path	# lines of code
rules/network/command_and_control_accepted_default_telnet_port_connection.toml	102
rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml	115
rules/network/lateral_movement_dns_server_overflow.toml	75
rules/network/command_and_control_fin7_c2_behavior.toml	56
rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml	125
rules/network/command_and_control_halfbaked_beacon.toml	83
rules/network/command_and_control_download_rar_powershell_from_internet.toml	111
rules/network/command_and_control_cobalt_strike_beacon.toml	85
rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml	106
rules/network/initial_access_unsecure_elasticsearch_node.toml	74
rules/network/command_and_control_port_26_activity.toml	77
rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml	86
rules/network/command_and_control_nat_traversal_port_activity.toml	67
rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml	97
rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml	97
rules/network/discovery_potential_port_scan_detected.toml	93
rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml	108
rules/network/discovery_potential_network_sweep_detected.toml	93
rules/network/discovery_potential_syn_port_scan_detected.toml	93
rules/threat_intel/threat_intel_indicator_match_address.toml	157
rules/threat_intel/threat_intel_indicator_match_hash.toml	191
rules/threat_intel/threat_intel_rapid7_threat_command.toml	86
rules/threat_intel/threat_intel_indicator_match_email.toml	140
rules/threat_intel/threat_intel_indicator_match_url.toml	160
rules/threat_intel/threat_intel_indicator_match_registry.toml	146
rules/integrations/fim/persistence_suspicious_file_modifications.toml	252
rules/integrations/aws_bedrock/aws_bedrock_guardrails_multiple_violations_by_single_user.toml	75
rules/integrations/aws_bedrock/aws_bedrock_high_resource_consumption_detection.toml	80
rules/integrations/aws_bedrock/aws_bedrock_high_confidence_misconduct_blocks_detected.toml	80
rules/integrations/aws_bedrock/aws_bedrock_execution_without_guardrails.toml	78
rules/integrations/aws_bedrock/aws_bedrock_multiple_topic_policy_blocks_detected.toml	74
rules/integrations/aws_bedrock/aws_bedrock_multiple_validation_exception_errors_by_single_user.toml	82
rules/integrations/aws_bedrock/aws_bedrock_multiple_word_policy_blocks_detected.toml	74
rules/integrations/aws_bedrock/aws_bedrock_guardrails_multiple_violations_in_single_request.toml	76
rules/integrations/aws_bedrock/aws_bedrock_multiple_sensitive_information_policy_blocks_detected.toml	74
rules/integrations/aws_bedrock/aws_bedrock_multiple_attempts_to_use_denied_models_by_user.toml	74
rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml	59
rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml	62
rules/integrations/endpoint/execution_elastic_malicious_file_prevented.toml	133
rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.toml	111
rules/integrations/endpoint/execution_elastic_malicious_file_detected.toml	133
rules/integrations/endpoint/elastic_endpoint_security.toml	101
rules/integrations/endpoint/impact_elastic_ransomware_detected.toml	120
rules/integrations/endpoint/elastic_endpoint_security_behavior_prevented.toml	111
rules/integrations/endpoint/impact_elastic_ransomware_prevented.toml	120
rules/integrations/endpoint/defense_evasion_elastic_memory_threat_prevented.toml	139
rules/integrations/endpoint/defense_evasion_elastic_memory_threat_detected.toml	139
rules/integrations/pad/privileged_access_ml_okta_rare_host_name_by_user.toml	86
rules/integrations/pad/privileged_access_ml_okta_spike_in_group_membership_changes.toml	89
rules/integrations/pad/privileged_access_ml_windows_high_count_user_account_management_events.toml	90
rules/integrations/pad/privileged_access_ml_linux_rare_process_executed_by_user.toml	85
rules/integrations/pad/privileged_access_ml_windows_rare_privilege_assigned_to_user.toml	90
rules/integrations/pad/privileged_access_ml_okta_spike_in_group_application_assignment_changes.toml	93
rules/integrations/pad/privileged_access_ml_okta_rare_source_ip_by_user.toml	85
rules/integrations/pad/privileged_access_ml_windows_high_count_special_privilege_use_events.toml	90
rules/integrations/pad/privileged_access_ml_okta_spike_in_user_lifecycle_management_changes.toml	88
rules/integrations/pad/privileged_access_ml_windows_rare_source_ip_by_user.toml	85
rules/integrations/pad/privileged_access_ml_okta_rare_region_name_by_user.toml	86
rules/integrations/pad/privileged_access_ml_windows_rare_region_name_by_user.toml	86
rules/integrations/pad/privileged_access_ml_windows_high_count_special_logon_events.toml	88
rules/integrations/pad/privileged_access_ml_windows_rare_device_by_user.toml	86
rules/integrations/pad/privileged_access_ml_okta_spike_in_group_privilege_changes.toml	93
rules/integrations/pad/privileged_access_ml_linux_high_median_process_command_line_entropy_by_user.toml	86
rules/integrations/pad/privileged_access_ml_linux_high_count_privileged_process_events_by_user.toml	86
rules/integrations/pad/privileged_access_ml_okta_high_sum_concurrent_sessions_by_user.toml	89
rules/integrations/pad/privileged_access_ml_windows_high_count_group_management_events.toml	91
rules/integrations/pad/privileged_access_ml_windows_rare_group_name_by_user.toml	102
rules/integrations/pad/privileged_access_ml_okta_spike_in_group_lifecycle_changes.toml	89
rules/integrations/azure/persistence_azure_automation_account_created.toml	78
rules/integrations/azure/initial_access_azure_active_directory_powershell_signin.toml	89
rules/integrations/azure/credential_access_first_time_seen_device_code_auth.toml	108
rules/integrations/azure/credential_access_storage_account_key_regenerated.toml	79
rules/integrations/azure/collection_entra_auth_broker_sharepoint_access_for_user_principal.toml	111
rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin.toml	85
rules/integrations/azure/persistence_mfa_disabled_for_azure_user.toml	72
rules/integrations/azure/defense_evasion_azure_application_credential_modification.toml	86
rules/integrations/azure/credential_access_azure_entra_totp_brute_force_attempts.toml	129
rules/integrations/azure/defense_evasion_suppression_rule_created.toml	76
rules/integrations/azure/persistence_azure_automation_runbook_created_or_modified.toml	66
rules/integrations/azure/credential_access_entra_id_device_code_auth_with_broker_client.toml	80
rules/integrations/azure/initial_access_graph_first_occurrence_of_client_request.toml	110
