├── .codecov.yml ├── .github ├── CODEOWNERS ├── ISSUE_TEMPLATE │ ├── bug_report.md │ ├── config.yml │ ├── documentation.md │ ├── feature_request.md │ └── office_hours.md ├── PULL_REQUEST_TEMPLATE.md └── workflows │ ├── add-untriaged.yml │ ├── backport.yml │ ├── ci.yml │ ├── delete_backport_branch.yml │ ├── maven-publish.yml │ ├── multi-node-test-workflow.yml │ ├── security-test-workflow.yml │ └── version.yml ├── .gitignore ├── .whitesource ├── CODE_OF_CONDUCT.md ├── CONTRIBUTING.md ├── DEVELOPER_GUIDE.md ├── LICENSE ├── MAINTAINERS.md ├── NOTICE ├── README.md ├── checkstyle └── sun_checks.xml ├── formatter └── formatterConfig.xml ├── gradle ├── formatting.gradle └── wrapper │ ├── gradle-wrapper.jar │ └── gradle-wrapper.properties ├── gradlew ├── gradlew.bat ├── release-notes ├── opensearch-security-analytics.release-notes-2.10.0.0.md ├── opensearch-security-analytics.release-notes-2.11.0.0.md ├── opensearch-security-analytics.release-notes-2.11.1.0.md ├── opensearch-security-analytics.release-notes-2.12.0.0.md ├── opensearch-security-analytics.release-notes-2.14.0.0.md ├── opensearch-security-analytics.release-notes-2.15.0.0.md ├── opensearch-security-analytics.release-notes-2.16.0.0.md ├── opensearch-security-analytics.release-notes-2.17.0.0.md ├── opensearch-security-analytics.release-notes-2.17.1.0.md ├── opensearch-security-analytics.release-notes-2.18.0.0.md ├── opensearch-security-analytics.release-notes-2.19.0.0.md ├── opensearch-security-analytics.release-notes-2.4.0.0.md ├── opensearch-security-analytics.release-notes-2.4.1.0.md ├── opensearch-security-analytics.release-notes-2.5.0.0.md ├── opensearch-security-analytics.release-notes-2.6.0.0.md ├── opensearch-security-analytics.release-notes-2.7.0.0.md ├── opensearch-security-analytics.release-notes-2.8.0.0.md ├── opensearch-security-analytics.release-notes-2.9.0.0.md ├── opensearch-security-analytics.release-notes-3.0.0.0-alpha1.md ├── opensearch-security-analytics.release-notes-3.0.0.0-beta1.md ├── opensearch-security-analytics.release-notes-3.0.0.0.md ├── opensearch-security-analytics.release-notes-3.1.0.0.md ├── opensearch-security-analytics.release-notes-3.2.0.0.md └── opensearch-security-analytics.release-notes-3.3.0.0.md ├── scripts └── build.sh ├── security-analytics-commons-1.0.0.jar ├── settings.gradle └── src ├── main ├── config │ └── rules │ │ ├── ad_ldap │ │ ├── azure_aad_secops_signin_failure_bad_password_threshold.yml │ │ ├── azure_aadhybridhealth_adfs_new_server.yml │ │ ├── azure_aadhybridhealth_adfs_service_delete.yml │ │ ├── azure_ad_bitlocker_key_retrieval.yml │ │ ├── azure_ad_device_registration_or_join_without_mfa.yml │ │ ├── azure_ad_device_registration_policy_changes.yml │ │ ├── azure_ad_sign_ins_from_noncompliant_devices.yml │ │ ├── azure_ad_sign_ins_from_unknown_devices.yml │ │ ├── azure_ad_user_added_to_admin_role.yml │ │ ├── azure_ad_users_added_to_device_admin_roles.yml │ │ └── win_ldap_recon.yml │ │ ├── apache_access │ │ ├── web_apache_segfault.yml │ │ └── web_apache_threading_error.yml │ │ ├── azure │ │ ├── azure_aad_secops_ca_policy_removedby_bad_actor.yml │ │ ├── azure_aad_secops_ca_policy_updatedby_bad_actor.yml │ │ ├── azure_aad_secops_new_ca_policy_addedby_bad_actor.yml │ │ ├── azure_aad_secops_signin_failure_bad_password_threshold.yml │ │ ├── azure_aadhybridhealth_adfs_new_server.yml │ │ ├── azure_aadhybridhealth_adfs_service_delete.yml │ │ ├── azure_account_lockout.yml │ │ ├── azure_ad_account_created_deleted.yml │ │ ├── azure_ad_auth_failure_increase.yml │ │ ├── azure_ad_auth_sucess_increase.yml │ │ ├── azure_ad_auth_to_important_apps_using_single_factor_auth.yml │ │ ├── azure_ad_authentications_from_countries_you_do_not_operate_out_of.yml │ │ ├── azure_ad_azurehound_discovery.yml │ │ ├── azure_ad_bitlocker_key_retrieval.yml │ │ ├── azure_ad_device_registration_or_join_without_mfa.yml │ │ ├── azure_ad_device_registration_policy_changes.yml │ │ ├── azure_ad_failed_auth_from_countries_you_do_not_operate_out_of.yml │ │ ├── azure_ad_guest_users_invited_to_tenant_by_non_approved_inviters.yml │ │ ├── azure_ad_only_single_factor_auth_required.yml │ │ ├── azure_ad_risky_sign_ins_with_singlefactorauth_from_unknown_devices.yml │ │ ├── azure_ad_sign_ins_from_noncompliant_devices.yml │ │ ├── azure_ad_sign_ins_from_unknown_devices.yml │ │ ├── azure_ad_suspicious_signin_bypassing_mfa.yml │ │ ├── azure_ad_user_added_to_admin_role.yml │ │ ├── azure_ad_users_added_to_device_admin_roles.yml │ │ ├── azure_app_appid_uri_changes.yml │ │ ├── azure_app_credential_added.yml │ │ ├── azure_app_credential_modification.yml │ │ ├── azure_app_delegated_permissions_all_users.yml │ │ ├── azure_app_device_code_authentication.yml │ │ ├── azure_app_end_user_consent.yml │ │ ├── azure_app_end_user_consent_blocked.yml │ │ ├── azure_app_owner_added.yml │ │ ├── azure_app_permissions_msft.yml │ │ ├── azure_app_privileged_permissions.yml │ │ ├── azure_app_role_added.yml │ │ ├── azure_app_ropc_authentication.yml │ │ ├── azure_app_uri_modifications.yml │ │ ├── azure_application_deleted.yml │ │ ├── azure_application_gateway_modified_or_deleted.yml │ │ ├── azure_application_security_group_modified_or_deleted.yml │ │ ├── azure_blocked_account_attempt.yml │ │ ├── azure_change_to_authentication_method.yml │ │ ├── azure_conditional_access_failure.yml │ │ ├── azure_container_registry_created_or_deleted.yml │ │ ├── azure_creating_number_of_resources_detection.yml │ │ ├── azure_device_no_longer_managed_or_compliant.yml │ │ ├── azure_device_or_configuration_modified_or_deleted.yml │ │ ├── azure_dns_zone_modified_or_deleted.yml │ │ ├── azure_federation_modified.yml │ │ ├── azure_firewall_modified_or_deleted.yml │ │ ├── azure_firewall_rule_collection_modified_or_deleted.yml │ │ ├── azure_granting_permission_detection.yml │ │ ├── azure_group_user_addition_ca_modification.yml │ │ ├── azure_group_user_removal_ca_modification.yml │ │ ├── azure_guest_invite_failure.yml │ │ ├── azure_guest_to_member.yml │ │ ├── azure_identity_protection_anomalous_token.yml │ │ ├── azure_identity_protection_anomalous_user.yml │ │ ├── azure_identity_protection_anonymous_ip_activity.yml │ │ ├── azure_identity_protection_anonymous_ip_address.yml │ │ ├── azure_identity_protection_atypical_travel.yml │ │ ├── azure_identity_protection_impossible_travel.yml │ │ ├── azure_identity_protection_inbox_forwarding_rule.yml │ │ ├── azure_identity_protection_inbox_manipulation.yml │ │ ├── azure_identity_protection_leaked_credentials.yml │ │ ├── azure_identity_protection_malicious_ip_address.yml │ │ ├── azure_identity_protection_malicious_ip_address_suspicious.yml │ │ ├── azure_identity_protection_malware_linked_ip.yml │ │ ├── azure_identity_protection_new_coutry_region.yml │ │ ├── azure_identity_protection_password_spray.yml │ │ ├── azure_identity_protection_prt_access.yml │ │ ├── azure_identity_protection_suspicious_browser.yml │ │ ├── azure_identity_protection_threat_intel.yml │ │ ├── azure_identity_protection_token_issuer_anomaly.yml │ │ ├── azure_identity_protection_unfamilar_sign_in.yml │ │ ├── azure_keyvault_key_modified_or_deleted.yml │ │ ├── azure_keyvault_modified_or_deleted.yml │ │ ├── azure_keyvault_secrets_modified_or_deleted.yml │ │ ├── azure_kubernetes_admission_controller.yml │ │ ├── azure_kubernetes_cluster_created_or_deleted.yml │ │ ├── azure_kubernetes_cronjob.yml │ │ ├── azure_kubernetes_events_deleted.yml │ │ ├── azure_kubernetes_network_policy_change.yml │ │ ├── azure_kubernetes_pods_deleted.yml │ │ ├── azure_kubernetes_role_access.yml │ │ ├── azure_kubernetes_rolebinding_modified_or_deleted.yml │ │ ├── azure_kubernetes_secret_or_config_object_access.yml │ │ ├── azure_kubernetes_service_account_modified_or_deleted.yml │ │ ├── azure_legacy_authentication_protocols.yml │ │ ├── azure_login_to_disabled_account.yml │ │ ├── azure_mfa_denies.yml │ │ ├── azure_mfa_disabled.yml │ │ ├── azure_mfa_interrupted.yml │ │ ├── azure_network_firewall_policy_modified_or_deleted.yml │ │ ├── azure_network_firewall_rule_modified_or_deleted.yml │ │ ├── azure_network_p2s_vpn_modified_or_deleted.yml │ │ ├── azure_network_security_modified_or_deleted.yml │ │ ├── azure_network_virtual_device_modified_or_deleted.yml │ │ ├── azure_new_cloudshell_created.yml │ │ ├── azure_owner_removed_from_application_or_service_principal.yml │ │ ├── azure_pim_account_stale.yml │ │ ├── azure_pim_activation_approve_deny.yml │ │ ├── azure_pim_alerts_disabled.yml │ │ ├── azure_pim_change_settings.yml │ │ ├── azure_pim_invalid_license.yml │ │ ├── azure_pim_role_assigned_outside_of_pim.yml │ │ ├── azure_pim_role_frequent_activation.yml │ │ ├── azure_pim_role_no_mfa_required.yml │ │ ├── azure_pim_role_not_used.yml │ │ ├── azure_pim_too_many_global_admins.yml │ │ ├── azure_priviledged_role_assignment_add.yml │ │ ├── azure_priviledged_role_assignment_bulk_change.yml │ │ ├── azure_privileged_account_creation.yml │ │ ├── azure_rare_operations.yml │ │ ├── azure_service_principal_created.yml │ │ ├── azure_service_principal_removed.yml │ │ ├── azure_subscription_permissions_elevation_via_activitylogs.yml │ │ ├── azure_subscription_permissions_elevation_via_auditlogs.yml │ │ ├── azure_suppression_rule_created.yml │ │ ├── azure_tap_added.yml │ │ ├── azure_unusual_authentication_interruption.yml │ │ ├── azure_user_login_blocked_by_conditional_access.yml │ │ ├── azure_user_password_change.yml │ │ ├── azure_users_authenticating_to_other_azure_ad_tenants.yml │ │ ├── azure_virtual_network_modified_or_deleted.yml │ │ └── azure_vpn_connection_modified_or_deleted.yml │ │ ├── cloudtrail │ │ ├── aws_attached_malicious_lambda_layer.yml │ │ ├── aws_cloudtrail_disable_logging.yml │ │ ├── aws_config_disable_recording.yml │ │ ├── aws_console_getsignintoken.yml │ │ ├── aws_create_load_balancer_layer.yml │ │ ├── aws_delete_identity.yml │ │ ├── aws_disable_bucket_versioning.yml │ │ ├── aws_ec2_disable_encryption.yml │ │ ├── aws_ec2_download_userdata.yml │ │ ├── aws_ec2_startup_script_change.yml │ │ ├── aws_ec2_vm_export_failure.yml │ │ ├── aws_ecs_task_definition_backdoor.yml │ │ ├── aws_ecs_task_definition_cred_endpoint_query.yml │ │ ├── aws_efs_fileshare_modified_or_deleted.yml │ │ ├── aws_efs_fileshare_mount_modified_or_deleted.yml │ │ ├── aws_eks_cluster_created_or_deleted.yml │ │ ├── aws_elasticache_security_group_created.yml │ │ ├── aws_elasticache_security_group_modified_or_deleted.yml │ │ ├── aws_enum_buckets.yml │ │ ├── aws_enum_listing.yml │ │ ├── aws_guardduty_disruption.yml │ │ ├── aws_iam_backdoor_users_keys.yml │ │ ├── aws_iam_s3browser_loginprofile_creation.yml │ │ ├── aws_iam_s3browser_templated_s3_bucket_policy_creation.yml │ │ ├── aws_iam_s3browser_user_or_accesskey_creation.yml │ │ ├── aws_lambda_function_created_or_invoked.yml │ │ ├── aws_macic_evasion.yml │ │ ├── aws_passed_role_to_glue_development_endpoint.yml │ │ ├── aws_rds_change_master_password.yml │ │ ├── aws_rds_public_db_restore.yml │ │ ├── aws_root_account_usage.yml │ │ ├── aws_route_53_domain_transferred_lock_disabled.yml │ │ ├── aws_route_53_domain_transferred_to_another_account.yml │ │ ├── aws_securityhub_finding_evasion.yml │ │ ├── aws_snapshot_backup_exfiltration.yml │ │ ├── aws_sso_idp_change.yml │ │ ├── aws_sts_assumerole_misuse.yml │ │ ├── aws_sts_getsessiontoken_misuse.yml │ │ ├── aws_susp_saml_activity.yml │ │ └── aws_update_login_profile.yml │ │ ├── dns │ │ ├── net_dns_c2_detection.yml │ │ ├── net_dns_external_service_interaction_domains.yml │ │ ├── net_dns_high_bytes_out.yml │ │ ├── net_dns_high_null_records_requests_rate.yml │ │ ├── net_dns_high_requests_rate.yml │ │ ├── net_dns_high_txt_records_requests_rate.yml │ │ ├── net_dns_mal_cobaltstrike.yml │ │ ├── net_dns_pua_cryptocoin_mining_xmr.yml │ │ ├── net_dns_susp_b64_queries.yml │ │ ├── net_dns_susp_telegram_api.yml │ │ ├── net_dns_susp_txt_exec_strings.yml │ │ └── net_dns_wannacry_killswitch_domain.yml │ │ ├── github │ │ ├── github_delete_action_invoked.yml │ │ ├── github_disable_high_risk_configuration.yml │ │ ├── github_disabled_outdated_dependency_or_vulnerability.yml │ │ ├── github_new_org_member.yml │ │ ├── github_new_secret_created.yml │ │ ├── github_outside_collaborator_detected.yml │ │ ├── github_push_protection_bypass_detected.yml │ │ ├── github_push_protection_disabled.yml │ │ ├── github_secret_scanning_feature_disabled.yml │ │ └── github_self_hosted_runner_changes_detected.yml │ │ ├── gworkspace │ │ ├── gcp_gworkspace_application_access_levels_modified.yml │ │ ├── gcp_gworkspace_application_removed.yml │ │ ├── gcp_gworkspace_granted_domain_api_access.yml │ │ ├── gcp_gworkspace_mfa_disabled.yml │ │ ├── gcp_gworkspace_role_modified_or_deleted.yml │ │ ├── gcp_gworkspace_role_privilege_deleted.yml │ │ └── gcp_gworkspace_user_granted_admin_privileges.yml │ │ ├── linux │ │ ├── auditd │ │ │ ├── lnx_auditd_audio_capture.yml │ │ │ ├── lnx_auditd_auditing_config_change.yml │ │ │ ├── lnx_auditd_binary_padding.yml │ │ │ ├── lnx_auditd_bpfdoor_file_accessed.yml │ │ │ ├── lnx_auditd_bpfdoor_port_redirect.yml │ │ │ ├── lnx_auditd_capabilities_discovery.yml │ │ │ ├── lnx_auditd_change_file_time_attr.yml │ │ │ ├── lnx_auditd_chattr_immutable_removal.yml │ │ │ ├── lnx_auditd_clipboard_collection.yml │ │ │ ├── lnx_auditd_clipboard_image_collection.yml │ │ │ ├── lnx_auditd_coinminer.yml │ │ │ ├── lnx_auditd_create_account.yml │ │ │ ├── lnx_auditd_data_compressed.yml │ │ │ ├── lnx_auditd_data_exfil_wget.yml │ │ │ ├── lnx_auditd_dd_delete_file.yml │ │ │ ├── lnx_auditd_disable_system_firewall.yml │ │ │ ├── lnx_auditd_file_or_folder_permissions.yml │ │ │ ├── lnx_auditd_find_cred_in_files.yml │ │ │ ├── lnx_auditd_hidden_binary_execution.yml │ │ │ ├── lnx_auditd_hidden_files_directories.yml │ │ │ ├── lnx_auditd_hidden_zip_files_steganography.yml │ │ │ ├── lnx_auditd_keylogging_with_pam_d.yml │ │ │ ├── lnx_auditd_ld_so_preload_mod.yml │ │ │ ├── lnx_auditd_load_module_insmod.yml │ │ │ ├── lnx_auditd_logging_config_change.yml │ │ │ ├── lnx_auditd_masquerading_crond.yml │ │ │ ├── lnx_auditd_modify_system_firewall.yml │ │ │ ├── lnx_auditd_network_service_scanning.yml │ │ │ ├── lnx_auditd_network_sniffing.yml │ │ │ ├── lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml │ │ │ ├── lnx_auditd_password_policy_discovery.yml │ │ │ ├── lnx_auditd_pers_systemd_reload.yml │ │ │ ├── lnx_auditd_screencapture_import.yml │ │ │ ├── lnx_auditd_screencaputre_xwd.yml │ │ │ ├── lnx_auditd_split_file_into_pieces.yml │ │ │ ├── lnx_auditd_steghide_embed_steganography.yml │ │ │ ├── lnx_auditd_steghide_extract_steganography.yml │ │ │ ├── lnx_auditd_susp_c2_commands.yml │ │ │ ├── lnx_auditd_susp_cmds.yml │ │ │ ├── lnx_auditd_susp_exe_folders.yml │ │ │ ├── lnx_auditd_susp_histfile_operations.yml │ │ │ ├── lnx_auditd_system_info_discovery.yml │ │ │ ├── lnx_auditd_system_info_discovery2.yml │ │ │ ├── lnx_auditd_system_shutdown_reboot.yml │ │ │ ├── lnx_auditd_systemd_service_creation.yml │ │ │ ├── lnx_auditd_unix_shell_configuration_modification.yml │ │ │ ├── lnx_auditd_unzip_hidden_zip_files_steganography.yml │ │ │ ├── lnx_auditd_user_discovery.yml │ │ │ └── lnx_auditd_web_rce.yml │ │ ├── builtin │ │ │ ├── auth │ │ │ │ └── lnx_auth_pwnkit_local_privilege_escalation.yml │ │ │ ├── clamav │ │ │ │ └── lnx_clamav_relevant_message.yml │ │ │ ├── cron │ │ │ │ └── lnx_cron_crontab_file_modification.yml │ │ │ ├── guacamole │ │ │ │ └── lnx_guacamole_susp_guacamole.yml │ │ │ ├── lnx_apt_equationgroup_lnx.yml │ │ │ ├── lnx_buffer_overflows.yml │ │ │ ├── lnx_clear_syslog.yml │ │ │ ├── lnx_file_copy.yml │ │ │ ├── lnx_ldso_preload_injection.yml │ │ │ ├── lnx_nimbuspwn_privilege_escalation_exploit.yml │ │ │ ├── lnx_potential_susp_ebpf_activity.yml │ │ │ ├── lnx_privileged_user_creation.yml │ │ │ ├── lnx_shell_clear_cmd_history.yml │ │ │ ├── lnx_shell_susp_commands.yml │ │ │ ├── lnx_shell_susp_log_entries.yml │ │ │ ├── lnx_shell_susp_rev_shells.yml │ │ │ ├── lnx_shellshock.yml │ │ │ ├── lnx_space_after_filename_.yml │ │ │ ├── lnx_susp_dev_tcp.yml │ │ │ ├── lnx_susp_jexboss.yml │ │ │ ├── lnx_symlink_etc_passwd.yml │ │ │ ├── sshd │ │ │ │ ├── lnx_sshd_ssh_cve_2018_15473.yml │ │ │ │ └── lnx_sshd_susp_ssh.yml │ │ │ ├── sudo │ │ │ │ └── lnx_sudo_cve_2019_14287_user.yml │ │ │ ├── syslog │ │ │ │ ├── lnx_syslog_security_tools_disabling_syslog.yml │ │ │ │ └── lnx_syslog_susp_named.yml │ │ │ └── vsftpd │ │ │ │ └── lnx_vsftpd_susp_error_messages.yml │ │ ├── file_event │ │ │ ├── file_event_lnx_doas_conf_creation.yml │ │ │ ├── file_event_lnx_persistence_cron_files.yml │ │ │ ├── file_event_lnx_persistence_sudoers_files.yml │ │ │ ├── file_event_lnx_susp_shell_script_under_profile_directory.yml │ │ │ ├── file_event_lnx_triple_cross_rootkit_lock_file.yml │ │ │ ├── file_event_lnx_triple_cross_rootkit_persistence.yml │ │ │ └── file_event_lnx_wget_download_file_in_tmp_dir.yml │ │ ├── network_connection │ │ │ ├── net_connection_lnx_back_connect_shell_dev.yml │ │ │ ├── net_connection_lnx_crypto_mining_indicators.yml │ │ │ └── net_connection_lnx_ngrok_tunnel.yml │ │ └── process_creation │ │ │ ├── proc_creation_lnx_at_command.yml │ │ │ ├── proc_creation_lnx_base64_decode.yml │ │ │ ├── proc_creation_lnx_base64_execution.yml │ │ │ ├── proc_creation_lnx_base64_shebang_cli.yml │ │ │ ├── proc_creation_lnx_bash_interactive_shell.yml │ │ │ ├── proc_creation_lnx_bpf_kprob_tracing_enabled.yml │ │ │ ├── proc_creation_lnx_bpftrace_unsafe_option_usage.yml │ │ │ ├── proc_creation_lnx_capa_discovery.yml │ │ │ ├── proc_creation_lnx_cat_sudoers.yml │ │ │ ├── proc_creation_lnx_chattr_immutable_removal.yml │ │ │ ├── proc_creation_lnx_clear_logs.yml │ │ │ ├── proc_creation_lnx_clear_syslog.yml │ │ │ ├── proc_creation_lnx_clipboard_collection.yml │ │ │ ├── proc_creation_lnx_cp_passwd_or_shadow_tmp.yml │ │ │ ├── proc_creation_lnx_crontab_enumeration.yml │ │ │ ├── proc_creation_lnx_crontab_removal.yml │ │ │ ├── proc_creation_lnx_crypto_mining.yml │ │ │ ├── proc_creation_lnx_curl_usage.yml │ │ │ ├── proc_creation_lnx_cve_2022_26134_atlassian_confluence.yml │ │ │ ├── proc_creation_lnx_cve_2022_33891_spark_shell_command_injection.yml │ │ │ ├── proc_creation_lnx_dd_file_overwrite.yml │ │ │ ├── proc_creation_lnx_dd_process_injection.yml │ │ │ ├── proc_creation_lnx_disable_ufw.yml │ │ │ ├── proc_creation_lnx_doas_execution.yml │ │ │ ├── proc_creation_lnx_esxcli_network_discovery.yml │ │ │ ├── proc_creation_lnx_esxcli_permission_change_admin.yml │ │ │ ├── proc_creation_lnx_esxcli_storage_discovery.yml │ │ │ ├── proc_creation_lnx_esxcli_syslog_config_change.yml │ │ │ ├── proc_creation_lnx_esxcli_system_discovery.yml │ │ │ ├── proc_creation_lnx_esxcli_user_account_creation.yml │ │ │ ├── proc_creation_lnx_esxcli_vm_discovery.yml │ │ │ ├── proc_creation_lnx_esxcli_vm_kill.yml │ │ │ ├── proc_creation_lnx_esxcli_vsan_discovery.yml │ │ │ ├── proc_creation_lnx_file_and_directory_discovery.yml │ │ │ ├── proc_creation_lnx_file_deletion.yml │ │ │ ├── proc_creation_lnx_grep_os_arch_discovery.yml │ │ │ ├── proc_creation_lnx_groupdel.yml │ │ │ ├── proc_creation_lnx_gtfobin_apt.yml │ │ │ ├── proc_creation_lnx_gtfobin_vim.yml │ │ │ ├── proc_creation_lnx_install_root_certificate.yml │ │ │ ├── proc_creation_lnx_install_suspicioua_packages.yml │ │ │ ├── proc_creation_lnx_iptables_flush_ufw.yml │ │ │ ├── proc_creation_lnx_kill_process.yml │ │ │ ├── proc_creation_lnx_local_account.yml │ │ │ ├── proc_creation_lnx_local_groups.yml │ │ │ ├── proc_creation_lnx_malware_gobrat_grep_payload_discovery.yml │ │ │ ├── proc_creation_lnx_mkfifo_named_pipe_creation.yml │ │ │ ├── proc_creation_lnx_mkfifo_named_pipe_creation_susp_location.yml │ │ │ ├── proc_creation_lnx_mount_hidepid.yml │ │ │ ├── proc_creation_lnx_netcat_reverse_shell.yml │ │ │ ├── proc_creation_lnx_nohup.yml │ │ │ ├── proc_creation_lnx_nohup_susp_execution.yml │ │ │ ├── proc_creation_lnx_omigod_scx_runasprovider_executescript.yml │ │ │ ├── proc_creation_lnx_omigod_scx_runasprovider_executeshellcommand.yml │ │ │ ├── proc_creation_lnx_perl_reverse_shell.yml │ │ │ ├── proc_creation_lnx_php_reverse_shell.yml │ │ │ ├── proc_creation_lnx_process_discovery.yml │ │ │ ├── proc_creation_lnx_proxy_connection.yml │ │ │ ├── proc_creation_lnx_python_pty_spawn.yml │ │ │ ├── proc_creation_lnx_python_reverse_shell.yml │ │ │ ├── proc_creation_lnx_remote_access_tools_teamviewer_incoming_connection.yml │ │ │ ├── proc_creation_lnx_remote_system_discovery.yml │ │ │ ├── proc_creation_lnx_remove_package.yml │ │ │ ├── proc_creation_lnx_ruby_reverse_shell.yml │ │ │ ├── proc_creation_lnx_schedule_task_job_cron.yml │ │ │ ├── proc_creation_lnx_security_software_discovery.yml │ │ │ ├── proc_creation_lnx_security_tools_disabling.yml │ │ │ ├── proc_creation_lnx_services_stop_and_disable.yml │ │ │ ├── proc_creation_lnx_setgid_setuid.yml │ │ │ ├── proc_creation_lnx_ssm_agent_abuse.yml │ │ │ ├── proc_creation_lnx_sudo_cve_2019_14287.yml │ │ │ ├── proc_creation_lnx_susp_chmod_directories.yml │ │ │ ├── proc_creation_lnx_susp_container_residence_discovery.yml │ │ │ ├── proc_creation_lnx_susp_curl_fileupload.yml │ │ │ ├── proc_creation_lnx_susp_curl_useragent.yml │ │ │ ├── proc_creation_lnx_susp_dockerenv_recon.yml │ │ │ ├── proc_creation_lnx_susp_execution_tmp_folder.yml │ │ │ ├── proc_creation_lnx_susp_find_execution.yml │ │ │ ├── proc_creation_lnx_susp_git_clone.yml │ │ │ ├── proc_creation_lnx_susp_history_delete.yml │ │ │ ├── proc_creation_lnx_susp_history_recon.yml │ │ │ ├── proc_creation_lnx_susp_hktl_execution.yml │ │ │ ├── proc_creation_lnx_susp_inod_listing.yml │ │ │ ├── proc_creation_lnx_susp_interactive_bash.yml │ │ │ ├── proc_creation_lnx_susp_java_children.yml │ │ │ ├── proc_creation_lnx_susp_network_utilities_execution.yml │ │ │ ├── proc_creation_lnx_susp_pipe_shell.yml │ │ │ ├── proc_creation_lnx_susp_recon_indicators.yml │ │ │ ├── proc_creation_lnx_susp_sensitive_file_access.yml │ │ │ ├── proc_creation_lnx_susp_shell_child_process_from_parent_tmp_folder.yml │ │ │ ├── proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml │ │ │ ├── proc_creation_lnx_system_info_discovery.yml │ │ │ ├── proc_creation_lnx_system_network_connections_discovery.yml │ │ │ ├── proc_creation_lnx_system_network_discovery.yml │ │ │ ├── proc_creation_lnx_touch_susp.yml │ │ │ ├── proc_creation_lnx_triple_cross_rootkit_execve_hijack.yml │ │ │ ├── proc_creation_lnx_triple_cross_rootkit_install.yml │ │ │ ├── proc_creation_lnx_userdel.yml │ │ │ ├── proc_creation_lnx_usermod_susp_group.yml │ │ │ ├── proc_creation_lnx_webshell_detection.yml │ │ │ ├── proc_creation_lnx_wget_download_suspicious_directory.yml │ │ │ └── proc_creation_lnx_xterm_reverse_shell.yml │ │ ├── m365 │ │ ├── microsoft365_activity_by_terminated_user.yml │ │ ├── microsoft365_activity_from_anonymous_ip_addresses.yml │ │ ├── microsoft365_activity_from_infrequent_country.yml │ │ ├── microsoft365_data_exfiltration_to_unsanctioned_app.yml │ │ ├── microsoft365_disabling_mfa.yml │ │ ├── microsoft365_from_susp_ip_addresses.yml │ │ ├── microsoft365_impossible_travel_activity.yml │ │ ├── microsoft365_logon_from_risky_ip_address.yml │ │ ├── microsoft365_new_federated_domain_added.yml │ │ ├── microsoft365_new_federated_domain_added_audit.yml │ │ ├── microsoft365_new_federated_domain_added_exchange.yml │ │ ├── microsoft365_potential_ransomware_activity.yml │ │ ├── microsoft365_pst_export_alert.yml │ │ ├── microsoft365_pst_export_alert_using_new_compliancesearchaction.yml │ │ ├── microsoft365_susp_inbox_forwarding.yml │ │ ├── microsoft365_susp_oauth_app_file_download_activities.yml │ │ ├── microsoft365_unusual_volume_of_file_deletion.yml │ │ └── microsoft365_user_restricted_from_sending_email.yml │ │ ├── network │ │ ├── cisco │ │ │ ├── aaa │ │ │ │ ├── cisco_cli_clear_logs.yml │ │ │ │ ├── cisco_cli_collect_data.yml │ │ │ │ ├── cisco_cli_crypto_actions.yml │ │ │ │ ├── cisco_cli_disable_logging.yml │ │ │ │ ├── cisco_cli_discovery.yml │ │ │ │ ├── cisco_cli_dos.yml │ │ │ │ ├── cisco_cli_file_deletion.yml │ │ │ │ ├── cisco_cli_input_capture.yml │ │ │ │ ├── cisco_cli_local_accounts.yml │ │ │ │ ├── cisco_cli_modify_config.yml │ │ │ │ ├── cisco_cli_moving_data.yml │ │ │ │ └── cisco_cli_net_sniff.yml │ │ │ ├── bgp │ │ │ │ └── cisco_bgp_md5_auth_failed.yml │ │ │ └── ldp │ │ │ │ └── cisco_ldp_md5_auth_failed.yml │ │ ├── firewall │ │ │ ├── net_firewall_cleartext_protocols.yml │ │ │ ├── net_firewall_high_dns_bytes_out.yml │ │ │ ├── net_firewall_high_dns_requests_rate.yml │ │ │ ├── net_firewall_susp_network_scan_by_ip.yml │ │ │ └── net_firewall_susp_network_scan_by_port.yml │ │ └── zeek │ │ │ ├── zeek_dce_rpc_domain_user_enumeration.yml │ │ │ ├── zeek_dce_rpc_mitre_bzar_execution.yml │ │ │ ├── zeek_dce_rpc_mitre_bzar_persistence.yml │ │ │ ├── zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml │ │ │ ├── zeek_dce_rpc_printnightmare_print_driver_install.yml │ │ │ ├── zeek_dce_rpc_smb_spoolss_named_pipe.yml │ │ │ ├── zeek_default_cobalt_strike_certificate.yml │ │ │ ├── zeek_dns_mining_pools.yml │ │ │ ├── zeek_dns_nkn.yml │ │ │ ├── zeek_dns_susp_zbit_flag.yml │ │ │ ├── zeek_dns_torproxy.yml │ │ │ ├── zeek_http_executable_download_from_webdav.yml │ │ │ ├── zeek_http_omigod_no_auth_rce.yml │ │ │ ├── zeek_http_webdav_put_request.yml │ │ │ ├── zeek_rdp_public_listener.yml │ │ │ ├── zeek_smb_converted_win_atsvc_task.yml │ │ │ ├── zeek_smb_converted_win_impacket_secretdump.yml │ │ │ ├── zeek_smb_converted_win_lm_namedpipe.yml │ │ │ ├── zeek_smb_converted_win_susp_psexec.yml │ │ │ ├── zeek_smb_converted_win_susp_raccess_sensitive_fext.yml │ │ │ ├── zeek_smb_converted_win_transferring_files_with_credential_data.yml │ │ │ └── zeek_susp_kerberos_rc4.yml │ │ ├── okta │ │ ├── okta_admin_role_assigned_to_user_or_group.yml │ │ ├── okta_admin_role_assignment_created.yml │ │ ├── okta_api_token_created.yml │ │ ├── okta_api_token_revoked.yml │ │ ├── okta_application_modified_or_deleted.yml │ │ ├── okta_application_sign_on_policy_modified_or_deleted.yml │ │ ├── okta_mfa_reset_or_deactivated.yml │ │ ├── okta_network_zone_deactivated_or_deleted.yml │ │ ├── okta_policy_modified_or_deleted.yml │ │ ├── okta_policy_rule_modified_or_deleted.yml │ │ ├── okta_security_threat_detected.yml │ │ ├── okta_unauthorized_access_to_app.yml │ │ └── okta_user_account_locked_out.yml │ │ ├── others_application │ │ ├── antivirus │ │ │ ├── av_exploiting.yml │ │ │ ├── av_hacktool.yml │ │ │ ├── av_password_dumper.yml │ │ │ ├── av_printernightmare_cve_2021_34527.yml │ │ │ ├── av_ransomware.yml │ │ │ ├── av_relevant_files.yml │ │ │ └── av_webshell.yml │ │ ├── django │ │ │ └── appframework_django_exceptions.yml │ │ ├── python │ │ │ └── app_python_sql_exceptions.yml │ │ ├── rpc_firewall │ │ │ ├── rpc_firewall_atsvc_lateral_movement.yml │ │ │ ├── rpc_firewall_atsvc_recon.yml │ │ │ ├── rpc_firewall_dcsync_attack.yml │ │ │ ├── rpc_firewall_efs_abuse.yml │ │ │ ├── rpc_firewall_eventlog_recon.yml │ │ │ ├── rpc_firewall_itaskschedulerservice_lateral_movement.yml │ │ │ ├── rpc_firewall_itaskschedulerservice_recon.yml │ │ │ ├── rpc_firewall_printing_lateral_movement.yml │ │ │ ├── rpc_firewall_remote_dcom_or_wmi.yml │ │ │ ├── rpc_firewall_remote_registry_lateral_movement.yml │ │ │ ├── rpc_firewall_remote_registry_recon.yml │ │ │ ├── rpc_firewall_remote_server_service_abuse.yml │ │ │ ├── rpc_firewall_remote_service_lateral_movement.yml │ │ │ ├── rpc_firewall_sasec_lateral_movement.yml │ │ │ ├── rpc_firewall_sasec_recon.yml │ │ │ ├── rpc_firewall_sharphound_recon_account.yml │ │ │ └── rpc_firewall_sharphound_recon_sessions.yml │ │ ├── ruby │ │ │ └── appframework_ruby_on_rails_exceptions.yml │ │ ├── spring │ │ │ └── appframework_spring_exceptions.yml │ │ └── sql │ │ │ └── app_sqlinjection_errors.yml │ │ ├── others_apt │ │ ├── apt_silence_downloader_v3.yml │ │ └── apt_silence_eda.yml │ │ ├── others_cloud │ │ ├── azure │ │ │ ├── azure_aad_secops_signin_failure_bad_password_threshold.yml │ │ │ ├── azure_aadhybridhealth_adfs_new_server.yml │ │ │ ├── azure_aadhybridhealth_adfs_service_delete.yml │ │ │ ├── azure_account_lockout.yml │ │ │ ├── azure_ad_bitlocker_key_retrieval.yml │ │ │ ├── azure_ad_device_registration_or_join_without_mfa.yml │ │ │ ├── azure_ad_device_registration_policy_changes.yml │ │ │ ├── azure_ad_sign_ins_from_noncompliant_devices.yml │ │ │ ├── azure_ad_sign_ins_from_unknown_devices.yml │ │ │ ├── azure_ad_user_added_to_admin_role.yml │ │ │ ├── azure_ad_users_added_to_device_admin_roles.yml │ │ │ ├── azure_app_appid_uri_changes.yml │ │ │ ├── azure_app_credential_added.yml │ │ │ ├── azure_app_credential_modification.yml │ │ │ ├── azure_app_device_code_authentication.yml │ │ │ ├── azure_app_owner_added.yml │ │ │ ├── azure_app_ropc_authentication.yml │ │ │ ├── azure_app_uri_modifications.yml │ │ │ ├── azure_application_deleted.yml │ │ │ ├── azure_application_gateway_modified_or_deleted.yml │ │ │ ├── azure_application_security_group_modified_or_deleted.yml │ │ │ ├── azure_blocked_account_attempt.yml │ │ │ ├── azure_change_to_authentication_method.yml │ │ │ ├── azure_conditional_access_failure.yml │ │ │ ├── azure_container_registry_created_or_deleted.yml │ │ │ ├── azure_creating_number_of_resources_detection.yml │ │ │ ├── azure_device_no_longer_managed_or_compliant.yml │ │ │ ├── azure_device_or_configuration_modified_or_deleted.yml │ │ │ ├── azure_dns_zone_modified_or_deleted.yml │ │ │ ├── azure_federation_modified.yml │ │ │ ├── azure_firewall_modified_or_deleted.yml │ │ │ ├── azure_firewall_rule_collection_modified_or_deleted.yml │ │ │ ├── azure_granting_permission_detection.yml │ │ │ ├── azure_keyvault_key_modified_or_deleted.yml │ │ │ ├── azure_keyvault_modified_or_deleted.yml │ │ │ ├── azure_keyvault_secrets_modified_or_deleted.yml │ │ │ ├── azure_kubernetes_admission_controller.yml │ │ │ ├── azure_kubernetes_cluster_created_or_deleted.yml │ │ │ ├── azure_kubernetes_cronjob.yml │ │ │ ├── azure_kubernetes_events_deleted.yml │ │ │ ├── azure_kubernetes_network_policy_change.yml │ │ │ ├── azure_kubernetes_pods_deleted.yml │ │ │ ├── azure_kubernetes_role_access.yml │ │ │ ├── azure_kubernetes_rolebinding_modified_or_deleted.yml │ │ │ ├── azure_kubernetes_secret_or_config_object_access.yml │ │ │ ├── azure_kubernetes_service_account_modified_or_deleted.yml │ │ │ ├── azure_login_to_disabled_account.yml │ │ │ ├── azure_mfa_denies.yml │ │ │ ├── azure_mfa_disabled.yml │ │ │ ├── azure_mfa_interrupted.yml │ │ │ ├── azure_network_firewall_policy_modified_or_deleted.yml │ │ │ ├── azure_network_firewall_rule_modified_or_deleted.yml │ │ │ ├── azure_network_p2s_vpn_modified_or_deleted.yml │ │ │ ├── azure_network_security_modified_or_deleted.yml │ │ │ ├── azure_network_virtual_device_modified_or_deleted.yml │ │ │ ├── azure_new_cloudshell_created.yml │ │ │ ├── azure_owner_removed_from_application_or_service_principal.yml │ │ │ ├── azure_rare_operations.yml │ │ │ ├── azure_service_principal_created.yml │ │ │ ├── azure_service_principal_removed.yml │ │ │ ├── azure_subscription_permissions_elevation_via_activitylogs.yml │ │ │ ├── azure_subscription_permissions_elevation_via_auditlogs.yml │ │ │ ├── azure_suppression_rule_created.yml │ │ │ ├── azure_unusual_authentication_interruption.yml │ │ │ ├── azure_user_login_blocked_by_conditional_access.yml │ │ │ ├── azure_virtual_network_modified_or_deleted.yml │ │ │ └── azure_vpn_connection_modified_or_deleted.yml │ │ ├── gcp │ │ │ ├── gcp_bucket_enumeration.yml │ │ │ ├── gcp_bucket_modified_or_deleted.yml │ │ │ ├── gcp_dlp_re_identifies_sensitive_information.yml │ │ │ ├── gcp_dns_zone_modified_or_deleted.yml │ │ │ ├── gcp_firewall_rule_modified_or_deleted.yml │ │ │ ├── gcp_full_network_traffic_packet_capture.yml │ │ │ ├── gcp_kubernetes_admission_controller.yml │ │ │ ├── gcp_kubernetes_cronjob.yml │ │ │ ├── gcp_kubernetes_rolebinding.yml │ │ │ ├── gcp_kubernetes_secrets_modified_or_deleted.yml │ │ │ ├── gcp_service_account_disabled_or_deleted.yml │ │ │ ├── gcp_service_account_modified.yml │ │ │ ├── gcp_sql_database_modified_or_deleted.yml │ │ │ └── gcp_vpn_tunnel_modified_or_deleted.yml │ │ ├── gworkspace │ │ │ ├── gworkspace_application_removed.yml │ │ │ ├── gworkspace_granted_domain_api_access.yml │ │ │ ├── gworkspace_mfa_disabled.yml │ │ │ ├── gworkspace_role_modified_or_deleted.yml │ │ │ ├── gworkspace_role_privilege_deleted.yml │ │ │ └── gworkspace_user_granted_admin_privileges.yml │ │ ├── m365 │ │ │ ├── microsoft365_activity_by_terminated_user.yml │ │ │ ├── microsoft365_activity_from_anonymous_ip_addresses.yml │ │ │ ├── microsoft365_activity_from_infrequent_country.yml │ │ │ ├── microsoft365_data_exfiltration_to_unsanctioned_app.yml │ │ │ ├── microsoft365_from_susp_ip_addresses.yml │ │ │ ├── microsoft365_impossible_travel_activity.yml │ │ │ ├── microsoft365_logon_from_risky_ip_address.yml │ │ │ ├── microsoft365_new_federated_domain_added.yml │ │ │ ├── microsoft365_potential_ransomware_activity.yml │ │ │ ├── microsoft365_susp_inbox_forwarding.yml │ │ │ ├── microsoft365_susp_oauth_app_file_download_activities.yml │ │ │ ├── microsoft365_unusual_volume_of_file_deletion.yml │ │ │ └── microsoft365_user_restricted_from_sending_email.yml │ │ ├── okta │ │ │ ├── okta_admin_role_assigned_to_user_or_group.yml │ │ │ ├── okta_api_token_created.yml │ │ │ ├── okta_api_token_revoked.yml │ │ │ ├── okta_application_modified_or_deleted.yml │ │ │ ├── okta_application_sign_on_policy_modified_or_deleted.yml │ │ │ ├── okta_mfa_reset_or_deactivated.yml │ │ │ ├── okta_network_zone_deactivated_or_deleted.yml │ │ │ ├── okta_policy_modified_or_deleted.yml │ │ │ ├── okta_policy_rule_modified_or_deleted.yml │ │ │ ├── okta_security_threat_detected.yml │ │ │ ├── okta_unauthorized_access_to_app.yml │ │ │ └── okta_user_account_locked_out.yml │ │ └── onelogin │ │ │ ├── onelogin_assumed_another_user.yml │ │ │ └── onelogin_user_account_locked.yml │ │ ├── others_compliance │ │ ├── default_credentials_usage.yml │ │ ├── firewall_cleartext_protocols.yml │ │ ├── group_modification_logging.yml │ │ ├── host_without_firewall.yml │ │ ├── netflow_cleartext_protocols.yml │ │ └── workstation_was_locked.yml │ │ ├── others_macos │ │ ├── file_event │ │ │ ├── file_event_macos_emond_launch_daemon.yml │ │ │ └── file_event_macos_startup_items.yml │ │ └── process_creation │ │ │ ├── proc_creation_macos_applescript.yml │ │ │ ├── proc_creation_macos_base64_decode.yml │ │ │ ├── proc_creation_macos_binary_padding.yml │ │ │ ├── proc_creation_macos_change_file_time_attr.yml │ │ │ ├── proc_creation_macos_clear_system_logs.yml │ │ │ ├── proc_creation_macos_create_account.yml │ │ │ ├── proc_creation_macos_create_hidden_account.yml │ │ │ ├── proc_creation_macos_creds_from_keychain.yml │ │ │ ├── proc_creation_macos_disable_security_tools.yml │ │ │ ├── proc_creation_macos_file_and_directory_discovery.yml │ │ │ ├── proc_creation_macos_find_cred_in_files.yml │ │ │ ├── proc_creation_macos_gui_input_capture.yml │ │ │ ├── proc_creation_macos_local_account.yml │ │ │ ├── proc_creation_macos_local_groups.yml │ │ │ ├── proc_creation_macos_network_service_scanning.yml │ │ │ ├── proc_creation_macos_network_sniffing.yml │ │ │ ├── proc_creation_macos_remote_system_discovery.yml │ │ │ ├── proc_creation_macos_schedule_task_job_cron.yml │ │ │ ├── proc_creation_macos_screencapture.yml │ │ │ ├── proc_creation_macos_security_software_discovery.yml │ │ │ ├── proc_creation_macos_space_after_filename.yml │ │ │ ├── proc_creation_macos_split_file_into_pieces.yml │ │ │ ├── proc_creation_macos_susp_histfile_operations.yml │ │ │ ├── proc_creation_macos_susp_macos_firmware_activity.yml │ │ │ ├── proc_creation_macos_system_network_connections_discovery.yml │ │ │ ├── proc_creation_macos_system_network_discovery.yml │ │ │ ├── proc_creation_macos_system_shutdown_reboot.yml │ │ │ └── proc_creation_macos_xattr_gatekeeper_bypass.yml │ │ ├── others_proxy │ │ ├── proxy_apt40.yml │ │ ├── proxy_apt_domestic_kitten.yml │ │ ├── proxy_baby_shark.yml │ │ ├── proxy_chafer_malware.yml │ │ ├── proxy_cobalt_amazon.yml │ │ ├── proxy_cobalt_malformed_uas.yml │ │ ├── proxy_cobalt_ocsp.yml │ │ ├── proxy_cobalt_onedrive.yml │ │ ├── proxy_download_susp_dyndns.yml │ │ ├── proxy_download_susp_tlds_blacklist.yml │ │ ├── proxy_download_susp_tlds_whitelist.yml │ │ ├── proxy_downloadcradle_webdav.yml │ │ ├── proxy_empire_ua_uri_combos.yml │ │ ├── proxy_empty_ua.yml │ │ ├── proxy_ios_implant.yml │ │ ├── proxy_java_class_download.yml │ │ ├── proxy_powershell_ua.yml │ │ ├── proxy_pwndrop.yml │ │ ├── proxy_raw_paste_service_access.yml │ │ ├── proxy_susp_flash_download_loc.yml │ │ ├── proxy_telegram_api.yml │ │ ├── proxy_turla_comrat.yml │ │ ├── proxy_ua_apt.yml │ │ ├── proxy_ua_bitsadmin_susp_ip.yml │ │ ├── proxy_ua_bitsadmin_susp_tld.yml │ │ ├── proxy_ua_cryptominer.yml │ │ ├── proxy_ua_frameworks.yml │ │ ├── proxy_ua_hacktool.yml │ │ ├── proxy_ua_malware.yml │ │ ├── proxy_ua_susp.yml │ │ ├── proxy_ursnif_malware_c2_url.yml │ │ └── proxy_ursnif_malware_download_url.yml │ │ ├── others_web │ │ ├── web_apache_segfault.yml │ │ ├── web_apache_threading_error.yml │ │ ├── web_cve_2010_5278_exploitation_attempt.yml │ │ ├── web_cve_2018_13379_fortinet_preauth_read_exploit.yml │ │ ├── web_cve_2018_2894_weblogic_exploit.yml │ │ ├── web_cve_2019_11510_pulsesecure_exploit.yml │ │ ├── web_cve_2019_19781_citrix_exploit.yml │ │ ├── web_cve_2019_3398_confluence.yml │ │ ├── web_cve_2020_0688_exchange_exploit.yml │ │ ├── web_cve_2020_0688_msexchange.yml │ │ ├── web_cve_2020_10148_solarwinds_exploit.yml │ │ ├── web_cve_2020_14882_weblogic_exploit.yml │ │ ├── web_cve_2020_28188_terramaster_rce_exploit.yml │ │ ├── web_cve_2020_3452_cisco_asa_ftd.yml │ │ ├── web_cve_2020_5902_f5_bigip.yml │ │ ├── web_cve_2020_8193_8195_citrix_exploit.yml │ │ ├── web_cve_2021_20090_2021_20091_arcadyan_router_exploit.yml │ │ ├── web_cve_2021_2109_weblogic_rce_exploit.yml │ │ ├── web_cve_2021_21972_vsphere_unauth_rce_exploit.yml │ │ ├── web_cve_2021_21978_vmware_view_planner_exploit.yml │ │ ├── web_cve_2021_22005_vmware_file_upload.yml │ │ ├── web_cve_2021_22123_fortinet_exploit.yml │ │ ├── web_cve_2021_22893_pulse_secure_rce_exploit.yml │ │ ├── web_cve_2021_26814_wzuh_rce.yml │ │ ├── web_cve_2021_26858_iis_rce.yml │ │ ├── web_cve_2021_28480_exchange_exploit.yml │ │ ├── web_cve_2021_33766_msexchange_proxytoken.yml │ │ ├── web_cve_2021_40539_adselfservice.yml │ │ ├── web_cve_2021_40539_manageengine_adselfservice_exploit.yml │ │ ├── web_cve_2021_41773_apache_path_traversal.yml │ │ ├── web_cve_2021_42237_sitecore_report_ashx.yml │ │ ├── web_cve_2021_43798_grafana.yml │ │ ├── web_cve_2021_44228_log4j.yml │ │ ├── web_cve_2021_44228_log4j_fields.yml │ │ ├── web_exchange_exploitation_hafnium.yml │ │ ├── web_exchange_proxyshell.yml │ │ ├── web_exchange_proxyshell_successful.yml │ │ ├── web_iis_tilt_shortname_scan.yml │ │ ├── web_java_payload_in_access_logs.yml │ │ ├── web_jndi_exploit.yml │ │ ├── web_multiple_susp_resp_codes_single_source.yml │ │ ├── web_nginx_core_dump.yml │ │ ├── web_path_traversal_exploitation_attempt.yml │ │ ├── web_solarwinds_supernova_webshell.yml │ │ ├── web_sonicwall_jarrewrite_exploit.yml │ │ ├── web_source_code_enumeration.yml │ │ ├── web_sql_injection_in_access_logs.yml │ │ ├── web_ssti_in_access_logs.yml │ │ ├── web_susp_windows_path_uri.yml │ │ ├── web_unc2546_dewmode_php_webshell.yml │ │ ├── web_webshell_regeorg.yml │ │ ├── web_win_webshells_in_access_logs.yml │ │ └── web_xss_in_access_logs.yml │ │ ├── rule_categories.json │ │ ├── s3 │ │ └── aws_s3_data_management_tampering.yml │ │ ├── test_windows │ │ ├── dns_query_win_regsvr32_network_activity.yml │ │ ├── net_connection_win_regsvr32_network_activity.yml │ │ ├── proc_creation_win_susp_regsvr32_no_dll.yml │ │ ├── proc_creation_win_system_exe_anomaly.yml │ │ └── win_sample_rule.yml │ │ ├── waf │ │ ├── aws_waf │ │ │ └── aws_waf_web_susp_useragents.yml │ │ ├── web_cve_2023_25717_ruckus_wireless_admin_exploit_attempt.yml │ │ ├── web_sql_injection_in_access_logs.yml │ │ ├── web_susp_useragents.yml │ │ └── web_xss_in_access_logs.yml │ │ └── windows │ │ ├── builtin │ │ ├── application │ │ │ ├── win_audit_cve.yml │ │ │ ├── win_av_relevant_match.yml │ │ │ ├── win_builtin_remove_application.yml │ │ │ ├── win_software_atera_rmm_agent_install.yml │ │ │ ├── win_susp_backup_delete.yml │ │ │ ├── win_susp_msmpeng_crash.yml │ │ │ ├── win_vul_cve_2020_0688.yml │ │ │ └── win_vul_cve_2021_41379.yml │ │ ├── applocker │ │ │ └── win_applocker_file_was_not_allowed_to_run.yml │ │ ├── bits_client │ │ │ ├── win_bits_client_susp_domain.yml │ │ │ ├── win_bits_client_susp_local_file.yml │ │ │ ├── win_bits_client_susp_local_folder.yml │ │ │ ├── win_bits_client_susp_powershell_job.yml │ │ │ ├── win_bits_client_susp_use_bitsadmin.yml │ │ │ └── win_bits_client_uncommon_domain.yml │ │ ├── code_integrity │ │ │ └── win_codeintegrity_failed_driver_load.yml │ │ ├── dns_server │ │ │ ├── win_apt_gallium.yml │ │ │ └── win_susp_dns_config.yml │ │ ├── driverframeworks │ │ │ └── win_usb_device_plugged.yml │ │ ├── firewall_as │ │ │ ├── win_firewall_as_add_rule.yml │ │ │ ├── win_firewall_as_change_rule.yml │ │ │ ├── win_firewall_as_delete_rule.yml │ │ │ ├── win_firewall_as_failed.yml │ │ │ ├── win_firewall_as_reset.yml │ │ │ └── win_firewall_as_setting_change.yml │ │ ├── ldap │ │ │ └── win_ldap_recon.yml │ │ ├── msexchange │ │ │ ├── win_exchange_cve_2021_42321.yml │ │ │ ├── win_exchange_proxylogon_oabvirtualdir.yml │ │ │ ├── win_exchange_proxyshell_certificate_generation.yml │ │ │ ├── win_exchange_proxyshell_mailbox_export.yml │ │ │ ├── win_exchange_proxyshell_remove_mailbox_export.yml │ │ │ ├── win_exchange_transportagent.yml │ │ │ ├── win_exchange_transportagent_failed.yml │ │ │ └── win_set_oabvirtualdirectory_externalurl.yml │ │ ├── ntlm │ │ │ ├── win_susp_ntlm_auth.yml │ │ │ ├── win_susp_ntlm_brute_force.yml │ │ │ └── win_susp_ntlm_rdp.yml │ │ ├── printservice │ │ │ ├── win_exploit_cve_2021_1675_printspooler.yml │ │ │ └── win_exploit_cve_2021_1675_printspooler_operational.yml │ │ ├── security │ │ │ ├── win_aadhealth_mon_agent_regkey_access.yml │ │ │ ├── win_aadhealth_svc_agent_regkey_access.yml │ │ │ ├── win_account_backdoor_dcsync_rights.yml │ │ │ ├── win_account_discovery.yml │ │ │ ├── win_ad_object_writedac_access.yml │ │ │ ├── win_ad_replication_non_machine_account.yml │ │ │ ├── win_ad_user_enumeration.yml │ │ │ ├── win_adcs_certificate_template_configuration_vulnerability.yml │ │ │ ├── win_adcs_certificate_template_configuration_vulnerability_eku.yml │ │ │ ├── win_admin_rdp_login.yml │ │ │ ├── win_admin_share_access.yml │ │ │ ├── win_alert_active_directory_user_control.yml │ │ │ ├── win_alert_ad_user_backdoors.yml │ │ │ ├── win_alert_enable_weak_encryption.yml │ │ │ ├── win_alert_ruler.yml │ │ │ ├── win_apt_chafer_mar18_security.yml │ │ │ ├── win_apt_slingshot.yml │ │ │ ├── win_apt_wocao.yml │ │ │ ├── win_atsvc_task.yml │ │ │ ├── win_camera_microphone_access.yml │ │ │ ├── win_dce_rpc_smb_spoolss_named_pipe.yml │ │ │ ├── win_dcom_iertutil_dll_hijack.yml │ │ │ ├── win_dcsync.yml │ │ │ ├── win_defender_bypass.yml │ │ │ ├── win_disable_event_logging.yml │ │ │ ├── win_dpapi_domain_backupkey_extraction.yml │ │ │ ├── win_dpapi_domain_masterkey_backup_attempt.yml │ │ │ ├── win_etw_modification.yml │ │ │ ├── win_event_log_cleared.yml │ │ │ ├── win_exploit_cve_2021_1675_printspooler_security.yml │ │ │ ├── win_external_device.yml │ │ │ ├── win_global_catalog_enumeration.yml │ │ │ ├── win_gpo_scheduledtasks.yml │ │ │ ├── win_hidden_user_creation.yml │ │ │ ├── win_hybridconnectionmgr_svc_installation.yml │ │ │ ├── win_impacket_psexec.yml │ │ │ ├── win_impacket_secretdump.yml │ │ │ ├── win_invoke_obfuscation_clip_services_security.yml │ │ │ ├── win_invoke_obfuscation_obfuscated_iex_services_security.yml │ │ │ ├── win_invoke_obfuscation_stdin_services_security.yml │ │ │ ├── win_invoke_obfuscation_var_services_security.yml │ │ │ ├── win_invoke_obfuscation_via_compress_services_security.yml │ │ │ ├── win_invoke_obfuscation_via_rundll_services_security.yml │ │ │ ├── win_invoke_obfuscation_via_stdin_services_security.yml │ │ │ ├── win_invoke_obfuscation_via_use_clip_services_security.yml │ │ │ ├── win_invoke_obfuscation_via_use_mshta_services_security.yml │ │ │ ├── win_invoke_obfuscation_via_use_rundll32_services_security.yml │ │ │ ├── win_invoke_obfuscation_via_var_services_security.yml │ │ │ ├── win_iso_mount.yml │ │ │ ├── win_lm_namedpipe.yml │ │ │ ├── win_lolbas_execution_of_nltest.yml │ │ │ ├── win_lsass_access_non_system_account.yml │ │ │ ├── win_mal_wceaux_dll.yml │ │ │ ├── win_metasploit_authentication.yml │ │ │ ├── win_net_ntlm_downgrade.yml │ │ │ ├── win_net_share_obj_susp_desktop_ini.yml │ │ │ ├── win_new_or_renamed_user_account_with_dollar_sign.yml │ │ │ ├── win_not_allowed_rdp_access.yml │ │ │ ├── win_overpass_the_hash.yml │ │ │ ├── win_pass_the_hash.yml │ │ │ ├── win_pass_the_hash_2.yml │ │ │ ├── win_petitpotam_network_share.yml │ │ │ ├── win_petitpotam_susp_tgt_request.yml │ │ │ ├── win_possible_dc_shadow.yml │ │ │ ├── win_privesc_cve_2020_1472.yml │ │ │ ├── win_protected_storage_service_access.yml │ │ │ ├── win_rare_schtasks_creations.yml │ │ │ ├── win_rdp_bluekeep_poc_scanner.yml │ │ │ ├── win_rdp_localhost_login.yml │ │ │ ├── win_rdp_reverse_tunnel.yml │ │ │ ├── win_register_new_logon_process_by_rubeus.yml │ │ │ ├── win_remote_powershell_session.yml │ │ │ ├── win_remote_registry_management_using_reg_utility.yml │ │ │ ├── win_sam_registry_hive_handle_request.yml │ │ │ ├── win_samaccountname_spoofing_cve_2021_42287.yml │ │ │ ├── win_scheduled_task_deletion.yml │ │ │ ├── win_scm_database_handle_failure.yml │ │ │ ├── win_scm_database_privileged_operation.yml │ │ │ ├── win_scrcons_remote_wmi_scripteventconsumer.yml │ │ │ ├── win_security_cobaltstrike_service_installs.yml │ │ │ ├── win_security_mal_creddumper.yml │ │ │ ├── win_security_mal_service_installs.yml │ │ │ ├── win_security_metasploit_or_impacket_smb_psexec_service_install.yml │ │ │ ├── win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml │ │ │ ├── win_security_powershell_script_installed_as_service.yml │ │ │ ├── win_security_tap_driver_installation.yml │ │ │ ├── win_security_wmi_persistence.yml │ │ │ ├── win_smb_file_creation_admin_shares.yml │ │ │ ├── win_susp_add_domain_trust.yml │ │ │ ├── win_susp_add_sid_history.yml │ │ │ ├── win_susp_codeintegrity_check_failure.yml │ │ │ ├── win_susp_dsrm_password_change.yml │ │ │ ├── win_susp_eventlog_cleared.yml │ │ │ ├── win_susp_failed_logon_reasons.yml │ │ │ ├── win_susp_failed_logon_source.yml │ │ │ ├── win_susp_failed_logons_explicit_credentials.yml │ │ │ ├── win_susp_failed_logons_single_process.yml │ │ │ ├── win_susp_failed_logons_single_source.yml │ │ │ ├── win_susp_failed_logons_single_source2.yml │ │ │ ├── win_susp_failed_logons_single_source_kerberos.yml │ │ │ ├── win_susp_failed_logons_single_source_kerberos2.yml │ │ │ ├── win_susp_failed_logons_single_source_kerberos3.yml │ │ │ ├── win_susp_failed_logons_single_source_ntlm.yml │ │ │ ├── win_susp_failed_logons_single_source_ntlm2.yml │ │ │ ├── win_susp_failed_remote_logons_single_source.yml │ │ │ ├── win_susp_interactive_logons.yml │ │ │ ├── win_susp_kerberos_manipulation.yml │ │ │ ├── win_susp_krbrelayup.yml │ │ │ ├── win_susp_ldap_dataexchange.yml │ │ │ ├── win_susp_local_anon_logon_created.yml │ │ │ ├── win_susp_logon_explicit_credentials.yml │ │ │ ├── win_susp_lsass_dump.yml │ │ │ ├── win_susp_lsass_dump_generic.yml │ │ │ ├── win_susp_multiple_files_renamed_or_deleted.yml │ │ │ ├── win_susp_net_recon_activity.yml │ │ │ ├── win_susp_opened_encrypted_zip.yml │ │ │ ├── win_susp_opened_encrypted_zip_filename.yml │ │ │ ├── win_susp_opened_encrypted_zip_outlook.yml │ │ │ ├── win_susp_outbound_kerberos_connection.yml │ │ │ ├── win_susp_psexec.yml │ │ │ ├── win_susp_raccess_sensitive_fext.yml │ │ │ ├── win_susp_rc4_kerberos.yml │ │ │ ├── win_susp_rottenpotato.yml │ │ │ ├── win_susp_samr_pwset.yml │ │ │ ├── win_susp_sdelete.yml │ │ │ ├── win_susp_time_modification.yml │ │ │ ├── win_susp_wmi_login.yml │ │ │ ├── win_svcctl_remote_service.yml │ │ │ ├── win_syskey_registry_access.yml │ │ │ ├── win_sysmon_channel_reference_deletion.yml │ │ │ ├── win_transferring_files_with_credential_data_via_network_shares.yml │ │ │ ├── win_user_added_to_local_administrators.yml │ │ │ ├── win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml │ │ │ ├── win_user_creation.yml │ │ │ ├── win_user_driver_loaded.yml │ │ │ ├── win_vssaudit_secevent_source_registration.yml │ │ │ └── win_wmiprvse_wbemcomn_dll_hijack.yml │ │ ├── servicebus │ │ │ └── win_hybridconnectionmgr_svc_running.yml │ │ ├── smbclient │ │ │ └── win_susp_failed_guest_logon.yml │ │ ├── system │ │ │ ├── win_apt_carbonpaper_turla.yml │ │ │ ├── win_apt_chafer_mar18_system.yml │ │ │ ├── win_apt_stonedrill.yml │ │ │ ├── win_apt_turla_service_png.yml │ │ │ ├── win_cobaltstrike_service_installs.yml │ │ │ ├── win_eventlog_cleared.yml │ │ │ ├── win_hack_smbexec.yml │ │ │ ├── win_invoke_obfuscation_clip_services.yml │ │ │ ├── win_invoke_obfuscation_obfuscated_iex_services.yml │ │ │ ├── win_invoke_obfuscation_stdin_services.yml │ │ │ ├── win_invoke_obfuscation_var_services.yml │ │ │ ├── win_invoke_obfuscation_via_compress_services.yml │ │ │ ├── win_invoke_obfuscation_via_rundll_services.yml │ │ │ ├── win_invoke_obfuscation_via_stdin_services.yml │ │ │ ├── win_invoke_obfuscation_via_use_clip_services.yml │ │ │ ├── win_invoke_obfuscation_via_use_mshta_services.yml │ │ │ ├── win_invoke_obfuscation_via_use_rundll32_services.yml │ │ │ ├── win_invoke_obfuscation_via_var_services.yml │ │ │ ├── win_lsasrv_ntlmv1.yml │ │ │ ├── win_mal_creddumper.yml │ │ │ ├── win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml │ │ │ ├── win_moriya_rootkit.yml │ │ │ ├── win_ntfs_vuln_exploit.yml │ │ │ ├── win_pcap_drivers.yml │ │ │ ├── win_possible_zerologon_exploitation_using_wellknown_tools.yml │ │ │ ├── win_powershell_script_installed_as_service.yml │ │ │ ├── win_quarkspwdump_clearing_hive_access_history.yml │ │ │ ├── win_rare_service_installs.yml │ │ │ ├── win_rdp_potential_cve_2019_0708.yml │ │ │ ├── win_sample_rule.yml │ │ │ ├── win_security_krbrelayup_service_installation.yml │ │ │ ├── win_service_hacktools.yml │ │ │ ├── win_service_install_susp_double_ampersand.yml │ │ │ ├── win_susp_dhcp_config.yml │ │ │ ├── win_susp_dhcp_config_failed.yml │ │ │ ├── win_susp_proceshacker.yml │ │ │ ├── win_susp_sam_dump.yml │ │ │ ├── win_susp_service_installation.yml │ │ │ ├── win_susp_service_installation_folder.yml │ │ │ ├── win_susp_service_installation_folder_pattern.yml │ │ │ ├── win_susp_service_installation_script.yml │ │ │ ├── win_susp_system_update_error.yml │ │ │ ├── win_system_application_sysmon_crash.yml │ │ │ ├── win_system_defender_disabled.yml │ │ │ ├── win_system_susp_eventlog_cleared.yml │ │ │ ├── win_tap_driver_installation.yml │ │ │ ├── win_tool_psexec.yml │ │ │ ├── win_volume_shadow_copy_mount.yml │ │ │ ├── win_vul_cve_2020_1472.yml │ │ │ └── win_vul_cve_2021_42278_or_cve_2021_42287.yml │ │ ├── taskscheduler │ │ │ └── win_rare_schtask_creation.yml │ │ ├── terminalservices │ │ │ └── win_terminalservices_rdp_ngrok.yml │ │ ├── win_alert_mimikatz_keywords.yml │ │ ├── win_susp_logon_newcredentials.yml │ │ ├── windefend │ │ │ ├── win_alert_lsass_access.yml │ │ │ ├── win_defender_amsi_trigger.yml │ │ │ ├── win_defender_disabled.yml │ │ │ ├── win_defender_exclusions.yml │ │ │ ├── win_defender_history_delete.yml │ │ │ ├── win_defender_psexec_wmi_asr.yml │ │ │ ├── win_defender_tamper_protection_trigger.yml │ │ │ └── win_defender_threat.yml │ │ └── wmi │ │ │ └── win_wmi_persistence.yml │ │ ├── create_remote_thread │ │ ├── create_remote_thread_win_susp_targets.yml │ │ ├── create_remote_thread_win_ttdinjec.yml │ │ ├── sysmon_cactustorch.yml │ │ ├── sysmon_cobaltstrike_process_injection.yml │ │ ├── sysmon_createremotethread_loadlibrary.yml │ │ ├── sysmon_password_dumper_keepass.yml │ │ ├── sysmon_password_dumper_lsass.yml │ │ ├── sysmon_powershell_code_injection.yml │ │ ├── sysmon_susp_powershell_rundll32.yml │ │ └── sysmon_susp_remote_thread.yml │ │ ├── create_stream_hash │ │ ├── sysmon_ads_executable.yml │ │ └── sysmon_regedit_export_to_ads.yml │ │ ├── dns_query │ │ ├── dns_query_win_ammyy.yml │ │ ├── dns_query_win_gotoopener.yml │ │ ├── dns_query_win_hybridconnectionmgr_servicebus.yml │ │ ├── dns_query_win_lobas_appinstaller.yml │ │ ├── dns_query_win_logmein.yml │ │ ├── dns_query_win_mal_cobaltstrike.yml │ │ ├── dns_query_win_mega_nz.yml │ │ ├── dns_query_win_possible_dns_rebinding.yml │ │ ├── dns_query_win_regsvr32_network_activity.yml │ │ ├── dns_query_win_susp_ipify.yml │ │ ├── dns_query_win_susp_teamviewer.yml │ │ ├── dns_query_win_tor_onion.yml │ │ └── dns_query_win_ufile_io.yml │ │ ├── driver_load │ │ ├── driver_load_mal_creddumper.yml │ │ ├── driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml │ │ ├── driver_load_powershell_script_installed_as_service.yml │ │ ├── driver_load_susp_temp_use.yml │ │ ├── driver_load_vuln_dell_driver.yml │ │ └── driver_load_windivert.yml │ │ ├── file_access │ │ └── file_access_win_browser_credential_stealing.yml │ │ ├── file_delete │ │ ├── file_delete_win_cve_2021_1675_printspooler_del.yml │ │ ├── file_delete_win_delete_appli_log.yml │ │ ├── file_delete_win_delete_backup_file.yml │ │ ├── file_delete_win_delete_prefetch.yml │ │ └── file_delete_win_sysinternals_sdelete_file_deletion.yml │ │ ├── file_event │ │ ├── file_event_win_access_susp_unattend_xml.yml │ │ ├── file_event_win_advanced_ip_scanner.yml │ │ ├── file_event_win_anydesk_artefact.yml │ │ ├── file_event_win_apt_unidentified_nov_18.yml │ │ ├── file_event_win_crackmapexec_patterns.yml │ │ ├── file_event_win_creation_new_shim_database.yml │ │ ├── file_event_win_creation_scr_binary_file.yml │ │ ├── file_event_win_creation_system_file.yml │ │ ├── file_event_win_creation_unquoted_service_path.yml │ │ ├── file_event_win_cred_dump_tools_dropped_files.yml │ │ ├── file_event_win_csharp_compile_artefact.yml │ │ ├── file_event_win_cve_2021_1675_printspooler.yml │ │ ├── file_event_win_cve_2021_26858_msexchange.yml │ │ ├── file_event_win_cve_2021_31979_cve_2021_33771_exploits.yml │ │ ├── file_event_win_cve_2021_41379_msi_lpe.yml │ │ ├── file_event_win_cve_2021_44077_poc_default_files.yml │ │ ├── file_event_win_cve_2022_24527_lpe.yml │ │ ├── file_event_win_detect_powerup_dllhijacking.yml │ │ ├── file_event_win_ghostpack_safetykatz.yml │ │ ├── file_event_win_gotoopener_artefact.yml │ │ ├── file_event_win_hack_dumpert.yml │ │ ├── file_event_win_hivenightmare_file_exports.yml │ │ ├── file_event_win_hktl_nppspy.yml │ │ ├── file_event_win_install_teamviewer_desktop.yml │ │ ├── file_event_win_iso_file_recent.yml │ │ ├── file_event_win_lsass_dump.yml │ │ ├── file_event_win_lsass_memory_dump_file_creation.yml │ │ ├── file_event_win_lsass_werfault_dump.yml │ │ ├── file_event_win_macro_file.yml │ │ ├── file_event_win_mal_adwind.yml │ │ ├── file_event_win_mal_octopus_scanner.yml │ │ ├── file_event_win_mal_vhd_download.yml │ │ ├── file_event_win_mimikatz_kirbi_file_creation.yml │ │ ├── file_event_win_mimimaktz_memssp_log_file.yml │ │ ├── file_event_win_moriya_rootkit.yml │ │ ├── file_event_win_new_src_file.yml │ │ ├── file_event_win_notepad_plus_plus_persistence.yml │ │ ├── file_event_win_ntds_dit.yml │ │ ├── file_event_win_ntds_exfil_tools.yml │ │ ├── file_event_win_office_persistence.yml │ │ ├── file_event_win_outlook_c2_macro_creation.yml │ │ ├── file_event_win_outlook_newform.yml │ │ ├── file_event_win_pcre_net_temp_file.yml │ │ ├── file_event_win_pingback_backdoor.yml │ │ ├── file_event_win_powershell_exploit_scripts.yml │ │ ├── file_event_win_powershell_startup_shortcuts.yml │ │ ├── file_event_win_quarkspw_filedump.yml │ │ ├── file_event_win_rclone_exec_file.yml │ │ ├── file_event_win_redmimicry_winnti_filedrop.yml │ │ ├── file_event_win_sam_dump.yml │ │ ├── file_event_win_screenconnect_artefact.yml │ │ ├── file_event_win_script_creation_by_office_using_file_ext.yml │ │ ├── file_event_win_startup_folder_file_write.yml │ │ ├── file_event_win_susp_adsi_cache_usage.yml │ │ ├── file_event_win_susp_clr_logs.yml │ │ ├── file_event_win_susp_colorcpl.yml │ │ ├── file_event_win_susp_creation_by_mobsync.yml │ │ ├── file_event_win_susp_default_gpo_dir_write.yml │ │ ├── file_event_win_susp_desktop_ini.yml │ │ ├── file_event_win_susp_desktop_txt.yml │ │ ├── file_event_win_susp_desktopimgdownldr_file.yml │ │ ├── file_event_win_susp_diagcab.yml │ │ ├── file_event_win_susp_dropper.yml │ │ ├── file_event_win_susp_exchange_aspx_write.yml │ │ ├── file_event_win_susp_get_variable.yml │ │ ├── file_event_win_susp_ntds_dit.yml │ │ ├── file_event_win_susp_pfx_file_creation.yml │ │ ├── file_event_win_susp_powershell_profile_create.yml │ │ ├── file_event_win_susp_procexplorer_driver_created_in_tmp_folder.yml │ │ ├── file_event_win_susp_system_interactive_powershell.yml │ │ ├── file_event_win_susp_task_write.yml │ │ ├── file_event_win_susp_teamviewer_remote_session.yml │ │ ├── file_event_win_susp_winword_startup.yml │ │ ├── file_event_win_tool_psexec.yml │ │ ├── file_event_win_tsclient_filewrite_startup.yml │ │ ├── file_event_win_uac_bypass_consent_comctl32.yml │ │ ├── file_event_win_uac_bypass_dotnet_profiler.yml │ │ ├── file_event_win_uac_bypass_eventvwr.yml │ │ ├── file_event_win_uac_bypass_idiagnostic_profile.yml │ │ ├── file_event_win_uac_bypass_ieinstal.yml │ │ ├── file_event_win_uac_bypass_msconfig_gui.yml │ │ ├── file_event_win_uac_bypass_ntfs_reparse_point.yml │ │ ├── file_event_win_uac_bypass_winsat.yml │ │ ├── file_event_win_uac_bypass_wmp.yml │ │ ├── file_event_win_webshell_creation_detect.yml │ │ ├── file_event_win_werfault_dll_hijacking.yml │ │ ├── file_event_win_win_cscript_wscript_dropper.yml │ │ ├── file_event_win_win_shell_write_susp_directory.yml │ │ ├── file_event_win_winrm_awl_bypass.yml │ │ ├── file_event_win_winword_cve_2021_40444.yml │ │ ├── file_event_win_wmi_persistence_script_event_consumer_write.yml │ │ ├── file_event_win_wmiprvse_wbemcomn_dll_hijack.yml │ │ ├── file_event_win_word_template_creation.yml │ │ └── file_event_win_writing_local_admin_share.yml │ │ ├── file_rename │ │ └── file_rename_win_not_dll_to_dll.yml │ │ ├── image_load │ │ ├── image_load_abusing_azure_browser_sso.yml │ │ ├── image_load_alternate_powershell_hosts_moduleload.yml │ │ ├── image_load_foggyweb_nobelium.yml │ │ ├── image_load_in_memory_powershell.yml │ │ ├── image_load_mimikatz_inmemory_detection.yml │ │ ├── image_load_msdt_sdiageng.yml │ │ ├── image_load_pcre_net_load.yml │ │ ├── image_load_pingback_backdoor.yml │ │ ├── image_load_scrcons_imageload_wmi_scripteventconsumer.yml │ │ ├── image_load_silenttrinity_stage_use.yml │ │ ├── image_load_spoolsv_dll_load.yml │ │ ├── image_load_susp_advapi32_dll.yml │ │ ├── image_load_susp_dbghelp_dbgcore_load.yml │ │ ├── image_load_susp_fax_dll.yml │ │ ├── image_load_susp_image_load.yml │ │ ├── image_load_susp_office_dotnet_assembly_dll_load.yml │ │ ├── image_load_susp_office_dotnet_clr_dll_load.yml │ │ ├── image_load_susp_office_dotnet_gac_dll_load.yml │ │ ├── image_load_susp_office_dsparse_dll_load.yml │ │ ├── image_load_susp_office_kerberos_dll_load.yml │ │ ├── image_load_susp_python_image_load.yml │ │ ├── image_load_susp_script_dotnet_clr_dll_load.yml │ │ ├── image_load_susp_system_drawing_load.yml │ │ ├── image_load_susp_vss_ps_load.yml │ │ ├── image_load_susp_winword_vbadll_load.yml │ │ ├── image_load_svchost_dll_search_order_hijack.yml │ │ ├── image_load_tttracer_mod_load.yml │ │ ├── image_load_uac_bypass_via_dism.yml │ │ ├── image_load_uipromptforcreds_dlls.yml │ │ ├── image_load_unsigned_image_loaded_into_lsass.yml │ │ ├── image_load_usp_svchost_clfsw32.yml │ │ ├── image_load_wmi_module_load.yml │ │ ├── image_load_wmi_persistence_commandline_event_consumer.yml │ │ ├── image_load_wmic_remote_xsl_scripting_dlls.yml │ │ ├── image_load_wmiprvse_wbemcomn_dll_hijack.yml │ │ └── image_load_wsman_provider_image_load.yml │ │ ├── network_connection │ │ ├── net_connection_susp_win_binary_no_cmdline.yml │ │ ├── net_connection_win_binary_github_com.yml │ │ ├── net_connection_win_binary_susp_com.yml │ │ ├── net_connection_win_crypto_mining.yml │ │ ├── net_connection_win_dllhost_net_connections.yml │ │ ├── net_connection_win_eqnedt.yml │ │ ├── net_connection_win_excel_outbound_network_connection.yml │ │ ├── net_connection_win_imewdbld.yml │ │ ├── net_connection_win_malware_backconnect_ports.yml │ │ ├── net_connection_win_mega_nz.yml │ │ ├── net_connection_win_msiexec.yml │ │ ├── net_connection_win_notepad_network_connection.yml │ │ ├── net_connection_win_powershell_network_connection.yml │ │ ├── net_connection_win_python.yml │ │ ├── net_connection_win_rdp_reverse_tunnel.yml │ │ ├── net_connection_win_rdp_to_http.yml │ │ ├── net_connection_win_regsvr32_network_activity.yml │ │ ├── net_connection_win_remote_powershell_session_network.yml │ │ ├── net_connection_win_rundll32_net_connections.yml │ │ ├── net_connection_win_silenttrinity_stager_msbuild_activity.yml │ │ ├── net_connection_win_susp_dropbox_api.yml │ │ ├── net_connection_win_susp_outbound_kerberos_connection.yml │ │ ├── net_connection_win_susp_outbound_mobsync_connection.yml │ │ ├── net_connection_win_susp_outbound_smtp_connections.yml │ │ ├── net_connection_win_susp_prog_location_network_connection.yml │ │ ├── net_connection_win_susp_rdp.yml │ │ └── net_connection_win_wuauclt_network_connection.yml │ │ ├── pipe_created │ │ ├── pipe_created_alternate_powershell_hosts_pipe.yml │ │ ├── pipe_created_apt_turla_namedpipes.yml │ │ ├── pipe_created_cred_dump_tools_named_pipes.yml │ │ ├── pipe_created_efspotato_namedpipe.yml │ │ ├── pipe_created_mal_cobaltstrike.yml │ │ ├── pipe_created_mal_cobaltstrike_re.yml │ │ ├── pipe_created_mal_namedpipes.yml │ │ ├── pipe_created_powershell_execution_pipe.yml │ │ ├── pipe_created_psexec_pipes_artifacts.yml │ │ ├── pipe_created_susp_adfs_namedpipe_connection.yml │ │ ├── pipe_created_susp_cobaltstrike_pipe_patterns.yml │ │ ├── pipe_created_susp_wmi_consumer_namedpipe.yml │ │ └── pipe_created_tool_psexec.yml │ │ ├── powershell │ │ ├── powershell_classic │ │ │ ├── posh_pc_alternate_powershell_hosts.yml │ │ │ ├── posh_pc_delete_volume_shadow_copies.yml │ │ │ ├── posh_pc_downgrade_attack.yml │ │ │ ├── posh_pc_exe_calling_ps.yml │ │ │ ├── posh_pc_powercat.yml │ │ │ ├── posh_pc_remote_powershell_session.yml │ │ │ ├── posh_pc_renamed_powershell.yml │ │ │ ├── posh_pc_susp_athremotefxvgpudisablementcommand.yml │ │ │ ├── posh_pc_susp_download.yml │ │ │ ├── posh_pc_susp_get_nettcpconnection.yml │ │ │ ├── posh_pc_susp_zip_compress.yml │ │ │ ├── posh_pc_tamper_with_windows_defender.yml │ │ │ ├── posh_pc_wsman_com_provider_no_powershell.yml │ │ │ └── posh_pc_xor_commandline.yml │ │ ├── powershell_module │ │ │ ├── posh_pm_alternate_powershell_hosts.yml │ │ │ ├── posh_pm_bad_opsec_artifacts.yml │ │ │ ├── posh_pm_clear_powershell_history.yml │ │ │ ├── posh_pm_decompress_commands.yml │ │ │ ├── posh_pm_get_addbaccount.yml │ │ │ ├── posh_pm_get_clipboard.yml │ │ │ ├── posh_pm_invoke_obfuscation_clip.yml │ │ │ ├── posh_pm_invoke_obfuscation_obfuscated_iex.yml │ │ │ ├── posh_pm_invoke_obfuscation_stdin.yml │ │ │ ├── posh_pm_invoke_obfuscation_var.yml │ │ │ ├── posh_pm_invoke_obfuscation_via_compress.yml │ │ │ ├── posh_pm_invoke_obfuscation_via_rundll.yml │ │ │ ├── posh_pm_invoke_obfuscation_via_stdin.yml │ │ │ ├── posh_pm_invoke_obfuscation_via_use_clip.yml │ │ │ ├── posh_pm_invoke_obfuscation_via_use_mhsta.yml │ │ │ ├── posh_pm_invoke_obfuscation_via_use_rundll32.yml │ │ │ ├── posh_pm_invoke_obfuscation_via_var.yml │ │ │ ├── posh_pm_powercat.yml │ │ │ ├── posh_pm_remote_powershell_session.yml │ │ │ ├── posh_pm_susp_ad_group_reco.yml │ │ │ ├── posh_pm_susp_athremotefxvgpudisablementcommand.yml │ │ │ ├── posh_pm_susp_download.yml │ │ │ ├── posh_pm_susp_get_nettcpconnection.yml │ │ │ ├── posh_pm_susp_invocation_generic.yml │ │ │ ├── posh_pm_susp_invocation_specific.yml │ │ │ ├── posh_pm_susp_local_group_reco.yml │ │ │ ├── posh_pm_susp_reset_computermachinepassword.yml │ │ │ ├── posh_pm_susp_smb_share_reco.yml │ │ │ ├── posh_pm_susp_zip_compress.yml │ │ │ └── posh_pm_syncappvpublishingserver_exe.yml │ │ └── powershell_script │ │ │ ├── posh_ps_access_to_browser_login_data.yml │ │ │ ├── posh_ps_accessing_win_api.yml │ │ │ ├── posh_ps_adrecon_execution.yml │ │ │ ├── posh_ps_as_rep_roasting.yml │ │ │ ├── posh_ps_automated_collection.yml │ │ │ ├── posh_ps_azurehound_commands.yml │ │ │ ├── posh_ps_capture_screenshots.yml │ │ │ ├── posh_ps_cl_invocation_lolscript.yml │ │ │ ├── posh_ps_cl_invocation_lolscript_count.yml │ │ │ ├── posh_ps_cl_mutexverifiers_lolscript.yml │ │ │ ├── posh_ps_cl_mutexverifiers_lolscript_count.yml │ │ │ ├── posh_ps_clear_powershell_history.yml │ │ │ ├── posh_ps_clearing_windows_console_history.yml │ │ │ ├── posh_ps_cmdlet_scheduled_task.yml │ │ │ ├── posh_ps_copy_item_system32.yml │ │ │ ├── posh_ps_cor_profiler.yml │ │ │ ├── posh_ps_create_local_user.yml │ │ │ ├── posh_ps_create_volume_shadow_copy.yml │ │ │ ├── posh_ps_data_compressed.yml │ │ │ ├── posh_ps_detect_vm_env.yml │ │ │ ├── posh_ps_directorysearcher.yml │ │ │ ├── posh_ps_directoryservices_accountmanagement.yml │ │ │ ├── posh_ps_dnscat_execution.yml │ │ │ ├── posh_ps_dump_password_windows_credential_manager.yml │ │ │ ├── posh_ps_enable_psremoting.yml │ │ │ ├── posh_ps_enumerate_password_windows_credential_manager.yml │ │ │ ├── posh_ps_etw_trace_evasion.yml │ │ │ ├── posh_ps_file_and_directory_discovery.yml │ │ │ ├── posh_ps_get_acl_service.yml │ │ │ ├── posh_ps_get_adreplaccount.yml │ │ │ ├── posh_ps_get_childitem_bookmarks.yml │ │ │ ├── posh_ps_hotfix_enum.yml │ │ │ ├── posh_ps_icmp_exfiltration.yml │ │ │ ├── posh_ps_invoke_command_remote.yml │ │ │ ├── posh_ps_invoke_dnsexfiltration.yml │ │ │ ├── posh_ps_invoke_nightmare.yml │ │ │ ├── posh_ps_invoke_obfuscation_clip.yml │ │ │ ├── posh_ps_invoke_obfuscation_obfuscated_iex.yml │ │ │ ├── posh_ps_invoke_obfuscation_stdin.yml │ │ │ ├── posh_ps_invoke_obfuscation_var.yml │ │ │ ├── posh_ps_invoke_obfuscation_via_compress.yml │ │ │ ├── posh_ps_invoke_obfuscation_via_rundll.yml │ │ │ ├── posh_ps_invoke_obfuscation_via_stdin.yml │ │ │ ├── posh_ps_invoke_obfuscation_via_use_clip.yml │ │ │ ├── posh_ps_invoke_obfuscation_via_use_mhsta.yml │ │ │ ├── posh_ps_invoke_obfuscation_via_use_rundll32.yml │ │ │ ├── posh_ps_invoke_obfuscation_via_var.yml │ │ │ ├── posh_ps_keylogging.yml │ │ │ ├── posh_ps_localuser.yml │ │ │ ├── posh_ps_malicious_commandlets.yml │ │ │ ├── posh_ps_malicious_keywords.yml │ │ │ ├── posh_ps_memorydump_getstoragediagnosticinfo.yml │ │ │ ├── posh_ps_msxml_com.yml │ │ │ ├── posh_ps_nishang_malicious_commandlets.yml │ │ │ ├── posh_ps_ntfs_ads_access.yml │ │ │ ├── posh_ps_office_comobject_registerxll.yml │ │ │ ├── posh_ps_powerview_malicious_commandlets.yml │ │ │ ├── posh_ps_prompt_credentials.yml │ │ │ ├── posh_ps_psattack.yml │ │ │ ├── posh_ps_remote_session_creation.yml │ │ │ ├── posh_ps_remove_item_path.yml │ │ │ ├── posh_ps_request_kerberos_ticket.yml │ │ │ ├── posh_ps_root_certificate_installed.yml │ │ │ ├── posh_ps_run_from_mount_diskimage.yml │ │ │ ├── posh_ps_security_software_discovery.yml │ │ │ ├── posh_ps_send_mailmessage.yml │ │ │ ├── posh_ps_set_policies_to_unsecure_level.yml │ │ │ ├── posh_ps_shellcode_b64.yml │ │ │ ├── posh_ps_shellintel_malicious_commandlets.yml │ │ │ ├── posh_ps_software_discovery.yml │ │ │ ├── posh_ps_store_file_in_alternate_data_stream.yml │ │ │ ├── posh_ps_susp_ad_group_reco.yml │ │ │ ├── posh_ps_susp_directory_enum.yml │ │ │ ├── posh_ps_susp_download.yml │ │ │ ├── posh_ps_susp_execute_batch_script.yml │ │ │ ├── posh_ps_susp_export_pfxcertificate.yml │ │ │ ├── posh_ps_susp_extracting.yml │ │ │ ├── posh_ps_susp_follina_execution.yml │ │ │ ├── posh_ps_susp_get_adcomputer.yml │ │ │ ├── posh_ps_susp_get_addefaultdomainpasswordpolicy.yml │ │ │ ├── posh_ps_susp_get_adgroup.yml │ │ │ ├── posh_ps_susp_get_current_user.yml │ │ │ ├── posh_ps_susp_get_gpo.yml │ │ │ ├── posh_ps_susp_get_process.yml │ │ │ ├── posh_ps_susp_getprocess_lsass.yml │ │ │ ├── posh_ps_susp_gettypefromclsid.yml │ │ │ ├── posh_ps_susp_gwmi.yml │ │ │ ├── posh_ps_susp_hyper_v_condlet.yml │ │ │ ├── posh_ps_susp_invocation_generic.yml │ │ │ ├── posh_ps_susp_invocation_specific.yml │ │ │ ├── posh_ps_susp_invoke_webrequest_useragent.yml │ │ │ ├── posh_ps_susp_iofilestream.yml │ │ │ ├── posh_ps_susp_keywords.yml │ │ │ ├── posh_ps_susp_local_group_reco.yml │ │ │ ├── posh_ps_susp_mail_acces.yml │ │ │ ├── posh_ps_susp_mount_diskimage.yml │ │ │ ├── posh_ps_susp_mounted_share_deletion.yml │ │ │ ├── posh_ps_susp_networkcredential.yml │ │ │ ├── posh_ps_susp_new_psdrive.yml │ │ │ ├── posh_ps_susp_recon_export.yml │ │ │ ├── posh_ps_susp_remove_adgroupmember.yml │ │ │ ├── posh_ps_susp_smb_share_reco.yml │ │ │ ├── posh_ps_susp_ssl_keyword.yml │ │ │ ├── posh_ps_susp_start_process.yml │ │ │ ├── posh_ps_susp_unblock_file.yml │ │ │ ├── posh_ps_susp_wallpaper.yml │ │ │ ├── posh_ps_susp_win32_pnpentity.yml │ │ │ ├── posh_ps_susp_win32_shadowcopy.yml │ │ │ ├── posh_ps_susp_windowstyle.yml │ │ │ ├── posh_ps_susp_zip_compress.yml │ │ │ ├── posh_ps_syncappvpublishingserver_exe.yml │ │ │ ├── posh_ps_tamper_defender.yml │ │ │ ├── posh_ps_test_netconnection.yml │ │ │ ├── posh_ps_timestomp.yml │ │ │ ├── posh_ps_trigger_profiles.yml │ │ │ ├── posh_ps_upload.yml │ │ │ ├── posh_ps_web_request.yml │ │ │ ├── posh_ps_win32_product_install_msi.yml │ │ │ ├── posh_ps_windows_firewall_profile_disabled.yml │ │ │ ├── posh_ps_winlogon_helper_dll.yml │ │ │ ├── posh_ps_wmi_persistence.yml │ │ │ ├── posh_ps_wmimplant.yml │ │ │ └── posh_ps_xml_iex.yml │ │ ├── process_access │ │ ├── proc_access_win_cmstp_execution_by_access.yml │ │ ├── proc_access_win_cobaltstrike_bof_injection_pattern.yml │ │ ├── proc_access_win_cred_dump_lsass_access.yml │ │ ├── proc_access_win_direct_syscall_ntopenprocess.yml │ │ ├── proc_access_win_handlekatz_lsass_access.yml │ │ ├── proc_access_win_in_memory_assembly_execution.yml │ │ ├── proc_access_win_invoke_phantom.yml │ │ ├── proc_access_win_lazagne_cred_dump_lsass_access.yml │ │ ├── proc_access_win_littlecorporal_generated_maldoc.yml │ │ ├── proc_access_win_load_undocumented_autoelevated_com_interface.yml │ │ ├── proc_access_win_lsass_dump_comsvcs_dll.yml │ │ ├── proc_access_win_lsass_memdump.yml │ │ ├── proc_access_win_lsass_memdump_evasion.yml │ │ ├── proc_access_win_lsass_memdump_indicators.yml │ │ ├── proc_access_win_lsass_werfault.yml │ │ ├── proc_access_win_malware_verclsid_shellcode.yml │ │ ├── proc_access_win_mimikatz_trough_winrm.yml │ │ ├── proc_access_win_pypykatz_cred_dump_lsass_access.yml │ │ ├── proc_access_win_rare_proc_access_lsass.yml │ │ ├── proc_access_win_susp_proc_access_lsass.yml │ │ ├── proc_access_win_susp_proc_access_lsass_susp_source.yml │ │ ├── proc_access_win_svchost_cred_dump.yml │ │ ├── proc_access_win_uac_bypass_wow64_logger.yml │ │ ├── process_access_win_shellcode_inject_msf_empire.yml │ │ └── process_access_win_susp_seclogon.yml │ │ ├── process_creation │ │ ├── proc_creation_win_7zip_cve_2022_29072.yml │ │ ├── proc_creation_win_abusing_debug_privilege.yml │ │ ├── proc_creation_win_abusing_windows_telemetry_for_persistence.yml │ │ ├── proc_creation_win_accesschk_usage_after_priv_escalation.yml │ │ ├── proc_creation_win_ad_find_discovery.yml │ │ ├── proc_creation_win_advanced_ip_scanner.yml │ │ ├── proc_creation_win_advanced_port_scanner.yml │ │ ├── proc_creation_win_alternate_data_streams.yml │ │ ├── proc_creation_win_always_install_elevated_msi_spawned_cmd_powershell.yml │ │ ├── proc_creation_win_always_install_elevated_windows_installer.yml │ │ ├── proc_creation_win_anydesk.yml │ │ ├── proc_creation_win_anydesk_silent_install.yml │ │ ├── proc_creation_win_anydesk_susp_folder.yml │ │ ├── proc_creation_win_apt_actinium_persistence.yml │ │ ├── proc_creation_win_apt_apt29_thinktanks.yml │ │ ├── proc_creation_win_apt_babyshark.yml │ │ ├── proc_creation_win_apt_bear_activity_gtr19.yml │ │ ├── proc_creation_win_apt_bluemashroom.yml │ │ ├── proc_creation_win_apt_chafer_mar18.yml │ │ ├── proc_creation_win_apt_cloudhopper.yml │ │ ├── proc_creation_win_apt_dragonfly.yml │ │ ├── proc_creation_win_apt_elise.yml │ │ ├── proc_creation_win_apt_emissarypanda_sep19.yml │ │ ├── proc_creation_win_apt_empiremonkey.yml │ │ ├── proc_creation_win_apt_equationgroup_dll_u_load.yml │ │ ├── proc_creation_win_apt_evilnum_jul20.yml │ │ ├── proc_creation_win_apt_gallium.yml │ │ ├── proc_creation_win_apt_gallium_sha1.yml │ │ ├── proc_creation_win_apt_gamaredon_ultravnc.yml │ │ ├── proc_creation_win_apt_greenbug_may20.yml │ │ ├── proc_creation_win_apt_hafnium.yml │ │ ├── proc_creation_win_apt_hurricane_panda.yml │ │ ├── proc_creation_win_apt_judgement_panda_gtr19.yml │ │ ├── proc_creation_win_apt_ke3chang_regadd.yml │ │ ├── proc_creation_win_apt_lazarus_activity_apr21.yml │ │ ├── proc_creation_win_apt_lazarus_activity_dec20.yml │ │ ├── proc_creation_win_apt_lazarus_loader.yml │ │ ├── proc_creation_win_apt_lazarus_session_highjack.yml │ │ ├── proc_creation_win_apt_muddywater_dnstunnel.yml │ │ ├── proc_creation_win_apt_mustangpanda.yml │ │ ├── proc_creation_win_apt_revil_kaseya.yml │ │ ├── proc_creation_win_apt_slingshot.yml │ │ ├── proc_creation_win_apt_sofacy.yml │ │ ├── proc_creation_win_apt_sourgrum.yml │ │ ├── proc_creation_win_apt_ta17_293a_ps.yml │ │ ├── proc_creation_win_apt_ta505_dropper.yml │ │ ├── proc_creation_win_apt_taidoor.yml │ │ ├── proc_creation_win_apt_tropictrooper.yml │ │ ├── proc_creation_win_apt_turla_commands_critical.yml │ │ ├── proc_creation_win_apt_turla_commands_medium.yml │ │ ├── proc_creation_win_apt_turla_comrat_may20.yml │ │ ├── proc_creation_win_apt_unc2452_cmds.yml │ │ ├── proc_creation_win_apt_unc2452_ps.yml │ │ ├── proc_creation_win_apt_unidentified_nov_18.yml │ │ ├── proc_creation_win_apt_winnti_mal_hk_jan20.yml │ │ ├── proc_creation_win_apt_winnti_pipemon.yml │ │ ├── proc_creation_win_apt_wocao.yml │ │ ├── proc_creation_win_apt_zxshell.yml │ │ ├── proc_creation_win_arbitrary_shell_execution_via_settingcontent.yml │ │ ├── proc_creation_win_archiver_iso_phishing.yml │ │ ├── proc_creation_win_asr_bypass_via_appvlp_re.yml │ │ ├── proc_creation_win_atlassian_confluence_cve_2021_26084_exploit.yml │ │ ├── proc_creation_win_attrib_hiding_files.yml │ │ ├── proc_creation_win_attrib_system.yml │ │ ├── proc_creation_win_attrib_system_susp_paths.yml │ │ ├── proc_creation_win_automated_collection.yml │ │ ├── proc_creation_win_bad_opsec_sacrificial_processes.yml │ │ ├── proc_creation_win_base64_invoke_susp_cmdlets.yml │ │ ├── proc_creation_win_base64_listing_shadowcopy.yml │ │ ├── proc_creation_win_base64_reflective_assembly_load.yml │ │ ├── proc_creation_win_bitsadmin_download.yml │ │ ├── proc_creation_win_bitsadmin_download_susp_domain.yml │ │ ├── proc_creation_win_bitsadmin_download_susp_ext.yml │ │ ├── proc_creation_win_bitsadmin_download_susp_ip.yml │ │ ├── proc_creation_win_bitsadmin_download_susp_targetfolder.yml │ │ ├── proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml │ │ ├── proc_creation_win_bootconf_mod.yml │ │ ├── proc_creation_win_bypass_squiblytwo.yml │ │ ├── proc_creation_win_c3_load_by_rundll32.yml │ │ ├── proc_creation_win_certoc_execution.yml │ │ ├── proc_creation_win_change_default_file_assoc_susp.yml │ │ ├── proc_creation_win_change_default_file_association.yml │ │ ├── proc_creation_win_chrome_load_extension.yml │ │ ├── proc_creation_win_cleanwipe.yml │ │ ├── proc_creation_win_clip.yml │ │ ├── proc_creation_win_cmd_delete.yml │ │ ├── proc_creation_win_cmd_dosfuscation.yml │ │ ├── proc_creation_win_cmd_redirect.yml │ │ ├── proc_creation_win_cmdkey_recon.yml │ │ ├── proc_creation_win_cmstp_com_object_access.yml │ │ ├── proc_creation_win_cmstp_execution_by_creation.yml │ │ ├── proc_creation_win_cobaltstrike_bloopers_cmd.yml │ │ ├── proc_creation_win_cobaltstrike_bloopers_modules.yml │ │ ├── proc_creation_win_cobaltstrike_load_by_rundll32.yml │ │ ├── proc_creation_win_cobaltstrike_process_patterns.yml │ │ ├── proc_creation_win_commandline_path_traversal.yml │ │ ├── proc_creation_win_commandline_path_traversal_evasion.yml │ │ ├── proc_creation_win_conhost_path_traversal.yml │ │ ├── proc_creation_win_conti_cmd_ransomware.yml │ │ ├── proc_creation_win_conti_sqlcmd.yml │ │ ├── proc_creation_win_control_panel_item.yml │ │ ├── proc_creation_win_copying_sensitive_files_with_credential_data.yml │ │ ├── proc_creation_win_crackmapexec_patterns.yml │ │ ├── proc_creation_win_creation_mavinject_dll.yml │ │ ├── proc_creation_win_creative_cloud_node_abuse.yml │ │ ├── proc_creation_win_credential_access_via_password_filter.yml │ │ ├── proc_creation_win_crime_fireball.yml │ │ ├── proc_creation_win_crime_maze_ransomware.yml │ │ ├── proc_creation_win_crime_snatch_ransomware.yml │ │ ├── proc_creation_win_crypto_mining_monero.yml │ │ ├── proc_creation_win_curl_download.yml │ │ ├── proc_creation_win_cve_2021_26857_msexchange.yml │ │ ├── proc_creation_win_data_compressed_with_rar.yml │ │ ├── proc_creation_win_delete_systemstatebackup.yml │ │ ├── proc_creation_win_detecting_fake_instances_of_hxtsr.yml │ │ ├── proc_creation_win_dinjector.yml │ │ ├── proc_creation_win_discover_private_keys.yml │ │ ├── proc_creation_win_dns_exfiltration_tools_execution.yml │ │ ├── proc_creation_win_dns_serverlevelplugindll.yml │ │ ├── proc_creation_win_dnscat2_powershell_implementation.yml │ │ ├── proc_creation_win_dotnet.yml │ │ ├── proc_creation_win_dsacls_abuse_permissions.yml │ │ ├── proc_creation_win_dsacls_password_spray.yml │ │ ├── proc_creation_win_dsim_remove.yml │ │ ├── proc_creation_win_dumpstack_log_evasion.yml │ │ ├── proc_creation_win_embed_exe_lnk.yml │ │ ├── proc_creation_win_encoded_frombase64string.yml │ │ ├── proc_creation_win_encoded_iex.yml │ │ ├── proc_creation_win_enumeration_for_credentials_cli.yml │ │ ├── proc_creation_win_enumeration_for_credentials_in_registry.yml │ │ ├── proc_creation_win_esentutl_webcache.yml │ │ ├── proc_creation_win_etw_modification_cmdline.yml │ │ ├── proc_creation_win_etw_trace_evasion.yml │ │ ├── proc_creation_win_evil_winrm.yml │ │ ├── proc_creation_win_exfiltration_and_tunneling_tools_execution.yml │ │ ├── proc_creation_win_expand_cabinet_files.yml │ │ ├── proc_creation_win_exploit_cve_2015_1641.yml │ │ ├── proc_creation_win_exploit_cve_2017_0261.yml │ │ ├── proc_creation_win_exploit_cve_2017_11882.yml │ │ ├── proc_creation_win_exploit_cve_2017_8759.yml │ │ ├── proc_creation_win_exploit_cve_2019_1378.yml │ │ ├── proc_creation_win_exploit_cve_2019_1388.yml │ │ ├── proc_creation_win_exploit_cve_2020_10189.yml │ │ ├── proc_creation_win_exploit_cve_2020_1048.yml │ │ ├── proc_creation_win_exploit_cve_2020_1350.yml │ │ ├── proc_creation_win_exploit_lpe_cve_2021_41379.yml │ │ ├── proc_creation_win_exploit_systemnightmare.yml │ │ ├── proc_creation_win_false_sysinternalsuite.yml │ │ ├── proc_creation_win_file_permission_modifications.yml │ │ ├── proc_creation_win_findstr_gpp_passwords.yml │ │ ├── proc_creation_win_fsutil_drive_enumeration.yml │ │ ├── proc_creation_win_fsutil_symlinkevaluation.yml │ │ ├── proc_creation_win_gotoopener.yml │ │ ├── proc_creation_win_grabbing_sensitive_hives_via_reg.yml │ │ ├── proc_creation_win_hack_adcspwn.yml │ │ ├── proc_creation_win_hack_bloodhound.yml │ │ ├── proc_creation_win_hack_cube0x0_tools.yml │ │ ├── proc_creation_win_hack_dumpert.yml │ │ ├── proc_creation_win_hack_hydra.yml │ │ ├── proc_creation_win_hack_koadic.yml │ │ ├── proc_creation_win_hack_krbrelay.yml │ │ ├── proc_creation_win_hack_krbrelayup.yml │ │ ├── proc_creation_win_hack_rubeus.yml │ │ ├── proc_creation_win_hack_secutyxploded.yml │ │ ├── proc_creation_win_hack_wce.yml │ │ ├── proc_creation_win_hacktool_imphashes.yml │ │ ├── proc_creation_win_hashcat.yml │ │ ├── proc_creation_win_headless_browser_file_download.yml │ │ ├── proc_creation_win_hh_chm.yml │ │ ├── proc_creation_win_hiding_malware_in_fonts_folder.yml │ │ ├── proc_creation_win_high_integrity_sdclt.yml │ │ ├── proc_creation_win_hktl_createminidump.yml │ │ ├── proc_creation_win_hktl_uacme_uac_bypass.yml │ │ ├── proc_creation_win_html_help_spawn.yml │ │ ├── proc_creation_win_hwp_exploits.yml │ │ ├── proc_creation_win_iis_http_logging.yml │ │ ├── proc_creation_win_impacket_compiled_tools.yml │ │ ├── proc_creation_win_impacket_lateralization.yml │ │ ├── proc_creation_win_indirect_cmd.yml │ │ ├── proc_creation_win_infdefaultinstall.yml │ │ ├── proc_creation_win_install_reg_debugger_backdoor.yml │ │ ├── proc_creation_win_interactive_at.yml │ │ ├── proc_creation_win_invoke_obfuscation_clip.yml │ │ ├── proc_creation_win_invoke_obfuscation_obfuscated_iex_commandline.yml │ │ ├── proc_creation_win_invoke_obfuscation_stdin.yml │ │ ├── proc_creation_win_invoke_obfuscation_var.yml │ │ ├── proc_creation_win_invoke_obfuscation_via_compress.yml │ │ ├── proc_creation_win_invoke_obfuscation_via_rundll.yml │ │ ├── proc_creation_win_invoke_obfuscation_via_stdin.yml │ │ ├── proc_creation_win_invoke_obfuscation_via_use_clip.yml │ │ ├── proc_creation_win_invoke_obfuscation_via_use_mhsta.yml │ │ ├── proc_creation_win_invoke_obfuscation_via_use_rundll32.yml │ │ ├── proc_creation_win_invoke_obfuscation_via_var.yml │ │ ├── proc_creation_win_jlaive_batch_execution.yml │ │ ├── proc_creation_win_lethalhta.yml │ │ ├── proc_creation_win_local_system_owner_account_discovery.yml │ │ ├── proc_creation_win_logmein.yml │ │ ├── proc_creation_win_logon_scripts_userinitmprlogonscript_proc.yml │ │ ├── proc_creation_win_lolbin_adplus.yml │ │ ├── proc_creation_win_lolbin_aspnet_compiler.yml │ │ ├── proc_creation_win_lolbin_bash.yml │ │ ├── proc_creation_win_lolbin_certoc_download.yml │ │ ├── proc_creation_win_lolbin_cl_invocation.yml │ │ ├── proc_creation_win_lolbin_cl_loadassembly.yml │ │ ├── proc_creation_win_lolbin_cl_mutexverifiers.yml │ │ ├── proc_creation_win_lolbin_class_exec_xwizard.yml │ │ ├── proc_creation_win_lolbin_cmdl32.yml │ │ ├── proc_creation_win_lolbin_configsecuritypolicy.yml │ │ ├── proc_creation_win_lolbin_cscript_gathernetworkinfo.yml │ │ ├── proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml │ │ ├── proc_creation_win_lolbin_diantz_ads.yml │ │ ├── proc_creation_win_lolbin_diantz_remote_cab.yml │ │ ├── proc_creation_win_lolbin_dll_sideload_xwizard.yml │ │ ├── proc_creation_win_lolbin_dump64.yml │ │ ├── proc_creation_win_lolbin_execution_via_winget.yml │ │ ├── proc_creation_win_lolbin_extexport.yml │ │ ├── proc_creation_win_lolbin_extrac32.yml │ │ ├── proc_creation_win_lolbin_extrac32_ads.yml │ │ ├── proc_creation_win_lolbin_findstr.yml │ │ ├── proc_creation_win_lolbin_forfiles.yml │ │ ├── proc_creation_win_lolbin_fsharp_interpreters.yml │ │ ├── proc_creation_win_lolbin_gpscript.yml │ │ ├── proc_creation_win_lolbin_ie4uinit.yml │ │ ├── proc_creation_win_lolbin_ieexec_download.yml │ │ ├── proc_creation_win_lolbin_ilasm.yml │ │ ├── proc_creation_win_lolbin_jsc.yml │ │ ├── proc_creation_win_lolbin_mftrace.yml │ │ ├── proc_creation_win_lolbin_msdt_answer_file.yml │ │ ├── proc_creation_win_lolbin_offlinescannershell.yml │ │ ├── proc_creation_win_lolbin_openconsole.yml │ │ ├── proc_creation_win_lolbin_pcalua.yml │ │ ├── proc_creation_win_lolbin_pcwrun.yml │ │ ├── proc_creation_win_lolbin_pcwrun_follina.yml │ │ ├── proc_creation_win_lolbin_pktmon.yml │ │ ├── proc_creation_win_lolbin_presentationhost.yml │ │ ├── proc_creation_win_lolbin_printbrm.yml │ │ ├── proc_creation_win_lolbin_pubprn.yml │ │ ├── proc_creation_win_lolbin_rasautou_dll_execution.yml │ │ ├── proc_creation_win_lolbin_remote.yml │ │ ├── proc_creation_win_lolbin_replace.yml │ │ ├── proc_creation_win_lolbin_rundll32_installscreensaver.yml │ │ ├── proc_creation_win_lolbin_scriptrunner.yml │ │ ├── proc_creation_win_lolbin_squirrel.yml │ │ ├── proc_creation_win_lolbin_susp_acccheckconsole.yml │ │ ├── proc_creation_win_lolbin_susp_atbroker.yml │ │ ├── proc_creation_win_lolbin_susp_certreq_download.yml │ │ ├── proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml │ │ ├── proc_creation_win_lolbin_susp_dxcap.yml │ │ ├── proc_creation_win_lolbin_susp_grpconv.yml │ │ ├── proc_creation_win_lolbin_susp_mpcmdrun_download.yml │ │ ├── proc_creation_win_lolbin_susp_sqldumper_activity.yml │ │ ├── proc_creation_win_lolbin_susp_wsl.yml │ │ ├── proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml │ │ ├── proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml │ │ ├── proc_creation_win_lolbin_ttdinject.yml │ │ ├── proc_creation_win_lolbin_tttracer_mod_load.yml │ │ ├── proc_creation_win_lolbin_utilityfunctions.yml │ │ ├── proc_creation_win_lolbin_visual_basic_compiler.yml │ │ ├── proc_creation_win_lolbin_visualuiaverifynative.yml │ │ ├── proc_creation_win_lolbin_vsiisexelauncher.yml │ │ ├── proc_creation_win_lolbin_wfc.yml │ │ ├── proc_creation_win_lolbin_winword.yml │ │ ├── proc_creation_win_lolbin_wlrmdr.yml │ │ ├── proc_creation_win_lolbins_by_office_applications.yml │ │ ├── proc_creation_win_lolbins_with_wmiprvse_parent_process.yml │ │ ├── proc_creation_win_long_powershell_commandline.yml │ │ ├── proc_creation_win_lsass_dump.yml │ │ ├── proc_creation_win_mailboxexport_share.yml │ │ ├── proc_creation_win_mal_adwind.yml │ │ ├── proc_creation_win_mal_blue_mockingbird.yml │ │ ├── proc_creation_win_mal_darkside_ransomware.yml │ │ ├── proc_creation_win_mal_hermetic_wiper_activity.yml │ │ ├── proc_creation_win_mal_lockergoga_ransomware.yml │ │ ├── proc_creation_win_mal_ryuk.yml │ │ ├── proc_creation_win_malware_conti.yml │ │ ├── proc_creation_win_malware_conti_7zip.yml │ │ ├── proc_creation_win_malware_conti_shadowcopy.yml │ │ ├── proc_creation_win_malware_dridex.yml │ │ ├── proc_creation_win_malware_dtrack.yml │ │ ├── proc_creation_win_malware_emotet.yml │ │ ├── proc_creation_win_malware_formbook.yml │ │ ├── proc_creation_win_malware_notpetya.yml │ │ ├── proc_creation_win_malware_qbot.yml │ │ ├── proc_creation_win_malware_ryuk.yml │ │ ├── proc_creation_win_malware_script_dropper.yml │ │ ├── proc_creation_win_malware_trickbot_recon_activity.yml │ │ ├── proc_creation_win_malware_trickbot_wermgr.yml │ │ ├── proc_creation_win_malware_wannacry.yml │ │ ├── proc_creation_win_manage_bde_lolbas.yml │ │ ├── proc_creation_win_mavinject_proc_inj.yml │ │ ├── proc_creation_win_meterpreter_or_cobaltstrike_getsystem_service_start.yml │ │ ├── proc_creation_win_mimikatz_command_line.yml │ │ ├── proc_creation_win_mmc20_lateral_movement.yml │ │ ├── proc_creation_win_mmc_spawn_shell.yml │ │ ├── proc_creation_win_modif_of_services_for_via_commandline.yml │ │ ├── proc_creation_win_monitoring_for_persistence_via_bits.yml │ │ ├── proc_creation_win_mouse_lock.yml │ │ ├── proc_creation_win_msdeploy.yml │ │ ├── proc_creation_win_msdt.yml │ │ ├── proc_creation_win_msdt_diagcab.yml │ │ ├── proc_creation_win_msdt_susp_cab_options.yml │ │ ├── proc_creation_win_msdt_susp_parent.yml │ │ ├── proc_creation_win_msedge_minimized_download.yml │ │ ├── proc_creation_win_mshta_javascript.yml │ │ ├── proc_creation_win_mshta_spawn_shell.yml │ │ ├── proc_creation_win_msiexec_dll.yml │ │ ├── proc_creation_win_msiexec_embedding.yml │ │ ├── proc_creation_win_msiexec_execute_dll.yml │ │ ├── proc_creation_win_msiexec_install_quiet.yml │ │ ├── proc_creation_win_msra_process_injection.yml │ │ ├── proc_creation_win_mstsc.yml │ │ ├── proc_creation_win_multiple_susp_cli.yml │ │ ├── proc_creation_win_net_enum.yml │ │ ├── proc_creation_win_net_use_admin_share.yml │ │ ├── proc_creation_win_net_user_add.yml │ │ ├── proc_creation_win_netcat_execution.yml │ │ ├── proc_creation_win_netsh_allow_port_rdp.yml │ │ ├── proc_creation_win_netsh_fw_add.yml │ │ ├── proc_creation_win_netsh_fw_add_susp_image.yml │ │ ├── proc_creation_win_netsh_fw_enable_group_rule.yml │ │ ├── proc_creation_win_netsh_packet_capture.yml │ │ ├── proc_creation_win_netsh_port_fwd.yml │ │ ├── proc_creation_win_netsh_port_fwd_3389.yml │ │ ├── proc_creation_win_netsh_wifi_credential_harvesting.yml │ │ ├── proc_creation_win_network_scan_loop.yml │ │ ├── proc_creation_win_network_sniffing.yml │ │ ├── proc_creation_win_new_service_creation.yml │ │ ├── proc_creation_win_nltest_recon.yml │ │ ├── proc_creation_win_non_interactive_powershell.yml │ │ ├── proc_creation_win_non_priv_reg_or_ps.yml │ │ ├── proc_creation_win_office_applications_spawning_wmi_commandline.yml │ │ ├── proc_creation_win_office_dir_traversal_cli.yml │ │ ├── proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml │ │ ├── proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml │ │ ├── proc_creation_win_office_shell.yml │ │ ├── proc_creation_win_office_spawn_exe_from_users_directory.yml │ │ ├── proc_creation_win_office_spawning_wmi_commandline.yml │ │ ├── proc_creation_win_outlook_shell.yml │ │ ├── proc_creation_win_pingback_backdoor.yml │ │ ├── proc_creation_win_plugx_susp_exe_locations.yml │ │ ├── proc_creation_win_possible_applocker_bypass.yml │ │ ├── proc_creation_win_possible_privilege_escalation_via_service_reg_perm.yml │ │ ├── proc_creation_win_powershell_amsi_bypass.yml │ │ ├── proc_creation_win_powershell_audio_capture.yml │ │ ├── proc_creation_win_powershell_b64_shellcode.yml │ │ ├── proc_creation_win_powershell_bitsjob.yml │ │ ├── proc_creation_win_powershell_cmdline_reversed_strings.yml │ │ ├── proc_creation_win_powershell_cmdline_special_characters.yml │ │ ├── proc_creation_win_powershell_cmdline_specific_comb_methods.yml │ │ ├── proc_creation_win_powershell_defender_base64.yml │ │ ├── proc_creation_win_powershell_defender_disable_feature.yml │ │ ├── proc_creation_win_powershell_defender_exclusion.yml │ │ ├── proc_creation_win_powershell_disable_windef_av.yml │ │ ├── proc_creation_win_powershell_dll_execution.yml │ │ ├── proc_creation_win_powershell_downgrade_attack.yml │ │ ├── proc_creation_win_powershell_download.yml │ │ ├── proc_creation_win_powershell_download_patterns.yml │ │ ├── proc_creation_win_powershell_frombase64string.yml │ │ ├── proc_creation_win_powershell_get_clipboard.yml │ │ ├── proc_creation_win_powershell_public_folder.yml │ │ ├── proc_creation_win_powershell_reverse_shell_connection.yml │ │ ├── proc_creation_win_powershell_snapins_hafnium.yml │ │ ├── proc_creation_win_powershell_susp_parameter_variation.yml │ │ ├── proc_creation_win_powershell_xor_commandline.yml │ │ ├── proc_creation_win_powersploit_empire_schtasks.yml │ │ ├── proc_creation_win_proc_dump_createdump.yml │ │ ├── proc_creation_win_proc_dump_dumpminitool.yml │ │ ├── proc_creation_win_proc_dump_rdrleakdiag.yml │ │ ├── proc_creation_win_proc_dump_susp_dumpminitool.yml │ │ ├── proc_creation_win_proc_wrong_parent.yml │ │ ├── proc_creation_win_procdump.yml │ │ ├── proc_creation_win_procdump_evasion.yml │ │ ├── proc_creation_win_process_dump_rdrleakdiag.yml │ │ ├── proc_creation_win_process_dump_rundll32_comsvcs.yml │ │ ├── proc_creation_win_protocolhandler_susp_file.yml │ │ ├── proc_creation_win_proxy_execution_wuauclt.yml │ │ ├── proc_creation_win_psexesvc_start.yml │ │ ├── proc_creation_win_public_folder_parent.yml │ │ ├── proc_creation_win_purplesharp_indicators.yml │ │ ├── proc_creation_win_pypykatz.yml │ │ ├── proc_creation_win_python_pty_spawn.yml │ │ ├── proc_creation_win_query_registry.yml │ │ ├── proc_creation_win_ransom_blackbyte.yml │ │ ├── proc_creation_win_rdp_hijack_shadowing.yml │ │ ├── proc_creation_win_redirect_to_stream.yml │ │ ├── proc_creation_win_redmimicry_winnti_proc.yml │ │ ├── proc_creation_win_reg_add_run_key.yml │ │ ├── proc_creation_win_reg_defender_exclusion.yml │ │ ├── proc_creation_win_reg_defender_tampering.yml │ │ ├── proc_creation_win_reg_dump_sam.yml │ │ ├── proc_creation_win_reg_enable_rdp.yml │ │ ├── proc_creation_win_reg_lsass_ppl.yml │ │ ├── proc_creation_win_reg_service_imagepath_change.yml │ │ ├── proc_creation_win_regedit_export_critical_keys.yml │ │ ├── proc_creation_win_regedit_export_keys.yml │ │ ├── proc_creation_win_regedit_import_keys.yml │ │ ├── proc_creation_win_regedit_import_keys_ads.yml │ │ ├── proc_creation_win_regini.yml │ │ ├── proc_creation_win_regini_ads.yml │ │ ├── proc_creation_win_remote_powershell_session_process.yml │ │ ├── proc_creation_win_remote_time_discovery.yml │ │ ├── proc_creation_win_remove_windows_defender_definition_files.yml │ │ ├── proc_creation_win_renamed_binary.yml │ │ ├── proc_creation_win_renamed_binary_highly_relevant.yml │ │ ├── proc_creation_win_renamed_browsercore.yml │ │ ├── proc_creation_win_renamed_jusched.yml │ │ ├── proc_creation_win_renamed_megasync.yml │ │ ├── proc_creation_win_renamed_msdt.yml │ │ ├── proc_creation_win_renamed_paexec.yml │ │ ├── proc_creation_win_renamed_plink.yml │ │ ├── proc_creation_win_renamed_powershell.yml │ │ ├── proc_creation_win_renamed_procdump.yml │ │ ├── proc_creation_win_renamed_psexec.yml │ │ ├── proc_creation_win_renamed_rundll32.yml │ │ ├── proc_creation_win_renamed_whoami.yml │ │ ├── proc_creation_win_root_certificate_installed.yml │ │ ├── proc_creation_win_rpcss_anomalies.yml │ │ ├── proc_creation_win_run_executable_invalid_extension.yml │ │ ├── proc_creation_win_run_from_zip.yml │ │ ├── proc_creation_win_run_powershell_script_from_ads.yml │ │ ├── proc_creation_win_run_powershell_script_from_input_stream.yml │ │ ├── proc_creation_win_run_virtualbox.yml │ │ ├── proc_creation_win_rundll32_not_from_c_drive.yml │ │ ├── proc_creation_win_rundll32_parent_explorer.yml │ │ ├── proc_creation_win_rundll32_registered_com_objects.yml │ │ ├── proc_creation_win_rundll32_without_parameters.yml │ │ ├── proc_creation_win_schtasks_appdata_local_system.yml │ │ ├── proc_creation_win_schtasks_powershell_windowsapps_execution.yml │ │ ├── proc_creation_win_schtasks_reg_loader.yml │ │ ├── proc_creation_win_screenconnect.yml │ │ ├── proc_creation_win_screenconnect_anomaly.yml │ │ ├── proc_creation_win_script_event_consumer_spawn.yml │ │ ├── proc_creation_win_sdbinst_shim_persistence.yml │ │ ├── proc_creation_win_sdclt_child_process.yml │ │ ├── proc_creation_win_sdelete.yml │ │ ├── proc_creation_win_sdiagnhost_susp_child.yml │ │ ├── proc_creation_win_service_execution.yml │ │ ├── proc_creation_win_service_stop.yml │ │ ├── proc_creation_win_set_policies_to_unsecure_level.yml │ │ ├── proc_creation_win_shadow_copies_access_symlink.yml │ │ ├── proc_creation_win_shadow_copies_creation.yml │ │ ├── proc_creation_win_shadow_copies_deletion.yml │ │ ├── proc_creation_win_shell_spawn_by_java.yml │ │ ├── proc_creation_win_shell_spawn_susp_program.yml │ │ ├── proc_creation_win_silenttrinity_stage_use.yml │ │ ├── proc_creation_win_software_discovery.yml │ │ ├── proc_creation_win_soundrec_audio_capture.yml │ │ ├── proc_creation_win_spn_enum.yml │ │ ├── proc_creation_win_sqlcmd_veeam_dump.yml │ │ ├── proc_creation_win_sqlite_firefox_cookies.yml │ │ ├── proc_creation_win_sticky_keys_unauthenticated_privileged_cmd_access.yml │ │ ├── proc_creation_win_stickykey_like_backdoor.yml │ │ ├── proc_creation_win_stordiag_execution.yml │ │ ├── proc_creation_win_sus_auditpol_usage.yml │ │ ├── proc_creation_win_susp_7z.yml │ │ ├── proc_creation_win_susp_ad_reco.yml │ │ ├── proc_creation_win_susp_add_user_remote_desktop.yml │ │ ├── proc_creation_win_susp_adfind.yml │ │ ├── proc_creation_win_susp_adfind_enumerate.yml │ │ ├── proc_creation_win_susp_adidnsdump.yml │ │ ├── proc_creation_win_susp_advancedrun.yml │ │ ├── proc_creation_win_susp_advancedrun_priv_user.yml │ │ ├── proc_creation_win_susp_athremotefxvgpudisablementcommand.yml │ │ ├── proc_creation_win_susp_base64_invoke.yml │ │ ├── proc_creation_win_susp_base64_load.yml │ │ ├── proc_creation_win_susp_bcdedit.yml │ │ ├── proc_creation_win_susp_bginfo.yml │ │ ├── proc_creation_win_susp_bitstransfer.yml │ │ ├── proc_creation_win_susp_calc.yml │ │ ├── proc_creation_win_susp_cdb.yml │ │ ├── proc_creation_win_susp_certutil_command.yml │ │ ├── proc_creation_win_susp_certutil_encode.yml │ │ ├── proc_creation_win_susp_char_in_cmd.yml │ │ ├── proc_creation_win_susp_child_process_as_system_.yml │ │ ├── proc_creation_win_susp_cipher.yml │ │ ├── proc_creation_win_susp_cli_escape.yml │ │ ├── proc_creation_win_susp_cmd_http_appdata.yml │ │ ├── proc_creation_win_susp_cmd_shadowcopy_access.yml │ │ ├── proc_creation_win_susp_codepage_lookup.yml │ │ ├── proc_creation_win_susp_codepage_switch.yml │ │ ├── proc_creation_win_susp_commandline_chars.yml │ │ ├── proc_creation_win_susp_commands_recon_activity.yml │ │ ├── proc_creation_win_susp_compression_params.yml │ │ ├── proc_creation_win_susp_comsvcs_procdump.yml │ │ ├── proc_creation_win_susp_conhost.yml │ │ ├── proc_creation_win_susp_conhost_option.yml │ │ ├── proc_creation_win_susp_control_cve_2021_40444.yml │ │ ├── proc_creation_win_susp_control_dll_load.yml │ │ ├── proc_creation_win_susp_copy_lateral_movement.yml │ │ ├── proc_creation_win_susp_copy_system32.yml │ │ ├── proc_creation_win_susp_covenant.yml │ │ ├── proc_creation_win_susp_crackmapexec_execution.yml │ │ ├── proc_creation_win_susp_crackmapexec_flags.yml │ │ ├── proc_creation_win_susp_crackmapexec_powershell_obfuscation.yml │ │ ├── proc_creation_win_susp_csc.yml │ │ ├── proc_creation_win_susp_csc_folder.yml │ │ ├── proc_creation_win_susp_cscript_vbs.yml │ │ ├── proc_creation_win_susp_csi.yml │ │ ├── proc_creation_win_susp_curl_download.yml │ │ ├── proc_creation_win_susp_curl_fileupload.yml │ │ ├── proc_creation_win_susp_curl_start_combo.yml │ │ ├── proc_creation_win_susp_curl_useragent.yml │ │ ├── proc_creation_win_susp_dctask64_proc_inject.yml │ │ ├── proc_creation_win_susp_del.yml │ │ ├── proc_creation_win_susp_desktopimgdownldr.yml │ │ ├── proc_creation_win_susp_devinit_lolbin.yml │ │ ├── proc_creation_win_susp_devtoolslauncher.yml │ │ ├── proc_creation_win_susp_dir.yml │ │ ├── proc_creation_win_susp_direct_asep_reg_keys_modification.yml │ │ ├── proc_creation_win_susp_disable_eventlog.yml │ │ ├── proc_creation_win_susp_disable_ie_features.yml │ │ ├── proc_creation_win_susp_disable_raccine.yml │ │ ├── proc_creation_win_susp_diskshadow.yml │ │ ├── proc_creation_win_susp_ditsnap.yml │ │ ├── proc_creation_win_susp_dllhost_no_cli.yml │ │ ├── proc_creation_win_susp_dnx.yml │ │ ├── proc_creation_win_susp_double_extension.yml │ │ ├── proc_creation_win_susp_download_office_domain.yml │ │ ├── proc_creation_win_susp_dtrace_kernel_dump.yml │ │ ├── proc_creation_win_susp_emotet_rundll32_execution.yml │ │ ├── proc_creation_win_susp_esentutl_params.yml │ │ ├── proc_creation_win_susp_eventlog_clear.yml │ │ ├── proc_creation_win_susp_execution_path.yml │ │ ├── proc_creation_win_susp_execution_path_webserver.yml │ │ ├── proc_creation_win_susp_explorer.yml │ │ ├── proc_creation_win_susp_explorer_break_proctree.yml │ │ ├── proc_creation_win_susp_explorer_nouaccheck.yml │ │ ├── proc_creation_win_susp_file_characteristics.yml │ │ ├── proc_creation_win_susp_file_download_via_gfxdownloadwrapper.yml │ │ ├── proc_creation_win_susp_findstr_385201.yml │ │ ├── proc_creation_win_susp_findstr_lnk.yml │ │ ├── proc_creation_win_susp_finger_usage.yml │ │ ├── proc_creation_win_susp_firewall_disable.yml │ │ ├── proc_creation_win_susp_format.yml │ │ ├── proc_creation_win_susp_fsutil_usage.yml │ │ ├── proc_creation_win_susp_ftp.yml │ │ ├── proc_creation_win_susp_gpresult.yml │ │ ├── proc_creation_win_susp_gup.yml │ │ ├── proc_creation_win_susp_gup_download.yml │ │ ├── proc_creation_win_susp_gup_execution.yml │ │ ├── proc_creation_win_susp_hostname.yml │ │ ├── proc_creation_win_susp_image_missing.yml │ │ ├── proc_creation_win_susp_instalutil.yml │ │ ├── proc_creation_win_susp_iss_module_install.yml │ │ ├── proc_creation_win_susp_lsass_clone.yml │ │ ├── proc_creation_win_susp_machineguid.yml │ │ ├── proc_creation_win_susp_mounted_share_deletion.yml │ │ ├── proc_creation_win_susp_mpiexec_lolbin.yml │ │ ├── proc_creation_win_susp_mshta_execution.yml │ │ ├── proc_creation_win_susp_mshta_pattern.yml │ │ ├── proc_creation_win_susp_msiexec_cwd.yml │ │ ├── proc_creation_win_susp_msiexec_web_install.yml │ │ ├── proc_creation_win_susp_msoffice.yml │ │ ├── proc_creation_win_susp_net_execution.yml │ │ ├── proc_creation_win_susp_net_use_password_plaintext.yml │ │ ├── proc_creation_win_susp_netsh_command.yml │ │ ├── proc_creation_win_susp_netsh_dll_persistence.yml │ │ ├── proc_creation_win_susp_network_command.yml │ │ ├── proc_creation_win_susp_network_listing_connections.yml │ │ ├── proc_creation_win_susp_ngrok_pua.yml │ │ ├── proc_creation_win_susp_nmap.yml │ │ ├── proc_creation_win_susp_non_exe_image.yml │ │ ├── proc_creation_win_susp_nt_resource_kit_auditpol_usage.yml │ │ ├── proc_creation_win_susp_ntdll_type_redirect.yml │ │ ├── proc_creation_win_susp_ntds.yml │ │ ├── proc_creation_win_susp_ntdsutil.yml │ │ ├── proc_creation_win_susp_ntlmrelay.yml │ │ ├── proc_creation_win_susp_odbcconf.yml │ │ ├── proc_creation_win_susp_openwith.yml │ │ ├── proc_creation_win_susp_outlook.yml │ │ ├── proc_creation_win_susp_outlook_temp.yml │ │ ├── proc_creation_win_susp_parents.yml │ │ ├── proc_creation_win_susp_pcwutl.yml │ │ ├── proc_creation_win_susp_pester.yml │ │ ├── proc_creation_win_susp_ping_hex_ip.yml │ │ ├── proc_creation_win_susp_plink_remote_forward.yml │ │ ├── proc_creation_win_susp_powershell_cmd_patterns.yml │ │ ├── proc_creation_win_susp_powershell_download_cradles.yml │ │ ├── proc_creation_win_susp_powershell_download_iex.yml │ │ ├── proc_creation_win_susp_powershell_empire_launch.yml │ │ ├── proc_creation_win_susp_powershell_empire_uac_bypass.yml │ │ ├── proc_creation_win_susp_powershell_enc_cmd.yml │ │ ├── proc_creation_win_susp_powershell_encode.yml │ │ ├── proc_creation_win_susp_powershell_encoded_param.yml │ │ ├── proc_creation_win_susp_powershell_getprocess_lsass.yml │ │ ├── proc_creation_win_susp_powershell_hidden_b64_cmd.yml │ │ ├── proc_creation_win_susp_powershell_iex_patterns.yml │ │ ├── proc_creation_win_susp_powershell_parent_combo.yml │ │ ├── proc_creation_win_susp_powershell_parent_process.yml │ │ ├── proc_creation_win_susp_powershell_sam_access.yml │ │ ├── proc_creation_win_susp_powershell_sub_processes.yml │ │ ├── proc_creation_win_susp_powershell_webclient_casing.yml │ │ ├── proc_creation_win_susp_pressynkey_lolbin.yml │ │ ├── proc_creation_win_susp_print.yml │ │ ├── proc_creation_win_susp_procdump.yml │ │ ├── proc_creation_win_susp_procdump_lsass.yml │ │ ├── proc_creation_win_susp_progname.yml │ │ ├── proc_creation_win_susp_ps_appdata.yml │ │ ├── proc_creation_win_susp_ps_downloadfile.yml │ │ ├── proc_creation_win_susp_psexec_eula.yml │ │ ├── proc_creation_win_susp_psexex_paexec_escalate_system.yml │ │ ├── proc_creation_win_susp_psexex_paexec_flags.yml │ │ ├── proc_creation_win_susp_psloglist.yml │ │ ├── proc_creation_win_susp_psr_capture_screenshots.yml │ │ ├── proc_creation_win_susp_radmin.yml │ │ ├── proc_creation_win_susp_rar_flags.yml │ │ ├── proc_creation_win_susp_rasdial_activity.yml │ │ ├── proc_creation_win_susp_razorinstaller_explorer.yml │ │ ├── proc_creation_win_susp_rclone_execution.yml │ │ ├── proc_creation_win_susp_recon.yml │ │ ├── proc_creation_win_susp_recon_activity.yml │ │ ├── proc_creation_win_susp_recon_net_activity.yml │ │ ├── proc_creation_win_susp_redir_local_admin_share.yml │ │ ├── proc_creation_win_susp_reg_bitlocker.yml │ │ ├── proc_creation_win_susp_reg_disable_sec_services.yml │ │ ├── proc_creation_win_susp_reg_open_command.yml │ │ ├── proc_creation_win_susp_regedit_trustedinstaller.yml │ │ ├── proc_creation_win_susp_register_cimprovider.yml │ │ ├── proc_creation_win_susp_registration_via_cscript.yml │ │ ├── proc_creation_win_susp_regsvr32_anomalies.yml │ │ ├── proc_creation_win_susp_regsvr32_explorer.yml │ │ ├── proc_creation_win_susp_regsvr32_flags_anomaly.yml │ │ ├── proc_creation_win_susp_regsvr32_http_pattern.yml │ │ ├── proc_creation_win_susp_regsvr32_image.yml │ │ ├── proc_creation_win_susp_regsvr32_no_dll.yml │ │ ├── proc_creation_win_susp_renamed_dctask64.yml │ │ ├── proc_creation_win_susp_renamed_debugview.yml │ │ ├── proc_creation_win_susp_renamed_paexec.yml │ │ ├── proc_creation_win_susp_rpcping.yml │ │ ├── proc_creation_win_susp_run_folder.yml │ │ ├── proc_creation_win_susp_run_locations.yml │ │ ├── proc_creation_win_susp_rundll32_activity.yml │ │ ├── proc_creation_win_susp_rundll32_by_ordinal.yml │ │ ├── proc_creation_win_susp_rundll32_inline_vbs.yml │ │ ├── proc_creation_win_susp_rundll32_js_runhtmlapplication.yml │ │ ├── proc_creation_win_susp_rundll32_keymgr.yml │ │ ├── proc_creation_win_susp_rundll32_no_params.yml │ │ ├── proc_creation_win_susp_rundll32_script_run.yml │ │ ├── proc_creation_win_susp_rundll32_setupapi_installhinfsection.yml │ │ ├── proc_creation_win_susp_rundll32_spawn_explorer.yml │ │ ├── proc_creation_win_susp_rundll32_sys.yml │ │ ├── proc_creation_win_susp_rundll32_user32_dll.yml │ │ ├── proc_creation_win_susp_runonce_execution.yml │ │ ├── proc_creation_win_susp_runscripthelper.yml │ │ ├── proc_creation_win_susp_sc_query.yml │ │ ├── proc_creation_win_susp_schtask_creation.yml │ │ ├── proc_creation_win_susp_schtask_creation_temp_folder.yml │ │ ├── proc_creation_win_susp_schtasks_disable.yml │ │ ├── proc_creation_win_susp_schtasks_env_folder.yml │ │ ├── proc_creation_win_susp_schtasks_folder_combos.yml │ │ ├── proc_creation_win_susp_schtasks_parent.yml │ │ ├── proc_creation_win_susp_schtasks_pattern.yml │ │ ├── proc_creation_win_susp_schtasks_user_temp.yml │ │ ├── proc_creation_win_susp_screenconnect_access.yml │ │ ├── proc_creation_win_susp_screensaver_reg.yml │ │ ├── proc_creation_win_susp_script_exec_from_env_folder.yml │ │ ├── proc_creation_win_susp_script_exec_from_temp.yml │ │ ├── proc_creation_win_susp_script_execution.yml │ │ ├── proc_creation_win_susp_service_dacl_modification.yml │ │ ├── proc_creation_win_susp_service_dir.yml │ │ ├── proc_creation_win_susp_service_modification.yml │ │ ├── proc_creation_win_susp_service_path_modification.yml │ │ ├── proc_creation_win_susp_servu_exploitation_cve_2021_35211.yml │ │ ├── proc_creation_win_susp_servu_process_pattern.yml │ │ ├── proc_creation_win_susp_sharpview.yml │ │ ├── proc_creation_win_susp_shell_spawn_by_java.yml │ │ ├── proc_creation_win_susp_shell_spawn_by_java_keytool.yml │ │ ├── proc_creation_win_susp_shell_spawn_from_mssql.yml │ │ ├── proc_creation_win_susp_shell_spawn_from_winrm.yml │ │ ├── proc_creation_win_susp_shimcache_flush.yml │ │ ├── proc_creation_win_susp_shutdown.yml │ │ ├── proc_creation_win_susp_splwow64.yml │ │ ├── proc_creation_win_susp_spoolsv_child_processes.yml │ │ ├── proc_creation_win_susp_squirrel_lolbin.yml │ │ ├── proc_creation_win_susp_svchost.yml │ │ ├── proc_creation_win_susp_svchost_no_cli.yml │ │ ├── proc_creation_win_susp_sysprep_appdata.yml │ │ ├── proc_creation_win_susp_system_user_anomaly.yml │ │ ├── proc_creation_win_susp_systeminfo.yml │ │ ├── proc_creation_win_susp_sysvol_access.yml │ │ ├── proc_creation_win_susp_takeown.yml │ │ ├── proc_creation_win_susp_target_location_shell32.yml │ │ ├── proc_creation_win_susp_taskkill.yml │ │ ├── proc_creation_win_susp_tasklist_command.yml │ │ ├── proc_creation_win_susp_taskmgr_localsystem.yml │ │ ├── proc_creation_win_susp_taskmgr_parent.yml │ │ ├── proc_creation_win_susp_tracker_execution.yml │ │ ├── proc_creation_win_susp_trolleyexpress_procdump.yml │ │ ├── proc_creation_win_susp_tscon_localsystem.yml │ │ ├── proc_creation_win_susp_tscon_rdp_redirect.yml │ │ ├── proc_creation_win_susp_uac_bypass_trustedpath.yml │ │ ├── proc_creation_win_susp_use_of_csharp_console.yml │ │ ├── proc_creation_win_susp_use_of_sqlps_bin.yml │ │ ├── proc_creation_win_susp_use_of_sqltoolsps_bin.yml │ │ ├── proc_creation_win_susp_use_of_te_bin.yml │ │ ├── proc_creation_win_susp_use_of_vsjitdebugger_bin.yml │ │ ├── proc_creation_win_susp_userinit_child.yml │ │ ├── proc_creation_win_susp_vaultcmd.yml │ │ ├── proc_creation_win_susp_vboxdrvinst.yml │ │ ├── proc_creation_win_susp_vbscript_unc2452.yml │ │ ├── proc_creation_win_susp_volsnap_disable.yml │ │ ├── proc_creation_win_susp_web_request_cmd.yml │ │ ├── proc_creation_win_susp_webdav_client_execution.yml │ │ ├── proc_creation_win_susp_where_execution.yml │ │ ├── proc_creation_win_susp_whoami.yml │ │ ├── proc_creation_win_susp_whoami_anomaly.yml │ │ ├── proc_creation_win_susp_whoami_as_param.yml │ │ ├── proc_creation_win_susp_winrar_dmp.yml │ │ ├── proc_creation_win_susp_winrar_execution.yml │ │ ├── proc_creation_win_susp_winrm_awl_bypass.yml │ │ ├── proc_creation_win_susp_winrm_execution.yml │ │ ├── proc_creation_win_susp_winzip.yml │ │ ├── proc_creation_win_susp_wmi_execution.yml │ │ ├── proc_creation_win_susp_wmic_eventconsumer_create.yml │ │ ├── proc_creation_win_susp_wmic_proc_create_rundll32.yml │ │ ├── proc_creation_win_susp_wmic_security_product_uninstall.yml │ │ ├── proc_creation_win_susp_workfolders.yml │ │ ├── proc_creation_win_susp_wuauclt.yml │ │ ├── proc_creation_win_susp_wuauclt_cmdline.yml │ │ ├── proc_creation_win_susp_zip_compress.yml │ │ ├── proc_creation_win_susp_zipexec.yml │ │ ├── proc_creation_win_sysinternals_eula_accepted.yml │ │ ├── proc_creation_win_sysinternals_psservice.yml │ │ ├── proc_creation_win_sysmon_driver_unload.yml │ │ ├── proc_creation_win_sysmon_uac_bypass_eventvwr.yml │ │ ├── proc_creation_win_system_exe_anomaly.yml │ │ ├── proc_creation_win_tap_installer_execution.yml │ │ ├── proc_creation_win_task_folder_evasion.yml │ │ ├── proc_creation_win_termserv_proc_spawn.yml │ │ ├── proc_creation_win_tool_nircmd.yml │ │ ├── proc_creation_win_tool_nircmd_as_system.yml │ │ ├── proc_creation_win_tool_nsudo_execution.yml │ │ ├── proc_creation_win_tool_psexec.yml │ │ ├── proc_creation_win_tool_runx_as_system.yml │ │ ├── proc_creation_win_tools_relay_attacks.yml │ │ ├── proc_creation_win_tor_browser.yml │ │ ├── proc_creation_win_trust_discovery.yml │ │ ├── proc_creation_win_uac_bypass_changepk_slui.yml │ │ ├── proc_creation_win_uac_bypass_cleanmgr.yml │ │ ├── proc_creation_win_uac_bypass_cmstp.yml │ │ ├── proc_creation_win_uac_bypass_computerdefaults.yml │ │ ├── proc_creation_win_uac_bypass_consent_comctl32.yml │ │ ├── proc_creation_win_uac_bypass_dismhost.yml │ │ ├── proc_creation_win_uac_bypass_fodhelper.yml │ │ ├── proc_creation_win_uac_bypass_idiagnostic_profile.yml │ │ ├── proc_creation_win_uac_bypass_ieinstal.yml │ │ ├── proc_creation_win_uac_bypass_msconfig_gui.yml │ │ ├── proc_creation_win_uac_bypass_ntfs_reparse_point.yml │ │ ├── proc_creation_win_uac_bypass_pkgmgr_dism.yml │ │ ├── proc_creation_win_uac_bypass_winsat.yml │ │ ├── proc_creation_win_uac_bypass_wmp.yml │ │ ├── proc_creation_win_uac_bypass_wsreset.yml │ │ ├── proc_creation_win_uac_bypass_wsreset_integrity_level.yml │ │ ├── proc_creation_win_uninstall_crowdstrike_falcon.yml │ │ ├── proc_creation_win_uninstall_sysmon.yml │ │ ├── proc_creation_win_using_sc_to_change_sevice_image_path_by_non_admin.yml │ │ ├── proc_creation_win_using_sc_to_hide_sevices.yml │ │ ├── proc_creation_win_using_settingsynchost_as_lolbin.yml │ │ ├── proc_creation_win_verclsid_runs_com.yml │ │ ├── proc_creation_win_vmtoolsd_susp_child_process.yml │ │ ├── proc_creation_win_vul_java_remote_debugging.yml │ │ ├── proc_creation_win_webshell_detection.yml │ │ ├── proc_creation_win_webshell_hacking.yml │ │ ├── proc_creation_win_webshell_recon_detection.yml │ │ ├── proc_creation_win_webshell_spawn.yml │ │ ├── proc_creation_win_whoami_as_priv_user.yml │ │ ├── proc_creation_win_whoami_as_system.yml │ │ ├── proc_creation_win_whoami_priv.yml │ │ ├── proc_creation_win_win10_sched_task_0day.yml │ │ ├── proc_creation_win_win_exchange_transportagent.yml │ │ ├── proc_creation_win_winword_dll_load.yml │ │ ├── proc_creation_win_wmi_backdoor_exchange_transport_agent.yml │ │ ├── proc_creation_win_wmi_persistence_script_event_consumer.yml │ │ ├── proc_creation_win_wmi_spwns_powershell.yml │ │ ├── proc_creation_win_wmic_hotfix_enum.yml │ │ ├── proc_creation_win_wmic_reconnaissance.yml │ │ ├── proc_creation_win_wmic_remote_command.yml │ │ ├── proc_creation_win_wmic_remote_service.yml │ │ ├── proc_creation_win_wmic_remove_application.yml │ │ ├── proc_creation_win_wmic_service.yml │ │ ├── proc_creation_win_wmic_unquoted_service_search.yml │ │ ├── proc_creation_win_wmiprvse_spawning_process.yml │ │ ├── proc_creation_win_workflow_compiler.yml │ │ ├── proc_creation_win_write_protect_for_storage_disabled.yml │ │ ├── proc_creation_win_wsreset_uac_bypass.yml │ │ ├── proc_creation_win_xordump.yml │ │ └── proc_creation_win_xsl_script_processing.yml │ │ ├── raw_access_thread │ │ └── sysmon_raw_disk_access_using_illegitimate_tools.yml │ │ ├── registry │ │ ├── registry_add │ │ │ ├── registry_add_logon_scripts_userinitmprlogonscript_reg.yml │ │ │ ├── registry_add_mal_netwire.yml │ │ │ ├── registry_add_mal_ursnif.yml │ │ │ ├── registry_add_persistence_key_linking.yml │ │ │ ├── registry_add_sysinternals_eula_accepted.yml │ │ │ └── registry_add_sysinternals_sdelete_registry_keys.yml │ │ ├── registry_delete │ │ │ ├── registry_delete_mstsc_history_cleared.yml │ │ │ ├── registry_delete_removal_amsi_registry_key.yml │ │ │ ├── registry_delete_removal_com_hijacking_registry_key.yml │ │ │ └── registry_delete_removal_sd_value_scheduled_task_hide.yml │ │ ├── registry_event │ │ │ ├── registry_event_add_local_hidden_user.yml │ │ │ ├── registry_event_apt_chafer_mar18.yml │ │ │ ├── registry_event_apt_leviathan.yml │ │ │ ├── registry_event_apt_oceanlotus_registry.yml │ │ │ ├── registry_event_apt_pandemic.yml │ │ │ ├── registry_event_bypass_via_wsreset.yml │ │ │ ├── registry_event_cmstp_execution_by_registry.yml │ │ │ ├── registry_event_crashdump_disabled.yml │ │ │ ├── registry_event_cve_2021_31979_cve_2021_33771_exploits.yml │ │ │ ├── registry_event_disable_security_events_logging_adding_reg_key_minint.yml │ │ │ ├── registry_event_disable_wdigest_credential_guard.yml │ │ │ ├── registry_event_dns_serverlevelplugindll.yml │ │ │ ├── registry_event_esentutl_volume_shadow_copy_service_keys.yml │ │ │ ├── registry_event_hack_wce_reg.yml │ │ │ ├── registry_event_hybridconnectionmgr_svc_installation.yml │ │ │ ├── registry_event_mal_azorult.yml │ │ │ ├── registry_event_mal_flowcloud.yml │ │ │ ├── registry_event_mimikatz_printernightmare.yml │ │ │ ├── registry_event_modify_screensaver_binary_path.yml │ │ │ ├── registry_event_narrator_feedback_persistance.yml │ │ │ ├── registry_event_net_ntlm_downgrade.yml │ │ │ ├── registry_event_new_dll_added_to_appcertdlls_registry_key.yml │ │ │ ├── registry_event_new_dll_added_to_appinit_dlls_registry_key.yml │ │ │ ├── registry_event_office_test_regadd.yml │ │ │ ├── registry_event_persistence_recycle_bin.yml │ │ │ ├── registry_event_portproxy_registry_key.yml │ │ │ ├── registry_event_redmimicry_winnti_reg.yml │ │ │ ├── registry_event_runkey_winekey.yml │ │ │ ├── registry_event_runonce_persistence.yml │ │ │ ├── registry_event_shell_open_keys_manipulation.yml │ │ │ ├── registry_event_silentprocessexit_lsass.yml │ │ │ ├── registry_event_ssp_added_lsa_config.yml │ │ │ ├── registry_event_stickykey_like_backdoor.yml │ │ │ ├── registry_event_susp_atbroker_change.yml │ │ │ ├── registry_event_susp_download_run_key.yml │ │ │ ├── registry_event_susp_lsass_dll_load.yml │ │ │ ├── registry_event_susp_mic_cam_access.yml │ │ │ └── registry_event_trust_record_modification.yml │ │ └── registry_set │ │ │ ├── registry_set_abusing_windows_telemetry_for_persistence.yml │ │ │ ├── registry_set_add_load_service_in_safe_mode.yml │ │ │ ├── registry_set_add_port_monitor.yml │ │ │ ├── registry_set_asep_reg_keys_modification_classes.yml │ │ │ ├── registry_set_asep_reg_keys_modification_common.yml │ │ │ ├── registry_set_asep_reg_keys_modification_currentcontrolset.yml │ │ │ ├── registry_set_asep_reg_keys_modification_currentversion.yml │ │ │ ├── registry_set_asep_reg_keys_modification_currentversion_nt.yml │ │ │ ├── registry_set_asep_reg_keys_modification_internet_explorer.yml │ │ │ ├── registry_set_asep_reg_keys_modification_office.yml │ │ │ ├── registry_set_asep_reg_keys_modification_session_manager.yml │ │ │ ├── registry_set_asep_reg_keys_modification_system_scripts.yml │ │ │ ├── registry_set_asep_reg_keys_modification_winsock2.yml │ │ │ ├── registry_set_asep_reg_keys_modification_wow6432node.yml │ │ │ ├── registry_set_asep_reg_keys_modification_wow6432node_classes.yml │ │ │ ├── registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml │ │ │ ├── registry_set_blackbyte_ransomware.yml │ │ │ ├── registry_set_bypass_uac_using_delegateexecute.yml │ │ │ ├── registry_set_bypass_uac_using_eventviewer.yml │ │ │ ├── registry_set_bypass_uac_using_silentcleanup_task.yml │ │ │ ├── registry_set_change_rdp_port.yml │ │ │ ├── registry_set_change_security_zones.yml │ │ │ ├── registry_set_chrome_extension.yml │ │ │ ├── registry_set_cobaltstrike_service_installs.yml │ │ │ ├── registry_set_comhijack_sdclt.yml │ │ │ ├── registry_set_creation_service_susp_folder.yml │ │ │ ├── registry_set_creation_service_temp_folder.yml │ │ │ ├── registry_set_creation_service_uncommon_folder.yml │ │ │ ├── registry_set_custom_file_open_handler_powershell_execution.yml │ │ │ ├── registry_set_cve_2020_1048_new_printer_port.yml │ │ │ ├── registry_set_cve_2022_30190_msdt_follina.yml │ │ │ ├── registry_set_defender_disabled.yml │ │ │ ├── registry_set_defender_exclusions.yml │ │ │ ├── registry_set_defender_realtime_protection_disabled.yml │ │ │ ├── registry_set_dhcp_calloutdll.yml │ │ │ ├── registry_set_disable_administrative_share.yml │ │ │ ├── registry_set_disable_defender_firewall.yml │ │ │ ├── registry_set_disable_fonction_user.yml │ │ │ ├── registry_set_disable_microsoft_office_security_features.yml │ │ │ ├── registry_set_disable_system_restore.yml │ │ │ ├── registry_set_disable_uac_registry.yml │ │ │ ├── registry_set_disable_winevt_logging.yml │ │ │ ├── registry_set_disabled_exploit_guard_net_protection_on_ms_defender.yml │ │ │ ├── registry_set_disabled_microsoft_defender_eventlog.yml │ │ │ ├── registry_set_disabled_pua_protection_on_microsoft_defender.yml │ │ │ ├── registry_set_disabled_tamper_protection_on_microsoft_defender.yml │ │ │ ├── registry_set_dns_over_https_enabled.yml │ │ │ ├── registry_set_enabling_cor_profiler_env_variables.yml │ │ │ ├── registry_set_enabling_turnoffcheck.yml │ │ │ ├── registry_set_etw_disabled.yml │ │ │ ├── registry_set_file_association_exefile.yml │ │ │ ├── registry_set_globalflags_persistence.yml │ │ │ ├── registry_set_hidden_extention.yml │ │ │ ├── registry_set_hide_file.yml │ │ │ ├── registry_set_hide_fonction_user.yml │ │ │ ├── registry_set_ie_persistence.yml │ │ │ ├── registry_set_install_root_or_ca_certificat.yml │ │ │ ├── registry_set_lolbin_onedrivestandaloneupdater.yml │ │ │ ├── registry_set_mal_adwind.yml │ │ │ ├── registry_set_mal_blue_mockingbird.yml │ │ │ ├── registry_set_new_application_appcompat.yml │ │ │ ├── registry_set_office_enable_dde.yml │ │ │ ├── registry_set_office_security.yml │ │ │ ├── registry_set_office_vsto_persistence.yml │ │ │ ├── registry_set_outlook_c2_registry_key.yml │ │ │ ├── registry_set_outlook_registry_todaypage.yml │ │ │ ├── registry_set_outlook_registry_webview.yml │ │ │ ├── registry_set_outlook_security.yml │ │ │ ├── registry_set_persistence_search_order.yml │ │ │ ├── registry_set_powershell_as_service.yml │ │ │ ├── registry_set_powershell_in_run_keys.yml │ │ │ ├── registry_set_powershell_logging_disabled.yml │ │ │ ├── registry_set_rdp_registry_modification.yml │ │ │ ├── registry_set_rdp_settings_hijack.yml │ │ │ ├── registry_set_scr_file_executed_by_rundll32.yml │ │ │ ├── registry_set_set_nopolicies_user.yml │ │ │ ├── registry_set_set_servicedll.yml │ │ │ ├── registry_set_shim_databases_persistence.yml │ │ │ ├── registry_set_silentprocessexit.yml │ │ │ ├── registry_set_susp_printer_driver.yml │ │ │ ├── registry_set_susp_reg_persist_explorer_run.yml │ │ │ ├── registry_set_susp_run_key_img_folder.yml │ │ │ ├── registry_set_susp_service_installed.yml │ │ │ ├── registry_set_taskcache_entry.yml │ │ │ ├── registry_set_telemetry_persistence.yml │ │ │ ├── registry_set_timeproviders_dllname.yml │ │ │ ├── registry_set_uac_bypass_eventvwr.yml │ │ │ ├── registry_set_uac_bypass_sdclt.yml │ │ │ ├── registry_set_uac_bypass_winsat.yml │ │ │ ├── registry_set_uac_bypass_wmp.yml │ │ │ ├── registry_set_vbs_payload_stored.yml │ │ │ ├── registry_set_wab_dllpath_reg_change.yml │ │ │ ├── registry_set_wdigest_enable_uselogoncredential.yml │ │ │ └── registry_set_winlogon_notify_key.yml │ │ ├── sysmon │ │ ├── sysmon_accessing_winapi_in_powershell_credentials_dumping.yml │ │ ├── sysmon_config_modification.yml │ │ ├── sysmon_config_modification_error.yml │ │ ├── sysmon_config_modification_status.yml │ │ ├── sysmon_dcom_iertutil_dll_hijack.yml │ │ └── sysmon_process_hollowing.yml │ │ └── wmi_event │ │ ├── sysmon_wmi_event_subscription.yml │ │ ├── sysmon_wmi_susp_encoded_scripts.yml │ │ └── sysmon_wmi_susp_scripting.yml ├── generated │ └── org │ │ └── opensearch │ │ └── securityanalytics │ │ └── rules │ │ └── condition │ │ ├── ConditionBaseListener.java │ │ ├── ConditionBaseVisitor.java │ │ ├── ConditionLexer.java │ │ ├── ConditionListener.java │ │ ├── ConditionParser.java │ │ ├── ConditionVisitor.java │ │ └── aggregation │ │ ├── AggregationBaseListener.java │ │ ├── AggregationBaseVisitor.java │ │ ├── AggregationLexer.java │ │ ├── AggregationListener.java │ │ ├── AggregationParser.java │ │ └── AggregationVisitor.java ├── grammars │ ├── Aggregation.g4 │ └── Condition.g4 ├── java │ └── org │ │ └── opensearch │ │ └── securityanalytics │ │ ├── SecurityAnalyticsPlugin.java │ │ ├── action │ │ ├── AckAlertsAction.java │ │ ├── AckAlertsRequest.java │ │ ├── AckAlertsResponse.java │ │ ├── AckCorrelationAlertsAction.java │ │ ├── AckCorrelationAlertsRequest.java │ │ ├── AckCorrelationAlertsResponse.java │ │ ├── AlertDto.java │ │ ├── CorrelatedFindingAction.java │ │ ├── CorrelatedFindingRequest.java │ │ ├── CorrelatedFindingResponse.java │ │ ├── CreateIndexMappingsAction.java │ │ ├── CreateIndexMappingsRequest.java │ │ ├── DeleteCorrelationRuleAction.java │ │ ├── DeleteCorrelationRuleRequest.java │ │ ├── DeleteCustomLogTypeAction.java │ │ ├── DeleteCustomLogTypeRequest.java │ │ ├── DeleteCustomLogTypeResponse.java │ │ ├── DeleteDetectorAction.java │ │ ├── DeleteDetectorRequest.java │ │ ├── DeleteDetectorResponse.java │ │ ├── DeleteRuleAction.java │ │ ├── DeleteRuleRequest.java │ │ ├── DeleteRuleResponse.java │ │ ├── FindingDto.java │ │ ├── GetAlertsAction.java │ │ ├── GetAlertsRequest.java │ │ ├── GetAlertsResponse.java │ │ ├── GetAllRuleCategoriesAction.java │ │ ├── GetAllRuleCategoriesRequest.java │ │ ├── GetAllRuleCategoriesResponse.java │ │ ├── GetCorrelationAlertsAction.java │ │ ├── GetCorrelationAlertsRequest.java │ │ ├── GetCorrelationAlertsResponse.java │ │ ├── GetDetectorAction.java │ │ ├── GetDetectorRequest.java │ │ ├── GetDetectorResponse.java │ │ ├── GetFindingsAction.java │ │ ├── GetFindingsRequest.java │ │ ├── GetFindingsResponse.java │ │ ├── GetIndexMappingsAction.java │ │ ├── GetIndexMappingsRequest.java │ │ ├── GetIndexMappingsResponse.java │ │ ├── GetMappingsViewAction.java │ │ ├── GetMappingsViewRequest.java │ │ ├── GetMappingsViewResponse.java │ │ ├── IndexCorrelationRuleAction.java │ │ ├── IndexCorrelationRuleRequest.java │ │ ├── IndexCorrelationRuleResponse.java │ │ ├── IndexCustomLogTypeAction.java │ │ ├── IndexCustomLogTypeRequest.java │ │ ├── IndexCustomLogTypeResponse.java │ │ ├── IndexDetectorAction.java │ │ ├── IndexDetectorRequest.java │ │ ├── IndexDetectorResponse.java │ │ ├── IndexRuleAction.java │ │ ├── IndexRuleRequest.java │ │ ├── IndexRuleResponse.java │ │ ├── ListCorrelationsAction.java │ │ ├── ListCorrelationsRequest.java │ │ ├── ListCorrelationsResponse.java │ │ ├── SearchCorrelationRuleAction.java │ │ ├── SearchCorrelationRuleRequest.java │ │ ├── SearchCustomLogTypeAction.java │ │ ├── SearchCustomLogTypeRequest.java │ │ ├── SearchDetectorAction.java │ │ ├── SearchDetectorRequest.java │ │ ├── SearchRuleAction.java │ │ ├── SearchRuleRequest.java │ │ ├── TestS3ConnectionAction.java │ │ ├── TestS3ConnectionRequest.java │ │ ├── TestS3ConnectionResponse.java │ │ ├── UpdateIndexMappingsAction.java │ │ ├── UpdateIndexMappingsRequest.java │ │ ├── ValidateRulesAction.java │ │ ├── ValidateRulesRequest.java │ │ └── ValidateRulesResponse.java │ │ ├── alerts │ │ └── AlertsService.java │ │ ├── config │ │ └── monitors │ │ │ └── DetectorMonitorConfig.java │ │ ├── correlation │ │ ├── CorrelationConstants.java │ │ ├── JoinEngine.java │ │ ├── VectorEmbeddingsEngine.java │ │ ├── alert │ │ │ ├── CorrelationAlertService.java │ │ │ ├── CorrelationAlertsList.java │ │ │ ├── CorrelationRuleScheduler.java │ │ │ └── notifications │ │ │ │ ├── CorrelationAlertContext.java │ │ │ │ └── NotificationService.java │ │ └── index │ │ │ ├── CorrelationParamsContext.java │ │ │ ├── VectorField.java │ │ │ ├── codec │ │ │ ├── BasePerFieldCorrelationVectorsFormat.java │ │ │ ├── CorrelationCodecService.java │ │ │ ├── CorrelationCodecVersion.java │ │ │ ├── correlation9120 │ │ │ │ └── CorrelationCodec9120.java │ │ │ ├── correlation950 │ │ │ │ ├── CorrelationCodec950.java │ │ │ │ └── PerFieldCorrelationVectorsFormat950.java │ │ │ ├── correlation990 │ │ │ │ ├── CorrelationCodec990.java │ │ │ │ └── PerFieldCorrelationVectorsFormat990.java │ │ │ └── util │ │ │ │ ├── CorrelationVectorAsArraySerializer.java │ │ │ │ └── CorrelationVectorSerializer.java │ │ │ ├── mapper │ │ │ ├── CorrelationVectorFieldMapper.java │ │ │ └── LuceneFieldMapper.java │ │ │ └── query │ │ │ ├── CorrelationQueryBuilder.java │ │ │ └── CorrelationQueryFactory.java │ │ ├── findings │ │ └── FindingsService.java │ │ ├── indexmanagment │ │ └── DetectorIndexManagementService.java │ │ ├── jobscheduler │ │ └── SecurityAnalyticsRunner.java │ │ ├── logtype │ │ ├── BuiltinLogTypeLoader.java │ │ ├── LogTypeService.java │ │ └── MappingSchema.java │ │ ├── mapper │ │ ├── IndexTemplateManager.java │ │ ├── IndexTemplateUtils.java │ │ ├── MapperService.java │ │ ├── MapperUtils.java │ │ └── MappingsTraverser.java │ │ ├── model │ │ ├── CorrelatedFinding.java │ │ ├── CorrelationQuery.java │ │ ├── CorrelationRule.java │ │ ├── CorrelationRuleTrigger.java │ │ ├── CreateMappingResult.java │ │ ├── CustomLogType.java │ │ ├── DetailedSTIX2IOCDto.java │ │ ├── Detector.java │ │ ├── DetectorInput.java │ │ ├── DetectorRule.java │ │ ├── DetectorTrigger.java │ │ ├── FieldMappingDoc.java │ │ ├── FindingWithScore.java │ │ ├── LogType.java │ │ ├── Rule.java │ │ ├── RuleCategory.java │ │ ├── STIX2IOC.java │ │ ├── STIX2IOCDto.java │ │ ├── ThreatIntelFeedData.java │ │ ├── Value.java │ │ └── threatintel │ │ │ ├── BaseEntity.java │ │ │ ├── IocFinding.java │ │ │ ├── IocWithFeeds.java │ │ │ └── ThreatIntelAlert.java │ │ ├── resthandler │ │ ├── RestAcknowledgeAlertsAction.java │ │ ├── RestAcknowledgeCorrelationAlertsAction.java │ │ ├── RestCreateIndexMappingsAction.java │ │ ├── RestDeleteCorrelationRuleAction.java │ │ ├── RestDeleteCustomLogTypeAction.java │ │ ├── RestDeleteDetectorAction.java │ │ ├── RestDeleteRuleAction.java │ │ ├── RestGetAlertsAction.java │ │ ├── RestGetAllRuleCategoriesAction.java │ │ ├── RestGetCorrelationsAlertsAction.java │ │ ├── RestGetDetectorAction.java │ │ ├── RestGetFindingsAction.java │ │ ├── RestGetIndexMappingsAction.java │ │ ├── RestGetMappingsViewAction.java │ │ ├── RestIndexCorrelationRuleAction.java │ │ ├── RestIndexCustomLogTypeAction.java │ │ ├── RestIndexDetectorAction.java │ │ ├── RestIndexRuleAction.java │ │ ├── RestListCorrelationAction.java │ │ ├── RestSearchCorrelationAction.java │ │ ├── RestSearchCorrelationRuleAction.java │ │ ├── RestSearchCustomLogTypeAction.java │ │ ├── RestSearchDetectorAction.java │ │ ├── RestSearchRuleAction.java │ │ ├── RestTestS3ConnectionAction.java │ │ ├── RestUpdateIndexMappingsAction.java │ │ └── RestValidateRulesAction.java │ │ ├── rules │ │ ├── aggregation │ │ │ ├── AggregationItem.java │ │ │ └── AggregationTraverseVisitor.java │ │ ├── backend │ │ │ ├── AggregationBuilders.java │ │ │ ├── OSQueryBackend.java │ │ │ └── QueryBackend.java │ │ ├── condition │ │ │ ├── ConditionAND.java │ │ │ ├── ConditionFieldEqualsValueExpression.java │ │ │ ├── ConditionIdentifier.java │ │ │ ├── ConditionItem.java │ │ │ ├── ConditionNOT.java │ │ │ ├── ConditionOR.java │ │ │ ├── ConditionSelector.java │ │ │ ├── ConditionTraverseVisitor.java │ │ │ ├── ConditionType.java │ │ │ └── ConditionValueExpression.java │ │ ├── exceptions │ │ │ ├── CompositeSigmaErrors.java │ │ │ ├── SigmaConditionError.java │ │ │ ├── SigmaDateError.java │ │ │ ├── SigmaDetectionError.java │ │ │ ├── SigmaError.java │ │ │ ├── SigmaIdentifierError.java │ │ │ ├── SigmaLevelError.java │ │ │ ├── SigmaLogsourceError.java │ │ │ ├── SigmaModifierError.java │ │ │ ├── SigmaRegularExpressionError.java │ │ │ ├── SigmaStatusError.java │ │ │ ├── SigmaTitleError.java │ │ │ ├── SigmaTypeError.java │ │ │ └── SigmaValueError.java │ │ ├── modifiers │ │ │ ├── SigmaAllModifier.java │ │ │ ├── SigmaBase64Modifier.java │ │ │ ├── SigmaBase64OffsetModifier.java │ │ │ ├── SigmaCIDRModifier.java │ │ │ ├── SigmaCompareModifier.java │ │ │ ├── SigmaContainsModifier.java │ │ │ ├── SigmaEndswithModifier.java │ │ │ ├── SigmaGreaterThanEqualModifier.java │ │ │ ├── SigmaGreaterThanModifier.java │ │ │ ├── SigmaLessThanEqualModifier.java │ │ │ ├── SigmaLessThanModifier.java │ │ │ ├── SigmaListModifier.java │ │ │ ├── SigmaModifier.java │ │ │ ├── SigmaModifierFacade.java │ │ │ ├── SigmaRegularExpressionModifier.java │ │ │ ├── SigmaStartswithModifier.java │ │ │ ├── SigmaValueModifier.java │ │ │ ├── SigmaWideModifier.java │ │ │ └── SigmaWindowsDashModifier.java │ │ ├── objects │ │ │ ├── SigmaCondition.java │ │ │ ├── SigmaDetection.java │ │ │ ├── SigmaDetectionItem.java │ │ │ ├── SigmaDetections.java │ │ │ ├── SigmaLevel.java │ │ │ ├── SigmaLogSource.java │ │ │ ├── SigmaRule.java │ │ │ ├── SigmaRuleTag.java │ │ │ └── SigmaStatus.java │ │ ├── types │ │ │ ├── Placeholder.java │ │ │ ├── SigmaBool.java │ │ │ ├── SigmaCIDRExpression.java │ │ │ ├── SigmaCompareExpression.java │ │ │ ├── SigmaExpansion.java │ │ │ ├── SigmaNull.java │ │ │ ├── SigmaNumber.java │ │ │ ├── SigmaRegularExpression.java │ │ │ ├── SigmaString.java │ │ │ ├── SigmaType.java │ │ │ └── SigmaTypeFacade.java │ │ └── utils │ │ │ ├── AnyOneOf.java │ │ │ ├── Either.java │ │ │ ├── Left.java │ │ │ ├── Middle.java │ │ │ └── Right.java │ │ ├── services │ │ ├── JsonPathAwareInputCodec.java │ │ ├── STIX2IOCConnectorFactory.java │ │ ├── STIX2IOCConsumer.java │ │ ├── STIX2IOCFeedStore.java │ │ └── STIX2IOCFetchService.java │ │ ├── settings │ │ └── SecurityAnalyticsSettings.java │ │ ├── threatIntel │ │ ├── action │ │ │ ├── GetIocFindingsAction.java │ │ │ ├── GetIocFindingsRequest.java │ │ │ ├── GetIocFindingsResponse.java │ │ │ ├── ListIOCsAction.java │ │ │ ├── ListIOCsActionRequest.java │ │ │ ├── ListIOCsActionResponse.java │ │ │ ├── PutTIFJobAction.java │ │ │ ├── PutTIFJobRequest.java │ │ │ ├── SADeleteTIFSourceConfigAction.java │ │ │ ├── SADeleteTIFSourceConfigRequest.java │ │ │ ├── SADeleteTIFSourceConfigResponse.java │ │ │ ├── SAGetTIFSourceConfigAction.java │ │ │ ├── SAGetTIFSourceConfigRequest.java │ │ │ ├── SAGetTIFSourceConfigResponse.java │ │ │ ├── SAIndexTIFSourceConfigAction.java │ │ │ ├── SAIndexTIFSourceConfigRequest.java │ │ │ ├── SAIndexTIFSourceConfigResponse.java │ │ │ ├── SARefreshTIFSourceConfigAction.java │ │ │ ├── SARefreshTIFSourceConfigRequest.java │ │ │ ├── SASearchTIFSourceConfigsAction.java │ │ │ ├── SASearchTIFSourceConfigsRequest.java │ │ │ ├── ThreatIntelIndicesResponse.java │ │ │ └── monitor │ │ │ │ ├── DeleteThreatIntelMonitorAction.java │ │ │ │ ├── GetThreatIntelAlertsAction.java │ │ │ │ ├── IndexThreatIntelMonitorAction.java │ │ │ │ ├── SearchThreatIntelMonitorAction.java │ │ │ │ ├── UpdateThreatIntelAlertStatusAction.java │ │ │ │ ├── request │ │ │ │ ├── DeleteThreatIntelMonitorRequest.java │ │ │ │ ├── GetThreatIntelAlertsRequest.java │ │ │ │ ├── IndexThreatIntelMonitorRequest.java │ │ │ │ ├── SearchThreatIntelMonitorRequest.java │ │ │ │ └── UpdateThreatIntelAlertStatusRequest.java │ │ │ │ └── response │ │ │ │ ├── GetThreatIntelAlertsResponse.java │ │ │ │ ├── IndexThreatIntelMonitorResponse.java │ │ │ │ └── UpdateThreatIntelAlertsStatusResponse.java │ │ ├── common │ │ │ ├── Constants.java │ │ │ ├── ParameterValidator.java │ │ │ ├── RefreshType.java │ │ │ ├── SourceConfigDtoValidator.java │ │ │ ├── SourceConfigType.java │ │ │ ├── TIFJobState.java │ │ │ └── TIFLockService.java │ │ ├── feedMetadata │ │ │ └── BuiltInTIFMetadataLoader.java │ │ ├── iocscan │ │ │ ├── dao │ │ │ │ ├── BaseEntityCrudService.java │ │ │ │ ├── IocFindingService.java │ │ │ │ └── ThreatIntelAlertService.java │ │ │ ├── dto │ │ │ │ ├── IocScanContext.java │ │ │ │ └── PerIocTypeScanInputDto.java │ │ │ └── service │ │ │ │ ├── IoCScanService.java │ │ │ │ ├── IoCScanServiceInterface.java │ │ │ │ ├── SaIoCScanService.java │ │ │ │ ├── ThreatIntelAlertContext.java │ │ │ │ └── ThreatIntelMonitorRunner.java │ │ ├── jobscheduler │ │ │ ├── TIFJobRunner.java │ │ │ └── TIFSourceConfigRunner.java │ │ ├── model │ │ │ ├── CustomSchemaIocUploadSource.java │ │ │ ├── DefaultIocStoreConfig.java │ │ │ ├── IocSchema.java │ │ │ ├── IocStoreConfig.java │ │ │ ├── IocUploadSource.java │ │ │ ├── JsonPathIocSchema.java │ │ │ ├── JsonPathSchemaField.java │ │ │ ├── S3Source.java │ │ │ ├── SATIFSourceConfig.java │ │ │ ├── SATIFSourceConfigDto.java │ │ │ ├── Source.java │ │ │ ├── TIFJobParameter.java │ │ │ ├── TIFMetadata.java │ │ │ ├── UrlDownloadSource.java │ │ │ └── monitor │ │ │ │ ├── PerIocTypeScanInput.java │ │ │ │ ├── ThreatIntelInput.java │ │ │ │ ├── ThreatIntelTrigger.java │ │ │ │ └── TransportThreatIntelMonitorFanOutAction.java │ │ ├── resthandler │ │ │ ├── RestDeleteTIFSourceConfigAction.java │ │ │ ├── RestGetIocFindingsAction.java │ │ │ ├── RestGetTIFSourceConfigAction.java │ │ │ ├── RestIndexTIFSourceConfigAction.java │ │ │ ├── RestListIOCsAction.java │ │ │ ├── RestRefreshTIFSourceConfigAction.java │ │ │ ├── RestSearchTIFSourceConfigsAction.java │ │ │ └── monitor │ │ │ │ ├── RestDeleteThreatIntelMonitorAction.java │ │ │ │ ├── RestGetThreatIntelAlertsAction.java │ │ │ │ ├── RestIndexThreatIntelMonitorAction.java │ │ │ │ ├── RestSearchThreatIntelMonitorAction.java │ │ │ │ └── RestUpdateThreatIntelAlertsStatusAction.java │ │ ├── sacommons │ │ │ ├── IndexTIFSourceConfigAction.java │ │ │ ├── IndexTIFSourceConfigRequest.java │ │ │ ├── IndexTIFSourceConfigResponse.java │ │ │ ├── TIFSourceConfig.java │ │ │ ├── TIFSourceConfigDto.java │ │ │ ├── TIFSourceConfigManagementService.java │ │ │ └── monitor │ │ │ │ ├── IndexIocScanMonitorResponseInterface.java │ │ │ │ ├── IndexTIFSourceConfigRequestInterface.java │ │ │ │ ├── ThreatIntelAlertDto.java │ │ │ │ ├── ThreatIntelMonitorActions.java │ │ │ │ ├── ThreatIntelMonitorDto.java │ │ │ │ ├── ThreatIntelMonitorDtoInterface.java │ │ │ │ └── ThreatIntelTriggerDto.java │ │ ├── service │ │ │ ├── DefaultTifSourceConfigLoaderService.java │ │ │ ├── DetectorThreatIntelService.java │ │ │ ├── JsonPathIocSchemaThreatIntelHandler.java │ │ │ ├── SATIFSourceConfigManagementService.java │ │ │ ├── SATIFSourceConfigService.java │ │ │ ├── TIFJobParameterService.java │ │ │ ├── TIFJobUpdateService.java │ │ │ └── ThreatIntelFeedDataService.java │ │ ├── transport │ │ │ ├── TransportDeleteTIFSourceConfigAction.java │ │ │ ├── TransportGetIocFindingsAction.java │ │ │ ├── TransportGetTIFSourceConfigAction.java │ │ │ ├── TransportIndexTIFSourceConfigAction.java │ │ │ ├── TransportListIOCsAction.java │ │ │ ├── TransportPutTIFJobAction.java │ │ │ ├── TransportRefreshTIFSourceConfigAction.java │ │ │ ├── TransportSearchTIFSourceConfigsAction.java │ │ │ └── monitor │ │ │ │ ├── TransportDeleteThreatIntelMonitorAction.java │ │ │ │ ├── TransportGetThreatIntelAlertsAction.java │ │ │ │ ├── TransportIndexThreatIntelMonitorAction.java │ │ │ │ ├── TransportSearchThreatIntelMonitorAction.java │ │ │ │ └── TransportUpdateThreatIntelAlertStatusAction.java │ │ └── util │ │ │ ├── ThreatIntelFeedDataUtils.java │ │ │ ├── ThreatIntelFeedParser.java │ │ │ └── ThreatIntelMonitorUtils.java │ │ ├── threatintel │ │ └── common │ │ │ └── StashedThreadContext.java │ │ ├── transport │ │ ├── SecureTransportAction.java │ │ ├── TransportAckCorrelationAlertsAction.java │ │ ├── TransportAcknowledgeAlertsAction.java │ │ ├── TransportCorrelateFindingAction.java │ │ ├── TransportCreateIndexMappingsAction.java │ │ ├── TransportDeleteCorrelationRuleAction.java │ │ ├── TransportDeleteCustomLogTypeAction.java │ │ ├── TransportDeleteDetectorAction.java │ │ ├── TransportDeleteRuleAction.java │ │ ├── TransportGetAlertsAction.java │ │ ├── TransportGetAllRuleCategoriesAction.java │ │ ├── TransportGetCorrelationAlertsAction.java │ │ ├── TransportGetDetectorAction.java │ │ ├── TransportGetFindingsAction.java │ │ ├── TransportGetIndexMappingsAction.java │ │ ├── TransportGetMappingsViewAction.java │ │ ├── TransportIndexCorrelationRuleAction.java │ │ ├── TransportIndexCustomLogTypeAction.java │ │ ├── TransportIndexDetectorAction.java │ │ ├── TransportIndexRuleAction.java │ │ ├── TransportListCorrelationAction.java │ │ ├── TransportSearchCorrelationAction.java │ │ ├── TransportSearchCorrelationRuleAction.java │ │ ├── TransportSearchCustomLogTypeAction.java │ │ ├── TransportSearchDetectorAction.java │ │ ├── TransportSearchRuleAction.java │ │ ├── TransportTestS3ConnectionAction.java │ │ ├── TransportUpdateIndexMappingsAction.java │ │ └── TransportValidateRulesAction.java │ │ └── util │ │ ├── AutoCorrelationsRepo.java │ │ ├── CorrelationIndices.java │ │ ├── CorrelationRuleIndices.java │ │ ├── CustomLogTypeIndices.java │ │ ├── DetectorIndices.java │ │ ├── DetectorUtils.java │ │ ├── ExceptionChecker.java │ │ ├── FileUtils.java │ │ ├── IndexUtils.java │ │ ├── MonitorService.java │ │ ├── RestHandlerUtils.java │ │ ├── RuleIndices.java │ │ ├── RuleTopicIndices.java │ │ ├── RuleValidator.java │ │ ├── SecurityAnalyticsException.java │ │ ├── ThrowableCheckingPredicates.java │ │ ├── WorkflowService.java │ │ └── XContentUtils.java ├── plugin-metadata │ └── plugin-security.policy └── resources │ ├── META-INF │ └── services │ │ ├── org.apache.lucene.codecs.Codec │ │ ├── org.opensearch.alerting.spi.RemoteMonitorRunnerExtension │ │ └── org.opensearch.jobscheduler.spi.JobSchedulerExtension │ ├── OSMapping │ ├── ad_ldap_logtype.json │ ├── apache_access_logtype.json │ ├── azure_logtype.json │ ├── cloudtrail_logtype.json │ ├── dns_logtype.json │ ├── github_logtype.json │ ├── gworkspace_logtype.json │ ├── linux_logtype.json │ ├── logtypes.json │ ├── m365_logtype.json │ ├── netflow_logtype.json │ ├── network_logtype.json │ ├── okta_logtype.json │ ├── others_application_logtype.json │ ├── others_apt_logtype.json │ ├── others_cloud_logtype.json │ ├── others_compliance_logtype.json │ ├── others_macos_logtype.json │ ├── others_proxy_logtype.json │ ├── others_web_logtype.json │ ├── s3_logtype.json │ ├── test_windows_logtype.json │ ├── vpcflow_logtype.json │ ├── waf_logtype.json │ └── windows_logtype.json │ ├── correlations │ └── mitre_correlation.json │ ├── mappings │ ├── alert_mapping.json │ ├── correlation-rules.json │ ├── correlation.json │ ├── correlation_alert_mapping.json │ ├── detector-settings.json │ ├── detectors.json │ ├── finding_mapping.json │ ├── ioc_finding_mapping.json │ ├── log_type_config_mapping.json │ ├── rules.json │ ├── stix2_ioc_mapping.json │ ├── threat_intel_alert_mapping.json │ ├── threat_intel_feed_mapping.json │ └── threat_intel_job_mapping.json │ ├── threatIntelFeed │ └── feedMetadata.json │ └── threatIntelFeedInfo │ └── feodo.yml └── test ├── java └── org │ └── opensearch │ └── securityanalytics │ ├── DetectorThreatIntelIT.java │ ├── LogTypeServiceTests.java │ ├── SecurityAnalyticsClientUtils.java │ ├── SecurityAnalyticsPluginRestApiIT.java │ ├── SecurityAnalyticsRestTestCase.java │ ├── TestHelpers.java │ ├── action │ ├── AckAlertsRequestTests.java │ ├── AckAlertsResponseTests.java │ ├── CreateIndexMappingsRequestTests.java │ ├── GetDetectorActionTests.java │ ├── GetDetectorRequestTests.java │ ├── GetIndexMappingsRequestTests.java │ ├── GetIndexMappingsResponseTests.java │ ├── GetTIFSourceConfigActionTests.java │ ├── GetTIFSourceConfigRequestTests.java │ ├── GetTIFSourceConfigResponseTests.java │ ├── IndexDetectorActionTests.java │ ├── IndexDetectorRequestTests.java │ ├── IndexDetectorResponseTests.java │ ├── IndexTIFSourceConfigActionTests.java │ ├── IndexTIFSourceConfigRequestTests.java │ ├── IndexTIFSourceConfigResponseTests.java │ ├── UpdateIndexMappingsRequestTests.java │ ├── ValidateRulesRequestTests.java │ └── ValidateRulesResponseTests.java │ ├── alerts │ ├── AlertingServiceTests.java │ ├── AlertsIT.java │ └── SecureAlertsRestApiIT.java │ ├── correlation │ ├── CorrelationEngineRestApiIT.java │ ├── CorrelationEngineRuleRestApiIT.java │ ├── LuceneEngineIT.java │ └── alerts │ │ ├── CorrelationAlertServiceTests.java │ │ └── CorrelationAlertsRestApiIT.java │ ├── findings │ ├── FindingDtoTests.java │ ├── FindingIT.java │ ├── FindingServiceTests.java │ └── SecureFindingRestApiIT.java │ ├── mapper │ ├── MapperRestApiIT.java │ ├── MapperServiceTests.java │ ├── MapperUtilsTests.java │ ├── MappingsTraverserTests.java │ └── action │ │ └── mapping │ │ ├── CreateIndexMappingsRequestTests.java │ │ ├── GetIndexMappingsRequestTests.java │ │ ├── GetIndexMappingsResponseTests.java │ │ └── UpdateIndexMappingsRequestTests.java │ ├── model │ ├── DetailedSTIX2IOCDtoTests.java │ ├── DetectorInputTests.java │ ├── IocFindingTests.java │ ├── SATIFSourceConfigDtoTests.java │ ├── SATIFSourceConfigTests.java │ ├── STIX2IOCDtoTests.java │ ├── STIX2IOCTests.java │ ├── WriteableTests.java │ ├── XContentTests.java │ └── threatintel │ │ └── ThreatIntelAlertTests.java │ ├── resthandler │ ├── CustomLogTypeRestApiIT.java │ ├── CustomSchemaSourceConfigIocUploadIT.java │ ├── DetectorMonitorRestApiIT.java │ ├── DetectorRestApiIT.java │ ├── ListIOCsRestApiIT.java │ ├── OCSFDetectorRestApiIT.java │ ├── RuleRestApiIT.java │ ├── SATIFSourceConfigRestApiIT.java │ ├── SecureDetectorRestApiIT.java │ ├── SecureThreatIntelMonitorRestApiIT.java │ ├── SourceConfigWithoutS3RestApiIT.java │ ├── TestS3ConnectionRestIT.java │ ├── ThreatIntelAlertIT.java │ └── ThreatIntelMonitorRestApiIT.java │ ├── rules │ ├── aggregation │ │ └── AggregationBackendTests.java │ ├── backend │ │ └── QueryBackendTests.java │ ├── condition │ │ └── ConditionTests.java │ ├── modifiers │ │ ├── SigmaAllModifierTests.java │ │ ├── SigmaBase64ModifierTests.java │ │ ├── SigmaBase64OffsetModifierTests.java │ │ ├── SigmaCIDRModifierTests.java │ │ ├── SigmaCompareModifierTests.java │ │ ├── SigmaContainsModifierTests.java │ │ ├── SigmaEndswithModifierTests.java │ │ ├── SigmaModifierTests.java │ │ ├── SigmaRegularExpressionModifierTests.java │ │ ├── SigmaStartswithModifierTests.java │ │ ├── SigmaWideModifierTests.java │ │ └── SigmaWindowsDashModifierTests.java │ ├── objects │ │ ├── SigmaDetectionItemTests.java │ │ ├── SigmaDetectionTests.java │ │ ├── SigmaDetectionsTests.java │ │ ├── SigmaLogSourceTests.java │ │ ├── SigmaRuleTagTests.java │ │ └── SigmaRuleTests.java │ ├── types │ │ ├── SigmaBoolTests.java │ │ ├── SigmaNullTests.java │ │ ├── SigmaNumberTests.java │ │ ├── SigmaStringTests.java │ │ └── SigmaTypeFacadeTests.java │ └── utils │ │ ├── AnyOneOfTests.java │ │ └── EitherTests.java │ ├── threatIntel │ ├── ThreatIntelTestCase.java │ ├── action │ │ ├── PutTIFJobRequestTests.java │ │ └── TransportPutTIFJobActionTests.java │ ├── common │ │ └── ThreatIntelLockServiceTests.java │ ├── integTests │ │ ├── TIFJobExtensionPluginIT.java │ │ └── ThreatIntelJobRunnerIT.java │ ├── iocscan │ │ └── dao │ │ │ └── IocFindingServiceRestApiIT.java │ ├── jobscheduler │ │ ├── TIFJobParameterServiceTests.java │ │ ├── TIFJobParameterTests.java │ │ ├── TIFJobRunnerTests.java │ │ └── TIFJobUpdateServiceTests.java │ └── model │ │ ├── JsonPathIocSchemaTests.java │ │ ├── ThreatIntelSourceTests.java │ │ └── monitor │ │ └── ThreatIntelInputTests.java │ ├── util │ ├── ExceptionCheckerTests.java │ ├── IndexUtilsTests.java │ ├── STIX2IOCGenerator.java │ └── ThrowableCheckingPredicatesTests.java │ └── writable │ └── LogTypeTests.java └── resources ├── OSMapping └── windows │ ├── fieldmappings.yml │ └── mappings.json ├── ad_ldap-sample.json ├── azure-sample.json ├── cloudtrail-sample.json ├── dns-sample.json ├── s3-sample.json ├── sample.pem ├── test-kirk.jks ├── testMissingPath.json ├── testMultipleAliasesWithSameName.json ├── testValidAliasMappings.json ├── testValidAliasMappingsSimple.json ├── testValidAliasMappingsWithNestedType.json ├── threatIntel ├── custom_schema_ioc │ └── custom_schema_1.json ├── sample_csv_with_description_and_header.csv ├── sample_invalid_less_than_two_fields.csv └── sample_valid.csv ├── threatIntelFeed └── feedMetadata.json └── waf-sample.json /.codecov.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/.codecov.yml -------------------------------------------------------------------------------- /.github/CODEOWNERS: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/.github/CODEOWNERS -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/bug_report.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/.github/ISSUE_TEMPLATE/bug_report.md -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/config.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/.github/ISSUE_TEMPLATE/config.yml -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/documentation.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/.github/ISSUE_TEMPLATE/documentation.md -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/feature_request.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/.github/ISSUE_TEMPLATE/feature_request.md -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/office_hours.