path	# lines of code	# active days	days since first update	days since last update	# commits	# contributors	first updated	last updated	first contributor	last contributor
rules/network/command_and_control_accepted_default_telnet_port_connection.toml	102	10	919	112	12	6	2022-11-07	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml	115	31	1779	112	36	14	2020-06-30	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/network/lateral_movement_dns_server_overflow.toml	75	6	801	357	8	5	2023-03-05	2024-05-22	16747370+brokensound77@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/network/command_and_control_fin7_c2_behavior.toml	56	28	1687	112	32	12	2020-09-30	2025-01-22	7442091+peasead@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml	125	33	1779	112	38	14	2020-06-30	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/network/command_and_control_halfbaked_beacon.toml	83	25	1687	112	29	10	2020-09-30	2025-01-22	7442091+peasead@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/network/command_and_control_download_rar_powershell_from_internet.toml	111	27	1687	112	31	13	2020-09-30	2025-01-22	7442091+peasead@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/network/command_and_control_cobalt_strike_beacon.toml	85	26	1687	112	30	10	2020-09-30	2025-01-22	7442091+peasead@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml	106	31	1779	112	36	14	2020-06-30	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/network/initial_access_unsecure_elasticsearch_node.toml	74	24	1687	112	28	10	2020-09-30	2025-01-22	7442091+peasead@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/network/command_and_control_port_26_activity.toml	77	32	1779	112	36	13	2020-06-30	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml	86	20	1617	112	25	8	2020-12-09	2025-01-22	7442091+peasead@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/network/command_and_control_nat_traversal_port_activity.toml	67	30	1779	112	34	13	2020-06-30	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml	97	31	1779	112	36	14	2020-06-30	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml	97	31	1779	112	36	14	2020-06-30	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/network/discovery_potential_port_scan_detected.toml	93	14	675	75	16	8	2023-07-09	2025-02-28	99642919+1337-42@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml	108	31	1779	112	36	14	2020-06-30	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/network/discovery_potential_network_sweep_detected.toml	93	14	675	75	16	8	2023-07-09	2025-02-28	99642919+1337-42@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/network/discovery_potential_syn_port_scan_detected.toml	93	15	675	75	17	8	2023-07-09	2025-02-28	99642919+1337-42@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/threat_intel/threat_intel_indicator_match_address.toml	157	3	336	100	3	3	2024-06-12	2025-02-03	99630311+terrancedejesus@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/threat_intel/threat_intel_indicator_match_hash.toml	191	3	336	100	3	3	2024-06-12	2025-02-03	99630311+terrancedejesus@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/threat_intel/threat_intel_rapid7_threat_command.toml	90	4	336	112	4	4	2024-06-12	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/threat_intel/threat_intel_indicator_match_url.toml	160	3	336	100	3	3	2024-06-12	2025-02-03	99630311+terrancedejesus@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/threat_intel/threat_intel_indicator_match_registry.toml	146	3	336	100	3	3	2024-06-12	2025-02-03	99630311+terrancedejesus@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/integrations/fim/persistence_suspicious_file_modifications.toml	252	7	337	112	7	3	2024-06-11	2025-01-22	78494512+aegrah@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/aws_bedrock/aws_bedrock_guardrails_multiple_violations_by_single_user.toml	77	5	375	112	5	4	2024-05-04	2025-01-22	16747370+brokensound77@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/aws_bedrock/aws_bedrock_high_resource_consumption_detection.toml	81	4	375	112	4	3	2024-05-04	2025-01-22	mikaayenson@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/aws_bedrock/aws_bedrock_high_confidence_misconduct_blocks_detected.toml	81	6	373	112	6	3	2024-05-06	2025-01-22	mikaayenson@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/aws_bedrock/aws_bedrock_execution_without_guardrails.toml	77	2	162	112	2	2	2024-12-03	2025-01-22	91139415+shashank-elastic@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/aws_bedrock/aws_bedrock_multiple_topic_policy_blocks_detected.toml	76	2	162	112	2	2	2024-12-03	2025-01-22	91139415+shashank-elastic@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/aws_bedrock/aws_bedrock_multiple_validation_exception_errors_by_single_user.toml	89	5	243	112	5	3	2024-09-13	2025-01-22	91139415+shashank-elastic@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/aws_bedrock/aws_bedrock_multiple_word_policy_blocks_detected.toml	76	2	162	112	2	2	2024-12-03	2025-01-22	91139415+shashank-elastic@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/aws_bedrock/aws_bedrock_guardrails_multiple_violations_in_single_request.toml	78	4	375	112	4	4	2024-05-04	2025-01-22	16747370+brokensound77@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/aws_bedrock/aws_bedrock_multiple_sensitive_information_policy_blocks_detected.toml	76	2	162	112	2	2	2024-12-03	2025-01-22	91139415+shashank-elastic@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/aws_bedrock/aws_bedrock_multiple_attempts_to_use_denied_models_by_user.toml	81	5	375	112	5	4	2024-05-04	2025-01-22	16747370+brokensound77@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml	59	9	1393	112	11	7	2021-07-21	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml	62	9	1393	112	11	7	2021-07-21	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/endpoint/execution_elastic_malicious_file_prevented.toml	136	3	146	96	3	2	2024-12-19	2025-02-07	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.toml	114	3	146	96	3	2	2024-12-19	2025-02-07	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/endpoint/execution_elastic_malicious_file_detected.toml	136	3	146	96	3	2	2024-12-19	2025-02-07	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/endpoint/elastic_endpoint_security.toml	107	12	1358	96	14	8	2021-08-25	2025-02-07	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/endpoint/impact_elastic_ransomware_detected.toml	123	3	146	96	3	2	2024-12-19	2025-02-07	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/endpoint/elastic_endpoint_security_behavior_prevented.toml	114	3	146	96	3	2	2024-12-19	2025-02-07	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/endpoint/impact_elastic_ransomware_prevented.toml	123	3	146	96	3	2	2024-12-19	2025-02-07	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/endpoint/defense_evasion_elastic_memory_threat_prevented.toml	142	3	146	96	3	2	2024-12-19	2025-02-07	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/endpoint/defense_evasion_elastic_memory_threat_detected.toml	142	3	146	96	3	2	2024-12-19	2025-02-07	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/azure/persistence_azure_automation_account_created.toml	78	7	1393	112	9	7	2021-07-21	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/azure/initial_access_azure_active_directory_powershell_signin.toml	89	10	1393	357	14	8	2021-07-21	2024-05-22	31489089+rw-access@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/integrations/azure/credential_access_first_time_seen_device_code_auth.toml	109	3	184	83	3	3	2024-11-11	2025-02-20	64742097+samirbous@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
rules/integrations/azure/credential_access_storage_account_key_regenerated.toml	79	7	1393	112	9	7	2021-07-21	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin.toml	85	11	1393	357	15	9	2021-07-21	2024-05-22	31489089+rw-access@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/integrations/azure/persistence_mfa_disabled_for_azure_user.toml	72	10	1393	357	14	8	2021-07-21	2024-05-22	31489089+rw-access@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/integrations/azure/defense_evasion_azure_application_credential_modification.toml	86	7	1393	112	9	7	2021-07-21	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/azure/credential_access_azure_entra_totp_brute_force_attempts.toml	131	2	153	112	2	2	2024-12-12	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/azure/defense_evasion_suppression_rule_created.toml	76	8	1210	112	10	8	2022-01-20	2025-01-22	austin@songer.pro	mikaayenson@users.noreply.github.com
rules/integrations/azure/persistence_azure_automation_runbook_created_or_modified.toml	66	7	1393	112	9	7	2021-07-21	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/azure/credential_access_entra_id_device_code_auth_with_broker_client.toml	80	2	317	112	2	2	2024-07-01	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/azure/impact_virtual_network_device_modified.toml	74	10	1307	112	12	8	2021-10-15	2025-01-22	a.songer@protonmail.com	mikaayenson@users.noreply.github.com
rules/integrations/azure/initial_access_external_guest_user_invite.toml	83	7	1393	112	9	7	2021-07-21	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/azure/collection_update_event_hub_auth_rule.toml	83	8	1393	112	10	7	2021-07-21	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/azure/defense_evasion_network_watcher_deletion.toml	80	8	1393	112	10	7	2021-07-21	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml	74	9	1203	112	11	7	2022-01-27	2025-01-22	jonhnathancesar@gmail.com	mikaayenson@users.noreply.github.com
rules/integrations/azure/privilege_escalation_azure_kubernetes_rolebinding_created.toml	74	7	1262	112	9	7	2021-11-29	2025-01-22	austin@songer.pro	mikaayenson@users.noreply.github.com
rules/integrations/azure/credential_access_entra_password_spraying_non_interactive_sfa.toml	132	1	64	64	1	1	2025-03-11	2025-03-11	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
rules/integrations/azure/defense_evasion_azure_automation_runbook_deleted.toml	66	6	1027	112	8	6	2022-07-22	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/azure/credential_access_entra_signin_brute_force_microsoft_365_repeat_source.toml	101	3	246	112	3	2	2024-09-10	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/azure/defense_evasion_azure_diagnostic_settings_deletion.toml	76	7	1393	112	9	7	2021-07-21	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/azure/execution_command_virtual_machine.toml	78	7	1393	112	9	7	2021-07-21	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/azure/impact_azure_service_principal_credentials_added.toml	74	8	1393	112	10	8	2021-07-21	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/azure/persistence_user_added_as_owner_for_azure_application.toml	63	7	1393	112	9	7	2021-07-21	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml	105	13	1393	159	17	9	2021-07-21	2024-12-06	31489089+rw-access@users.noreply.github.com	59296946+imays11@users.noreply.github.com
rules/integrations/azure/initial_access_entra_rare_app_id_for_principal_auth.toml	98	1	64	64	1	1	2025-03-11	2025-03-11	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
rules/integrations/azure/persistence_azure_pim_user_added_global_admin.toml	79	7	1393	112	9	7	2021-07-21	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml	79	10	1308	112	12	8	2021-10-14	2025-01-22	a.songer@protonmail.com	mikaayenson@users.noreply.github.com
rules/integrations/azure/credential_access_key_vault_modified.toml	79	8	1393	112	10	7	2021-07-21	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/azure/defense_evasion_event_hub_deletion.toml	79	8	1393	112	10	7	2021-07-21	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/azure/credential_access_azure_full_network_packet_capture_detected.toml	78	8	1306	112	10	8	2021-10-16	2025-01-22	a.songer@protonmail.com	mikaayenson@users.noreply.github.com
rules/integrations/azure/persistence_azure_conditional_access_policy_modified.toml	66	8	1393	112	10	8	2021-07-21	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/azure/persistence_azure_automation_webhook_created.toml	65	7	1393	112	9	7	2021-07-21	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/azure/impact_kubernetes_pod_deleted.toml	69	9	1307	112	11	7	2021-10-15	2025-01-22	a.songer@protonmail.com	mikaayenson@users.noreply.github.com
rules/integrations/azure/defense_evasion_azure_service_principal_addition.toml	90	10	1393	357	14	8	2021-07-21	2024-05-22	31489089+rw-access@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml	80	10	1274	357	14	8	2021-11-17	2024-05-22	a.songer@protonmail.com	91139415+shashank-elastic@users.noreply.github.com
rules/integrations/azure/initial_access_entra_rare_authentication_requirement_for_principal_user.toml	100	1	64	64	1	1	2025-03-11	2025-03-11	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
rules/integrations/azure/defense_evasion_firewall_policy_deletion.toml	81	8	1393	112	10	7	2021-07-21	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/azure/defense_evasion_frontdoor_firewall_policy_deletion.toml	84	8	1323	112	10	7	2021-09-29	2025-01-22	a.songer@protonmail.com	mikaayenson@users.noreply.github.com
rules/integrations/azure/credential_access_entra_signin_brute_force_microsoft_365.toml	104	3	246	112	3	2	2024-09-10	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/azure/defense_evasion_azure_blob_permissions_modified.toml	78	10	1308	112	12	8	2021-10-14	2025-01-22	a.songer@protonmail.com	mikaayenson@users.noreply.github.com
rules/integrations/azure/impact_resource_group_deletion.toml	89	7	1393	112	9	7	2021-07-21	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/azure/persistence_user_added_as_owner_for_azure_service_principal.toml	68	7	1393	112	9	7	2021-07-21	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/azure/discovery_blob_container_access_mod.toml	80	7	1393	112	9	7	2021-07-21	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml	90	10	1393	357	14	8	2021-07-21	2024-05-22	31489089+rw-access@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/integrations/lmd/lateral_movement_ml_spike_in_connections_from_a_source_ip.toml	86	9	595	112	12	7	2023-09-27	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/lmd/lateral_movement_ml_rare_remote_file_directory.toml	86	9	595	112	12	7	2023-09-27	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_process_args.toml	85	9	595	112	12	7	2023-09-27	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_session_duration.toml	86	9	595	112	12	7	2023-09-27	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/lmd/lateral_movement_ml_spike_in_connections_to_a_destination_ip.toml	85	9	595	112	12	7	2023-09-27	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/lmd/lateral_movement_ml_spike_in_remote_file_transfers.toml	87	9	595	112	12	7	2023-09-27	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/lmd/lateral_movement_ml_spike_in_rdp_processes.toml	84	9	595	112	12	7	2023-09-27	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/lmd/lateral_movement_ml_high_remote_file_size.toml	87	9	595	112	12	7	2023-09-27	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/lmd/lateral_movement_ml_unusual_time_for_an_rdp_session.toml	86	9	595	112	12	7	2023-09-27	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/lmd/lateral_movement_ml_rare_remote_file_extension.toml	85	9	595	112	12	7	2023-09-27	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/lmd/lateral_movement_ml_high_variance_rdp_session_duration.toml	86	9	595	112	12	7	2023-09-27	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/ded/exfiltration_ml_high_bytes_destination_ip.toml	85	8	578	112	10	6	2023-10-14	2025-01-22	30438249+ajosh0504@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/ded/exfiltration_ml_high_bytes_destination_port.toml	85	8	578	112	10	6	2023-10-14	2025-01-22	30438249+ajosh0504@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device_airdrop.toml	86	8	578	112	10	6	2023-10-14	2025-01-22	30438249+ajosh0504@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/ded/exfiltration_ml_high_bytes_destination_geo_country_iso_code.toml	86	8	578	112	10	6	2023-10-14	2025-01-22	30438249+ajosh0504@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/ded/exfiltration_ml_high_bytes_destination_region_name.toml	86	8	578	112	10	6	2023-10-14	2025-01-22	30438249+ajosh0504@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/ded/exfiltration_ml_rare_process_writing_to_external_device.toml	85	8	578	112	10	6	2023-10-14	2025-01-22	30438249+ajosh0504@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device.toml	85	8	578	112	10	6	2023-10-14	2025-01-22	30438249+ajosh0504@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml	92	10	569	112	12	8	2023-10-23	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml	93	10	569	112	12	8	2023-10-23	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml	99	13	569	112	15	9	2023-10-23	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_low_probability.toml	97	2	265	112	2	2	2024-08-22	2025-01-22	109447885+sodhikirti07@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml	91	10	569	112	12	8	2023-10-23	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml	90	10	569	112	12	8	2023-10-23	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml	93	10	569	112	12	8	2023-10-23	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml	92	10	569	112	12	8	2023-10-23	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml	91	8	1021	112	10	7	2022-07-28	2025-01-22	59296946+imays11@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostpid.toml	94	8	1021	112	10	7	2022-07-28	2025-01-22	59296946+imays11@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml	91	8	1021	112	10	7	2022-07-28	2025-01-22	59296946+imays11@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/kubernetes/persistence_exposed_service_created_with_type_nodeport.toml	86	7	1021	112	9	7	2022-07-28	2025-01-22	59296946+imays11@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/kubernetes/discovery_denied_service_account_request.toml	77	6	968	112	8	6	2022-09-19	2025-01-22	59296946+imays11@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/kubernetes/execution_user_exec_to_pod.toml	81	9	1070	112	11	7	2022-06-09	2025-01-22	59296946+imays11@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/kubernetes/discovery_suspicious_self_subject_review.toml	80	7	1021	112	9	7	2022-07-28	2025-01-22	59296946+imays11@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostipc.toml	94	8	1021	112	10	7	2022-07-28	2025-01-22	59296946+imays11@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/kubernetes/privilege_escalation_container_created_with_excessive_linux_capabilities.toml	81	5	953	112	7	6	2022-10-04	2025-01-22	59296946+imays11@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml	79	10	968	112	12	7	2022-09-19	2025-01-22	59296946+imays11@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/kubernetes/privilege_escalation_pod_created_with_sensitive_hostpath_volume.toml	109	6	953	112	8	6	2022-10-04	2025-01-22	59296946+imays11@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/kubernetes/privilege_escalation_suspicious_assignment_of_controller_service_account.toml	84	7	968	112	9	6	2022-09-19	2025-01-22	59296946+imays11@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/google_workspace/persistence_google_workspace_password_policy_modified.toml	104	4	727	231	6	5	2023-05-18	2024-09-25	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/google_workspace/initial_access_object_copied_to_external_drive_with_app_consent.toml	114	3	317	83	3	3	2024-07-01	2025-02-20	99630311+terrancedejesus@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml	91	9	1027	231	11	6	2022-07-22	2024-09-25	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_dwd.toml	97	2	317	231	2	2	2024-07-01	2024-09-25	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/google_workspace/credential_access_google_workspace_drive_encryption_key_accessed_by_anonymous_user.toml	100	5	782	112	7	5	2023-03-24	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml	104	5	786	231	7	5	2023-03-20	2024-09-25	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml	104	13	1393	231	15	8	2021-07-21	2024-09-25	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/google_workspace/persistence_google_workspace_2sv_policy_disabled.toml	96	8	992	231	10	5	2022-08-26	2024-09-25	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/google_workspace/collection_google_workspace_custom_gmail_route_created_or_modified.toml	98	8	968	231	10	5	2022-09-19	2024-09-25	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/google_workspace/google_workspace_alert_center_promotion.toml	66	6	848	112	8	5	2023-01-17	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/google_workspace/impact_google_workspace_admin_role_deletion.toml	92	9	1027	231	11	6	2022-07-22	2024-09-25	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/google_workspace/initial_access_google_workspace_suspended_user_renewed.toml	92	6	804	112	8	5	2023-03-02	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml	109	7	763	83	10	6	2023-04-12	2025-02-20	99630311+terrancedejesus@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/integrations/google_workspace/defense_evasion_restrictions_for_marketplace_modified_to_allow_any_app.toml	104	2	317	231	2	2	2024-07-01	2024-09-25	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml	97	12	1393	231	14	8	2021-07-21	2024-09-25	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml	98	8	992	231	10	5	2022-08-26	2024-09-25	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml	92	9	1027	231	11	6	2022-07-22	2024-09-25	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml	103	8	974	231	10	5	2022-09-13	2024-09-25	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml	97	8	975	231	10	5	2022-09-12	2024-09-25	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml	96	9	1027	231	11	6	2022-07-22	2024-09-25	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml	103	8	992	231	10	5	2022-08-26	2024-09-25	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml	94	12	1027	231	16	7	2022-07-22	2024-09-25	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml	99	12	1393	231	14	8	2021-07-21	2024-09-25	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/aws/exfiltration_ec2_ebs_snapshot_shared_with_another_account.toml	87	4	346	112	4	2	2024-06-02	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/aws/initial_access_console_login_root.toml	87	14	1393	357	18	8	2021-07-21	2024-05-22	31489089+rw-access@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/integrations/aws/impact_rds_instance_cluster_deletion_protection_disabled.toml	81	3	316	112	3	2	2024-07-02	2025-01-22	59296946+imays11@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml	95	14	1393	357	18	8	2021-07-21	2024-05-22	31489089+rw-access@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/integrations/aws/exfiltration_sns_email_subscription_by_rare_user.toml	112	4	189	83	4	2	2024-11-06	2025-02-20	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
rules/integrations/aws/impact_efs_filesystem_or_mount_deleted.toml	77	13	1306	112	15	8	2021-10-16	2025-01-22	a.songer@protonmail.com	mikaayenson@users.noreply.github.com
rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml	84	13	1393	112	15	7	2021-07-21	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml	108	16	1393	186	20	8	2021-07-21	2024-11-09	31489089+rw-access@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
rules/integrations/aws/lateral_movement_ec2_instance_connect_ssh_public_key_uploaded.toml	103	2	119	112	2	2	2025-01-15	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/aws/execution_new_terms_cloudformation_createstack.toml	88	3	287	112	3	3	2024-07-31	2025-01-22	59296946+imays11@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/aws/lateral_movement_sns_topic_message_publish_by_rare_user.toml	142	1	119	119	1	1	2025-01-15	2025-01-15	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
rules/integrations/aws/impact_rds_group_deletion.toml	75	13	1393	112	15	7	2021-07-21	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/aws/discovery_ec2_multi_region_describe_instances.toml	103	5	259	112	6	2	2024-08-28	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/aws/execution_ssm_command_document_created_by_rare_user.toml	98	3	189	112	3	2	2024-11-06	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/aws/exfiltration_ec2_ami_shared_with_separate_account.toml	82	3	365	112	5	4	2024-05-14	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/aws/impact_s3_excessive_object_encryption_with_sse_c.toml	104	1	119	119	1	1	2025-01-15	2025-01-15	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
rules/integrations/aws/impact_cloudtrail_logging_updated.toml	102	15	1393	357	19	8	2021-07-21	2024-05-22	31489089+rw-access@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/integrations/aws/discovery_ec2_multiple_discovery_api_calls_via_cli.toml	128	3	189	112	3	2	2024-11-06	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/aws/persistence_rds_instance_made_public.toml	96	3	315	112	3	2	2024-07-03	2025-01-22	59296946+imays11@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_group.toml	125	4	307	100	4	3	2024-07-11	2025-02-03	59296946+imays11@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/integrations/aws/privilege_escalation_role_assumption_by_user.toml	127	3	189	112	3	2	2024-11-06	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/aws/impact_aws_s3_bucket_enumeration_or_brute_force.toml	123	4	378	186	4	3	2024-05-01	2024-11-09	16747370+brokensound77@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
rules/integrations/aws/discovery_new_terms_sts_getcalleridentity.toml	124	5	348	100	5	4	2024-05-31	2025-02-03	59296946+imays11@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml	76	11	1307	112	13	7	2021-10-15	2025-01-22	a.songer@protonmail.com	mikaayenson@users.noreply.github.com
rules/integrations/aws/ml_cloudtrail_error_message_spike.toml	96	20	1393	329	24	10	2021-07-21	2024-06-19	31489089+rw-access@users.noreply.github.com	109447885+sodhikirti07@users.noreply.github.com
rules/integrations/aws/impact_rds_instance_cluster_deletion.toml	87	11	1130	112	13	7	2022-04-10	2025-01-22	59296946+imays11@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/aws/persistence_iam_roles_anywhere_trusted_anchor_created_with_external_ca.toml	93	4	343	112	7	5	2024-06-05	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/aws/impact_rds_instance_cluster_stoppage.toml	82	11	1393	112	13	7	2021-07-21	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/aws/execution_ssm_sendcommand_by_rare_user.toml	104	3	189	103	3	2	2024-11-06	2025-01-31	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml	79	12	1393	112	14	7	2021-07-21	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml	106	15	1393	357	19	8	2021-07-21	2024-05-22	31489089+rw-access@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/integrations/aws/impact_s3_object_versioning_disabled.toml	81	4	299	100	4	4	2024-07-19	2025-02-03	59296946+imays11@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/integrations/aws/privilege_escalation_root_login_without_mfa.toml	83	14	1393	357	18	8	2021-07-21	2024-05-22	31489089+rw-access@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml	152	5	307	100	5	3	2024-07-11	2025-02-03	59296946+imays11@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/integrations/aws/discovery_ec2_deprecated_ami_discovery.toml	120	2	119	112	2	2	2025-01-15	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/aws/exfiltration_s3_bucket_replicated_to_external_account.toml	78	2	299	112	2	2	2024-07-19	2025-01-22	59296946+imays11@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/aws/initial_access_password_recovery.toml	79	12	1393	112	14	8	2021-07-21	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml	95	15	1393	357	19	8	2021-07-21	2024-05-22	31489089+rw-access@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/integrations/aws/persistence_ec2_route_table_modified_or_deleted.toml	123	2	103	100	2	2	2025-01-31	2025-02-03	99630311+terrancedejesus@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/integrations/aws/defense_evasion_configuration_recorder_stopped.toml	75	11	1393	112	13	7	2021-07-21	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/aws/persistence_route_table_created.toml	79	15	1296	112	17	9	2021-10-26	2025-01-22	a.songer@protonmail.com	mikaayenson@users.noreply.github.com
rules/integrations/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml	83	13	1393	112	15	8	2021-07-21	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/aws/credential_access_retrieve_secure_string_parameters_via_ssm.toml	101	5	343	103	8	5	2024-06-05	2025-01-31	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
rules/integrations/aws/collection_cloudtrail_logging_created.toml	78	13	1393	112	15	7	2021-07-21	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/aws/exfiltration_ec2_vm_export_failure.toml	88	11	1393	112	13	7	2021-07-21	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/aws/exfiltration_rds_snapshot_export.toml	71	14	1393	112	16	8	2021-07-21	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/aws/privilege_escalation_iam_update_assume_role_policy.toml	100	1	103	103	1	1	2025-01-31	2025-01-31	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
rules/integrations/aws/credential_access_aws_iam_assume_role_brute_force.toml	86	15	1393	357	19	8	2021-07-21	2024-05-22	31489089+rw-access@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/integrations/aws/persistence_iam_roles_anywhere_profile_created.toml	91	4	343	112	7	5	2024-06-05	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/aws/defense_evasion_rds_instance_restored.toml	91	2	319	112	2	2	2024-06-29	2025-01-22	59296946+imays11@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/aws/ml_cloudtrail_rare_error_code.toml	97	17	1393	329	21	9	2021-07-21	2024-06-19	31489089+rw-access@users.noreply.github.com	109447885+sodhikirti07@users.noreply.github.com
rules/integrations/aws/impact_s3_object_encryption_with_external_key.toml	95	5	313	100	5	4	2024-07-05	2025-02-03	59296946+imays11@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml	96	12	1393	112	14	7	2021-07-21	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/aws/discovery_servicequotas_multi_region_service_quota_requests.toml	88	4	259	112	4	2	2024-08-28	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/aws/persistence_redshift_instance_creation.toml	76	12	1112	112	14	7	2022-04-28	2025-01-22	pjhampton@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml	97	17	1393	329	21	9	2021-07-21	2024-06-19	31489089+rw-access@users.noreply.github.com	109447885+sodhikirti07@users.noreply.github.com