rules/integrations/azure/impact_virtual_network_device_modified.toml	76
rules/integrations/azure/initial_access_external_guest_user_invite.toml	83
rules/integrations/azure/collection_update_event_hub_auth_rule.toml	83
rules/integrations/azure/defense_evasion_network_watcher_deletion.toml	80
rules/integrations/azure/initial_access_entra_illicit_consent_grant_via_registered_application.toml	122
rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml	74
rules/integrations/azure/privilege_escalation_azure_kubernetes_rolebinding_created.toml	74
rules/integrations/azure/credential_access_entra_password_spraying_non_interactive_sfa.toml	128
rules/integrations/azure/defense_evasion_azure_automation_runbook_deleted.toml	66
rules/integrations/azure/credential_access_entra_signin_brute_force_microsoft_365_repeat_source.toml	99
rules/integrations/azure/initial_access_entra_graph_single_session_from_multiple_addresses.toml	154
rules/integrations/azure/defense_evasion_entra_suspicious_auth_broker_activity_on_behalf_of_principal_user.toml	128
rules/integrations/azure/defense_evasion_azure_diagnostic_settings_deletion.toml	76
rules/integrations/azure/persistence_azure_service_principal_credentials_added.toml	97
rules/integrations/azure/persistence_entra_service_principal_created.toml	103
rules/integrations/azure/command_and_control_entra_protection_anonymized_ip_reported.toml	88
rules/integrations/azure/execution_command_virtual_machine.toml	78
rules/integrations/azure/collection_graph_email_access_by_unusual_public_client_via_graph.toml	105
rules/integrations/azure/persistence_user_added_as_owner_for_azure_application.toml	63
rules/integrations/azure/initial_access_entra_rare_app_id_for_principal_auth.toml	98
rules/integrations/azure/persistence_azure_pim_user_added_global_admin.toml	79
rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml	79
rules/integrations/azure/credential_access_key_vault_modified.toml	79
rules/integrations/azure/defense_evasion_event_hub_deletion.toml	79
rules/integrations/azure/credential_access_azure_full_network_packet_capture_detected.toml	78
rules/integrations/azure/persistence_azure_automation_webhook_created.toml	65
rules/integrations/azure/impact_kubernetes_pod_deleted.toml	69
rules/integrations/azure/persistence_entra_conditional_access_policy_modified.toml	94
rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml	80
rules/integrations/azure/initial_access_entra_rare_authentication_requirement_for_principal_user.toml	116
rules/integrations/azure/initial_access_entra_oauth_phishing_via_vscode_client.toml	104
rules/integrations/azure/defense_evasion_firewall_policy_deletion.toml	81
rules/integrations/azure/defense_evasion_frontdoor_firewall_policy_deletion.toml	84
rules/integrations/azure/credential_access_entra_signin_brute_force_microsoft_365.toml	105
rules/integrations/azure/defense_evasion_azure_blob_permissions_modified.toml	78
rules/integrations/azure/impact_resource_group_deletion.toml	89
rules/integrations/azure/persistence_user_added_as_owner_for_azure_service_principal.toml	68
rules/integrations/azure/discovery_blob_container_access_mod.toml	80
rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml	90
rules/integrations/azure/initial_access_entra_protection_multi_azure_identity_protection_alerts.toml	86
rules/integrations/azure/credential_access_azure_entra_suspicious_signin.toml	88
rules/integrations/lmd/lateral_movement_ml_spike_in_connections_from_a_source_ip.toml	86
rules/integrations/lmd/lateral_movement_ml_rare_remote_file_directory.toml	86
rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_process_args.toml	85
rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_session_duration.toml	86
rules/integrations/lmd/lateral_movement_ml_spike_in_connections_to_a_destination_ip.toml	85
rules/integrations/lmd/lateral_movement_ml_spike_in_remote_file_transfers.toml	87
rules/integrations/lmd/lateral_movement_ml_spike_in_rdp_processes.toml	84
rules/integrations/lmd/lateral_movement_ml_high_remote_file_size.toml	87
rules/integrations/lmd/lateral_movement_ml_unusual_time_for_an_rdp_session.toml	86
rules/integrations/lmd/lateral_movement_ml_rare_remote_file_extension.toml	85
rules/integrations/lmd/lateral_movement_ml_high_variance_rdp_session_duration.toml	86
rules/integrations/ded/exfiltration_ml_high_bytes_destination_ip.toml	85
rules/integrations/ded/exfiltration_ml_high_bytes_destination_port.toml	85
rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device_airdrop.toml	86
rules/integrations/ded/exfiltration_ml_high_bytes_destination_geo_country_iso_code.toml	86
rules/integrations/ded/exfiltration_ml_high_bytes_destination_region_name.toml	86
rules/integrations/ded/exfiltration_ml_rare_process_writing_to_external_device.toml	85
rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device.toml	85
rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml	90
rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml	91
rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml	97
rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_low_probability.toml	97
rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml	89
rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml	88
rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml	91
rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml	90
rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml	91
rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostpid.toml	94
rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml	91
rules/integrations/kubernetes/persistence_exposed_service_created_with_type_nodeport.toml	86
rules/integrations/kubernetes/discovery_denied_service_account_request.toml	77
rules/integrations/kubernetes/execution_user_exec_to_pod.toml	81
rules/integrations/kubernetes/discovery_suspicious_self_subject_review.toml	80
rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostipc.toml	94
rules/integrations/kubernetes/privilege_escalation_container_created_with_excessive_linux_capabilities.toml	81
rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml	79
rules/integrations/kubernetes/privilege_escalation_pod_created_with_sensitive_hostpath_volume.toml	109
rules/integrations/kubernetes/privilege_escalation_suspicious_assignment_of_controller_service_account.toml	84
rules/integrations/google_workspace/persistence_google_workspace_password_policy_modified.toml	104
rules/integrations/google_workspace/initial_access_object_copied_to_external_drive_with_app_consent.toml	114
rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml	91
rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_dwd.toml	97
rules/integrations/google_workspace/credential_access_google_workspace_drive_encryption_key_accessed_by_anonymous_user.toml	100
rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml	104
rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml	104
rules/integrations/google_workspace/persistence_google_workspace_2sv_policy_disabled.toml	96
rules/integrations/google_workspace/collection_google_workspace_custom_gmail_route_created_or_modified.toml	98
rules/integrations/google_workspace/google_workspace_alert_center_promotion.toml	66
rules/integrations/google_workspace/impact_google_workspace_admin_role_deletion.toml	92
rules/integrations/google_workspace/initial_access_google_workspace_suspended_user_renewed.toml	92
rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml	109
rules/integrations/google_workspace/defense_evasion_restrictions_for_marketplace_modified_to_allow_any_app.toml	104
rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml	97
rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml	98
rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml	92
rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml	103
rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml	97
rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml	96
rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml	103
rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml	94
rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml	99
rules/integrations/aws/exfiltration_ec2_ebs_snapshot_shared_with_another_account.toml	85
rules/integrations/aws/initial_access_console_login_root.toml	87
rules/integrations/aws/impact_rds_instance_cluster_deletion_protection_disabled.toml	81
rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml	95
rules/integrations/aws/exfiltration_sns_email_subscription_by_rare_user.toml	112
rules/integrations/aws/impact_efs_filesystem_or_mount_deleted.toml	77
rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml	84
rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml	108
rules/integrations/aws/lateral_movement_ec2_instance_connect_ssh_public_key_uploaded.toml	103
rules/integrations/aws/execution_new_terms_cloudformation_createstack.toml	88
rules/integrations/aws/lateral_movement_sns_topic_message_publish_by_rare_user.toml	142
rules/integrations/aws/impact_rds_group_deletion.toml	75
rules/integrations/aws/discovery_ec2_multi_region_describe_instances.toml	103
rules/integrations/aws/execution_ssm_command_document_created_by_rare_user.toml	98
rules/integrations/aws/exfiltration_ec2_ami_shared_with_separate_account.toml	82
rules/integrations/aws/impact_s3_excessive_object_encryption_with_sse_c.toml	104
rules/integrations/aws/impact_cloudtrail_logging_updated.toml	102
rules/integrations/aws/discovery_ec2_multiple_discovery_api_calls_via_cli.toml	122
rules/integrations/aws/persistence_rds_instance_made_public.toml	96
rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_group.toml	123
rules/integrations/aws/privilege_escalation_role_assumption_by_user.toml	127
rules/integrations/aws/persistence_iam_api_calls_via_user_session_token.toml	87
rules/integrations/aws/impact_aws_s3_bucket_enumeration_or_brute_force.toml	116
rules/integrations/aws/discovery_new_terms_sts_getcalleridentity.toml	124
rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml	76
rules/integrations/aws/ml_cloudtrail_error_message_spike.toml	96
rules/integrations/aws/impact_rds_instance_cluster_deletion.toml	87
rules/integrations/aws/persistence_iam_roles_anywhere_trusted_anchor_created_with_external_ca.toml	93
rules/integrations/aws/impact_rds_instance_cluster_stoppage.toml	82
rules/integrations/aws/execution_ssm_sendcommand_by_rare_user.toml	104
rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml	79
rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml	106
rules/integrations/aws/impact_s3_object_versioning_disabled.toml	81
rules/integrations/aws/impact_s3_static_site_js_file_uploaded.toml	110
rules/integrations/aws/privilege_escalation_root_login_without_mfa.toml	83
rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml	150
rules/integrations/aws/discovery_ec2_deprecated_ami_discovery.toml	120
rules/integrations/aws/exfiltration_s3_bucket_replicated_to_external_account.toml	78
rules/integrations/aws/initial_access_password_recovery.toml	79
rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml	95
rules/integrations/aws/persistence_ec2_route_table_modified_or_deleted.toml	123
rules/integrations/aws/defense_evasion_configuration_recorder_stopped.toml	75
rules/integrations/aws/persistence_route_table_created.toml	79
rules/integrations/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml	83
rules/integrations/aws/credential_access_retrieve_secure_string_parameters_via_ssm.toml	101
rules/integrations/aws/collection_cloudtrail_logging_created.toml	78
rules/integrations/aws/exfiltration_ec2_vm_export_failure.toml	88
rules/integrations/aws/exfiltration_rds_snapshot_export.toml	71
rules/integrations/aws/privilege_escalation_iam_update_assume_role_policy.toml	100
rules/integrations/aws/credential_access_aws_iam_assume_role_brute_force.toml	86
rules/integrations/aws/exfiltration_dynamodb_table_exported_to_s3.toml	104
rules/integrations/aws/persistence_iam_roles_anywhere_profile_created.toml	91
rules/integrations/aws/defense_evasion_rds_instance_restored.toml	91
rules/integrations/aws/ml_cloudtrail_rare_error_code.toml	97
rules/integrations/aws/impact_s3_object_encryption_with_external_key.toml	97
rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml	96
rules/integrations/aws/discovery_servicequotas_multi_region_service_quota_requests.toml	88
rules/integrations/aws/exfiltration_dynamodb_scan_by_unusual_user.toml	108
rules/integrations/aws/persistence_redshift_instance_creation.toml	76
rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml	97
rules/integrations/aws/privilege_escalation_iam_customer_managed_policy_attached_to_role.toml	118
rules/integrations/aws/defense_evasion_sts_get_federation_token.toml	84
rules/integrations/aws/initial_access_signin_console_login_no_mfa.toml	83
rules/integrations/aws/defense_evasion_s3_bucket_server_access_logging_disabled.toml	89
rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml	88
rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml	85
