml -------------------------------------------------------------------------------- /rules/windows/persistence_user_account_creation.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/persistence_user_account_creation.toml -------------------------------------------------------------------------------- /rules/windows/persistence_web_shell_aspx_write.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/persistence_web_shell_aspx_write.toml -------------------------------------------------------------------------------- /rules/windows/persistence_webshell_detection.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules/windows/persistence_webshell_detection.toml -------------------------------------------------------------------------------- /rules_building_block/.gitkeep: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /rules_building_block/collection_posh_compression.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules_building_block/collection_posh_compression.toml -------------------------------------------------------------------------------- /rules_building_block/defense_evasion_dll_hijack.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules_building_block/defense_evasion_dll_hijack.toml -------------------------------------------------------------------------------- /rules_building_block/discovery_getconf_execution.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules_building_block/discovery_getconf_execution.toml -------------------------------------------------------------------------------- /rules_building_block/discovery_hosts_file_access.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules_building_block/discovery_hosts_file_access.toml -------------------------------------------------------------------------------- /rules_building_block/discovery_net_view.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules_building_block/discovery_net_view.toml -------------------------------------------------------------------------------- /rules_building_block/discovery_of_domain_groups.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules_building_block/discovery_of_domain_groups.toml -------------------------------------------------------------------------------- /rules_building_block/discovery_posh_generic.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules_building_block/discovery_posh_generic.toml -------------------------------------------------------------------------------- /rules_building_block/execution_linux_segfault.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules_building_block/execution_linux_segfault.toml -------------------------------------------------------------------------------- /rules_building_block/execution_wmi_wbemtest.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules_building_block/execution_wmi_wbemtest.toml -------------------------------------------------------------------------------- /rules_building_block/lateral_movement_at.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules_building_block/lateral_movement_at.toml -------------------------------------------------------------------------------- /rules_building_block/lateral_movement_wmic_remote.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/rules_building_block/lateral_movement_wmic_remote.toml -------------------------------------------------------------------------------- /tests/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/tests/__init__.py -------------------------------------------------------------------------------- /tests/base.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/tests/base.py -------------------------------------------------------------------------------- /tests/data/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/tests/data/__init__.py -------------------------------------------------------------------------------- /tests/data/command_control_dummy_production_rule.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/tests/data/command_control_dummy_production_rule.toml -------------------------------------------------------------------------------- /tests/kuery/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/tests/kuery/__init__.py -------------------------------------------------------------------------------- /tests/kuery/test_dsl.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/tests/kuery/test_dsl.py -------------------------------------------------------------------------------- /tests/kuery/test_eql2kql.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/tests/kuery/test_eql2kql.py -------------------------------------------------------------------------------- /tests/kuery/test_evaluator.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/tests/kuery/test_evaluator.py -------------------------------------------------------------------------------- /tests/kuery/test_kql2eql.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/tests/kuery/test_kql2eql.py -------------------------------------------------------------------------------- /tests/kuery/test_lint.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/tests/kuery/test_lint.py -------------------------------------------------------------------------------- /tests/kuery/test_parser.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/tests/kuery/test_parser.py -------------------------------------------------------------------------------- /tests/test_all_rules.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/tests/test_all_rules.py -------------------------------------------------------------------------------- /tests/test_gh_workflows.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/tests/test_gh_workflows.py -------------------------------------------------------------------------------- /tests/test_hunt_data.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/tests/test_hunt_data.py -------------------------------------------------------------------------------- /tests/test_packages.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/tests/test_packages.py -------------------------------------------------------------------------------- /tests/test_python_library.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/tests/test_python_library.py -------------------------------------------------------------------------------- /tests/test_rules_remote.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/tests/test_rules_remote.py -------------------------------------------------------------------------------- /tests/test_schemas.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/tests/test_schemas.py -------------------------------------------------------------------------------- /tests/test_specific_rules.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/tests/test_specific_rules.py -------------------------------------------------------------------------------- /tests/test_toml_formatter.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/tests/test_toml_formatter.py -------------------------------------------------------------------------------- /tests/test_transform_fields.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/tests/test_transform_fields.py -------------------------------------------------------------------------------- /tests/test_utils.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/tests/test_utils.py -------------------------------------------------------------------------------- /tests/test_version_locking.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/HEAD/tests/test_version_locking.py --------------------------------------------------------------------------------