rules/integrations/aws/privilege_escalation_iam_customer_managed_policy_attached_to_role.toml	118	3	189	112	3	2	2024-11-06	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/aws/defense_evasion_sts_get_federation_token.toml	84	2	265	112	2	2	2024-08-22	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/aws/initial_access_signin_console_login_no_mfa.toml	87	4	266	112	4	2	2024-08-21	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/aws/defense_evasion_s3_bucket_server_access_logging_disabled.toml	89	2	300	112	2	2	2024-07-18	2025-01-22	59296946+imays11@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml	88	11	1393	112	13	7	2021-07-21	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml	85	3	365	112	5	4	2024-05-14	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/aws/privilege_escalation_sts_assume_root_from_rare_user_and_member_account.toml	141	2	170	112	2	2	2024-11-25	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/aws/credential_access_rapid_secret_retrieval_attempts_from_secretsmanager.toml	102	5	344	100	8	4	2024-06-04	2025-02-03	99630311+terrancedejesus@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml	86	11	1393	112	13	7	2021-07-21	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/aws/credential_access_root_console_failure_brute_force.toml	80	12	1393	112	14	7	2021-07-21	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/aws/defense_evasion_elasticache_security_group_modified_or_deleted.toml	76	12	1318	112	14	7	2021-10-04	2025-01-22	a.songer@protonmail.com	mikaayenson@users.noreply.github.com
rules/integrations/aws/exfiltration_rds_snapshot_shared_with_another_account.toml	85	3	316	112	3	2	2024-07-02	2025-01-22	59296946+imays11@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/aws/impact_iam_deactivate_mfa_device.toml	100	15	1393	190	19	9	2021-07-21	2024-11-05	31489089+rw-access@users.noreply.github.com	59296946+imays11@users.noreply.github.com
rules/integrations/aws/impact_s3_bucket_object_uploaded_with_ransom_extension.toml	101	4	338	112	4	2	2024-06-10	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/aws/persistence_sts_assume_role_with_new_mfa.toml	118	2	190	112	2	2	2024-11-05	2025-01-22	59296946+imays11@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/aws/defense_evasion_sqs_purge_queue.toml	137	2	119	112	2	2	2025-01-15	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/aws/discovery_ec2_userdata_request_for_ec2_instance.toml	115	2	103	100	2	2	2025-01-31	2025-02-03	99630311+terrancedejesus@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/integrations/aws/exfiltration_s3_bucket_policy_added_for_external_account_access.toml	85	4	347	112	7	5	2024-06-01	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/aws/resource_development_sns_topic_created_by_rare_user.toml	130	1	83	83	1	1	2025-02-20	2025-02-20	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
rules/integrations/aws/defense_evasion_s3_bucket_lifecycle_expiration_added.toml	88	6	369	112	9	6	2024-05-10	2025-01-22	terrance.dejesus@elastic.co	mikaayenson@users.noreply.github.com
rules/integrations/aws/impact_rds_snapshot_deleted.toml	82	3	316	112	3	2	2024-07-02	2025-01-22	59296946+imays11@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/aws/persistence_rds_db_instance_password_modified.toml	100	3	316	112	3	2	2024-07-02	2025-01-22	59296946+imays11@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml	99	20	1393	329	24	10	2021-07-21	2024-06-19	31489089+rw-access@users.noreply.github.com	109447885+sodhikirti07@users.noreply.github.com
rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_role.toml	124	4	307	100	4	3	2024-07-11	2025-02-03	59296946+imays11@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml	106	16	1393	357	20	8	2021-07-21	2024-05-22	31489089+rw-access@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/integrations/aws/execution_lambda_external_layer_added_to_function.toml	80	4	346	112	7	5	2024-06-02	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/aws/privilege_escalation_sts_getsessiontoken_abuse.toml	92	12	1330	112	14	8	2021-09-22	2025-01-22	a.songer@protonmail.com	mikaayenson@users.noreply.github.com
rules/integrations/aws/collection_s3_unauthenticated_bucket_access_by_rare_source.toml	174	2	114	112	2	2	2025-01-20	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/aws/persistence_ec2_network_acl_creation.toml	85	12	1393	112	14	7	2021-07-21	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/aws/privilege_escalation_role_assumption_by_service.toml	141	4	189	103	4	2	2024-11-06	2025-01-31	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
rules/integrations/aws/impact_s3_unusual_object_encryption_with_sse_c.toml	126	1	119	119	1	1	2025-01-15	2025-01-15	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml	145	17	1368	112	19	9	2021-08-15	2025-01-22	a.songer@protonmail.com	mikaayenson@users.noreply.github.com
rules/integrations/aws/defense_evasion_config_service_rule_deletion.toml	97	15	1393	357	19	8	2021-07-21	2024-05-22	31489089+rw-access@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml	154	7	323	100	7	3	2024-06-25	2025-02-03	59296946+imays11@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml	99	17	1393	329	21	9	2021-07-21	2024-06-19	31489089+rw-access@users.noreply.github.com	109447885+sodhikirti07@users.noreply.github.com
rules/integrations/aws/privilege_escalation_sts_role_chaining.toml	108	2	196	112	2	2	2024-10-30	2025-01-22	59296946+imays11@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/aws/impact_kms_cmk_disabled_or_scheduled_for_deletion.toml	85	9	937	112	11	6	2022-10-20	2025-01-22	10544080+xavigpich@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml	76	14	1304	112	16	7	2021-10-18	2025-01-22	a.songer@protonmail.com	mikaayenson@users.noreply.github.com
rules/integrations/aws/impact_iam_group_deletion.toml	81	12	1393	112	14	7	2021-07-21	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/aws/defense_evasion_ec2_network_acl_deletion.toml	88	12	1393	112	14	7	2021-07-21	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/aws/defense_evasion_vpc_security_group_ingress_rule_added_for_remote_connections.toml	90	4	351	112	7	5	2024-05-28	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/aws/privilege_escalation_iam_saml_provider_updated.toml	84	2	267	112	2	2	2024-08-20	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/aws/exfiltration_ec2_snapshot_change_activity.toml	92	15	1393	357	19	8	2021-07-21	2024-05-22	31489089+rw-access@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/integrations/aws/credential_access_iam_user_addition_to_group.toml	86	14	1393	357	19	8	2021-07-21	2024-05-22	31489089+rw-access@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/integrations/aws/persistence_iam_group_creation.toml	87	12	1393	112	14	7	2021-07-21	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/aws/persistence_iam_create_login_profile_for_root.toml	145	2	156	112	2	2	2024-12-09	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/aws/persistence_lambda_backdoor_invoke_function_for_any_principal.toml	81	4	345	112	7	5	2024-06-03	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/aws/defense_evasion_route53_dns_query_resolver_config_deletion.toml	80	3	365	112	5	4	2024-05-14	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/aws/persistence_iam_create_user_via_assumed_role_on_ec2_instance.toml	116	3	189	112	3	2	2024-11-06	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/aws/persistence_rds_cluster_creation.toml	91	12	1393	112	14	7	2021-07-21	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/aws/lateral_movement_aws_ssm_start_session_to_ec2_instance.toml	89	4	351	112	7	5	2024-05-28	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/aws/persistence_rds_group_creation.toml	79	13	1393	112	15	7	2021-07-21	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/aws/persistence_rds_instance_creation.toml	73	14	1393	112	16	8	2021-07-21	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/aws/credential_access_iam_compromisedkeyquarantine_policy_attached_to_user.toml	75	2	286	112	2	2	2024-08-01	2025-01-22	59296946+imays11@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml	83	11	1393	112	13	7	2021-07-21	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/aws/lateral_movement_ec2_instance_console_login.toml	99	2	287	112	2	2	2024-07-31	2025-01-22	59296946+imays11@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/aws/defense_evasion_elasticache_security_group_creation.toml	77	12	1317	112	14	7	2021-10-05	2025-01-22	a.songer@protonmail.com	mikaayenson@users.noreply.github.com
rules/integrations/aws/credential_access_new_terms_secretsmanager_getsecretvalue.toml	111	12	742	100	17	5	2023-05-03	2025-02-03	99630311+terrancedejesus@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/integrations/aws/defense_evasion_waf_acl_deletion.toml	82	12	1393	112	14	7	2021-07-21	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/aws/defense_evasion_ec2_flow_log_deletion.toml	94	15	1393	357	19	8	2021-07-21	2024-05-22	31489089+rw-access@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/integrations/o365/privilege_escalation_new_or_modified_federation_domain.toml	82	11	1322	112	13	7	2021-09-30	2025-01-22	jonhnathancesar@gmail.com	mikaayenson@users.noreply.github.com
rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml	77	9	1203	112	11	7	2022-01-27	2025-01-22	jonhnathancesar@gmail.com	mikaayenson@users.noreply.github.com
rules/integrations/o365/defense_evasion_microsoft_365_mailboxauditbypassassociation.toml	74	10	1217	112	12	7	2022-01-13	2025-01-22	jonhnathancesar@gmail.com	mikaayenson@users.noreply.github.com
rules/integrations/o365/initial_access_microsoft_365_impossible_travel_activity.toml	77	8	1310	112	8	6	2021-10-12	2025-01-22	a.songer@protonmail.com	mikaayenson@users.noreply.github.com
rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_mod.toml	74	9	1393	112	11	8	2021-07-21	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml	73	10	1393	112	12	8	2021-07-21	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/o365/persistence_microsoft_365_teams_external_access_enabled.toml	73	9	1393	112	11	8	2021-07-21	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/o365/lateral_movement_malware_uploaded_sharepoint.toml	69	10	1203	112	12	7	2022-01-27	2025-01-22	jonhnathancesar@gmail.com	mikaayenson@users.noreply.github.com
rules/integrations/o365/persistence_microsoft_365_exchange_dkim_signing_config_disabled.toml	73	7	1027	112	9	6	2022-07-22	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/o365/collection_onedrive_excessive_file_downloads.toml	107	1	82	82	1	1	2025-02-21	2025-02-21	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
rules/integrations/o365/impact_microsoft_365_unusual_volume_of_file_deletion.toml	66	10	1296	112	12	7	2021-10-26	2025-01-22	jonhnathancesar@gmail.com	mikaayenson@users.noreply.github.com
rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml	74	9	1310	112	11	8	2021-10-12	2025-01-22	a.songer@protonmail.com	mikaayenson@users.noreply.github.com
rules/integrations/o365/initial_access_microsoft_365_portal_login_from_rare_location.toml	84	3	251	112	3	2	2024-09-05	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/o365/lateral_movement_malware_uploaded_onedrive.toml	70	9	1203	112	11	7	2022-01-27	2025-01-22	jonhnathancesar@gmail.com	mikaayenson@users.noreply.github.com
rules/integrations/o365/initial_access_microsoft_365_impossible_travel_portal_logins.toml	85	3	251	112	3	2	2024-09-05	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/o365/credential_access_user_excessive_sso_logon_errors.toml	78	13	1393	112	15	9	2021-07-21	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml	78	9	1393	112	11	8	2021-07-21	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml	80	11	1203	112	13	7	2022-01-27	2025-01-22	jonhnathancesar@gmail.com	mikaayenson@users.noreply.github.com
rules/integrations/o365/credential_access_microsoft_365_brute_force_user_account_attempt.toml	114	17	1393	112	19	9	2021-07-21	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/o365/impact_microsoft_365_potential_ransomware_activity.toml	75	10	1310	112	12	8	2021-10-12	2025-01-22	a.songer@protonmail.com	mikaayenson@users.noreply.github.com
rules/integrations/o365/defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml	78	9	1393	112	11	8	2021-07-21	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/o365/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml	78	9	1393	112	11	8	2021-07-21	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/o365/initial_access_microsoft_365_exchange_safelinks_disabled.toml	78	9	1393	112	11	8	2021-07-21	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/o365/exfiltration_microsoft_365_mass_download_by_a_single_user.toml	61	2	692	112	2	2	2023-06-22	2025-01-22	26856693+w0rk3r@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/o365/persistence_exchange_suspicious_mailbox_right_delegation.toml	69	13	1317	112	15	8	2021-10-05	2025-01-22	a.songer@protonmail.com	mikaayenson@users.noreply.github.com
rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml	80	9	1393	112	11	8	2021-07-21	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/o365/persistence_microsoft_365_exchange_management_role_assignment.toml	79	9	1393	112	11	8	2021-07-21	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/o365/persistence_microsoft_365_teams_guest_access_enabled.toml	73	9	1393	112	11	8	2021-07-21	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml	88	13	1393	112	15	8	2021-07-21	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml	79	9	1393	112	11	8	2021-07-21	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml	80	9	1393	112	11	8	2021-07-21	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/o365/initial_access_microsoft_365_abnormal_clientappid.toml	108	7	665	112	9	4	2023-07-19	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/o365/persistence_microsoft_365_teams_custom_app_interaction_allowed.toml	71	7	1027	112	9	6	2022-07-22	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml	89	15	1027	112	18	7	2022-07-22	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml	76	13	1027	112	16	7	2022-07-22	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml	89	9	533	112	12	5	2023-11-28	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml	76	15	1027	112	18	7	2022-07-22	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/okta/credential_access_okta_mfa_bombing_via_push_notifications.toml	81	9	533	112	12	6	2023-11-28	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml	78	15	1027	112	18	8	2022-07-22	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/okta/defense_evasion_first_occurence_public_app_client_credential_token_exchange.toml	97	6	243	100	6	3	2024-09-13	2025-02-03	99630311+terrancedejesus@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml	83	15	1027	112	18	7	2022-07-22	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/okta/credential_access_user_impersonation_access.toml	63	18	1148	112	21	8	2022-03-23	2025-01-22	brokensound77@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml	91	9	519	83	12	5	2023-12-12	2025-02-20	99630311+terrancedejesus@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml	73	19	1393	112	22	9	2021-07-21	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/okta/credential_access_multiple_device_token_hashes_for_single_okta_session.toml	103	6	320	112	6	3	2024-06-28	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_with_the_same_device_token_hash.toml	114	6	327	112	6	3	2024-06-21	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml	84	15	1027	112	18	7	2022-07-22	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/okta/credential_access_okta_multiple_device_token_hashes_for_single_user.toml	117	6	327	112	6	3	2024-06-21	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/okta/initial_access_successful_application_sso_from_unknown_client_device.toml	83	4	219	112	4	3	2024-10-07	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/okta/credential_access_multiple_auth_events_from_single_device_behind_proxy.toml	108	8	525	112	11	5	2023-12-06	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml	70	16	1393	112	19	8	2021-07-21	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml	79	14	1393	112	17	8	2021-07-21	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml	78	14	1393	112	17	8	2021-07-21	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml	73	13	1027	112	16	7	2022-07-22	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml	83	15	1027	112	18	7	2022-07-22	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml	77	14	1393	112	17	8	2021-07-21	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/okta/impact_possible_okta_dos_attack.toml	74	14	1393	112	17	8	2021-07-21	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml	82	17	1027	112	20	8	2022-07-22	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml	84	15	1027	112	18	7	2022-07-22	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/okta/initial_access_new_authentication_behavior_detection.toml	64	8	534	112	11	5	2023-11-27	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_from_single_source.toml	116	6	327	112	6	3	2024-06-21	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml	75	19	1393	112	22	9	2021-07-21	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml	74	19	1393	112	22	9	2021-07-21	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/okta/okta_threatinsight_threat_suspected_promotion.toml	59	10	693	112	13	6	2023-06-21	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/okta/initial_access_okta_user_sessions_started_from_different_geolocations.toml	99	8	540	112	8	4	2023-11-21	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/okta/credential_access_okta_potentially_successful_okta_bombing_via_push_notifications.toml	79	8	533	112	11	5	2023-11-28	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml	102	14	1393	112	17	8	2021-07-21	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml	74	15	1027	112	18	7	2022-07-22	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml	70	9	534	83	12	5	2023-11-27	2025-02-20	99630311+terrancedejesus@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/integrations/okta/initial_access_sign_in_events_via_third_party_idp.toml	85	8	534	112	11	5	2023-11-27	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml	86	18	1317	112	21	10	2021-10-05	2025-01-22	a.songer@protonmail.com	mikaayenson@users.noreply.github.com
rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml	78	16	1393	112	19	9	2021-07-21	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml	83	15	1027	112	18	7	2022-07-22	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml	101	19	1393	112	22	9	2021-07-21	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/okta/persistence_mfa_deactivation_with_no_reactivation.toml	81	9	513	112	12	5	2023-12-18	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/okta/initial_access_okta_fastpass_phishing.toml	72	10	533	112	13	6	2023-11-28	2025-01-22	a.songer@protonmail.com	mikaayenson@users.noreply.github.com
rules/integrations/okta/persistence_new_idp_successfully_added_by_admin.toml	76	8	534	112	11	5	2023-11-27	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml	83	17	1027	112	20	8	2022-07-22	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/azure_openai/azure_openai_insecure_output_handling_detection.toml	45	1	71	71	1	1	2025-03-04	2025-03-04	mikaayenson@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/azure_openai/azure_openai_denial_of_ml_service_detection.toml	49	1	71	71	1	1	2025-03-04	2025-03-04	mikaayenson@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/azure_openai/azure_openai_model_theft_detection.toml	47	1	71	71	1	1	2025-03-04	2025-03-04	mikaayenson@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/beaconing/command_and_control_beaconing.toml	92	12	562	112	13	9	2023-10-30	2025-01-22	30438249+ajosh0504@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/beaconing/command_and_control_beaconing_high_confidence.toml	87	10	562	112	11	7	2023-10-30	2025-01-22	30438249+ajosh0504@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/github/persistence_github_org_owner_added.toml	75	7	586	112	10	5	2023-10-06	2025-01-22	59296946+imays11@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/github/impact_github_repository_deleted.toml	71	8	608	112	11	5	2023-09-14	2025-01-22	59296946+imays11@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml	77	5	478	112	8	5	2024-01-22	2025-01-22	59296946+imays11@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/github/persistence_organization_owner_role_granted.toml	73	7	586	112	10	5	2023-10-06	2025-01-22	59296946+imays11@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/github/defense_evasion_github_protected_branch_settings_changed.toml	69	6	608	112	9	5	2023-09-14	2025-01-22	59296946+imays11@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/github/execution_new_github_app_installed.toml	65	6	579	112	9	5	2023-10-13	2025-01-22	59296946+imays11@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/github/execution_github_ueba_multiple_behavior_alerts_from_account.toml	73	4	478	112	6	5	2024-01-22	2025-01-22	59296946+imays11@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/github/execution_github_app_deleted.toml	60	5	478	112	8	5	2024-01-22	2025-01-22	59296946+imays11@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/dga/command_and_control_ml_dns_request_predicted_to_be_a_dga_domain.toml	96	9	576	112	11	6	2023-10-16	2025-01-22	30438249+ajosh0504@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/dga/command_and_control_ml_dga_high_sum_probability.toml	92	9	576	112	11	6	2023-10-16	2025-01-22	30438249+ajosh0504@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/dga/command_and_control_ml_dns_request_high_dga_probability.toml	95	9	576	112	11	6	2023-10-16	2025-01-22	30438249+ajosh0504@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/dga/command_and_control_ml_dga_activity_using_sunburst_domain.toml	96	9	576	112	11	6	2023-10-16	2025-01-22	30438249+ajosh0504@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/gcp/impact_gcp_iam_role_deletion.toml	78	10	1393	112	12	7	2021-07-21	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/gcp/persistence_gcp_service_account_created.toml	78	9	1393	112	11	7	2021-07-21	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_network_deleted.toml	81	7	1027	112	9	6	2022-07-22	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml	77	10	1393	112	12	7	2021-07-21	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/gcp/defense_evasion_gcp_firewall_rule_created.toml	82	9	1393	112	11	7	2021-07-21	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/gcp/defense_evasion_gcp_logging_sink_deletion.toml	76	10	1393	112	12	7	2021-07-21	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/gcp/defense_evasion_gcp_firewall_rule_modified.toml	82	9	1393	112	11	7	2021-07-21	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml	87	10	1393	112	12	7	2021-07-21	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml	77	10	1393	112	12	7	2021-07-21	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/gcp/exfiltration_gcp_logging_sink_modification.toml	79	9	1393	112	11	7	2021-07-21	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_created.toml	82	7	1027	112	9	6	2022-07-22	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/gcp/impact_gcp_service_account_deleted.toml	78	9	1393	112	11	7	2021-07-21	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml	78	10	1393	112	12	7	2021-07-21	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_deleted.toml	82	7	1027	112	9	6	2022-07-22	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/gcp/impact_gcp_storage_bucket_deleted.toml	69	10	1393	112	12	7	2021-07-21	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/gcp/persistence_gcp_key_created_for_service_account.toml	82	9	1393	112	11	7	2021-07-21	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/gcp/defense_evasion_gcp_firewall_rule_deleted.toml	79	9	1393	112	11	7	2021-07-21	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/gcp/collection_gcp_pub_sub_topic_creation.toml	79	11	1393	112	13	7	2021-07-21	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml	81	10	1393	112	12	7	2021-07-21	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml	77	9	1393	112	11	7	2021-07-21	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/gcp/collection_gcp_pub_sub_subscription_creation.toml	76	11	1393	112	13	7	2021-07-21	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/gcp/impact_gcp_service_account_disabled.toml	78	9	1393	112	11	7	2021-07-21	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml	79	11	1393	112	13	8	2021-07-21	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml	93	16	1090	112	18	8	2022-05-20	2025-01-22	mikaayenson@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml	68	19	1686	112	23	8	2020-10-01	2025-01-22	7442091+peasead@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/cross-platform/privilege_escalation_sudo_buffer_overflow.toml	88	14	1555	112	16	7	2021-02-09	2025-01-22	7442091+peasead@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/cross-platform/execution_potential_widespread_malware_infection.toml	79	3	369	112	3	3	2024-05-10	2025-01-22	26856693+w0rk3r@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/cross-platform/impact_hosts_file_modified.toml	100	33	1687	198	41	12	2020-09-30	2024-10-28	7442091+peasead@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/cross-platform/command_and_control_non_standard_ssh_port.toml	93	10	911	112	12	6	2022-11-15	2025-01-22	91139415+shashank-elastic@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml	67	10	1393	112	12	7	2021-07-21	2025-01-22	brokensound77@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/cross-platform/persistence_shell_profile_modification.toml	90	16	1554	112	18	8	2021-02-10	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/cross-platform/multiple_alerts_different_tactics_host.toml	63	6	908	112	8	4	2022-11-18	2025-01-22	26856693+w0rk3r@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/cross-platform/credential_access_forced_authentication_pipes.toml	94	5	294	84	6	2	2024-07-24	2025-02-19	26856693+w0rk3r@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/cross-platform/defense_evasion_encoding_rot13_python_script.toml	82	2	239	112	2	2	2024-09-17	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml	92	11	911	112	13	7	2022-11-15	2025-01-22	59296946+imays11@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/cross-platform/execution_suspicious_java_netcon_childproc.toml	113	11	1195	100	13	7	2022-02-04	2025-02-03	brokensound77@users.noreply.github.com	78494512+aegrah@users.noreply.github.com
rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml	70	14	1556	112	16	8	2021-02-08	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/cross-platform/discovery_security_software_grep.toml	125	25	1569	208	29	9	2021-01-26	2024-10-18	64742097+samirbous@users.noreply.github.com	78494512+aegrah@users.noreply.github.com
rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml	85	13	1322	112	15	7	2021-09-30	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml	84	21	1625	112	27	7	2020-12-01	2025-01-22	brokensound77@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml	102	16	1085	112	18	8	2022-05-25	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/cross-platform/persistence_ssh_authorized_keys_modification.toml	120	18	1569	112	20	8	2021-01-26	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/cross-platform/execution_revershell_via_shell_cmd.toml	84	23	1556	231	27	9	2021-02-08	2024-09-25	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/cross-platform/multiple_alerts_involving_user.toml	66	5	862	112	7	4	2023-01-03	2025-01-22	26856693+w0rk3r@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/cross-platform/guided_onboarding_sample_rule.toml	62	9	875	112	12	6	2022-12-21	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml	73	13	1555	112	15	7	2021-02-09	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml	121	16	1559	112	18	8	2021-02-05	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml	83	8	692	84	12	6	2023-06-22	2025-02-19	26856693+w0rk3r@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml	95	14	1560	112	18	8	2021-02-04	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/cross-platform/privilege_escalation_sudoers_file_mod.toml	81	15	1561	112	19	8	2021-02-03	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/cross-platform/defense_evasion_timestomp_touch.toml	84	15	1517	112	17	8	2021-03-19	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml	102	21	1569	84	23	7	2021-01-26	2025-02-19	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml	72	9	1393	112	11	7	2021-07-21	2025-01-22	brokensound77@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/cross-platform/execution_aws_ssm_sendcommand_with_command_parameters.toml	144	4	245	112	4	3	2024-09-11	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml	68	8	1027	112	10	6	2022-07-22	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/promotions/credential_access_endgame_cred_dumping_detected.toml	73	8	1027	112	10	6	2022-07-22	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/promotions/privilege_escalation_endgame_cred_manipulation_prevented.toml	68	8	1027	112	10	6	2022-07-22	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/promotions/endgame_malware_prevented.toml	59	12	1532	112	14	8	2021-03-04	2025-01-22	56412096+bm11100@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/promotions/endgame_malware_detected.toml	58	12	1532	112	14	8	2021-03-04	2025-01-22	56412096+bm11100@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/promotions/endgame_adversary_behavior_detected.toml	58	13	1532	112	15	8	2021-03-04	2025-01-22	56412096+bm11100@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/promotions/execution_endgame_exploit_prevented.toml	81	8	1027	112	10	6	2022-07-22	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/promotions/endgame_ransomware_detected.toml	57	13	1532	112	15	8	2021-03-04	2025-01-22	56412096+bm11100@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/promotions/privilege_escalation_endgame_process_injection_detected.toml	69	8	1027	112	10	6	2022-07-22	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml	68	8	1027	112	10	6	2022-07-22	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/promotions/external_alerts.toml	89	23	1770	112	29	12	2020-07-09	2025-01-22	spong@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml	68	8	1027	112	10	6	2022-07-22	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/promotions/endgame_ransomware_prevented.toml	58	13	1532	112	15	8	2021-03-04	2025-01-22	56412096+bm11100@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml	68	8	1027	112	10	6	2022-07-22	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/promotions/execution_endgame_exploit_detected.toml	79	8	1027	112	10	6	2022-07-22	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/promotions/credential_access_endgame_cred_dumping_prevented.toml	72	8	1027	112	10	6	2022-07-22	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/privilege_escalation_suspicious_dnshostname_update.toml	91	16	1099	84	18	8	2022-05-11	2025-02-19	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/privilege_escalation_newcreds_logon_rare_process.toml	73	8	534	84	10	6	2023-11-27	2025-02-19	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml	127	29	1318	84	34	10	2021-10-04	2025-02-19	a.songer@protonmail.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/credential_access_domain_backup_dpapi_private_keys.toml	52	41	1688	112	45	12	2020-09-29	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/defense_evasion_posh_compressed.toml	154	29	1247	100	33	8	2021-12-14	2025-02-03	jonhnathancesar@gmail.com	91139415+shashank-elastic@users.noreply.github.com
