elastic / detection-rules-dac-demo

Intro

File size measurements show the distribution of size of files.
Files are classified in four categories based on their size (lines of code): 1-100 (very small files), 101-200 (small files), 201-500 (medium size files), 501-1000 (long files), 1001+(very long files).
It is a good practice to keep files small. Long files may become "bloaters", code that have increased to such gargantuan proportions that they are hard to work with.

Learn more...

File Size Overall

There are 1,614 files with 160,389 lines of code.

2 very long files (2,193 lines of code)
2 long files (1,226 lines of code)
32 medium size files (8,742 lines of codeclsfd_ftr_w_mp_ins)
636 small files (78,831 lines of code)
942 very small files (69,397 lines of code)

Legend:

1001+

501-1000

201-500

101-200

1-100

explore: grouped by folders | grouped by size | sunburst | 3D view

File Size per Extension

1001+

501-1000

201-500

101-200

1-100

File Size per Logical Decomposition

primary

1001+

501-1000

201-500

101-200

1-100

Longest Files (Top 50)

File	# lines	# units
rule.py in detection_rules	1140	113
devtools.py in detection_rules	1053	44
docs.py in detection_rules	699	60
main.py in detection_rules	527	18
rule_validators.py in detection_rules	439	25
rule_loader.py in detection_rules	439	43
packaging.py in detection_rules	367	18
misc.py in detection_rules	344	17
kbwrap.py in detection_rules	332	5
ml.py in detection_rules	327	35
execution_posh_hacktool_functions.toml in rules/windows	319	-
eswrap.py in detection_rules	309	23
command_and_control_common_webservices.toml in rules/windows	307	-
utils.py in detection_rules	291	39
integrations.py in detection_rules	286	17
persistence_run_key_and_startup_broad.toml in rules/windows	284	-
command_and_control_new_terms_commonly_abused_rat_execution.toml in rules/windows	280	-
defense_evasion_communication_apps_suspicious_child_process.toml in rules/windows	271	-
discovery_posh_generic.toml in rules_building_block	268	-
parser.py in lib/kql/kql	265	31
persistence_suspicious_file_modifications.toml in rules/integrations/fim	252	-
ecs.py in detection_rules	245	21
resources.py in lib/kibana/kibana	243	32
ghwrap.py in detection_rules	241	18
execution_from_unusual_path_cmdline.toml in rules/windows	239	-
persistence_cron_job_creation.toml in rules/linux	228	-
persistence_etc_file_creation.toml in rules/linux	226	-
persistence_systemd_service_creation.toml in rules/linux	225	-
definitions.py in detection_rules/schemas	224	3
config.py in detection_rules	221	13
navigator.py in detection_rules	220	19
persistence_kde_autostart_modification.toml in rules/linux	214	-
defense_evasion_masquerading_business_apps_installer.toml in rules/windows	212	-
version_lock.py in detection_rules	212	11
__init__.py in detection_rules/schemas	210	37
persistence_systemd_service_started.toml in rules/linux	202	-
rule_formatter.py in detection_rules	200	10
exception.py in detection_rules	199	10
cli_utils.py in detection_rules	198	3
defense_evasion_network_connection_from_windows_binary.toml in rules/windows	193	-
threat_intel_indicator_match_hash.toml in rules/threat_intel	191	-
privilege_escalation_persistence_phantom_dll.toml in rules/windows	191	-
persistence_credential_access_modify_ssh_binaries.toml in rules/linux	191	-
command_and_control_suspicious_network_activity_from_unknown_executable.toml in rules/linux	191	-
execution_shell_evasion_linux_binary.toml in rules/linux	190	-
persistence_service_dll_unsigned.toml in rules/windows	189	-
credential_access_lsass_openprocess_api.toml in rules/windows	188	-
persistence_message_of_the_day_execution.toml in rules/linux	188	-
privilege_escalation_posh_token_impersonation.toml in rules/windows	186	-
defense_evasion_masquerading_browsers.toml in rules_building_block	186	-

Files With Most Units (Top 50)

File	# lines	# units
rule.py in detection_rules	1140	113
docs.py in detection_rules	699	60
devtools.py in detection_rules	1053	44
rule_loader.py in detection_rules	439	43
utils.py in detection_rules	291	39
__init__.py in detection_rules/schemas	210	37
ml.py in detection_rules	327	35
resources.py in lib/kibana/kibana	243	32
parser.py in lib/kql/kql	265	31
rule_validators.py in detection_rules	439	25
eswrap.py in detection_rules	309	23
ecs.py in detection_rules	245	21
navigator.py in detection_rules	220	19
packaging.py in detection_rules	367	18
generic_loader.py in detection_rules	125	18
mixins.py in detection_rules	158	18
main.py in detection_rules	527	18
ghwrap.py in detection_rules	241	18
evaluator.py in lib/kql/kql	112	18
remote_validation.py in detection_rules	147	17
misc.py in detection_rules	344	17
integrations.py in detection_rules	286	17
beats.py in detection_rules	184	17
eql2kql.py in lib/kql/kql	91	16
dsl.py in lib/kql/kql	82	15
config.py in detection_rules	221	13
kql2eql.py in lib/kql/kql	64	13
optimizer.py in lib/kql/kql	91	13
version_lock.py in detection_rules	212	11
ast.py in lib/kql/kql	91	11
attack.py in detection_rules	164	10
exception.py in detection_rules	199	10
rule_formatter.py in detection_rules	200	10
markdown.py in hunting	102	10
search.py in hunting	124	10
utils.py in hunting	79	8
run.py in hunting	49	7
__main__.py in hunting	161	7
endgame.py in detection_rules	62	6
action_connector.py in detection_rules	124	6
custom_schemas.py in detection_rules	66	6
__init__.py in lib/kql/kql	52	6
kbwrap.py in detection_rules	332	5
custom_rules.py in detection_rules	106	4
cli_utils.py in detection_rules	198	3
stack_compat.py in detection_rules/schemas	32	3
definitions.py in detection_rules/schemas	224	3
action.py in detection_rules	39	2
definitions.py in hunting	39	2
__main__.py in detection_rules	13	1