rules/integrations/aws/privilege_escalation_sts_assume_root_from_rare_user_and_member_account.toml	141
rules/integrations/aws/initial_access_iam_session_token_used_from_multiple_addresses.toml	96
rules/integrations/aws/credential_access_rapid_secret_retrieval_attempts_from_secretsmanager.toml	102
rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml	86
rules/integrations/aws/credential_access_root_console_failure_brute_force.toml	80
rules/integrations/aws/defense_evasion_elasticache_security_group_modified_or_deleted.toml	76
rules/integrations/aws/exfiltration_rds_snapshot_shared_with_another_account.toml	85
rules/integrations/aws/impact_iam_deactivate_mfa_device.toml	100
rules/integrations/aws/persistence_aws_attempt_to_register_virtual_mfa_device.toml	76
rules/integrations/aws/impact_s3_bucket_object_uploaded_with_ransom_extension.toml	99
rules/integrations/aws/persistence_sts_assume_role_with_new_mfa.toml	118
rules/integrations/aws/defense_evasion_sqs_purge_queue.toml	137
rules/integrations/aws/discovery_ec2_userdata_request_for_ec2_instance.toml	115
rules/integrations/aws/exfiltration_s3_bucket_policy_added_for_external_account_access.toml	85
rules/integrations/aws/resource_development_sns_topic_created_by_rare_user.toml	130
rules/integrations/aws/defense_evasion_s3_bucket_lifecycle_expiration_added.toml	88
rules/integrations/aws/impact_rds_snapshot_deleted.toml	82
rules/integrations/aws/persistence_rds_db_instance_password_modified.toml	100
rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml	99
rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_role.toml	122
rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml	106
rules/integrations/aws/execution_lambda_external_layer_added_to_function.toml	80
rules/integrations/aws/privilege_escalation_sts_getsessiontoken_abuse.toml	92
rules/integrations/aws/collection_s3_unauthenticated_bucket_access_by_rare_source.toml	174
rules/integrations/aws/persistence_ec2_network_acl_creation.toml	85
rules/integrations/aws/privilege_escalation_role_assumption_by_service.toml	141
rules/integrations/aws/impact_s3_unusual_object_encryption_with_sse_c.toml	126
rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml	145
rules/integrations/aws/defense_evasion_config_service_rule_deletion.toml	97
rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml	152
rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml	99
rules/integrations/aws/privilege_escalation_sts_role_chaining.toml	108
rules/integrations/aws/impact_kms_cmk_disabled_or_scheduled_for_deletion.toml	85
rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml	76
rules/integrations/aws/impact_iam_group_deletion.toml	81
rules/integrations/aws/defense_evasion_ec2_network_acl_deletion.toml	88
rules/integrations/aws/defense_evasion_vpc_security_group_ingress_rule_added_for_remote_connections.toml	90
rules/integrations/aws/initial_access_kali_user_agent_detected_with_aws_cli.toml	73
rules/integrations/aws/privilege_escalation_iam_saml_provider_updated.toml	84
rules/integrations/aws/exfiltration_ec2_snapshot_change_activity.toml	92
rules/integrations/aws/credential_access_iam_user_addition_to_group.toml	86
rules/integrations/aws/persistence_iam_group_creation.toml	87
rules/integrations/aws/persistence_iam_create_login_profile_for_root.toml	143
rules/integrations/aws/persistence_lambda_backdoor_invoke_function_for_any_principal.toml	81
rules/integrations/aws/defense_evasion_route53_dns_query_resolver_config_deletion.toml	80
rules/integrations/aws/persistence_iam_create_user_via_assumed_role_on_ec2_instance.toml	116
rules/integrations/aws/persistence_rds_cluster_creation.toml	91
rules/integrations/aws/lateral_movement_aws_ssm_start_session_to_ec2_instance.toml	89
rules/integrations/aws/persistence_rds_group_creation.toml	79
rules/integrations/aws/persistence_rds_instance_creation.toml	73
rules/integrations/aws/credential_access_iam_compromisedkeyquarantine_policy_attached_to_user.toml	75
rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml	83
rules/integrations/aws/lateral_movement_ec2_instance_console_login.toml	99
rules/integrations/aws/defense_evasion_elasticache_security_group_creation.toml	77
rules/integrations/aws/credential_access_new_terms_secretsmanager_getsecretvalue.toml	111
rules/integrations/aws/defense_evasion_waf_acl_deletion.toml	82
rules/integrations/aws/defense_evasion_ec2_flow_log_deletion.toml	94
rules/integrations/o365/privilege_escalation_new_or_modified_federation_domain.toml	82
rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml	77
rules/integrations/o365/defense_evasion_microsoft_365_mailboxauditbypassassociation.toml	74
rules/integrations/o365/initial_access_microsoft_365_impossible_travel_activity.toml	77
rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_mod.toml	74
rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml	73
rules/integrations/o365/persistence_microsoft_365_teams_external_access_enabled.toml	73
rules/integrations/o365/lateral_movement_malware_uploaded_sharepoint.toml	69
rules/integrations/o365/persistence_microsoft_365_exchange_dkim_signing_config_disabled.toml	73
rules/integrations/o365/collection_onedrive_excessive_file_downloads.toml	105
rules/integrations/o365/defense_evasion_microsoft_365_susp_oauth2_authorization.toml	89
rules/integrations/o365/impact_microsoft_365_unusual_volume_of_file_deletion.toml	66
rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml	74
rules/integrations/o365/persistence_exchange_suspicious_mailbox_permission_delegation.toml	121
rules/integrations/o365/initial_access_microsoft_365_portal_login_from_rare_location.toml	84
rules/integrations/o365/lateral_movement_malware_uploaded_onedrive.toml	70
rules/integrations/o365/credential_access_antra_id_device_reg_via_oauth_redirection.toml	91
rules/integrations/o365/initial_access_microsoft_365_impossible_travel_portal_logins.toml	85
rules/integrations/o365/credential_access_user_excessive_sso_logon_errors.toml	78
rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml	78
rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml	80
rules/integrations/o365/credential_access_microsoft_365_brute_force_user_account_attempt.toml	114
rules/integrations/o365/impact_microsoft_365_potential_ransomware_activity.toml	75
rules/integrations/o365/defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml	78
rules/integrations/o365/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml	78
rules/integrations/o365/initial_access_microsoft_365_exchange_safelinks_disabled.toml	78