rules/windows/defense_evasion_wsl_filesystem.toml	82	11	833	112	13	6	2023-02-01	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/execution_psexec_lateral_movement_command.toml	111	37	1779	211	44	12	2020-06-30	2024-10-15	31489089+rw-access@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/privilege_escalation_disable_uac_registry.toml	136	30	1554	211	34	9	2021-02-10	2024-10-15	56412096+bm11100@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/persistence_appcertdlls_registry.toml	93	32	1618	112	36	9	2020-12-08	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/defense_evasion_indirect_exec_forfiles.toml	80	2	100	84	2	2	2025-02-03	2025-02-19	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/execution_enumeration_via_wmiprvse.toml	128	32	1570	84	34	12	2021-01-25	2025-02-19	56412096+bm11100@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/persistence_sysmon_wmi_event_subscription.toml	84	9	624	112	11	6	2023-08-29	2025-01-22	26856693+w0rk3r@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/execution_ms_office_written_file.toml	109	39	1686	278	44	11	2020-10-01	2024-08-09	brokensound77@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml	138	28	1618	100	34	8	2020-12-08	2025-02-03	64742097+samirbous@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/windows/privilege_escalation_uac_bypass_com_clipup.toml	112	32	1626	112	37	10	2020-11-30	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/credential_access_dump_registry_hives.toml	98	35	1624	84	42	10	2020-12-02	2025-02-19	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml	100	38	1695	61	43	13	2020-09-22	2025-03-14	64742097+samirbous@users.noreply.github.com	64742097+samirbous@users.noreply.github.com
rules/windows/privilege_escalation_unquoted_service_path.toml	91	7	393	84	9	4	2024-04-16	2025-02-19	26856693+w0rk3r@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/persistence_ms_office_addins_file.toml	83	28	1638	112	34	9	2020-11-18	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/execution_suspicious_psexesvc.toml	89	38	1667	211	44	13	2020-10-20	2024-10-15	brokensound77@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/defense_evasion_iis_httplogging_disabled.toml	92	40	1688	84	45	13	2020-09-29	2025-02-19	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/defense_evasion_injection_msbuild.toml	93	27	1779	76	32	10	2020-06-30	2025-02-27	31489089+rw-access@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/defense_evasion_create_mod_root_certificate.toml	130	30	1556	211	35	10	2021-02-08	2024-10-15	56412096+bm11100@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/defense_evasion_suspicious_managedcode_host_process.toml	86	31	1695	112	36	10	2020-09-22	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/persistence_browser_extension_install.toml	98	6	393	112	8	4	2024-04-16	2025-01-22	26856693+w0rk3r@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/credential_access_iis_connectionstrings_dumping.toml	94	39	1688	84	44	13	2020-09-29	2025-02-19	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml	121	41	1695	84	46	13	2020-09-22	2025-02-19	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml	104	32	1618	84	37	9	2020-12-08	2025-02-19	brokensound77@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/collection_winrar_encryption.toml	120	37	1608	190	44	8	2020-12-18	2024-11-05	brokensound77@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/persistence_scheduled_task_updated.toml	92	15	968	84	17	7	2022-09-19	2025-02-19	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/defense_evasion_wsl_bash_exec.toml	116	13	833	112	15	7	2023-02-01	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml	83	20	1407	112	22	9	2021-07-07	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/defense_evasion_workfolders_control_execution.toml	92	25	1168	84	29	9	2022-03-03	2025-02-19	99630311+terrancedejesus@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/initial_access_execution_via_office_addins.toml	128	10	770	112	12	5	2023-04-05	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/credential_access_veeam_commands.toml	111	8	419	84	10	4	2024-03-21	2025-02-19	26856693+w0rk3r@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/persistence_registry_uncommon.toml	173	32	1618	112	37	11	2020-12-08	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/persistence_evasion_registry_ifeo_injection.toml	108	30	1618	112	35	10	2020-12-08	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/defense_evasion_network_connection_from_windows_binary.toml	193	36	1667	100	40	11	2020-10-20	2025-02-03	brokensound77@users.noreply.github.com	64742097+samirbous@users.noreply.github.com
rules/windows/persistence_service_windows_service_winlog.toml	125	18	910	84	22	8	2022-11-16	2025-02-19	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/privilege_escalation_via_token_theft.toml	130	10	911	112	12	7	2022-11-15	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/persistence_priv_escalation_via_accessibility_features.toml	159	51	1779	100	60	13	2020-06-30	2025-02-03	31489089+rw-access@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/windows/defense_evasion_process_termination_followed_by_deletion.toml	151	23	1618	100	25	8	2020-12-08	2025-02-03	64742097+samirbous@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml	167	14	840	112	16	6	2023-01-25	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml	160	51	1695	84	60	13	2020-09-22	2025-02-19	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/collection_posh_mailbox.toml	122	13	841	198	15	5	2023-01-24	2024-10-28	26856693+w0rk3r@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/windows/defense_evasion_microsoft_defender_tampering.toml	134	28	1217	211	32	10	2022-01-13	2024-10-15	austin@songer.pro	26856693+w0rk3r@users.noreply.github.com
rules/windows/execution_suspicious_cmd_wmi.toml	100	33	1608	84	38	10	2020-12-18	2025-02-19	brokensound77@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml	85	18	1322	112	20	8	2021-09-30	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/discovery_adfind_command_activity.toml	126	39	1617	84	46	11	2020-12-09	2025-02-19	7442091+peasead@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/defense_evasion_clearing_windows_security_logs.toml	72	28	1583	84	32	9	2021-01-12	2025-02-19	33020901+janniten@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/defense_evasion_defender_disabled_via_registry.toml	110	37	1555	205	41	10	2021-02-09	2024-10-21	7442091+peasead@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/windows/credential_access_remote_sam_secretsdump.toml	96	30	1168	357	34	9	2022-03-03	2024-05-22	64742097+samirbous@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/windows/privilege_escalation_msi_repair_via_mshelp_link.toml	102	5	243	112	5	4	2024-09-13	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/defense_evasion_msiexec_child_proc_netcon.toml	89	4	241	112	4	3	2024-09-15	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/privilege_escalation_uac_bypass_event_viewer.toml	151	53	1779	84	64	13	2020-06-30	2025-02-19	31489089+rw-access@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/initial_access_xsl_script_execution_via_com.toml	93	4	455	112	6	4	2024-02-14	2025-01-22	26856693+w0rk3r@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/command_and_control_tunnel_vscode.toml	91	7	240	84	7	4	2024-09-16	2025-02-19	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/lateral_movement_cmd_service.toml	107	30	1686	112	33	12	2020-10-01	2025-01-22	brokensound77@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/defense_evasion_msbuild_making_network_connections.toml	138	26	1608	78	28	7	2020-12-18	2025-02-25	brokensound77@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml	99	24	1199	84	28	8	2022-01-31	2025-02-19	jonhnathancesar@gmail.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml	85	15	1447	112	17	9	2021-05-28	2025-01-22	56412096+bm11100@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/defense_evasion_windows_filtering_platform.toml	137	9	497	84	11	5	2024-01-03	2025-02-19	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/persistence_group_modification_by_system.toml	86	5	322	84	5	2	2024-06-26	2025-02-19	26856693+w0rk3r@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/defense_evasion_sccm_scnotification_dll.toml	71	3	391	112	5	4	2024-04-18	2025-01-22	26856693+w0rk3r@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/execution_windows_powershell_susp_args.toml	142	6	241	84	6	3	2024-09-15	2025-02-19	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/initial_access_exploit_jetbrains_teamcity.toml	127	9	415	84	11	5	2024-03-25	2025-02-19	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/collection_posh_clipboard_capture.toml	131	15	841	198	15	5	2023-01-24	2024-10-28	26856693+w0rk3r@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/windows/credential_access_kerberoasting_unusual_process.toml	161	36	1638	100	46	10	2020-11-18	2025-02-03	64742097+samirbous@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml	94	16	833	84	18	6	2023-02-01	2025-02-19	59296946+imays11@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml	142	38	1618	100	47	9	2020-12-08	2025-02-03	64742097+samirbous@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/windows/execution_downloaded_shortcut_files.toml	89	26	1686	112	28	11	2020-10-01	2025-01-22	brokensound77@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/execution_pdf_written_file.toml	117	33	1686	211	38	10	2020-10-01	2024-10-15	brokensound77@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/execution_command_shell_started_by_svchost.toml	152	51	1779	84	63	15	2020-06-30	2025-02-19	31489089+rw-access@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/discovery_posh_suspicious_api_functions.toml	165	29	1308	198	32	8	2021-10-14	2024-10-28	jonhnathancesar@gmail.com	91139415+shashank-elastic@users.noreply.github.com
rules/windows/execution_initial_access_via_msc_file.toml	95	5	365	112	7	5	2024-05-14	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/execution_initial_access_foxmail_exploit.toml	100	5	240	84	6	3	2024-09-16	2025-02-19	26856693+w0rk3r@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/privilege_escalation_create_process_with_token_unpriv.toml	98	6	524	112	8	6	2023-12-07	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/defense_evasion_suspicious_short_program_name.toml	112	17	1027	100	19	7	2022-07-22	2025-02-03	99630311+terrancedejesus@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/windows/defense_evasion_wsl_kalilinux.toml	97	16	833	84	18	8	2023-02-01	2025-02-19	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml	158	51	1695	84	60	13	2020-09-22	2025-02-19	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/initial_access_webshell_screenconnect_server.toml	109	9	413	84	11	5	2024-03-27	2025-02-19	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/lateral_movement_remote_file_copy_hidden_share.toml	93	33	1618	76	38	9	2020-12-08	2025-02-27	64742097+samirbous@users.noreply.github.com	64742097+samirbous@users.noreply.github.com
rules/windows/defense_evasion_code_signing_policy_modification_registry.toml	112	17	833	100	19	5	2023-02-01	2025-02-03	78494512+aegrah@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/windows/defense_evasion_hide_encoded_executable_registry.toml	68	24	1618	112	28	9	2020-12-08	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/defense_evasion_wsl_child_process.toml	109	15	833	84	17	7	2023-02-01	2025-02-19	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/collection_mailbox_export_winlog.toml	103	13	854	198	13	5	2023-01-11	2024-10-28	64742097+samirbous@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml	117	15	833	84	17	6	2023-02-01	2025-02-19	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/privilege_escalation_installertakeover.toml	129	29	1210	100	36	8	2022-01-20	2025-02-03	jonhnathancesar@gmail.com	91139415+shashank-elastic@users.noreply.github.com
rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml	123	14	1027	112	17	8	2022-07-22	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml	280	12	742	84	14	4	2023-05-03	2025-02-19	99630311+terrancedejesus@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/discovery_posh_invoke_sharefinder.toml	129	16	968	198	20	6	2022-09-19	2024-10-28	jonhnathancesar@gmail.com	91139415+shashank-elastic@users.noreply.github.com
rules/windows/defense_evasion_clearing_windows_event_logs.toml	105	50	1779	84	60	16	2020-06-30	2025-02-19	31489089+rw-access@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/command_and_control_teamviewer_remote_file_copy.toml	121	48	1695	100	57	12	2020-09-22	2025-02-03	64742097+samirbous@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/windows/lateral_movement_via_wsus_update.toml	91	9	296	84	9	3	2024-07-22	2025-02-19	26856693+w0rk3r@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/execution_windows_script_from_internet.toml	108	3	100	86	3	2	2025-02-03	2025-02-17	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/execution_via_compiled_html_file.toml	155	47	1779	84	52	13	2020-06-30	2025-02-19	31489089+rw-access@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml	105	6	328	112	6	2	2024-06-20	2025-01-22	26856693+w0rk3r@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/lateral_movement_rdp_sharprdp_target.toml	88	22	1618	112	24	9	2020-12-08	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/persistence_msoffice_startup_registry.toml	92	4	393	112	6	4	2024-04-16	2025-01-22	26856693+w0rk3r@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/credential_access_adidns_wpad_record.toml	95	7	328	84	7	2	2024-06-20	2025-02-19	26856693+w0rk3r@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/credential_access_imageload_azureadconnectauthsvc.toml	87	4	212	86	4	3	2024-10-14	2025-02-17	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/defense_evasion_disabling_windows_defender_powershell.toml	113	28	1407	84	32	10	2021-07-07	2025-02-19	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml	154	32	1636	100	37	10	2020-11-20	2025-02-03	57736958+dstepanic17@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/windows/lateral_movement_remote_service_installed_winlog.toml	114	12	910	84	14	7	2022-11-16	2025-02-19	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml	137	20	968	84	24	7	2022-09-19	2025-02-19	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml	107	29	1636	112	34	9	2020-11-20	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml	98	20	1492	112	22	9	2021-04-13	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/defense_evasion_sip_provider_mod.toml	88	23	1567	112	26	9	2021-01-28	2025-01-22	brokensound77@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/defense_evasion_timestomp_sysmon.toml	95	9	838	76	11	6	2023-01-27	2025-02-27	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/impact_backup_file_deletion.toml	115	26	1318	213	30	8	2021-10-04	2024-10-13	jonhnathancesar@gmail.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/persistence_via_wmi_stdregprov_run_services.toml	183	18	1499	100	20	9	2021-04-06	2025-02-03	64742097+samirbous@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/windows/privilege_escalation_via_rogue_named_pipe.toml	88	16	1253	76	18	8	2021-12-08	2025-02-27	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/credential_access_lsass_memdump_handle_access.toml	154	30	1175	84	36	8	2022-02-24	2025-02-19	mikaayenson@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/discovery_high_number_ad_properties.toml	83	7	407	84	9	5	2024-04-02	2025-02-19	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/persistence_local_scheduled_task_scripting.toml	86	26	1623	112	28	11	2020-12-03	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/credential_access_disable_kerberos_preauth.toml	116	25	1199	84	29	8	2022-01-31	2025-02-19	jonhnathancesar@gmail.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml	88	40	1779	84	47	13	2020-06-30	2025-02-19	31489089+rw-access@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/privilege_escalation_krbrelayup_service_creation.toml	100	13	1111	84	15	8	2022-04-29	2025-02-19	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/credential_access_lsass_memdump_file_created.toml	142	33	1618	100	39	10	2020-12-08	2025-02-03	64742097+samirbous@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/windows/exfiltration_smb_rare_destination.toml	122	8	524	112	10	5	2023-12-07	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/persistence_via_update_orchestrator_service_hijack.toml	157	47	1688	84	55	13	2020-09-29	2025-02-19	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml	89	26	1407	84	31	9	2021-07-07	2025-02-19	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/execution_command_shell_via_rundll32.toml	111	31	1626	112	36	9	2020-11-30	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/persistence_user_account_added_to_privileged_group_ad.toml	101	32	1554	84	38	11	2021-02-10	2025-02-19	56412096+bm11100@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml	114	31	1639	112	36	10	2020-11-17	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/execution_powershell_susp_args_via_winscript.toml	92	6	241	84	6	3	2024-09-15	2025-02-19	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/privilege_escalation_posh_token_impersonation.toml	186	20	968	100	22	7	2022-09-19	2025-02-03	jonhnathancesar@gmail.com	91139415+shashank-elastic@users.noreply.github.com
rules/windows/defense_evasion_execution_windefend_unusual_path.toml	97	22	1407	112	24	11	2021-07-07	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/defense_evasion_parent_process_pid_spoofing.toml	122	14	1399	112	16	8	2021-07-15	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml	111	20	1104	84	22	9	2022-05-06	2025-02-19	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml	122	28	1267	84	33	9	2021-11-24	2025-02-19	austin@songer.pro	26856693+w0rk3r@users.noreply.github.com
rules/windows/credential_access_kirbi_file.toml	68	13	464	112	14	4	2024-02-05	2025-01-22	26856693+w0rk3r@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/defense_evasion_msxsl_network.toml	82	20	1608	112	22	8	2020-12-18	2025-01-22	brokensound77@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/defense_evasion_amsienable_key_mod.toml	103	29	1437	211	34	9	2021-06-07	2024-10-15	56412096+bm11100@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/persistence_via_application_shimming.toml	108	44	1779	84	49	13	2020-06-30	2025-02-19	31489089+rw-access@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/privilege_escalation_via_ppid_spoofing.toml	132	13	911	112	15	8	2022-11-15	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/lateral_movement_alternate_creds_pth.toml	78	8	777	84	10	6	2023-03-29	2025-02-19	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/execution_windows_cmd_shell_susp_args.toml	138	5	241	84	5	3	2024-09-15	2025-02-19	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/privilege_escalation_rogue_windir_environment_var.toml	94	26	1618	112	31	10	2020-12-08	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml	129	43	1695	100	52	12	2020-09-22	2025-02-03	64742097+samirbous@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/windows/lateral_movement_rdp_enabled_registry.toml	101	35	1618	211	42	10	2020-12-08	2024-10-15	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/lateral_movement_scheduled_task_target.toml	86	28	1618	211	32	10	2020-12-08	2024-10-15	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/discovery_privileged_localgroup_membership.toml	179	36	1253	84	40	11	2021-12-08	2025-02-19	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/credential_access_posh_minidump.toml	107	23	1296	198	27	8	2021-10-26	2024-10-28	jonhnathancesar@gmail.com	91139415+shashank-elastic@users.noreply.github.com
rules/windows/command_and_control_screenconnect_childproc.toml	104	12	413	84	13	5	2024-03-27	2025-02-19	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/command_and_control_headless_browser.toml	88	7	365	84	9	4	2024-05-14	2025-02-19	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml	127	48	1779	84	58	13	2020-06-30	2025-02-19	31489089+rw-access@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/initial_access_suspicious_ms_outlook_child_process.toml	141	37	1608	84	44	9	2020-12-18	2025-02-19	brokensound77@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/defense_evasion_disabling_windows_logs.toml	118	30	1393	84	34	10	2021-07-21	2025-02-19	austin@songer.pro	26856693+w0rk3r@users.noreply.github.com
rules/windows/defense_evasion_from_unusual_directory.toml	171	26	1027	84	28	9	2022-07-22	2025-02-19	99630311+terrancedejesus@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml	102	23	1528	112	26	10	2021-03-08	2025-01-22	brokensound77@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml	107	13	911	84	15	8	2022-11-15	2025-02-19	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/impact_stop_process_service_threshold.toml	82	24	1329	84	28	7	2021-09-23	2025-02-19	jonhnathancesar@gmail.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/defense_evasion_unusual_system_vp_child_program.toml	84	39	1695	84	44	12	2020-09-22	2025-02-19	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/execution_downloaded_url_file.toml	87	26	1686	112	28	11	2020-10-01	2025-01-22	brokensound77@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/defense_evasion_suspicious_scrobj_load.toml	97	35	1667	112	38	12	2020-10-20	2025-01-22	brokensound77@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml	128	30	1608	112	35	10	2020-12-18	2025-01-22	brokensound77@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/command_and_control_tool_transfer_via_curl.toml	107	3	100	78	3	2	2025-02-03	2025-02-25	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/persistence_ms_outlook_vba_template.toml	78	27	1626	112	32	9	2020-11-30	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/privilege_escalation_uac_bypass_mock_windir.toml	152	41	1618	84	50	11	2020-12-08	2025-02-19	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/defense_evasion_masquerading_communication_apps.toml	136	6	569	112	8	4	2023-10-23	2025-01-22	26856693+w0rk3r@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml	104	25	1044	78	27	11	2022-07-05	2025-02-25	99630311+terrancedejesus@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/credential_access_bruteforce_admin_account.toml	117	19	968	84	23	7	2022-09-19	2025-02-19	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/impact_modification_of_boot_config.toml	91	29	1329	84	33	9	2021-09-23	2025-02-19	jonhnathancesar@gmail.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/persistence_run_key_and_startup_broad.toml	284	37	1618	100	45	9	2020-12-08	2025-02-03	64742097+samirbous@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml	149	36	1618	84	41	11	2020-12-08	2025-02-19	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml	74	4	581	112	6	4	2023-10-11	2025-01-22	78494512+aegrah@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/defense_evasion_posh_obfuscation.toml	118	4	314	112	4	4	2024-07-04	2025-01-22	26856693+w0rk3r@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/execution_register_server_program_connecting_to_the_internet.toml	148	42	1779	100	47	13	2020-06-30	2025-02-03	31489089+rw-access@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml	91	18	1274	112	20	9	2021-11-17	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/privilege_escalation_persistence_phantom_dll.toml	191	33	1556	86	39	10	2021-02-08	2025-02-17	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/initial_access_exfiltration_first_time_seen_usb.toml	105	10	684	112	12	5	2023-06-30	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/privilege_escalation_group_policy_privileged_groups.toml	88	24	1210	84	29	8	2022-01-20	2025-02-19	jonhnathancesar@gmail.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/lateral_movement_direct_outbound_smb_connection.toml	128	46	1779	98	55	13	2020-06-30	2025-02-05	31489089+rw-access@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml	118	31	1625	112	37	9	2020-12-01	2025-01-22	brokensound77@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/discovery_group_policy_object_discovery.toml	86	17	841	84	19	6	2023-01-24	2025-02-19	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/execution_from_unusual_path_cmdline.toml	239	42	1618	84	50	11	2020-12-08	2025-02-19	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/execution_via_mmc_console_file_unusual_path.toml	119	9	321	84	9	4	2024-06-27	2025-02-19	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/defense_evasion_unusual_dir_ads.toml	80	29	1618	112	34	10	2020-12-08	2025-01-22	brokensound77@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/command_and_control_port_forwarding_added_registry.toml	97	29	1329	211	32	8	2021-09-23	2024-10-15	jonhnathancesar@gmail.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/privilege_escalation_windows_service_via_unusual_client.toml	103	20	1188	84	22	8	2022-02-11	2025-02-19	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/initial_access_execution_remote_via_msiexec.toml	116	4	455	112	6	4	2024-02-14	2025-01-22	26856693+w0rk3r@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/credential_access_generic_localdumps.toml	100	12	972	112	14	7	2022-09-15	2025-01-22	jonhnathancesar@gmail.com	mikaayenson@users.noreply.github.com
rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml	156	33	1492	100	39	10	2021-04-13	2025-02-03	64742097+samirbous@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/windows/execution_command_shell_started_by_unusual_process.toml	94	38	1689	112	42	13	2020-09-28	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/lateral_movement_remote_task_creation_winlog.toml	75	16	968	84	20	7	2022-09-19	2025-02-19	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml	94	29	1329	84	33	9	2021-09-23	2025-02-19	jonhnathancesar@gmail.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/execution_shared_modules_local_sxs_dll.toml	53	27	1626	112	33	11	2020-11-30	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml	104	17	925	112	18	7	2022-11-01	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/persistence_suspicious_scheduled_task_runtime.toml	126	27	1618	84	32	10	2020-12-08	2025-02-19	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/lateral_movement_remote_services.toml	153	37	1618	100	42	10	2020-12-08	2025-02-03	64742097+samirbous@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/windows/defense_evasion_audit_policy_disabled_winlog.toml	113	4	120	84	4	2	2025-01-14	2025-02-19	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/credential_access_posh_invoke_ninjacopy.toml	115	10	842	198	12	4	2023-01-23	2024-10-28	26856693+w0rk3r@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/windows/credential_access_lsass_openprocess_api.toml	188	18	772	100	20	6	2023-04-03	2025-02-03	64742097+samirbous@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml	93	23	1195	211	27	8	2022-02-04	2024-10-15	jonhnathancesar@gmail.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/command_and_control_sunburst_c2_activity_detected.toml	138	29	1611	100	37	10	2020-12-15	2025-02-03	7442091+peasead@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/windows/collection_posh_screen_grabber.toml	103	21	1247	198	25	8	2021-12-14	2024-10-28	jonhnathancesar@gmail.com	91139415+shashank-elastic@users.noreply.github.com
rules/windows/lateral_movement_dcom_mmc20.toml	101	23	1618	112	25	9	2020-12-08	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/defense_evasion_disable_nla.toml	87	5	393	112	7	4	2024-04-16	2025-01-22	26856693+w0rk3r@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml	110	30	1638	112	35	9	2020-11-18	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/defense_evasion_defender_exclusion_via_powershell.toml	128	34	1393	84	39	11	2021-07-21	2025-02-19	57736958+dstepanic17@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/command_and_control_rdp_tunnel_plink.toml	103	32	1329	84	35	8	2021-09-23	2025-02-19	jonhnathancesar@gmail.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/credential_access_spn_attribute_modified.toml	102	25	1148	84	29	8	2022-03-23	2025-02-19	jonhnathancesar@gmail.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml	99	19	1198	84	22	8	2022-02-01	2025-02-19	jonhnathancesar@gmail.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/defense_evasion_cve_2020_0601.toml	74	23	1779	84	28	9	2020-06-30	2025-02-19	31489089+rw-access@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/defense_evasion_execution_msbuild_started_renamed.toml	123	43	1779	100	50	13	2020-06-30	2025-02-03	31489089+rw-access@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/windows/credential_access_lsass_loaded_susp_dll.toml	142	14	861	112	17	7	2023-01-04	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/command_and_control_outlook_home_page.toml	95	4	282	112	4	2	2024-08-05	2025-01-22	26856693+w0rk3r@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/persistence_dontexpirepasswd_account.toml	94	20	1145	84	24	8	2022-03-26	2025-02-19	jonhnathancesar@gmail.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/defense_evasion_via_filter_manager.toml	131	41	1779	78	46	13	2020-06-30	2025-02-25	31489089+rw-access@users.noreply.github.com	64742097+samirbous@users.noreply.github.com