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/.github/ISSUE_TEMPLATE/office_hours.md -------------------------------------------------------------------------------- /.github/PULL_REQUEST_TEMPLATE.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/.github/PULL_REQUEST_TEMPLATE.md -------------------------------------------------------------------------------- /.github/workflows/add-untriaged.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/.github/workflows/add-untriaged.yml -------------------------------------------------------------------------------- /.github/workflows/backport.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/.github/workflows/backport.yml -------------------------------------------------------------------------------- /.github/workflows/ci.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/.github/workflows/ci.yml -------------------------------------------------------------------------------- /.github/workflows/delete_backport_branch.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/.github/workflows/delete_backport_branch.yml -------------------------------------------------------------------------------- /.github/workflows/maven-publish.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/.github/workflows/maven-publish.yml -------------------------------------------------------------------------------- /.github/workflows/multi-node-test-workflow.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/.github/workflows/multi-node-test-workflow.yml -------------------------------------------------------------------------------- /.github/workflows/security-test-workflow.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/.github/workflows/security-test-workflow.yml -------------------------------------------------------------------------------- /.github/workflows/version.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/.github/workflows/version.yml -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/.gitignore -------------------------------------------------------------------------------- /.whitesource: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/.whitesource -------------------------------------------------------------------------------- /CODE_OF_CONDUCT.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/CODE_OF_CONDUCT.md -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/CONTRIBUTING.md -------------------------------------------------------------------------------- /DEVELOPER_GUIDE.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/DEVELOPER_GUIDE.md -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/LICENSE -------------------------------------------------------------------------------- /MAINTAINERS.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/MAINTAINERS.md -------------------------------------------------------------------------------- /NOTICE: -------------------------------------------------------------------------------- 1 | Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. 2 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/README.md -------------------------------------------------------------------------------- /checkstyle/sun_checks.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/checkstyle/sun_checks.xml -------------------------------------------------------------------------------- /formatter/formatterConfig.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/formatter/formatterConfig.xml -------------------------------------------------------------------------------- /gradle/formatting.gradle: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/gradle/formatting.gradle -------------------------------------------------------------------------------- /gradle/wrapper/gradle-wrapper.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/gradle/wrapper/gradle-wrapper.jar -------------------------------------------------------------------------------- /gradle/wrapper/gradle-wrapper.properties: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/gradle/wrapper/gradle-wrapper.properties -------------------------------------------------------------------------------- /gradlew: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/gradlew -------------------------------------------------------------------------------- /gradlew.bat: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/gradlew.bat -------------------------------------------------------------------------------- /release-notes/opensearch-security-analytics.release-notes-2.10.0.0.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/release-notes/opensearch-security-analytics.release-notes-2.10.0.0.md -------------------------------------------------------------------------------- /release-notes/opensearch-security-analytics.release-notes-2.11.0.0.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/release-notes/opensearch-security-analytics.release-notes-2.11.0.0.md -------------------------------------------------------------------------------- /release-notes/opensearch-security-analytics.release-notes-2.11.1.0.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/release-notes/opensearch-security-analytics.release-notes-2.11.1.0.md -------------------------------------------------------------------------------- /release-notes/opensearch-security-analytics.release-notes-2.12.0.0.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/release-notes/opensearch-security-analytics.release-notes-2.12.0.0.md -------------------------------------------------------------------------------- /release-notes/opensearch-security-analytics.release-notes-2.14.0.0.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/release-notes/opensearch-security-analytics.release-notes-2.14.0.0.md -------------------------------------------------------------------------------- /release-notes/opensearch-security-analytics.release-notes-2.15.0.0.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/release-notes/opensearch-security-analytics.release-notes-2.15.0.0.md -------------------------------------------------------------------------------- /release-notes/opensearch-security-analytics.release-notes-2.16.0.0.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/release-notes/opensearch-security-analytics.release-notes-2.16.0.0.md -------------------------------------------------------------------------------- /release-notes/opensearch-security-analytics.release-notes-2.17.0.0.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/release-notes/opensearch-security-analytics.release-notes-2.17.0.0.md -------------------------------------------------------------------------------- /release-notes/opensearch-security-analytics.release-notes-2.17.1.0.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/release-notes/opensearch-security-analytics.release-notes-2.17.1.0.md -------------------------------------------------------------------------------- /release-notes/opensearch-security-analytics.release-notes-2.18.0.0.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/release-notes/opensearch-security-analytics.release-notes-2.18.0.0.md -------------------------------------------------------------------------------- /release-notes/opensearch-security-analytics.release-notes-2.19.0.0.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/release-notes/opensearch-security-analytics.release-notes-2.19.0.0.md -------------------------------------------------------------------------------- /release-notes/opensearch-security-analytics.release-notes-2.4.0.0.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/release-notes/opensearch-security-analytics.release-notes-2.4.0.0.md -------------------------------------------------------------------------------- /release-notes/opensearch-security-analytics.release-notes-2.4.1.0.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/release-notes/opensearch-security-analytics.release-notes-2.4.1.0.md -------------------------------------------------------------------------------- /release-notes/opensearch-security-analytics.release-notes-2.5.0.0.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/release-notes/opensearch-security-analytics.release-notes-2.5.0.0.md -------------------------------------------------------------------------------- /release-notes/opensearch-security-analytics.release-notes-2.6.0.0.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/release-notes/opensearch-security-analytics.release-notes-2.6.0.0.md -------------------------------------------------------------------------------- /release-notes/opensearch-security-analytics.release-notes-2.7.0.0.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/release-notes/opensearch-security-analytics.release-notes-2.7.0.0.md -------------------------------------------------------------------------------- /release-notes/opensearch-security-analytics.release-notes-2.8.0.0.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/release-notes/opensearch-security-analytics.release-notes-2.8.0.0.md -------------------------------------------------------------------------------- /release-notes/opensearch-security-analytics.release-notes-2.9.0.0.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/release-notes/opensearch-security-analytics.release-notes-2.9.0.0.md -------------------------------------------------------------------------------- /release-notes/opensearch-security-analytics.release-notes-3.0.0.0-alpha1.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/release-notes/opensearch-security-analytics.release-notes-3.0.0.0-alpha1.md -------------------------------------------------------------------------------- /release-notes/opensearch-security-analytics.release-notes-3.0.0.0-beta1.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/release-notes/opensearch-security-analytics.release-notes-3.0.0.0-beta1.md -------------------------------------------------------------------------------- /release-notes/opensearch-security-analytics.release-notes-3.0.0.0.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/release-notes/opensearch-security-analytics.release-notes-3.0.0.0.md -------------------------------------------------------------------------------- /release-notes/opensearch-security-analytics.release-notes-3.1.0.0.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/release-notes/opensearch-security-analytics.release-notes-3.1.0.0.md -------------------------------------------------------------------------------- /release-notes/opensearch-security-analytics.release-notes-3.2.0.0.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/release-notes/opensearch-security-analytics.release-notes-3.2.0.0.md -------------------------------------------------------------------------------- /release-notes/opensearch-security-analytics.release-notes-3.3.0.0.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/release-notes/opensearch-security-analytics.release-notes-3.3.0.0.md -------------------------------------------------------------------------------- /scripts/build.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/scripts/build.sh -------------------------------------------------------------------------------- /security-analytics-commons-1.0.0.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/security-analytics-commons-1.0.0.jar -------------------------------------------------------------------------------- /settings.gradle: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/settings.gradle -------------------------------------------------------------------------------- /src/main/config/rules/ad_ldap/azure_aadhybridhealth_adfs_new_server.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/ad_ldap/azure_aadhybridhealth_adfs_new_server.yml -------------------------------------------------------------------------------- /src/main/config/rules/ad_ldap/azure_aadhybridhealth_adfs_service_delete.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/ad_ldap/azure_aadhybridhealth_adfs_service_delete.yml -------------------------------------------------------------------------------- /src/main/config/rules/ad_ldap/azure_ad_bitlocker_key_retrieval.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/ad_ldap/azure_ad_bitlocker_key_retrieval.yml -------------------------------------------------------------------------------- /src/main/config/rules/ad_ldap/azure_ad_sign_ins_from_unknown_devices.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/ad_ldap/azure_ad_sign_ins_from_unknown_devices.yml -------------------------------------------------------------------------------- /src/main/config/rules/ad_ldap/azure_ad_user_added_to_admin_role.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/ad_ldap/azure_ad_user_added_to_admin_role.yml -------------------------------------------------------------------------------- /src/main/config/rules/ad_ldap/win_ldap_recon.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/ad_ldap/win_ldap_recon.yml -------------------------------------------------------------------------------- /src/main/config/rules/apache_access/web_apache_segfault.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/apache_access/web_apache_segfault.yml -------------------------------------------------------------------------------- /src/main/config/rules/apache_access/web_apache_threading_error.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/apache_access/web_apache_threading_error.yml -------------------------------------------------------------------------------- /src/main/config/rules/azure/azure_aadhybridhealth_adfs_new_server.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/azure/azure_aadhybridhealth_adfs_new_server.yml -------------------------------------------------------------------------------- /src/main/config/rules/azure/azure_aadhybridhealth_adfs_service_delete.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/azure/azure_aadhybridhealth_adfs_service_delete.yml -------------------------------------------------------------------------------- /src/main/config/rules/azure/azure_account_lockout.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/azure/azure_account_lockout.yml -------------------------------------------------------------------------------- /src/main/config/rules/azure/azure_ad_account_created_deleted.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/azure/azure_ad_account_created_deleted.yml -------------------------------------------------------------------------------- /src/main/config/rules/azure/azure_ad_auth_failure_increase.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/azure/azure_ad_auth_failure_increase.yml -------------------------------------------------------------------------------- /src/main/config/rules/azure/azure_ad_auth_sucess_increase.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/azure/azure_ad_auth_sucess_increase.yml -------------------------------------------------------------------------------- /src/main/config/rules/azure/azure_ad_azurehound_discovery.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/azure/azure_ad_azurehound_discovery.yml -------------------------------------------------------------------------------- /src/main/config/rules/azure/azure_ad_bitlocker_key_retrieval.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/azure/azure_ad_bitlocker_key_retrieval.yml -------------------------------------------------------------------------------- /src/main/config/rules/azure/azure_ad_device_registration_policy_changes.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/azure/azure_ad_device_registration_policy_changes.yml -------------------------------------------------------------------------------- /src/main/config/rules/azure/azure_ad_only_single_factor_auth_required.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/azure/azure_ad_only_single_factor_auth_required.yml -------------------------------------------------------------------------------- /src/main/config/rules/azure/azure_ad_sign_ins_from_noncompliant_devices.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/azure/azure_ad_sign_ins_from_noncompliant_devices.yml -------------------------------------------------------------------------------- /src/main/config/rules/azure/azure_ad_sign_ins_from_unknown_devices.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/azure/azure_ad_sign_ins_from_unknown_devices.yml -------------------------------------------------------------------------------- /src/main/config/rules/azure/azure_ad_suspicious_signin_bypassing_mfa.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/azure/azure_ad_suspicious_signin_bypassing_mfa.yml -------------------------------------------------------------------------------- /src/main/config/rules/azure/azure_ad_user_added_to_admin_role.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/azure/azure_ad_user_added_to_admin_role.yml -------------------------------------------------------------------------------- /src/main/config/rules/azure/azure_ad_users_added_to_device_admin_roles.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/azure/azure_ad_users_added_to_device_admin_roles.yml -------------------------------------------------------------------------------- /src/main/config/rules/azure/azure_app_appid_uri_changes.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/azure/azure_app_appid_uri_changes.yml -------------------------------------------------------------------------------- /src/main/config/rules/azure/azure_app_credential_added.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/azure/azure_app_credential_added.yml -------------------------------------------------------------------------------- /src/main/config/rules/azure/azure_app_credential_modification.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/azure/azure_app_credential_modification.yml -------------------------------------------------------------------------------- /src/main/config/rules/azure/azure_app_delegated_permissions_all_users.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/azure/azure_app_delegated_permissions_all_users.yml -------------------------------------------------------------------------------- /src/main/config/rules/azure/azure_app_device_code_authentication.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/azure/azure_app_device_code_authentication.yml -------------------------------------------------------------------------------- /src/main/config/rules/azure/azure_app_end_user_consent.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/azure/azure_app_end_user_consent.yml -------------------------------------------------------------------------------- /src/main/config/rules/azure/azure_app_end_user_consent_blocked.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/azure/azure_app_end_user_consent_blocked.yml -------------------------------------------------------------------------------- /src/main/config/rules/azure/azure_app_owner_added.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/azure/azure_app_owner_added.yml -------------------------------------------------------------------------------- /src/main/config/rules/azure/azure_app_permissions_msft.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/azure/azure_app_permissions_msft.yml -------------------------------------------------------------------------------- /src/main/config/rules/azure/azure_app_privileged_permissions.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/azure/azure_app_privileged_permissions.yml -------------------------------------------------------------------------------- /src/main/config/rules/azure/azure_app_role_added.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/azure/azure_app_role_added.yml -------------------------------------------------------------------------------- /src/main/config/rules/azure/azure_app_ropc_authentication.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/azure/azure_app_ropc_authentication.yml -------------------------------------------------------------------------------- /src/main/config/rules/azure/azure_app_uri_modifications.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/azure/azure_app_uri_modifications.yml -------------------------------------------------------------------------------- /src/main/config/rules/azure/azure_application_deleted.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/azure/azure_application_deleted.yml -------------------------------------------------------------------------------- /src/main/config/rules/azure/azure_blocked_account_attempt.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/azure/azure_blocked_account_attempt.yml -------------------------------------------------------------------------------- /src/main/config/rules/azure/azure_change_to_authentication_method.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/azure/azure_change_to_authentication_method.yml -------------------------------------------------------------------------------- /src/main/config/rules/azure/azure_conditional_access_failure.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/azure/azure_conditional_access_failure.yml -------------------------------------------------------------------------------- /src/main/config/rules/azure/azure_container_registry_created_or_deleted.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/azure/azure_container_registry_created_or_deleted.yml -------------------------------------------------------------------------------- /src/main/config/rules/azure/azure_device_no_longer_managed_or_compliant.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/azure/azure_device_no_longer_managed_or_compliant.yml -------------------------------------------------------------------------------- /src/main/config/rules/azure/azure_dns_zone_modified_or_deleted.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/azure/azure_dns_zone_modified_or_deleted.yml -------------------------------------------------------------------------------- /src/main/config/rules/azure/azure_federation_modified.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/azure/azure_federation_modified.yml -------------------------------------------------------------------------------- /src/main/config/rules/azure/azure_firewall_modified_or_deleted.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/azure/azure_firewall_modified_or_deleted.yml -------------------------------------------------------------------------------- /src/main/config/rules/azure/azure_granting_permission_detection.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/azure/azure_granting_permission_detection.yml -------------------------------------------------------------------------------- /src/main/config/rules/azure/azure_group_user_addition_ca_modification.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/azure/azure_group_user_addition_ca_modification.yml -------------------------------------------------------------------------------- /src/main/config/rules/azure/azure_group_user_removal_ca_modification.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/azure/azure_group_user_removal_ca_modification.yml -------------------------------------------------------------------------------- /src/main/config/rules/azure/azure_guest_invite_failure.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/azure/azure_guest_invite_failure.yml -------------------------------------------------------------------------------- /src/main/config/rules/azure/azure_guest_to_member.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/azure/azure_guest_to_member.yml -------------------------------------------------------------------------------- /src/main/config/rules/azure/azure_identity_protection_anomalous_token.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/azure/azure_identity_protection_anomalous_token.yml -------------------------------------------------------------------------------- /src/main/config/rules/azure/azure_identity_protection_anomalous_user.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/azure/azure_identity_protection_anomalous_user.yml -------------------------------------------------------------------------------- /src/main/config/rules/azure/azure_identity_protection_atypical_travel.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/azure/azure_identity_protection_atypical_travel.yml -------------------------------------------------------------------------------- /src/main/config/rules/azure/azure_identity_protection_impossible_travel.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/azure/azure_identity_protection_impossible_travel.yml -------------------------------------------------------------------------------- /src/main/config/rules/azure/azure_identity_protection_malware_linked_ip.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/azure/azure_identity_protection_malware_linked_ip.yml -------------------------------------------------------------------------------- /src/main/config/rules/azure/azure_identity_protection_new_coutry_region.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/azure/azure_identity_protection_new_coutry_region.yml -------------------------------------------------------------------------------- /src/main/config/rules/azure/azure_identity_protection_password_spray.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/azure/azure_identity_protection_password_spray.yml -------------------------------------------------------------------------------- /src/main/config/rules/azure/azure_identity_protection_prt_access.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/azure/azure_identity_protection_prt_access.yml -------------------------------------------------------------------------------- /src/main/config/rules/azure/azure_identity_protection_threat_intel.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/azure/azure_identity_protection_threat_intel.yml -------------------------------------------------------------------------------- /src/main/config/rules/azure/azure_identity_protection_unfamilar_sign_in.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/azure/azure_identity_protection_unfamilar_sign_in.yml -------------------------------------------------------------------------------- /src/main/config/rules/azure/azure_keyvault_key_modified_or_deleted.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/azure/azure_keyvault_key_modified_or_deleted.yml -------------------------------------------------------------------------------- /src/main/config/rules/azure/azure_keyvault_modified_or_deleted.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/azure/azure_keyvault_modified_or_deleted.yml -------------------------------------------------------------------------------- /src/main/config/rules/azure/azure_keyvault_secrets_modified_or_deleted.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/azure/azure_keyvault_secrets_modified_or_deleted.yml -------------------------------------------------------------------------------- /src/main/config/rules/azure/azure_kubernetes_admission_controller.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/azure/azure_kubernetes_admission_controller.yml -------------------------------------------------------------------------------- /src/main/config/rules/azure/azure_kubernetes_cluster_created_or_deleted.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/azure/azure_kubernetes_cluster_created_or_deleted.yml -------------------------------------------------------------------------------- /src/main/config/rules/azure/azure_kubernetes_cronjob.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/azure/azure_kubernetes_cronjob.yml -------------------------------------------------------------------------------- /src/main/config/rules/azure/azure_kubernetes_events_deleted.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/azure/azure_kubernetes_events_deleted.yml -------------------------------------------------------------------------------- /src/main/config/rules/azure/azure_kubernetes_network_policy_change.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/azure/azure_kubernetes_network_policy_change.yml -------------------------------------------------------------------------------- /src/main/config/rules/azure/azure_kubernetes_pods_deleted.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/azure/azure_kubernetes_pods_deleted.yml -------------------------------------------------------------------------------- /src/main/config/rules/azure/azure_kubernetes_role_access.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/azure/azure_kubernetes_role_access.yml -------------------------------------------------------------------------------- /src/main/config/rules/azure/azure_legacy_authentication_protocols.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/azure/azure_legacy_authentication_protocols.yml -------------------------------------------------------------------------------- /src/main/config/rules/azure/azure_login_to_disabled_account.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/azure/azure_login_to_disabled_account.yml -------------------------------------------------------------------------------- /src/main/config/rules/azure/azure_mfa_denies.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/azure/azure_mfa_denies.yml -------------------------------------------------------------------------------- /src/main/config/rules/azure/azure_mfa_disabled.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/azure/azure_mfa_disabled.yml -------------------------------------------------------------------------------- /src/main/config/rules/azure/azure_mfa_interrupted.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/azure/azure_mfa_interrupted.yml -------------------------------------------------------------------------------- /src/main/config/rules/azure/azure_network_p2s_vpn_modified_or_deleted.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/azure/azure_network_p2s_vpn_modified_or_deleted.yml -------------------------------------------------------------------------------- /src/main/config/rules/azure/azure_network_security_modified_or_deleted.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/azure/azure_network_security_modified_or_deleted.yml -------------------------------------------------------------------------------- /src/main/config/rules/azure/azure_new_cloudshell_created.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/azure/azure_new_cloudshell_created.yml -------------------------------------------------------------------------------- /src/main/config/rules/azure/azure_pim_account_stale.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/azure/azure_pim_account_stale.yml -------------------------------------------------------------------------------- /src/main/config/rules/azure/azure_pim_activation_approve_deny.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/azure/azure_pim_activation_approve_deny.yml -------------------------------------------------------------------------------- /src/main/config/rules/azure/azure_pim_alerts_disabled.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/azure/azure_pim_alerts_disabled.yml -------------------------------------------------------------------------------- /src/main/config/rules/azure/azure_pim_change_settings.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/azure/azure_pim_change_settings.yml -------------------------------------------------------------------------------- /src/main/config/rules/azure/azure_pim_invalid_license.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/azure/azure_pim_invalid_license.yml -------------------------------------------------------------------------------- /src/main/config/rules/azure/azure_pim_role_assigned_outside_of_pim.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/azure/azure_pim_role_assigned_outside_of_pim.yml -------------------------------------------------------------------------------- /src/main/config/rules/azure/azure_pim_role_frequent_activation.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/azure/azure_pim_role_frequent_activation.yml -------------------------------------------------------------------------------- /src/main/config/rules/azure/azure_pim_role_no_mfa_required.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/azure/azure_pim_role_no_mfa_required.yml -------------------------------------------------------------------------------- /src/main/config/rules/azure/azure_pim_role_not_used.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/azure/azure_pim_role_not_used.yml -------------------------------------------------------------------------------- /src/main/config/rules/azure/azure_pim_too_many_global_admins.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/azure/azure_pim_too_many_global_admins.yml -------------------------------------------------------------------------------- /src/main/config/rules/azure/azure_priviledged_role_assignment_add.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/azure/azure_priviledged_role_assignment_add.yml -------------------------------------------------------------------------------- /src/main/config/rules/azure/azure_privileged_account_creation.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/azure/azure_privileged_account_creation.yml -------------------------------------------------------------------------------- /src/main/config/rules/azure/azure_rare_operations.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/azure/azure_rare_operations.yml -------------------------------------------------------------------------------- /src/main/config/rules/azure/azure_service_principal_created.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/azure/azure_service_principal_created.yml -------------------------------------------------------------------------------- /src/main/config/rules/azure/azure_service_principal_removed.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/azure/azure_service_principal_removed.yml -------------------------------------------------------------------------------- /src/main/config/rules/azure/azure_suppression_rule_created.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/azure/azure_suppression_rule_created.yml -------------------------------------------------------------------------------- /src/main/config/rules/azure/azure_tap_added.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/azure/azure_tap_added.yml -------------------------------------------------------------------------------- /src/main/config/rules/azure/azure_unusual_authentication_interruption.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/azure/azure_unusual_authentication_interruption.yml -------------------------------------------------------------------------------- /src/main/config/rules/azure/azure_user_password_change.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/azure/azure_user_password_change.yml -------------------------------------------------------------------------------- /src/main/config/rules/azure/azure_virtual_network_modified_or_deleted.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/azure/azure_virtual_network_modified_or_deleted.yml -------------------------------------------------------------------------------- /src/main/config/rules/azure/azure_vpn_connection_modified_or_deleted.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/azure/azure_vpn_connection_modified_or_deleted.yml -------------------------------------------------------------------------------- /src/main/config/rules/cloudtrail/aws_attached_malicious_lambda_layer.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/cloudtrail/aws_attached_malicious_lambda_layer.yml -------------------------------------------------------------------------------- /src/main/config/rules/cloudtrail/aws_cloudtrail_disable_logging.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/cloudtrail/aws_cloudtrail_disable_logging.yml -------------------------------------------------------------------------------- /src/main/config/rules/cloudtrail/aws_config_disable_recording.