rules/integrations/o365/exfiltration_microsoft_365_mass_download_by_a_single_user.toml	61
rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml	80
rules/integrations/o365/persistence_microsoft_365_exchange_management_role_assignment.toml	79
rules/integrations/o365/persistence_microsoft_365_teams_guest_access_enabled.toml	73
rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml	88
rules/integrations/o365/initial_access_microsoft_365_illicit_consent_grant_via_registered_application.toml	127
rules/integrations/o365/initial_access_microsoft_365_entra_oauth_phishing_via_vscode_client.toml	101
rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml	79
rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml	80
rules/integrations/o365/initial_access_microsoft_365_abnormal_clientappid.toml	109
rules/integrations/o365/persistence_microsoft_365_teams_custom_app_interaction_allowed.toml	71
rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml	89
rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml	76
rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml	89
rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml	76
rules/integrations/okta/credential_access_okta_mfa_bombing_via_push_notifications.toml	81
rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml	78
rules/integrations/okta/defense_evasion_first_occurence_public_app_client_credential_token_exchange.toml	97
rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml	83
rules/integrations/okta/credential_access_user_impersonation_access.toml	63
rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml	91
rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml	73
rules/integrations/okta/credential_access_multiple_device_token_hashes_for_single_okta_session.toml	103
rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_with_the_same_device_token_hash.toml	114
rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml	84
rules/integrations/okta/credential_access_okta_multiple_device_token_hashes_for_single_user.toml	117
rules/integrations/okta/initial_access_successful_application_sso_from_unknown_client_device.toml	83
rules/integrations/okta/credential_access_multiple_auth_events_from_single_device_behind_proxy.toml	108
rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml	70
rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml	79
rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml	78
rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml	73
rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml	83
rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml	77
rules/integrations/okta/impact_possible_okta_dos_attack.toml	74
rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml	82
rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml	84
rules/integrations/okta/initial_access_new_authentication_behavior_detection.toml	64
rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_from_single_source.toml	116
rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml	75
rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml	74
rules/integrations/okta/okta_threatinsight_threat_suspected_promotion.toml	59
rules/integrations/okta/initial_access_okta_user_sessions_started_from_different_geolocations.toml	99
rules/integrations/okta/credential_access_okta_potentially_successful_okta_bombing_via_push_notifications.toml	79
rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml	102
rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml	74
rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml	70
rules/integrations/okta/initial_access_sign_in_events_via_third_party_idp.toml	85
rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml	86
rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml	78
rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml	83
rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml	101
rules/integrations/okta/persistence_mfa_deactivation_with_no_reactivation.toml	81
rules/integrations/okta/initial_access_okta_fastpass_phishing.toml	72
rules/integrations/okta/persistence_new_idp_successfully_added_by_admin.toml	76
rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml	83
rules/integrations/azure_openai/azure_openai_insecure_output_handling_detection.toml	67
rules/integrations/azure_openai/azure_openai_denial_of_ml_service_detection.toml	74
rules/integrations/azure_openai/azure_openai_model_theft_detection.toml	69
rules/integrations/beaconing/command_and_control_beaconing.toml	92
rules/integrations/beaconing/command_and_control_beaconing_high_confidence.toml	87
rules/integrations/github/persistence_github_org_owner_added.toml	73
rules/integrations/github/impact_github_repository_deleted.toml	69
rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml	75
rules/integrations/github/persistence_organization_owner_role_granted.toml	71
rules/integrations/github/defense_evasion_github_protected_branch_settings_changed.toml	73
rules/integrations/github/execution_new_github_app_installed.toml	69
rules/integrations/github/execution_github_ueba_multiple_behavior_alerts_from_account.toml	71
rules/integrations/github/execution_github_app_deleted.toml	64
rules/integrations/dga/command_and_control_ml_dns_request_predicted_to_be_a_dga_domain.toml	96
rules/integrations/dga/command_and_control_ml_dga_high_sum_probability.toml	92
rules/integrations/dga/command_and_control_ml_dns_request_high_dga_probability.toml	95
rules/integrations/dga/command_and_control_ml_dga_activity_using_sunburst_domain.toml	96
rules/integrations/gcp/impact_gcp_iam_role_deletion.toml	78
rules/integrations/gcp/persistence_gcp_service_account_created.toml	78
rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_network_deleted.toml	81
rules/integrations/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml	77
rules/integrations/gcp/defense_evasion_gcp_firewall_rule_created.toml	82
rules/integrations/gcp/defense_evasion_gcp_logging_sink_deletion.toml	76
rules/integrations/gcp/defense_evasion_gcp_firewall_rule_modified.toml	82
rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml	87
rules/integrations/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml	77
rules/integrations/gcp/exfiltration_gcp_logging_sink_modification.toml	79
rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_created.toml	82
rules/integrations/gcp/impact_gcp_service_account_deleted.toml	78
rules/integrations/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml	78
rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_deleted.toml	82