rules/windows/persistence_app_compat_shim.toml	89	34	1686	112	36	12	2020-10-01	2025-01-22	brokensound77@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/execution_suspicious_image_load_wmi_ms_office.toml	85	28	1636	112	33	11	2020-11-20	2025-01-22	57736958+dstepanic17@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/credential_access_posh_relay_tools.toml	128	5	412	112	7	4	2024-03-28	2025-01-22	26856693+w0rk3r@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/persistence_sdprop_exclusion_dsheuristics.toml	103	26	1161	84	30	8	2022-03-10	2025-02-19	jonhnathancesar@gmail.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/execution_command_prompt_connecting_to_the_internet.toml	142	33	1779	100	38	10	2020-06-30	2025-02-03	31489089+rw-access@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/windows/defense_evasion_posh_assembly_load.toml	171	29	1253	100	34	9	2021-12-08	2025-02-03	jonhnathancesar@gmail.com	64742097+samirbous@users.noreply.github.com
rules/windows/execution_scheduled_task_powershell_source.toml	93	27	1608	112	29	12	2020-12-18	2025-01-22	brokensound77@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/persistence_via_bits_job_notify_command.toml	77	21	1492	112	22	8	2021-04-13	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/impact_ransomware_file_rename_smb.toml	96	4	372	86	6	4	2024-05-07	2025-02-17	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/persistence_appinitdlls_registry.toml	142	32	1618	100	37	8	2020-12-08	2025-02-03	64742097+samirbous@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/windows/defense_evasion_execution_lolbas_wuauclt.toml	131	33	1618	84	39	11	2020-12-08	2025-02-19	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/execution_posh_hacktool_authors.toml	116	5	370	112	7	4	2024-05-09	2025-01-22	26856693+w0rk3r@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/initial_access_script_executing_powershell.toml	118	35	1608	211	43	8	2020-12-18	2024-10-15	brokensound77@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml	115	29	1611	112	35	10	2020-12-15	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/credential_access_posh_kerb_ticket_dump.toml	122	12	633	112	14	4	2023-08-20	2025-01-22	26856693+w0rk3r@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/privilege_escalation_named_pipe_impersonation.toml	128	31	1622	84	36	10	2020-12-04	2025-02-19	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/lateral_movement_incoming_winrm_shell_execution.toml	89	22	1618	112	24	9	2020-12-08	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/defense_evasion_masquerading_renamed_autoit.toml	112	40	1695	100	45	12	2020-09-22	2025-02-03	64742097+samirbous@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/windows/privilege_escalation_dns_serverlevelplugindll.toml	81	5	336	112	5	3	2024-06-12	2025-01-22	26856693+w0rk3r@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/defense_evasion_sdelete_like_filename_rename.toml	86	33	1688	211	38	12	2020-09-29	2024-10-15	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/credential_access_suspicious_comsvcs_imageload.toml	145	20	1273	100	22	9	2021-11-18	2025-02-03	64742097+samirbous@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/windows/lateral_movement_executable_tool_transfer_smb.toml	93	23	1624	231	28	9	2020-12-02	2024-09-25	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml	101	20	1203	84	22	9	2022-01-27	2025-02-19	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/collection_posh_keylogger.toml	121	31	1274	198	35	9	2021-11-17	2024-10-28	jonhnathancesar@gmail.com	91139415+shashank-elastic@users.noreply.github.com
rules/windows/privilege_escalation_create_process_as_different_user.toml	86	16	968	84	18	7	2022-09-19	2025-02-19	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/command_and_control_remote_file_copy_powershell.toml	151	32	1618	100	38	9	2020-12-08	2025-02-03	64742097+samirbous@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml	111	26	1329	84	28	9	2021-09-23	2025-02-19	jonhnathancesar@gmail.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml	121	31	1611	84	36	11	2020-12-15	2025-02-19	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/persistence_remote_password_reset.toml	105	25	1273	84	30	10	2021-11-18	2025-02-19	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/defense_evasion_mshta_beacon.toml	86	33	1667	112	35	11	2020-10-20	2025-01-22	brokensound77@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/defense_evasion_masquerading_business_apps_installer.toml	212	4	455	112	6	4	2024-02-14	2025-01-22	26856693+w0rk3r@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/initial_access_scripts_process_started_via_wmi.toml	127	26	1608	112	28	10	2020-12-18	2025-01-22	brokensound77@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/impact_ransomware_note_file_over_smb.toml	95	4	372	86	6	4	2024-05-07	2025-02-17	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/collection_posh_webcam_video_capture.toml	113	6	464	112	8	4	2024-02-05	2025-01-22	26856693+w0rk3r@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/persistence_system_shells_via_services.toml	135	51	1779	84	59	14	2020-06-30	2025-02-19	31489089+rw-access@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/defense_evasion_amsi_bypass_dllhijack.toml	146	22	839	100	23	6	2023-01-26	2025-02-03	64742097+samirbous@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/windows/credential_access_ldap_attributes.toml	131	21	911	84	23	7	2022-11-15	2025-02-19	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml	117	19	1447	112	21	8	2021-05-28	2025-01-22	56412096+bm11100@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/lateral_movement_unusual_dns_service_children.toml	102	13	577	84	15	3	2023-10-15	2025-02-19	26856693+w0rk3r@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/persistence_ad_adminsdholder.toml	87	18	1198	84	20	8	2022-02-01	2025-02-19	jonhnathancesar@gmail.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/initial_access_suspicious_ms_office_child_process.toml	154	38	1608	84	47	11	2020-12-18	2025-02-19	brokensound77@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml	132	45	1688	100	53	13	2020-09-29	2025-02-03	64742097+samirbous@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/windows/credential_access_saved_creds_vault_winlog.toml	91	18	968	84	20	7	2022-09-19	2025-02-19	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/credential_access_dollar_account_relay.toml	93	6	285	84	7	2	2024-08-02	2025-02-19	26856693+w0rk3r@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/lateral_movement_incoming_wmi.toml	101	29	1618	78	31	10	2020-12-08	2025-02-25	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/lateral_movement_unusual_dns_service_file_writes.toml	62	10	577	112	12	4	2023-10-15	2025-01-22	26856693+w0rk3r@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/credential_access_suspicious_lsass_access_generic.toml	113	14	840	112	16	7	2023-01-25	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml	106	20	1563	112	22	9	2021-02-01	2025-01-22	56412096+bm11100@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/persistence_scheduled_task_creation_winlog.toml	87	14	968	84	16	7	2022-09-19	2025-02-19	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml	89	48	1779	84	57	14	2020-06-30	2025-02-19	31489089+rw-access@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml	148	36	1779	100	41	11	2020-06-30	2025-02-03	31489089+rw-access@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/windows/persistence_user_account_creation.toml	88	46	1779	84	55	13	2020-06-30	2025-02-19	31489089+rw-access@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/defense_evasion_amsi_bypass_powershell.toml	150	18	839	76	21	6	2023-01-26	2025-02-27	64742097+samirbous@users.noreply.github.com	64742097+samirbous@users.noreply.github.com
rules/windows/initial_access_execution_from_removable_media.toml	75	4	455	112	6	4	2024-02-14	2025-01-22	26856693+w0rk3r@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/discovery_peripheral_device.toml	82	32	1622	84	40	9	2020-12-04	2025-02-19	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml	106	29	1318	84	34	10	2021-10-04	2025-02-19	7442091+peasead@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/execution_suspicious_pdf_reader.toml	125	45	1779	84	55	12	2020-06-30	2025-02-19	31489089+rw-access@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/privilege_escalation_group_policy_iniscript.toml	123	24	1210	84	29	8	2022-01-20	2025-02-19	jonhnathancesar@gmail.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/credential_access_posh_request_ticket.toml	115	26	1203	198	30	8	2022-01-27	2024-10-28	jonhnathancesar@gmail.com	91139415+shashank-elastic@users.noreply.github.com
rules/windows/defense_evasion_unusual_ads_file_creation.toml	154	38	1554	100	43	12	2021-02-10	2025-02-03	56412096+bm11100@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml	81	19	1253	84	21	8	2021-12-08	2025-02-19	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/defense_evasion_rundll32_no_arguments.toml	120	35	1667	100	39	12	2020-10-20	2025-02-03	brokensound77@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/windows/lateral_movement_execution_from_tsclient_mup.toml	94	31	1618	84	36	9	2020-12-08	2025-02-19	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/persistence_startup_folder_scripts.toml	133	41	1618	100	52	10	2020-12-08	2025-02-03	64742097+samirbous@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/windows/credential_access_dcsync_replication_rights.toml	130	35	1183	84	39	9	2022-02-16	2025-02-19	jonhnathancesar@gmail.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml	105	42	1779	84	49	14	2020-06-30	2025-02-19	31489089+rw-access@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/initial_access_execution_from_inetcache.toml	112	9	454	84	11	5	2024-02-15	2025-02-19	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/command_and_control_ingress_transfer_bits.toml	144	15	838	100	17	6	2023-01-27	2025-02-03	64742097+samirbous@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/windows/defense_evasion_proxy_execution_via_msdt.toml	86	19	1078	112	21	9	2022-06-01	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/privilege_escalation_service_control_spawned_script_int.toml	161	15	719	84	17	4	2023-05-26	2025-02-19	26856693+w0rk3r@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml	82	17	1261	211	21	8	2021-11-30	2024-10-15	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/discovery_command_system_account.toml	95	21	1091	211	25	8	2022-05-19	2024-10-15	jonhnathancesar@gmail.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/defense_evasion_wsl_registry_modification.toml	89	14	833	112	16	6	2023-02-01	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/execution_posh_hacktool_functions.toml	319	21	834	100	21	5	2023-01-31	2025-02-03	26856693+w0rk3r@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/windows/persistence_suspicious_service_created_registry.toml	96	27	1622	112	32	9	2020-12-04	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/persistence_services_registry.toml	116	29	1618	112	34	9	2020-12-08	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/defense_evasion_wsl_enabled_via_dism.toml	88	16	833	84	18	7	2023-02-01	2025-02-19	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/defense_evasion_suspicious_zoom_child_process.toml	137	43	1687	84	47	13	2020-09-30	2025-02-19	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/credential_access_adidns_wildcard.toml	99	8	413	84	10	4	2024-03-27	2025-02-19	26856693+w0rk3r@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/credential_access_cmdline_dump_tool.toml	140	39	1618	84	46	10	2020-12-08	2025-02-19	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/defense_evasion_sc_sdset.toml	98	5	301	112	5	3	2024-07-17	2025-01-22	26856693+w0rk3r@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml	121	42	1695	112	46	13	2020-09-22	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/defense_evasion_suspicious_wmi_script.toml	92	32	1667	112	35	13	2020-10-20	2025-01-22	brokensound77@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/discovery_whoami_command_activity.toml	113	46	1779	78	54	13	2020-06-30	2025-02-25	31489089+rw-access@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/credential_access_regback_sam_security_hives.toml	81	3	313	86	3	2	2024-07-05	2025-02-17	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/credential_access_saved_creds_vaultcmd.toml	101	33	1570	84	35	9	2021-01-25	2025-02-19	56412096+bm11100@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/persistence_via_hidden_run_key_valuename.toml	122	28	1618	112	33	9	2020-12-08	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/defense_evasion_root_dir_ads_creation.toml	91	5	366	112	7	4	2024-05-13	2025-01-22	26856693+w0rk3r@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/execution_suspicious_powershell_imgload.toml	103	34	1608	231	43	13	2020-12-18	2024-09-25	brokensound77@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/defense_evasion_posh_encryption.toml	95	11	841	198	13	5	2023-01-24	2024-10-28	26856693+w0rk3r@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/windows/credential_access_mimikatz_memssp_default_logs.toml	83	41	1695	211	47	12	2020-09-22	2024-10-15	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml	128	21	968	84	25	7	2022-09-19	2025-02-19	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/privilege_escalation_make_token_local.toml	92	9	526	84	11	6	2023-12-05	2025-02-19	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml	99	29	1618	112	34	9	2020-12-08	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml	122	26	1148	84	30	9	2022-03-23	2025-02-19	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/collection_email_powershell_exchange_mailbox.toml	122	43	1611	84	49	11	2020-12-15	2025-02-19	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/lateral_movement_powershell_remoting_target.toml	107	25	1618	112	27	10	2020-12-08	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/defense_evasion_masquerading_trusted_directory.toml	116	34	1618	84	39	10	2020-12-08	2025-02-19	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml	109	28	1611	112	33	10	2020-12-15	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml	143	43	1779	84	51	13	2020-06-30	2025-02-19	31489089+rw-access@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml	143	38	1638	100	47	9	2020-11-18	2025-02-03	64742097+samirbous@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/windows/persistence_webshell_detection.toml	155	32	1359	84	35	11	2021-08-24	2025-02-19	57736958+dstepanic17@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml	129	33	1618	84	38	10	2020-12-08	2025-02-19	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/defense_evasion_dns_over_https_enabled.toml	87	22	1306	112	24	9	2021-10-16	2025-01-22	a.songer@protonmail.com	mikaayenson@users.noreply.github.com
rules/windows/defense_evasion_dotnet_compiler_parent_process.toml	107	38	1667	84	43	12	2020-10-20	2025-02-19	brokensound77@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml	157	3	393	112	5	4	2024-04-16	2025-01-22	26856693+w0rk3r@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/credential_access_dcsync_newterm_subjectuser.toml	123	19	832	84	21	5	2023-02-02	2025-02-19	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml	271	2	119	112	2	2	2025-01-15	2025-01-22	26856693+w0rk3r@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/persistence_service_dll_unsigned.toml	189	11	840	112	13	6	2023-01-25	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/persistence_runtime_run_key_startup_susp_procs.toml	92	21	1618	112	23	9	2020-12-08	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/initial_access_rdp_file_mail_attachment.toml	100	3	184	84	3	3	2024-11-11	2025-02-19	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/persistence_user_account_creation_event_logs.toml	78	21	1554	84	21	9	2021-02-10	2025-02-19	36789353+skoetting@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/persistence_local_scheduled_job_creation.toml	81	23	1491	112	24	9	2021-04-14	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml	125	38	1779	100	43	12	2020-06-30	2025-02-03	31489089+rw-access@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/windows/persistence_local_scheduled_task_creation.toml	94	20	1497	96	22	10	2021-04-08	2025-02-07	56412096+bm11100@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/credential_access_moving_registry_hive_via_smb.toml	96	20	1169	278	24	8	2022-03-02	2024-08-09	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml	100	45	1779	84	52	13	2020-06-30	2025-02-19	31489089+rw-access@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/initial_access_suspicious_ms_exchange_files.toml	92	24	1532	112	26	8	2021-03-04	2025-01-22	7442091+peasead@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/privilege_escalation_gpo_schtask_service_creation.toml	100	11	577	112	14	5	2023-10-15	2025-01-22	26856693+w0rk3r@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/defense_evasion_ms_office_suspicious_regmod.toml	120	23	1203	211	28	9	2022-01-27	2024-10-15	jonhnathancesar@gmail.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/execution_mofcomp.toml	102	7	393	84	9	4	2024-04-16	2025-02-19	26856693+w0rk3r@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/defense_evasion_unusual_process_network_connection.toml	93	22	1608	211	26	7	2020-12-18	2024-10-15	brokensound77@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/privilege_escalation_lsa_auth_package.toml	94	17	1554	112	19	9	2021-02-10	2025-01-22	56412096+bm11100@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/collection_email_outlook_mailbox_via_com.toml	102	13	840	86	15	7	2023-01-25	2025-02-17	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/credential_access_credential_dumping_msbuild.toml	143	43	1779	100	54	12	2020-06-30	2025-02-03	31489089+rw-access@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/windows/persistence_netsh_helper_dll.toml	92	5	393	112	7	4	2024-04-16	2025-01-22	26856693+w0rk3r@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/credential_access_suspicious_lsass_access_memdump.toml	106	23	1274	112	25	9	2021-11-17	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/defense_evasion_suspicious_certutil_commands.toml	133	22	1393	84	25	11	2021-07-21	2025-02-19	austin@songer.pro	26856693+w0rk3r@users.noreply.github.com
rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml	126	29	1153	84	33	8	2022-03-18	2025-02-19	99630311+terrancedejesus@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/privilege_escalation_driver_newterm_imphash.toml	127	5	577	100	7	3	2023-10-15	2025-02-03	26856693+w0rk3r@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml	99	29	1624	112	34	8	2020-12-02	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/command_and_control_encrypted_channel_freesslcert.toml	88	22	1618	112	27	8	2020-12-08	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/credential_access_dnsnode_creation.toml	99	8	413	84	10	4	2024-03-27	2025-02-19	26856693+w0rk3r@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/defense_evasion_installutil_beacon.toml	82	31	1667	112	34	11	2020-10-20	2025-01-22	brokensound77@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml	88	21	1622	112	23	9	2020-12-04	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/credential_access_mod_wdigest_security_provider.toml	103	33	1570	211	38	10	2021-01-25	2024-10-15	56412096+bm11100@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/persistence_via_lsa_security_support_provider_registry.toml	98	30	1618	112	35	9	2020-12-08	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/credential_access_persistence_network_logon_provider_modification.toml	147	24	1491	100	26	9	2021-04-14	2025-02-03	64742097+samirbous@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/windows/persistence_msi_installer_task_startup.toml	103	2	240	112	2	2	2024-09-16	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/command_and_control_common_webservices.toml	307	46	1638	100	55	10	2020-11-18	2025-02-03	64742097+samirbous@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/windows/initial_access_suspicious_ms_exchange_process.toml	129	27	1532	84	29	10	2021-03-04	2025-02-19	7442091+peasead@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/command_and_control_iexplore_via_com.toml	100	21	1626	112	23	10	2020-11-30	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/execution_via_hidden_shell_conhost.toml	117	40	1695	211	48	12	2020-09-22	2024-10-15	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/defense_evasion_wdac_policy_by_unusual_process.toml	74	1	71	71	1	1	2025-03-04	2025-03-04	64742097+samirbous@users.noreply.github.com	64742097+samirbous@users.noreply.github.com
rules/windows/execution_initial_access_wps_dll_exploit.toml	96	3	241	112	3	3	2024-09-15	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/defense_evasion_untrusted_driver_loaded.toml	113	13	838	100	15	5	2023-01-27	2025-02-03	64742097+samirbous@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/windows/command_and_control_dns_tunneling_nslookup.toml	92	30	1619	84	34	9	2020-12-07	2025-02-19	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/defense_evasion_execution_msbuild_started_by_script.toml	108	43	1779	84	50	14	2020-06-30	2025-02-19	31489089+rw-access@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/defense_evasion_file_creation_mult_extension.toml	95	30	1570	112	32	11	2021-01-25	2025-01-22	56412096+bm11100@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/persistence_suspicious_com_hijack_registry.toml	161	36	1618	281	45	11	2020-12-08	2024-08-06	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml	102	27	1608	211	31	8	2020-12-18	2024-10-15	brokensound77@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/execution_posh_psreflect.toml	155	28	1210	100	32	8	2022-01-20	2025-02-03	jonhnathancesar@gmail.com	91139415+shashank-elastic@users.noreply.github.com
rules/windows/privilege_escalation_wpad_exploitation.toml	72	18	1608	112	18	8	2020-12-18	2025-01-22	brokensound77@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/lateral_movement_execution_via_file_shares_sequence.toml	162	37	1624	98	42	9	2020-12-02	2025-02-05	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml	93	35	1624	84	42	10	2020-12-02	2025-02-19	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml	103	27	1344	84	29	11	2021-09-08	2025-02-19	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml	94	24	1407	84	26	11	2021-07-07	2025-02-19	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/lateral_movement_dcom_hta.toml	102	23	1622	112	25	9	2020-12-04	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/persistence_adobe_hijack_persistence.toml	114	52	1779	100	62	12	2020-06-30	2025-02-03	31489089+rw-access@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/windows/discovery_admin_recon.toml	112	36	1618	84	45	11	2020-12-08	2025-02-19	brokensound77@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/privilege_escalation_group_policy_scheduled_task.toml	137	26	1210	84	31	8	2022-01-20	2025-02-19	jonhnathancesar@gmail.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/persistence_time_provider_mod.toml	143	30	1570	100	32	9	2021-01-25	2025-02-03	56412096+bm11100@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/windows/defense_evasion_posh_process_injection.toml	128	27	1274	198	31	8	2021-11-17	2024-10-28	jonhnathancesar@gmail.com	91139415+shashank-elastic@users.noreply.github.com
rules/windows/discovery_active_directory_webservice.toml	80	4	467	112	6	5	2024-02-02	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml	146	27	1276	100	33	9	2021-11-15	2025-02-03	64742097+samirbous@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/windows/command_and_control_remote_file_copy_scripts.toml	128	30	1618	100	36	9	2020-12-08	2025-02-03	64742097+samirbous@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/windows/credential_access_wireless_creds_dumping.toml	130	17	925	84	19	7	2022-11-01	2025-02-19	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/defense_evasion_script_via_html_app.toml	119	5	241	84	5	4	2024-09-15	2025-02-19	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/collection_posh_audio_capture.toml	111	28	1275	198	33	8	2021-11-16	2024-10-28	jonhnathancesar@gmail.com	91139415+shashank-elastic@users.noreply.github.com
rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml	69	6	581	112	8	4	2023-10-11	2025-01-22	78494512+aegrah@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml	89	21	1618	112	23	10	2020-12-08	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml	112	41	1695	84	46	13	2020-09-22	2025-02-19	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml	111	15	624	84	17	4	2023-08-29	2025-02-19	26856693+w0rk3r@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/persistence_powershell_profiles.toml	140	15	800	100	17	4	2023-03-06	2025-02-03	26856693+w0rk3r@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/windows/defense_evasion_lolbas_win_cdb_utility.toml	92	6	240	84	6	3	2024-09-16	2025-02-19	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/persistence_temp_scheduled_task.toml	91	14	880	84	16	6	2022-12-16	2025-02-19	99630311+terrancedejesus@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/persistence_werfault_reflectdebugger.toml	89	5	393	112	7	4	2024-04-16	2025-01-22	26856693+w0rk3r@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/credential_access_mimikatz_powershell_module.toml	109	31	1617	112	37	11	2020-12-09	2025-01-22	7442091+peasead@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml	110	29	1623	112	34	8	2020-12-03	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/impact_high_freq_file_renames_by_kernel.toml	102	5	372	198	7	4	2024-05-07	2024-10-28	64742097+samirbous@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/windows/credential_access_shadow_credentials.toml	102	22	1195	84	24	9	2022-02-04	2025-02-19	jonhnathancesar@gmail.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/defense_evasion_right_to_left_override.toml	104	2	113	112	2	2	2025-01-21	2025-01-22	26856693+w0rk3r@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/defense_evasion_clearing_windows_console_history.toml	115	28	1266	84	32	10	2021-11-25	2025-02-19	austin@songer.pro	26856693+w0rk3r@users.noreply.github.com
rules/windows/credential_access_posh_veeam_sql.toml	112	4	419	112	6	4	2024-03-21	2025-01-22	26856693+w0rk3r@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml	130	42	1695	84	47	12	2020-09-22	2025-02-19	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/execution_com_object_xwizard.toml	106	28	1567	84	30	9	2021-01-28	2025-02-19	56412096+bm11100@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/lateral_movement_evasion_rdp_shadowing.toml	105	21	1491	112	23	8	2021-04-14	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/credential_access_veeam_backup_dll_imageload.toml	92	4	419	112	6	4	2024-03-21	2025-01-22	26856693+w0rk3r@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/credential_access_lsass_handle_via_malseclogon.toml	87	15	1029	112	17	8	2022-07-20	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/credential_access_wbadmin_ntds.toml	108	7	328	84	7	2	2024-06-20	2025-02-19	26856693+w0rk3r@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/privilege_escalation_exploit_cve_202238028.toml	90	7	380	112	9	5	2024-04-29	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml	117	29	1329	84	34	8	2021-09-23	2025-02-19	jonhnathancesar@gmail.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml	135	37	1688	112	42	12	2020-09-29	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/privilege_escalation_unusual_parentchild_relationship.toml	158	55	1779	84	66	14	2020-06-30	2025-02-19	31489089+rw-access@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/privilege_escalation_expired_driver_loaded.toml	87	6	569	112	8	4	2023-10-23	2025-01-22	26856693+w0rk3r@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/persistence_evasion_hidden_local_account_creation.toml	80	35	1569	211	39	10	2021-01-26	2024-10-15	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/command_and_control_certreq_postdata.toml	148	19	838	84	21	7	2023-01-27	2025-02-19	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/execution_posh_portable_executable.toml	146	28	1304	100	35	8	2021-10-18	2025-02-03	jonhnathancesar@gmail.com	91139415+shashank-elastic@users.noreply.github.com
rules/windows/privilege_escalation_reg_service_imagepath_mod.toml	150	4	328	112	4	2	2024-06-20	2025-01-22	26856693+w0rk3r@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/windows/credential_access_dcsync_user_backdoor.toml	97	7	287	84	7	4	2024-07-31	2025-02-19	26856693+w0rk3r@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/privilege_escalation_credroaming_ldap.toml	95	18	911	84	20	7	2022-11-15	2025-02-19	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/windows/defense_evasion_masquerading_werfault.toml	125	33	1695	100	35	12	2020-09-22	2025-02-03	64742097+samirbous@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/apm/apm_sqlmap_user_agent.toml	58	15	1779	112	19	9	2020-06-30	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/apm/apm_405_response_method_not_allowed.toml	57	17	1779	112	21	9	2020-06-30	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/apm/apm_403_response_to_a_post.toml	57	17	1779	112	21	9	2020-06-30	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/_deprecated/initial_access_login_failures.toml	44	1	1023	1023	1	1	2022-07-26	2022-07-26	91139415+shashank-elastic@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/_deprecated/defense_evasion_execution_via_trusted_developer_utilities.toml	39	1	1490	1490	1	1	2021-04-15	2021-04-15	64742097+samirbous@users.noreply.github.com	64742097+samirbous@users.noreply.github.com