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/cloudtrail/aws_config_disable_recording.yml -------------------------------------------------------------------------------- /src/main/config/rules/cloudtrail/aws_console_getsignintoken.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/cloudtrail/aws_console_getsignintoken.yml -------------------------------------------------------------------------------- /src/main/config/rules/cloudtrail/aws_create_load_balancer_layer.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/cloudtrail/aws_create_load_balancer_layer.yml -------------------------------------------------------------------------------- /src/main/config/rules/cloudtrail/aws_delete_identity.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/cloudtrail/aws_delete_identity.yml -------------------------------------------------------------------------------- /src/main/config/rules/cloudtrail/aws_disable_bucket_versioning.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/cloudtrail/aws_disable_bucket_versioning.yml -------------------------------------------------------------------------------- /src/main/config/rules/cloudtrail/aws_ec2_disable_encryption.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/cloudtrail/aws_ec2_disable_encryption.yml -------------------------------------------------------------------------------- /src/main/config/rules/cloudtrail/aws_ec2_download_userdata.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/cloudtrail/aws_ec2_download_userdata.yml -------------------------------------------------------------------------------- /src/main/config/rules/cloudtrail/aws_ec2_startup_script_change.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/cloudtrail/aws_ec2_startup_script_change.yml -------------------------------------------------------------------------------- /src/main/config/rules/cloudtrail/aws_ec2_vm_export_failure.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/cloudtrail/aws_ec2_vm_export_failure.yml -------------------------------------------------------------------------------- /src/main/config/rules/cloudtrail/aws_ecs_task_definition_backdoor.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/cloudtrail/aws_ecs_task_definition_backdoor.yml -------------------------------------------------------------------------------- /src/main/config/rules/cloudtrail/aws_efs_fileshare_modified_or_deleted.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/cloudtrail/aws_efs_fileshare_modified_or_deleted.yml -------------------------------------------------------------------------------- /src/main/config/rules/cloudtrail/aws_eks_cluster_created_or_deleted.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/cloudtrail/aws_eks_cluster_created_or_deleted.yml -------------------------------------------------------------------------------- /src/main/config/rules/cloudtrail/aws_elasticache_security_group_created.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/cloudtrail/aws_elasticache_security_group_created.yml -------------------------------------------------------------------------------- /src/main/config/rules/cloudtrail/aws_enum_buckets.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/cloudtrail/aws_enum_buckets.yml -------------------------------------------------------------------------------- /src/main/config/rules/cloudtrail/aws_enum_listing.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/cloudtrail/aws_enum_listing.yml -------------------------------------------------------------------------------- /src/main/config/rules/cloudtrail/aws_guardduty_disruption.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/cloudtrail/aws_guardduty_disruption.yml -------------------------------------------------------------------------------- /src/main/config/rules/cloudtrail/aws_iam_backdoor_users_keys.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/cloudtrail/aws_iam_backdoor_users_keys.yml -------------------------------------------------------------------------------- /src/main/config/rules/cloudtrail/aws_lambda_function_created_or_invoked.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/cloudtrail/aws_lambda_function_created_or_invoked.yml -------------------------------------------------------------------------------- /src/main/config/rules/cloudtrail/aws_macic_evasion.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/cloudtrail/aws_macic_evasion.yml -------------------------------------------------------------------------------- /src/main/config/rules/cloudtrail/aws_rds_change_master_password.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/cloudtrail/aws_rds_change_master_password.yml -------------------------------------------------------------------------------- /src/main/config/rules/cloudtrail/aws_rds_public_db_restore.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/cloudtrail/aws_rds_public_db_restore.yml -------------------------------------------------------------------------------- /src/main/config/rules/cloudtrail/aws_root_account_usage.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/cloudtrail/aws_root_account_usage.yml -------------------------------------------------------------------------------- /src/main/config/rules/cloudtrail/aws_securityhub_finding_evasion.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/cloudtrail/aws_securityhub_finding_evasion.yml -------------------------------------------------------------------------------- /src/main/config/rules/cloudtrail/aws_snapshot_backup_exfiltration.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/cloudtrail/aws_snapshot_backup_exfiltration.yml -------------------------------------------------------------------------------- /src/main/config/rules/cloudtrail/aws_sso_idp_change.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/cloudtrail/aws_sso_idp_change.yml -------------------------------------------------------------------------------- /src/main/config/rules/cloudtrail/aws_sts_assumerole_misuse.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/cloudtrail/aws_sts_assumerole_misuse.yml -------------------------------------------------------------------------------- /src/main/config/rules/cloudtrail/aws_sts_getsessiontoken_misuse.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/cloudtrail/aws_sts_getsessiontoken_misuse.yml -------------------------------------------------------------------------------- /src/main/config/rules/cloudtrail/aws_susp_saml_activity.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/cloudtrail/aws_susp_saml_activity.yml -------------------------------------------------------------------------------- /src/main/config/rules/cloudtrail/aws_update_login_profile.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/cloudtrail/aws_update_login_profile.yml -------------------------------------------------------------------------------- /src/main/config/rules/dns/net_dns_c2_detection.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/dns/net_dns_c2_detection.yml -------------------------------------------------------------------------------- /src/main/config/rules/dns/net_dns_external_service_interaction_domains.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/dns/net_dns_external_service_interaction_domains.yml -------------------------------------------------------------------------------- /src/main/config/rules/dns/net_dns_high_bytes_out.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/dns/net_dns_high_bytes_out.yml -------------------------------------------------------------------------------- /src/main/config/rules/dns/net_dns_high_null_records_requests_rate.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/dns/net_dns_high_null_records_requests_rate.yml -------------------------------------------------------------------------------- /src/main/config/rules/dns/net_dns_high_requests_rate.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/dns/net_dns_high_requests_rate.yml -------------------------------------------------------------------------------- /src/main/config/rules/dns/net_dns_high_txt_records_requests_rate.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/dns/net_dns_high_txt_records_requests_rate.yml -------------------------------------------------------------------------------- /src/main/config/rules/dns/net_dns_mal_cobaltstrike.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/dns/net_dns_mal_cobaltstrike.yml -------------------------------------------------------------------------------- /src/main/config/rules/dns/net_dns_pua_cryptocoin_mining_xmr.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/dns/net_dns_pua_cryptocoin_mining_xmr.yml -------------------------------------------------------------------------------- /src/main/config/rules/dns/net_dns_susp_b64_queries.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/dns/net_dns_susp_b64_queries.yml -------------------------------------------------------------------------------- /src/main/config/rules/dns/net_dns_susp_telegram_api.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/dns/net_dns_susp_telegram_api.yml -------------------------------------------------------------------------------- /src/main/config/rules/dns/net_dns_susp_txt_exec_strings.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/dns/net_dns_susp_txt_exec_strings.yml -------------------------------------------------------------------------------- /src/main/config/rules/dns/net_dns_wannacry_killswitch_domain.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/dns/net_dns_wannacry_killswitch_domain.yml -------------------------------------------------------------------------------- /src/main/config/rules/github/github_delete_action_invoked.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/github/github_delete_action_invoked.yml -------------------------------------------------------------------------------- /src/main/config/rules/github/github_disable_high_risk_configuration.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/github/github_disable_high_risk_configuration.yml -------------------------------------------------------------------------------- /src/main/config/rules/github/github_new_org_member.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/github/github_new_org_member.yml -------------------------------------------------------------------------------- /src/main/config/rules/github/github_new_secret_created.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/github/github_new_secret_created.yml -------------------------------------------------------------------------------- /src/main/config/rules/github/github_outside_collaborator_detected.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/github/github_outside_collaborator_detected.yml -------------------------------------------------------------------------------- /src/main/config/rules/github/github_push_protection_bypass_detected.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/github/github_push_protection_bypass_detected.yml -------------------------------------------------------------------------------- /src/main/config/rules/github/github_push_protection_disabled.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/github/github_push_protection_disabled.yml -------------------------------------------------------------------------------- /src/main/config/rules/github/github_secret_scanning_feature_disabled.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/github/github_secret_scanning_feature_disabled.yml -------------------------------------------------------------------------------- /src/main/config/rules/github/github_self_hosted_runner_changes_detected.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/github/github_self_hosted_runner_changes_detected.yml -------------------------------------------------------------------------------- /src/main/config/rules/gworkspace/gcp_gworkspace_application_removed.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/gworkspace/gcp_gworkspace_application_removed.yml -------------------------------------------------------------------------------- /src/main/config/rules/gworkspace/gcp_gworkspace_mfa_disabled.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/gworkspace/gcp_gworkspace_mfa_disabled.yml -------------------------------------------------------------------------------- /src/main/config/rules/gworkspace/gcp_gworkspace_role_privilege_deleted.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/gworkspace/gcp_gworkspace_role_privilege_deleted.yml -------------------------------------------------------------------------------- /src/main/config/rules/linux/auditd/lnx_auditd_audio_capture.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/linux/auditd/lnx_auditd_audio_capture.yml -------------------------------------------------------------------------------- /src/main/config/rules/linux/auditd/lnx_auditd_auditing_config_change.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/linux/auditd/lnx_auditd_auditing_config_change.yml -------------------------------------------------------------------------------- /src/main/config/rules/linux/auditd/lnx_auditd_binary_padding.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/linux/auditd/lnx_auditd_binary_padding.yml -------------------------------------------------------------------------------- /src/main/config/rules/linux/auditd/lnx_auditd_bpfdoor_file_accessed.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/linux/auditd/lnx_auditd_bpfdoor_file_accessed.yml -------------------------------------------------------------------------------- /src/main/config/rules/linux/auditd/lnx_auditd_bpfdoor_port_redirect.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/linux/auditd/lnx_auditd_bpfdoor_port_redirect.yml -------------------------------------------------------------------------------- /src/main/config/rules/linux/auditd/lnx_auditd_capabilities_discovery.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/linux/auditd/lnx_auditd_capabilities_discovery.yml -------------------------------------------------------------------------------- /src/main/config/rules/linux/auditd/lnx_auditd_change_file_time_attr.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/linux/auditd/lnx_auditd_change_file_time_attr.yml -------------------------------------------------------------------------------- /src/main/config/rules/linux/auditd/lnx_auditd_chattr_immutable_removal.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/linux/auditd/lnx_auditd_chattr_immutable_removal.yml -------------------------------------------------------------------------------- /src/main/config/rules/linux/auditd/lnx_auditd_clipboard_collection.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/linux/auditd/lnx_auditd_clipboard_collection.yml -------------------------------------------------------------------------------- /src/main/config/rules/linux/auditd/lnx_auditd_coinminer.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/linux/auditd/lnx_auditd_coinminer.yml -------------------------------------------------------------------------------- /src/main/config/rules/linux/auditd/lnx_auditd_create_account.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/linux/auditd/lnx_auditd_create_account.yml -------------------------------------------------------------------------------- /src/main/config/rules/linux/auditd/lnx_auditd_data_compressed.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/linux/auditd/lnx_auditd_data_compressed.yml -------------------------------------------------------------------------------- /src/main/config/rules/linux/auditd/lnx_auditd_data_exfil_wget.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/linux/auditd/lnx_auditd_data_exfil_wget.yml -------------------------------------------------------------------------------- /src/main/config/rules/linux/auditd/lnx_auditd_dd_delete_file.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/linux/auditd/lnx_auditd_dd_delete_file.yml -------------------------------------------------------------------------------- /src/main/config/rules/linux/auditd/lnx_auditd_disable_system_firewall.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/linux/auditd/lnx_auditd_disable_system_firewall.yml -------------------------------------------------------------------------------- /src/main/config/rules/linux/auditd/lnx_auditd_find_cred_in_files.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/linux/auditd/lnx_auditd_find_cred_in_files.yml -------------------------------------------------------------------------------- /src/main/config/rules/linux/auditd/lnx_auditd_hidden_binary_execution.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/linux/auditd/lnx_auditd_hidden_binary_execution.yml -------------------------------------------------------------------------------- /src/main/config/rules/linux/auditd/lnx_auditd_hidden_files_directories.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/linux/auditd/lnx_auditd_hidden_files_directories.yml -------------------------------------------------------------------------------- /src/main/config/rules/linux/auditd/lnx_auditd_keylogging_with_pam_d.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/linux/auditd/lnx_auditd_keylogging_with_pam_d.yml -------------------------------------------------------------------------------- /src/main/config/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml -------------------------------------------------------------------------------- /src/main/config/rules/linux/auditd/lnx_auditd_load_module_insmod.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/linux/auditd/lnx_auditd_load_module_insmod.yml -------------------------------------------------------------------------------- /src/main/config/rules/linux/auditd/lnx_auditd_logging_config_change.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/linux/auditd/lnx_auditd_logging_config_change.yml -------------------------------------------------------------------------------- /src/main/config/rules/linux/auditd/lnx_auditd_masquerading_crond.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/linux/auditd/lnx_auditd_masquerading_crond.yml -------------------------------------------------------------------------------- /src/main/config/rules/linux/auditd/lnx_auditd_modify_system_firewall.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/linux/auditd/lnx_auditd_modify_system_firewall.yml -------------------------------------------------------------------------------- /src/main/config/rules/linux/auditd/lnx_auditd_network_service_scanning.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/linux/auditd/lnx_auditd_network_service_scanning.yml -------------------------------------------------------------------------------- /src/main/config/rules/linux/auditd/lnx_auditd_network_sniffing.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/linux/auditd/lnx_auditd_network_sniffing.yml -------------------------------------------------------------------------------- /src/main/config/rules/linux/auditd/lnx_auditd_password_policy_discovery.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/linux/auditd/lnx_auditd_password_policy_discovery.yml -------------------------------------------------------------------------------- /src/main/config/rules/linux/auditd/lnx_auditd_pers_systemd_reload.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/linux/auditd/lnx_auditd_pers_systemd_reload.yml -------------------------------------------------------------------------------- /src/main/config/rules/linux/auditd/lnx_auditd_screencapture_import.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/linux/auditd/lnx_auditd_screencapture_import.yml -------------------------------------------------------------------------------- /src/main/config/rules/linux/auditd/lnx_auditd_screencaputre_xwd.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/linux/auditd/lnx_auditd_screencaputre_xwd.yml -------------------------------------------------------------------------------- /src/main/config/rules/linux/auditd/lnx_auditd_split_file_into_pieces.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/linux/auditd/lnx_auditd_split_file_into_pieces.yml -------------------------------------------------------------------------------- /src/main/config/rules/linux/auditd/lnx_auditd_susp_c2_commands.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/linux/auditd/lnx_auditd_susp_c2_commands.yml -------------------------------------------------------------------------------- /src/main/config/rules/linux/auditd/lnx_auditd_susp_cmds.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/linux/auditd/lnx_auditd_susp_cmds.yml -------------------------------------------------------------------------------- /src/main/config/rules/linux/auditd/lnx_auditd_susp_exe_folders.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/linux/auditd/lnx_auditd_susp_exe_folders.yml -------------------------------------------------------------------------------- /src/main/config/rules/linux/auditd/lnx_auditd_susp_histfile_operations.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/linux/auditd/lnx_auditd_susp_histfile_operations.yml -------------------------------------------------------------------------------- /src/main/config/rules/linux/auditd/lnx_auditd_system_info_discovery.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/linux/auditd/lnx_auditd_system_info_discovery.yml -------------------------------------------------------------------------------- /src/main/config/rules/linux/auditd/lnx_auditd_system_info_discovery2.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/linux/auditd/lnx_auditd_system_info_discovery2.yml -------------------------------------------------------------------------------- /src/main/config/rules/linux/auditd/lnx_auditd_system_shutdown_reboot.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/linux/auditd/lnx_auditd_system_shutdown_reboot.yml -------------------------------------------------------------------------------- /src/main/config/rules/linux/auditd/lnx_auditd_systemd_service_creation.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/linux/auditd/lnx_auditd_systemd_service_creation.yml -------------------------------------------------------------------------------- /src/main/config/rules/linux/auditd/lnx_auditd_user_discovery.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/linux/auditd/lnx_auditd_user_discovery.yml -------------------------------------------------------------------------------- /src/main/config/rules/linux/auditd/lnx_auditd_web_rce.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/linux/auditd/lnx_auditd_web_rce.yml -------------------------------------------------------------------------------- /src/main/config/rules/linux/builtin/clamav/lnx_clamav_relevant_message.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/linux/builtin/clamav/lnx_clamav_relevant_message.yml -------------------------------------------------------------------------------- /src/main/config/rules/linux/builtin/lnx_apt_equationgroup_lnx.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/linux/builtin/lnx_apt_equationgroup_lnx.yml -------------------------------------------------------------------------------- /src/main/config/rules/linux/builtin/lnx_buffer_overflows.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/linux/builtin/lnx_buffer_overflows.yml -------------------------------------------------------------------------------- /src/main/config/rules/linux/builtin/lnx_clear_syslog.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/linux/builtin/lnx_clear_syslog.yml -------------------------------------------------------------------------------- /src/main/config/rules/linux/builtin/lnx_file_copy.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/linux/builtin/lnx_file_copy.yml -------------------------------------------------------------------------------- /src/main/config/rules/linux/builtin/lnx_ldso_preload_injection.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/linux/builtin/lnx_ldso_preload_injection.yml -------------------------------------------------------------------------------- /src/main/config/rules/linux/builtin/lnx_potential_susp_ebpf_activity.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/linux/builtin/lnx_potential_susp_ebpf_activity.yml -------------------------------------------------------------------------------- /src/main/config/rules/linux/builtin/lnx_privileged_user_creation.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/linux/builtin/lnx_privileged_user_creation.yml -------------------------------------------------------------------------------- /src/main/config/rules/linux/builtin/lnx_shell_clear_cmd_history.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/linux/builtin/lnx_shell_clear_cmd_history.yml -------------------------------------------------------------------------------- /src/main/config/rules/linux/builtin/lnx_shell_susp_commands.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/linux/builtin/lnx_shell_susp_commands.yml -------------------------------------------------------------------------------- /src/main/config/rules/linux/builtin/lnx_shell_susp_log_entries.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/linux/builtin/lnx_shell_susp_log_entries.yml -------------------------------------------------------------------------------- /src/main/config/rules/linux/builtin/lnx_shell_susp_rev_shells.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/linux/builtin/lnx_shell_susp_rev_shells.yml -------------------------------------------------------------------------------- /src/main/config/rules/linux/builtin/lnx_shellshock.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/linux/builtin/lnx_shellshock.yml -------------------------------------------------------------------------------- /src/main/config/rules/linux/builtin/lnx_space_after_filename_.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/linux/builtin/lnx_space_after_filename_.yml -------------------------------------------------------------------------------- /src/main/config/rules/linux/builtin/lnx_susp_dev_tcp.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/linux/builtin/lnx_susp_dev_tcp.yml -------------------------------------------------------------------------------- /src/main/config/rules/linux/builtin/lnx_susp_jexboss.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/linux/builtin/lnx_susp_jexboss.yml -------------------------------------------------------------------------------- /src/main/config/rules/linux/builtin/lnx_symlink_etc_passwd.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/linux/builtin/lnx_symlink_etc_passwd.yml -------------------------------------------------------------------------------- /src/main/config/rules/linux/builtin/sshd/lnx_sshd_ssh_cve_2018_15473.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/linux/builtin/sshd/lnx_sshd_ssh_cve_2018_15473.yml -------------------------------------------------------------------------------- /src/main/config/rules/linux/builtin/sshd/lnx_sshd_susp_ssh.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/linux/builtin/sshd/lnx_sshd_susp_ssh.yml -------------------------------------------------------------------------------- /src/main/config/rules/linux/builtin/sudo/lnx_sudo_cve_2019_14287_user.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/linux/builtin/sudo/lnx_sudo_cve_2019_14287_user.yml -------------------------------------------------------------------------------- /src/main/config/rules/linux/builtin/syslog/lnx_syslog_susp_named.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/linux/builtin/syslog/lnx_syslog_susp_named.yml -------------------------------------------------------------------------------- /src/main/config/rules/linux/process_creation/proc_creation_lnx_groupdel.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/linux/process_creation/proc_creation_lnx_groupdel.yml -------------------------------------------------------------------------------- /src/main/config/rules/linux/process_creation/proc_creation_lnx_nohup.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/linux/process_creation/proc_creation_lnx_nohup.yml -------------------------------------------------------------------------------- /src/main/config/rules/linux/process_creation/proc_creation_lnx_userdel.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/linux/process_creation/proc_creation_lnx_userdel.yml -------------------------------------------------------------------------------- /src/main/config/rules/m365/microsoft365_activity_by_terminated_user.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/m365/microsoft365_activity_by_terminated_user.yml -------------------------------------------------------------------------------- /src/main/config/rules/m365/microsoft365_disabling_mfa.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/m365/microsoft365_disabling_mfa.yml -------------------------------------------------------------------------------- /src/main/config/rules/m365/microsoft365_from_susp_ip_addresses.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/m365/microsoft365_from_susp_ip_addresses.yml -------------------------------------------------------------------------------- /src/main/config/rules/m365/microsoft365_impossible_travel_activity.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/m365/microsoft365_impossible_travel_activity.yml -------------------------------------------------------------------------------- /src/main/config/rules/m365/microsoft365_logon_from_risky_ip_address.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/m365/microsoft365_logon_from_risky_ip_address.yml -------------------------------------------------------------------------------- /src/main/config/rules/m365/microsoft365_new_federated_domain_added.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/m365/microsoft365_new_federated_domain_added.yml -------------------------------------------------------------------------------- /src/main/config/rules/m365/microsoft365_potential_ransomware_activity.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/m365/microsoft365_potential_ransomware_activity.yml -------------------------------------------------------------------------------- /src/main/config/rules/m365/microsoft365_pst_export_alert.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/m365/microsoft365_pst_export_alert.yml -------------------------------------------------------------------------------- /src/main/config/rules/m365/microsoft365_susp_inbox_forwarding.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/m365/microsoft365_susp_inbox_forwarding.yml -------------------------------------------------------------------------------- /src/main/config/rules/m365/microsoft365_unusual_volume_of_file_deletion.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/m365/microsoft365_unusual_volume_of_file_deletion.yml -------------------------------------------------------------------------------- /src/main/config/rules/network/cisco/aaa/cisco_cli_clear_logs.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/network/cisco/aaa/cisco_cli_clear_logs.yml -------------------------------------------------------------------------------- /src/main/config/rules/network/cisco/aaa/cisco_cli_collect_data.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/network/cisco/aaa/cisco_cli_collect_data.yml -------------------------------------------------------------------------------- /src/main/config/rules/network/cisco/aaa/cisco_cli_crypto_actions.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/network/cisco/aaa/cisco_cli_crypto_actions.yml -------------------------------------------------------------------------------- /src/main/config/rules/network/cisco/aaa/cisco_cli_disable_logging.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/network/cisco/aaa/cisco_cli_disable_logging.yml -------------------------------------------------------------------------------- /src/main/config/rules/network/cisco/aaa/cisco_cli_discovery.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/network/cisco/aaa/cisco_cli_discovery.yml -------------------------------------------------------------------------------- /src/main/config/rules/network/cisco/aaa/cisco_cli_dos.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/network/cisco/aaa/cisco_cli_dos.yml -------------------------------------------------------------------------------- /src/main/config/rules/network/cisco/aaa/cisco_cli_file_deletion.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/network/cisco/aaa/cisco_cli_file_deletion.yml -------------------------------------------------------------------------------- /src/main/config/rules/network/cisco/aaa/cisco_cli_input_capture.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/network/cisco/aaa/cisco_cli_input_capture.yml -------------------------------------------------------------------------------- /src/main/config/rules/network/cisco/aaa/cisco_cli_local_accounts.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/network/cisco/aaa/cisco_cli_local_accounts.yml -------------------------------------------------------------------------------- /src/main/config/rules/network/cisco/aaa/cisco_cli_modify_config.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/network/cisco/aaa/cisco_cli_modify_config.yml -------------------------------------------------------------------------------- /src/main/config/rules/network/cisco/aaa/cisco_cli_moving_data.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/network/cisco/aaa/cisco_cli_moving_data.yml -------------------------------------------------------------------------------- /src/main/config/rules/network/cisco/aaa/cisco_cli_net_sniff.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/network/cisco/aaa/cisco_cli_net_sniff.yml -------------------------------------------------------------------------------- /src/main/config/rules/network/cisco/bgp/cisco_bgp_md5_auth_failed.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/network/cisco/bgp/cisco_bgp_md5_auth_failed.yml -------------------------------------------------------------------------------- /src/main/config/rules/network/cisco/ldp/cisco_ldp_md5_auth_failed.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/network/cisco/ldp/cisco_ldp_md5_auth_failed.yml -------------------------------------------------------------------------------- /src/main/config/rules/network/firewall/net_firewall_cleartext_protocols.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/network/firewall/net_firewall_cleartext_protocols.yml -------------------------------------------------------------------------------- /src/main/config/rules/network/firewall/net_firewall_high_dns_bytes_out.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/network/firewall/net_firewall_high_dns_bytes_out.yml -------------------------------------------------------------------------------- /src/main/config/rules/network/zeek/zeek_dce_rpc_domain_user_enumeration.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/network/zeek/zeek_dce_rpc_domain_user_enumeration.yml -------------------------------------------------------------------------------- /src/main/config/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml -------------------------------------------------------------------------------- /src/main/config/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml -------------------------------------------------------------------------------- /src/main/config/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml -------------------------------------------------------------------------------- /src/main/config/rules/network/zeek/zeek_dns_mining_pools.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/network/zeek/zeek_dns_mining_pools.yml -------------------------------------------------------------------------------- /src/main/config/rules/network/zeek/zeek_dns_nkn.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/network/zeek/zeek_dns_nkn.yml -------------------------------------------------------------------------------- /src/main/config/rules/network/zeek/zeek_dns_susp_zbit_flag.