rules/integrations/gcp/impact_gcp_storage_bucket_deleted.toml	69
rules/integrations/gcp/persistence_gcp_key_created_for_service_account.toml	82
rules/integrations/gcp/defense_evasion_gcp_firewall_rule_deleted.toml	79
rules/integrations/gcp/collection_gcp_pub_sub_topic_creation.toml	79
rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml	81
rules/integrations/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml	77
rules/integrations/gcp/collection_gcp_pub_sub_subscription_creation.toml	76
rules/integrations/gcp/impact_gcp_service_account_disabled.toml	78
rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml	79
rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml	93
rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml	68
rules/cross-platform/privilege_escalation_sudo_buffer_overflow.toml	88
rules/cross-platform/execution_potential_widespread_malware_infection.toml	75
rules/cross-platform/impact_hosts_file_modified.toml	98
rules/cross-platform/command_and_control_non_standard_ssh_port.toml	93
rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml	67
rules/cross-platform/persistence_shell_profile_modification.toml	90
rules/cross-platform/multiple_alerts_different_tactics_host.toml	63
rules/cross-platform/credential_access_forced_authentication_pipes.toml	94
rules/cross-platform/defense_evasion_encoding_rot13_python_script.toml	82
rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml	92
rules/cross-platform/execution_suspicious_java_netcon_childproc.toml	113
rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml	70
rules/cross-platform/discovery_security_software_grep.toml	125
rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml	85
rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml	82
rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml	102
rules/cross-platform/persistence_ssh_authorized_keys_modification.toml	120
rules/cross-platform/execution_revershell_via_shell_cmd.toml	84
rules/cross-platform/multiple_alerts_involving_user.toml	66
rules/cross-platform/guided_onboarding_sample_rule.toml	62
rules/cross-platform/initial_access_azure_o365_with_network_alert.toml	98
rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml	73
rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml	121
rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml	83
rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml	95
rules/cross-platform/privilege_escalation_sudoers_file_mod.toml	81
rules/cross-platform/defense_evasion_timestomp_touch.toml	84
rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml	100
rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml	72
rules/cross-platform/execution_aws_ssm_sendcommand_with_command_parameters.toml	144
rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml	67
rules/promotions/credential_access_endgame_cred_dumping_detected.toml	72
rules/promotions/privilege_escalation_endgame_cred_manipulation_prevented.toml	67
rules/promotions/endgame_malware_prevented.toml	58
rules/promotions/endgame_malware_detected.toml	57
rules/promotions/endgame_adversary_behavior_detected.toml	57
rules/promotions/execution_endgame_exploit_prevented.toml	80
rules/promotions/endgame_ransomware_detected.toml	56
rules/promotions/privilege_escalation_endgame_process_injection_detected.toml	68
rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml	67
rules/promotions/external_alerts.toml	90
rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml	67
rules/promotions/endgame_ransomware_prevented.toml	57
rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml	67
rules/promotions/execution_endgame_exploit_detected.toml	78
rules/promotions/credential_access_endgame_cred_dumping_prevented.toml	71
rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml	87
rules/windows/privilege_escalation_suspicious_dnshostname_update.toml	89
rules/windows/privilege_escalation_newcreds_logon_rare_process.toml	78
rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml	125
rules/windows/credential_access_domain_backup_dpapi_private_keys.toml	70
rules/windows/defense_evasion_posh_compressed.toml	159
rules/windows/defense_evasion_wsl_filesystem.toml	80
rules/windows/execution_psexec_lateral_movement_command.toml	109
rules/windows/privilege_escalation_disable_uac_registry.toml	141
rules/windows/persistence_appcertdlls_registry.toml	110
rules/windows/defense_evasion_indirect_exec_forfiles.toml	78
rules/windows/execution_enumeration_via_wmiprvse.toml	126
rules/windows/persistence_sysmon_wmi_event_subscription.toml	84
rules/windows/execution_ms_office_written_file.toml	109
rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml	138
rules/windows/privilege_escalation_uac_bypass_com_clipup.toml	117
rules/windows/credential_access_dump_registry_hives.toml	96
rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml	104
rules/windows/privilege_escalation_unquoted_service_path.toml	89
rules/windows/persistence_ms_office_addins_file.toml	88
rules/windows/execution_suspicious_psexesvc.toml	93
rules/windows/defense_evasion_iis_httplogging_disabled.toml	90
rules/windows/defense_evasion_injection_msbuild.toml	91
rules/windows/defense_evasion_create_mod_root_certificate.toml	135
rules/windows/defense_evasion_suspicious_managedcode_host_process.toml	92
rules/windows/persistence_browser_extension_install.toml	96
rules/windows/credential_access_iis_connectionstrings_dumping.toml	92
rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml	119
rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml	102
rules/windows/collection_winrar_encryption.toml	118
rules/windows/persistence_scheduled_task_updated.toml	90
rules/windows/defense_evasion_wsl_bash_exec.toml	114
rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml	88
rules/windows/defense_evasion_workfolders_control_execution.toml	90
rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml	87
rules/windows/initial_access_execution_via_office_addins.toml	133
rules/windows/credential_access_veeam_commands.toml	109
rules/windows/persistence_registry_uncommon.toml	171
rules/windows/persistence_evasion_registry_ifeo_injection.toml	113
rules/windows/defense_evasion_network_connection_from_windows_binary.toml	191
rules/windows/persistence_service_windows_service_winlog.toml	123
rules/windows/privilege_escalation_via_token_theft.toml	130
rules/windows/persistence_priv_escalation_via_accessibility_features.toml	163
rules/windows/defense_evasion_process_termination_followed_by_deletion.toml	151
rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml	167
rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml	158
rules/windows/collection_posh_mailbox.toml	120
rules/windows/defense_evasion_microsoft_defender_tampering.toml	132
rules/windows/execution_suspicious_cmd_wmi.toml	98
rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml	83
rules/windows/discovery_adfind_command_activity.toml	124
rules/windows/defense_evasion_clearing_windows_security_logs.toml	70
rules/windows/defense_evasion_defender_disabled_via_registry.toml	114
rules/windows/credential_access_remote_sam_secretsdump.toml	96
rules/windows/privilege_escalation_msi_repair_via_mshelp_link.toml	100
rules/windows/defense_evasion_msiexec_child_proc_netcon.toml	92
rules/windows/privilege_escalation_uac_bypass_event_viewer.toml	149
rules/windows/initial_access_xsl_script_execution_via_com.toml	93
rules/windows/command_and_control_tunnel_vscode.toml	89
rules/windows/lateral_movement_cmd_service.toml	105
rules/windows/defense_evasion_msbuild_making_network_connections.toml	136
rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml	97
rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml	83
rules/windows/defense_evasion_windows_filtering_platform.toml	135
rules/windows/persistence_group_modification_by_system.toml	85
rules/windows/defense_evasion_sccm_scnotification_dll.toml	71
rules/windows/defense_evasion_posh_obfuscation_backtick.toml	85
rules/windows/execution_windows_powershell_susp_args.toml	140
rules/windows/initial_access_exploit_jetbrains_teamcity.toml	125
rules/windows/collection_posh_clipboard_capture.toml	136
rules/windows/credential_access_kerberoasting_unusual_process.toml	159
rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml	92
rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml	147
rules/windows/execution_downloaded_shortcut_files.toml	89
rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml	82
rules/windows/execution_pdf_written_file.toml	115
rules/windows/execution_command_shell_started_by_svchost.toml	152
rules/windows/discovery_posh_suspicious_api_functions.toml	172
rules/windows/execution_initial_access_via_msc_file.toml	100
rules/windows/execution_initial_access_foxmail_exploit.toml	97
rules/windows/privilege_escalation_create_process_with_token_unpriv.toml	98
rules/windows/defense_evasion_suspicious_short_program_name.toml	116
rules/windows/defense_evasion_wsl_kalilinux.toml	95
rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml	156
rules/windows/initial_access_webshell_screenconnect_server.toml	107
rules/windows/lateral_movement_remote_file_copy_hidden_share.toml	91
rules/windows/defense_evasion_code_signing_policy_modification_registry.toml	117
rules/windows/defense_evasion_hide_encoded_executable_registry.toml	84
rules/windows/defense_evasion_wsl_child_process.toml	107
rules/windows/collection_mailbox_export_winlog.toml	109
rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml	115
rules/windows/privilege_escalation_installertakeover.toml	129
rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml	123
rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml	278
rules/windows/discovery_posh_invoke_sharefinder.toml	127
rules/windows/defense_evasion_clearing_windows_event_logs.toml	103
rules/windows/command_and_control_teamviewer_remote_file_copy.toml	119
rules/windows/lateral_movement_via_wsus_update.toml	89
rules/windows/execution_windows_script_from_internet.toml	108
rules/windows/execution_via_compiled_html_file.toml	153
rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml	103
rules/windows/lateral_movement_rdp_sharprdp_target.toml	88
rules/windows/persistence_msoffice_startup_registry.toml	95
rules/windows/defense_evasion_run_virt_windowssandbox.toml	65
rules/windows/credential_access_adidns_wpad_record.toml	93
rules/windows/credential_access_imageload_azureadconnectauthsvc.toml	93
rules/windows/defense_evasion_disabling_windows_defender_powershell.toml	111
rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml	152
rules/windows/lateral_movement_remote_service_installed_winlog.toml	112
rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml	135
rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml	105
rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml	103
rules/windows/defense_evasion_sip_provider_mod.toml	93
rules/windows/defense_evasion_timestomp_sysmon.toml	93
rules/windows/impact_backup_file_deletion.toml	113
rules/windows/persistence_via_wmi_stdregprov_run_services.toml	183
rules/windows/privilege_escalation_via_rogue_named_pipe.toml	86
rules/windows/credential_access_lsass_memdump_handle_access.toml	152
rules/windows/discovery_high_number_ad_properties.toml	81
rules/windows/persistence_local_scheduled_task_scripting.toml	84
rules/windows/credential_access_disable_kerberos_preauth.toml	114
rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml	86
rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml	86
rules/windows/privilege_escalation_krbrelayup_service_creation.toml	98
rules/windows/credential_access_lsass_memdump_file_created.toml	147
rules/windows/exfiltration_smb_rare_destination.toml	120
rules/windows/persistence_via_update_orchestrator_service_hijack.toml	155
rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml	87
rules/windows/execution_command_shell_via_rundll32.toml	116
rules/windows/persistence_user_account_added_to_privileged_group_ad.toml	98
rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml	119
rules/windows/execution_powershell_susp_args_via_winscript.toml	88
rules/windows/privilege_escalation_posh_token_impersonation.toml	184
rules/windows/defense_evasion_execution_windefend_unusual_path.toml	101
rules/windows/defense_evasion_parent_process_pid_spoofing.toml	122
rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml	109
rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml	120
rules/windows/credential_access_kirbi_file.toml	86
rules/windows/defense_evasion_msxsl_network.toml	80
rules/windows/defense_evasion_amsienable_key_mod.toml	108
rules/windows/persistence_via_application_shimming.toml	106
rules/windows/privilege_escalation_via_ppid_spoofing.toml	132
rules/windows/lateral_movement_alternate_creds_pth.toml	83
rules/windows/execution_windows_cmd_shell_susp_args.toml	136
rules/windows/privilege_escalation_rogue_windir_environment_var.toml	99
rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml	134
rules/windows/lateral_movement_rdp_enabled_registry.toml	106