rules/_deprecated/privilege_escalation_printspooler_malicious_registry_modification.toml	43	1	1154	1154	1	1	2022-03-17	2022-03-17	jonhnathancesar@gmail.com	jonhnathancesar@gmail.com
rules/_deprecated/execution_command_shell_started_by_powershell.toml	37	1	1484	1484	1	1	2021-04-21	2021-04-21	56412096+bm11100@users.noreply.github.com	56412096+bm11100@users.noreply.github.com
rules/_deprecated/command_and_control_connection_attempt_by_non_ssh_root_session.toml	75	2	650	642	2	2	2023-08-03	2023-08-11	78494512+aegrah@users.noreply.github.com	mika.ayenson@elastic.co
rules/_deprecated/credential_access_collection_sensitive_files_compression_inside_a_container.toml	121	1	61	61	1	1	2025-03-14	2025-03-14	91139415+shashank-elastic@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/_deprecated/linux_nmap_activity.toml	34	1	1484	1484	1	1	2021-04-21	2021-04-21	56412096+bm11100@users.noreply.github.com	56412096+bm11100@users.noreply.github.com
rules/_deprecated/threat_intel_fleet_integrations.toml	153	2	666	664	2	2	2023-07-18	2023-07-20	26856693+w0rk3r@users.noreply.github.com	mika.ayenson@elastic.co
rules/_deprecated/defense_evasion_code_injection_conhost.toml	86	2	1002	856	3	3	2022-08-16	2023-01-09	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/_deprecated/execution_crash_binary.toml	42	1	1085	1085	1	1	2022-05-25	2022-05-25	91139415+shashank-elastic@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/_deprecated/defense_evasion_ld_preload_env_variable_process_injection.toml	117	2	569	555	2	2	2023-10-23	2023-11-06	78494512+aegrah@users.noreply.github.com	mika.ayenson@elastic.co
rules/_deprecated/privilege_escalation_potential_container_escape_via_modified_release_agent_file.toml	80	1	61	61	1	1	2025-03-14	2025-03-14	91139415+shashank-elastic@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/_deprecated/command_and_control_linux_iodine_activity.toml	53	2	569	555	2	2	2023-10-23	2023-11-06	78494512+aegrah@users.noreply.github.com	mika.ayenson@elastic.co
rules/_deprecated/discovery_query_registry_via_reg.toml	37	1	1484	1484	1	1	2021-04-21	2021-04-21	56412096+bm11100@users.noreply.github.com	56412096+bm11100@users.noreply.github.com
rules/_deprecated/linux_mknod_activity.toml	34	1	1484	1484	1	1	2021-04-21	2021-04-21	56412096+bm11100@users.noreply.github.com	56412096+bm11100@users.noreply.github.com
rules/_deprecated/execution_interactive_shell_spawned_from_inside_a_container.toml	89	1	61	61	1	1	2025-03-14	2025-03-14	91139415+shashank-elastic@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/_deprecated/initial_access_cross_site_scripting.toml	42	1	71	71	1	1	2025-03-04	2025-03-04	91139415+shashank-elastic@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/_deprecated/command_and_control_linux_port_knocking_reverse_connection.toml	100	1	433	433	1	1	2024-03-07	2024-03-07	78494512+aegrah@users.noreply.github.com	78494512+aegrah@users.noreply.github.com
rules/_deprecated/command_and_control_ssh_secure_shell_from_the_internet.toml	79	2	1484	1385	2	2	2021-04-21	2021-07-29	56412096+bm11100@users.noreply.github.com	brokensound77@users.noreply.github.com
rules/_deprecated/privilege_escalation_setgid_bit_set_via_chmod.toml	48	1	1519	1519	1	1	2021-03-17	2021-03-17	brokensound77@users.noreply.github.com	brokensound77@users.noreply.github.com
rules/_deprecated/command_and_control_sql_server_port_activity_to_the_internet.toml	56	1	1484	1484	1	1	2021-04-21	2021-04-21	56412096+bm11100@users.noreply.github.com	56412096+bm11100@users.noreply.github.com
rules/_deprecated/execution_linux_process_started_in_temp_directory.toml	42	1	1023	1023	1	1	2022-07-26	2022-07-26	91139415+shashank-elastic@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/_deprecated/container_workload_protection.toml	61	1	61	61	1	1	2025-03-14	2025-03-14	91139415+shashank-elastic@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/_deprecated/execution_busybox_binary.toml	42	1	1085	1085	1	1	2022-05-25	2022-05-25	91139415+shashank-elastic@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/_deprecated/execution_find_binary.toml	44	1	1085	1085	1	1	2022-05-25	2022-05-25	91139415+shashank-elastic@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/_deprecated/privilege_escalation_linux_strace_activity.toml	43	1	1020	1020	1	1	2022-07-29	2022-07-29	91139415+shashank-elastic@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/_deprecated/command_and_control_irc_internet_relay_chat_protocol_activity_to_the_internet.toml	68	1	1484	1484	1	1	2021-04-21	2021-04-21	56412096+bm11100@users.noreply.github.com	56412096+bm11100@users.noreply.github.com
rules/_deprecated/lateral_movement_ssh_process_launched_inside_a_container.toml	101	1	61	61	1	1	2025-03-14	2025-03-14	91139415+shashank-elastic@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/_deprecated/execution_container_management_binary_launched_inside_a_container.toml	82	1	61	61	1	1	2025-03-14	2025-03-14	91139415+shashank-elastic@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/_deprecated/execution_suspicious_jar_child_process.toml	96	1	117	117	1	1	2025-01-17	2025-01-17	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
rules/_deprecated/defense_evasion_ld_preload_shared_object_modified_inside_a_container.toml	77	1	61	61	1	1	2025-03-14	2025-03-14	91139415+shashank-elastic@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/_deprecated/credential_access_tcpdump_activity.toml	52	1	1484	1484	1	1	2021-04-21	2021-04-21	56412096+bm11100@users.noreply.github.com	56412096+bm11100@users.noreply.github.com
rules/_deprecated/execution_reverse_shell_via_named_pipe.toml	66	2	678	664	2	2	2023-07-06	2023-07-20	78494512+aegrah@users.noreply.github.com	mika.ayenson@elastic.co
rules/_deprecated/privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.toml	44	1	917	917	1	1	2022-11-09	2022-11-09	59296946+imays11@users.noreply.github.com	59296946+imays11@users.noreply.github.com
rules/_deprecated/initial_access_login_location.toml	44	1	1023	1023	1	1	2022-07-26	2022-07-26	91139415+shashank-elastic@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/_deprecated/impact_potential_linux_ransomware_file_encryption.toml	76	1	299	299	1	1	2024-07-19	2024-07-19	78494512+aegrah@users.noreply.github.com	78494512+aegrah@users.noreply.github.com
rules/_deprecated/lateral_movement_remote_file_creation_in_sensitive_directory.toml	53	1	408	408	1	1	2024-04-01	2024-04-01	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
rules/_deprecated/persistence_shell_activity_by_web_server.toml	84	1	740	740	1	1	2023-05-05	2023-05-05	78494512+aegrah@users.noreply.github.com	78494512+aegrah@users.noreply.github.com
rules/_deprecated/exfiltration_rds_snapshot_export.toml	40	1	1296	1296	1	1	2021-10-26	2021-10-26	brokensound77@users.noreply.github.com	brokensound77@users.noreply.github.com
rules/_deprecated/execution_expect_binary.toml	44	1	1085	1085	1	1	2022-05-25	2022-05-25	91139415+shashank-elastic@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/_deprecated/initial_access_rdp_remote_desktop_protocol_to_the_internet.toml	72	2	1484	1385	2	2	2021-04-21	2021-07-29	56412096+bm11100@users.noreply.github.com	brokensound77@users.noreply.github.com
rules/_deprecated/command_and_control_ssh_secure_shell_to_the_internet.toml	58	2	1484	1385	2	2	2021-04-21	2021-07-29	56412096+bm11100@users.noreply.github.com	brokensound77@users.noreply.github.com
rules/_deprecated/defense_evasion_whitespace_padding_in_command_line.toml	85	3	1016	856	4	4	2022-08-02	2023-01-09	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/_deprecated/execution_shell_suspicious_parent_child_revshell_linux.toml	97	2	513	498	2	2	2023-12-18	2024-01-02	78494512+aegrah@users.noreply.github.com	mika.ayenson@elastic.co
rules/_deprecated/lateral_movement_malicious_remote_file_creation.toml	39	2	511	498	2	2	2023-12-20	2024-01-02	99630311+terrancedejesus@users.noreply.github.com	mika.ayenson@elastic.co
rules/_deprecated/threat_intel_filebeat8x.toml	153	2	666	664	2	2	2023-07-18	2023-07-20	26856693+w0rk3r@users.noreply.github.com	mika.ayenson@elastic.co
rules/_deprecated/discovery_whoami_commmand.toml	41	1	1484	1484	1	1	2021-04-21	2021-04-21	56412096+bm11100@users.noreply.github.com	56412096+bm11100@users.noreply.github.com
rules/_deprecated/initial_access_ssh_connection_established_inside_a_container.toml	103	1	61	61	1	1	2025-03-14	2025-03-14	91139415+shashank-elastic@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/_deprecated/execution_env_binary.toml	42	1	1085	1085	1	1	2022-05-25	2022-05-25	91139415+shashank-elastic@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/_deprecated/command_and_control_tor_activity_to_the_internet.toml	60	1	1484	1484	1	1	2021-04-21	2021-04-21	56412096+bm11100@users.noreply.github.com	56412096+bm11100@users.noreply.github.com
rules/_deprecated/privilege_escalation_debugfs_launched_inside_a_privileged_container.toml	81	1	61	61	1	1	2025-03-14	2025-03-14	91139415+shashank-elastic@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/_deprecated/defense_evasion_potential_processherpaderping.toml	52	2	512	498	2	2	2023-12-19	2024-01-02	64742097+samirbous@users.noreply.github.com	mika.ayenson@elastic.co
rules/_deprecated/execution_c89_c99_binary.toml	44	1	1085	1085	1	1	2022-05-25	2022-05-25	91139415+shashank-elastic@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/_deprecated/execution_via_net_com_assemblies.toml	46	1	1517	1517	1	1	2021-03-19	2021-03-19	64742097+samirbous@users.noreply.github.com	64742097+samirbous@users.noreply.github.com
rules/_deprecated/privilege_escalation_krbrelayup_suspicious_logon.toml	62	1	1017	1017	1	1	2022-08-01	2022-08-01	64742097+samirbous@users.noreply.github.com	64742097+samirbous@users.noreply.github.com
rules/_deprecated/execution_netcat_listener_established_inside_a_container.toml	95	1	61	61	1	1	2025-03-14	2025-03-14	91139415+shashank-elastic@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/_deprecated/command_and_control_ftp_file_transfer_protocol_activity_to_the_internet.toml	69	1	1484	1484	1	1	2021-04-21	2021-04-21	56412096+bm11100@users.noreply.github.com	56412096+bm11100@users.noreply.github.com
rules/_deprecated/defense_evasion_hex_encoding_or_decoding_activity.toml	42	1	1484	1484	1	1	2021-04-21	2021-04-21	56412096+bm11100@users.noreply.github.com	56412096+bm11100@users.noreply.github.com
rules/_deprecated/apm_null_user_agent.toml	43	1	968	968	1	1	2022-09-19	2022-09-19	jonhnathancesar@gmail.com	jonhnathancesar@gmail.com
rules/_deprecated/execution_file_made_executable_via_chmod_inside_a_container.toml	91	1	61	61	1	1	2025-03-14	2025-03-14	91139415+shashank-elastic@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/_deprecated/initial_access_login_sessions.toml	44	1	1023	1023	1	1	2022-07-26	2022-07-26	91139415+shashank-elastic@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/_deprecated/initial_access_login_time.toml	44	1	1023	1023	1	1	2022-07-26	2022-07-26	91139415+shashank-elastic@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/_deprecated/persistence_google_workspace_user_group_access_modified_to_allow_external_access.toml	75	1	804	804	1	1	2023-03-02	2023-03-02	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
rules/_deprecated/persistence_ssh_authorized_keys_modification_inside_a_container.toml	102	1	61	61	1	1	2025-03-14	2025-03-14	91139415+shashank-elastic@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/_deprecated/credential_access_aws_creds_search_inside_a_container.toml	81	1	61	61	1	1	2025-03-14	2025-03-14	91139415+shashank-elastic@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/_deprecated/execution_interactive_exec_to_container.toml	104	1	61	61	1	1	2025-03-14	2025-03-14	91139415+shashank-elastic@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/_deprecated/privilege_escalation_potential_container_escape_via_modified_notify_on_release_file.toml	81	1	61	61	1	1	2025-03-14	2025-03-14	91139415+shashank-elastic@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/_deprecated/command_and_control_pptp_point_to_point_tunneling_protocol_activity.toml	40	1	1484	1484	1	1	2021-04-21	2021-04-21	56412096+bm11100@users.noreply.github.com	56412096+bm11100@users.noreply.github.com
rules/_deprecated/linux_socat_activity.toml	33	1	1484	1484	1	1	2021-04-21	2021-04-21	56412096+bm11100@users.noreply.github.com	56412096+bm11100@users.noreply.github.com
rules/_deprecated/command_and_control_port_8000_activity_to_the_internet.toml	57	1	1484	1484	1	1	2021-04-21	2021-04-21	56412096+bm11100@users.noreply.github.com	56412096+bm11100@users.noreply.github.com
rules/_deprecated/execution_awk_binary_shell.toml	43	1	1085	1085	1	1	2022-05-25	2022-05-25	91139415+shashank-elastic@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/_deprecated/execution_gcc_binary.toml	44	1	1085	1085	1	1	2022-05-25	2022-05-25	91139415+shashank-elastic@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/_deprecated/credential_access_potential_linux_ssh_bruteforce_root.toml	83	2	674	664	2	2	2023-07-10	2023-07-20	91139415+shashank-elastic@users.noreply.github.com	mika.ayenson@elastic.co
rules/_deprecated/execution_vi_binary.toml	42	1	1085	1085	1	1	2022-05-25	2022-05-25	91139415+shashank-elastic@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/_deprecated/defense_evasion_attempt_to_disable_iptables_or_firewall.toml	44	1	1023	1023	1	1	2022-07-26	2022-07-26	91139415+shashank-elastic@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/_deprecated/execution_ssh_binary.toml	45	1	1085	1085	1	1	2022-05-25	2022-05-25	91139415+shashank-elastic@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/_deprecated/privilege_escalation_printspooler_malicious_driver_file_changes.toml	43	1	1154	1154	1	1	2022-03-17	2022-03-17	jonhnathancesar@gmail.com	jonhnathancesar@gmail.com
rules/_deprecated/execution_mysql_binary.toml	44	1	1085	1085	1	1	2022-05-25	2022-05-25	91139415+shashank-elastic@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/_deprecated/credential_access_sensitive_keys_or_passwords_search_inside_a_container.toml	90	1	61	61	1	1	2025-03-14	2025-03-14	91139415+shashank-elastic@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/_deprecated/credential_access_microsoft_365_potential_password_spraying_attack.toml	53	1	117	117	1	1	2025-01-17	2025-01-17	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
rules/_deprecated/discovery_file_dir_discovery.toml	79	2	1016	856	3	3	2022-08-02	2023-01-09	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/_deprecated/command_and_control_dns_directly_to_the_internet.toml	80	1	1015	1015	1	1	2022-08-03	2022-08-03	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
rules/_deprecated/discovery_suspicious_network_tool_launched_inside_a_container.toml	107	1	61	61	1	1	2025-03-14	2025-03-14	91139415+shashank-elastic@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/_deprecated/privilege_escalation_mount_launched_inside_a_privileged_container.toml	80	1	61	61	1	1	2025-03-14	2025-03-14	91139415+shashank-elastic@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/_deprecated/defense_evasion_base64_encoding_or_decoding_activity.toml	43	1	1484	1484	1	1	2021-04-21	2021-04-21	56412096+bm11100@users.noreply.github.com	56412096+bm11100@users.noreply.github.com
rules/_deprecated/command_and_control_proxy_port_activity_to_the_internet.toml	60	1	1484	1484	1	1	2021-04-21	2021-04-21	56412096+bm11100@users.noreply.github.com	56412096+bm11100@users.noreply.github.com
rules/_deprecated/threat_intel_filebeat7x.toml	158	2	1204	856	3	3	2022-01-26	2023-01-09	brokensound77@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/_deprecated/persistence_cron_jobs_creation_and_runtime.toml	50	1	1484	1484	1	1	2021-04-21	2021-04-21	56412096+bm11100@users.noreply.github.com	56412096+bm11100@users.noreply.github.com
rules/_deprecated/execution_apt_binary.toml	45	1	1085	1085	1	1	2022-05-25	2022-05-25	91139415+shashank-elastic@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/_deprecated/defense_evasion_mshta_making_network_connections.toml	42	1	1302	1302	1	1	2021-10-20	2021-10-20	brokensound77@users.noreply.github.com	brokensound77@users.noreply.github.com
rules/_deprecated/execution_flock_binary.toml	42	1	1085	1085	1	1	2022-05-25	2022-05-25	91139415+shashank-elastic@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/_deprecated/command_and_control_smtp_to_the_internet.toml	65	1	1484	1484	1	1	2021-04-21	2021-04-21	56412096+bm11100@users.noreply.github.com	56412096+bm11100@users.noreply.github.com
rules/_deprecated/persistence_kernel_module_activity.toml	45	1	1484	1484	1	1	2021-04-21	2021-04-21	56412096+bm11100@users.noreply.github.com	56412096+bm11100@users.noreply.github.com
rules/_deprecated/discovery_process_discovery_via_tasklist_command.toml	39	1	1490	1490	1	1	2021-04-15	2021-04-15	64742097+samirbous@users.noreply.github.com	64742097+samirbous@users.noreply.github.com
rules/_deprecated/execution_cpulimit_binary.toml	45	1	1085	1085	1	1	2022-05-25	2022-05-25	91139415+shashank-elastic@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml	135	10	1027	329	12	8	2022-07-22	2024-06-19	99630311+terrancedejesus@users.noreply.github.com	109447885+sodhikirti07@users.noreply.github.com
rules/ml/discovery_ml_linux_system_network_connection_discovery.toml	115	9	1027	112	11	8	2022-07-22	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml	122	9	1027	112	11	8	2022-07-22	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/ml/credential_access_ml_auth_spike_in_failed_logon_events.toml	123	9	1027	329	11	7	2022-07-22	2024-06-19	99630311+terrancedejesus@users.noreply.github.com	109447885+sodhikirti07@users.noreply.github.com
rules/ml/persistence_ml_linux_anomalous_process_all_hosts.toml	121	9	1027	329	11	7	2022-07-22	2024-06-19	99630311+terrancedejesus@users.noreply.github.com	109447885+sodhikirti07@users.noreply.github.com
rules/ml/ml_packetbeat_rare_server_domain.toml	100	17	1779	112	19	11	2020-06-30	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/ml/discovery_ml_linux_system_process_discovery.toml	115	9	1027	112	11	8	2022-07-22	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/ml/ml_low_count_events_for_a_host_name.toml	77	1	69	69	1	1	2025-03-06	2025-03-06	109447885+sodhikirti07@users.noreply.github.com	109447885+sodhikirti07@users.noreply.github.com
rules/ml/ml_high_count_events_for_a_host_name.toml	78	1	69	69	1	1	2025-03-06	2025-03-06	109447885+sodhikirti07@users.noreply.github.com	109447885+sodhikirti07@users.noreply.github.com
rules/ml/credential_access_ml_suspicious_login_activity.toml	122	9	1027	112	11	8	2022-07-22	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml	171	16	1027	100	18	9	2022-07-22	2025-02-03	99630311+terrancedejesus@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml	115	10	1027	112	12	8	2022-07-22	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/ml/initial_access_ml_auth_rare_user_logon.toml	125	10	1027	329	12	8	2022-07-22	2024-06-19	99630311+terrancedejesus@users.noreply.github.com	109447885+sodhikirti07@users.noreply.github.com
rules/ml/persistence_ml_windows_anomalous_process_creation.toml	159	14	1027	100	16	8	2022-07-22	2025-02-03	99630311+terrancedejesus@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml	113	10	1027	112	12	8	2022-07-22	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/ml/credential_access_ml_linux_anomalous_metadata_process.toml	117	9	1027	112	11	8	2022-07-22	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/ml/ml_high_count_network_denies.toml	94	11	1497	112	13	8	2021-04-08	2025-01-22	30438249+ajosh0504@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/ml/discovery_ml_linux_system_information_discovery.toml	115	9	1027	112	11	8	2022-07-22	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/ml/initial_access_ml_windows_anomalous_user_name.toml	106	11	1027	112	13	9	2022-07-22	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/ml/ml_high_count_network_events.toml	94	12	1497	112	14	9	2021-04-08	2025-01-22	30438249+ajosh0504@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/ml/initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml	110	9	1027	329	11	7	2022-07-22	2024-06-19	99630311+terrancedejesus@users.noreply.github.com	109447885+sodhikirti07@users.noreply.github.com
rules/ml/command_and_control_ml_packetbeat_rare_user_agent.toml	117	9	1027	112	11	8	2022-07-22	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/ml/credential_access_ml_auth_spike_in_logon_events.toml	125	9	1027	112	11	8	2022-07-22	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/ml/ml_linux_anomalous_network_activity.toml	82	21	1779	112	23	13	2020-06-30	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/ml/command_and_control_ml_packetbeat_rare_dns_question.toml	116	9	1027	112	11	8	2022-07-22	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/ml/execution_ml_windows_anomalous_script.toml	118	11	1027	112	13	8	2022-07-22	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/ml/persistence_ml_windows_anomalous_service.toml	116	10	1027	112	12	8	2022-07-22	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/ml/command_and_control_ml_packetbeat_rare_urls.toml	120	9	1027	112	11	8	2022-07-22	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml	123	9	1027	112	11	8	2022-07-22	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/ml/persistence_ml_rare_process_by_host_linux.toml	121	11	1027	112	13	8	2022-07-22	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/ml/credential_access_ml_linux_anomalous_metadata_user.toml	118	9	1027	112	11	8	2022-07-22	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/ml/ml_rare_destination_country.toml	98	11	1497	112	13	8	2021-04-08	2025-01-22	30438249+ajosh0504@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/ml/persistence_ml_windows_anomalous_path_activity.toml	133	11	1027	112	13	8	2022-07-22	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/ml/initial_access_ml_linux_anomalous_user_name.toml	100	9	1027	112	11	8	2022-07-22	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/ml/ml_spike_in_traffic_to_a_country.toml	98	12	1497	112	14	8	2021-04-08	2025-01-22	30438249+ajosh0504@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml	108	9	1027	112	11	8	2022-07-22	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/ml/persistence_ml_rare_process_by_host_windows.toml	160	16	1027	100	18	9	2022-07-22	2025-02-03	99630311+terrancedejesus@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml	91	10	1027	112	12	8	2022-07-22	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/ml/discovery_ml_linux_system_user_discovery.toml	114	10	1027	112	12	8	2022-07-22	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/ml/discovery_ml_linux_system_network_configuration_discovery.toml	115	10	1027	112	12	8	2022-07-22	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml	108	10	1027	112	12	8	2022-07-22	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml	118	9	1027	112	11	8	2022-07-22	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/ml/ml_windows_anomalous_network_activity.toml	82	23	1779	112	25	13	2020-06-30	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/ml/ml_linux_anomalous_network_port_activity.toml	100	19	1779	112	21	12	2020-06-30	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/macos/persistence_emond_rules_file_creation.toml	96	22	1566	98	24	8	2021-01-29	2025-02-05	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/macos/persistence_creation_modif_launch_deamon_sequence.toml	94	18	1618	98	20	10	2020-12-08	2025-02-05	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/macos/persistence_via_atom_init_file_modification.toml	93	17	1555	112	19	8	2021-02-09	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml	101	23	1556	98	25	8	2021-02-08	2025-02-05	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/macos/privilege_escalation_user_added_to_admin_group.toml	100	4	244	100	4	3	2024-09-12	2025-02-03	thijsxhaflaire31@hotmail.com	91139415+shashank-elastic@users.noreply.github.com
rules/macos/discovery_users_domain_built_in_commands.toml	120	26	1555	98	28	12	2021-02-09	2025-02-05	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml	158	21	1567	98	22	9	2021-01-28	2025-02-05	brokensound77@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/macos/persistence_finder_sync_plugin_pluginkit.toml	111	19	1556	98	19	9	2021-02-08	2025-02-05	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml	109	17	1556	112	19	9	2021-02-08	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/macos/credential_access_dumping_keychain_security.toml	94	21	1567	98	24	8	2021-01-28	2025-02-05	brokensound77@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/macos/lateral_movement_remote_ssh_login_enabled.toml	96	28	1695	112	33	11	2020-09-22	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/macos/defense_evasion_modify_environment_launchctl.toml	110	21	1569	112	21	10	2021-01-26	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/macos/persistence_creation_change_launch_agents_file.toml	99	17	1618	98	19	8	2020-12-08	2025-02-05	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/macos/persistence_emond_rules_process_execution.toml	122	19	1566	98	21	8	2021-01-29	2025-02-05	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml	108	22	1561	98	24	9	2021-02-03	2025-02-05	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml	94	19	1560	112	21	9	2021-02-04	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/macos/privilege_escalation_applescript_with_admin_privs.toml	104	22	1556	98	22	9	2021-02-08	2025-02-05	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/macos/persistence_screensaver_engine_unexpected_child_process.toml	79	20	1315	98	22	9	2021-10-07	2025-02-05	56409778+threat-punter@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/macos/credential_access_kerberosdump_kcc.toml	102	27	1687	112	31	12	2020-09-30	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/macos/persistence_account_creation_hide_at_logon.toml	94	16	1556	112	18	8	2021-02-08	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/macos/privilege_escalation_root_crontab_filemod.toml	97	17	1555	112	19	8	2021-02-09	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/macos/persistence_loginwindow_plist_modification.toml	78	21	1569	112	23	9	2021-01-26	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/macos/persistence_periodic_tasks_file_mdofiy.toml	98	16	1561	112	18	8	2021-02-03	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml	114	18	1618	96	20	9	2020-12-08	2025-02-07	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/macos/credential_access_high_volume_of_pbpaste.toml	99	4	244	100	4	3	2024-09-12	2025-02-03	thijsxhaflaire31@hotmail.com	91139415+shashank-elastic@users.noreply.github.com
rules/macos/persistence_login_logout_hooks_defaults.toml	101	22	1618	98	26	8	2020-12-08	2025-02-05	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/macos/execution_initial_access_suspicious_browser_childproc.toml	125	19	1556	98	21	9	2021-02-08	2025-02-05	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/macos/execution_installer_package_spawned_network_event.toml	123	15	1021	98	17	9	2022-07-28	2025-02-05	48036388+defsecsentinel@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/macos/defense_evasion_apple_softupdates_modification.toml	96	16	1561	112	18	8	2021-02-03	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/macos/persistence_credential_access_authorization_plugin_creation.toml	100	19	1556	112	21	9	2021-02-08	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/macos/credential_access_mitm_localhost_webproxy.toml	99	18	1566	112	20	9	2021-01-29	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/macos/lateral_movement_mounting_smb_share.toml	100	22	1555	98	24	8	2021-02-09	2025-02-05	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/macos/persistence_enable_root_account.toml	93	16	1556	112	18	8	2021-02-08	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml	112	23	1556	98	25	9	2021-02-08	2025-02-05	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/macos/credential_access_credentials_keychains.toml	129	23	1556	98	27	9	2021-02-08	2025-02-05	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml	94	17	1555	112	19	9	2021-02-09	2025-01-22	56409778+threat-punter@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/macos/credential_access_potential_macos_ssh_bruteforce.toml	93	12	961	112	14	6	2022-09-26	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/macos/privilege_escalation_explicit_creds_via_scripting.toml	115	17	1555	112	19	8	2021-02-09	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/macos/credential_access_dumping_hashes_bi_cmds.toml	93	16	1555	112	18	8	2021-02-09	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml	114	16	1556	112	18	8	2021-02-08	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml	104	28	1618	98	34	10	2020-12-08	2025-02-05	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/macos/defense_evasion_install_root_certificate.toml	98	18	1556	112	20	8	2021-02-08	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/macos/defense_evasion_safari_config_change.toml	104	16	1560	112	18	8	2021-02-04	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/macos/persistence_folder_action_scripts_runtime.toml	102	20	1618	98	22	11	2020-12-08	2025-02-05	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/macos/persistence_directory_services_plugins_modification.toml	91	18	1555	112	20	8	2021-02-09	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/macos/defense_evasion_unload_endpointsecurity_kext.toml	104	17	1556	112	19	8	2021-02-08	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/macos/execution_shell_execution_via_apple_scripting.toml	94	17	1618	98	19	10	2020-12-08	2025-02-05	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/macos/credential_access_systemkey_dumping.toml	96	19	1556	112	21	10	2021-02-08	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/macos/persistence_modification_sublime_app_plugin_or_script.toml	103	24	1556	98	26	8	2021-02-08	2025-02-05	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/macos/persistence_creation_hidden_login_item_osascript.toml	114	22	1556	98	24	8	2021-02-08	2025-02-05	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/macos/persistence_docker_shortcuts_plist_modification.toml	95	19	1569	112	21	9	2021-01-26	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/macos/credential_access_promt_for_pwd_via_osascript.toml	105	25	1639	98	30	9	2020-11-17	2025-02-05	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml	119	21	1566	98	23	8	2021-01-29	2025-02-05	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/macos/privilege_escalation_local_user_added_to_admin.toml	98	17	1566	112	17	9	2021-01-29	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/macos/lateral_movement_vpn_connection_attempt.toml	98	22	1561	98	24	8	2021-02-03	2025-02-05	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml	105	17	1554	112	19	8	2021-02-10	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml	105	16	1566	112	18	8	2021-01-29	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/macos/persistence_screensaver_plist_file_modification.toml	100	18	1315	98	20	8	2021-10-07	2025-02-05	56409778+threat-punter@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/macos/persistence_suspicious_calendar_modification.toml	105	17	1555	112	19	8	2021-02-09	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml	91	18	1569	112	20	8	2021-01-26	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/macos/credential_access_suspicious_web_browser_sensitive_file_access.toml	106	6	368	112	6	5	2024-05-11	2025-01-22	48036388+defsecsentinel@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/macos/persistence_crontab_creation.toml	97	13	1113	98	15	7	2022-04-27	2025-02-05	91139415+shashank-elastic@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/macos/execution_script_via_automator_workflows.toml	90	17	1569	98	19	8	2021-01-26	2025-02-05	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/privilege_escalation_docker_escape_via_nsenter.toml	73	2	303	112	2	2	2024-07-15	2025-01-22	78494512+aegrah@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/linux/persistence_user_or_group_creation_or_modification.toml	108	5	321	100	5	2	2024-06-27	2025-02-03	78494512+aegrah@users.noreply.github.com	78494512+aegrah@users.noreply.github.com