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/network/zeek/zeek_dns_susp_zbit_flag.yml -------------------------------------------------------------------------------- /src/main/config/rules/network/zeek/zeek_dns_torproxy.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/network/zeek/zeek_dns_torproxy.yml -------------------------------------------------------------------------------- /src/main/config/rules/network/zeek/zeek_http_omigod_no_auth_rce.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/network/zeek/zeek_http_omigod_no_auth_rce.yml -------------------------------------------------------------------------------- /src/main/config/rules/network/zeek/zeek_http_webdav_put_request.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/network/zeek/zeek_http_webdav_put_request.yml -------------------------------------------------------------------------------- /src/main/config/rules/network/zeek/zeek_rdp_public_listener.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/network/zeek/zeek_rdp_public_listener.yml -------------------------------------------------------------------------------- /src/main/config/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml -------------------------------------------------------------------------------- /src/main/config/rules/network/zeek/zeek_smb_converted_win_lm_namedpipe.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/network/zeek/zeek_smb_converted_win_lm_namedpipe.yml -------------------------------------------------------------------------------- /src/main/config/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml -------------------------------------------------------------------------------- /src/main/config/rules/network/zeek/zeek_susp_kerberos_rc4.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/network/zeek/zeek_susp_kerberos_rc4.yml -------------------------------------------------------------------------------- /src/main/config/rules/okta/okta_admin_role_assigned_to_user_or_group.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/okta/okta_admin_role_assigned_to_user_or_group.yml -------------------------------------------------------------------------------- /src/main/config/rules/okta/okta_admin_role_assignment_created.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/okta/okta_admin_role_assignment_created.yml -------------------------------------------------------------------------------- /src/main/config/rules/okta/okta_api_token_created.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/okta/okta_api_token_created.yml -------------------------------------------------------------------------------- /src/main/config/rules/okta/okta_api_token_revoked.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/okta/okta_api_token_revoked.yml -------------------------------------------------------------------------------- /src/main/config/rules/okta/okta_application_modified_or_deleted.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/okta/okta_application_modified_or_deleted.yml -------------------------------------------------------------------------------- /src/main/config/rules/okta/okta_mfa_reset_or_deactivated.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/okta/okta_mfa_reset_or_deactivated.yml -------------------------------------------------------------------------------- /src/main/config/rules/okta/okta_network_zone_deactivated_or_deleted.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/okta/okta_network_zone_deactivated_or_deleted.yml -------------------------------------------------------------------------------- /src/main/config/rules/okta/okta_policy_modified_or_deleted.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/okta/okta_policy_modified_or_deleted.yml -------------------------------------------------------------------------------- /src/main/config/rules/okta/okta_policy_rule_modified_or_deleted.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/okta/okta_policy_rule_modified_or_deleted.yml -------------------------------------------------------------------------------- /src/main/config/rules/okta/okta_security_threat_detected.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/okta/okta_security_threat_detected.yml -------------------------------------------------------------------------------- /src/main/config/rules/okta/okta_unauthorized_access_to_app.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/okta/okta_unauthorized_access_to_app.yml -------------------------------------------------------------------------------- /src/main/config/rules/okta/okta_user_account_locked_out.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/okta/okta_user_account_locked_out.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_application/antivirus/av_exploiting.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_application/antivirus/av_exploiting.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_application/antivirus/av_hacktool.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_application/antivirus/av_hacktool.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_application/antivirus/av_password_dumper.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_application/antivirus/av_password_dumper.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_application/antivirus/av_ransomware.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_application/antivirus/av_ransomware.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_application/antivirus/av_relevant_files.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_application/antivirus/av_relevant_files.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_application/antivirus/av_webshell.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_application/antivirus/av_webshell.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_application/sql/app_sqlinjection_errors.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_application/sql/app_sqlinjection_errors.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_apt/apt_silence_downloader_v3.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_apt/apt_silence_downloader_v3.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_apt/apt_silence_eda.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_apt/apt_silence_eda.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_cloud/azure/azure_account_lockout.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_cloud/azure/azure_account_lockout.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_cloud/azure/azure_app_appid_uri_changes.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_cloud/azure/azure_app_appid_uri_changes.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_cloud/azure/azure_app_credential_added.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_cloud/azure/azure_app_credential_added.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_cloud/azure/azure_app_owner_added.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_cloud/azure/azure_app_owner_added.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_cloud/azure/azure_app_ropc_authentication.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_cloud/azure/azure_app_ropc_authentication.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_cloud/azure/azure_app_uri_modifications.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_cloud/azure/azure_app_uri_modifications.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_cloud/azure/azure_application_deleted.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_cloud/azure/azure_application_deleted.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_cloud/azure/azure_blocked_account_attempt.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_cloud/azure/azure_blocked_account_attempt.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_cloud/azure/azure_federation_modified.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_cloud/azure/azure_federation_modified.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_cloud/azure/azure_kubernetes_cronjob.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_cloud/azure/azure_kubernetes_cronjob.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_cloud/azure/azure_kubernetes_pods_deleted.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_cloud/azure/azure_kubernetes_pods_deleted.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_cloud/azure/azure_kubernetes_role_access.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_cloud/azure/azure_kubernetes_role_access.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_cloud/azure/azure_mfa_denies.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_cloud/azure/azure_mfa_denies.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_cloud/azure/azure_mfa_disabled.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_cloud/azure/azure_mfa_disabled.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_cloud/azure/azure_mfa_interrupted.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_cloud/azure/azure_mfa_interrupted.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_cloud/azure/azure_new_cloudshell_created.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_cloud/azure/azure_new_cloudshell_created.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_cloud/azure/azure_rare_operations.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_cloud/azure/azure_rare_operations.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_cloud/azure/azure_suppression_rule_created.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_cloud/azure/azure_suppression_rule_created.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_cloud/gcp/gcp_bucket_enumeration.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_cloud/gcp/gcp_bucket_enumeration.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_cloud/gcp/gcp_bucket_modified_or_deleted.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_cloud/gcp/gcp_bucket_modified_or_deleted.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_cloud/gcp/gcp_dns_zone_modified_or_deleted.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_cloud/gcp/gcp_dns_zone_modified_or_deleted.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_cloud/gcp/gcp_kubernetes_cronjob.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_cloud/gcp/gcp_kubernetes_cronjob.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_cloud/gcp/gcp_kubernetes_rolebinding.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_cloud/gcp/gcp_kubernetes_rolebinding.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_cloud/gcp/gcp_service_account_modified.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_cloud/gcp/gcp_service_account_modified.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_cloud/gworkspace/gworkspace_mfa_disabled.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_cloud/gworkspace/gworkspace_mfa_disabled.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_cloud/okta/okta_api_token_created.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_cloud/okta/okta_api_token_created.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_cloud/okta/okta_api_token_revoked.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_cloud/okta/okta_api_token_revoked.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_cloud/okta/okta_mfa_reset_or_deactivated.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_cloud/okta/okta_mfa_reset_or_deactivated.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_cloud/okta/okta_policy_modified_or_deleted.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_cloud/okta/okta_policy_modified_or_deleted.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_cloud/okta/okta_security_threat_detected.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_cloud/okta/okta_security_threat_detected.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_cloud/okta/okta_unauthorized_access_to_app.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_cloud/okta/okta_unauthorized_access_to_app.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_cloud/okta/okta_user_account_locked_out.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_cloud/okta/okta_user_account_locked_out.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_compliance/default_credentials_usage.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_compliance/default_credentials_usage.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_compliance/firewall_cleartext_protocols.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_compliance/firewall_cleartext_protocols.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_compliance/group_modification_logging.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_compliance/group_modification_logging.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_compliance/host_without_firewall.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_compliance/host_without_firewall.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_compliance/netflow_cleartext_protocols.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_compliance/netflow_cleartext_protocols.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_compliance/workstation_was_locked.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_compliance/workstation_was_locked.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_proxy/proxy_apt40.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_proxy/proxy_apt40.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_proxy/proxy_apt_domestic_kitten.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_proxy/proxy_apt_domestic_kitten.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_proxy/proxy_baby_shark.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_proxy/proxy_baby_shark.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_proxy/proxy_chafer_malware.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_proxy/proxy_chafer_malware.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_proxy/proxy_cobalt_amazon.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_proxy/proxy_cobalt_amazon.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_proxy/proxy_cobalt_malformed_uas.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_proxy/proxy_cobalt_malformed_uas.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_proxy/proxy_cobalt_ocsp.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_proxy/proxy_cobalt_ocsp.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_proxy/proxy_cobalt_onedrive.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_proxy/proxy_cobalt_onedrive.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_proxy/proxy_download_susp_dyndns.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_proxy/proxy_download_susp_dyndns.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_proxy/proxy_download_susp_tlds_blacklist.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_proxy/proxy_download_susp_tlds_blacklist.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_proxy/proxy_download_susp_tlds_whitelist.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_proxy/proxy_download_susp_tlds_whitelist.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_proxy/proxy_downloadcradle_webdav.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_proxy/proxy_downloadcradle_webdav.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_proxy/proxy_empire_ua_uri_combos.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_proxy/proxy_empire_ua_uri_combos.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_proxy/proxy_empty_ua.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_proxy/proxy_empty_ua.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_proxy/proxy_ios_implant.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_proxy/proxy_ios_implant.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_proxy/proxy_java_class_download.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_proxy/proxy_java_class_download.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_proxy/proxy_powershell_ua.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_proxy/proxy_powershell_ua.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_proxy/proxy_pwndrop.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_proxy/proxy_pwndrop.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_proxy/proxy_raw_paste_service_access.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_proxy/proxy_raw_paste_service_access.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_proxy/proxy_susp_flash_download_loc.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_proxy/proxy_susp_flash_download_loc.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_proxy/proxy_telegram_api.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_proxy/proxy_telegram_api.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_proxy/proxy_turla_comrat.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_proxy/proxy_turla_comrat.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_proxy/proxy_ua_apt.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_proxy/proxy_ua_apt.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_proxy/proxy_ua_bitsadmin_susp_ip.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_proxy/proxy_ua_bitsadmin_susp_ip.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_proxy/proxy_ua_bitsadmin_susp_tld.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_proxy/proxy_ua_bitsadmin_susp_tld.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_proxy/proxy_ua_cryptominer.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_proxy/proxy_ua_cryptominer.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_proxy/proxy_ua_frameworks.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_proxy/proxy_ua_frameworks.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_proxy/proxy_ua_hacktool.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_proxy/proxy_ua_hacktool.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_proxy/proxy_ua_malware.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_proxy/proxy_ua_malware.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_proxy/proxy_ua_susp.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_proxy/proxy_ua_susp.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_proxy/proxy_ursnif_malware_c2_url.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_proxy/proxy_ursnif_malware_c2_url.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_proxy/proxy_ursnif_malware_download_url.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_proxy/proxy_ursnif_malware_download_url.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_web/web_apache_segfault.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_web/web_apache_segfault.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_web/web_apache_threading_error.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_web/web_apache_threading_error.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_web/web_cve_2010_5278_exploitation_attempt.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_web/web_cve_2010_5278_exploitation_attempt.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_web/web_cve_2018_2894_weblogic_exploit.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_web/web_cve_2018_2894_weblogic_exploit.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_web/web_cve_2019_11510_pulsesecure_exploit.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_web/web_cve_2019_11510_pulsesecure_exploit.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_web/web_cve_2019_19781_citrix_exploit.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_web/web_cve_2019_19781_citrix_exploit.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_web/web_cve_2019_3398_confluence.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_web/web_cve_2019_3398_confluence.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_web/web_cve_2020_0688_exchange_exploit.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_web/web_cve_2020_0688_exchange_exploit.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_web/web_cve_2020_0688_msexchange.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_web/web_cve_2020_0688_msexchange.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_web/web_cve_2020_10148_solarwinds_exploit.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_web/web_cve_2020_10148_solarwinds_exploit.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_web/web_cve_2020_14882_weblogic_exploit.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_web/web_cve_2020_14882_weblogic_exploit.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_web/web_cve_2020_3452_cisco_asa_ftd.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_web/web_cve_2020_3452_cisco_asa_ftd.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_web/web_cve_2020_5902_f5_bigip.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_web/web_cve_2020_5902_f5_bigip.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_web/web_cve_2020_8193_8195_citrix_exploit.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_web/web_cve_2020_8193_8195_citrix_exploit.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_web/web_cve_2021_2109_weblogic_rce_exploit.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_web/web_cve_2021_2109_weblogic_rce_exploit.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_web/web_cve_2021_22005_vmware_file_upload.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_web/web_cve_2021_22005_vmware_file_upload.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_web/web_cve_2021_22123_fortinet_exploit.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_web/web_cve_2021_22123_fortinet_exploit.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_web/web_cve_2021_26814_wzuh_rce.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_web/web_cve_2021_26814_wzuh_rce.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_web/web_cve_2021_26858_iis_rce.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_web/web_cve_2021_26858_iis_rce.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_web/web_cve_2021_28480_exchange_exploit.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_web/web_cve_2021_28480_exchange_exploit.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_web/web_cve_2021_40539_adselfservice.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_web/web_cve_2021_40539_adselfservice.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_web/web_cve_2021_43798_grafana.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_web/web_cve_2021_43798_grafana.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_web/web_cve_2021_44228_log4j.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_web/web_cve_2021_44228_log4j.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_web/web_cve_2021_44228_log4j_fields.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_web/web_cve_2021_44228_log4j_fields.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_web/web_exchange_exploitation_hafnium.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_web/web_exchange_exploitation_hafnium.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_web/web_exchange_proxyshell.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_web/web_exchange_proxyshell.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_web/web_exchange_proxyshell_successful.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_web/web_exchange_proxyshell_successful.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_web/web_iis_tilt_shortname_scan.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_web/web_iis_tilt_shortname_scan.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_web/web_java_payload_in_access_logs.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_web/web_java_payload_in_access_logs.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_web/web_jndi_exploit.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_web/web_jndi_exploit.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_web/web_nginx_core_dump.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_web/web_nginx_core_dump.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_web/web_solarwinds_supernova_webshell.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_web/web_solarwinds_supernova_webshell.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_web/web_sonicwall_jarrewrite_exploit.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_web/web_sonicwall_jarrewrite_exploit.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_web/web_source_code_enumeration.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_web/web_source_code_enumeration.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_web/web_sql_injection_in_access_logs.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_web/web_sql_injection_in_access_logs.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_web/web_ssti_in_access_logs.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_web/web_ssti_in_access_logs.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_web/web_susp_windows_path_uri.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_web/web_susp_windows_path_uri.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_web/web_unc2546_dewmode_php_webshell.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_web/web_unc2546_dewmode_php_webshell.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_web/web_webshell_regeorg.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_web/web_webshell_regeorg.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_web/web_win_webshells_in_access_logs.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_web/web_win_webshells_in_access_logs.yml -------------------------------------------------------------------------------- /src/main/config/rules/others_web/web_xss_in_access_logs.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/others_web/web_xss_in_access_logs.yml -------------------------------------------------------------------------------- /src/main/config/rules/rule_categories.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/rule_categories.json -------------------------------------------------------------------------------- /src/main/config/rules/s3/aws_s3_data_management_tampering.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/s3/aws_s3_data_management_tampering.yml -------------------------------------------------------------------------------- /src/main/config/rules/test_windows/proc_creation_win_system_exe_anomaly.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/test_windows/proc_creation_win_system_exe_anomaly.yml -------------------------------------------------------------------------------- /src/main/config/rules/test_windows/win_sample_rule.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/test_windows/win_sample_rule.yml -------------------------------------------------------------------------------- /src/main/config/rules/waf/aws_waf/aws_waf_web_susp_useragents.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/waf/aws_waf/aws_waf_web_susp_useragents.yml -------------------------------------------------------------------------------- /src/main/config/rules/waf/web_sql_injection_in_access_logs.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/waf/web_sql_injection_in_access_logs.yml -------------------------------------------------------------------------------- /src/main/config/rules/waf/web_susp_useragents.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/waf/web_susp_useragents.yml -------------------------------------------------------------------------------- /src/main/config/rules/waf/web_xss_in_access_logs.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/waf/web_xss_in_access_logs.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/builtin/application/win_audit_cve.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/builtin/application/win_audit_cve.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/builtin/application/win_av_relevant_match.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/builtin/application/win_av_relevant_match.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/builtin/application/win_vul_cve_2020_0688.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/builtin/application/win_vul_cve_2020_0688.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/builtin/dns_server/win_apt_gallium.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/builtin/dns_server/win_apt_gallium.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/builtin/dns_server/win_susp_dns_config.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/builtin/dns_server/win_susp_dns_config.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/builtin/firewall_as/win_firewall_as_reset.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/builtin/firewall_as/win_firewall_as_reset.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/builtin/ldap/win_ldap_recon.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/builtin/ldap/win_ldap_recon.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/builtin/ntlm/win_susp_ntlm_auth.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/builtin/ntlm/win_susp_ntlm_auth.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/builtin/ntlm/win_susp_ntlm_brute_force.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/builtin/ntlm/win_susp_ntlm_brute_force.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/builtin/ntlm/win_susp_ntlm_rdp.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/builtin/ntlm/win_susp_ntlm_rdp.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/builtin/security/win_account_discovery.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/builtin/security/win_account_discovery.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/builtin/security/win_ad_user_enumeration.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/builtin/security/win_ad_user_enumeration.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/builtin/security/win_admin_rdp_login.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/builtin/security/win_admin_rdp_login.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/builtin/security/win_admin_share_access.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/builtin/security/win_admin_share_access.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/builtin/security/win_alert_ruler.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/builtin/security/win_alert_ruler.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/builtin/security/win_apt_slingshot.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/builtin/security/win_apt_slingshot.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/builtin/security/win_apt_wocao.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/builtin/security/win_apt_wocao.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/builtin/security/win_atsvc_task.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/builtin/security/win_atsvc_task.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/builtin/security/win_dcsync.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/builtin/security/win_dcsync.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/builtin/security/win_defender_bypass.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/builtin/security/win_defender_bypass.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/builtin/security/win_etw_modification.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/builtin/security/win_etw_modification.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/builtin/security/win_event_log_cleared.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/builtin/security/win_event_log_cleared.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/builtin/security/win_external_device.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/builtin/security/win_external_device.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/builtin/security/win_gpo_scheduledtasks.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/builtin/security/win_gpo_scheduledtasks.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/builtin/security/win_hidden_user_creation.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/builtin/security/win_hidden_user_creation.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/builtin/security/win_impacket_psexec.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/builtin/security/win_impacket_psexec.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/builtin/security/win_impacket_secretdump.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/builtin/security/win_impacket_secretdump.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/builtin/security/win_iso_mount.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/builtin/security/win_iso_mount.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/builtin/security/win_lm_namedpipe.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/builtin/security/win_lm_namedpipe.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/builtin/security/win_mal_wceaux_dll.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/builtin/security/win_mal_wceaux_dll.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/builtin/security/win_net_ntlm_downgrade.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/builtin/security/win_net_ntlm_downgrade.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/builtin/security/win_overpass_the_hash.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/builtin/security/win_overpass_the_hash.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/builtin/security/win_pass_the_hash.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/builtin/security/win_pass_the_hash.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/builtin/security/win_pass_the_hash_2.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/builtin/security/win_pass_the_hash_2.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/builtin/security/win_possible_dc_shadow.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/builtin/security/win_possible_dc_shadow.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/builtin/security/win_rdp_localhost_login.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/builtin/security/win_rdp_localhost_login.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/builtin/security/win_rdp_reverse_tunnel.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/builtin/security/win_rdp_reverse_tunnel.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/builtin/security/win_susp_add_sid_history.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/builtin/security/win_susp_add_sid_history.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/builtin/security/win_susp_krbrelayup.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/builtin/security/win_susp_krbrelayup.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/builtin/security/win_susp_lsass_dump.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/builtin/security/win_susp_lsass_dump.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/builtin/security/win_susp_psexec.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/builtin/security/win_susp_psexec.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/builtin/security/win_susp_rc4_kerberos.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/builtin/security/win_susp_rc4_kerberos.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/builtin/security/win_susp_rottenpotato.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/builtin/security/win_susp_rottenpotato.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/builtin/security/win_susp_samr_pwset.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/builtin/security/win_susp_samr_pwset.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/builtin/security/win_susp_sdelete.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/builtin/security/win_susp_sdelete.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/builtin/security/win_susp_wmi_login.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/builtin/security/win_susp_wmi_login.