Files With Long Lines (Top 50)

There are 1464 files with lines longer than 120 characters. In total, there are 25245 long lines.

File	# lines	# units	# long lines
initial_access_microsoft_365_abnormal_clientappid.toml in rules/integrations/o365	108	-	43
command_and_control_suspicious_network_activity_from_unknown_executable.toml in rules/linux	191	-	41
persistence_ec2_security_group_configuration_change_detection.toml in rules/integrations/aws	145	-	40
defense_evasion_sqs_purge_queue.toml in rules/integrations/aws	137	-	38
discovery_linux_hping_activity.toml in rules/linux	114	-	35
credential_access_ssh_backdoor_log.toml in rules/linux	151	-	35
initial_access_ml_auth_rare_source_ip_for_a_user.toml in rules/ml	122	-	34
credential_access_ml_suspicious_login_activity.toml in rules/ml	122	-	34
credential_access_ml_linux_anomalous_metadata_process.toml in rules/ml	117	-	34
credential_access_ml_auth_spike_in_logon_events.toml in rules/ml	125	-	34
credential_access_ml_linux_anomalous_metadata_user.toml in rules/ml	118	-	34
discovery_ml_linux_system_network_configuration_discovery.toml in rules/ml	115	-	34
execution_shell_via_meterpreter_linux.toml in rules/linux	123	-	34
defense_evasion_chattr_immutable_file.toml in rules/linux	118	-	34
persistence_xdg_autostart_netcon.toml in rules/linux	131	-	34
discovery_virtual_machine_fingerprinting.toml in rules/linux	113	-	34
defense_evasion_log_files_deleted.toml in rules/linux	129	-	34
privilege_escalation_linux_suspicious_symbolic_link.toml in rules/linux	123	-	34
defense_evasion_hidden_shared_object.toml in rules/linux	111	-	34
defense_evasion_disable_selinux_attempt.toml in rules/linux	111	-	34
defense_evasion_attempt_to_disable_syslog_service.toml in rules/linux	113	-	34
discovery_linux_nping_activity.toml in rules/linux	114	-	34
ml_packetbeat_rare_server_domain.toml in rules/ml	100	-	33
command_and_control_ml_packetbeat_rare_dns_question.toml in rules/ml	116	-	33
command_and_control_ml_packetbeat_rare_urls.toml in rules/ml	120	-	33
ml_linux_anomalous_network_port_activity.toml in rules/ml	100	-	33
privilege_escalation_ld_preload_shared_object_modif.toml in rules/linux	115	-	33
execution_unusual_pkexec_execution.toml in rules/linux	124	-	33
defense_evasion_hidden_file_dir_tmp.toml in rules/linux	125	-	33
persistence_kde_autostart_modification.toml in rules/linux	214	-	33
defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml in rules/linux	115	-	33
command_and_control_beaconing.toml in rules/integrations/beaconing	92	-	32
discovery_ml_linux_system_network_connection_discovery.toml in rules/ml	115	-	32
discovery_ml_linux_system_process_discovery.toml in rules/ml	115	-	32
persistence_ml_windows_anomalous_process_all_hosts.toml in rules/ml	171	-	32
persistence_ml_windows_anomalous_process_creation.toml in rules/ml	159	-	32
ml_high_count_network_denies.toml in rules/ml	94	-	32
command_and_control_ml_packetbeat_rare_user_agent.toml in rules/ml	117	-	32
execution_ml_windows_anomalous_script.toml in rules/ml	118	-	32
privilege_escalation_ml_linux_anomalous_sudo_activity.toml in rules/ml	123	-	32
ml_rare_destination_country.toml in rules/ml	98	-	32
command_and_control_ml_packetbeat_dns_tunneling.toml in rules/ml	108	-	32
persistence_ml_rare_process_by_host_windows.toml in rules/ml	160	-	32
discovery_ml_linux_system_user_discovery.toml in rules/ml	114	-	32
resource_development_ml_linux_anomalous_compiler_activity.toml in rules/ml	118	-	32
lateral_movement_telnet_network_activity_internal.toml in rules/linux	119	-	32
credential_access_ml_windows_anomalous_metadata_user.toml in rules/ml	115	-	31
discovery_ml_linux_system_information_discovery.toml in rules/ml	115	-	31
persistence_ml_windows_anomalous_service.toml in rules/ml	116	-	31
discovery_users_domain_built_in_commands.toml in rules/macos	120	-	31