rules/linux/discovery_subnet_scanning_activity_from_compromised_host.toml	77	1	69	69	1	1	2025-03-06	2025-03-06	78494512+aegrah@users.noreply.github.com	78494512+aegrah@users.noreply.github.com
rules/linux/execution_shell_via_meterpreter_linux.toml	123	13	615	112	15	5	2023-09-07	2025-01-22	78494512+aegrah@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/linux/discovery_kernel_seeking.toml	107	3	118	98	3	3	2025-01-16	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml	104	9	574	98	11	5	2023-10-18	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/discovery_kernel_module_enumeration.toml	114	38	1779	105	46	12	2020-06-30	2025-01-29	31489089+rw-access@users.noreply.github.com	78494512+aegrah@users.noreply.github.com
rules/linux/persistence_linux_group_creation.toml	109	13	692	100	16	6	2023-06-22	2025-02-03	26856693+w0rk3r@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/linux/persistence_message_of_the_day_creation.toml	158	22	740	100	26	6	2023-05-05	2025-02-03	78494512+aegrah@users.noreply.github.com	78494512+aegrah@users.noreply.github.com
rules/linux/defense_evasion_ssl_certificate_deletion.toml	113	3	258	112	3	3	2024-08-29	2025-01-22	78494512+aegrah@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml	136	20	622	106	23	5	2023-08-31	2025-01-28	78494512+aegrah@users.noreply.github.com	78494512+aegrah@users.noreply.github.com
rules/linux/persistence_shadow_file_modification.toml	106	3	208	100	3	2	2024-10-18	2025-02-03	78494512+aegrah@users.noreply.github.com	78494512+aegrah@users.noreply.github.com
rules/linux/defense_evasion_chattr_immutable_file.toml	118	22	1024	98	24	9	2022-07-25	2025-02-05	48036388+defsecsentinel@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/command_and_control_tunneling_via_earthworm.toml	152	22	1490	98	24	9	2021-04-15	2025-02-05	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/privilege_escalation_kworker_uid_elevation.toml	109	7	524	98	9	5	2023-12-07	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/execution_cupsd_foomatic_rip_file_creation.toml	116	5	229	98	5	3	2024-09-27	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/persistence_shell_configuration_modification.toml	136	9	379	100	11	4	2024-04-30	2025-02-03	78494512+aegrah@users.noreply.github.com	78494512+aegrah@users.noreply.github.com
rules/linux/execution_network_event_post_compilation.toml	111	14	622	98	16	5	2023-08-31	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/discovery_pam_version_discovery.toml	125	5	131	98	5	3	2025-01-03	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/credential_access_proc_credential_dumping.toml	112	14	740	98	16	5	2023-05-05	2025-02-05	91139415+shashank-elastic@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/persistence_rc_script_creation.toml	162	23	792	98	28	6	2023-03-14	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/command_and_control_frequent_egress_netcon_from_sus_executable.toml	91	1	77	77	1	1	2025-02-26	2025-02-26	78494512+aegrah@users.noreply.github.com	78494512+aegrah@users.noreply.github.com
rules/linux/execution_egress_connection_from_entrypoint_in_container.toml	95	3	303	98	3	3	2024-07-15	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/privilege_escalation_container_util_misconfiguration.toml	107	13	649	98	15	5	2023-08-04	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/persistence_rpm_package_installation_from_unusual_parent.toml	122	3	301	112	3	3	2024-07-17	2025-01-22	78494512+aegrah@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/linux/execution_potential_hack_tool_executed.toml	111	12	569	98	14	5	2023-10-23	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/command_and_control_linux_kworker_netcon.toml	129	11	567	106	13	5	2023-10-25	2025-01-28	78494512+aegrah@users.noreply.github.com	78494512+aegrah@users.noreply.github.com
rules/linux/discovery_port_scanning_activity_from_compromised_host.toml	77	1	69	69	1	1	2025-03-06	2025-03-06	78494512+aegrah@users.noreply.github.com	78494512+aegrah@users.noreply.github.com
rules/linux/credential_access_potential_linux_local_account_bruteforce.toml	97	15	657	98	17	5	2023-07-27	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/persistence_apt_package_manager_file_creation.toml	139	6	337	100	6	2	2024-06-11	2025-02-03	78494512+aegrah@users.noreply.github.com	78494512+aegrah@users.noreply.github.com
rules/linux/persistence_tainted_kernel_module_out_of_tree_load.toml	102	3	434	112	5	4	2024-03-06	2025-01-22	78494512+aegrah@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/linux/persistence_pth_file_creation.toml	114	1	72	72	1	1	2025-03-03	2025-03-03	78494512+aegrah@users.noreply.github.com	78494512+aegrah@users.noreply.github.com
rules/linux/persistence_systemd_service_started.toml	202	6	355	100	9	5	2024-05-24	2025-02-03	78494512+aegrah@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/linux/discovery_esxi_software_via_find.toml	101	16	750	98	18	5	2023-04-25	2025-02-05	91139415+shashank-elastic@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/discovery_docker_socket_discovery.toml	75	1	69	69	1	1	2025-03-06	2025-03-06	78494512+aegrah@users.noreply.github.com	78494512+aegrah@users.noreply.github.com
rules/linux/persistence_dpkg_unusual_execution.toml	122	5	303	98	5	3	2024-07-15	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/defense_evasion_mount_execution.toml	103	18	753	98	20	5	2023-04-22	2025-02-05	91139415+shashank-elastic@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml	136	18	678	98	20	5	2023-07-06	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/persistence_pluggable_authentication_module_creation_in_unusual_dir.toml	106	3	131	112	3	3	2025-01-03	2025-01-22	78494512+aegrah@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/linux/privilege_escalation_sudo_hijacking.toml	126	14	650	112	17	5	2023-08-03	2025-01-22	78494512+aegrah@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/linux/execution_tc_bpf_filter.toml	105	19	1036	96	21	9	2022-07-13	2025-02-07	48036388+defsecsentinel@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/execution_system_binary_file_permission_change.toml	100	3	118	98	3	3	2025-01-16	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/execution_shell_openssl_client_or_server.toml	115	6	265	98	6	3	2024-08-22	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/execution_suspicious_executable_running_system_commands.toml	119	14	678	112	17	5	2023-07-06	2025-01-22	78494512+aegrah@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/linux/defense_evasion_creation_of_hidden_files_directories.toml	78	4	208	98	4	3	2024-10-18	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/defense_evasion_interpreter_launched_from_decoded_payload.toml	103	1	75	75	1	1	2025-02-28	2025-02-28	78494512+aegrah@users.noreply.github.com	78494512+aegrah@users.noreply.github.com
rules/linux/persistence_user_credential_modification_via_echo.toml	69	1	76	76	1	1	2025-02-27	2025-02-27	78494512+aegrah@users.noreply.github.com	78494512+aegrah@users.noreply.github.com
rules/linux/defense_evasion_file_mod_writable_dir.toml	114	35	1779	105	42	12	2020-06-30	2025-01-29	31489089+rw-access@users.noreply.github.com	78494512+aegrah@users.noreply.github.com
rules/linux/privilege_escalation_dac_permissions.toml	109	7	482	100	7	4	2024-01-18	2025-02-03	91139415+shashank-elastic@users.noreply.github.com	78494512+aegrah@users.noreply.github.com
rules/linux/credential_access_potential_successful_linux_ftp_bruteforce.toml	112	10	678	112	12	5	2023-07-06	2025-01-22	78494512+aegrah@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml	115	25	1556	100	28	9	2021-02-08	2025-02-03	64742097+samirbous@users.noreply.github.com	78494512+aegrah@users.noreply.github.com
rules/linux/discovery_unusual_user_enumeration_via_id.toml	94	12	622	98	15	5	2023-08-31	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/persistence_systemd_service_creation.toml	225	22	701	100	26	5	2023-06-13	2025-02-03	78494512+aegrah@users.noreply.github.com	78494512+aegrah@users.noreply.github.com
rules/linux/discovery_suid_sguid_enumeration.toml	118	13	650	98	16	5	2023-08-03	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/lateral_movement_telnet_network_activity_external.toml	118	32	1779	98	37	12	2020-06-30	2025-02-05	31489089+rw-access@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/persistence_pluggable_authentication_module_source_download.toml	91	2	127	112	2	2	2025-01-07	2025-01-22	78494512+aegrah@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/linux/persistence_dracut_module_creation.toml	146	2	114	112	2	2	2025-01-20	2025-01-22	78494512+aegrah@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/linux/execution_potentially_overly_permissive_container_creation.toml	116	3	301	112	3	3	2024-07-17	2025-01-22	78494512+aegrah@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/linux/execution_shell_via_lolbin_interpreter_linux.toml	131	19	678	98	22	5	2023-07-06	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/persistence_init_d_file_creation.toml	167	25	740	98	28	5	2023-05-05	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/persistence_git_hook_process_execution.toml	142	4	320	112	4	3	2024-06-28	2025-01-22	78494512+aegrah@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/linux/persistence_systemd_netcon.toml	120	7	463	98	9	5	2024-02-06	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/defense_evasion_ld_so_creation.toml	127	3	131	112	3	3	2025-01-03	2025-01-22	78494512+aegrah@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/linux/lateral_movement_ssh_it_worm_download.toml	113	11	574	98	13	5	2023-10-18	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/persistence_pluggable_authentication_module_creation.toml	119	4	337	112	4	2	2024-06-11	2025-01-22	78494512+aegrah@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/linux/execution_process_started_from_process_id_file.toml	89	19	1098	98	21	8	2022-05-12	2025-02-05	99630311+terrancedejesus@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/execution_cupsd_foomatic_rip_lp_user_execution.toml	120	6	229	98	6	3	2024-09-27	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/persistence_setuid_setgid_capability_set.toml	153	16	574	98	18	5	2023-10-18	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/privilege_escalation_potential_bufferoverflow_attack.toml	90	5	478	112	7	6	2024-01-22	2025-01-22	78494512+aegrah@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/linux/credential_access_potential_successful_linux_ssh_bruteforce.toml	93	8	569	112	10	6	2023-10-23	2025-01-22	78494512+aegrah@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/linux/credential_access_credential_dumping.toml	102	16	805	98	18	6	2023-03-01	2025-02-05	91139415+shashank-elastic@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/persistence_unusual_sshd_child_process.toml	111	3	131	100	3	2	2025-01-03	2025-02-03	78494512+aegrah@users.noreply.github.com	78494512+aegrah@users.noreply.github.com
rules/linux/persistence_cron_job_creation.toml	228	25	701	100	31	6	2023-06-13	2025-02-03	78494512+aegrah@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/linux/impact_potential_bruteforce_malware_infection.toml	109	1	77	77	1	1	2025-02-26	2025-02-26	78494512+aegrah@users.noreply.github.com	78494512+aegrah@users.noreply.github.com
rules/linux/persistence_etc_file_creation.toml	226	30	1024	98	33	10	2022-07-25	2025-02-05	48036388+defsecsentinel@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/impact_potential_linux_ransomware_note_detected.toml	106	21	729	98	24	5	2023-05-16	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/persistence_process_capability_set_via_setcap.toml	102	3	342	112	3	3	2024-06-06	2025-01-22	78494512+aegrah@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/linux/persistence_extract_initramfs_via_cpio.toml	115	2	114	112	2	2	2025-01-20	2025-01-22	78494512+aegrah@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/linux/execution_python_tty_shell.toml	102	42	1779	98	49	14	2020-06-30	2025-02-05	31489089+rw-access@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/discovery_private_key_password_searching_activity.toml	92	4	187	98	4	3	2024-11-08	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml	92	12	720	112	14	6	2023-05-25	2025-01-22	78494512+aegrah@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml	114	15	649	98	17	5	2023-08-04	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/lateral_movement_telnet_network_activity_internal.toml	119	32	1779	98	37	12	2020-06-30	2025-02-05	31489089+rw-access@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/credential_access_potential_successful_linux_rdp_bruteforce.toml	111	10	678	112	12	5	2023-07-06	2025-01-22	78494512+aegrah@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/linux/persistence_web_server_sus_command_execution.toml	129	1	69	69	1	1	2025-03-06	2025-03-06	78494512+aegrah@users.noreply.github.com	78494512+aegrah@users.noreply.github.com
rules/linux/credential_access_unusual_instance_metadata_service_api_request.toml	120	5	251	98	5	4	2024-09-05	2025-02-05	99630311+terrancedejesus@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/persistence_linux_shell_activity_via_web_server.toml	171	19	740	98	22	4	2023-05-05	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/defense_evasion_hex_payload_execution.toml	130	3	187	112	3	3	2024-11-08	2025-01-22	78494512+aegrah@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/linux/initial_access_successful_ssh_authentication_by_unusual_user.toml	53	1	72	72	1	1	2025-03-03	2025-03-03	78494512+aegrah@users.noreply.github.com	78494512+aegrah@users.noreply.github.com
rules/linux/defense_evasion_root_certificate_installation.toml	108	5	253	105	5	3	2024-09-03	2025-01-29	78494512+aegrah@users.noreply.github.com	78494512+aegrah@users.noreply.github.com
rules/linux/persistence_kernel_driver_load_by_non_root.toml	108	5	483	112	7	5	2024-01-17	2025-01-22	78494512+aegrah@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/linux/exfiltration_potential_data_splitting_for_exfiltration.toml	109	5	187	98	5	3	2024-11-08	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/execution_cupsd_foomatic_rip_shell_execution.toml	122	6	229	98	6	3	2024-09-27	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/lateral_movement_unusual_remote_file_creation.toml	90	1	77	77	1	1	2025-02-26	2025-02-26	78494512+aegrah@users.noreply.github.com	78494512+aegrah@users.noreply.github.com
rules/linux/persistence_apt_package_manager_netcon.toml	133	9	463	98	11	5	2024-02-06	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/persistence_xdg_autostart_netcon.toml	131	6	338	98	6	3	2024-06-10	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/execution_unusual_pkexec_execution.toml	124	3	114	111	3	3	2025-01-20	2025-01-23	78494512+aegrah@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/linux/persistence_tainted_kernel_module_load.toml	101	4	434	112	6	5	2024-03-06	2025-01-22	78494512+aegrah@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/linux/persistence_bpf_probe_write_user.toml	101	1	105	105	1	1	2025-01-29	2025-01-29	78494512+aegrah@users.noreply.github.com	78494512+aegrah@users.noreply.github.com
rules/linux/discovery_proc_maps_read.toml	93	6	463	98	8	5	2024-02-06	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/defense_evasion_base64_decoding_activity.toml	109	1	75	75	1	1	2025-02-28	2025-02-28	78494512+aegrah@users.noreply.github.com	78494512+aegrah@users.noreply.github.com
rules/linux/persistence_web_server_sus_destination_port.toml	114	1	69	69	1	1	2025-03-06	2025-03-06	78494512+aegrah@users.noreply.github.com	78494512+aegrah@users.noreply.github.com
rules/linux/privilege_escalation_sudo_cve_2019_14287.toml	101	13	622	98	15	5	2023-08-31	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/execution_process_started_in_shared_memory_directory.toml	108	20	1099	98	22	8	2022-05-11	2025-02-05	99630311+terrancedejesus@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/impact_memory_swap_modification.toml	120	5	187	98	5	3	2024-11-08	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/persistence_dynamic_linker_backup.toml	166	20	1036	98	22	10	2022-07-13	2025-02-05	48036388+defsecsentinel@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/persistence_systemd_scheduled_timer_created.toml	183	24	701	100	28	5	2023-06-13	2025-02-03	78494512+aegrah@users.noreply.github.com	78494512+aegrah@users.noreply.github.com
rules/linux/persistence_systemd_generator_creation.toml	135	5	321	100	5	2	2024-06-27	2025-02-03	78494512+aegrah@users.noreply.github.com	78494512+aegrah@users.noreply.github.com
rules/linux/persistence_at_job_creation.toml	144	3	343	112	3	2	2024-06-05	2025-01-22	78494512+aegrah@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/linux/persistence_potential_persistence_script_executable_bit_set.toml	138	7	321	100	7	3	2024-06-27	2025-02-03	78494512+aegrah@users.noreply.github.com	78494512+aegrah@users.noreply.github.com
rules/linux/privilege_escalation_docker_mount_chroot_container_escape.toml	109	7	478	98	9	5	2024-01-22	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/persistence_web_server_sus_child_spawned.toml	124	1	69	69	1	1	2025-03-06	2025-03-06	78494512+aegrah@users.noreply.github.com	78494512+aegrah@users.noreply.github.com
rules/linux/persistence_credential_access_modify_ssh_binaries.toml	191	27	1567	100	32	10	2021-01-28	2025-02-03	brokensound77@users.noreply.github.com	78494512+aegrah@users.noreply.github.com
rules/linux/discovery_kernel_unpacking.toml	106	3	118	98	3	3	2025-01-16	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/defense_evasion_var_log_file_creation_by_unsual_process.toml	101	1	63	63	1	1	2025-03-12	2025-03-12	78494512+aegrah@users.noreply.github.com	78494512+aegrah@users.noreply.github.com
rules/linux/defense_evasion_esxi_suspicious_timestomp_touch.toml	107	16	750	98	18	5	2023-04-25	2025-02-05	91139415+shashank-elastic@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/execution_process_backgrounded_by_unusual_parent.toml	123	1	100	100	1	1	2025-02-03	2025-02-03	78494512+aegrah@users.noreply.github.com	78494512+aegrah@users.noreply.github.com
rules/linux/execution_unix_socket_communication.toml	88	6	208	69	6	3	2024-10-18	2025-03-06	78494512+aegrah@users.noreply.github.com	78494512+aegrah@users.noreply.github.com
rules/linux/defense_evasion_unusual_preload_env_vars.toml	127	2	131	112	2	2	2025-01-03	2025-01-22	78494512+aegrah@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/linux/lateral_movement_remote_file_creation_world_writeable_dir.toml	83	1	77	77	1	1	2025-02-26	2025-02-26	78494512+aegrah@users.noreply.github.com	78494512+aegrah@users.noreply.github.com
rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml	126	2	113	112	2	2	2025-01-21	2025-01-22	78494512+aegrah@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/linux/credential_access_collection_sensitive_files.toml	159	19	1556	112	22	9	2021-02-08	2025-01-22	64742097+samirbous@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/linux/discovery_sudo_allowed_command_enumeration.toml	96	16	650	98	18	5	2023-08-03	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/discovery_virtual_machine_fingerprinting.toml	113	30	1779	112	36	11	2020-06-30	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/linux/persistence_rc_local_error_via_syslog.toml	90	3	320	112	3	2	2024-06-28	2025-01-22	78494512+aegrah@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml	128	8	524	100	10	4	2023-12-07	2025-02-03	78494512+aegrah@users.noreply.github.com	78494512+aegrah@users.noreply.github.com
rules/linux/execution_shell_via_background_process.toml	111	14	586	98	16	5	2023-10-06	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/execution_unusual_path_invocation_from_command_line.toml	114	3	118	100	3	2	2025-01-16	2025-02-03	78494512+aegrah@users.noreply.github.com	78494512+aegrah@users.noreply.github.com
rules/linux/defense_evasion_acl_modification_via_setfacl.toml	83	5	208	98	5	3	2024-10-18	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/persistence_ssh_netcon.toml	115	5	338	98	5	3	2024-06-10	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/privilege_escalation_pkexec_envar_hijack.toml	109	18	1203	98	20	9	2022-01-27	2025-02-05	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/persistence_git_hook_execution.toml	128	4	301	112	4	3	2024-07-17	2025-01-22	78494512+aegrah@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/linux/privilege_escalation_enlightenment_window_manager.toml	94	6	482	98	6	4	2024-01-18	2025-02-05	91139415+shashank-elastic@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/defense_evasion_authorized_keys_file_deletion.toml	73	1	76	76	1	1	2025-02-27	2025-02-27	78494512+aegrah@users.noreply.github.com	78494512+aegrah@users.noreply.github.com
rules/linux/privilege_escalation_shadow_file_read.toml	118	19	973	112	21	8	2022-09-14	2025-01-22	91139415+shashank-elastic@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml	106	6	427	100	8	4	2024-03-13	2025-02-03	78494512+aegrah@users.noreply.github.com	78494512+aegrah@users.noreply.github.com
rules/linux/persistence_simple_web_server_creation.toml	131	4	131	100	4	3	2025-01-03	2025-02-03	78494512+aegrah@users.noreply.github.com	78494512+aegrah@users.noreply.github.com
rules/linux/persistence_insmod_kernel_module_load.toml	160	23	1036	98	26	10	2022-07-13	2025-02-05	48036388+defsecsentinel@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/persistence_openssl_passwd_hash_generation.toml	103	2	114	112	2	2	2025-01-20	2025-01-22	78494512+aegrah@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/linux/persistence_network_manager_dispatcher_persistence.toml	140	2	114	112	2	2	2025-01-20	2025-01-22	78494512+aegrah@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/linux/persistence_git_hook_netcon.toml	134	3	301	112	3	2	2024-07-17	2025-01-22	78494512+aegrah@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/linux/execution_cupsd_foomatic_rip_suspicious_child_execution.toml	133	6	229	98	6	3	2024-09-27	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/command_and_control_ip_forwarding_activity.toml	84	5	187	98	5	3	2024-11-08	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/persistence_polkit_policy_creation.toml	112	3	114	111	3	3	2025-01-20	2025-01-23	78494512+aegrah@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml	116	7	407	98	9	6	2024-04-02	2025-02-05	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/persistence_rc_local_service_already_running.toml	103	3	320	112	3	2	2024-06-28	2025-01-22	78494512+aegrah@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/linux/execution_shell_via_java_revshell_linux.toml	120	17	678	98	20	5	2023-07-06	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml	78	7	434	98	9	5	2024-03-06	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/defense_evasion_log_files_deleted.toml	129	28	1618	98	33	10	2020-12-08	2025-02-05	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/discovery_ping_sweep_detected.toml	100	8	574	112	10	5	2023-10-18	2025-01-22	78494512+aegrah@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/linux/execution_python_webserver_spawned.toml	116	4	187	98	4	3	2024-11-08	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/defense_evasion_dynamic_linker_file_creation.toml	134	5	277	98	5	3	2024-08-10	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/persistence_grub_configuration_creation.toml	129	2	117	112	2	2	2025-01-17	2025-01-22	78494512+aegrah@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/linux/persistence_chkconfig_service_add.toml	173	27	1024	98	29	10	2022-07-25	2025-02-05	48036388+defsecsentinel@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/persistence_boot_file_copy.toml	137	3	114	100	3	2	2025-01-20	2025-02-03	78494512+aegrah@users.noreply.github.com	78494512+aegrah@users.noreply.github.com
rules/linux/persistence_dpkg_package_installation_from_unusual_parent.toml	124	3	303	112	3	3	2024-07-15	2025-01-22	78494512+aegrah@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/linux/persistence_message_of_the_day_execution.toml	188	22	740	100	25	5	2023-05-05	2025-02-03	78494512+aegrah@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/linux/privilege_escalation_suspicious_chown_fowner_elevation.toml	101	7	482	98	7	4	2024-01-18	2025-02-05	91139415+shashank-elastic@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/persistence_kworker_file_creation.toml	175	12	524	98	15	6	2023-12-07	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/defense_evasion_directory_creation_in_bin.toml	108	4	187	98	4	3	2024-11-08	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/privilege_escalation_suspicious_uid_guid_elevation.toml	119	9	482	98	9	4	2024-01-18	2025-02-05	91139415+shashank-elastic@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/privilege_escalation_overlayfs_local_privesc.toml	98	13	653	98	15	5	2023-07-31	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/impact_data_encrypted_via_openssl.toml	98	12	682	98	14	5	2023-07-02	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/discovery_linux_hping_activity.toml	114	20	1077	98	22	8	2022-06-02	2025-02-05	91139415+shashank-elastic@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml	117	13	682	98	15	5	2023-07-02	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/defense_evasion_rename_esxi_files.toml	99	12	750	98	14	4	2023-04-25	2025-02-05	91139415+shashank-elastic@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/impact_esxi_process_kill.toml	95	13	750	98	15	5	2023-04-25	2025-02-05	91139415+shashank-elastic@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/discovery_suspicious_which_command_execution.toml	82	7	434	98	9	5	2024-03-06	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/persistence_suspicious_file_opened_through_editor.toml	127	6	434	98	8	6	2024-03-06	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/execution_interpreter_tty_upgrade.toml	103	10	574	98	12	5	2023-10-18	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/privilege_escalation_linux_uid_int_max_bug.toml	98	15	650	98	17	5	2023-08-03	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/command_and_control_aws_cli_endpoint_url_used.toml	75	2	259	112	2	2	2024-08-28	2025-01-22	99630311+terrancedejesus@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/linux/persistence_simple_web_server_connection_accepted.toml	124	2	131	112	2	2	2025-01-03	2025-01-22	78494512+aegrah@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/linux/defense_evasion_hidden_directory_creation.toml	121	5	187	98	5	3	2024-11-08	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/defense_evasion_hidden_file_dir_tmp.toml	125	43	1779	98	49	13	2020-06-30	2025-02-05	31489089+rw-access@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/persistence_unpack_initramfs_via_unmkinitramfs.toml	132	2	114	112	2	2	2025-01-20	2025-01-22	78494512+aegrah@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/linux/privilege_escalation_sda_disk_mount_non_root.toml	100	15	650	98	17	5	2023-08-03	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/execution_suspicious_mining_process_creation_events.toml	98	14	785	98	16	5	2023-03-21	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/command_and_control_linux_chisel_server_activity.toml	145	14	623	98	16	5	2023-08-30	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/persistence_site_and_user_customize_file_creation.toml	109	1	72	72	1	1	2025-03-03	2025-03-03	78494512+aegrah@users.noreply.github.com	78494512+aegrah@users.noreply.github.com
rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml	191	24	700	100	29	7	2023-06-14	2025-02-03	78494512+aegrah@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/linux/command_and_control_cat_network_activity.toml	148	15	604	98	18	5	2023-09-18	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/collection_linux_clipboard_activity.toml	80	2	208	112	2	2	2024-10-18	2025-01-22	78494512+aegrah@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/linux/execution_shell_via_udp_cli_utility_linux.toml	132	12	615	112	15	5	2023-09-07	2025-01-22	78494512+aegrah@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/linux/persistence_ssh_via_backdoored_system_user.toml	113	2	127	112	2	2	2025-01-07	2025-01-22	78494512+aegrah@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/linux/discovery_dynamic_linker_via_od.toml	100	8	463	98	10	5	2024-02-06	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/persistence_grub_makeconfig.toml	109	2	117	112	2	2	2025-01-17	2025-01-22	78494512+aegrah@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/linux/discovery_esxi_software_via_grep.toml	101	17	750	98	19	5	2023-04-25	2025-02-05	91139415+shashank-elastic@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/discovery_pspy_process_monitoring_detected.toml	98	12	658	105	14	5	2023-07-26	2025-01-29	78494512+aegrah@users.noreply.github.com	78494512+aegrah@users.noreply.github.com