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/builtin/security/win_user_creation.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/builtin/security/win_user_creation.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/builtin/security/win_user_driver_loaded.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/builtin/security/win_user_driver_loaded.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/builtin/system/win_apt_carbonpaper_turla.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/builtin/system/win_apt_carbonpaper_turla.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/builtin/system/win_apt_stonedrill.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/builtin/system/win_apt_stonedrill.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/builtin/system/win_apt_turla_service_png.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/builtin/system/win_apt_turla_service_png.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/builtin/system/win_eventlog_cleared.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/builtin/system/win_eventlog_cleared.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/builtin/system/win_hack_smbexec.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/builtin/system/win_hack_smbexec.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/builtin/system/win_lsasrv_ntlmv1.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/builtin/system/win_lsasrv_ntlmv1.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/builtin/system/win_mal_creddumper.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/builtin/system/win_mal_creddumper.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/builtin/system/win_moriya_rootkit.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/builtin/system/win_moriya_rootkit.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/builtin/system/win_ntfs_vuln_exploit.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/builtin/system/win_ntfs_vuln_exploit.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/builtin/system/win_pcap_drivers.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/builtin/system/win_pcap_drivers.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/builtin/system/win_rare_service_installs.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/builtin/system/win_rare_service_installs.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/builtin/system/win_sample_rule.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/builtin/system/win_sample_rule.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/builtin/system/win_service_hacktools.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/builtin/system/win_service_hacktools.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/builtin/system/win_susp_dhcp_config.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/builtin/system/win_susp_dhcp_config.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/builtin/system/win_susp_proceshacker.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/builtin/system/win_susp_proceshacker.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/builtin/system/win_susp_sam_dump.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/builtin/system/win_susp_sam_dump.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/builtin/system/win_tool_psexec.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/builtin/system/win_tool_psexec.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/builtin/system/win_vul_cve_2020_1472.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/builtin/system/win_vul_cve_2020_1472.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/builtin/win_alert_mimikatz_keywords.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/builtin/win_alert_mimikatz_keywords.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/builtin/win_susp_logon_newcredentials.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/builtin/win_susp_logon_newcredentials.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/builtin/windefend/win_alert_lsass_access.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/builtin/windefend/win_alert_lsass_access.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/builtin/windefend/win_defender_disabled.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/builtin/windefend/win_defender_disabled.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/builtin/windefend/win_defender_exclusions.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/builtin/windefend/win_defender_exclusions.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/builtin/windefend/win_defender_threat.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/builtin/windefend/win_defender_threat.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/builtin/wmi/win_wmi_persistence.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/builtin/wmi/win_wmi_persistence.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/create_remote_thread/sysmon_cactustorch.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/create_remote_thread/sysmon_cactustorch.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/create_stream_hash/sysmon_ads_executable.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/create_stream_hash/sysmon_ads_executable.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/dns_query/dns_query_win_ammyy.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/dns_query/dns_query_win_ammyy.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/dns_query/dns_query_win_gotoopener.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/dns_query/dns_query_win_gotoopener.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/dns_query/dns_query_win_logmein.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/dns_query/dns_query_win_logmein.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/dns_query/dns_query_win_mal_cobaltstrike.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/dns_query/dns_query_win_mal_cobaltstrike.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/dns_query/dns_query_win_mega_nz.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/dns_query/dns_query_win_mega_nz.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/dns_query/dns_query_win_susp_ipify.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/dns_query/dns_query_win_susp_ipify.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/dns_query/dns_query_win_susp_teamviewer.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/dns_query/dns_query_win_susp_teamviewer.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/dns_query/dns_query_win_tor_onion.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/dns_query/dns_query_win_tor_onion.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/dns_query/dns_query_win_ufile_io.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/dns_query/dns_query_win_ufile_io.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/driver_load/driver_load_mal_creddumper.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/driver_load/driver_load_mal_creddumper.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/driver_load/driver_load_susp_temp_use.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/driver_load/driver_load_susp_temp_use.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/driver_load/driver_load_windivert.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/driver_load/driver_load_windivert.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/file_event/file_event_win_hack_dumpert.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/file_event/file_event_win_hack_dumpert.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/file_event/file_event_win_hktl_nppspy.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/file_event/file_event_win_hktl_nppspy.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/file_event/file_event_win_lsass_dump.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/file_event/file_event_win_lsass_dump.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/file_event/file_event_win_macro_file.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/file_event/file_event_win_macro_file.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/file_event/file_event_win_mal_adwind.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/file_event/file_event_win_mal_adwind.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/file_event/file_event_win_new_src_file.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/file_event/file_event_win_new_src_file.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/file_event/file_event_win_ntds_dit.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/file_event/file_event_win_ntds_dit.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/file_event/file_event_win_sam_dump.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/file_event/file_event_win_sam_dump.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/file_event/file_event_win_susp_diagcab.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/file_event/file_event_win_susp_diagcab.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/file_event/file_event_win_susp_dropper.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/file_event/file_event_win_susp_dropper.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/file_event/file_event_win_tool_psexec.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/file_event/file_event_win_tool_psexec.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/image_load/image_load_msdt_sdiageng.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/image_load/image_load_msdt_sdiageng.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/image_load/image_load_pcre_net_load.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/image_load/image_load_pcre_net_load.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/image_load/image_load_spoolsv_dll_load.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/image_load/image_load_spoolsv_dll_load.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/image_load/image_load_susp_fax_dll.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/image_load/image_load_susp_fax_dll.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/image_load/image_load_susp_image_load.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/image_load/image_load_susp_image_load.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/image_load/image_load_susp_vss_ps_load.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/image_load/image_load_susp_vss_ps_load.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/image_load/image_load_wmi_module_load.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/image_load/image_load_wmi_module_load.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/pipe_created/pipe_created_tool_psexec.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/pipe_created/pipe_created_tool_psexec.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/sysmon/sysmon_config_modification.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/sysmon/sysmon_config_modification.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/sysmon/sysmon_dcom_iertutil_dll_hijack.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/sysmon/sysmon_dcom_iertutil_dll_hijack.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/sysmon/sysmon_process_hollowing.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/sysmon/sysmon_process_hollowing.yml -------------------------------------------------------------------------------- /src/main/config/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/config/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml -------------------------------------------------------------------------------- /src/main/grammars/Aggregation.g4: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/grammars/Aggregation.g4 -------------------------------------------------------------------------------- /src/main/grammars/Condition.g4: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/grammars/Condition.g4 -------------------------------------------------------------------------------- /src/main/java/org/opensearch/securityanalytics/action/AlertDto.java: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/java/org/opensearch/securityanalytics/action/AlertDto.java -------------------------------------------------------------------------------- /src/main/java/org/opensearch/securityanalytics/action/FindingDto.java: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/java/org/opensearch/securityanalytics/action/FindingDto.java -------------------------------------------------------------------------------- /src/main/java/org/opensearch/securityanalytics/alerts/AlertsService.java: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/java/org/opensearch/securityanalytics/alerts/AlertsService.java -------------------------------------------------------------------------------- /src/main/java/org/opensearch/securityanalytics/mapper/MapperService.java: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/java/org/opensearch/securityanalytics/mapper/MapperService.java -------------------------------------------------------------------------------- /src/main/java/org/opensearch/securityanalytics/mapper/MapperUtils.java: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/java/org/opensearch/securityanalytics/mapper/MapperUtils.java -------------------------------------------------------------------------------- /src/main/java/org/opensearch/securityanalytics/model/CustomLogType.java: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/java/org/opensearch/securityanalytics/model/CustomLogType.java -------------------------------------------------------------------------------- /src/main/java/org/opensearch/securityanalytics/model/Detector.java: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/java/org/opensearch/securityanalytics/model/Detector.java -------------------------------------------------------------------------------- /src/main/java/org/opensearch/securityanalytics/model/DetectorInput.java: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/java/org/opensearch/securityanalytics/model/DetectorInput.java -------------------------------------------------------------------------------- /src/main/java/org/opensearch/securityanalytics/model/DetectorRule.java: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/java/org/opensearch/securityanalytics/model/DetectorRule.java -------------------------------------------------------------------------------- /src/main/java/org/opensearch/securityanalytics/model/LogType.java: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/java/org/opensearch/securityanalytics/model/LogType.java -------------------------------------------------------------------------------- /src/main/java/org/opensearch/securityanalytics/model/Rule.java: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/java/org/opensearch/securityanalytics/model/Rule.java -------------------------------------------------------------------------------- /src/main/java/org/opensearch/securityanalytics/model/RuleCategory.java: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/java/org/opensearch/securityanalytics/model/RuleCategory.java -------------------------------------------------------------------------------- /src/main/java/org/opensearch/securityanalytics/model/STIX2IOC.java: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/java/org/opensearch/securityanalytics/model/STIX2IOC.java -------------------------------------------------------------------------------- /src/main/java/org/opensearch/securityanalytics/model/STIX2IOCDto.java: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/java/org/opensearch/securityanalytics/model/STIX2IOCDto.java -------------------------------------------------------------------------------- /src/main/java/org/opensearch/securityanalytics/model/Value.java: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/java/org/opensearch/securityanalytics/model/Value.java -------------------------------------------------------------------------------- /src/main/java/org/opensearch/securityanalytics/rules/utils/AnyOneOf.java: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/java/org/opensearch/securityanalytics/rules/utils/AnyOneOf.java -------------------------------------------------------------------------------- /src/main/java/org/opensearch/securityanalytics/rules/utils/Either.java: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/java/org/opensearch/securityanalytics/rules/utils/Either.java -------------------------------------------------------------------------------- /src/main/java/org/opensearch/securityanalytics/rules/utils/Left.java: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/java/org/opensearch/securityanalytics/rules/utils/Left.java -------------------------------------------------------------------------------- /src/main/java/org/opensearch/securityanalytics/rules/utils/Middle.java: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/java/org/opensearch/securityanalytics/rules/utils/Middle.java -------------------------------------------------------------------------------- /src/main/java/org/opensearch/securityanalytics/rules/utils/Right.java: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/java/org/opensearch/securityanalytics/rules/utils/Right.java -------------------------------------------------------------------------------- /src/main/java/org/opensearch/securityanalytics/util/DetectorIndices.java: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/java/org/opensearch/securityanalytics/util/DetectorIndices.java -------------------------------------------------------------------------------- /src/main/java/org/opensearch/securityanalytics/util/DetectorUtils.java: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/java/org/opensearch/securityanalytics/util/DetectorUtils.java -------------------------------------------------------------------------------- /src/main/java/org/opensearch/securityanalytics/util/FileUtils.java: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/java/org/opensearch/securityanalytics/util/FileUtils.java -------------------------------------------------------------------------------- /src/main/java/org/opensearch/securityanalytics/util/IndexUtils.java: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/java/org/opensearch/securityanalytics/util/IndexUtils.java -------------------------------------------------------------------------------- /src/main/java/org/opensearch/securityanalytics/util/MonitorService.java: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/java/org/opensearch/securityanalytics/util/MonitorService.java -------------------------------------------------------------------------------- /src/main/java/org/opensearch/securityanalytics/util/RuleIndices.java: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/java/org/opensearch/securityanalytics/util/RuleIndices.java -------------------------------------------------------------------------------- /src/main/java/org/opensearch/securityanalytics/util/RuleValidator.java: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/java/org/opensearch/securityanalytics/util/RuleValidator.java -------------------------------------------------------------------------------- /src/main/java/org/opensearch/securityanalytics/util/WorkflowService.java: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/java/org/opensearch/securityanalytics/util/WorkflowService.java -------------------------------------------------------------------------------- /src/main/java/org/opensearch/securityanalytics/util/XContentUtils.java: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/java/org/opensearch/securityanalytics/util/XContentUtils.java -------------------------------------------------------------------------------- /src/main/plugin-metadata/plugin-security.policy: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/plugin-metadata/plugin-security.policy -------------------------------------------------------------------------------- /src/main/resources/META-INF/services/org.apache.lucene.codecs.Codec: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/resources/META-INF/services/org.apache.lucene.codecs.Codec -------------------------------------------------------------------------------- /src/main/resources/OSMapping/ad_ldap_logtype.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/resources/OSMapping/ad_ldap_logtype.json -------------------------------------------------------------------------------- /src/main/resources/OSMapping/apache_access_logtype.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/resources/OSMapping/apache_access_logtype.json -------------------------------------------------------------------------------- /src/main/resources/OSMapping/azure_logtype.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/resources/OSMapping/azure_logtype.json -------------------------------------------------------------------------------- /src/main/resources/OSMapping/cloudtrail_logtype.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/resources/OSMapping/cloudtrail_logtype.json -------------------------------------------------------------------------------- /src/main/resources/OSMapping/dns_logtype.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/resources/OSMapping/dns_logtype.json -------------------------------------------------------------------------------- /src/main/resources/OSMapping/github_logtype.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/resources/OSMapping/github_logtype.json -------------------------------------------------------------------------------- /src/main/resources/OSMapping/gworkspace_logtype.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/resources/OSMapping/gworkspace_logtype.json -------------------------------------------------------------------------------- /src/main/resources/OSMapping/linux_logtype.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/resources/OSMapping/linux_logtype.json -------------------------------------------------------------------------------- /src/main/resources/OSMapping/logtypes.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/resources/OSMapping/logtypes.json -------------------------------------------------------------------------------- /src/main/resources/OSMapping/m365_logtype.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/resources/OSMapping/m365_logtype.json -------------------------------------------------------------------------------- /src/main/resources/OSMapping/netflow_logtype.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/resources/OSMapping/netflow_logtype.json -------------------------------------------------------------------------------- /src/main/resources/OSMapping/network_logtype.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/resources/OSMapping/network_logtype.json -------------------------------------------------------------------------------- /src/main/resources/OSMapping/okta_logtype.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/resources/OSMapping/okta_logtype.json -------------------------------------------------------------------------------- /src/main/resources/OSMapping/others_application_logtype.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/resources/OSMapping/others_application_logtype.json -------------------------------------------------------------------------------- /src/main/resources/OSMapping/others_apt_logtype.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/resources/OSMapping/others_apt_logtype.json -------------------------------------------------------------------------------- /src/main/resources/OSMapping/others_cloud_logtype.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/resources/OSMapping/others_cloud_logtype.json -------------------------------------------------------------------------------- /src/main/resources/OSMapping/others_compliance_logtype.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/resources/OSMapping/others_compliance_logtype.json -------------------------------------------------------------------------------- /src/main/resources/OSMapping/others_macos_logtype.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/resources/OSMapping/others_macos_logtype.json -------------------------------------------------------------------------------- /src/main/resources/OSMapping/others_proxy_logtype.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/resources/OSMapping/others_proxy_logtype.json -------------------------------------------------------------------------------- /src/main/resources/OSMapping/others_web_logtype.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/resources/OSMapping/others_web_logtype.json -------------------------------------------------------------------------------- /src/main/resources/OSMapping/s3_logtype.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/resources/OSMapping/s3_logtype.json -------------------------------------------------------------------------------- /src/main/resources/OSMapping/test_windows_logtype.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/resources/OSMapping/test_windows_logtype.json -------------------------------------------------------------------------------- /src/main/resources/OSMapping/vpcflow_logtype.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/resources/OSMapping/vpcflow_logtype.json -------------------------------------------------------------------------------- /src/main/resources/OSMapping/waf_logtype.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/resources/OSMapping/waf_logtype.json -------------------------------------------------------------------------------- /src/main/resources/OSMapping/windows_logtype.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/resources/OSMapping/windows_logtype.json -------------------------------------------------------------------------------- /src/main/resources/correlations/mitre_correlation.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/resources/correlations/mitre_correlation.json -------------------------------------------------------------------------------- /src/main/resources/mappings/alert_mapping.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/resources/mappings/alert_mapping.json -------------------------------------------------------------------------------- /src/main/resources/mappings/correlation-rules.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/resources/mappings/correlation-rules.json -------------------------------------------------------------------------------- /src/main/resources/mappings/correlation.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/resources/mappings/correlation.json -------------------------------------------------------------------------------- /src/main/resources/mappings/correlation_alert_mapping.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/resources/mappings/correlation_alert_mapping.json -------------------------------------------------------------------------------- /src/main/resources/mappings/detector-settings.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/resources/mappings/detector-settings.json -------------------------------------------------------------------------------- /src/main/resources/mappings/detectors.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/resources/mappings/detectors.json -------------------------------------------------------------------------------- /src/main/resources/mappings/finding_mapping.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/resources/mappings/finding_mapping.json -------------------------------------------------------------------------------- /src/main/resources/mappings/ioc_finding_mapping.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/resources/mappings/ioc_finding_mapping.json -------------------------------------------------------------------------------- /src/main/resources/mappings/log_type_config_mapping.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/resources/mappings/log_type_config_mapping.json -------------------------------------------------------------------------------- /src/main/resources/mappings/rules.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/resources/mappings/rules.json -------------------------------------------------------------------------------- /src/main/resources/mappings/stix2_ioc_mapping.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/resources/mappings/stix2_ioc_mapping.json -------------------------------------------------------------------------------- /src/main/resources/mappings/threat_intel_alert_mapping.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/resources/mappings/threat_intel_alert_mapping.json -------------------------------------------------------------------------------- /src/main/resources/mappings/threat_intel_feed_mapping.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/resources/mappings/threat_intel_feed_mapping.json -------------------------------------------------------------------------------- /src/main/resources/mappings/threat_intel_job_mapping.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/resources/mappings/threat_intel_job_mapping.json -------------------------------------------------------------------------------- /src/main/resources/threatIntelFeed/feedMetadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/resources/threatIntelFeed/feedMetadata.json -------------------------------------------------------------------------------- /src/main/resources/threatIntelFeedInfo/feodo.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/main/resources/threatIntelFeedInfo/feodo.yml -------------------------------------------------------------------------------- /src/test/java/org/opensearch/securityanalytics/LogTypeServiceTests.java: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/test/java/org/opensearch/securityanalytics/LogTypeServiceTests.java -------------------------------------------------------------------------------- /src/test/java/org/opensearch/securityanalytics/TestHelpers.java: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/test/java/org/opensearch/securityanalytics/TestHelpers.java -------------------------------------------------------------------------------- /src/test/java/org/opensearch/securityanalytics/alerts/AlertsIT.java: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/test/java/org/opensearch/securityanalytics/alerts/AlertsIT.java -------------------------------------------------------------------------------- /src/test/java/org/opensearch/securityanalytics/findings/FindingIT.java: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/test/java/org/opensearch/securityanalytics/findings/FindingIT.java -------------------------------------------------------------------------------- /src/test/java/org/opensearch/securityanalytics/model/STIX2IOCTests.java: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/test/java/org/opensearch/securityanalytics/model/STIX2IOCTests.java -------------------------------------------------------------------------------- /src/test/java/org/opensearch/securityanalytics/model/WriteableTests.java: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/test/java/org/opensearch/securityanalytics/model/WriteableTests.java -------------------------------------------------------------------------------- /src/test/java/org/opensearch/securityanalytics/model/XContentTests.java: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/test/java/org/opensearch/securityanalytics/model/XContentTests.java -------------------------------------------------------------------------------- /src/test/java/org/opensearch/securityanalytics/util/IndexUtilsTests.java: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/test/java/org/opensearch/securityanalytics/util/IndexUtilsTests.java -------------------------------------------------------------------------------- /src/test/resources/OSMapping/windows/fieldmappings.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/test/resources/OSMapping/windows/fieldmappings.yml -------------------------------------------------------------------------------- /src/test/resources/OSMapping/windows/mappings.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/test/resources/OSMapping/windows/mappings.json -------------------------------------------------------------------------------- /src/test/resources/ad_ldap-sample.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/test/resources/ad_ldap-sample.json -------------------------------------------------------------------------------- /src/test/resources/azure-sample.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/test/resources/azure-sample.json -------------------------------------------------------------------------------- /src/test/resources/cloudtrail-sample.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/test/resources/cloudtrail-sample.json -------------------------------------------------------------------------------- /src/test/resources/dns-sample.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/test/resources/dns-sample.json -------------------------------------------------------------------------------- /src/test/resources/s3-sample.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/test/resources/s3-sample.json -------------------------------------------------------------------------------- /src/test/resources/sample.pem: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/test/resources/sample.pem -------------------------------------------------------------------------------- /src/test/resources/test-kirk.jks: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/test/resources/test-kirk.jks -------------------------------------------------------------------------------- /src/test/resources/testMissingPath.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/test/resources/testMissingPath.json -------------------------------------------------------------------------------- /src/test/resources/testMultipleAliasesWithSameName.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/test/resources/testMultipleAliasesWithSameName.json -------------------------------------------------------------------------------- /src/test/resources/testValidAliasMappings.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/test/resources/testValidAliasMappings.json -------------------------------------------------------------------------------- /src/test/resources/testValidAliasMappingsSimple.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/test/resources/testValidAliasMappingsSimple.json -------------------------------------------------------------------------------- /src/test/resources/testValidAliasMappingsWithNestedType.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/test/resources/testValidAliasMappingsWithNestedType.json -------------------------------------------------------------------------------- /src/test/resources/threatIntel/custom_schema_ioc/custom_schema_1.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/test/resources/threatIntel/custom_schema_ioc/custom_schema_1.json -------------------------------------------------------------------------------- /src/test/resources/threatIntel/sample_invalid_less_than_two_fields.csv: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/test/resources/threatIntel/sample_invalid_less_than_two_fields.csv -------------------------------------------------------------------------------- /src/test/resources/threatIntel/sample_valid.csv: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/test/resources/threatIntel/sample_valid.csv -------------------------------------------------------------------------------- /src/test/resources/threatIntelFeed/feedMetadata.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/test/resources/threatIntelFeed/feedMetadata.json -------------------------------------------------------------------------------- /src/test/resources/waf-sample.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensearch-project/security-analytics/HEAD/src/test/resources/waf-sample.json --------------------------------------------------------------------------------