An overview of contributor trends.
Committed in past 6 months (a rookie = the first commit in past year)
No contributors in past 30 days.
Past 31 to 90 days (10):
Past 91 to 180 days (3):
Last contributors more than 6 months ago
Contributor | Commits (3m) | Commit Days |
---|---|---|
119343520+eric-forte-elastic@users.noreply.github.com | 4 | 44 |
64742097+samirbous@users.noreply.github.com | 5 | 138 |
91139415+shashank-elastic@users.noreply.github.com | 6 | 108 |
78494512+aegrah@users.noreply.github.com | 22 | 113 |
99630311+terrancedejesus@users.noreply.github.com | 9 | 167 |
traut@users.noreply.github.com | 4 | 5 |
109447885+sodhikirti07@users.noreply.github.com | 1 | 3 |
sergey@polzunov.com | 1 | 1 |
mikaayenson@users.noreply.github.com | 1 | 94 |
26856693+w0rk3r@users.noreply.github.com | 7 | 143 |
65730960+jvalente-salemstate@users.noreply.github.com | - | 4 |
105589633+rad9800@users.noreply.github.com | - | 1 |
59296946+imays11@users.noreply.github.com | - | 44 |
terrance.dejesus@elastic.co | - | 3 |
72879786+protectionsmachine@users.noreply.github.com | - | 8 |
thijsxhaflaire31@hotmail.com | - | 1 |
mika.ayenson@elastic.co | - | 17 |
eric.forte@elastic.co | - | 1 |
16747370+brokensound77@users.noreply.github.com | - | 18 |
dante.gpap@gmail.com | - | 1 |
61625853+ar3diu@users.noreply.github.com | - | 2 |
56411054+joe-desimone@users.noreply.github.com | - | 3 |
56378862+jesse-sant@users.noreply.github.com | - | 1 |
krish.reddy91@gmail.com | - | 1 |
109789828+anhuisec@users.noreply.github.com | - | 1 |
10844131+jmcarlock@users.noreply.github.com | - | 1 |
48036388+defsecsentinel@users.noreply.github.com | - | 11 |
herrbez@users.noreply.github.com | - | 1 |
23287722+susan-shu-c@users.noreply.github.com | - | 2 |
alexcote1rocks@gmail.com | - | 2 |
leandrojmp@gmail.com | - | 1 |
bousseaden.samir@gmail.com | - | 2 |
30438249+ajosh0504@users.noreply.github.com | - | 22 |
26614684+makowish@users.noreply.github.com | - | 10 |
a.songer@protonmail.com | - | 16 |
hilt@threatbear.co | - | 1 |
steven.ross@elastic.co | - | 1 |
a.alwashli@gmail.com | - | 1 |
99642919+1337-42@users.noreply.github.com | - | 1 |
karl.godard@elastic.co | - | 2 |
56399229+charlie-pichette@users.noreply.github.com | - | 1 |
nicpenning@gmail.com | - | 3 |
brokensound77@users.noreply.github.com | - | 132 |
10544080+xavigpich@users.noreply.github.com | - | 1 |
jonhnathancesar@gmail.com | - | 70 |
36169753+tdefise@users.noreply.github.com | - | 1 |
totalknob@users.noreply.github.com | - | 3 |
57149392+jmikell821@users.noreply.github.com | - | 1 |
randomuserid@users.noreply.github.com | - | 7 |
29960025+bfilar@users.noreply.github.com | - | 2 |
pjhampton@users.noreply.github.com | - | 1 |
43416543+abdelmoumene-hadfi@users.noreply.github.com | - | 1 |
damiapoquet@users.noreply.github.com | - | 1 |
stijnholzhauer+git@gmail.com | - | 3 |
nikita.khristinin@elastic.co | - | 4 |
richard.boyd@elastic.co | - | 1 |
austin@songer.pro | - | 14 |
trevormiller6@gmail.com | - | 1 |
ozale272@newschool.edu | - | 2 |
dennisperto@gmail.com | - | 2 |
adrisr83@gmail.com | - | 1 |
31489089+rw-access@users.noreply.github.com | - | 70 |
56409778+threat-punter@users.noreply.github.com | - | 20 |
7442091+peasead@users.noreply.github.com | - | 12 |
nkhristinin@gmail.com | - | 1 |
57736958+dstepanic17@users.noreply.github.com | - | 6 |
cclauss@me.com | - | 1 |
38275584+dishadasgupta@users.noreply.github.com | - | 1 |
ogupte@users.noreply.github.com | - | 1 |
56412096+bm11100@users.noreply.github.com | - | 37 |
36789353+skoetting@users.noreply.github.com | - | 1 |
andrew.stucki@elastic.co | - | 1 |
33020901+janniten@users.noreply.github.com | - | 1 |
dcode@users.noreply.github.com | - | 2 |
58222969+seth-goodwin@users.noreply.github.com | - | 3 |
56395104+kevinlog@users.noreply.github.com | - | 1 |
shravaka@protonmail.com | - | 1 |
yctercero@users.noreply.github.com | - | 1 |
spong@users.noreply.github.com | - | 3 |
19266650+devonakerr@users.noreply.github.com | - | 1 |
54019610+benskelker@users.noreply.github.com | - | 1 |
phra@users.noreply.github.com | - | 1 |
seaerkin@gmail.com | - | 1 |
No commits in past 30 days.
10 contributors (60 commits):
# | Contributor | First Commit | Latest Commit | Commits Count | File Updates (per extension) |
---|---|---|---|---|---|
1. | 64742097+samirbous@users.noreply.github.com | 2020-07-08 | 2025-03-14 | 5 (8%) | toml (5) |
2. | 78494512+aegrah@users.noreply.github.com | 2023-01-18 | 2025-03-12 | 22 (36%) | toml (24) |
3. | 26856693+w0rk3r@users.noreply.github.com | 2022-11-01 | 2025-02-28 | 7 (11%) | toml (216), py (1) |
4. | 99630311+terrancedejesus@users.noreply.github.com | 2022-03-03 | 2025-03-11 | 9 (15%) | toml (17), md (12), yaml (3), json (1) |
5. | mikaayenson@users.noreply.github.com | 2022-02-22 | 2025-03-04 | 1 (1%) | toml (3) |
6. | 91139415+shashank-elastic@users.noreply.github.com | 2022-03-02 | 2025-03-14 | 6 (10%) | toml (43), py (2) |
7. | 119343520+eric-forte-elastic@users.noreply.github.com | 2023-02-07 | 2025-03-15 | 4 (6%) | md (7), toml (4), py (4), yaml (1) |
8. | traut@users.noreply.github.com | 2025-02-06 | 2025-03-07 | 4 (6%) | md (17), py (12), png (12), yaml (6), toml (2) |
9. | 109447885+sodhikirti07@users.noreply.github.com | 2024-06-19 | 2025-03-06 | 1 (1%) | toml (2) |
10. | sergey@polzunov.com | 2025-03-06 | 2025-03-06 | 1 (1%) | md (15), png (12) |
A contributor dependency is detected if two contributors have changed the same files in the past 90 days.
The number on each line shows how many of the same files both persons changed in the past 90 days.
# | Contributor 1 | Contributor 2 | # shared files | Files |
---|---|---|---|---|
1. | traut@users.noreply.github.com | 119343520+eric-forte-elastic@users.noreply.github.com | 6 | detection_rules/main.py, detection_rules/custom_rules.py, README.md, pyproject.toml, docs-dev/experimental-machine-learning/experimental-detections.md, CLI.md |
2. | 26856693+w0rk3r@users.noreply.github.com | 64742097+samirbous@users.noreply.github.com | 2 | rules/windows/defense_evasion_via_filter_manager.toml, rules/windows/lateral_movement_remote_file_copy_hidden_share.toml |
3. | 91139415+shashank-elastic@users.noreply.github.com | 26856693+w0rk3r@users.noreply.github.com | 2 | pyproject.toml, tests/test_all_rules.py |
4. | 91139415+shashank-elastic@users.noreply.github.com | traut@users.noreply.github.com | 2 | pyproject.toml, tests/test_all_rules.py |
5. | 26856693+w0rk3r@users.noreply.github.com | traut@users.noreply.github.com | 2 | pyproject.toml, tests/test_all_rules.py |
6. | 91139415+shashank-elastic@users.noreply.github.com | 99630311+terrancedejesus@users.noreply.github.com | 1 | pyproject.toml |
7. | 91139415+shashank-elastic@users.noreply.github.com | 119343520+eric-forte-elastic@users.noreply.github.com | 1 | pyproject.toml |
8. | 26856693+w0rk3r@users.noreply.github.com | 99630311+terrancedejesus@users.noreply.github.com | 1 | pyproject.toml |
9. | 26856693+w0rk3r@users.noreply.github.com | 119343520+eric-forte-elastic@users.noreply.github.com | 1 | pyproject.toml |
10. | 99630311+terrancedejesus@users.noreply.github.com | 119343520+eric-forte-elastic@users.noreply.github.com | 1 | pyproject.toml |
11. | 99630311+terrancedejesus@users.noreply.github.com | traut@users.noreply.github.com | 1 | pyproject.toml |
# | Contributor | # connections | # commits |
---|---|---|---|
1. | 26856693+w0rk3r@users.noreply.github.com | 5 | 7 |
2. | 99630311+terrancedejesus@users.noreply.github.com | 4 | 9 |
3. | 91139415+shashank-elastic@users.noreply.github.com | 4 | 6 |
4. | 119343520+eric-forte-elastic@users.noreply.github.com | 4 | 4 |
5. | traut@users.noreply.github.com | 4 | 4 |
6. | 64742097+samirbous@users.noreply.github.com | 1 | 5 |
7. | 78494512+aegrah@users.noreply.github.com | 0 | 22 |
8. | mikaayenson@users.noreply.github.com | 0 | 1 |
9. | 109447885+sodhikirti07@users.noreply.github.com | 0 | 1 |
10. | sergey@polzunov.com | 0 | 1 |
C-median: 4.0
Half of the contributors have more than 4.0 connections and half have fewer.
C-mean: 3.6
The average number of connections a contributor has with other contributors.
C-index: 4.0
There are 4.0 contributors with 4.0 or more connections.
13 contributors (195 commits):
# | Contributor | First Commit | Latest Commit | Commits Count |
---|---|---|---|---|
1. | 64742097+samirbous@users.noreply.github.com | 2020-07-08 | 2025-03-14 | 12 (6%) |
2. | 78494512+aegrah@users.noreply.github.com | 2023-01-18 | 2025-03-12 | 77 (39%) |
3. | 26856693+w0rk3r@users.noreply.github.com | 2022-11-01 | 2025-02-28 | 28 (14%) |
4. | 99630311+terrancedejesus@users.noreply.github.com | 2022-03-03 | 2025-03-11 | 35 (17%) |
5. | mikaayenson@users.noreply.github.com | 2022-02-22 | 2025-03-04 | 4 (2%) |
6. | 91139415+shashank-elastic@users.noreply.github.com | 2022-03-02 | 2025-03-14 | 22 (11%) |
7. | 59296946+imays11@users.noreply.github.com | 2022-04-07 | 2024-12-06 | 1 (<1%) |
8. | 119343520+eric-forte-elastic@users.noreply.github.com | 2023-02-07 | 2025-03-15 | 6 (3%) |
9. | traut@users.noreply.github.com | 2025-02-06 | 2025-03-07 | 6 (3%) |
10. | 65730960+jvalente-salemstate@users.noreply.github.com | 2024-05-30 | 2025-01-13 | 1 (<1%) |
11. | 109447885+sodhikirti07@users.noreply.github.com | 2024-06-19 | 2025-03-06 | 1 (<1%) |
12. | sergey@polzunov.com | 2025-03-06 | 2025-03-06 | 1 (<1%) |
13. | 105589633+rad9800@users.noreply.github.com | 2024-12-25 | 2024-12-25 | 1 (<1%) |
A contributor dependency is detected if two contributors have changed the same files in the past 180 days.
The number on each line shows how many of the same files both persons changed in the past 180 days.
# | Contributor 1 | Contributor 2 | # shared files |
---|---|---|---|
1. | 26856693+w0rk3r@users.noreply.github.com | mikaayenson@users.noreply.github.com | 292 |
2. | 91139415+shashank-elastic@users.noreply.github.com | mikaayenson@users.noreply.github.com | 131 |
3. | 78494512+aegrah@users.noreply.github.com | mikaayenson@users.noreply.github.com | 95 |
4. | 99630311+terrancedejesus@users.noreply.github.com | mikaayenson@users.noreply.github.com |
77 shared files
rules/integrations/github/persistence_github_org_owner_added.toml rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml rules/integrations/azure/credential_access_first_time_seen_device_code_auth.toml rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml rules/integrations/okta/credential_access_okta_potentially_successful_okta_bombing_via_push_notifications.toml rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml rules/integrations/okta/credential_access_multiple_auth_events_from_single_device_behind_proxy.toml rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml rules/integrations/aws/persistence_iam_create_login_profile_for_root.toml rules/integrations/endpoint/execution_elastic_malicious_file_prevented.toml rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml rules/integrations/github/persistence_organization_owner_role_granted.toml rules/integrations/okta/impact_possible_okta_dos_attack.toml rules/integrations/aws/discovery_ec2_deprecated_ami_discovery.toml rules/integrations/okta/okta_threatinsight_threat_suspected_promotion.toml rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_from_single_source.toml rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml rules/integrations/azure/credential_access_azure_entra_totp_brute_force_attempts.toml rules/integrations/endpoint/impact_elastic_ransomware_prevented.toml rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml rules/integrations/aws/exfiltration_sns_email_subscription_by_rare_user.toml 
rules/integrations/okta/initial_access_okta_user_sessions_started_from_different_geolocations.toml rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.toml rules/integrations/okta/credential_access_multiple_device_token_hashes_for_single_okta_session.toml rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml rules/integrations/aws/defense_evasion_sqs_purge_queue.toml rules/integrations/github/impact_github_repository_deleted.toml rules/integrations/github/execution_github_app_deleted.toml rules/integrations/okta/credential_access_okta_mfa_bombing_via_push_notifications.toml rules/integrations/okta/initial_access_new_authentication_behavior_detection.toml rules/integrations/endpoint/defense_evasion_elastic_memory_threat_detected.toml rules/integrations/okta/initial_access_sign_in_events_via_third_party_idp.toml rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml rules/integrations/okta/initial_access_successful_application_sso_from_unknown_client_device.toml rules/integrations/endpoint/defense_evasion_elastic_memory_threat_prevented.toml rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml rules/integrations/okta/credential_access_user_impersonation_access.toml rules/integrations/okta/defense_evasion_first_occurence_public_app_client_credential_token_exchange.toml rules/integrations/aws/execution_ssm_sendcommand_by_rare_user.toml rules/integrations/endpoint/impact_elastic_ransomware_detected.toml rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml 
rules/integrations/aws/lateral_movement_ec2_instance_connect_ssh_public_key_uploaded.toml rules/integrations/okta/persistence_new_idp_successfully_added_by_admin.toml rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml rules/cross-platform/guided_onboarding_sample_rule.toml pyproject.toml rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml rules/integrations/github/defense_evasion_github_protected_branch_settings_changed.toml rules/integrations/endpoint/execution_elastic_malicious_file_detected.toml rules/integrations/endpoint/elastic_endpoint_security_behavior_prevented.toml rules/integrations/github/execution_github_ueba_multiple_behavior_alerts_from_account.toml rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml rules/integrations/okta/credential_access_okta_multiple_device_token_hashes_for_single_user.toml rules/integrations/okta/initial_access_okta_fastpass_phishing.toml rules/integrations/okta/persistence_mfa_deactivation_with_no_reactivation.toml rules/integrations/aws/collection_s3_unauthenticated_bucket_access_by_rare_source.toml rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml rules/integrations/endpoint/elastic_endpoint_security.toml rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml rules/integrations/aws/exfiltration_ec2_ebs_snapshot_shared_with_another_account.toml rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml rules/integrations/aws/privilege_escalation_role_assumption_by_service.toml rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml 
rules/integrations/aws/privilege_escalation_sts_assume_root_from_rare_user_and_member_account.toml rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_with_the_same_device_token_hash.toml rules/integrations/github/execution_new_github_app_installed.toml rules/integrations/aws/credential_access_retrieve_secure_string_parameters_via_ssm.toml |
5. | 91139415+shashank-elastic@users.noreply.github.com | 99630311+terrancedejesus@users.noreply.github.com |
74 shared files
rules/integrations/github/persistence_github_org_owner_added.toml rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml rules/integrations/okta/credential_access_okta_potentially_successful_okta_bombing_via_push_notifications.toml rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml rules/integrations/okta/credential_access_multiple_auth_events_from_single_device_behind_proxy.toml rules_building_block/execution_github_new_repo_interaction_for_user.toml rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml rules_building_block/impact_github_user_blocked_from_organization.toml rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml rules_building_block/impact_github_pat_access_revoked.toml rules_building_block/initial_access_github_new_user_agent_for_pat.toml rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml rules/integrations/github/persistence_organization_owner_role_granted.toml rules_building_block/persistence_github_new_user_added_to_organization.toml rules/integrations/okta/impact_possible_okta_dos_attack.toml rules/integrations/okta/okta_threatinsight_threat_suspected_promotion.toml rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_from_single_source.toml rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml rules/integrations/aws/discovery_ec2_userdata_request_for_ec2_instance.toml .github/workflows/lock-versions.yml rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml 
rules/integrations/okta/initial_access_okta_user_sessions_started_from_different_geolocations.toml rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml rules/integrations/okta/credential_access_multiple_device_token_hashes_for_single_okta_session.toml rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml rules/integrations/github/impact_github_repository_deleted.toml rules/integrations/github/execution_github_app_deleted.toml rules_building_block/initial_access_github_new_ip_address_for_pat.toml rules_building_block/initial_access_github_new_user_agent_for_user.toml rules/integrations/okta/credential_access_okta_mfa_bombing_via_push_notifications.toml rules/integrations/okta/initial_access_new_authentication_behavior_detection.toml rules/integrations/okta/initial_access_sign_in_events_via_third_party_idp.toml rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml rules/integrations/okta/initial_access_successful_application_sso_from_unknown_client_device.toml rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml rules_building_block/initial_access_github_new_ip_address_for_user.toml rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml rules_building_block/execution_github_repo_created.toml rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml rules/integrations/okta/credential_access_user_impersonation_access.toml rules/integrations/okta/defense_evasion_first_occurence_public_app_client_credential_token_exchange.toml rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml rules_building_block/execution_github_repo_interaction_from_new_ip.toml rules/integrations/okta/persistence_new_idp_successfully_added_by_admin.toml 
rules_building_block/persistence_github_new_pat_for_user.toml detection_rules/devtools.py rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml pyproject.toml rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml rules/integrations/aws/credential_access_rapid_secret_retrieval_attempts_from_secretsmanager.toml rules/integrations/github/defense_evasion_github_protected_branch_settings_changed.toml rules/integrations/aws/credential_access_new_terms_secretsmanager_getsecretvalue.toml rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml rules/integrations/okta/credential_access_okta_multiple_device_token_hashes_for_single_user.toml rules/integrations/okta/initial_access_okta_fastpass_phishing.toml rules/integrations/okta/persistence_mfa_deactivation_with_no_reactivation.toml rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml rules/integrations/aws/persistence_ec2_route_table_modified_or_deleted.toml rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml rules_building_block/execution_github_new_event_action_for_pat.toml rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml rules_building_block/execution_github_new_repo_interaction_for_pat.toml rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_with_the_same_device_token_hash.toml rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml rules_building_block/impact_github_member_removed_from_organization.toml 
rules/integrations/github/execution_new_github_app_installed.toml |
6. | 91139415+shashank-elastic@users.noreply.github.com | 26856693+w0rk3r@users.noreply.github.com |
59 shared files
rules/windows/defense_evasion_via_filter_manager.toml rules/windows/execution_command_shell_started_by_svchost.toml rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml rules/linux/command_and_control_linux_ssh_x11_forwarding.toml rules/linux/command_and_control_linux_chisel_server_activity.toml rules/windows/privilege_escalation_uac_bypass_event_viewer.toml rules/windows/defense_evasion_suspicious_certutil_commands.toml rules/linux/persistence_dynamic_linker_backup.toml rules/windows/discovery_privileged_localgroup_membership.toml rules/linux/persistence_setuid_setgid_capability_set.toml rules/windows/execution_from_unusual_path_cmdline.toml rules/windows/persistence_via_update_orchestrator_service_hijack.toml rules/windows/defense_evasion_suspicious_zoom_child_process.toml rules/windows/credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml rules/windows/persistence_system_shells_via_services.toml rules/windows/defense_evasion_msbuild_making_network_connections.toml rules/windows/persistence_service_windows_service_winlog.toml rules/windows/credential_access_bruteforce_admin_account.toml rules/linux/persistence_kde_autostart_modification.toml rules/linux/persistence_message_of_the_day_execution.toml rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml rules/linux/privilege_escalation_sudo_token_via_process_injection.toml rules/linux/persistence_linux_backdoor_user_creation.toml rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml rules/linux/privilege_escalation_potential_suid_sgid_exploitation.toml rules/windows/lateral_movement_direct_outbound_smb_connection.toml rules/windows/privilege_escalation_named_pipe_impersonation.toml rules/linux/persistence_rc_script_creation.toml rules/linux/persistence_linux_shell_activity_via_web_server.toml rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml rules/linux/persistence_kworker_file_creation.toml 
rules/windows/defense_evasion_execution_lolbas_wuauclt.toml rules/windows/command_and_control_certreq_postdata.toml rules/windows/defense_evasion_from_unusual_directory.toml rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml pyproject.toml rules/linux/persistence_init_d_file_creation.toml rules/integrations/cloud_defend/execution_interactive_shell_spawned_from_inside_a_container.toml rules/linux/persistence_linux_user_added_to_privileged_group.toml rules/linux/persistence_etc_file_creation.toml rules/windows/credential_access_wireless_creds_dumping.toml rules/integrations/cloud_defend/lateral_movement_ssh_process_launched_inside_a_container.toml rules/linux/command_and_control_cat_network_activity.toml rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml rules/windows/privilege_escalation_uac_bypass_mock_windir.toml rules/windows/credential_access_lsass_memdump_handle_access.toml rules/linux/command_and_control_linux_chisel_client_activity.toml rules/windows/execution_via_compiled_html_file.toml rules/linux/persistence_chkconfig_service_add.toml rules/windows/defense_evasion_amsi_bypass_dllhijack.toml rules/windows/lateral_movement_execution_via_file_shares_sequence.toml rules/windows/privilege_escalation_service_control_spawned_script_int.toml rules/linux/persistence_insmod_kernel_module_load.toml rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml rules/windows/privilege_escalation_unusual_parentchild_relationship.toml rules/linux/command_and_control_tunneling_via_earthworm.toml tests/test_all_rules.py rules/linux/command_and_control_linux_proxychains_activity.toml rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml |
7. | 78494512+aegrah@users.noreply.github.com | 26856693+w0rk3r@users.noreply.github.com |
50 shared files
rules/linux/persistence_pluggable_authentication_module_creation_in_unusual_dir.toml rules/network/discovery_potential_syn_port_scan_detected.toml rules/network/discovery_potential_network_sweep_detected.toml rules/linux/privilege_escalation_suspicious_uid_guid_elevation.toml rules/linux/discovery_polkit_version_discovery.toml rules/linux/defense_evasion_selinux_configuration_creation_or_renaming.toml rules/linux/execution_system_binary_file_permission_change.toml rules/linux/credential_access_ssh_backdoor_log.toml rules/linux/execution_shell_openssl_client_or_server.toml rules/linux/defense_evasion_root_certificate_installation.toml rules/linux/execution_remote_code_execution_via_postgresql.toml rules/linux/defense_evasion_dynamic_linker_file_creation.toml rules/linux/persistence_apt_package_manager_execution.toml rules/network/discovery_potential_port_scan_detected.toml rules/linux/defense_evasion_kernel_module_removal.toml rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml rules/linux/persistence_kde_autostart_modification.toml rules/linux/persistence_xdg_autostart_netcon.toml rules/linux/impact_potential_linux_ransomware_note_detected.toml rules/linux/persistence_simple_web_server_creation.toml rules/linux/discovery_pam_version_discovery.toml rules/linux/exfiltration_potential_data_splitting_for_exfiltration.toml rules/linux/persistence_rc_script_creation.toml rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml rules/linux/defense_evasion_acl_modification_via_setfacl.toml rules/linux/execution_network_event_post_compilation.toml rules/linux/discovery_kernel_seeking.toml rules/linux/persistence_kworker_file_creation.toml rules/linux/persistence_manual_dracut_execution.toml rules/linux/persistence_dpkg_unusual_execution.toml pyproject.toml rules/linux/defense_evasion_attempt_to_disable_auditd_service.toml rules/linux/execution_unix_socket_communication.toml rules/linux/persistence_init_d_file_creation.toml 
rules/linux/persistence_etc_file_creation.toml rules/linux/impact_memory_swap_modification.toml rules/linux/execution_file_execution_followed_by_deletion.toml rules/linux/defense_evasion_ld_so_creation.toml rules/linux/discovery_unusual_user_enumeration_via_id.toml rules/linux/defense_evasion_hidden_shared_object.toml rules/linux/defense_evasion_hidden_file_dir_tmp.toml rules/linux/defense_evasion_hidden_directory_creation.toml rules/linux/command_and_control_linux_chisel_client_activity.toml rules/linux/privilege_escalation_netcon_via_sudo_binary.toml rules/linux/defense_evasion_clear_kernel_ring_buffer.toml rules/linux/persistence_potential_persistence_script_executable_bit_set.toml rules/linux/persistence_dnf_package_manager_plugin_file_creation.toml rules/linux/discovery_kernel_unpacking.toml rules/linux/discovery_security_file_access_via_common_utility.toml rules/linux/command_and_control_ip_forwarding_activity.toml |
8. | 91139415+shashank-elastic@users.noreply.github.com | 78494512+aegrah@users.noreply.github.com |
15 shared files
rules/linux/persistence_message_of_the_day_creation.toml rules/linux/persistence_systemd_scheduled_timer_created.toml rules/linux/persistence_shared_object_creation.toml rules/linux/persistence_systemd_service_creation.toml rules/linux/execution_unusual_pkexec_execution.toml rules/linux/persistence_kde_autostart_modification.toml rules/linux/persistence_polkit_policy_creation.toml rules/linux/persistence_rc_script_creation.toml rules/linux/persistence_kworker_file_creation.toml pyproject.toml rules/linux/persistence_init_d_file_creation.toml rules/linux/persistence_etc_file_creation.toml rules/linux/command_and_control_linux_chisel_client_activity.toml rules/linux/persistence_credential_access_modify_ssh_binaries.toml rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml |
9. | 26856693+w0rk3r@users.noreply.github.com | 64742097+samirbous@users.noreply.github.com |
10 shared files
rules/windows/defense_evasion_via_filter_manager.toml rules/network/discovery_potential_syn_port_scan_detected.toml rules/windows/lateral_movement_remote_file_copy_hidden_share.toml rules/windows/execution_powershell_susp_args_via_winscript.toml rules/linux/credential_access_unusual_instance_metadata_service_api_request.toml rules/windows/defense_evasion_audit_policy_disabled_winlog.toml pyproject.toml rules/windows/command_and_control_tool_transfer_via_curl.toml rules/windows/defense_evasion_indirect_exec_forfiles.toml rules/windows/execution_windows_script_from_internet.toml |
10. | 64742097+samirbous@users.noreply.github.com | mikaayenson@users.noreply.github.com |
8 shared files
rules/network/discovery_potential_syn_port_scan_detected.toml rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml rules/windows/persistence_sysmon_wmi_event_subscription.toml rules/windows/lateral_movement_remote_file_copy_hidden_share.toml rules/windows/execution_powershell_susp_args_via_winscript.toml rules/linux/credential_access_unusual_instance_metadata_service_api_request.toml rules/windows/defense_evasion_posh_obfuscation.toml pyproject.toml |
11. | traut@users.noreply.github.com | 119343520+eric-forte-elastic@users.noreply.github.com |
7 shared files
detection_rules/main.py README.md CLI.md detection_rules/custom_rules.py pyproject.toml docs-dev/experimental-machine-learning/experimental-detections.md detection_rules/cli_utils.py |
12. | 91139415+shashank-elastic@users.noreply.github.com | 64742097+samirbous@users.noreply.github.com |
5 shared files
rules/windows/defense_evasion_via_filter_manager.toml pyproject.toml rules/windows/defense_evasion_network_connection_from_windows_binary.toml rules/windows/defense_evasion_amsi_bypass_powershell.toml rules/windows/defense_evasion_posh_assembly_load.toml |
13. | traut@users.noreply.github.com | 99630311+terrancedejesus@users.noreply.github.com |
5 shared files
README.md detection_rules/devtools.py pyproject.toml .github/workflows/attack-coverage-update.yml .github/workflows/version-code-and-release.yml |
14. | 91139415+shashank-elastic@users.noreply.github.com | traut@users.noreply.github.com |
4 shared files
detection_rules/devtools.py pyproject.toml detection_rules/schemas/__init__.py tests/test_all_rules.py |
15. | 99630311+terrancedejesus@users.noreply.github.com | 78494512+aegrah@users.noreply.github.com |
4 shared files
pyproject.toml hunting/index.yml .github/workflows/version-code-and-release.yml hunting/index.md |
16. | 119343520+eric-forte-elastic@users.noreply.github.com | 99630311+terrancedejesus@users.noreply.github.com |
3 shared files
README.md .github/workflows/kibana-mitre-update.yml pyproject.toml |
17. | 64742097+samirbous@users.noreply.github.com | 78494512+aegrah@users.noreply.github.com |
2 shared files
rules/network/discovery_potential_syn_port_scan_detected.toml pyproject.toml |
18. | 91139415+shashank-elastic@users.noreply.github.com | 119343520+eric-forte-elastic@users.noreply.github.com |
2 shared files
detection_rules/ml.py pyproject.toml |
19. | 99630311+terrancedejesus@users.noreply.github.com | 64742097+samirbous@users.noreply.github.com |
2 shared files
detection_rules/etc/non-ecs-schema.json pyproject.toml |
20. | 78494512+aegrah@users.noreply.github.com | traut@users.noreply.github.com |
2 shared files
pyproject.toml .github/workflows/version-code-and-release.yml |
21. | mikaayenson@users.noreply.github.com | traut@users.noreply.github.com |
2 shared files
pyproject.toml tests/test_all_rules.py |
22. | traut@users.noreply.github.com | 26856693+w0rk3r@users.noreply.github.com |
2 shared files
pyproject.toml tests/test_all_rules.py |
23. | 65730960+jvalente-salemstate@users.noreply.github.com | mikaayenson@users.noreply.github.com |
1 shared file
rules/integrations/azure/defense_evasion_azure_blob_permissions_modified.toml |
24. | 105589633+rad9800@users.noreply.github.com | mikaayenson@users.noreply.github.com |
1 shared file
rules/windows/persistence_registry_uncommon.toml |
25. | sergey@polzunov.com | 91139415+shashank-elastic@users.noreply.github.com |
1 shared file
docs/versioning.md |
26. | 99630311+terrancedejesus@users.noreply.github.com | 26856693+w0rk3r@users.noreply.github.com |
1 shared file
pyproject.toml |
27. | 64742097+samirbous@users.noreply.github.com | 119343520+eric-forte-elastic@users.noreply.github.com |
1 shared file
pyproject.toml |
28. | 64742097+samirbous@users.noreply.github.com | traut@users.noreply.github.com |
1 shared file
pyproject.toml |
29. | 78494512+aegrah@users.noreply.github.com | 119343520+eric-forte-elastic@users.noreply.github.com |
1 shared file
pyproject.toml |
30. | 119343520+eric-forte-elastic@users.noreply.github.com | mikaayenson@users.noreply.github.com |
1 shared file
pyproject.toml |
31. | 119343520+eric-forte-elastic@users.noreply.github.com | 26856693+w0rk3r@users.noreply.github.com |
1 shared file
pyproject.toml |
# | Contributor | # connections | # commits |
---|---|---|---|
1. | mikaayenson@users.noreply.github.com | 9 | 4 |
2. | 91139415+shashank-elastic@users.noreply.github.com | 8 | 22 |
3. | 78494512+aegrah@users.noreply.github.com | 7 | 77 |
4. | 99630311+terrancedejesus@users.noreply.github.com | 7 | 35 |
5. | 26856693+w0rk3r@users.noreply.github.com | 7 | 28 |
6. | 64742097+samirbous@users.noreply.github.com | 7 | 12 |
7. | 119343520+eric-forte-elastic@users.noreply.github.com | 7 | 6 |
8. | traut@users.noreply.github.com | 7 | 6 |
9. | 65730960+jvalente-salemstate@users.noreply.github.com | 1 | 1 |
10. | sergey@polzunov.com | 1 | 1 |
11. | 105589633+rad9800@users.noreply.github.com | 1 | 1 |
12. | 59296946+imays11@users.noreply.github.com | 0 | 1 |
13. | 109447885+sodhikirti07@users.noreply.github.com | 0 | 1 |
C-median: 7.0
Half of the contributors have more than 7.0 connections and half have fewer.
C-mean: 5.6
The mean number of connections a contributor has with other contributors.
C-index: 7.0
At least 7 contributors have 7 or more connections; the C-index is the largest number for which this holds (an h-index-style measure).
26 contributors (624 commits):
# | Contributor | First Commit | Latest Commit | Commits Count |
---|---|---|---|---|
1. | 64742097+samirbous@users.noreply.github.com | 2020-07-08 | 2025-03-14 | 47 (7%) |
2. | 78494512+aegrah@users.noreply.github.com | 2023-01-18 | 2025-03-12 | 154 (24%) |
3. | 26856693+w0rk3r@users.noreply.github.com | 2022-11-01 | 2025-02-28 | 99 (15%) |
4. | 99630311+terrancedejesus@users.noreply.github.com | 2022-03-03 | 2025-03-11 | 102 (16%) |
5. | mikaayenson@users.noreply.github.com | 2022-02-22 | 2025-03-04 | 24 (3%) |
6. | 91139415+shashank-elastic@users.noreply.github.com | 2022-03-02 | 2025-03-14 | 68 (10%) |
7. | 59296946+imays11@users.noreply.github.com | 2022-04-07 | 2024-12-06 | 24 (3%) |
8. | 119343520+eric-forte-elastic@users.noreply.github.com | 2023-02-07 | 2025-03-15 | 22 (3%) |
9. | 72879786+protectionsmachine@users.noreply.github.com | 2024-08-08 | 2024-10-28 | 49 (7%) |
10. | 16747370+brokensound77@users.noreply.github.com | 2023-03-02 | 2024-07-11 | 4 (<1%) |
11. | mika.ayenson@elastic.co | 2022-09-21 | 2024-07-23 | 4 (<1%) |
12. | traut@users.noreply.github.com | 2025-02-06 | 2025-03-07 | 6 (<1%) |
13. | 65730960+jvalente-salemstate@users.noreply.github.com | 2024-05-30 | 2025-01-13 | 4 (<1%) |
14. | terrance.dejesus@elastic.co | 2024-03-01 | 2024-11-11 | 1 (<1%) |
15. | 109447885+sodhikirti07@users.noreply.github.com | 2024-06-19 | 2025-03-06 | 3 (<1%) |
16. | 56411054+joe-desimone@users.noreply.github.com | 2023-08-17 | 2024-07-08 | 2 (<1%) |
17. | 61625853+ar3diu@users.noreply.github.com | 2024-07-03 | 2024-07-10 | 2 (<1%) |
18. | sergey@polzunov.com | 2025-03-06 | 2025-03-06 | 1 (<1%) |
19. | 105589633+rad9800@users.noreply.github.com | 2024-12-25 | 2024-12-25 | 1 (<1%) |
20. | thijsxhaflaire31@hotmail.com | 2024-09-12 | 2024-09-12 | 1 (<1%) |
21. | eric.forte@elastic.co | 2024-07-23 | 2024-07-23 | 1 (<1%) |
22. | dante.gpap@gmail.com | 2024-07-11 | 2024-07-11 | 1 (<1%) |
23. | 56378862+jesse-sant@users.noreply.github.com | 2024-07-08 | 2024-07-08 | 1 (<1%) |
24. | krish.reddy91@gmail.com | 2024-06-20 | 2024-06-20 | 1 (<1%) |
25. | 109789828+anhuisec@users.noreply.github.com | 2024-06-13 | 2024-06-13 | 1 (<1%) |
26. | 10844131+jmcarlock@users.noreply.github.com | 2024-05-28 | 2024-05-28 | 1 (<1%) |
A contributor dependency is detected when two contributors have changed the same files in the past 365 days.
The number shown for each pair is how many of the same files both contributors changed in the past 365 days.
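The pair counts in the table below can be reproduced from plain `git log` output: collect the set of files each author touched in the window, then intersect the sets pairwise. The script below is an added example, not the tool that produced this report and not part of the detection-rules project; it assumes the log was generated with `git log --since=365.days --name-only --date=short --format='author %aE %ad'`, and the log text, author addresses and file paths it parses are constructed for the example.

```python
"""Compute contributor dependencies (pairs of authors who changed the same files
within a window) from `git log --name-only` output, and render them as the
markdown table layout used in this report.

Added example: not the report tool's own code. Assumes the log format
    git log --since=<N>.days --name-only --date=short --format='author %aE %ad'
(%aE applies .mailmap, so one person with several e-mail addresses is folded
into one author). The sample log below is constructed.
"""
from collections import defaultdict
from itertools import combinations
import subprocess
import sys

# Constructed sample in the format produced by the command above.
SAMPLE_LOG = """\
author alice@example.com 2025-03-01

rules/windows/persistence_adobe_hijack_persistence.toml
rules/linux/defense_evasion_mount_execution.toml

author bob@example.com 2025-02-10

rules/windows/persistence_adobe_hijack_persistence.toml
detection_rules/main.py

author carol@example.com 2024-12-05

rules/linux/defense_evasion_mount_execution.toml
rules/windows/persistence_adobe_hijack_persistence.toml
detection_rules/main.py

author alice@example.com 2024-11-20

detection_rules/main.py
"""


def parse_log(text):
    """Map author e-mail -> set of files that author changed in the log."""
    files_by_author = defaultdict(set)
    author = None
    for line in text.splitlines():
        if line.startswith("author "):
            author = line.split()[1]          # the %aE field
        elif line.strip() and author is not None:
            files_by_author[author].add(line.strip())
    return files_by_author


def shared_files(files_by_author):
    """Return (author1, author2, sorted shared files) for every pair that
    shares at least one file, most shared files first."""
    rows = []
    for a, b in combinations(sorted(files_by_author), 2):
        common = files_by_author[a] & files_by_author[b]
        if common:
            rows.append((a, b, sorted(common)))
    rows.sort(key=lambda r: (-len(r[2]), r[0], r[1]))
    return rows


def to_markdown(rows, limit=3):
    """Render rows in the same column layout as the dependency table above;
    file lists longer than `limit` are truncated with '...'."""
    lines = ["# | Contributor 1 | Contributor 2 | # shared files | Shared files |",
             "---|---|---|---|---|"]
    for i, (a, b, files) in enumerate(rows, 1):
        shown = " ".join(files[:limit]) + (" ..." if len(files) > limit else "")
        lines.append(f"{i}. | {a} | {b} | {len(files)} shared files | {shown} |")
    return "\n".join(lines)


def git_log(repo=".", days=365):
    """Run the git command this script expects and return its stdout."""
    cmd = ["git", "-C", repo, "log", f"--since={days}.days", "--name-only",
           "--date=short", "--format=author %aE %ad"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # With a repo path as argument, analyse a real checkout; otherwise the sample.
    log = git_log(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG
    print(to_markdown(shared_files(parse_log(log))))
```

On the sample, alice and carol share three files, alice/bob and bob/carol two each. The report above keys on raw author address, which is why one person committing under both a `@users.noreply.github.com` and a corporate address can appear as a pair; `%aE` with a `.mailmap` in the repository folds such addresses before counting.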
# | Contributor 1 | Contributor 2 | # shared files | Shared files (list truncated) |
---|---|---|---|---|
1. | 91139415+shashank-elastic@users.noreply.github.com | mika.ayenson@elastic.co | 1170 shared files | rules/integrations/github/persistence_github_org_owner_added.toml detection_rules/etc/ecs_schemas/8.5.1/ecs_flat.json.gz rules/integrations/beaconing/command_and_control_beaconing.toml rules/windows/persistence_adobe_hijack_persistence.toml rules/integrations/lmd/lateral_movement_ml_spike_in_rdp_processes.toml rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml detection_rules/etc/ecs_schemas/8.7.0/ecs_flat.json.gz rules/promotions/endgame_ransomware_detected.toml rules/windows/persistence_service_dll_unsigned.toml rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml rules_building_block/defense_evasion_injection_from_msoffice.toml rules/integrations/azure/persistence_user_added_as_owner_for_azure_service_principal.toml rules/macos/lateral_movement_mounting_smb_share.toml rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml rules/integrations/o365/initial_access_microsoft_365_exchange_safelinks_disabled.toml rules/linux/credential_access_potential_successful_linux_ftp_bruteforce.toml rules_building_block/defense_evasion_unusual_process_path_wbem.toml rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml detection_rules/etc/ecs_schemas/8.11.0/ecs_flat.json.gz rules/windows/execution_suspicious_pdf_reader.toml rules/windows/defense_evasion_disabling_windows_logs.toml rules/integrations/gcp/defense_evasion_gcp_firewall_rule_deleted.toml rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml rules_building_block/execution_github_new_repo_interaction_for_user.toml rules/linux/discovery_suid_sguid_enumeration.toml rules/windows/persistence_via_application_shimming.toml rules/integrations/aws/impact_kms_cmk_disabled_or_scheduled_for_deletion.toml rules/windows/initial_access_suspicious_ms_exchange_process.toml rules/windows/defense_evasion_dotnet_compiler_parent_process.toml rules/integrations/aws/persistence_rds_cluster_creation.toml rules/macos/credential_access_kerberosdump_kcc.toml rules/windows/privilege_escalation_gpo_schtask_service_creation.toml rules/integrations/aws/credential_access_root_console_failure_brute_force.toml rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml detection_rules/etc/beats_schemas/main.json.gz rules_building_block/impact_github_user_blocked_from_organization.toml detection_rules/etc/ecs_schemas/8.3.1/ecs_nested.json.gz rules/linux/defense_evasion_mount_execution.toml rules/windows/defense_evasion_unusual_dir_ads.toml rules_building_block/execution_unsigned_service_executable.toml rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml rules/integrations/aws/privilege_escalation_root_login_without_mfa.toml rules/network/discovery_potential_network_sweep_detected.toml rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml rules_building_block/impact_github_pat_access_revoked.toml rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml rules/macos/persistence_enable_root_account.toml rules/macos/lateral_movement_vpn_connection_attempt.toml rules/windows/execution_command_shell_started_by_svchost.toml detection_rules/etc/integration-manifests.json.gz rules/macos/persistence_creation_hidden_login_item_osascript.toml rules/linux/privilege_escalation_sudo_hijacking.toml rules/windows/defense_evasion_wsl_bash_exec.toml rules/integrations/github/persistence_organization_owner_role_granted.toml rules/integrations/azure/privilege_escalation_azure_kubernetes_rolebinding_created.toml rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml rules/network/command_and_control_port_26_activity.toml rules/windows/command_and_control_remote_file_copy_scripts.toml rules/windows/defense_evasion_posh_encryption.toml rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml detection_rules/etc/ecs_schemas/8.3.0/ecs_nested.json.gz rules/integrations/lmd/lateral_movement_ml_high_remote_file_size.toml rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml rules/windows/credential_access_shadow_credentials.toml rules_building_block/collection_outlook_email_archive.toml rules/macos/persistence_creation_modif_launch_deamon_sequence.toml rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml rules/windows/persistence_remote_password_reset.toml detection_rules/etc/ecs_schemas/1.12.2/ecs_flat.json.gz rules/windows/privilege_escalation_driver_newterm_imphash.toml rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml rules/windows/credential_access_lsass_memdump_file_created.toml rules/integrations/ded/exfiltration_ml_high_bytes_destination_port.toml rules/linux/persistence_message_of_the_day_creation.toml rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml rules/windows/persistence_ms_outlook_vba_template.toml rules/integrations/google_workspace/collection_google_workspace_custom_gmail_route_created_or_modified.toml rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml detection_rules/etc/ecs_schemas/master_8.12.0-dev/ecs_flat.json.gz rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml rules/integrations/cloud_defend/container_workload_protection.toml rules/windows/credential_access_dcsync_newterm_subjectuser.toml rules/linux/persistence_linux_group_creation.toml rules/integrations/ded/exfiltration_ml_high_bytes_destination_geo_country_iso_code.toml rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml rules_building_block/persistence_github_new_user_added_to_organization.toml rules/integrations/aws/ml_cloudtrail_rare_error_code.toml rules_building_block/lateral_movement_at.toml rules/linux/credential_access_collection_sensitive_files.toml detection_rules/etc/api_schemas/master/master.threat_match.json rules/integrations/okta/impact_possible_okta_dos_attack.toml rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml rules/promotions/credential_access_endgame_cred_dumping_prevented.toml rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml detection_rules/etc/ecs_schemas/1.9.0/ecs_flat.json.gz rules/windows/execution_command_shell_started_by_unusual_process.toml ... |
2. | 91139415+shashank-elastic@users.noreply.github.com | mikaayenson@users.noreply.github.com | 864 shared files | rules/integrations/github/persistence_github_org_owner_added.toml rules/integrations/beaconing/command_and_control_beaconing.toml rules/integrations/lmd/lateral_movement_ml_spike_in_rdp_processes.toml rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml rules/promotions/endgame_ransomware_detected.toml rules/windows/persistence_service_dll_unsigned.toml rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml rules/integrations/azure/persistence_user_added_as_owner_for_azure_service_principal.toml rules/macos/lateral_movement_mounting_smb_share.toml rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml rules/integrations/o365/initial_access_microsoft_365_exchange_safelinks_disabled.toml rules/linux/credential_access_potential_successful_linux_ftp_bruteforce.toml rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml rules/threat_intel/threat_intel_indicator_match_address.toml rules/integrations/gcp/defense_evasion_gcp_firewall_rule_deleted.toml rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml rules/linux/discovery_suid_sguid_enumeration.toml rules/windows/persistence_via_application_shimming.toml rules/integrations/aws/impact_kms_cmk_disabled_or_scheduled_for_deletion.toml rules/windows/initial_access_suspicious_ms_exchange_process.toml rules/windows/defense_evasion_dotnet_compiler_parent_process.toml rules/integrations/aws/persistence_rds_cluster_creation.toml rules/macos/credential_access_kerberosdump_kcc.toml rules/windows/privilege_escalation_gpo_schtask_service_creation.toml rules/integrations/aws/credential_access_root_console_failure_brute_force.toml rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml rules/linux/defense_evasion_mount_execution.toml rules/windows/defense_evasion_unusual_dir_ads.toml rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml rules/windows/defense_evasion_script_via_html_app.toml rules/network/discovery_potential_network_sweep_detected.toml rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml rules/macos/persistence_enable_root_account.toml rules/macos/lateral_movement_vpn_connection_attempt.toml rules/macos/persistence_creation_hidden_login_item_osascript.toml rules/linux/privilege_escalation_sudo_hijacking.toml rules/windows/defense_evasion_wsl_bash_exec.toml rules/integrations/github/persistence_organization_owner_role_granted.toml rules/integrations/azure/privilege_escalation_azure_kubernetes_rolebinding_created.toml rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml rules/network/command_and_control_port_26_activity.toml rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml rules/integrations/lmd/lateral_movement_ml_high_remote_file_size.toml rules/macos/persistence_creation_modif_launch_deamon_sequence.toml rules/windows/persistence_remote_password_reset.toml rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml rules/integrations/ded/exfiltration_ml_high_bytes_destination_port.toml rules/linux/persistence_message_of_the_day_creation.toml rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml rules/windows/persistence_ms_outlook_vba_template.toml rules/integrations/google_workspace/collection_google_workspace_custom_gmail_route_created_or_modified.toml rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml rules/integrations/cloud_defend/container_workload_protection.toml rules/linux/privilege_escalation_suspicious_chown_fowner_elevation.toml rules/linux/persistence_linux_group_creation.toml rules/integrations/ded/exfiltration_ml_high_bytes_destination_geo_country_iso_code.toml rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml rules/linux/credential_access_collection_sensitive_files.toml rules/integrations/okta/impact_possible_okta_dos_attack.toml rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml rules/promotions/credential_access_endgame_cred_dumping_prevented.toml rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml rules/windows/execution_command_shell_started_by_unusual_process.toml rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml rules/integrations/aws/exfiltration_s3_bucket_policy_added_for_external_account_access.toml rules/apm/apm_403_response_to_a_post.toml rules/windows/defense_evasion_clearing_windows_event_logs.toml rules/linux/command_and_control_linux_kworker_netcon.toml rules/promotions/execution_endgame_exploit_detected.toml rules/integrations/aws/impact_s3_object_encryption_with_external_key.toml rules/macos/credential_access_dumping_keychain_security.toml rules/macos/persistence_docker_shortcuts_plist_modification.toml rules/windows/persistence_sysmon_wmi_event_subscription.toml rules/linux/command_and_control_linux_ssh_x11_forwarding.toml rules/integrations/aws_bedrock/aws_bedrock_high_confidence_misconduct_blocks_detected.toml rules/integrations/aws/impact_rds_instance_cluster_stoppage.toml rules/windows/privilege_escalation_expired_driver_loaded.toml rules/linux/execution_netcon_from_rwx_mem_region_binary.toml rules/windows/privilege_escalation_suspicious_dnshostname_update.toml rules/linux/defense_evasion_rename_esxi_files.toml rules/integrations/cloud_defend/credential_access_aws_creds_search_inside_a_container.toml rules/windows/defense_evasion_masquerading_werfault.toml rules/linux/credential_access_gdb_process_hooking.toml rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml rules/ml/credential_access_ml_suspicious_login_activity.toml rules/windows/persistence_local_scheduled_job_creation.toml rules/integrations/gcp/collection_gcp_pub_sub_subscription_creation.toml rules/integrations/gcp/defense_evasion_gcp_firewall_rule_created.toml rules/integrations/aws/exfiltration_ec2_ami_shared_with_separate_account.toml rules/linux/impact_esxi_process_kill.toml rules/integrations/azure/impact_resource_group_deletion.toml rules/macos/privilege_escalation_local_user_added_to_admin.toml rules/integrations/cloud_defend/credential_access_collection_sensitive_files_compression_inside_a_container.toml rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml rules/promotions/endgame_malware_detected.toml ... |
3. | mika.ayenson@elastic.co | mikaayenson@users.noreply.github.com | 797 shared files | rules/integrations/github/persistence_github_org_owner_added.toml rules/integrations/beaconing/command_and_control_beaconing.toml rules/integrations/lmd/lateral_movement_ml_spike_in_rdp_processes.toml rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml rules/promotions/endgame_ransomware_detected.toml rules/windows/persistence_service_dll_unsigned.toml rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml rules/integrations/azure/persistence_user_added_as_owner_for_azure_service_principal.toml rules/macos/lateral_movement_mounting_smb_share.toml rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml rules/integrations/o365/initial_access_microsoft_365_exchange_safelinks_disabled.toml rules/linux/credential_access_potential_successful_linux_ftp_bruteforce.toml rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml rules/integrations/gcp/defense_evasion_gcp_firewall_rule_deleted.toml rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml rules/linux/discovery_suid_sguid_enumeration.toml rules/windows/persistence_via_application_shimming.toml rules/integrations/aws/impact_kms_cmk_disabled_or_scheduled_for_deletion.toml rules/windows/initial_access_suspicious_ms_exchange_process.toml rules/windows/defense_evasion_dotnet_compiler_parent_process.toml rules/integrations/aws/persistence_rds_cluster_creation.toml detection_rules/main.py rules/macos/credential_access_kerberosdump_kcc.toml rules/windows/privilege_escalation_gpo_schtask_service_creation.toml rules/integrations/aws/credential_access_root_console_failure_brute_force.toml rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml rules/linux/defense_evasion_mount_execution.toml rules/windows/defense_evasion_unusual_dir_ads.toml rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml rules/network/discovery_potential_network_sweep_detected.toml rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml rules/macos/persistence_enable_root_account.toml rules/macos/lateral_movement_vpn_connection_attempt.toml rules/macos/persistence_creation_hidden_login_item_osascript.toml rules/linux/privilege_escalation_sudo_hijacking.toml rules/windows/defense_evasion_wsl_bash_exec.toml rules/integrations/github/persistence_organization_owner_role_granted.toml rules/integrations/azure/privilege_escalation_azure_kubernetes_rolebinding_created.toml rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml rules/network/command_and_control_port_26_activity.toml rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml rules/integrations/lmd/lateral_movement_ml_high_remote_file_size.toml rules/macos/persistence_creation_modif_launch_deamon_sequence.toml rules/windows/persistence_remote_password_reset.toml rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml rules/integrations/ded/exfiltration_ml_high_bytes_destination_port.toml rules/linux/persistence_message_of_the_day_creation.toml rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml rules/windows/persistence_ms_outlook_vba_template.toml rules/integrations/google_workspace/collection_google_workspace_custom_gmail_route_created_or_modified.toml rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml rules/integrations/cloud_defend/container_workload_protection.toml rules/linux/persistence_linux_group_creation.toml rules/integrations/ded/exfiltration_ml_high_bytes_destination_geo_country_iso_code.toml rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml rules/linux/credential_access_collection_sensitive_files.toml rules/integrations/okta/impact_possible_okta_dos_attack.toml rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml rules/promotions/credential_access_endgame_cred_dumping_prevented.toml rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml rules/windows/execution_command_shell_started_by_unusual_process.toml rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml rules/integrations/aws/exfiltration_s3_bucket_policy_added_for_external_account_access.toml rules/apm/apm_403_response_to_a_post.toml rules/windows/defense_evasion_clearing_windows_event_logs.toml rules/linux/command_and_control_linux_kworker_netcon.toml rules/promotions/execution_endgame_exploit_detected.toml rules/macos/credential_access_dumping_keychain_security.toml rules/macos/persistence_docker_shortcuts_plist_modification.toml rules/windows/persistence_sysmon_wmi_event_subscription.toml rules/integrations/aws/impact_rds_instance_cluster_stoppage.toml rules/windows/privilege_escalation_expired_driver_loaded.toml rules/linux/execution_netcon_from_rwx_mem_region_binary.toml rules/windows/privilege_escalation_suspicious_dnshostname_update.toml rules/linux/defense_evasion_rename_esxi_files.toml rules/integrations/cloud_defend/credential_access_aws_creds_search_inside_a_container.toml rules/windows/defense_evasion_masquerading_werfault.toml rules/linux/credential_access_gdb_process_hooking.toml rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml rules/ml/credential_access_ml_suspicious_login_activity.toml rules/windows/persistence_local_scheduled_job_creation.toml rules/integrations/gcp/collection_gcp_pub_sub_subscription_creation.toml rules/integrations/gcp/defense_evasion_gcp_firewall_rule_created.toml rules/integrations/aws/exfiltration_ec2_ami_shared_with_separate_account.toml rules/linux/impact_esxi_process_kill.toml rules/integrations/azure/impact_resource_group_deletion.toml rules/integrations/cloud_defend/credential_access_collection_sensitive_files_compression_inside_a_container.toml rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml rules/promotions/endgame_malware_detected.toml rules/integrations/gcp/exfiltration_gcp_logging_sink_modification.toml rules/integrations/ded/exfiltration_ml_high_bytes_destination_region_name.toml rules/integrations/okta/okta_threatinsight_threat_suspected_promotion.toml rules/linux/execution_potential_hack_tool_executed.toml rules/windows/credential_access_posh_veeam_sql.toml rules/linux/execution_nc_listener_via_rlwrap.toml ... |
4. | 26856693+w0rk3r@users.noreply.github.com | 91139415+shashank-elastic@users.noreply.github.com | 538 shared files | rules/windows/persistence_adobe_hijack_persistence.toml rules/macos/lateral_movement_mounting_smb_share.toml rules_building_block/defense_evasion_unusual_process_path_wbem.toml rules/windows/execution_suspicious_pdf_reader.toml rules/windows/defense_evasion_disabling_windows_logs.toml rules/linux/discovery_suid_sguid_enumeration.toml rules/windows/persistence_via_application_shimming.toml rules/windows/initial_access_suspicious_ms_exchange_process.toml rules/windows/defense_evasion_dotnet_compiler_parent_process.toml rules/windows/privilege_escalation_gpo_schtask_service_creation.toml rules/linux/defense_evasion_mount_execution.toml rules/windows/defense_evasion_unusual_dir_ads.toml rules/windows/defense_evasion_script_via_html_app.toml rules/network/discovery_potential_network_sweep_detected.toml rules/macos/lateral_movement_vpn_connection_attempt.toml rules/windows/execution_command_shell_started_by_svchost.toml detection_rules/etc/integration-manifests.json.gz rules/macos/persistence_creation_hidden_login_item_osascript.toml rules/windows/defense_evasion_posh_compressed.toml rules/windows/defense_evasion_wsl_bash_exec.toml rules/windows/command_and_control_remote_file_copy_scripts.toml rules/windows/defense_evasion_posh_encryption.toml rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml rules/windows/credential_access_shadow_credentials.toml rules_building_block/collection_outlook_email_archive.toml rules/macos/persistence_creation_modif_launch_deamon_sequence.toml rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml rules/windows/persistence_remote_password_reset.toml rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml rules/windows/credential_access_lsass_memdump_file_created.toml rules/windows/persistence_ms_outlook_vba_template.toml rules/windows/credential_access_dcsync_newterm_subjectuser.toml rules/linux/privilege_escalation_suspicious_chown_fowner_elevation.toml rules_building_block/lateral_movement_at.toml rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml rules/windows/execution_command_shell_started_by_unusual_process.toml rules/windows/defense_evasion_clearing_windows_event_logs.toml rules_building_block/defense_evasion_cmstp_execution.toml rules/macos/credential_access_dumping_keychain_security.toml rules/windows/persistence_sysmon_wmi_event_subscription.toml rules/linux/command_and_control_linux_ssh_x11_forwarding.toml rules/linux/execution_netcon_from_rwx_mem_region_binary.toml rules/windows/privilege_escalation_suspicious_dnshostname_update.toml rules/linux/defense_evasion_rename_esxi_files.toml detection_rules/schemas/definitions.py rules/windows/defense_evasion_masquerading_werfault.toml rules/linux/credential_access_gdb_process_hooking.toml rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml rules/windows/persistence_local_scheduled_job_creation.toml rules/linux/impact_esxi_process_kill.toml rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml rules/windows/credential_access_mimikatz_memssp_default_logs.toml rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml rules/windows/credential_access_mod_wdigest_security_provider.toml rules/linux/execution_potential_hack_tool_executed.toml rules/linux/execution_nc_listener_via_rlwrap.toml rules/linux/execution_remote_code_execution_via_postgresql.toml rules/windows/privilege_escalation_msi_repair_via_mshelp_link.toml rules/windows/defense_evasion_amsienable_key_mod.toml rules/windows/execution_pdf_written_file.toml rules/linux/discovery_linux_nping_activity.toml rules/windows/discovery_privileged_localgroup_membership.toml rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml rules/windows/defense_evasion_create_mod_root_certificate.toml rules/windows/defense_evasion_rundll32_no_arguments.toml rules/windows/defense_evasion_suspicious_scrobj_load.toml rules/windows/lateral_movement_unusual_dns_service_children.toml rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml rules_building_block/discovery_system_service_discovery.toml rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml rules/windows/execution_from_unusual_path_cmdline.toml rules/windows/persistence_run_key_and_startup_broad.toml rules/windows/defense_evasion_suspicious_zoom_child_process.toml rules/windows/persistence_app_compat_shim.toml rules/windows/credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml rules/windows/defense_evasion_installutil_beacon.toml rules/windows/impact_high_freq_file_renames_by_kernel.toml rules/linux/persistence_apt_package_manager_execution.toml rules/windows/discovery_high_number_ad_properties.toml rules/linux/credential_access_proc_credential_dumping.toml rules/windows/lateral_movement_remote_service_installed_winlog.toml rules/windows/defense_evasion_mshta_beacon.toml rules/windows/persistence_system_shells_via_services.toml rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml rules/windows/execution_via_mmc_console_file_unusual_path.toml rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml rules/linux/execution_shell_via_tcp_cli_utility_linux.toml rules/windows/credential_access_spn_attribute_modified.toml rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml rules/windows/persistence_services_registry.toml rules/linux/persistence_apt_package_manager_netcon.toml rules/windows/impact_backup_file_deletion.toml rules/linux/defense_evasion_kernel_module_removal.toml rules/windows/persistence_scheduled_task_creation_winlog.toml rules/windows/lateral_movement_remote_services.toml rules/windows/credential_access_veeam_commands.toml rules/windows/defense_evasion_injection_msbuild.toml ... |
5. | 26856693+w0rk3r@users.noreply.github.com | mika.ayenson@elastic.co | 504 shared files | rules/windows/persistence_adobe_hijack_persistence.toml rules/macos/lateral_movement_mounting_smb_share.toml rules_building_block/defense_evasion_unusual_process_path_wbem.toml rules/windows/execution_suspicious_pdf_reader.toml rules/windows/defense_evasion_disabling_windows_logs.toml rules/linux/discovery_suid_sguid_enumeration.toml rules/windows/persistence_via_application_shimming.toml rules/windows/initial_access_suspicious_ms_exchange_process.toml rules/windows/defense_evasion_dotnet_compiler_parent_process.toml rules/windows/privilege_escalation_gpo_schtask_service_creation.toml rules/linux/defense_evasion_mount_execution.toml rules/windows/defense_evasion_unusual_dir_ads.toml rules/network/discovery_potential_network_sweep_detected.toml rules/macos/lateral_movement_vpn_connection_attempt.toml rules/windows/execution_command_shell_started_by_svchost.toml detection_rules/etc/integration-manifests.json.gz rules/macos/persistence_creation_hidden_login_item_osascript.toml rules/windows/defense_evasion_wsl_bash_exec.toml rules/windows/command_and_control_remote_file_copy_scripts.toml rules/windows/defense_evasion_posh_encryption.toml rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml rules/windows/credential_access_shadow_credentials.toml rules_building_block/collection_outlook_email_archive.toml rules/macos/persistence_creation_modif_launch_deamon_sequence.toml rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml rules/windows/persistence_remote_password_reset.toml rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml rules/windows/credential_access_lsass_memdump_file_created.toml rules/windows/persistence_ms_outlook_vba_template.toml rules/windows/credential_access_dcsync_newterm_subjectuser.toml rules_building_block/lateral_movement_at.toml rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml rules/windows/execution_command_shell_started_by_unusual_process.toml rules/windows/defense_evasion_clearing_windows_event_logs.toml rules_building_block/defense_evasion_cmstp_execution.toml rules/macos/credential_access_dumping_keychain_security.toml rules/windows/persistence_sysmon_wmi_event_subscription.toml rules/linux/execution_netcon_from_rwx_mem_region_binary.toml rules/windows/privilege_escalation_suspicious_dnshostname_update.toml rules/linux/defense_evasion_rename_esxi_files.toml rules/windows/defense_evasion_masquerading_werfault.toml rules/linux/credential_access_gdb_process_hooking.toml rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml rules/windows/persistence_local_scheduled_job_creation.toml rules/linux/impact_esxi_process_kill.toml rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml rules/windows/credential_access_mimikatz_memssp_default_logs.toml rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml rules/windows/credential_access_mod_wdigest_security_provider.toml rules/linux/execution_potential_hack_tool_executed.toml rules/linux/execution_nc_listener_via_rlwrap.toml rules/linux/execution_remote_code_execution_via_postgresql.toml rules/windows/defense_evasion_amsienable_key_mod.toml rules/windows/execution_pdf_written_file.toml rules/linux/discovery_linux_nping_activity.toml rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml rules/windows/defense_evasion_create_mod_root_certificate.toml rules/windows/defense_evasion_rundll32_no_arguments.toml rules/windows/defense_evasion_suspicious_scrobj_load.toml rules/windows/lateral_movement_unusual_dns_service_children.toml rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml rules_building_block/discovery_system_service_discovery.toml rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml rules/windows/execution_from_unusual_path_cmdline.toml rules/windows/persistence_run_key_and_startup_broad.toml rules/windows/defense_evasion_suspicious_zoom_child_process.toml rules/windows/persistence_app_compat_shim.toml rules/windows/credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml rules/windows/defense_evasion_installutil_beacon.toml rules/windows/impact_high_freq_file_renames_by_kernel.toml rules/linux/persistence_apt_package_manager_execution.toml rules/windows/discovery_high_number_ad_properties.toml rules/linux/credential_access_proc_credential_dumping.toml rules/windows/lateral_movement_remote_service_installed_winlog.toml rules/windows/defense_evasion_mshta_beacon.toml rules/windows/persistence_system_shells_via_services.toml rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml rules/linux/execution_shell_via_tcp_cli_utility_linux.toml rules/windows/credential_access_spn_attribute_modified.toml rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml rules/windows/persistence_services_registry.toml rules/linux/persistence_apt_package_manager_netcon.toml rules/windows/impact_backup_file_deletion.toml rules/linux/defense_evasion_kernel_module_removal.toml rules/windows/persistence_scheduled_task_creation_winlog.toml rules/windows/lateral_movement_remote_services.toml rules/windows/credential_access_veeam_commands.toml rules/windows/defense_evasion_injection_msbuild.toml rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml rules/windows/defense_evasion_msxsl_network.toml rules/windows/command_and_control_encrypted_channel_freesslcert.toml rules/windows/defense_evasion_disabling_windows_defender_powershell.toml rules/windows/lateral_movement_incoming_winrm_shell_execution.toml rules/windows/defense_evasion_timestomp_sysmon.toml rules_building_block/discovery_generic_process_discovery.toml ... |
6. | 26856693+w0rk3r@users.noreply.github.com | mikaayenson@users.noreply.github.com |
437 shared files
rules/windows/credential_access_imageload_azureadconnectauthsvc.toml rules/macos/lateral_movement_mounting_smb_share.toml rules/linux/discovery_suid_sguid_enumeration.toml rules/windows/persistence_via_application_shimming.toml rules/windows/initial_access_suspicious_ms_exchange_process.toml rules/windows/defense_evasion_dotnet_compiler_parent_process.toml rules/windows/execution_initial_access_wps_dll_exploit.toml rules/windows/privilege_escalation_gpo_schtask_service_creation.toml rules/windows/execution_windows_cmd_shell_susp_args.toml rules/linux/defense_evasion_mount_execution.toml rules/windows/defense_evasion_unusual_dir_ads.toml rules/windows/defense_evasion_script_via_html_app.toml rules/network/discovery_potential_network_sweep_detected.toml rules/macos/lateral_movement_vpn_connection_attempt.toml rules/macos/persistence_creation_hidden_login_item_osascript.toml rules/windows/defense_evasion_wsl_bash_exec.toml rules/windows/execution_windows_powershell_susp_args.toml rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml rules/macos/persistence_creation_modif_launch_deamon_sequence.toml rules/windows/persistence_remote_password_reset.toml rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml rules/windows/initial_access_rdp_file_mail_attachment.toml rules/windows/persistence_ms_outlook_vba_template.toml rules/linux/discovery_polkit_version_discovery.toml rules/linux/privilege_escalation_suspicious_chown_fowner_elevation.toml rules/linux/defense_evasion_selinux_configuration_creation_or_renaming.toml rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml rules/linux/persistence_git_hook_process_execution.toml rules/windows/execution_command_shell_started_by_unusual_process.toml rules/windows/defense_evasion_clearing_windows_event_logs.toml rules/macos/credential_access_dumping_keychain_security.toml 
rules/windows/persistence_sysmon_wmi_event_subscription.toml rules/linux/command_and_control_linux_ssh_x11_forwarding.toml rules/linux/execution_netcon_from_rwx_mem_region_binary.toml rules/windows/privilege_escalation_suspicious_dnshostname_update.toml rules/linux/defense_evasion_rename_esxi_files.toml rules/windows/defense_evasion_masquerading_werfault.toml rules/linux/credential_access_gdb_process_hooking.toml rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml rules/windows/persistence_local_scheduled_job_creation.toml rules/linux/impact_esxi_process_kill.toml rules/linux/execution_cupsd_foomatic_rip_lp_user_execution.toml rules/linux/defense_evasion_root_certificate_installation.toml rules/linux/defense_evasion_directory_creation_in_bin.toml rules/linux/execution_potential_hack_tool_executed.toml rules/linux/execution_nc_listener_via_rlwrap.toml rules/linux/execution_remote_code_execution_via_postgresql.toml rules/windows/privilege_escalation_msi_repair_via_mshelp_link.toml rules/linux/discovery_linux_nping_activity.toml rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml rules/windows/defense_evasion_rundll32_no_arguments.toml rules/windows/defense_evasion_suspicious_scrobj_load.toml rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml rules/windows/execution_from_unusual_path_cmdline.toml rules/linux/defense_evasion_dynamic_linker_file_creation.toml rules/windows/persistence_run_key_and_startup_broad.toml rules/linux/persistence_process_capability_set_via_setcap.toml rules/windows/persistence_app_compat_shim.toml rules/windows/defense_evasion_installutil_beacon.toml rules/linux/persistence_apt_package_manager_execution.toml rules/windows/discovery_high_number_ad_properties.toml rules/linux/credential_access_proc_credential_dumping.toml rules/windows/lateral_movement_remote_service_installed_winlog.toml 
rules/windows/defense_evasion_mshta_beacon.toml rules/linux/defense_evasion_ssl_certificate_deletion.toml rules/windows/execution_via_mmc_console_file_unusual_path.toml rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml rules/linux/execution_shell_via_tcp_cli_utility_linux.toml rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml rules/windows/persistence_services_registry.toml rules/linux/persistence_apt_package_manager_netcon.toml rules/linux/defense_evasion_hex_payload_execution.toml rules/linux/defense_evasion_kernel_module_removal.toml rules/windows/persistence_scheduled_task_creation_winlog.toml rules/windows/lateral_movement_remote_services.toml rules/windows/credential_access_veeam_commands.toml rules/windows/execution_powershell_susp_args_via_winscript.toml rules/windows/defense_evasion_injection_msbuild.toml rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml rules/windows/defense_evasion_msxsl_network.toml rules/windows/command_and_control_encrypted_channel_freesslcert.toml rules/windows/defense_evasion_disabling_windows_defender_powershell.toml rules/windows/lateral_movement_incoming_winrm_shell_execution.toml rules/windows/defense_evasion_timestomp_sysmon.toml rules/linux/persistence_ssh_key_generation.toml rules/macos/execution_installer_package_spawned_network_event.toml rules/linux/privilege_escalation_sudo_token_via_process_injection.toml rules/macos/privilege_escalation_applescript_with_admin_privs.toml rules/linux/persistence_linux_backdoor_user_creation.toml rules/linux/persistence_simple_web_server_creation.toml rules/windows/lateral_movement_dcom_mmc20.toml rules/linux/privilege_escalation_potential_suid_sgid_exploitation.toml rules/linux/exfiltration_potential_data_splitting_for_exfiltration.toml rules/linux/credential_access_unusual_instance_metadata_service_api_request.toml 
rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml rules/windows/lateral_movement_direct_outbound_smb_connection.toml rules/windows/credential_access_suspicious_lsass_access_memdump.toml ... |
7. | 78494512+aegrah@users.noreply.github.com | mikaayenson@users.noreply.github.com |
171 shared files
rules/linux/persistence_at_job_creation.toml rules/linux/defense_evasion_mount_execution.toml rules/network/discovery_potential_network_sweep_detected.toml rules/linux/privilege_escalation_sudo_hijacking.toml rules/linux/execution_unusual_path_invocation_from_command_line.toml rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml rules/linux/persistence_message_of_the_day_creation.toml rules/linux/discovery_polkit_version_discovery.toml rules/linux/defense_evasion_selinux_configuration_creation_or_renaming.toml rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml rules/linux/persistence_git_hook_process_execution.toml rules/linux/command_and_control_linux_kworker_netcon.toml rules/linux/command_and_control_linux_ssh_x11_forwarding.toml rules/linux/execution_netcon_from_rwx_mem_region_binary.toml rules/linux/persistence_openssl_passwd_hash_generation.toml rules/linux/persistence_pluggable_authentication_module_source_download.toml rules/linux/execution_cupsd_foomatic_rip_lp_user_execution.toml rules/linux/defense_evasion_root_certificate_installation.toml rules/linux/defense_evasion_directory_creation_in_bin.toml rules/linux/persistence_git_hook_netcon.toml rules/linux/execution_potential_hack_tool_executed.toml rules/linux/execution_remote_code_execution_via_postgresql.toml rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml rules/linux/defense_evasion_dynamic_linker_file_creation.toml rules/linux/persistence_network_manager_dispatcher_persistence.toml rules/linux/persistence_process_capability_set_via_setcap.toml rules/linux/persistence_apt_package_manager_execution.toml rules/linux/persistence_shared_object_creation.toml rules/cross-platform/execution_suspicious_java_netcon_childproc.toml rules/linux/defense_evasion_ssl_certificate_deletion.toml rules/linux/persistence_systemd_service_creation.toml rules/linux/execution_unusual_pkexec_execution.toml rules/linux/persistence_grub_configuration_creation.toml 
rules/linux/persistence_apt_package_manager_netcon.toml rules/linux/defense_evasion_hex_payload_execution.toml rules/linux/persistence_rc_local_service_already_running.toml rules/linux/defense_evasion_kernel_module_removal.toml rules/linux/persistence_pluggable_authentication_module_creation.toml rules/linux/persistence_systemd_shell_execution.toml rules/linux/persistence_kernel_object_file_creation.toml rules/linux/persistence_ssh_key_generation.toml rules/linux/persistence_simple_web_server_creation.toml rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml rules/linux/privilege_escalation_potential_suid_sgid_exploitation.toml rules/linux/exfiltration_potential_data_splitting_for_exfiltration.toml rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml rules/linux/privilege_escalation_docker_escape_via_nsenter.toml rules/linux/persistence_git_hook_file_creation.toml rules/linux/privilege_escalation_shadow_file_read.toml rules/linux/discovery_kernel_seeking.toml rules/linux/execution_cupsd_foomatic_rip_suspicious_child_execution.toml rules/linux/persistence_kworker_file_creation.toml rules/linux/persistence_manual_dracut_execution.toml rules/linux/credential_access_potential_linux_local_account_bruteforce.toml rules/linux/privilege_escalation_dac_permissions.toml rules/linux/persistence_shadow_file_modification.toml rules/linux/persistence_yum_package_manager_plugin_file_creation.toml rules/linux/persistence_dpkg_unusual_execution.toml rules/linux/defense_evasion_log_files_deleted.toml pyproject.toml rules/linux/defense_evasion_attempt_to_disable_auditd_service.toml rules/linux/persistence_init_d_file_creation.toml rules/linux/persistence_systemd_generator_creation.toml rules/linux/execution_file_execution_followed_by_deletion.toml rules/linux/defense_evasion_chattr_immutable_file.toml rules/linux/discovery_esxi_software_via_grep.toml rules/linux/persistence_extract_initramfs_via_cpio.toml rules/linux/persistence_grub_makeconfig.toml 
rules/linux/persistence_git_hook_execution.toml rules/linux/execution_cupsd_foomatic_rip_file_creation.toml rules/linux/defense_evasion_hidden_file_dir_tmp.toml rules/linux/defense_evasion_hidden_directory_creation.toml rules/linux/persistence_simple_web_server_connection_accepted.toml rules/linux/discovery_suspicious_memory_grep_activity.toml rules/linux/persistence_unusual_pam_grantor.toml rules/linux/defense_evasion_clear_kernel_ring_buffer.toml rules/linux/persistence_potential_persistence_script_executable_bit_set.toml rules/linux/discovery_kernel_unpacking.toml rules/linux/persistence_insmod_kernel_module_load.toml rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml rules/linux/discovery_private_key_password_searching_activity.toml rules/linux/persistence_ssh_netcon.toml rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml rules/linux/persistence_user_or_group_creation_or_modification.toml rules/linux/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml rules/linux/persistence_systemd_service_started.toml rules/linux/persistence_cron_job_creation.toml rules/linux/persistence_pluggable_authentication_module_creation_in_unusual_dir.toml rules/linux/persistence_systemd_netcon.toml rules/network/discovery_potential_syn_port_scan_detected.toml rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml rules/linux/privilege_escalation_suspicious_uid_guid_elevation.toml rules/linux/persistence_user_password_change.toml rules/linux/discovery_suspicious_which_command_execution.toml rules/linux/collection_linux_clipboard_activity.toml rules/linux/persistence_systemd_scheduled_timer_created.toml rules/linux/execution_system_binary_file_permission_change.toml rules/linux/execution_suspicious_executable_running_system_commands.toml rules/linux/credential_access_ssh_backdoor_log.toml rules/linux/execution_shell_openssl_client_or_server.toml ... |
8. | 99630311+terrancedejesus@users.noreply.github.com | mikaayenson@users.noreply.github.com |
147 shared files
rules/integrations/github/persistence_github_org_owner_added.toml rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml rules/threat_intel/threat_intel_indicator_match_address.toml rules/integrations/endpoint/execution_elastic_malicious_file_prevented.toml rules/integrations/github/persistence_organization_owner_role_granted.toml rules/integrations/o365/initial_access_microsoft_365_impossible_travel_portal_logins.toml rules/integrations/okta/impact_possible_okta_dos_attack.toml rules/integrations/o365/initial_access_microsoft_365_portal_login_from_rare_location.toml rules/integrations/aws/exfiltration_s3_bucket_policy_added_for_external_account_access.toml rules/integrations/o365/initial_access_microsoft_365_impossible_travel_activity.toml rules/integrations/aws/impact_s3_object_encryption_with_external_key.toml rules/integrations/aws_bedrock/aws_bedrock_high_confidence_misconduct_blocks_detected.toml rules/linux/command_and_control_aws_cli_endpoint_url_used.toml rules/integrations/aws/exfiltration_ec2_ami_shared_with_separate_account.toml README.md rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml rules/integrations/okta/okta_threatinsight_threat_suspected_promotion.toml rules/integrations/aws/discovery_ec2_multiple_discovery_api_calls_via_cli.toml .github/workflows/lock-versions.yml rules/integrations/azure/credential_access_azure_entra_totp_brute_force_attempts.toml rules/integrations/endpoint/impact_elastic_ransomware_prevented.toml rules/integrations/aws/exfiltration_sns_email_subscription_by_rare_user.toml rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.toml 
rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml rules/integrations/aws/defense_evasion_sqs_purge_queue.toml rules/integrations/github/impact_github_repository_deleted.toml rules/integrations/github/execution_github_app_deleted.toml rules/integrations/aws/persistence_iam_create_user_via_assumed_role_on_ec2_instance.toml rules/integrations/okta/credential_access_okta_mfa_bombing_via_push_notifications.toml rules/integrations/okta/initial_access_new_authentication_behavior_detection.toml rules/integrations/endpoint/defense_evasion_elastic_memory_threat_detected.toml rules/integrations/okta/initial_access_successful_application_sso_from_unknown_client_device.toml rules/cross-platform/execution_potential_widespread_malware_infection.toml rules/threat_intel/threat_intel_rapid7_threat_command.toml rules/integrations/aws_bedrock/aws_bedrock_multiple_validation_exception_errors_by_single_user.toml rules/integrations/aws/privilege_escalation_role_assumption_by_user.toml rules/integrations/aws/defense_evasion_vpc_security_group_ingress_rule_added_for_remote_connections.toml rules/integrations/aws/impact_s3_bucket_object_uploaded_with_ransom_extension.toml .github/workflows/manual-backport.yml rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml rules/linux/credential_access_unusual_instance_metadata_service_api_request.toml rules/windows/lateral_movement_direct_outbound_smb_connection.toml rules/integrations/aws/execution_lambda_external_layer_added_to_function.toml rules/integrations/okta/defense_evasion_first_occurence_public_app_client_credential_token_exchange.toml rules/integrations/endpoint/impact_elastic_ransomware_detected.toml rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml rules/threat_intel/threat_intel_indicator_match_url.toml rules/integrations/okta/persistence_new_idp_successfully_added_by_admin.toml 
rules/windows/credential_access_dcsync_user_backdoor.toml detection_rules/devtools.py rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml rules/cross-platform/guided_onboarding_sample_rule.toml .github/workflows/add-guidelines.yml pyproject.toml rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml rules/integrations/aws/discovery_new_terms_sts_getcalleridentity.toml rules/integrations/aws_bedrock/aws_bedrock_multiple_attempts_to_use_denied_models_by_user.toml rules/integrations/okta/credential_access_okta_multiple_device_token_hashes_for_single_user.toml rules/integrations/azure/credential_access_entra_signin_brute_force_microsoft_365.toml rules/integrations/aws_bedrock/aws_bedrock_high_resource_consumption_detection.toml rules/integrations/okta/persistence_mfa_deactivation_with_no_reactivation.toml .github/workflows/release-fleet.yml rules/integrations/endpoint/elastic_endpoint_security.toml rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml .github/CODEOWNERS rules/integrations/aws/exfiltration_ec2_ebs_snapshot_shared_with_another_account.toml .github/workflows/pythonpackage.yml rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_with_the_same_device_token_hash.toml .github/PULL_REQUEST_GUIDELINES/hunt_tuning_guidelines.md rules/integrations/aws/discovery_ec2_multi_region_describe_instances.toml rules/integrations/azure/credential_access_first_time_seen_device_code_auth.toml rules/integrations/okta/credential_access_okta_potentially_successful_okta_bombing_via_push_notifications.toml rules/integrations/okta/credential_access_multiple_auth_events_from_single_device_behind_proxy.toml 
rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml rules/integrations/aws/persistence_iam_create_login_profile_for_root.toml rules/integrations/aws/persistence_lambda_backdoor_invoke_function_for_any_principal.toml rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml rules/integrations/google_workspace/defense_evasion_restrictions_for_marketplace_modified_to_allow_any_app.toml rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml detection_rules/rule.py rules/integrations/azure/credential_access_entra_signin_brute_force_microsoft_365_repeat_source.toml rules/integrations/aws/initial_access_signin_console_login_no_mfa.toml rules/integrations/o365/credential_access_microsoft_365_brute_force_user_account_attempt.toml rules/integrations/aws/discovery_ec2_deprecated_ami_discovery.toml rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_from_single_source.toml rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml rules/integrations/okta/initial_access_okta_user_sessions_started_from_different_geolocations.toml rules/integrations/okta/credential_access_multiple_device_token_hashes_for_single_okta_session.toml .github/workflows/backport.yml rules/cross-platform/execution_aws_ssm_sendcommand_with_command_parameters.toml rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml ... |
9. | 91139415+shashank-elastic@users.noreply.github.com | eric.forte@elastic.co |
136 shared files
detection_rules/etc/ecs_schemas/8.5.1/ecs_flat.json.gz detection_rules/etc/ecs_schemas/8.7.0/ecs_flat.json.gz rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml detection_rules/etc/ecs_schemas/8.11.0/ecs_flat.json.gz detection_rules/etc/beats_schemas/main.json.gz detection_rules/etc/ecs_schemas/8.3.1/ecs_nested.json.gz detection_rules/etc/integration-manifests.json.gz detection_rules/etc/ecs_schemas/8.3.0/ecs_nested.json.gz detection_rules/etc/ecs_schemas/1.12.2/ecs_flat.json.gz detection_rules/etc/ecs_schemas/master_8.12.0-dev/ecs_flat.json.gz detection_rules/etc/api_schemas/master/master.threat_match.json rules/integrations/okta/impact_possible_okta_dos_attack.toml detection_rules/etc/ecs_schemas/1.9.0/ecs_flat.json.gz rules/integrations/aws/exfiltration_s3_bucket_policy_added_for_external_account_access.toml detection_rules/etc/ecs_schemas/8.10.0/ecs_nested.json.gz rules/integrations/okta/okta_threatinsight_threat_suspected_promotion.toml .github/workflows/lock-versions.yml detection_rules/etc/api_schemas/master/master.threshold.json rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml rules/integrations/okta/credential_access_okta_mfa_bombing_via_push_notifications.toml rules/integrations/okta/initial_access_new_authentication_behavior_detection.toml detection_rules/etc/packages.yaml detection_rules/etc/ecs_schemas/8.6.1/ecs_flat.json.gz rules_building_block/execution_aws_lambda_function_updated.toml detection_rules/etc/ecs_schemas/8.7.0/ecs_nested.json.gz detection_rules/etc/ecs_schemas/8.6.0/ecs_flat.json.gz rules/integrations/aws/defense_evasion_vpc_security_group_ingress_rule_added_for_remote_connections.toml 
rules_building_block/discovery_userdata_request_from_ec2_instance.toml detection_rules/etc/api_schemas/master/master.query.json rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_flat.json.gz detection_rules/etc/ecs_schemas/8.5.2/ecs_flat.json.gz detection_rules/etc/version.lock.json detection_rules/etc/ecs_schemas/8.6.1/ecs_nested.json.gz rules/integrations/aws/execution_lambda_external_layer_added_to_function.toml detection_rules/etc/ecs_schemas/8.2.1/ecs_flat.json.gz detection_rules/etc/api_schemas/master/master.base.json rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml detection_rules/etc/ecs_schemas/1.12.1/ecs_flat.json.gz detection_rules/etc/ecs_schemas/8.6.0/ecs_nested.json.gz rules/integrations/okta/persistence_new_idp_successfully_added_by_admin.toml rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml detection_rules/etc/ecs_schemas/8.2.0/ecs_nested.json.gz rules/integrations/aws/credential_access_rapid_secret_retrieval_attempts_from_secretsmanager.toml rules/integrations/aws/credential_access_new_terms_secretsmanager_getsecretvalue.toml detection_rules/etc/integration-schemas.json.gz detection_rules/etc/ecs_schemas/1.10.0/ecs_nested.json.gz detection_rules/etc/api_schemas/master/master.machine_learning.json detection_rules/etc/ecs_schemas/8.9.0/ecs_flat.json.gz detection_rules/etc/ecs_schemas/8.3.1/ecs_flat.json.gz rules/integrations/okta/persistence_mfa_deactivation_with_no_reactivation.toml detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_flat.json.gz rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml rules/linux/persistence_unusual_pam_grantor.toml rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml 
detection_rules/etc/ecs_schemas/8.8.0/ecs_flat.json.gz detection_rules/etc/ecs_schemas/8.0.0/ecs_flat.json.gz rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml detection_rules/etc/ecs_schemas/1.12.2/ecs_nested.json.gz detection_rules/etc/ecs_schemas/8.4.0/ecs_nested.json.gz detection_rules/etc/stack-schema-map.yaml rules/linux/persistence_systemd_service_started.toml rules/integrations/okta/credential_access_okta_potentially_successful_okta_bombing_via_push_notifications.toml rules/integrations/aws/privilege_escalation_ec2_instance_connect_ssh_public_key_uploaded.toml rules/integrations/okta/credential_access_multiple_auth_events_from_single_device_behind_proxy.toml rules/linux/persistence_cron_job_creation.toml rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml rules/integrations/aws/persistence_lambda_backdoor_invoke_function_for_any_principal.toml detection_rules/etc/ecs_schemas/1.10.0/ecs_flat.json.gz rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml detection_rules/etc/ecs_schemas/8.1.0/ecs_flat.json.gz rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml detection_rules/etc/ecs_schemas/8.5.1/ecs_nested.json.gz detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_flat.json.gz detection_rules/etc/ecs_schemas/8.5.0/ecs_nested.json.gz detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_nested.json.gz detection_rules/etc/ecs_schemas/1.11.0/ecs_flat.json.gz detection_rules/etc/ecs_schemas/1.12.1/ecs_nested.json.gz detection_rules/etc/ecs_schemas/8.9.0/ecs_nested.json.gz rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml 
detection_rules/etc/ecs_schemas/8.2.0/ecs_flat.json.gz rules/integrations/cloud_defend/privilege_escalation_mount_launched_inside_a_privileged_container.toml detection_rules/etc/ecs_schemas/1.12.0/ecs_flat.json.gz rules/integrations/cloud_defend/privilege_escalation_debugfs_launched_inside_a_privileged_container.toml detection_rules/etc/ecs_schemas/8.5.2/ecs_nested.json.gz detection_rules/etc/ecs_schemas/1.11.0/ecs_nested.json.gz rules/integrations/okta/initial_access_sign_in_events_via_third_party_idp.toml rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml rules/integrations/aws/persistence_iam_roles_anywhere_profile_created.toml rules/integrations/aws/defense_evasion_s3_bucket_lifecycle_expiration_added.toml detection_rules/etc/ecs_schemas/8.8.0/ecs_nested.json.gz detection_rules/etc/ecs_schemas/8.1.0/ecs_nested.json.gz rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml ... |
10. | eric.forte@elastic.co | mika.ayenson@elastic.co |
136 shared files
detection_rules/etc/ecs_schemas/8.5.1/ecs_flat.json.gz detection_rules/etc/ecs_schemas/8.7.0/ecs_flat.json.gz rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml detection_rules/etc/ecs_schemas/8.11.0/ecs_flat.json.gz detection_rules/etc/beats_schemas/main.json.gz detection_rules/etc/ecs_schemas/8.3.1/ecs_nested.json.gz detection_rules/etc/integration-manifests.json.gz detection_rules/etc/ecs_schemas/8.3.0/ecs_nested.json.gz detection_rules/etc/ecs_schemas/1.12.2/ecs_flat.json.gz detection_rules/etc/ecs_schemas/master_8.12.0-dev/ecs_flat.json.gz detection_rules/etc/api_schemas/master/master.threat_match.json rules/integrations/okta/impact_possible_okta_dos_attack.toml detection_rules/etc/ecs_schemas/1.9.0/ecs_flat.json.gz rules/integrations/aws/exfiltration_s3_bucket_policy_added_for_external_account_access.toml detection_rules/etc/ecs_schemas/8.10.0/ecs_nested.json.gz rules/integrations/okta/okta_threatinsight_threat_suspected_promotion.toml .github/workflows/lock-versions.yml detection_rules/etc/api_schemas/master/master.threshold.json rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml rules/integrations/okta/credential_access_okta_mfa_bombing_via_push_notifications.toml rules/integrations/okta/initial_access_new_authentication_behavior_detection.toml detection_rules/etc/packages.yaml detection_rules/etc/ecs_schemas/8.6.1/ecs_flat.json.gz rules_building_block/execution_aws_lambda_function_updated.toml detection_rules/etc/ecs_schemas/8.7.0/ecs_nested.json.gz detection_rules/etc/ecs_schemas/8.6.0/ecs_flat.json.gz rules/integrations/aws/defense_evasion_vpc_security_group_ingress_rule_added_for_remote_connections.toml 
rules_building_block/discovery_userdata_request_from_ec2_instance.toml detection_rules/etc/api_schemas/master/master.query.json rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_flat.json.gz detection_rules/etc/ecs_schemas/8.5.2/ecs_flat.json.gz detection_rules/etc/version.lock.json detection_rules/etc/ecs_schemas/8.6.1/ecs_nested.json.gz rules/integrations/aws/execution_lambda_external_layer_added_to_function.toml detection_rules/etc/ecs_schemas/8.2.1/ecs_flat.json.gz detection_rules/etc/api_schemas/master/master.base.json rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml detection_rules/etc/ecs_schemas/1.12.1/ecs_flat.json.gz detection_rules/etc/ecs_schemas/8.6.0/ecs_nested.json.gz rules/integrations/okta/persistence_new_idp_successfully_added_by_admin.toml rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml detection_rules/etc/ecs_schemas/8.2.0/ecs_nested.json.gz rules/integrations/aws/credential_access_rapid_secret_retrieval_attempts_from_secretsmanager.toml rules/integrations/aws/credential_access_new_terms_secretsmanager_getsecretvalue.toml detection_rules/etc/integration-schemas.json.gz detection_rules/etc/ecs_schemas/1.10.0/ecs_nested.json.gz detection_rules/etc/api_schemas/master/master.machine_learning.json detection_rules/etc/ecs_schemas/8.9.0/ecs_flat.json.gz detection_rules/etc/ecs_schemas/8.3.1/ecs_flat.json.gz rules/integrations/okta/persistence_mfa_deactivation_with_no_reactivation.toml detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_flat.json.gz rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml rules/linux/persistence_unusual_pam_grantor.toml rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml 
detection_rules/etc/ecs_schemas/8.8.0/ecs_flat.json.gz detection_rules/etc/ecs_schemas/8.0.0/ecs_flat.json.gz rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml detection_rules/etc/ecs_schemas/1.12.2/ecs_nested.json.gz detection_rules/etc/ecs_schemas/8.4.0/ecs_nested.json.gz detection_rules/etc/stack-schema-map.yaml rules/linux/persistence_systemd_service_started.toml rules/integrations/okta/credential_access_okta_potentially_successful_okta_bombing_via_push_notifications.toml rules/integrations/aws/privilege_escalation_ec2_instance_connect_ssh_public_key_uploaded.toml rules/integrations/okta/credential_access_multiple_auth_events_from_single_device_behind_proxy.toml rules/linux/persistence_cron_job_creation.toml rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml rules/integrations/aws/persistence_lambda_backdoor_invoke_function_for_any_principal.toml detection_rules/etc/ecs_schemas/1.10.0/ecs_flat.json.gz rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml detection_rules/etc/ecs_schemas/8.1.0/ecs_flat.json.gz rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml detection_rules/etc/ecs_schemas/8.5.1/ecs_nested.json.gz detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_flat.json.gz detection_rules/etc/ecs_schemas/8.5.0/ecs_nested.json.gz detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_nested.json.gz detection_rules/etc/ecs_schemas/1.11.0/ecs_flat.json.gz detection_rules/etc/ecs_schemas/1.12.1/ecs_nested.json.gz detection_rules/etc/ecs_schemas/8.9.0/ecs_nested.json.gz rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml 
detection_rules/etc/ecs_schemas/8.2.0/ecs_flat.json.gz rules/integrations/cloud_defend/privilege_escalation_mount_launched_inside_a_privileged_container.toml detection_rules/etc/ecs_schemas/1.12.0/ecs_flat.json.gz rules/integrations/cloud_defend/privilege_escalation_debugfs_launched_inside_a_privileged_container.toml detection_rules/etc/ecs_schemas/8.5.2/ecs_nested.json.gz detection_rules/etc/ecs_schemas/1.11.0/ecs_nested.json.gz rules/integrations/okta/initial_access_sign_in_events_via_third_party_idp.toml rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml rules/integrations/aws/persistence_iam_roles_anywhere_profile_created.toml rules/integrations/aws/defense_evasion_s3_bucket_lifecycle_expiration_added.toml detection_rules/etc/ecs_schemas/8.8.0/ecs_nested.json.gz detection_rules/etc/ecs_schemas/8.1.0/ecs_nested.json.gz rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml ... |
11. | 91139415+shashank-elastic@users.noreply.github.com | 99630311+terrancedejesus@users.noreply.github.com |
134 shared files
rules/integrations/github/persistence_github_org_owner_added.toml rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml rules/threat_intel/threat_intel_indicator_match_address.toml rules_building_block/execution_github_new_repo_interaction_for_user.toml rules_building_block/impact_github_user_blocked_from_organization.toml rules_building_block/impact_github_pat_access_revoked.toml detection_rules/etc/integration-manifests.json.gz rules/integrations/github/persistence_organization_owner_role_granted.toml rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml rules_building_block/persistence_github_new_user_added_to_organization.toml rules/integrations/okta/impact_possible_okta_dos_attack.toml rules/integrations/aws/exfiltration_s3_bucket_policy_added_for_external_account_access.toml rules/integrations/aws/impact_s3_object_encryption_with_external_key.toml rules/integrations/aws_bedrock/aws_bedrock_high_confidence_misconduct_blocks_detected.toml detection_rules/schemas/definitions.py rules/integrations/aws/exfiltration_ec2_ami_shared_with_separate_account.toml rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml rules/integrations/okta/okta_threatinsight_threat_suspected_promotion.toml .github/workflows/lock-versions.yml rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml rules/integrations/github/impact_github_repository_deleted.toml rules/integrations/github/execution_github_app_deleted.toml rules_building_block/initial_access_github_new_ip_address_for_pat.toml rules/integrations/okta/credential_access_okta_mfa_bombing_via_push_notifications.toml 
rules/integrations/okta/initial_access_new_authentication_behavior_detection.toml rules/integrations/okta/initial_access_successful_application_sso_from_unknown_client_device.toml rules/integrations/o365/credential_access_microsoft_365_potential_password_spraying_attack.toml rules/threat_intel/threat_intel_rapid7_threat_command.toml rules_building_block/execution_aws_lambda_function_updated.toml rules/integrations/aws_bedrock/aws_bedrock_multiple_validation_exception_errors_by_single_user.toml rules/integrations/aws/defense_evasion_vpc_security_group_ingress_rule_added_for_remote_connections.toml rules_building_block/initial_access_github_new_ip_address_for_user.toml rules_building_block/discovery_userdata_request_from_ec2_instance.toml rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml rules_building_block/execution_github_repo_created.toml rules/windows/lateral_movement_direct_outbound_smb_connection.toml rules/integrations/aws/execution_lambda_external_layer_added_to_function.toml rules/integrations/okta/defense_evasion_first_occurence_public_app_client_credential_token_exchange.toml .github/workflows/kibana-mitre-update.yml rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml rules/threat_intel/threat_intel_indicator_match_url.toml rules/integrations/okta/persistence_new_idp_successfully_added_by_admin.toml rules/windows/persistence_startup_folder_scripts.toml rules/windows/credential_access_dcsync_user_backdoor.toml detection_rules/devtools.py rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml rules/cross-platform/guided_onboarding_sample_rule.toml .github/workflows/add-guidelines.yml pyproject.toml rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml rules/integrations/aws/credential_access_rapid_secret_retrieval_attempts_from_secretsmanager.toml rules/integrations/aws/credential_access_new_terms_secretsmanager_getsecretvalue.toml 
detection_rules/etc/integration-schemas.json.gz rules/integrations/aws/discovery_new_terms_sts_getcalleridentity.toml rules/integrations/aws_bedrock/aws_bedrock_multiple_attempts_to_use_denied_models_by_user.toml rules/integrations/okta/credential_access_okta_multiple_device_token_hashes_for_single_user.toml rules/integrations/aws_bedrock/aws_bedrock_high_resource_consumption_detection.toml rules/integrations/okta/persistence_mfa_deactivation_with_no_reactivation.toml rules/integrations/aws/persistence_ec2_route_table_modified_or_deleted.toml rules/integrations/endpoint/elastic_endpoint_security.toml rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml .github/workflows/pythonpackage.yml rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml rules_building_block/execution_github_new_event_action_for_pat.toml rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_with_the_same_device_token_hash.toml rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml rules/integrations/okta/credential_access_okta_potentially_successful_okta_bombing_via_push_notifications.toml rules/integrations/aws/privilege_escalation_ec2_instance_connect_ssh_public_key_uploaded.toml rules/integrations/okta/credential_access_multiple_auth_events_from_single_device_behind_proxy.toml rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml rules/integrations/aws/persistence_lambda_backdoor_invoke_function_for_any_principal.toml rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml 
rules_building_block/initial_access_github_new_user_agent_for_pat.toml rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml detection_rules/rule.py rules/integrations/o365/credential_access_microsoft_365_brute_force_user_account_attempt.toml rules_building_block/discovery_generic_registry_query.toml rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_role.toml rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_from_single_source.toml rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml rules/integrations/aws/discovery_ec2_userdata_request_for_ec2_instance.toml rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml rules/integrations/okta/initial_access_okta_user_sessions_started_from_different_geolocations.toml rules/integrations/okta/credential_access_multiple_device_token_hashes_for_single_okta_session.toml .github/workflows/backport.yml rules/windows/defense_evasion_msbuild_making_network_connections.toml rules_building_block/initial_access_github_new_user_agent_for_user.toml rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_group.toml rules/cross-platform/execution_aws_ssm_sendcommand_with_command_parameters.toml rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml rules/integrations/okta/initial_access_sign_in_events_via_third_party_idp.toml rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml rules/integrations/aws/persistence_iam_roles_anywhere_profile_created.toml ... |
12. | 78494512+aegrah@users.noreply.github.com | 26856693+w0rk3r@users.noreply.github.com |
103 shared files
rules/linux/defense_evasion_mount_execution.toml rules/network/discovery_potential_network_sweep_detected.toml detection_rules/etc/integration-manifests.json.gz rules/linux/discovery_polkit_version_discovery.toml rules/linux/defense_evasion_selinux_configuration_creation_or_renaming.toml rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml rules/linux/persistence_git_hook_process_execution.toml rules/linux/command_and_control_linux_ssh_x11_forwarding.toml rules/linux/execution_netcon_from_rwx_mem_region_binary.toml rules/linux/execution_cupsd_foomatic_rip_lp_user_execution.toml rules/linux/defense_evasion_root_certificate_installation.toml rules/linux/defense_evasion_directory_creation_in_bin.toml rules/linux/execution_potential_hack_tool_executed.toml rules/linux/execution_remote_code_execution_via_postgresql.toml rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml rules/linux/defense_evasion_dynamic_linker_file_creation.toml rules/linux/persistence_process_capability_set_via_setcap.toml rules/linux/persistence_apt_package_manager_execution.toml rules/linux/defense_evasion_ssl_certificate_deletion.toml rules/linux/persistence_apt_package_manager_netcon.toml rules/linux/defense_evasion_hex_payload_execution.toml rules/linux/defense_evasion_kernel_module_removal.toml rules/linux/persistence_message_of_the_day_execution.toml rules/linux/persistence_ssh_key_generation.toml rules/linux/persistence_simple_web_server_creation.toml rules/linux/privilege_escalation_potential_suid_sgid_exploitation.toml rules/linux/exfiltration_potential_data_splitting_for_exfiltration.toml rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml rules/linux/persistence_git_hook_file_creation.toml rules/linux/discovery_kernel_seeking.toml rules/linux/execution_cupsd_foomatic_rip_suspicious_child_execution.toml rules/linux/persistence_kworker_file_creation.toml rules/linux/persistence_manual_dracut_execution.toml 
rules/linux/credential_access_potential_linux_local_account_bruteforce.toml rules/linux/persistence_dpkg_unusual_execution.toml rules/linux/defense_evasion_log_files_deleted.toml pyproject.toml rules/linux/defense_evasion_attempt_to_disable_auditd_service.toml rules/linux/persistence_init_d_file_creation.toml detection_rules/etc/integration-schemas.json.gz rules/linux/execution_file_execution_followed_by_deletion.toml rules/linux/defense_evasion_chattr_immutable_file.toml rules/linux/discovery_esxi_software_via_grep.toml rules/linux/persistence_git_hook_execution.toml rules/linux/execution_cupsd_foomatic_rip_file_creation.toml rules/linux/defense_evasion_hidden_file_dir_tmp.toml rules/linux/defense_evasion_hidden_directory_creation.toml rules/linux/discovery_suspicious_memory_grep_activity.toml rules/linux/defense_evasion_clear_kernel_ring_buffer.toml rules/linux/persistence_potential_persistence_script_executable_bit_set.toml rules/linux/discovery_kernel_unpacking.toml rules/linux/persistence_insmod_kernel_module_load.toml rules/linux/discovery_private_key_password_searching_activity.toml rules/linux/persistence_ssh_netcon.toml rules/linux/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml rules/linux/persistence_pluggable_authentication_module_creation_in_unusual_dir.toml rules/linux/persistence_systemd_netcon.toml rules/network/discovery_potential_syn_port_scan_detected.toml rules/linux/privilege_escalation_suspicious_uid_guid_elevation.toml rules/linux/discovery_suspicious_which_command_execution.toml rules/linux/execution_system_binary_file_permission_change.toml rules/linux/credential_access_ssh_backdoor_log.toml rules/linux/execution_shell_openssl_client_or_server.toml rules/linux/defense_evasion_doas_configuration_creation_or_rename.toml rules/linux/persistence_setuid_setgid_capability_set.toml rules/linux/command_and_control_curl_socks_proxy_detected.toml rules/network/discovery_potential_port_scan_detected.toml 
rules/linux/execution_python_webserver_spawned.toml rules/linux/discovery_yum_dnf_plugin_detection.toml rules/linux/defense_evasion_disable_apparmor_attempt.toml rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml rules/linux/persistence_kde_autostart_modification.toml rules/linux/persistence_xdg_autostart_netcon.toml rules/linux/discovery_sudo_allowed_command_enumeration.toml rules/linux/impact_potential_linux_ransomware_note_detected.toml rules/linux/discovery_pam_version_discovery.toml rules/linux/persistence_rc_script_creation.toml rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml rules/linux/execution_cupsd_foomatic_rip_shell_execution.toml rules/linux/defense_evasion_acl_modification_via_setfacl.toml rules/linux/execution_network_event_post_compilation.toml rules/linux/defense_evasion_creation_of_hidden_files_directories.toml rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml rules/linux/discovery_esxi_software_via_find.toml rules/linux/privilege_escalation_sda_disk_mount_non_root.toml rules/linux/execution_unix_socket_communication.toml rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml rules/linux/persistence_linux_user_added_to_privileged_group.toml rules/linux/persistence_etc_file_creation.toml rules/linux/impact_memory_swap_modification.toml rules/linux/defense_evasion_ld_so_creation.toml rules/linux/discovery_unusual_user_enumeration_via_id.toml rules/linux/defense_evasion_hidden_shared_object.toml rules/linux/execution_egress_connection_from_entrypoint_in_container.toml rules/linux/command_and_control_linux_chisel_client_activity.toml rules/linux/privilege_escalation_netcon_via_sudo_binary.toml rules/linux/persistence_chkconfig_service_add.toml rules/linux/persistence_dnf_package_manager_plugin_file_creation.toml rules/linux/discovery_security_file_access_via_common_utility.toml ... |
13. | 91139415+shashank-elastic@users.noreply.github.com | 78494512+aegrah@users.noreply.github.com |
99 shared files
rules/linux/defense_evasion_mount_execution.toml rules/network/discovery_potential_network_sweep_detected.toml detection_rules/etc/integration-manifests.json.gz rules/linux/privilege_escalation_sudo_hijacking.toml rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml rules/linux/persistence_message_of_the_day_creation.toml rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml rules/linux/command_and_control_linux_kworker_netcon.toml rules/linux/command_and_control_linux_ssh_x11_forwarding.toml rules/linux/execution_netcon_from_rwx_mem_region_binary.toml rules/linux/execution_potential_hack_tool_executed.toml rules/linux/execution_remote_code_execution_via_postgresql.toml rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml rules/linux/persistence_apt_package_manager_execution.toml rules/linux/persistence_shared_object_creation.toml rules/cross-platform/execution_suspicious_java_netcon_childproc.toml rules/linux/persistence_systemd_service_creation.toml rules/linux/execution_unusual_pkexec_execution.toml rules/linux/persistence_apt_package_manager_netcon.toml rules/linux/defense_evasion_kernel_module_removal.toml rules/linux/persistence_message_of_the_day_execution.toml rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml rules/linux/privilege_escalation_potential_suid_sgid_exploitation.toml rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml rules_building_block/discovery_potential_memory_seeking_activity.toml rules/linux/privilege_escalation_shadow_file_read.toml rules/linux/execution_abnormal_process_id_file_created.toml rules/linux/persistence_kworker_file_creation.toml rules/linux/credential_access_potential_linux_local_account_bruteforce.toml rules/linux/privilege_escalation_dac_permissions.toml rules/linux/defense_evasion_log_files_deleted.toml pyproject.toml rules/cross-platform/discovery_security_software_grep.toml rules/linux/persistence_init_d_file_creation.toml 
detection_rules/etc/integration-schemas.json.gz rules/linux/execution_file_execution_followed_by_deletion.toml rules/linux/defense_evasion_chattr_immutable_file.toml rules/linux/discovery_esxi_software_via_grep.toml rules/linux/defense_evasion_hidden_file_dir_tmp.toml rules/linux/persistence_unusual_pam_grantor.toml rules/linux/defense_evasion_clear_kernel_ring_buffer.toml rules/linux/persistence_insmod_kernel_module_load.toml rules_building_block/discovery_capnetraw_capability.toml rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml rules/linux/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml rules/linux/persistence_systemd_service_started.toml rules/linux/persistence_cron_job_creation.toml rules/linux/persistence_systemd_netcon.toml rules/network/discovery_potential_syn_port_scan_detected.toml rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml rules/linux/privilege_escalation_suspicious_uid_guid_elevation.toml rules/linux/discovery_suspicious_which_command_execution.toml rules/linux/persistence_systemd_scheduled_timer_created.toml rules/linux/execution_suspicious_executable_running_system_commands.toml rules/linux/credential_access_ssh_backdoor_log.toml rules/integrations/fim/persistence_suspicious_file_modifications.toml rules/linux/persistence_setuid_setgid_capability_set.toml rules/network/discovery_potential_port_scan_detected.toml rules/linux/defense_evasion_file_mod_writable_dir.toml rules_building_block/discovery_linux_sysctl_enumeration.toml rules/linux/persistence_shell_configuration_modification.toml rules/linux/defense_evasion_disable_apparmor_attempt.toml rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml rules/linux/persistence_kde_autostart_modification.toml rules/linux/discovery_sudo_allowed_command_enumeration.toml rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml rules/linux/impact_potential_linux_ransomware_note_detected.toml 
rules/linux/persistence_udev_rule_creation.toml rules/linux/persistence_polkit_policy_creation.toml rules/linux/persistence_rc_script_creation.toml rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml rules/cross-platform/execution_suspicious_jar_child_process.toml rules_building_block/discovery_linux_modprobe_enumeration.toml rules/linux/execution_network_event_post_compilation.toml rules/linux/discovery_pspy_process_monitoring_detected.toml rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml rules/cross-platform/command_and_control_non_standard_ssh_port.toml rules/linux/discovery_esxi_software_via_find.toml rules/linux/privilege_escalation_sda_disk_mount_non_root.toml rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml rules/linux/persistence_linux_user_added_to_privileged_group.toml rules/linux/persistence_etc_file_creation.toml rules/linux/execution_potentially_overly_permissive_container_creation.toml rules/linux/discovery_kernel_module_enumeration.toml rules_building_block/discovery_kernel_module_enumeration_via_proc.toml rules/linux/discovery_unusual_user_enumeration_via_id.toml rules/linux/defense_evasion_hidden_shared_object.toml rules/linux/persistence_dpkg_package_installation_from_unusual_parent.toml rules/linux/command_and_control_linux_chisel_client_activity.toml rules/linux/privilege_escalation_netcon_via_sudo_binary.toml rules/linux/persistence_chkconfig_service_add.toml rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml rules/linux/persistence_rpm_package_installation_from_unusual_parent.toml rules/linux/persistence_credential_access_modify_ssh_binaries.toml tests/test_all_rules.py rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml |
14. | mika.ayenson@elastic.co | 99630311+terrancedejesus@users.noreply.github.com |
95 shared files
rules/integrations/github/persistence_github_org_owner_added.toml rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml rules_building_block/execution_github_new_repo_interaction_for_user.toml rules_building_block/impact_github_user_blocked_from_organization.toml rules_building_block/impact_github_pat_access_revoked.toml detection_rules/etc/integration-manifests.json.gz rules/integrations/github/persistence_organization_owner_role_granted.toml rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml rules_building_block/persistence_github_new_user_added_to_organization.toml rules/integrations/okta/impact_possible_okta_dos_attack.toml rules/integrations/aws/exfiltration_s3_bucket_policy_added_for_external_account_access.toml rules/integrations/aws/exfiltration_ec2_ami_shared_with_separate_account.toml rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml rules/integrations/okta/okta_threatinsight_threat_suspected_promotion.toml .github/workflows/lock-versions.yml rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml rules/integrations/github/impact_github_repository_deleted.toml rules/integrations/github/execution_github_app_deleted.toml rules_building_block/initial_access_github_new_ip_address_for_pat.toml rules/integrations/okta/credential_access_okta_mfa_bombing_via_push_notifications.toml rules/integrations/okta/initial_access_new_authentication_behavior_detection.toml rules/integrations/o365/credential_access_microsoft_365_potential_password_spraying_attack.toml rules_building_block/execution_aws_lambda_function_updated.toml 
rules/integrations/aws/defense_evasion_vpc_security_group_ingress_rule_added_for_remote_connections.toml rules_building_block/initial_access_github_new_ip_address_for_user.toml rules_building_block/discovery_userdata_request_from_ec2_instance.toml rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml rules_building_block/execution_github_repo_created.toml rules/windows/lateral_movement_direct_outbound_smb_connection.toml rules/integrations/aws/execution_lambda_external_layer_added_to_function.toml rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml rules/integrations/okta/persistence_new_idp_successfully_added_by_admin.toml rules/windows/persistence_startup_folder_scripts.toml detection_rules/devtools.py rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml rules/cross-platform/guided_onboarding_sample_rule.toml rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml rules/integrations/aws/credential_access_rapid_secret_retrieval_attempts_from_secretsmanager.toml rules/integrations/aws/credential_access_new_terms_secretsmanager_getsecretvalue.toml detection_rules/etc/integration-schemas.json.gz rules/integrations/okta/persistence_mfa_deactivation_with_no_reactivation.toml rules/integrations/endpoint/elastic_endpoint_security.toml rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml rules_building_block/execution_github_new_event_action_for_pat.toml rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml rules/integrations/okta/credential_access_okta_potentially_successful_okta_bombing_via_push_notifications.toml rules/integrations/aws/privilege_escalation_ec2_instance_connect_ssh_public_key_uploaded.toml 
rules/integrations/okta/credential_access_multiple_auth_events_from_single_device_behind_proxy.toml rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml rules/integrations/aws/persistence_lambda_backdoor_invoke_function_for_any_principal.toml rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml rules_building_block/initial_access_github_new_user_agent_for_pat.toml rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml rules/integrations/o365/credential_access_microsoft_365_brute_force_user_account_attempt.toml rules_building_block/discovery_generic_registry_query.toml rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml rules/windows/defense_evasion_msbuild_making_network_connections.toml rules_building_block/initial_access_github_new_user_agent_for_user.toml rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml rules/integrations/okta/initial_access_sign_in_events_via_third_party_idp.toml rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml rules/integrations/aws/persistence_iam_roles_anywhere_profile_created.toml rules/integrations/aws/defense_evasion_s3_bucket_lifecycle_expiration_added.toml rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml rules/integrations/okta/credential_access_user_impersonation_access.toml rules/integrations/aws/defense_evasion_route53_dns_query_resolver_config_deletion.toml 
rules/windows/defense_evasion_process_termination_followed_by_deletion.toml rules_building_block/execution_github_repo_interaction_from_new_ip.toml rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml rules_building_block/persistence_github_new_pat_for_user.toml rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml rules/integrations/aws/lateral_movement_aws_ssm_start_session_to_ec2_instance.toml rules/integrations/github/defense_evasion_github_protected_branch_settings_changed.toml rules/integrations/github/execution_github_ueba_multiple_behavior_alerts_from_account.toml rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml rules/integrations/okta/initial_access_okta_fastpass_phishing.toml rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml rules/integrations/aws/persistence_iam_roles_anywhere_trusted_anchor_created_with_external_ca.toml rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml rules_building_block/execution_github_new_repo_interaction_for_pat.toml tests/test_all_rules.py rules_building_block/impact_github_member_removed_from_organization.toml rules/integrations/github/execution_new_github_app_installed.toml rules/integrations/aws/credential_access_retrieve_secure_string_parameters_via_ssm.toml |
15. | mika.ayenson@elastic.co | 78494512+aegrah@users.noreply.github.com |
87 shared files
rules/linux/defense_evasion_mount_execution.toml rules/network/discovery_potential_network_sweep_detected.toml detection_rules/etc/integration-manifests.json.gz rules/linux/privilege_escalation_sudo_hijacking.toml rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml rules/linux/persistence_message_of_the_day_creation.toml rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml rules/linux/command_and_control_linux_kworker_netcon.toml rules/linux/execution_netcon_from_rwx_mem_region_binary.toml rules/linux/execution_potential_hack_tool_executed.toml rules/linux/execution_remote_code_execution_via_postgresql.toml rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml rules/linux/persistence_apt_package_manager_execution.toml rules/linux/persistence_shared_object_creation.toml rules/cross-platform/execution_suspicious_java_netcon_childproc.toml rules/linux/persistence_systemd_service_creation.toml rules/linux/persistence_apt_package_manager_netcon.toml rules/linux/defense_evasion_kernel_module_removal.toml rules/linux/persistence_message_of_the_day_execution.toml rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml rules_building_block/discovery_potential_memory_seeking_activity.toml rules/linux/privilege_escalation_shadow_file_read.toml rules/linux/execution_abnormal_process_id_file_created.toml rules/linux/persistence_kworker_file_creation.toml rules/linux/credential_access_potential_linux_local_account_bruteforce.toml rules/linux/defense_evasion_log_files_deleted.toml rules/cross-platform/discovery_security_software_grep.toml rules/linux/persistence_init_d_file_creation.toml detection_rules/etc/integration-schemas.json.gz rules/linux/execution_file_execution_followed_by_deletion.toml rules/linux/defense_evasion_chattr_immutable_file.toml rules/linux/discovery_esxi_software_via_grep.toml 
rules/linux/defense_evasion_hidden_file_dir_tmp.toml rules/linux/persistence_unusual_pam_grantor.toml rules/linux/defense_evasion_clear_kernel_ring_buffer.toml rules/linux/persistence_insmod_kernel_module_load.toml rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml rules/linux/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml rules/linux/persistence_systemd_service_started.toml rules/linux/persistence_cron_job_creation.toml rules/linux/persistence_systemd_netcon.toml rules/network/discovery_potential_syn_port_scan_detected.toml rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml rules/linux/discovery_suspicious_which_command_execution.toml rules/linux/persistence_systemd_scheduled_timer_created.toml rules/linux/execution_suspicious_executable_running_system_commands.toml rules/linux/credential_access_ssh_backdoor_log.toml rules/linux/persistence_setuid_setgid_capability_set.toml rules/network/discovery_potential_port_scan_detected.toml rules/linux/defense_evasion_file_mod_writable_dir.toml rules_building_block/discovery_linux_sysctl_enumeration.toml rules/linux/persistence_shell_configuration_modification.toml rules/linux/defense_evasion_disable_apparmor_attempt.toml rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml rules/linux/persistence_kde_autostart_modification.toml rules/linux/discovery_sudo_allowed_command_enumeration.toml rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml rules/linux/impact_potential_linux_ransomware_note_detected.toml rules/linux/persistence_udev_rule_creation.toml rules/linux/persistence_rc_script_creation.toml rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml rules/cross-platform/execution_suspicious_jar_child_process.toml rules_building_block/discovery_linux_modprobe_enumeration.toml 
rules/linux/execution_network_event_post_compilation.toml rules/linux/discovery_pspy_process_monitoring_detected.toml rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml rules/cross-platform/command_and_control_non_standard_ssh_port.toml rules/linux/discovery_esxi_software_via_find.toml rules/linux/privilege_escalation_sda_disk_mount_non_root.toml rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml rules/linux/persistence_linux_user_added_to_privileged_group.toml rules/linux/persistence_etc_file_creation.toml rules/linux/discovery_kernel_module_enumeration.toml rules_building_block/discovery_kernel_module_enumeration_via_proc.toml rules/linux/discovery_unusual_user_enumeration_via_id.toml rules/linux/defense_evasion_hidden_shared_object.toml rules/linux/command_and_control_linux_chisel_client_activity.toml rules/linux/privilege_escalation_netcon_via_sudo_binary.toml rules/linux/persistence_chkconfig_service_add.toml rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml rules/linux/persistence_credential_access_modify_ssh_binaries.toml tests/test_all_rules.py rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml |
16. eric.forte@elastic.co and mikaayenson@users.noreply.github.com
56 shared files
rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml rules/integrations/okta/impact_possible_okta_dos_attack.toml rules/integrations/aws/exfiltration_s3_bucket_policy_added_for_external_account_access.toml rules/integrations/okta/okta_threatinsight_threat_suspected_promotion.toml .github/workflows/lock-versions.yml rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml rules/integrations/okta/credential_access_okta_mfa_bombing_via_push_notifications.toml rules/integrations/okta/initial_access_new_authentication_behavior_detection.toml detection_rules/etc/packages.yaml rules/integrations/aws/defense_evasion_vpc_security_group_ingress_rule_added_for_remote_connections.toml rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml rules/integrations/aws/execution_lambda_external_layer_added_to_function.toml rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml rules/integrations/okta/persistence_new_idp_successfully_added_by_admin.toml rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml rules/integrations/okta/persistence_mfa_deactivation_with_no_reactivation.toml rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml rules/linux/persistence_unusual_pam_grantor.toml rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml rules/linux/persistence_systemd_service_started.toml 
rules/integrations/okta/credential_access_okta_potentially_successful_okta_bombing_via_push_notifications.toml rules/integrations/okta/credential_access_multiple_auth_events_from_single_device_behind_proxy.toml rules/linux/persistence_cron_job_creation.toml rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml rules/integrations/aws/persistence_lambda_backdoor_invoke_function_for_any_principal.toml rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml rules/integrations/cloud_defend/privilege_escalation_mount_launched_inside_a_privileged_container.toml rules/integrations/cloud_defend/privilege_escalation_debugfs_launched_inside_a_privileged_container.toml rules/integrations/okta/initial_access_sign_in_events_via_third_party_idp.toml rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml rules/integrations/aws/persistence_iam_roles_anywhere_profile_created.toml rules/integrations/aws/defense_evasion_s3_bucket_lifecycle_expiration_added.toml rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml docs/versioning.md rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml rules/integrations/okta/credential_access_user_impersonation_access.toml rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml rules/integrations/aws/lateral_movement_aws_ssm_start_session_to_ec2_instance.toml 
rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml rules/integrations/okta/initial_access_okta_fastpass_phishing.toml rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml rules/integrations/aws/persistence_iam_roles_anywhere_trusted_anchor_created_with_external_ca.toml rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml rules/integrations/aws/credential_access_retrieve_secure_string_parameters_via_ssm.toml |
17. eric.forte@elastic.co and 99630311+terrancedejesus@users.noreply.github.com
55 shared files
rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml detection_rules/etc/integration-manifests.json.gz rules/integrations/okta/impact_possible_okta_dos_attack.toml rules/integrations/aws/exfiltration_s3_bucket_policy_added_for_external_account_access.toml rules/integrations/okta/okta_threatinsight_threat_suspected_promotion.toml .github/workflows/lock-versions.yml rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml rules/integrations/okta/credential_access_okta_mfa_bombing_via_push_notifications.toml rules/integrations/okta/initial_access_new_authentication_behavior_detection.toml rules_building_block/execution_aws_lambda_function_updated.toml rules/integrations/aws/defense_evasion_vpc_security_group_ingress_rule_added_for_remote_connections.toml rules_building_block/discovery_userdata_request_from_ec2_instance.toml rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml rules/integrations/aws/execution_lambda_external_layer_added_to_function.toml rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml rules/integrations/okta/persistence_new_idp_successfully_added_by_admin.toml rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml rules/integrations/aws/credential_access_rapid_secret_retrieval_attempts_from_secretsmanager.toml rules/integrations/aws/credential_access_new_terms_secretsmanager_getsecretvalue.toml detection_rules/etc/integration-schemas.json.gz rules/integrations/okta/persistence_mfa_deactivation_with_no_reactivation.toml rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml 
rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml rules/integrations/okta/credential_access_okta_potentially_successful_okta_bombing_via_push_notifications.toml rules/integrations/aws/privilege_escalation_ec2_instance_connect_ssh_public_key_uploaded.toml rules/integrations/okta/credential_access_multiple_auth_events_from_single_device_behind_proxy.toml rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml rules/integrations/aws/persistence_lambda_backdoor_invoke_function_for_any_principal.toml rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml rules/integrations/okta/initial_access_sign_in_events_via_third_party_idp.toml rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml rules/integrations/aws/persistence_iam_roles_anywhere_profile_created.toml rules/integrations/aws/defense_evasion_s3_bucket_lifecycle_expiration_added.toml rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml rules/integrations/okta/credential_access_user_impersonation_access.toml rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml rules/integrations/aws/lateral_movement_aws_ssm_start_session_to_ec2_instance.toml 
rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml rules/integrations/okta/initial_access_okta_fastpass_phishing.toml rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml rules/integrations/aws/persistence_iam_roles_anywhere_trusted_anchor_created_with_external_ca.toml rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml rules/integrations/aws/credential_access_retrieve_secure_string_parameters_via_ssm.toml |
18. 91139415+shashank-elastic@users.noreply.github.com and 109447885+sodhikirti07@users.noreply.github.com
48 shared files
rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml rules/integrations/aws/ml_cloudtrail_rare_error_code.toml rules/ml/credential_access_ml_suspicious_login_activity.toml rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml rules/ml/credential_access_ml_auth_spike_in_logon_events.toml rules/ml/initial_access_ml_windows_anomalous_user_name.toml rules/ml/credential_access_ml_linux_anomalous_metadata_user.toml rules/integrations/aws/ml_cloudtrail_error_message_spike.toml rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml rules/ml/discovery_ml_linux_system_network_configuration_discovery.toml rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml rules/ml/execution_ml_windows_anomalous_script.toml rules/ml/ml_packetbeat_rare_server_domain.toml rules/ml/command_and_control_ml_packetbeat_rare_urls.toml rules/ml/command_and_control_ml_packetbeat_rare_dns_question.toml rules/ml/ml_high_count_network_denies.toml rules/ml/ml_high_count_network_events.toml rules/ml/initial_access_ml_auth_rare_user_logon.toml rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml rules/ml/discovery_ml_linux_system_user_discovery.toml rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml rules/ml/ml_spike_in_traffic_to_a_country.toml rules/ml/discovery_ml_linux_system_process_discovery.toml rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml rules/ml/persistence_ml_windows_anomalous_process_creation.toml rules/ml/ml_windows_anomalous_network_activity.toml rules/ml/discovery_ml_linux_system_network_connection_discovery.toml 
rules/ml/persistence_ml_linux_anomalous_process_all_hosts.toml rules/ml/initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml rules/ml/credential_access_ml_linux_anomalous_metadata_process.toml rules/ml/persistence_ml_rare_process_by_host_linux.toml rules/ml/discovery_ml_linux_system_information_discovery.toml rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml rules/ml/ml_linux_anomalous_network_port_activity.toml rules/ml/ml_rare_destination_country.toml rules/ml/credential_access_ml_auth_spike_in_failed_logon_events.toml rules/ml/ml_linux_anomalous_network_activity.toml rules/ml/persistence_ml_windows_anomalous_path_activity.toml rules/ml/initial_access_ml_linux_anomalous_user_name.toml rules/ml/persistence_ml_windows_anomalous_service.toml rules/ml/command_and_control_ml_packetbeat_rare_user_agent.toml rules/ml/persistence_ml_rare_process_by_host_windows.toml |
19. mika.ayenson@elastic.co and 109447885+sodhikirti07@users.noreply.github.com
48 shared files
rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml rules/integrations/aws/ml_cloudtrail_rare_error_code.toml rules/ml/credential_access_ml_suspicious_login_activity.toml rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml rules/ml/credential_access_ml_auth_spike_in_logon_events.toml rules/ml/initial_access_ml_windows_anomalous_user_name.toml rules/ml/credential_access_ml_linux_anomalous_metadata_user.toml rules/integrations/aws/ml_cloudtrail_error_message_spike.toml rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml rules/ml/discovery_ml_linux_system_network_configuration_discovery.toml rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml rules/ml/execution_ml_windows_anomalous_script.toml rules/ml/ml_packetbeat_rare_server_domain.toml rules/ml/command_and_control_ml_packetbeat_rare_urls.toml rules/ml/command_and_control_ml_packetbeat_rare_dns_question.toml rules/ml/ml_high_count_network_denies.toml rules/ml/ml_high_count_network_events.toml rules/ml/initial_access_ml_auth_rare_user_logon.toml rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml rules/ml/discovery_ml_linux_system_user_discovery.toml rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml rules/ml/ml_spike_in_traffic_to_a_country.toml rules/ml/discovery_ml_linux_system_process_discovery.toml rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml rules/ml/persistence_ml_windows_anomalous_process_creation.toml rules/ml/ml_windows_anomalous_network_activity.toml rules/ml/discovery_ml_linux_system_network_connection_discovery.toml 
rules/ml/persistence_ml_linux_anomalous_process_all_hosts.toml rules/ml/initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml rules/ml/credential_access_ml_linux_anomalous_metadata_process.toml rules/ml/persistence_ml_rare_process_by_host_linux.toml rules/ml/discovery_ml_linux_system_information_discovery.toml rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml rules/ml/ml_linux_anomalous_network_port_activity.toml rules/ml/ml_rare_destination_country.toml rules/ml/credential_access_ml_auth_spike_in_failed_logon_events.toml rules/ml/ml_linux_anomalous_network_activity.toml rules/ml/persistence_ml_windows_anomalous_path_activity.toml rules/ml/initial_access_ml_linux_anomalous_user_name.toml rules/ml/persistence_ml_windows_anomalous_service.toml rules/ml/command_and_control_ml_packetbeat_rare_user_agent.toml rules/ml/persistence_ml_rare_process_by_host_windows.toml |
20. 16747370+brokensound77@users.noreply.github.com and 99630311+terrancedejesus@users.noreply.github.com
47 shared files
hunting/windows/queries/scheduled_task_creation_by_action_via_registry.toml hunting/windows/docs/network_discovery_via_sensitive_ports_by_unusual_process.md hunting/windows/queries/detect_masquerading_attempts_as_native_windows_binaries.toml hunting/windows/docs/scheduled_task_creation_by_action_via_registry.md hunting/README.md hunting/windows/queries/execution_via_startup_with_low_occurrence_frequency.toml hunting/windows/queries/execution_via_remote_services_by_client_address.toml hunting/windows/docs/persistence_via_suspicious_launch_agent_or_launch_daemon_with_low_occurrence.md hunting/windows/queries/excessive_smb_network_activity_by_process_id.toml hunting/windows/docs/detect_masquerading_attempts_as_native_windows_binaries.md hunting/windows/queries/persistence_via_startup_with_low_occurrence_frequency.toml hunting/windows/queries/execution_via_network_logon_by_occurrence_frequency_by_top_source_ip.toml tests/test_hunt_data.py hunting/macos/docs/suspicious_network_connections_by_unsigned_macho.md hunting/windows/docs/rundll32_execution_aggregated_by_cmdline.md hunting/windows/queries/microsoft_office_child_processes_with_low_occurrence_frequency.toml hunting/windows/queries/potential_exfiltration_by_process_total_egress_bytes.toml hunting/windows/docs/execution_via_windows_scheduled_task_with_low_occurrence_frequency.md hunting/index.md hunting/windows/docs/pe_file_transfer_via_smb_admin_shares_by_agent.md .github/CODEOWNERS hunting/windows/queries/execution_via_windows_scheduled_task_with_low_occurrence_frequency.toml hunting/windows/queries/pe_file_transfer_via_smb_admin_shares_by_agent.toml hunting/windows/docs/createremotethread_by_source_process_with_low_occurrence.md hunting/windows/queries/rundll32_execution_aggregated_by_cmdline.toml hunting/generate_markdown.py hunting/windows/docs/execution_via_startup_with_low_occurrence_frequency.md hunting/windows/queries/persistence_via_suspicious_launch_agent_or_launch_daemon_with_low_occurrence.toml 
hunting/windows/docs/execution_via_remote_services_by_client_address.md hunting/windows/docs/excessive_smb_network_activity_by_process_id.md hunting/windows/queries/network_discovery_via_sensitive_ports_by_unusual_process.toml tests/test_specific_rules.py hunting/windows/queries/suspicious_base64_encoded_powershell_commands.toml hunting/windows/docs/windows_logon_activity_by_source_ip.md hunting/windows/docs/suspicious_base64_encoded_powershell_commands.md hunting/windows/docs/potential_exfiltration_by_process_total_egress_bytes.md hunting/windows/queries/createremotethread_by_source_process_with_low_occurrence.toml hunting/windows/docs/windows_command_and_scripting_interpreter_from_unusual_parent.md hunting/windows/docs/persistence_via_startup_with_low_occurrence_frequency.md hunting/windows/queries/suspicious_dns_txt_record_lookups_by_process.toml hunting/windows/queries/windows_command_and_scripting_interpreter_from_unusual_parent.toml hunting/windows/docs/execution_via_network_logon_by_occurrence_frequency_by_top_source_ip.md hunting/windows/docs/microsoft_office_child_processes_with_low_occurrence_frequency.md hunting/macos/queries/suspicious_network_connections_by_unsigned_macho.toml Makefile hunting/windows/queries/windows_logon_activity_by_source_ip.toml hunting/windows/docs/suspicious_dns_txt_record_lookups_by_process.md |
21. 64742097+samirbous@users.noreply.github.com and mikaayenson@users.noreply.github.com
45 shared files
rules/windows/credential_access_imageload_azureadconnectauthsvc.toml rules/windows/execution_initial_access_wps_dll_exploit.toml rules/windows/privilege_escalation_gpo_schtask_service_creation.toml rules/windows/execution_windows_cmd_shell_susp_args.toml rules/windows/defense_evasion_script_via_html_app.toml rules/network/discovery_potential_network_sweep_detected.toml rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml rules/windows/execution_windows_powershell_susp_args.toml rules/network/command_and_control_port_26_activity.toml rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml rules/windows/initial_access_rdp_file_mail_attachment.toml rules/windows/persistence_sysmon_wmi_event_subscription.toml rules/windows/privilege_escalation_msi_repair_via_mshelp_link.toml rules/windows/execution_via_mmc_console_file_unusual_path.toml rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml rules/windows/execution_powershell_susp_args_via_winscript.toml rules/linux/credential_access_unusual_instance_metadata_service_api_request.toml rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml rules/network/command_and_control_fin7_c2_behavior.toml rules/windows/defense_evasion_msiexec_child_proc_netcon.toml rules/network/command_and_control_accepted_default_telnet_port_connection.toml rules/windows/defense_evasion_posh_obfuscation.toml rules/macos/credential_access_suspicious_web_browser_sensitive_file_access.toml pyproject.toml rules/network/command_and_control_download_rar_powershell_from_internet.toml rules/integrations/azure/credential_access_first_time_seen_device_code_auth.toml rules/windows/execution_initial_access_via_msc_file.toml 
rules/integrations/o365/initial_access_microsoft_365_abnormal_clientappid.toml rules/network/discovery_potential_syn_port_scan_detected.toml rules/windows/command_and_control_common_webservices.toml rules/windows/defense_evasion_lolbas_win_cdb_utility.toml rules/windows/credential_access_suspicious_lsass_access_generic.toml rules/windows/execution_initial_access_foxmail_exploit.toml rules/windows/lateral_movement_remote_file_copy_hidden_share.toml rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml rules/network/discovery_potential_port_scan_detected.toml rules/network/command_and_control_nat_traversal_port_activity.toml rules/windows/defense_evasion_microsoft_defender_tampering.toml rules/windows/persistence_msi_installer_task_startup.toml rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml rules/windows/command_and_control_tunnel_vscode.toml rules/cross-platform/defense_evasion_encoding_rot13_python_script.toml |
22. 64742097+samirbous@users.noreply.github.com and 26856693+w0rk3r@users.noreply.github.com
44 shared files
rules/windows/credential_access_imageload_azureadconnectauthsvc.toml rules/windows/execution_initial_access_wps_dll_exploit.toml rules/windows/privilege_escalation_gpo_schtask_service_creation.toml rules/windows/execution_windows_cmd_shell_susp_args.toml rules/windows/defense_evasion_script_via_html_app.toml rules/network/discovery_potential_network_sweep_detected.toml detection_rules/etc/integration-manifests.json.gz rules/windows/execution_windows_powershell_susp_args.toml rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml rules/windows/initial_access_rdp_file_mail_attachment.toml rules/windows/persistence_sysmon_wmi_event_subscription.toml detection_rules/schemas/definitions.py rules/windows/privilege_escalation_msi_repair_via_mshelp_link.toml rules/windows/impact_high_freq_file_renames_by_kernel.toml rules/windows/execution_via_mmc_console_file_unusual_path.toml rules/windows/execution_powershell_susp_args_via_winscript.toml rules/linux/credential_access_unusual_instance_metadata_service_api_request.toml rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml rules/windows/impact_ransomware_file_rename_smb.toml rules/windows/defense_evasion_audit_policy_disabled_winlog.toml rules/windows/impact_ransomware_note_file_over_smb.toml rules/windows/defense_evasion_msiexec_child_proc_netcon.toml rules/network/command_and_control_accepted_default_telnet_port_connection.toml rules/windows/defense_evasion_posh_obfuscation.toml pyproject.toml detection_rules/etc/integration-schemas.json.gz rules/windows/command_and_control_tool_transfer_via_curl.toml rules/windows/defense_evasion_posh_assembly_load.toml rules/windows/execution_initial_access_via_msc_file.toml rules/windows/defense_evasion_via_filter_manager.toml rules/network/discovery_potential_syn_port_scan_detected.toml rules/windows/defense_evasion_lolbas_win_cdb_utility.toml rules/windows/credential_access_suspicious_lsass_access_generic.toml 
rules/windows/credential_access_regback_sam_security_hives.toml rules/windows/execution_initial_access_foxmail_exploit.toml rules/windows/lateral_movement_remote_file_copy_hidden_share.toml rules/network/discovery_potential_port_scan_detected.toml rules/windows/defense_evasion_microsoft_defender_tampering.toml rules/windows/command_and_control_headless_browser.toml rules/windows/command_and_control_tunnel_vscode.toml rules/windows/defense_evasion_network_connection_from_windows_binary.toml rules/windows/defense_evasion_indirect_exec_forfiles.toml rules/windows/privilege_escalation_persistence_phantom_dll.toml rules/windows/execution_windows_script_from_internet.toml |
23. 91139415+shashank-elastic@users.noreply.github.com and 64742097+samirbous@users.noreply.github.com
44 shared files
rules/windows/privilege_escalation_gpo_schtask_service_creation.toml rules/windows/defense_evasion_script_via_html_app.toml rules/network/discovery_potential_network_sweep_detected.toml rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml detection_rules/etc/integration-manifests.json.gz rules/network/command_and_control_port_26_activity.toml rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml rules/windows/persistence_sysmon_wmi_event_subscription.toml detection_rules/schemas/definitions.py rules/windows/privilege_escalation_msi_repair_via_mshelp_link.toml rules/windows/impact_high_freq_file_renames_by_kernel.toml rules/windows/execution_via_mmc_console_file_unusual_path.toml rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml rules/windows/impact_ransomware_file_rename_smb.toml rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml rules/windows/impact_ransomware_note_file_over_smb.toml rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml rules/network/command_and_control_fin7_c2_behavior.toml rules/network/command_and_control_accepted_default_telnet_port_connection.toml rules/windows/defense_evasion_posh_obfuscation.toml rules/macos/credential_access_suspicious_web_browser_sensitive_file_access.toml pyproject.toml rules/network/command_and_control_download_rar_powershell_from_internet.toml detection_rules/etc/integration-schemas.json.gz rules/windows/defense_evasion_posh_assembly_load.toml rules/windows/execution_initial_access_via_msc_file.toml rules/integrations/o365/initial_access_microsoft_365_abnormal_clientappid.toml rules/windows/defense_evasion_via_filter_manager.toml rules/network/discovery_potential_syn_port_scan_detected.toml 
rules/windows/command_and_control_common_webservices.toml rules/windows/credential_access_suspicious_lsass_access_generic.toml rules/windows/lateral_movement_remote_file_copy_hidden_share.toml rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml rules/network/discovery_potential_port_scan_detected.toml rules/network/command_and_control_nat_traversal_port_activity.toml rules/windows/defense_evasion_microsoft_defender_tampering.toml rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml rules/windows/command_and_control_headless_browser.toml rules/windows/command_and_control_tunnel_vscode.toml rules/windows/defense_evasion_network_connection_from_windows_binary.toml rules/windows/privilege_escalation_persistence_phantom_dll.toml rules/windows/defense_evasion_amsi_bypass_powershell.toml |
24. 109447885+sodhikirti07@users.noreply.github.com and mikaayenson@users.noreply.github.com
37 shared files
rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_low_probability.toml rules/ml/credential_access_ml_suspicious_login_activity.toml rules/ml/credential_access_ml_auth_spike_in_logon_events.toml rules/ml/initial_access_ml_windows_anomalous_user_name.toml rules/ml/credential_access_ml_linux_anomalous_metadata_user.toml rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml rules/ml/discovery_ml_linux_system_network_configuration_discovery.toml rules/ml/execution_ml_windows_anomalous_script.toml rules/ml/ml_packetbeat_rare_server_domain.toml rules/ml/command_and_control_ml_packetbeat_rare_urls.toml rules/ml/command_and_control_ml_packetbeat_rare_dns_question.toml rules/ml/ml_high_count_network_denies.toml rules/ml/ml_high_count_network_events.toml rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml rules/ml/discovery_ml_linux_system_user_discovery.toml rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml rules/ml/ml_spike_in_traffic_to_a_country.toml rules/ml/discovery_ml_linux_system_process_discovery.toml rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml rules/ml/ml_windows_anomalous_network_activity.toml rules/ml/discovery_ml_linux_system_network_connection_discovery.toml rules/ml/credential_access_ml_linux_anomalous_metadata_process.toml rules/ml/persistence_ml_rare_process_by_host_linux.toml rules/ml/discovery_ml_linux_system_information_discovery.toml rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml rules/ml/ml_linux_anomalous_network_port_activity.toml rules/ml/ml_rare_destination_country.toml 
rules/ml/ml_linux_anomalous_network_activity.toml rules/ml/persistence_ml_windows_anomalous_path_activity.toml rules/ml/initial_access_ml_linux_anomalous_user_name.toml rules/ml/persistence_ml_windows_anomalous_service.toml rules/ml/command_and_control_ml_packetbeat_rare_user_agent.toml |
25. mika.ayenson@elastic.co and 64742097+samirbous@users.noreply.github.com
35 shared files
rules/windows/privilege_escalation_gpo_schtask_service_creation.toml rules/network/discovery_potential_network_sweep_detected.toml rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml detection_rules/etc/integration-manifests.json.gz rules/network/command_and_control_port_26_activity.toml rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml rules/windows/persistence_sysmon_wmi_event_subscription.toml rules/windows/impact_high_freq_file_renames_by_kernel.toml rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml rules/windows/impact_ransomware_file_rename_smb.toml rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml rules/windows/impact_ransomware_note_file_over_smb.toml rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml rules/network/command_and_control_fin7_c2_behavior.toml rules/network/command_and_control_accepted_default_telnet_port_connection.toml rules/network/command_and_control_download_rar_powershell_from_internet.toml detection_rules/etc/integration-schemas.json.gz rules/windows/execution_initial_access_via_msc_file.toml rules/integrations/o365/initial_access_microsoft_365_abnormal_clientappid.toml rules/windows/defense_evasion_via_filter_manager.toml rules/network/discovery_potential_syn_port_scan_detected.toml rules/windows/command_and_control_common_webservices.toml rules/windows/credential_access_suspicious_lsass_access_generic.toml rules/windows/lateral_movement_remote_file_copy_hidden_share.toml rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml rules/network/discovery_potential_port_scan_detected.toml rules/network/command_and_control_nat_traversal_port_activity.toml rules/windows/defense_evasion_microsoft_defender_tampering.toml 
rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml rules/windows/command_and_control_headless_browser.toml rules/windows/defense_evasion_network_connection_from_windows_binary.toml rules/windows/privilege_escalation_persistence_phantom_dll.toml rules/windows/defense_evasion_amsi_bypass_powershell.toml |
26. | 10844131+jmcarlock@users.noreply.github.com | mika.ayenson@elastic.co |
32 shared files
rules/integrations/beaconing/command_and_control_beaconing.toml rules/integrations/lmd/lateral_movement_ml_spike_in_rdp_processes.toml rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml rules/integrations/lmd/lateral_movement_ml_high_remote_file_size.toml rules/integrations/ded/exfiltration_ml_high_bytes_destination_port.toml rules/integrations/ded/exfiltration_ml_high_bytes_destination_geo_country_iso_code.toml rules/integrations/ded/exfiltration_ml_high_bytes_destination_region_name.toml rules/integrations/lmd/lateral_movement_ml_spike_in_connections_from_a_source_ip.toml rules/integrations/lmd/lateral_movement_ml_high_variance_rdp_session_duration.toml rules/integrations/dga/command_and_control_ml_dga_activity_using_sunburst_domain.toml rules/integrations/lmd/lateral_movement_ml_spike_in_connections_to_a_destination_ip.toml rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_session_duration.toml rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event.toml rules/integrations/dga/command_and_control_ml_dns_request_predicted_to_be_a_dga_domain.toml rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device_airdrop.toml rules/integrations/dga/command_and_control_ml_dga_high_sum_probability.toml rules/integrations/lmd/lateral_movement_ml_rare_remote_file_directory.toml rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml rules/integrations/ded/exfiltration_ml_rare_process_writing_to_external_device.toml rules/integrations/lmd/lateral_movement_ml_spike_in_remote_file_transfers.toml 
rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device.toml rules/integrations/ded/exfiltration_ml_high_bytes_destination_ip.toml rules/integrations/lmd/lateral_movement_ml_unusual_time_for_an_rdp_session.toml rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml rules/integrations/beaconing/command_and_control_beaconing_high_confidence.toml rules/integrations/lmd/lateral_movement_ml_rare_remote_file_extension.toml rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_process_args.toml rules/integrations/dga/command_and_control_ml_dns_request_high_dga_probability.toml |
27. | 10844131+jmcarlock@users.noreply.github.com | 91139415+shashank-elastic@users.noreply.github.com |
32 shared files
rules/integrations/beaconing/command_and_control_beaconing.toml rules/integrations/lmd/lateral_movement_ml_spike_in_rdp_processes.toml rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml rules/integrations/lmd/lateral_movement_ml_high_remote_file_size.toml rules/integrations/ded/exfiltration_ml_high_bytes_destination_port.toml rules/integrations/ded/exfiltration_ml_high_bytes_destination_geo_country_iso_code.toml rules/integrations/ded/exfiltration_ml_high_bytes_destination_region_name.toml rules/integrations/lmd/lateral_movement_ml_spike_in_connections_from_a_source_ip.toml rules/integrations/lmd/lateral_movement_ml_high_variance_rdp_session_duration.toml rules/integrations/dga/command_and_control_ml_dga_activity_using_sunburst_domain.toml rules/integrations/lmd/lateral_movement_ml_spike_in_connections_to_a_destination_ip.toml rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_session_duration.toml rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event.toml rules/integrations/dga/command_and_control_ml_dns_request_predicted_to_be_a_dga_domain.toml rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device_airdrop.toml rules/integrations/dga/command_and_control_ml_dga_high_sum_probability.toml rules/integrations/lmd/lateral_movement_ml_rare_remote_file_directory.toml rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml rules/integrations/ded/exfiltration_ml_rare_process_writing_to_external_device.toml rules/integrations/lmd/lateral_movement_ml_spike_in_remote_file_transfers.toml 
rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device.toml rules/integrations/ded/exfiltration_ml_high_bytes_destination_ip.toml rules/integrations/lmd/lateral_movement_ml_unusual_time_for_an_rdp_session.toml rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml rules/integrations/beaconing/command_and_control_beaconing_high_confidence.toml rules/integrations/lmd/lateral_movement_ml_rare_remote_file_extension.toml rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_process_args.toml rules/integrations/dga/command_and_control_ml_dns_request_high_dga_probability.toml |
28. | 10844131+jmcarlock@users.noreply.github.com | mikaayenson@users.noreply.github.com |
31 shared files
rules/integrations/beaconing/command_and_control_beaconing.toml rules/integrations/lmd/lateral_movement_ml_spike_in_rdp_processes.toml rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml rules/integrations/lmd/lateral_movement_ml_high_remote_file_size.toml rules/integrations/ded/exfiltration_ml_high_bytes_destination_port.toml rules/integrations/ded/exfiltration_ml_high_bytes_destination_geo_country_iso_code.toml rules/integrations/ded/exfiltration_ml_high_bytes_destination_region_name.toml rules/integrations/lmd/lateral_movement_ml_spike_in_connections_from_a_source_ip.toml rules/integrations/lmd/lateral_movement_ml_high_variance_rdp_session_duration.toml rules/integrations/dga/command_and_control_ml_dga_activity_using_sunburst_domain.toml rules/integrations/lmd/lateral_movement_ml_spike_in_connections_to_a_destination_ip.toml rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_session_duration.toml rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml rules/integrations/dga/command_and_control_ml_dns_request_predicted_to_be_a_dga_domain.toml rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device_airdrop.toml rules/integrations/dga/command_and_control_ml_dga_high_sum_probability.toml rules/integrations/lmd/lateral_movement_ml_rare_remote_file_directory.toml rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml rules/integrations/ded/exfiltration_ml_rare_process_writing_to_external_device.toml rules/integrations/lmd/lateral_movement_ml_spike_in_remote_file_transfers.toml rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device.toml 
rules/integrations/ded/exfiltration_ml_high_bytes_destination_ip.toml rules/integrations/lmd/lateral_movement_ml_unusual_time_for_an_rdp_session.toml rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml rules/integrations/beaconing/command_and_control_beaconing_high_confidence.toml rules/integrations/lmd/lateral_movement_ml_rare_remote_file_extension.toml rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_process_args.toml rules/integrations/dga/command_and_control_ml_dns_request_high_dga_probability.toml |
29. | 99630311+terrancedejesus@users.noreply.github.com | 78494512+aegrah@users.noreply.github.com |
31 shared files
hunting/linux/queries/persistence_via_git_hook_pager.toml hunting/linux/queries/persistence_via_shell_modification_persistence.toml hunting/aws/docs/signin_single_factor_console_login_via_federated_session.md detection_rules/etc/integration-manifests.json.gz hunting/aws/docs/iam_assume_role_creation_with_attached_policy.md hunting/linux/queries/persistence_via_package_manager.toml hunting/linux/queries/login_activity_by_source_address.toml hunting/linux/queries/persistence_via_ssh_configurations_and_keys.toml hunting/linux/queries/persistence_via_driver_load_with_low_occurrence_frequency.toml hunting/aws/docs/ssm_sendcommand_api_used_by_ec2_instance.md hunting/linux/docs/login_activity_by_source_address.md hunting/aws/docs/iam_customer_managed_policies_attached_to_existing_roles.md pyproject.toml detection_rules/etc/integration-schemas.json.gz hunting/linux/docs/persistence_via_driver_load_with_low_occurrence_frequency.md hunting/index.yml hunting/index.md hunting/linux/docs/persistence_via_shell_modification_persistence.md hunting/linux/docs/persistence_via_udev.md hunting/linux/docs/persistence_via_xdg_autostart_modifications.md hunting/aws/docs/lambda_add_permissions_for_write_actions_to_function.md hunting/linux/docs/persistence_via_package_manager.md hunting/linux/queries/persistence_via_xdg_autostart_modifications.toml hunting/aws/docs/sts_suspicious_federated_temporary_credential_request.md hunting/linux/docs/persistence_via_git_hook_pager.md hunting/linux/docs/persistence_via_sysv_init.md hunting/linux/queries/persistence_via_udev.toml hunting/linux/docs/persistence_via_ssh_configurations_and_keys.md .github/workflows/version-code-and-release.yml hunting/okta/docs/defense_evasion_failed_oauth_access_token_retrieval_via_public_client_app.md tests/test_all_rules.py |
30. | 119343520+eric-forte-elastic@users.noreply.github.com | mikaayenson@users.noreply.github.com |
20 shared files
detection_rules/main.py lib/kibana/kibana/__init__.py README.md CLI.md detection_rules/rule_formatter.py detection_rules/devtools.py pyproject.toml tests/test_mappings.py detection_rules/packaging.py detection_rules/misc.py lib/kibana/kibana/connector.py detection_rules/mappings.py detection_rules/eswrap.py detection_rules/rule.py tests/test_packages.py detection_rules/etc/test_cli.bash detection_rules/integrations.py detection_rules/cli_utils.py lib/kibana/pyproject.toml tests/test_all_rules.py |
31. | 59296946+imays11@users.noreply.github.com | mikaayenson@users.noreply.github.com |
16 shared files
rules/integrations/aws/persistence_rds_db_instance_password_modified.toml rules/integrations/aws/impact_rds_instance_cluster_deletion_protection_disabled.toml rules/integrations/aws/impact_s3_object_encryption_with_external_key.toml rules/integrations/aws/defense_evasion_s3_bucket_server_access_logging_disabled.toml rules/integrations/aws/lateral_movement_ec2_instance_console_login.toml rules/integrations/aws/defense_evasion_rds_instance_restored.toml rules/integrations/aws/discovery_new_terms_sts_getcalleridentity.toml rules/integrations/aws/persistence_rds_instance_made_public.toml rules/integrations/aws/credential_access_iam_compromisedkeyquarantine_policy_attached_to_user.toml rules/integrations/aws/exfiltration_rds_snapshot_shared_with_another_account.toml rules/integrations/aws/impact_s3_object_versioning_disabled.toml rules/integrations/aws/impact_rds_snapshot_deleted.toml rules/integrations/aws/execution_new_terms_cloudformation_createstack.toml rules/integrations/aws/persistence_sts_assume_role_with_new_mfa.toml rules/integrations/aws/exfiltration_s3_bucket_replicated_to_external_account.toml rules/integrations/aws/privilege_escalation_sts_role_chaining.toml |
32. | mika.ayenson@elastic.co | 119343520+eric-forte-elastic@users.noreply.github.com |
16 shared files
detection_rules/main.py detection_rules/endgame.py detection_rules/__main__.py detection_rules/devtools.py detection_rules/packaging.py detection_rules/version_lock.py detection_rules/ecs.py detection_rules/rule_loader.py detection_rules/misc.py detection_rules/mappings.py detection_rules/ml.py detection_rules/utils.py detection_rules/attack.py detection_rules/integrations.py detection_rules/schemas/__init__.py tests/test_all_rules.py |
33. | 119343520+eric-forte-elastic@users.noreply.github.com | 91139415+shashank-elastic@users.noreply.github.com |
15 shared files
detection_rules/schemas/definitions.py .github/workflows/kibana-mitre-update.yml detection_rules/rule_formatter.py detection_rules/devtools.py pyproject.toml detection_rules/packaging.py detection_rules/ecs.py detection_rules/rule.py tests/test_transform_fields.py detection_rules/ml.py detection_rules/rule_validators.py detection_rules/etc/test_cli.bash detection_rules/beats.py detection_rules/schemas/__init__.py tests/test_all_rules.py |
34. | 16747370+brokensound77@users.noreply.github.com | mikaayenson@users.noreply.github.com |
15 shared files
rules/linux/execution_shell_via_tcp_cli_utility_linux.toml CLI.md rules/linux/persistence_kworker_file_creation.toml rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml rules/macos/credential_access_suspicious_web_browser_sensitive_file_access.toml rules/linux/persistence_suspicious_file_opened_through_editor.toml .github/CODEOWNERS detection_rules/misc.py lib/kibana/kibana/connector.py rules/macos/credential_access_promt_for_pwd_via_osascript.toml rules/linux/execution_shell_via_child_tcp_utility_linux.toml rules/linux/privilege_escalation_potential_bufferoverflow_attack.toml rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml Makefile lib/kibana/pyproject.toml |
35. | 119343520+eric-forte-elastic@users.noreply.github.com | traut@users.noreply.github.com |
14 shared files
detection_rules/main.py README.md CLI.md detection_rules/custom_rules.py detection_rules/devtools.py pyproject.toml detection_rules/rule_loader.py detection_rules/eswrap.py detection_rules/integrations.py detection_rules/__init__.py detection_rules/schemas/__init__.py docs-dev/experimental-machine-learning/experimental-detections.md detection_rules/cli_utils.py tests/test_all_rules.py |
36. | mikaayenson@users.noreply.github.com | traut@users.noreply.github.com |
11 shared files
detection_rules/main.py README.md CLI.md detection_rules/devtools.py pyproject.toml .github/CODEOWNERS detection_rules/eswrap.py detection_rules/integrations.py .github/workflows/version-code-and-release.yml detection_rules/cli_utils.py tests/test_all_rules.py |
37. | 26856693+w0rk3r@users.noreply.github.com | 99630311+terrancedejesus@users.noreply.github.com |
11 shared files
detection_rules/etc/integration-manifests.json.gz detection_rules/schemas/definitions.py rules/linux/credential_access_unusual_instance_metadata_service_api_request.toml rules/windows/lateral_movement_direct_outbound_smb_connection.toml rules/windows/persistence_startup_folder_scripts.toml rules/windows/credential_access_dcsync_user_backdoor.toml detection_rules/devtools.py pyproject.toml detection_rules/etc/integration-schemas.json.gz rules/windows/defense_evasion_msbuild_making_network_connections.toml tests/test_all_rules.py |
38. | 16747370+brokensound77@users.noreply.github.com | 91139415+shashank-elastic@users.noreply.github.com |
11 shared files
rules/linux/execution_shell_via_tcp_cli_utility_linux.toml rules/linux/persistence_message_of_the_day_execution.toml rules/linux/persistence_kworker_file_creation.toml rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml rules/macos/credential_access_suspicious_web_browser_sensitive_file_access.toml rules/linux/persistence_suspicious_file_opened_through_editor.toml rules/macos/credential_access_promt_for_pwd_via_osascript.toml rules/linux/execution_shell_via_child_tcp_utility_linux.toml rules/linux/privilege_escalation_potential_bufferoverflow_attack.toml rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml Makefile |
39. | 59296946+imays11@users.noreply.github.com | 91139415+shashank-elastic@users.noreply.github.com |
10 shared files
rules/integrations/aws/impact_s3_object_encryption_with_external_key.toml rules/integrations/aws/discovery_new_terms_sts_getcalleridentity.toml rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml rules/integrations/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_role.toml rules/integrations/aws/impact_s3_object_versioning_disabled.toml rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_group.toml rules/integrations/aws/execution_new_terms_cloudformation_createstack.toml rules/integrations/aws/impact_iam_deactivate_mfa_device.toml rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml |
40. | 16747370+brokensound77@users.noreply.github.com | mika.ayenson@elastic.co |
9 shared files
rules/linux/execution_shell_via_tcp_cli_utility_linux.toml rules/linux/persistence_message_of_the_day_execution.toml rules/linux/persistence_kworker_file_creation.toml rules/linux/persistence_suspicious_file_opened_through_editor.toml detection_rules/misc.py rules/macos/credential_access_promt_for_pwd_via_osascript.toml rules/linux/execution_shell_via_child_tcp_utility_linux.toml rules/linux/privilege_escalation_potential_bufferoverflow_attack.toml rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml |
41. | traut@users.noreply.github.com | 99630311+terrancedejesus@users.noreply.github.com |
8 shared files
.github/paths-labeller.yml README.md detection_rules/devtools.py pyproject.toml .github/CODEOWNERS .github/workflows/attack-coverage-update.yml .github/workflows/version-code-and-release.yml tests/test_all_rules.py |
42. | 59296946+imays11@users.noreply.github.com | 99630311+terrancedejesus@users.noreply.github.com |
8 shared files
rules/integrations/aws/impact_s3_object_encryption_with_external_key.toml rules/integrations/aws/discovery_new_terms_sts_getcalleridentity.toml rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_role.toml rules/integrations/aws/impact_aws_s3_bucket_enumeration_or_brute_force.toml rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_group.toml detection_rules/etc/non-ecs-schema.json rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml |
43. | 99630311+terrancedejesus@users.noreply.github.com | 119343520+eric-forte-elastic@users.noreply.github.com |
8 shared files
detection_rules/schemas/definitions.py README.md .github/workflows/kibana-mitre-update.yml detection_rules/devtools.py pyproject.toml detection_rules/rule.py tests/test_specific_rules.py tests/test_all_rules.py |
44. | 16747370+brokensound77@users.noreply.github.com | 26856693+w0rk3r@users.noreply.github.com |
8 shared files
rules/linux/execution_shell_via_tcp_cli_utility_linux.toml rules/linux/persistence_message_of_the_day_execution.toml rules/linux/persistence_kworker_file_creation.toml rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml rules/linux/persistence_suspicious_file_opened_through_editor.toml rules/macos/credential_access_promt_for_pwd_via_osascript.toml rules/linux/execution_shell_via_child_tcp_utility_linux.toml rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml |
45. | 64742097+samirbous@users.noreply.github.com | 78494512+aegrah@users.noreply.github.com |
7 shared files
rules/network/discovery_potential_network_sweep_detected.toml detection_rules/etc/integration-manifests.json.gz rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml pyproject.toml detection_rules/etc/integration-schemas.json.gz rules/network/discovery_potential_syn_port_scan_detected.toml rules/network/discovery_potential_port_scan_detected.toml |
46. | 64742097+samirbous@users.noreply.github.com | 99630311+terrancedejesus@users.noreply.github.com |
7 shared files
detection_rules/etc/integration-manifests.json.gz detection_rules/schemas/definitions.py rules/linux/credential_access_unusual_instance_metadata_service_api_request.toml pyproject.toml detection_rules/etc/integration-schemas.json.gz rules/integrations/azure/credential_access_first_time_seen_device_code_auth.toml detection_rules/etc/non-ecs-schema.json |
47. | mika.ayenson@elastic.co | traut@users.noreply.github.com |
6 shared files
detection_rules/main.py detection_rules/devtools.py detection_rules/rule_loader.py detection_rules/integrations.py detection_rules/schemas/__init__.py tests/test_all_rules.py |
48. | eric.forte@elastic.co | 78494512+aegrah@users.noreply.github.com |
6 shared files
detection_rules/etc/integration-manifests.json.gz detection_rules/etc/integration-schemas.json.gz rules/linux/persistence_unusual_pam_grantor.toml rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml rules/linux/persistence_systemd_service_started.toml rules/linux/persistence_cron_job_creation.toml |
49. | 91139415+shashank-elastic@users.noreply.github.com | traut@users.noreply.github.com |
6 shared files
detection_rules/docs.py detection_rules/devtools.py pyproject.toml .github/workflows/attack-coverage-update.yml detection_rules/schemas/__init__.py tests/test_all_rules.py |
50. | 91139415+shashank-elastic@users.noreply.github.com | thijsxhaflaire31@hotmail.com |
5 shared files
detection_rules/etc/integration-manifests.json.gz detection_rules/schemas/definitions.py detection_rules/etc/integration-schemas.json.gz rules/macos/privilege_escalation_user_added_to_admin_group.toml rules/macos/credential_access_high_volume_of_pbpaste.toml |
51. | 26856693+w0rk3r@users.noreply.github.com | 119343520+eric-forte-elastic@users.noreply.github.com |
5 shared files
detection_rules/schemas/definitions.py detection_rules/devtools.py pyproject.toml detection_rules/integrations.py tests/test_all_rules.py |
52. | 119343520+eric-forte-elastic@users.noreply.github.com | 16747370+brokensound77@users.noreply.github.com |
5 shared files
CLI.md detection_rules/misc.py lib/kibana/kibana/connector.py tests/test_specific_rules.py lib/kibana/pyproject.toml |
53. | 65730960+jvalente-salemstate@users.noreply.github.com | mika.ayenson@elastic.co |
4 shared files
rules/integrations/beaconing/command_and_control_beaconing.toml rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml rules/integrations/azure/defense_evasion_azure_blob_permissions_modified.toml rules/integrations/o365/credential_access_microsoft_365_brute_force_user_account_attempt.toml |
54. | 65730960+jvalente-salemstate@users.noreply.github.com | 91139415+shashank-elastic@users.noreply.github.com |
4 shared files
rules/integrations/beaconing/command_and_control_beaconing.toml rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml rules/integrations/azure/defense_evasion_azure_blob_permissions_modified.toml rules/integrations/o365/credential_access_microsoft_365_brute_force_user_account_attempt.toml |
55. | 65730960+jvalente-salemstate@users.noreply.github.com | mikaayenson@users.noreply.github.com |
4 shared files
rules/integrations/beaconing/command_and_control_beaconing.toml rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml rules/integrations/azure/defense_evasion_azure_blob_permissions_modified.toml rules/integrations/o365/credential_access_microsoft_365_brute_force_user_account_attempt.toml |
56. | 26856693+w0rk3r@users.noreply.github.com | traut@users.noreply.github.com |
4 shared files
detection_rules/devtools.py pyproject.toml detection_rules/integrations.py tests/test_all_rules.py |
57. | 26856693+w0rk3r@users.noreply.github.com | thijsxhaflaire31@hotmail.com |
3 shared files
detection_rules/etc/integration-manifests.json.gz detection_rules/schemas/definitions.py detection_rules/etc/integration-schemas.json.gz |
58. | 64742097+samirbous@users.noreply.github.com | thijsxhaflaire31@hotmail.com |
3 shared files
detection_rules/etc/integration-manifests.json.gz detection_rules/schemas/definitions.py detection_rules/etc/integration-schemas.json.gz |
59. | thijsxhaflaire31@hotmail.com | 99630311+terrancedejesus@users.noreply.github.com |
3 shared files
detection_rules/etc/integration-manifests.json.gz detection_rules/schemas/definitions.py detection_rules/etc/integration-schemas.json.gz |
60. | 16747370+brokensound77@users.noreply.github.com | 78494512+aegrah@users.noreply.github.com |
3 shared files
rules/linux/persistence_message_of_the_day_execution.toml rules/linux/persistence_kworker_file_creation.toml hunting/index.md |
61. | 78494512+aegrah@users.noreply.github.com | traut@users.noreply.github.com |
3 shared files
pyproject.toml .github/workflows/version-code-and-release.yml tests/test_all_rules.py |
62. | sergey@polzunov.com | 119343520+eric-forte-elastic@users.noreply.github.com |
3 shared files
docs/custom-rules.md docs/developing.md docs/rule-insights.md |
63. | 26856693+w0rk3r@users.noreply.github.com | eric.forte@elastic.co |
2 shared files
detection_rules/etc/integration-manifests.json.gz detection_rules/etc/integration-schemas.json.gz |
64. | 64742097+samirbous@users.noreply.github.com | eric.forte@elastic.co |
2 shared files
detection_rules/etc/integration-manifests.json.gz detection_rules/etc/integration-schemas.json.gz |
65. | thijsxhaflaire31@hotmail.com | eric.forte@elastic.co |
2 shared files
detection_rules/etc/integration-manifests.json.gz detection_rules/etc/integration-schemas.json.gz |
66. | thijsxhaflaire31@hotmail.com | mika.ayenson@elastic.co |
2 shared files
detection_rules/etc/integration-manifests.json.gz detection_rules/etc/integration-schemas.json.gz |
67. | thijsxhaflaire31@hotmail.com | 78494512+aegrah@users.noreply.github.com |
2 shared files
detection_rules/etc/integration-manifests.json.gz detection_rules/etc/integration-schemas.json.gz |
68. | 91139415+shashank-elastic@users.noreply.github.com | 61625853+ar3diu@users.noreply.github.com |
2 shared files
rules/windows/credential_access_lsass_memdump_file_created.toml rules/windows/collection_email_outlook_mailbox_via_com.toml |
69. | mika.ayenson@elastic.co | 61625853+ar3diu@users.noreply.github.com |
2 shared files
rules/windows/credential_access_lsass_memdump_file_created.toml rules/windows/collection_email_outlook_mailbox_via_com.toml |
70. | 61625853+ar3diu@users.noreply.github.com | 26856693+w0rk3r@users.noreply.github.com |
2 shared files
rules/windows/credential_access_lsass_memdump_file_created.toml rules/windows/collection_email_outlook_mailbox_via_com.toml |
71. | 119343520+eric-forte-elastic@users.noreply.github.com | 64742097+samirbous@users.noreply.github.com |
2 shared files
detection_rules/schemas/definitions.py pyproject.toml |
72. | 56411054+joe-desimone@users.noreply.github.com | mikaayenson@users.noreply.github.com |
2 shared files
rules/linux/persistence_ssh_key_generation.toml rules/windows/credential_access_lsass_openprocess_api.toml |
73. | 56411054+joe-desimone@users.noreply.github.com | 26856693+w0rk3r@users.noreply.github.com |
2 shared files
rules/linux/persistence_ssh_key_generation.toml rules/windows/credential_access_lsass_openprocess_api.toml |
74. | traut@users.noreply.github.com | 16747370+brokensound77@users.noreply.github.com |
2 shared files
CLI.md .github/CODEOWNERS |
75. | 26856693+w0rk3r@users.noreply.github.com | 10844131+jmcarlock@users.noreply.github.com |
2 shared files
rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event.toml rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml |
76. | 78494512+aegrah@users.noreply.github.com | 119343520+eric-forte-elastic@users.noreply.github.com |
2 shared files
pyproject.toml tests/test_all_rules.py |
77. | mika.ayenson@elastic.co | 59296946+imays11@users.noreply.github.com |
2 shared files
rules/integrations/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml rules/integrations/aws/impact_iam_deactivate_mfa_device.toml |
78. | thijsxhaflaire31@hotmail.com | mikaayenson@users.noreply.github.com |
2 shared files
rules/macos/privilege_escalation_user_added_to_admin_group.toml rules/macos/credential_access_high_volume_of_pbpaste.toml |
79. | 10844131+jmcarlock@users.noreply.github.com | 65730960+jvalente-salemstate@users.noreply.github.com |
1 shared file
rules/integrations/beaconing/command_and_control_beaconing.toml |
80. | 119343520+eric-forte-elastic@users.noreply.github.com | thijsxhaflaire31@hotmail.com |
1 shared file
detection_rules/schemas/definitions.py |
81. | 99630311+terrancedejesus@users.noreply.github.com | krish.reddy91@gmail.com |
1 shared file
rules/threat_intel/threat_intel_rapid7_threat_command.toml |
82. | krish.reddy91@gmail.com | 91139415+shashank-elastic@users.noreply.github.com |
1 shared file
rules/threat_intel/threat_intel_rapid7_threat_command.toml |
83. | krish.reddy91@gmail.com | mikaayenson@users.noreply.github.com |
1 shared file
rules/threat_intel/threat_intel_rapid7_threat_command.toml |
84. | 78494512+aegrah@users.noreply.github.com | 56411054+joe-desimone@users.noreply.github.com |
1 shared file
rules/linux/persistence_ssh_key_generation.toml |
85. | 91139415+shashank-elastic@users.noreply.github.com | terrance.dejesus@elastic.co | 1 shared file: detection_rules/etc/version.lock.json |
86. | terrance.dejesus@elastic.co | eric.forte@elastic.co | 1 shared file: detection_rules/etc/version.lock.json |
87. | terrance.dejesus@elastic.co | mika.ayenson@elastic.co | 1 shared file: detection_rules/etc/version.lock.json |
88. | 64742097+samirbous@users.noreply.github.com | 16747370+brokensound77@users.noreply.github.com | 1 shared file: rules/macos/credential_access_suspicious_web_browser_sensitive_file_access.toml |
89. | 64742097+samirbous@users.noreply.github.com | traut@users.noreply.github.com | 1 shared file: pyproject.toml |
90. | 91139415+shashank-elastic@users.noreply.github.com | dante.gpap@gmail.com | 1 shared file: rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml |
91. | mika.ayenson@elastic.co | dante.gpap@gmail.com | 1 shared file: rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml |
92. | dante.gpap@gmail.com | mikaayenson@users.noreply.github.com | 1 shared file: rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml |
93. | 72879786+protectionsmachine@users.noreply.github.com | 119343520+eric-forte-elastic@users.noreply.github.com | 1 shared file: rta/linux_discovery_command_from_sus_dir.py |
94. | 61625853+ar3diu@users.noreply.github.com | mikaayenson@users.noreply.github.com | 1 shared file: rules/windows/collection_email_outlook_mailbox_via_com.toml |
95. | 10844131+jmcarlock@users.noreply.github.com | 109447885+sodhikirti07@users.noreply.github.com | 1 shared file: rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml |
96. | 26856693+w0rk3r@users.noreply.github.com | 109447885+sodhikirti07@users.noreply.github.com | 1 shared file: rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml |
97. | 91139415+shashank-elastic@users.noreply.github.com | 105589633+rad9800@users.noreply.github.com | 1 shared file: rules/windows/persistence_registry_uncommon.toml |
98. | mika.ayenson@elastic.co | 105589633+rad9800@users.noreply.github.com | 1 shared file: rules/windows/persistence_registry_uncommon.toml |
99. | 26856693+w0rk3r@users.noreply.github.com | 105589633+rad9800@users.noreply.github.com | 1 shared file: rules/windows/persistence_registry_uncommon.toml |
100. | 105589633+rad9800@users.noreply.github.com | mikaayenson@users.noreply.github.com | 1 shared file: rules/windows/persistence_registry_uncommon.toml |
Contributor | # connections | # commits | |
---|---|---|---|
1. | 91139415+shashank-elastic@users.noreply.github.com | 23 | 68 |
2. | mika.ayenson@elastic.co | 22 | 4 |
3. | mikaayenson@users.noreply.github.com | 21 | 24 |
4. | 26856693+w0rk3r@users.noreply.github.com | 17 | 99 |
5. | 99630311+terrancedejesus@users.noreply.github.com | 16 | 102 |
6. | 64742097+samirbous@users.noreply.github.com | 14 | 47 |
7. | 78494512+aegrah@users.noreply.github.com | 12 | 154 |
8. | 119343520+eric-forte-elastic@users.noreply.github.com | 12 | 22 |
9. | eric.forte@elastic.co | 11 | 1 |
10. | traut@users.noreply.github.com | 9 | 6 |
11. | 16747370+brokensound77@users.noreply.github.com | 9 | 4 |
12. | thijsxhaflaire31@hotmail.com | 9 | 1 |
13. | 59296946+imays11@users.noreply.github.com | 8 | 24 |
14. | 61625853+ar3diu@users.noreply.github.com | 8 | 2 |
15. | dante.gpap@gmail.com | 7 | 1 |
16. | 10844131+jmcarlock@users.noreply.github.com | 6 | 1 |
17. | 65730960+jvalente-salemstate@users.noreply.github.com | 5 | 4 |
18. | 109447885+sodhikirti07@users.noreply.github.com | 5 | 3 |
19. | 56411054+joe-desimone@users.noreply.github.com | 5 | 2 |
20. | sergey@polzunov.com | 5 | 1 |
21. | 105589633+rad9800@users.noreply.github.com | 4 | 1 |
22. | terrance.dejesus@elastic.co | 3 | 1 |
23. | krish.reddy91@gmail.com | 3 | 1 |
24. | 109789828+anhuisec@users.noreply.github.com | 3 | 1 |
25. | 72879786+protectionsmachine@users.noreply.github.com | 1 | 49 |
26. | 56378862+jesse-sant@users.noreply.github.com | 0 | 1 |
C-median: 8.0
Half of the contributors have more than 8.0 connections, and half have fewer than this number.
C-mean: 9.5
The average number of connections a contributor has with other contributors.
C-index: 9.0
There are 9.0 contributors with 9.0 or more connections.