rules/linux/defense_evasion_kernel_module_removal.toml	126	39	1779	98	46	12	2020-06-30	2025-02-05	31489089+rw-access@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/discovery_suspicious_memory_grep_activity.toml	77	4	208	98	4	3	2024-10-18	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/persistence_manual_dracut_execution.toml	120	3	114	98	3	3	2025-01-20	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/execution_abnormal_process_id_file_created.toml	140	33	1098	100	38	9	2022-05-12	2025-02-03	99630311+terrancedejesus@users.noreply.github.com	78494512+aegrah@users.noreply.github.com
rules/linux/privilege_escalation_uid_change_post_compilation.toml	99	11	622	98	13	5	2023-08-31	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/persistence_kde_autostart_modification.toml	214	31	1555	98	34	9	2021-02-09	2025-02-05	64742097+samirbous@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml	115	15	649	98	17	5	2023-08-04	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/privilege_escalation_writable_docker_socket.toml	99	12	657	98	14	5	2023-07-27	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml	123	15	650	98	18	5	2023-08-03	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/persistence_udev_rule_creation.toml	124	9	434	100	11	4	2024-03-06	2025-02-03	78494512+aegrah@users.noreply.github.com	78494512+aegrah@users.noreply.github.com
rules/linux/impact_process_kill_threshold.toml	89	21	1020	357	25	8	2022-07-29	2024-05-22	91139415+shashank-elastic@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml	113	37	1779	98	43	13	2020-06-30	2025-02-05	31489089+rw-access@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/persistence_kernel_object_file_creation.toml	113	3	131	100	3	2	2025-01-03	2025-02-03	78494512+aegrah@users.noreply.github.com	78494512+aegrah@users.noreply.github.com
rules/linux/privilege_escalation_netcon_via_sudo_binary.toml	111	9	483	98	11	5	2024-01-17	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/execution_remote_code_execution_via_postgresql.toml	107	17	684	98	20	5	2023-06-30	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/persistence_dbus_service_creation.toml	139	2	114	112	2	2	2025-01-20	2025-01-22	78494512+aegrah@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/linux/defense_evasion_rename_esxi_index_file.toml	98	12	750	98	14	4	2023-04-25	2025-02-05	91139415+shashank-elastic@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/persistence_git_hook_file_creation.toml	141	5	320	112	5	3	2024-06-28	2025-01-22	78494512+aegrah@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/linux/persistence_dnf_package_manager_plugin_file_creation.toml	141	6	320	100	6	3	2024-06-28	2025-02-03	78494512+aegrah@users.noreply.github.com	78494512+aegrah@users.noreply.github.com
rules/linux/execution_shell_evasion_linux_binary.toml	190	28	1085	98	35	8	2022-05-25	2025-02-05	91139415+shashank-elastic@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/execution_nc_listener_via_rlwrap.toml	109	11	569	98	13	5	2023-10-23	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/defense_evasion_attempt_to_disable_auditd_service.toml	103	4	255	106	4	3	2024-09-01	2025-01-28	78494512+aegrah@users.noreply.github.com	78494512+aegrah@users.noreply.github.com
rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml	117	13	581	98	15	5	2023-10-11	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/initial_access_successful_ssh_authentication_by_unusual_ip.toml	65	1	75	75	1	1	2025-02-28	2025-02-28	78494512+aegrah@users.noreply.github.com	78494512+aegrah@users.noreply.github.com
rules/linux/exfiltration_unusual_file_transfer_utility_launched.toml	78	1	75	75	1	1	2025-02-28	2025-02-28	78494512+aegrah@users.noreply.github.com	78494512+aegrah@users.noreply.github.com
rules/linux/defense_evasion_interactive_shell_from_system_user.toml	114	3	187	105	3	2	2024-11-08	2025-01-29	78494512+aegrah@users.noreply.github.com	78494512+aegrah@users.noreply.github.com
rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml	90	12	720	112	14	6	2023-05-25	2025-01-22	78494512+aegrah@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml	115	36	1779	98	42	12	2020-06-30	2025-02-05	31489089+rw-access@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/persistence_yum_package_manager_plugin_file_creation.toml	137	6	323	100	6	2	2024-06-25	2025-02-03	78494512+aegrah@users.noreply.github.com	78494512+aegrah@users.noreply.github.com
rules/linux/privilege_escalation_sudo_token_via_process_injection.toml	110	14	650	98	16	5	2023-08-03	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/defense_evasion_doas_configuration_creation_or_rename.toml	98	3	258	112	3	3	2024-08-29	2025-01-22	78494512+aegrah@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/linux/command_and_control_linux_chisel_client_activity.toml	146	16	623	98	18	5	2023-08-30	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/privilege_escalation_unshare_namespace_manipulation.toml	109	14	786	98	16	5	2023-03-20	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/discovery_security_file_access_via_common_utility.toml	100	5	187	98	5	3	2024-11-08	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/command_and_control_linux_proxychains_activity.toml	122	7	434	98	9	5	2024-03-06	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/persistence_apt_package_manager_execution.toml	139	10	463	98	12	5	2024-02-06	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/execution_executable_stack_execution.toml	89	2	117	112	2	2	2025-01-17	2025-01-22	78494512+aegrah@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/linux/discovery_polkit_version_discovery.toml	98	3	114	98	3	3	2025-01-20	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/execution_shell_via_tcp_cli_utility_linux.toml	114	19	678	98	22	6	2023-07-06	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/privilege_escalation_gdb_sys_ptrace_elevation.toml	104	6	482	98	6	4	2024-01-18	2025-02-05	91139415+shashank-elastic@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/defense_evasion_hidden_shared_object.toml	111	19	1027	98	21	9	2022-07-22	2025-02-05	48036388+defsecsentinel@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/credential_access_gdb_process_hooking.toml	83	6	434	98	8	5	2024-03-06	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/persistence_shared_object_creation.toml	170	19	701	100	23	6	2023-06-13	2025-02-03	78494512+aegrah@users.noreply.github.com	78494512+aegrah@users.noreply.github.com
rules/linux/execution_netcon_from_rwx_mem_region_binary.toml	112	6	427	98	8	5	2024-03-13	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/discovery_yum_dnf_plugin_detection.toml	103	5	323	98	5	3	2024-06-25	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/persistence_ssh_key_generation.toml	104	5	342	112	5	4	2024-06-06	2025-01-22	78494512+aegrah@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/linux/execution_perl_tty_shell.toml	100	32	1779	112	38	12	2020-06-30	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/linux/defense_evasion_kthreadd_masquerading.toml	104	7	463	98	9	5	2024-02-06	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/credential_access_gdb_init_process_hooking.toml	100	7	434	98	9	5	2024-03-06	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/discovery_process_capabilities.toml	93	8	482	98	8	4	2024-01-18	2025-02-05	91139415+shashank-elastic@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/execution_shell_via_child_tcp_utility_linux.toml	115	7	513	98	9	6	2023-12-18	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/defense_evasion_disable_selinux_attempt.toml	111	37	1779	98	43	12	2020-06-30	2025-02-05	31489089+rw-access@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/execution_shell_via_suspicious_binary.toml	124	19	678	98	21	5	2023-07-06	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml	130	6	482	98	6	4	2024-01-18	2025-02-05	91139415+shashank-elastic@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/privilege_escalation_suspicious_passwd_file_write.toml	113	6	474	98	8	5	2024-01-26	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/persistence_linux_backdoor_user_creation.toml	132	19	692	98	22	5	2023-06-22	2025-02-05	26856693+w0rk3r@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/initial_access_first_time_public_key_authentication.toml	71	1	75	75	1	1	2025-02-28	2025-02-28	78494512+aegrah@users.noreply.github.com	78494512+aegrah@users.noreply.github.com
rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml	138	19	911	98	23	7	2022-11-15	2025-02-05	99630311+terrancedejesus@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/persistence_systemd_shell_execution.toml	110	2	114	112	2	2	2025-01-20	2025-01-22	78494512+aegrah@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/linux/persistence_kernel_driver_load.toml	103	3	434	112	5	4	2024-03-06	2025-01-22	78494512+aegrah@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/linux/privilege_escalation_potential_suid_sgid_exploitation.toml	143	6	321	98	6	4	2024-06-27	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/defense_evasion_prctl_process_name_tampering.toml	103	2	121	112	2	2	2025-01-13	2025-01-22	78494512+aegrah@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/linux/persistence_unusual_pam_grantor.toml	98	4	337	112	7	5	2024-06-11	2025-01-22	78494512+aegrah@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml	113	38	1779	98	44	12	2020-06-30	2025-02-05	31489089+rw-access@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/execution_file_execution_followed_by_deletion.toml	107	13	622	98	15	5	2023-08-31	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml	131	4	229	98	4	3	2024-09-27	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml	148	17	623	98	19	5	2023-08-30	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/defense_evasion_kill_command_executed.toml	96	1	75	75	1	1	2025-02-28	2025-02-28	78494512+aegrah@users.noreply.github.com	78494512+aegrah@users.noreply.github.com
rules/linux/command_and_control_curl_socks_proxy_detected.toml	112	3	187	98	3	3	2024-11-08	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/discovery_linux_nping_activity.toml	114	20	1027	98	22	8	2022-07-22	2025-02-05	99630311+terrancedejesus@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/persistence_lkm_configuration_file_creation.toml	114	2	131	112	2	2	2025-01-03	2025-01-22	78494512+aegrah@users.noreply.github.com	mikaayenson@users.noreply.github.com
rules/linux/defense_evasion_potential_proot_exploits.toml	101	15	755	98	17	5	2023-04-20	2025-02-05	91139415+shashank-elastic@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/command_and_control_linux_ssh_x11_forwarding.toml	118	5	208	98	5	4	2024-10-18	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/credential_access_ssh_backdoor_log.toml	151	26	1559	103	29	9	2021-02-05	2025-01-31	64742097+samirbous@users.noreply.github.com	78494512+aegrah@users.noreply.github.com
rules/linux/privilege_escalation_looney_tunables_cve_2023_4911.toml	106	11	587	98	13	5	2023-10-05	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/persistence_linux_user_account_creation.toml	108	13	692	100	16	6	2023-06-22	2025-02-03	26856693+w0rk3r@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules/linux/defense_evasion_file_deletion_via_shred.toml	100	37	1779	98	43	12	2020-06-30	2025-02-05	31489089+rw-access@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml	160	17	623	98	20	5	2023-08-30	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/defense_evasion_selinux_configuration_creation_or_renaming.toml	101	4	255	105	4	3	2024-09-01	2025-01-29	78494512+aegrah@users.noreply.github.com	78494512+aegrah@users.noreply.github.com
rules/linux/persistence_linux_user_added_to_privileged_group.toml	130	21	692	98	24	5	2023-06-22	2025-02-05	26856693+w0rk3r@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/defense_evasion_clear_kernel_ring_buffer.toml	106	12	562	98	14	5	2023-10-30	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules/linux/defense_evasion_disable_apparmor_attempt.toml	107	15	622	98	17	5	2023-08-31	2025-02-05	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
detection_rules/packaging.py	367	53	1779	100	61	10	2020-06-30	2025-02-03	31489089+rw-access@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
detection_rules/ml.py	327	5	1441	65	6	4	2021-06-03	2025-03-10	brokensound77@users.noreply.github.com	119343520+eric-forte-elastic@users.noreply.github.com
detection_rules/docs.py	699	22	1687	68	22	7	2020-09-30	2025-03-07	brokensound77@users.noreply.github.com	traut@users.noreply.github.com
detection_rules/config.py	221	3	281	259	3	1	2024-08-06	2024-08-28	119343520+eric-forte-elastic@users.noreply.github.com	119343520+eric-forte-elastic@users.noreply.github.com
detection_rules/attack.py	164	14	1779	356	17	6	2020-06-30	2024-05-23	31489089+rw-access@users.noreply.github.com	119343520+eric-forte-elastic@users.noreply.github.com
detection_rules/generic_loader.py	125	1	281	281	1	1	2024-08-06	2024-08-06	119343520+eric-forte-elastic@users.noreply.github.com	119343520+eric-forte-elastic@users.noreply.github.com
detection_rules/exception.py	199	1	281	281	1	1	2024-08-06	2024-08-06	119343520+eric-forte-elastic@users.noreply.github.com	119343520+eric-forte-elastic@users.noreply.github.com
detection_rules/remote_validation.py	147	3	523	281	3	3	2023-12-08	2024-08-06	mikaayenson@users.noreply.github.com	119343520+eric-forte-elastic@users.noreply.github.com
detection_rules/cli_utils.py	198	20	1527	70	20	9	2021-03-09	2025-03-05	31489089+rw-access@users.noreply.github.com	traut@users.noreply.github.com
detection_rules/mixins.py	158	12	1512	281	12	5	2021-03-24	2024-08-06	31489089+rw-access@users.noreply.github.com	119343520+eric-forte-elastic@users.noreply.github.com
detection_rules/ecs.py	245	19	1779	182	20	7	2020-06-30	2024-11-13	31489089+rw-access@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
detection_rules/__main__.py	13	7	1779	356	11	5	2020-06-30	2024-05-23	31489089+rw-access@users.noreply.github.com	119343520+eric-forte-elastic@users.noreply.github.com
detection_rules/endgame.py	62	3	938	356	5	3	2022-10-19	2024-05-23	mikaayenson@users.noreply.github.com	119343520+eric-forte-elastic@users.noreply.github.com
detection_rules/rule_validators.py	439	29	1484	128	29	7	2021-04-21	2025-01-06	31489089+rw-access@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
detection_rules/rule_loader.py	439	36	1779	70	39	8	2020-06-30	2025-03-05	31489089+rw-access@users.noreply.github.com	traut@users.noreply.github.com
detection_rules/devtools.py	1053	90	1680	68	99	11	2020-10-07	2025-03-07	brokensound77@users.noreply.github.com	traut@users.noreply.github.com
detection_rules/schemas/registry_package.py	40	6	1527	356	6	5	2021-03-09	2024-05-23	brokensound77@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
detection_rules/schemas/stack_compat.py	32	2	1052	827	2	2	2022-06-27	2023-02-07	brokensound77@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
detection_rules/schemas/__init__.py	210	47	1756	70	49	9	2020-07-23	2025-03-05	31489089+rw-access@users.noreply.github.com	traut@users.noreply.github.com
detection_rules/schemas/definitions.py	224	56	1527	191	59	14	2021-03-09	2024-11-04	brokensound77@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
detection_rules/__init__.py	36	15	1779	70	17	6	2020-06-30	2025-03-05	31489089+rw-access@users.noreply.github.com	traut@users.noreply.github.com
detection_rules/utils.py	291	36	1779	281	40	6	2020-06-30	2024-08-06	31489089+rw-access@users.noreply.github.com	119343520+eric-forte-elastic@users.noreply.github.com
detection_rules/navigator.py	220	7	1167	281	8	5	2022-03-04	2024-08-06	brokensound77@users.noreply.github.com	119343520+eric-forte-elastic@users.noreply.github.com
detection_rules/action_connector.py	124	1	281	281	1	1	2024-08-06	2024-08-06	119343520+eric-forte-elastic@users.noreply.github.com	119343520+eric-forte-elastic@users.noreply.github.com
detection_rules/rule.py	1140	120	1779	79	139	11	2020-06-30	2025-02-24	31489089+rw-access@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
detection_rules/misc.py	344	40	1779	281	46	7	2020-06-30	2024-08-06	31489089+rw-access@users.noreply.github.com	119343520+eric-forte-elastic@users.noreply.github.com
detection_rules/version_lock.py	212	19	1359	281	24	6	2021-08-24	2024-08-06	31489089+rw-access@users.noreply.github.com	119343520+eric-forte-elastic@users.noreply.github.com
detection_rules/rule_formatter.py	200	18	1779	112	19	7	2020-06-30	2025-01-22	31489089+rw-access@users.noreply.github.com	mikaayenson@users.noreply.github.com
detection_rules/integrations.py	286	24	1010	96	28	7	2022-08-08	2025-02-07	mikaayenson@users.noreply.github.com	traut@users.noreply.github.com
detection_rules/kbwrap.py	332	27	1680	65	28	8	2020-10-07	2025-03-10	brokensound77@users.noreply.github.com	119343520+eric-forte-elastic@users.noreply.github.com
detection_rules/main.py	527	48	1779	65	56	11	2020-06-30	2025-03-10	31489089+rw-access@users.noreply.github.com	119343520+eric-forte-elastic@users.noreply.github.com
detection_rules/ghwrap.py	241	4	1441	888	4	2	2021-06-03	2022-12-08	brokensound77@users.noreply.github.com	mikaayenson@users.noreply.github.com
detection_rules/custom_rules.py	106	3	281	65	3	2	2024-08-06	2025-03-10	119343520+eric-forte-elastic@users.noreply.github.com	119343520+eric-forte-elastic@users.noreply.github.com
detection_rules/beats.py	184	20	1779	182	21	10	2020-06-30	2024-11-13	31489089+rw-access@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
detection_rules/eswrap.py	309	30	1779	70	31	7	2020-06-30	2025-03-05	31489089+rw-access@users.noreply.github.com	traut@users.noreply.github.com
detection_rules/custom_schemas.py	66	2	281	259	2	1	2024-08-06	2024-08-28	119343520+eric-forte-elastic@users.noreply.github.com	119343520+eric-forte-elastic@users.noreply.github.com
detection_rules/etc/example_test_config.yaml	6	1	281	281	1	1	2024-08-06	2024-08-06	119343520+eric-forte-elastic@users.noreply.github.com	119343520+eric-forte-elastic@users.noreply.github.com
detection_rules/etc/packages.yaml	31	6	364	156	9	4	2024-05-15	2024-12-09	mikaayenson@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
detection_rules/etc/_config.yaml	10	1	281	281	1	1	2024-08-06	2024-08-06	119343520+eric-forte-elastic@users.noreply.github.com	119343520+eric-forte-elastic@users.noreply.github.com
detection_rules/etc/__init__.py	1	1	888	888	1	1	2022-12-08	2022-12-08	mikaayenson@users.noreply.github.com	mikaayenson@users.noreply.github.com
detection_rules/etc/stack-schema-map.yaml	28	31	1108	100	36	7	2022-05-02	2025-02-03	mikaayenson@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
detection_rules/action.py	39	1	281	281	1	1	2024-08-06	2024-08-06	119343520+eric-forte-elastic@users.noreply.github.com	119343520+eric-forte-elastic@users.noreply.github.com
pyproject.toml	62	52	1204	60	70	10	2022-01-26	2025-03-15	richard.boyd@elastic.co	119343520+eric-forte-elastic@users.noreply.github.com
rules_building_block/defense_evasion_file_permission_modification.toml	57	6	636	357	8	3	2023-08-17	2024-05-22	26856693+w0rk3r@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules_building_block/discovery_linux_modprobe_enumeration.toml	72	12	628	208	14	4	2023-08-25	2024-10-18	78494512+aegrah@users.noreply.github.com	78494512+aegrah@users.noreply.github.com
rules_building_block/discovery_hosts_file_access.toml	48	6	665	357	8	4	2023-07-19	2024-05-22	91139415+shashank-elastic@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml	60	4	575	357	6	3	2023-10-17	2024-05-22	26856693+w0rk3r@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules_building_block/discovery_system_service_discovery.toml	56	8	581	84	10	4	2023-10-11	2025-02-19	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules_building_block/defense_evasion_powershell_clear_logs_script.toml	97	11	666	198	11	3	2023-07-18	2024-10-28	26856693+w0rk3r@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules_building_block/discovery_kernel_module_enumeration_via_proc.toml	74	10	628	208	12	4	2023-08-25	2024-10-18	78494512+aegrah@users.noreply.github.com	78494512+aegrah@users.noreply.github.com
rules_building_block/execution_settingcontent_ms_file_creation.toml	72	9	624	198	11	3	2023-08-29	2024-10-28	26856693+w0rk3r@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules_building_block/impact_github_user_blocked_from_organization.toml	43	4	478	156	7	4	2024-01-22	2024-12-09	59296946+imays11@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules_building_block/defense_evasion_posh_defender_tampering.toml	88	3	243	119	3	2	2024-09-13	2025-01-15	26856693+w0rk3r@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules_building_block/discovery_net_share_discovery_winlog.toml	62	9	653	84	11	3	2023-07-31	2025-02-19	26856693+w0rk3r@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules_building_block/persistence_iam_instance_request_to_iam_service.toml	112	2	189	186	2	1	2024-11-06	2024-11-09	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
rules_building_block/execution_aws_lambda_function_updated.toml	64	4	347	254	7	4	2024-06-01	2024-09-02	99630311+terrancedejesus@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules_building_block/discovery_of_accounts_or_groups_via_builtin_tools.toml	70	7	665	357	9	4	2023-07-19	2024-05-22	91139415+shashank-elastic@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules_building_block/discovery_signal_unusual_user_host.toml	51	4	581	254	6	3	2023-10-11	2024-09-02	78494512+aegrah@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules_building_block/defense_evasion_service_disabled_registry.toml	64	5	617	357	7	3	2023-09-05	2024-05-22	26856693+w0rk3r@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules_building_block/defense_evasion_installutil_command_activity.toml	54	8	624	84	10	3	2023-08-29	2025-02-19	26856693+w0rk3r@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules_building_block/persistence_web_server_sus_file_creation.toml	121	1	69	69	1	1	2025-03-06	2025-03-06	78494512+aegrah@users.noreply.github.com	78494512+aegrah@users.noreply.github.com
rules_building_block/defense_evasion_unsigned_bits_client.toml	58	4	575	357	6	3	2023-10-17	2024-05-22	26856693+w0rk3r@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules_building_block/discovery_getconf_execution.toml	49	1	118	118	1	1	2025-01-16	2025-01-16	78494512+aegrah@users.noreply.github.com	78494512+aegrah@users.noreply.github.com
rules_building_block/command_and_control_certutil_network_connection.toml	143	11	566	100	13	3	2023-10-26	2025-02-03	26856693+w0rk3r@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules_building_block/discovery_generic_account_groups.toml	94	8	653	357	11	4	2023-07-31	2024-05-22	26856693+w0rk3r@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules_building_block/defense_evasion_injection_from_msoffice.toml	82	4	575	357	6	3	2023-10-17	2024-05-22	26856693+w0rk3r@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules_building_block/defense_evasion_unusual_process_path_wbem.toml	57	8	609	84	10	3	2023-09-13	2025-02-19	26856693+w0rk3r@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules_building_block/discovery_win_network_connections.toml	62	8	653	357	10	4	2023-07-31	2024-05-22	26856693+w0rk3r@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml	54	3	575	357	5	3	2023-10-17	2024-05-22	26856693+w0rk3r@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml	98	12	581	84	14	4	2023-10-11	2025-02-19	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules_building_block/defense_evasion_unusual_process_extension.toml	73	7	609	357	9	3	2023-09-13	2024-05-22	26856693+w0rk3r@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml	94	4	575	357	6	3	2023-10-17	2024-05-22	26856693+w0rk3r@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml	60	4	575	281	6	3	2023-10-17	2024-08-06	26856693+w0rk3r@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules_building_block/discovery_linux_sysctl_enumeration.toml	70	12	628	208	14	4	2023-08-25	2024-10-18	78494512+aegrah@users.noreply.github.com	78494512+aegrah@users.noreply.github.com
rules_building_block/defense_evasion_masquerading_browsers.toml	186	10	625	121	12	3	2023-08-28	2025-01-13	26856693+w0rk3r@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules_building_block/lateral_movement_unusual_process_sql_accounts.toml	98	5	577	357	7	3	2023-10-15	2024-05-22	26856693+w0rk3r@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules_building_block/discovery_security_software_wmic.toml	84	11	581	84	13	4	2023-10-11	2025-02-19	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules_building_block/collection_common_compressed_archived_file.toml	117	7	581	121	9	5	2023-10-11	2025-01-13	16747370+brokensound77@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules_building_block/command_and_control_bitsadmin_activity.toml	85	10	617	84	12	3	2023-09-05	2025-02-19	26856693+w0rk3r@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules_building_block/lateral_movement_at.toml	66	10	617	84	12	3	2023-09-05	2025-02-19	26856693+w0rk3r@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules_building_block/initial_access_github_new_ip_address_for_user.toml	54	4	478	156	7	4	2024-01-22	2024-12-09	59296946+imays11@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules_building_block/persistence_startup_folder_lnk.toml	62	4	617	357	6	3	2023-09-05	2024-05-22	26856693+w0rk3r@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml	72	4	482	188	4	3	2024-01-18	2024-11-07	91139415+shashank-elastic@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules_building_block/credential_access_win_private_key_access.toml	86	12	617	84	14	3	2023-09-05	2025-02-19	26856693+w0rk3r@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules_building_block/initial_access_github_new_user_agent_for_pat.toml	55	4	478	156	7	4	2024-01-22	2024-12-09	59296946+imays11@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules_building_block/defense_evasion_aws_rds_snapshot_created.toml	59	1	320	320	1	1	2024-06-28	2024-06-28	59296946+imays11@users.noreply.github.com	59296946+imays11@users.noreply.github.com
rules_building_block/execution_wmi_wbemtest.toml	48	8	609	84	10	3	2023-09-13	2025-02-19	26856693+w0rk3r@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules_building_block/execution_unsigned_service_executable.toml	72	10	653	357	12	4	2023-07-31	2024-05-22	26856693+w0rk3r@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules_building_block/defense_evasion_generic_deletion.toml	62	7	653	357	9	3	2023-07-31	2024-05-22	26856693+w0rk3r@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules_building_block/collection_outlook_email_archive.toml	64	10	617	84	12	3	2023-09-05	2025-02-19	26856693+w0rk3r@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml	61	8	575	84	10	3	2023-10-17	2025-02-19	26856693+w0rk3r@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules_building_block/execution_linux_segfault.toml	52	3	559	357	5	3	2023-11-02	2024-05-22	78494512+aegrah@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules_building_block/execution_github_repo_interaction_from_new_ip.toml	51	4	478	156	7	4	2024-01-22	2024-12-09	59296946+imays11@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules_building_block/defense_evasion_outlook_suspicious_child.toml	100	1	119	119	1	1	2025-01-15	2025-01-15	26856693+w0rk3r@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules_building_block/discovery_remote_system_discovery_commands_windows.toml	95	7	581	198	9	4	2023-10-11	2024-10-28	78494512+aegrah@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules_building_block/defense_evasion_masquerading_vlc_dll.toml	69	7	623	344	9	3	2023-08-30	2024-06-04	26856693+w0rk3r@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules_building_block/impact_github_member_removed_from_organization.toml	43	4	478	156	7	4	2024-01-22	2024-12-09	59296946+imays11@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules_building_block/command_and_control_non_standard_http_port.toml	135	12	665	100	14	5	2023-07-19	2025-02-03	91139415+shashank-elastic@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules_building_block/persistence_transport_agent_exchange.toml	115	10	653	198	12	3	2023-07-31	2024-10-28	26856693+w0rk3r@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules_building_block/collection_files_staged_in_recycle_bin_root.toml	55	10	624	198	12	3	2023-08-29	2024-10-28	26856693+w0rk3r@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules_building_block/lateral_movement_wmic_remote.toml	73	13	609	84	15	3	2023-09-13	2025-02-19	26856693+w0rk3r@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules_building_block/execution_github_new_repo_interaction_for_pat.toml	52	4	478	156	7	4	2024-01-22	2024-12-09	59296946+imays11@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml	46	8	624	84	10	3	2023-08-29	2025-02-19	26856693+w0rk3r@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules_building_block/defense_evasion_processes_with_trailing_spaces.toml	52	6	628	357	8	4	2023-08-25	2024-05-22	91139415+shashank-elastic@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules_building_block/defense_evasion_invalid_codesign_imageload.toml	54	4	575	357	6	3	2023-10-17	2024-05-22	26856693+w0rk3r@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules_building_block/credential_access_mdmp_file_unusual_extension.toml	75	4	575	357	6	3	2023-10-17	2024-05-22	26856693+w0rk3r@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules_building_block/defense_evasion_dll_hijack.toml	97	8	636	357	10	3	2023-08-17	2024-05-22	26856693+w0rk3r@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules_building_block/defense_evasion_service_path_registry.toml	87	8	617	198	10	3	2023-09-05	2024-10-28	26856693+w0rk3r@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules_building_block/execution_github_new_event_action_for_pat.toml	51	4	478	156	7	4	2024-01-22	2024-12-09	59296946+imays11@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules_building_block/defense_evasion_services_exe_path.toml	84	11	617	84	13	3	2023-09-05	2025-02-19	26856693+w0rk3r@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules_building_block/lateral_movement_rdp_conn_unusual_process.toml	63	6	617	254	8	3	2023-09-05	2024-09-02	26856693+w0rk3r@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules_building_block/defense_evasion_suspicious_msiexec_execution.toml	77	6	575	198	8	3	2023-10-17	2024-10-28	26856693+w0rk3r@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules_building_block/discovery_generic_registry_query.toml	68	12	653	146	14	6	2023-07-31	2024-12-19	26856693+w0rk3r@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
rules_building_block/initial_access_github_new_user_agent_for_user.toml	54	4	478	156	7	4	2024-01-22	2024-12-09	59296946+imays11@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml	61	4	575	357	6	3	2023-10-17	2024-05-22	26856693+w0rk3r@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules_building_block/defense_evasion_write_dac_access.toml	73	10	622	84	12	3	2023-08-31	2025-02-19	26856693+w0rk3r@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules_building_block/discovery_net_view.toml	101	9	581	198	11	5	2023-10-11	2024-10-28	78494512+aegrah@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules_building_block/discovery_posh_password_policy.toml	111	10	636	198	12	3	2023-08-17	2024-10-28	26856693+w0rk3r@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules_building_block/impact_github_pat_access_revoked.toml	43	4	478	156	7	4	2024-01-22	2024-12-09	59296946+imays11@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules_building_block/discovery_generic_process_discovery.toml	55	14	653	84	16	4	2023-07-31	2025-02-19	26856693+w0rk3r@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules_building_block/discovery_potential_memory_seeking_activity.toml	60	4	463	208	6	3	2024-02-06	2024-10-18	78494512+aegrah@users.noreply.github.com	78494512+aegrah@users.noreply.github.com
rules_building_block/collection_posh_compression.toml	123	13	666	121	13	3	2023-07-18	2025-01-13	26856693+w0rk3r@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml	51	4	285	84	4	2	2024-08-02	2025-02-19	26856693+w0rk3r@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules_building_block/discovery_suspicious_proc_enumeration.toml	73	8	628	357	10	4	2023-08-25	2024-05-22	78494512+aegrah@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules_building_block/discovery_windows_system_information_discovery.toml	64	15	666	84	17	5	2023-07-18	2025-02-19	26856693+w0rk3r@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules_building_block/discovery_process_discovery_via_builtin_tools.toml	54	7	665	357	9	4	2023-07-19	2024-05-22	91139415+shashank-elastic@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules_building_block/collection_archive_data_zip_imageload.toml	62	7	666	357	9	3	2023-07-18	2024-05-22	26856693+w0rk3r@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules_building_block/discovery_posh_generic.toml	268	16	666	119	16	4	2023-07-18	2025-01-15	26856693+w0rk3r@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules_building_block/persistence_github_new_user_added_to_organization.toml	47	4	478	156	7	4	2024-01-22	2024-12-09	59296946+imays11@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules_building_block/discovery_of_domain_groups.toml	49	6	628	357	8	4	2023-08-25	2024-05-22	91139415+shashank-elastic@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules_building_block/credential_access_mdmp_file_creation.toml	91	6	575	121	8	3	2023-10-17	2025-01-13	26856693+w0rk3r@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules_building_block/defense_evasion_download_susp_extension.toml	85	5	595	357	7	3	2023-09-27	2024-05-22	26856693+w0rk3r@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules_building_block/lateral_movement_posh_winrm_activity.toml	107	12	636	119	12	3	2023-08-17	2025-01-15	26856693+w0rk3r@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules_building_block/discovery_linux_system_information_discovery.toml	47	7	665	357	9	4	2023-07-19	2024-05-22	91139415+shashank-elastic@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules_building_block/discovery_linux_system_owner_user_discovery.toml	51	6	665	357	8	4	2023-07-19	2024-05-22	91139415+shashank-elastic@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules_building_block/discovery_capnetraw_capability.toml	77	6	482	188	6	3	2024-01-18	2024-11-07	91139415+shashank-elastic@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules_building_block/privilege_escalation_trap_execution.toml	52	6	628	357	8	4	2023-08-25	2024-05-22	91139415+shashank-elastic@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules_building_block/discovery_system_time_discovery.toml	56	9	581	84	11	4	2023-10-11	2025-02-19	78494512+aegrah@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules_building_block/discovery_post_exploitation_external_ip_lookup.toml	138	4	581	357	6	4	2023-10-11	2024-05-22	78494512+aegrah@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules_building_block/execution_github_new_repo_interaction_for_user.toml	51	4	478	156	7	4	2024-01-22	2024-12-09	59296946+imays11@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml	70	12	609	84	14	3	2023-09-13	2025-02-19	26856693+w0rk3r@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules_building_block/initial_access_github_new_ip_address_for_pat.toml	55	4	478	156	7	4	2024-01-22	2024-12-09	59296946+imays11@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules_building_block/defense_evasion_cmstp_execution.toml	62	11	624	84	13	3	2023-08-29	2025-02-19	26856693+w0rk3r@users.noreply.github.com	26856693+w0rk3r@users.noreply.github.com
rules_building_block/persistence_creation_of_kernel_module.toml	49	7	628	357	9	4	2023-08-25	2024-05-22	91139415+shashank-elastic@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules_building_block/execution_github_repo_created.toml	43	4	478	156	7	4	2024-01-22	2024-12-09	59296946+imays11@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml	61	2	365	357	4	3	2024-05-14	2024-05-22	99630311+terrancedejesus@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules_building_block/discovery_internet_capabilities.toml	57	8	636	357	10	4	2023-08-17	2024-05-22	26856693+w0rk3r@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules_building_block/persistence_github_new_pat_for_user.toml	55	4	478	156	7	4	2024-01-22	2024-12-09	59296946+imays11@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
rules_building_block/discovery_system_network_connections.toml	45	7	665	357	9	4	2023-07-19	2024-05-22	91139415+shashank-elastic@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
hunting/run.py	49	1	223	223	1	1	2024-10-03	2024-10-03	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/azure/queries/entra_authentication_attempts_behind_rare_user_agents.toml	75	1	64	64	1	1	2025-03-11	2025-03-11	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/azure/queries/entra_authentication_attempts_from_abused_hosting_service_providers.toml	85	1	82	82	1	1	2025-02-21	2025-02-21	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/azure/queries/entra_device_code_authentication_from_unusual_principal.toml	50	1	82	82	1	1	2025-02-21	2025-02-21	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/azure/queries/entra_unusual_client_app_auth_request_on_behalf_of_user.toml	55	1	64	64	1	1	2025-03-11	2025-03-11	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/azure/queries/entra_excessive_non_interactive_sfa_sign_ins_across_users.toml	55	1	64	64	1	1	2025-03-11	2025-03-11	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/markdown.py	102	1	223	223	1	1	2024-10-03	2024-10-03	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/search.py	124	1	223	223	1	1	2024-10-03	2024-10-03	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/windows/queries/execution_via_windows_services_with_low_occurrence_frequency.toml	39	2	323	313	2	1	2024-06-25	2024-07-05	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/windows/queries/high_count_of_network_connection_over_extended_period_by_process.toml	65	2	323	313	2	1	2024-06-25	2024-07-05	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/windows/queries/execution_via_windows_management_instrumentation_by_occurrence_frequency_by_unique_agent.toml	45	2	323	313	2	1	2024-06-25	2024-07-05	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/windows/queries/execution_via_windows_scheduled_task_with_low_occurrence_frequency.toml	28	3	336	313	3	2	2024-06-12	2024-07-05	16747370+brokensound77@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/windows/queries/persistence_via_startup_with_low_occurrence_frequency.toml	28	3	336	313	3	2	2024-06-12	2024-07-05	16747370+brokensound77@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/windows/queries/execution_via_network_logon_by_occurrence_frequency_by_top_source_ip.toml	39	3	336	313	3	2	2024-06-12	2024-07-05	16747370+brokensound77@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/windows/queries/execution_via_startup_with_low_occurrence_frequency.toml	31	3	336	313	3	2	2024-06-12	2024-07-05	16747370+brokensound77@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/windows/queries/execution_via_remote_services_by_client_address.toml	27	3	336	313	3	2	2024-06-12	2024-07-05	16747370+brokensound77@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/windows/queries/windows_command_and_scripting_interpreter_from_unusual_parent.toml	27	3	336	313	3	2	2024-06-12	2024-07-05	16747370+brokensound77@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/windows/queries/executable_file_creation_by_an_unusual_microsoft_binary.toml	39	2	323	313	2	1	2024-06-25	2024-07-05	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/windows/queries/microsoft_office_child_processes_with_low_occurrence_frequency.toml	27	3	336	313	3	2	2024-06-12	2024-07-05	16747370+brokensound77@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/windows/queries/unique_windows_services_creation_by_servicefilename.toml	63	2	323	313	2	1	2024-06-25	2024-07-05	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/windows/queries/potential_exfiltration_by_process_total_egress_bytes.toml	30	3	336	313	3	2	2024-06-12	2024-07-05	16747370+brokensound77@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/windows/queries/excessive_smb_network_activity_by_process_id.toml	26	3	336	313	3	2	2024-06-12	2024-07-05	16747370+brokensound77@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/windows/queries/suspicious_base64_encoded_powershell_commands.toml	30	3	336	313	3	2	2024-06-12	2024-07-05	16747370+brokensound77@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/windows/queries/detect_rare_dll_sideload_by_occurrence.toml	45	2	323	313	2	1	2024-06-25	2024-07-05	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/windows/queries/excessive_rdp_network_activity_by_source_host_and_user.toml	36	2	323	313	2	1	2024-06-25	2024-07-05	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/windows/queries/pe_file_transfer_via_smb_admin_shares_by_agent.toml	33	3	336	313	3	2	2024-06-12	2024-07-05	16747370+brokensound77@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/windows/queries/createremotethread_by_source_process_with_low_occurrence.toml	23	3	336	313	3	2	2024-06-12	2024-07-05	16747370+brokensound77@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/windows/queries/detect_masquerading_attempts_as_native_windows_binaries.toml	27	3	336	313	3	2	2024-06-12	2024-07-05	16747370+brokensound77@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/windows/queries/libraries_loaded_by_svchost_with_low_occurrence_frequency.toml	48	2	323	313	2	1	2024-06-25	2024-07-05	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/windows/queries/windows_logon_activity_by_source_ip.toml	29	3	336	313	3	2	2024-06-12	2024-07-05	16747370+brokensound77@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/windows/queries/network_discovery_via_sensitive_ports_by_unusual_process.toml	31	3	336	313	3	2	2024-06-12	2024-07-05	16747370+brokensound77@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/windows/queries/detect_dll_hijack_via_masquerading_as_microsoft_native_libraries.toml	49	2	323	313	2	1	2024-06-25	2024-07-05	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/windows/queries/detect_rare_lsass_process_access_attempts.toml	40	2	323	313	2	1	2024-06-25	2024-07-05	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/windows/queries/scheduled_tasks_creation_for_unique_hosts_by_task_command.toml	34	2	323	313	2	1	2024-06-25	2024-07-05	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/windows/queries/rundll32_execution_aggregated_by_cmdline.toml	29	3	336	313	3	2	2024-06-12	2024-07-05	16747370+brokensound77@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/windows/queries/domain_names_queried_via_lolbins_and_with_low_occurence_frequency.toml	26	2	323	313	2	1	2024-06-25	2024-07-05	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/windows/queries/drivers_load_with_low_occurrence_frequency.toml	45	2	323	313	2	1	2024-06-25	2024-07-05	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/windows/queries/scheduled_task_creation_by_action_via_registry.toml	30	3	336	313	3	2	2024-06-12	2024-07-05	16747370+brokensound77@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/windows/queries/persistence_via_run_key_with_low_occurrence_frequency.toml	45	2	323	313	2	1	2024-06-25	2024-07-05	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/windows/queries/suspicious_dns_txt_record_lookups_by_process.toml	26	4	336	252	4	2	2024-06-12	2024-09-04	16747370+brokensound77@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/aws/queries/iam_unusual_access_key_usage_for_user.toml	46	1	153	153	1	1	2024-12-12	2024-12-12	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/aws/queries/s3_public_bucket_rapid_object_access_attempts.toml	30	2	252	223	2	1	2024-09-04	2024-10-03	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/aws/queries/sns_topic_message_published_by_rare_user.toml	32	1	83	83	1	1	2025-02-20	2025-02-20	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/aws/queries/ssm_rare_sendcommand_code_execution.toml	27	1	252	252	1	1	2024-09-04	2024-09-04	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/aws/queries/ec2_discovery_multi_region_describe_instance_calls.toml	31	1	252	252	1	1	2024-09-04	2024-09-04	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/aws/queries/lambda_add_permissions_for_write_actions_to_function.toml	30	2	252	210	2	1	2024-09-04	2024-10-16	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/aws/queries/ec2_modify_instance_attribute_user_data.toml	27	1	252	252	1	1	2024-09-04	2024-09-04	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/aws/queries/iam_assume_role_creation_with_attached_policy.toml	32	2	252	210	2	1	2024-09-04	2024-10-16	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/aws/queries/iam_unusual_default_aviatrix_role_activity.toml	29	2	106	99	2	1	2025-01-28	2025-02-04	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/aws/queries/iam_user_creation_with_administrator_policy_assigned.toml	31	1	252	252	1	1	2024-09-04	2024-09-04	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/aws/queries/sns_topic_created_by_rare_user.toml	32	1	83	83	1	1	2025-02-20	2025-02-20	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/aws/queries/sns_email_subscription_by_rare_user.toml	31	1	83	83	1	1	2025-02-20	2025-02-20	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/aws/queries/iam_user_activity_with_no_mfa_session.toml	25	1	252	252	1	1	2024-09-04	2024-09-04	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/aws/queries/multiple_service_logging_deleted_or_stopped.toml	29	1	252	252	1	1	2024-09-04	2024-09-04	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/aws/queries/ssm_sendcommand_api_used_by_ec2_instance.toml	27	2	252	210	2	1	2024-09-04	2024-10-16	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/aws/queries/servicequotas_discovery_multi_region_get_service_quota_calls.toml	37	1	252	252	1	1	2024-09-04	2024-09-04	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/aws/queries/ec2_high_instance_deployment_count_attempts.toml	37	1	252	252	1	1	2024-09-04	2024-09-04	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/aws/queries/signin_single_factor_console_login_via_federated_session.toml	27	2	252	210	2	1	2024-09-04	2024-10-16	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/aws/queries/ssm_start_remote_session_to_ec2_instance.toml	25	1	252	252	1	1	2024-09-04	2024-09-04	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/aws/queries/secretsmanager_high_frequency_get_secret_value.toml	30	1	252	252	1	1	2024-09-04	2024-09-04	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/aws/queries/sns_direct_to_phone_messaging_spike.toml	35	1	83	83	1	1	2025-02-20	2025-02-20	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/aws/queries/ec2_suspicious_get_user_password_request.toml	28	1	252	252	1	1	2024-09-04	2024-09-04	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/aws/queries/iam_customer_managed_policies_attached_to_existing_roles.toml	32	1	189	189	1	1	2024-11-06	2024-11-06	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/aws/queries/sts_suspicious_federated_temporary_credential_request.toml	31	2	252	210	2	1	2024-09-04	2024-10-16	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/__main__.py	161	1	223	223	1	1	2024-10-03	2024-10-03	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/llm/queries/aws_bedrock_ignore_previous_prompt_detection.toml	35	1	243	243	1	1	2024-09-13	2024-09-13	91139415+shashank-elastic@users.noreply.github.com	91139415+shashank-elastic@users.noreply.github.com
hunting/llm/queries/aws_bedrock_dos_resource_exhaustion_detection.toml	35	2	323	313	2	1	2024-06-25	2024-07-05	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/llm/queries/aws_bedrock_sensitive_content_refusal_detection.toml	28	2	323	313	2	1	2024-06-25	2024-07-05	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/llm/queries/aws_bedrock_latency_anomalies_detection.toml	30	2	323	313	2	1	2024-06-25	2024-07-05	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/__init__.py	1	1	376	376	1	1	2024-05-03	2024-05-03	mikaayenson@users.noreply.github.com	mikaayenson@users.noreply.github.com
hunting/utils.py	79	1	223	223	1	1	2024-10-03	2024-10-03	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/okta/queries/defense_evasion_multiple_application_sso_authentication_repeat_source.toml	35	1	223	223	1	1	2024-10-03	2024-10-03	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/okta/queries/persistence_rare_domain_with_user_authentication.toml	30	1	223	223	1	1	2024-10-03	2024-10-03	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/okta/queries/credential_access_rapid_reset_password_requests_for_different_users.toml	30	1	223	223	1	1	2024-10-03	2024-10-03	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/okta/queries/initial_access_impossible_travel_sign_on.toml	30	1	223	223	1	1	2024-10-03	2024-10-03	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/okta/queries/initial_access_higher_than_average_failed_authentication.toml	37	1	223	223	1	1	2024-10-03	2024-10-03	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/okta/queries/defense_evasion_failed_oauth_access_token_retrieval_via_public_client_app.toml	35	2	223	210	2	1	2024-10-03	2024-10-16	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/okta/queries/defense_evasion_rare_oauth_access_token_granted_by_application.toml	36	1	223	223	1	1	2024-10-03	2024-10-03	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/okta/queries/persistence_multi_factor_push_notification_bombing.toml	28	1	223	223	1	1	2024-10-03	2024-10-03	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/okta/queries/credential_access_mfa_bombing_push_notications.toml	30	1	223	223	1	1	2024-10-03	2024-10-03	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/okta/queries/defense_evasion_multiple_client_sources_reported_for_oauth_access_tokens_granted.toml	36	1	223	223	1	1	2024-10-03	2024-10-03	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/okta/queries/initial_access_password_spraying_from_repeat_source.toml	35	1	223	223	1	1	2024-10-03	2024-10-03	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/macos/queries/persistence_via_suspicious_launch_agent_or_launch_daemon_with_low_occurrence.toml	27	1	308	308	1	1	2024-07-10	2024-07-10	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/macos/queries/suspicious_network_connections_by_unsigned_macho.toml	32	3	336	313	3	2	2024-06-12	2024-07-05	16747370+brokensound77@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/definitions.py	39	2	223	210	2	1	2024-10-03	2024-10-16	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/linux/queries/persistence_general_kernel_manipulation.toml	73	1	98	98	1	1	2025-02-05	2025-02-05	78494512+aegrah@users.noreply.github.com	78494512+aegrah@users.noreply.github.com
hunting/linux/queries/persistence_via_rpm_dpkg_installer_packages.toml	76	1	127	127	1	1	2025-01-07	2025-01-07	78494512+aegrah@users.noreply.github.com	78494512+aegrah@users.noreply.github.com
hunting/linux/queries/persistence_via_systemd_timers.toml	180	1	313	313	1	1	2024-07-05	2024-07-05	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/linux/queries/persistence_via_ssh_configurations_and_keys.toml	85	3	313	121	3	2	2024-07-05	2025-01-13	99630311+terrancedejesus@users.noreply.github.com	78494512+aegrah@users.noreply.github.com
hunting/linux/queries/persistence_via_xdg_autostart_modifications.toml	115	2	313	107	2	2	2024-07-05	2025-01-27	99630311+terrancedejesus@users.noreply.github.com	78494512+aegrah@users.noreply.github.com
hunting/linux/queries/persistence_via_package_manager.toml	85	3	313	107	3	2	2024-07-05	2025-01-27	99630311+terrancedejesus@users.noreply.github.com	78494512+aegrah@users.noreply.github.com
hunting/linux/queries/persistence_via_sysv_init.toml	71	1	310	310	1	1	2024-07-08	2024-07-08	78494512+aegrah@users.noreply.github.com	78494512+aegrah@users.noreply.github.com
hunting/linux/queries/low_volume_external_network_connections_from_process.toml	38	1	313	313	1	1	2024-07-05	2024-07-05	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/linux/queries/persistence_via_loadable_kernel_modules.toml	74	1	127	127	1	1	2025-01-07	2025-01-07	78494512+aegrah@users.noreply.github.com	78494512+aegrah@users.noreply.github.com
hunting/linux/queries/privilege_escalation_via_suid_binaries.toml	54	1	313	313	1	1	2024-07-05	2024-07-05	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/linux/queries/persistence_via_udev.toml	90	3	313	107	3	2	2024-07-05	2025-01-27	99630311+terrancedejesus@users.noreply.github.com	78494512+aegrah@users.noreply.github.com
hunting/linux/queries/privilege_escalation_via_segmentation_fault_and_buffer_overflow.toml	39	1	313	313	1	1	2024-07-05	2024-07-05	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/linux/queries/login_activity_by_source_address.toml	30	2	313	103	2	2	2024-07-05	2025-01-31	99630311+terrancedejesus@users.noreply.github.com	78494512+aegrah@users.noreply.github.com
hunting/linux/queries/persistence_via_driver_load_with_low_occurrence_frequency.toml	30	2	313	127	2	2	2024-07-05	2025-01-07	99630311+terrancedejesus@users.noreply.github.com	78494512+aegrah@users.noreply.github.com
hunting/linux/queries/defense_evasion_via_hidden_process_execution.toml	28	1	313	313	1	1	2024-07-05	2024-07-05	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/linux/queries/command_and_control_via_unusual_file_downloads_from_source_addresses.toml	28	1	313	313	1	1	2024-07-05	2024-07-05	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/linux/queries/defense_evasion_via_capitalized_process_execution.toml	30	1	313	313	1	1	2024-07-05	2024-07-05	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/linux/queries/low_volume_modifications_to_critical_system_binaries.toml	36	1	313	313	1	1	2024-07-05	2024-07-05	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/linux/queries/persistence_via_grub_bootloader.toml	101	1	107	107	1	1	2025-01-27	2025-01-27	78494512+aegrah@users.noreply.github.com	78494512+aegrah@users.noreply.github.com
hunting/linux/queries/command_and_control_via_network_connections_with_low_occurrence_frequency_for_unique_agents.toml	65	1	313	313	1	1	2024-07-05	2024-07-05	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/linux/queries/privilege_escalation_via_existing_sudoers.toml	21	1	313	313	1	1	2024-07-05	2024-07-05	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/linux/queries/persistence_via_rc_local.toml	66	1	313	313	1	1	2024-07-05	2024-07-05	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/linux/queries/persistence_via_message_of_the_day.toml	67	1	313	313	1	1	2024-07-05	2024-07-05	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/linux/queries/persistence_via_web_shell.toml	48	1	127	127	1	1	2025-01-07	2025-01-07	78494512+aegrah@users.noreply.github.com	78494512+aegrah@users.noreply.github.com
hunting/linux/queries/persistence_via_network_manager_dispatcher_script.toml	65	1	97	97	1	1	2025-02-06	2025-02-06	78494512+aegrah@users.noreply.github.com	78494512+aegrah@users.noreply.github.com
hunting/linux/queries/persistence_via_policykit.toml	64	1	98	98	1	1	2025-02-05	2025-02-05	78494512+aegrah@users.noreply.github.com	78494512+aegrah@users.noreply.github.com
hunting/linux/queries/excessive_ssh_network_activity_unique_destinations.toml	29	1	313	313	1	1	2024-07-05	2024-07-05	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/linux/queries/persistence_via_cron.toml	97	1	313	313	1	1	2024-07-05	2024-07-05	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/linux/queries/persistence_via_dynamic_linker_hijacking.toml	89	1	127	127	1	1	2025-01-07	2025-01-07	78494512+aegrah@users.noreply.github.com	78494512+aegrah@users.noreply.github.com
hunting/linux/queries/persistence_via_shell_modification_persistence.toml	99	2	313	307	2	2	2024-07-05	2024-07-11	99630311+terrancedejesus@users.noreply.github.com	78494512+aegrah@users.noreply.github.com
hunting/linux/queries/persistence_via_unusual_system_binary_parent.toml	28	1	313	313	1	1	2024-07-05	2024-07-05	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/linux/queries/persistence_via_desktop_bus.toml	78	1	98	98	1	1	2025-02-05	2025-02-05	78494512+aegrah@users.noreply.github.com	78494512+aegrah@users.noreply.github.com
hunting/linux/queries/persistence_via_initramfs.toml	66	1	107	107	1	1	2025-01-27	2025-01-27	78494512+aegrah@users.noreply.github.com	78494512+aegrah@users.noreply.github.com
hunting/linux/queries/persistence_via_user_group_creation_modification.toml	38	1	313	313	1	1	2024-07-05	2024-07-05	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/linux/queries/persistence_reverse_bind_shells.toml	46	1	313	313	1	1	2024-07-05	2024-07-05	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/linux/queries/persistence_via_malicious_docker_container.toml	68	1	127	127	1	1	2025-01-07	2025-01-07	78494512+aegrah@users.noreply.github.com	78494512+aegrah@users.noreply.github.com
hunting/linux/queries/defense_evasion_via_multi_dot_process_execution.toml	27	1	313	313	1	1	2024-07-05	2024-07-05	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/linux/queries/persistence_via_git_hook_pager.toml	77	2	313	107	2	2	2024-07-05	2025-01-27	99630311+terrancedejesus@users.noreply.github.com	78494512+aegrah@users.noreply.github.com
hunting/linux/queries/execution_uncommon_process_execution_from_suspicious_directory.toml	46	1	313	313	1	1	2024-07-05	2024-07-05	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/linux/queries/privilege_escalation_via_process_capabilities.toml	47	1	313	313	1	1	2024-07-05	2024-07-05	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/linux/queries/low_volume_gtfobins_external_network_connections.toml	35	1	313	313	1	1	2024-07-05	2024-07-05	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
hunting/linux/queries/persistence_via_pluggable_authentication_module.toml	78	2	127	107	2	1	2025-01-07	2025-01-27	78494512+aegrah@users.noreply.github.com	78494512+aegrah@users.noreply.github.com
hunting/linux/queries/low_volume_process_injection_syscalls_by_executable.toml	27	1	313	313	1	1	2024-07-05	2024-07-05	99630311+terrancedejesus@users.noreply.github.com	99630311+terrancedejesus@users.noreply.github.com
lib/kibana/pyproject.toml	26	7	425	194	8	3	2024-03-15	2024-11-01	mikaayenson@users.noreply.github.com	119343520+eric-forte-elastic@users.noreply.github.com
lib/kibana/kibana/connector.py	33	5	425	194	6	3	2024-03-15	2024-11-01	mikaayenson@users.noreply.github.com	119343520+eric-forte-elastic@users.noreply.github.com
lib/kibana/kibana/resources.py	243	3	425	281	4	3	2024-03-15	2024-08-06	mikaayenson@users.noreply.github.com	119343520+eric-forte-elastic@users.noreply.github.com
lib/kibana/kibana/__init__.py	8	4	425	194	5	3	2024-03-15	2024-11-01	mikaayenson@users.noreply.github.com	119343520+eric-forte-elastic@users.noreply.github.com
lib/kibana/kibana/definitions.py	53	1	383	383	1	1	2024-04-26	2024-04-26	16747370+brokensound77@users.noreply.github.com	16747370+brokensound77@users.noreply.github.com
lib/kql/pyproject.toml	28	3	425	404	4	2	2024-03-15	2024-04-05	mikaayenson@users.noreply.github.com	119343520+eric-forte-elastic@users.noreply.github.com
lib/kql/kql/kql2eql.py	64	1	425	425	2	1	2024-03-15	2024-03-15	mikaayenson@users.noreply.github.com	mikaayenson@users.noreply.github.com
lib/kql/kql/dsl.py	82	1	425	425	2	1	2024-03-15	2024-03-15	mikaayenson@users.noreply.github.com	mikaayenson@users.noreply.github.com
lib/kql/kql/evaluator.py	112	1	425	425	2	1	2024-03-15	2024-03-15	mikaayenson@users.noreply.github.com	mikaayenson@users.noreply.github.com
lib/kql/kql/parser.py	265	2	425	405	3	2	2024-03-15	2024-04-04	mikaayenson@users.noreply.github.com	119343520+eric-forte-elastic@users.noreply.github.com
lib/kql/kql/eql2kql.py	91	1	425	425	2	1	2024-03-15	2024-03-15	mikaayenson@users.noreply.github.com	mikaayenson@users.noreply.github.com
lib/kql/kql/kql.g	40	1	425	425	2	1	2024-03-15	2024-03-15	mikaayenson@users.noreply.github.com	mikaayenson@users.noreply.github.com
lib/kql/kql/errors.py	4	1	425	425	2	1	2024-03-15	2024-03-15	mikaayenson@users.noreply.github.com	mikaayenson@users.noreply.github.com
lib/kql/kql/__init__.py	52	3	425	394	4	2	2024-03-15	2024-04-15	mikaayenson@users.noreply.github.com	119343520+eric-forte-elastic@users.noreply.github.com
lib/kql/kql/optimizer.py	91	1	425	425	2	1	2024-03-15	2024-03-15	mikaayenson@users.noreply.github.com	mikaayenson@users.noreply.github.com
lib/kql/kql/ast.py	91	1	425	425	2	1	2024-03-15	2024-03-15	mikaayenson@users.noreply.github.com	mikaayenson@users.noreply.github.com