rules/windows/lateral_movement_scheduled_task_target.toml	84
rules/windows/discovery_privileged_localgroup_membership.toml	177
rules/windows/credential_access_posh_minidump.toml	105
rules/windows/command_and_control_screenconnect_childproc.toml	104
rules/windows/command_and_control_headless_browser.toml	86
rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml	125
rules/windows/initial_access_suspicious_ms_outlook_child_process.toml	139
rules/windows/defense_evasion_disabling_windows_logs.toml	116
rules/windows/defense_evasion_from_unusual_directory.toml	169
rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml	107
rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml	105
rules/windows/impact_stop_process_service_threshold.toml	80
rules/windows/defense_evasion_unusual_system_vp_child_program.toml	82
rules/windows/execution_downloaded_url_file.toml	87
rules/windows/defense_evasion_suspicious_scrobj_load.toml	95
rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml	133
rules/windows/command_and_control_tool_transfer_via_curl.toml	106
rules/windows/persistence_ms_outlook_vba_template.toml	83
rules/windows/privilege_escalation_uac_bypass_mock_windir.toml	150
rules/windows/defense_evasion_masquerading_communication_apps.toml	136
rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml	102
rules/windows/credential_access_bruteforce_admin_account.toml	115
rules/windows/impact_modification_of_boot_config.toml	89
rules/windows/persistence_run_key_and_startup_broad.toml	284
rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml	147
rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml	74
rules/windows/defense_evasion_posh_obfuscation.toml	123
rules/windows/execution_register_server_program_connecting_to_the_internet.toml	146
rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml	89
rules/windows/privilege_escalation_persistence_phantom_dll.toml	189
rules/windows/initial_access_exfiltration_first_time_seen_usb.toml	103
rules/windows/privilege_escalation_group_policy_privileged_groups.toml	86
rules/windows/lateral_movement_direct_outbound_smb_connection.toml	128
rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml	123
rules/windows/discovery_group_policy_object_discovery.toml	84
rules/windows/execution_from_unusual_path_cmdline.toml	237
rules/windows/execution_via_mmc_console_file_unusual_path.toml	117
rules/windows/defense_evasion_unusual_dir_ads.toml	86
rules/windows/command_and_control_port_forwarding_added_registry.toml	102
rules/windows/privilege_escalation_windows_service_via_unusual_client.toml	101
rules/windows/initial_access_execution_remote_via_msiexec.toml	116
rules/windows/credential_access_generic_localdumps.toml	104
rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml	161
rules/windows/execution_command_shell_started_by_unusual_process.toml	110
rules/windows/lateral_movement_remote_task_creation_winlog.toml	73
rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml	92
rules/windows/execution_shared_modules_local_sxs_dll.toml	58
rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml	109
rules/windows/persistence_suspicious_scheduled_task_runtime.toml	131
rules/windows/lateral_movement_remote_services.toml	151
rules/windows/defense_evasion_audit_policy_disabled_winlog.toml	107
rules/windows/credential_access_posh_invoke_ninjacopy.toml	113
rules/windows/credential_access_lsass_openprocess_api.toml	188
rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml	98
rules/windows/command_and_control_sunburst_c2_activity_detected.toml	138
rules/windows/collection_posh_screen_grabber.toml	101
rules/windows/lateral_movement_dcom_mmc20.toml	99
rules/windows/defense_evasion_disable_nla.toml	91
rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml	114
rules/windows/defense_evasion_defender_exclusion_via_powershell.toml	126
rules/windows/command_and_control_rdp_tunnel_plink.toml	101
rules/windows/credential_access_spn_attribute_modified.toml	100
rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml	97
rules/windows/defense_evasion_cve_2020_0601.toml	72
rules/windows/defense_evasion_execution_msbuild_started_renamed.toml	127
rules/windows/credential_access_lsass_loaded_susp_dll.toml	142
rules/windows/command_and_control_outlook_home_page.toml	100
rules/windows/persistence_dontexpirepasswd_account.toml	92
rules/windows/defense_evasion_via_filter_manager.toml	129
rules/windows/persistence_app_compat_shim.toml	94
rules/windows/execution_suspicious_image_load_wmi_ms_office.toml	83
rules/windows/defense_evasion_regmod_remotemonologue.toml	73
rules/windows/credential_access_posh_relay_tools.toml	126
rules/windows/persistence_sdprop_exclusion_dsheuristics.toml	101
rules/windows/execution_command_prompt_connecting_to_the_internet.toml	140
rules/windows/defense_evasion_posh_assembly_load.toml	179
rules/windows/execution_scheduled_task_powershell_source.toml	91
rules/windows/persistence_via_bits_job_notify_command.toml	93
rules/windows/impact_ransomware_file_rename_smb.toml	96
rules/windows/persistence_appinitdlls_registry.toml	159
rules/windows/defense_evasion_execution_lolbas_wuauclt.toml	129
rules/windows/execution_posh_hacktool_authors.toml	114
rules/windows/initial_access_script_executing_powershell.toml	123
rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml	120
rules/windows/credential_access_posh_kerb_ticket_dump.toml	120
rules/windows/privilege_escalation_named_pipe_impersonation.toml	126
rules/windows/lateral_movement_incoming_winrm_shell_execution.toml	87
rules/windows/defense_evasion_masquerading_renamed_autoit.toml	116
rules/windows/privilege_escalation_dns_serverlevelplugindll.toml	79
rules/windows/defense_evasion_sdelete_like_filename_rename.toml	91
rules/windows/credential_access_suspicious_comsvcs_imageload.toml	143
rules/windows/lateral_movement_executable_tool_transfer_smb.toml	93
rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml	99
rules/windows/collection_posh_keylogger.toml	119
rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml	85
rules/windows/privilege_escalation_create_process_as_different_user.toml	84
rules/windows/command_and_control_remote_file_copy_powershell.toml	151
rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml	109
rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml	119
rules/windows/persistence_remote_password_reset.toml	103
rules/windows/defense_evasion_mshta_beacon.toml	84
rules/windows/defense_evasion_masquerading_business_apps_installer.toml	212
rules/windows/initial_access_scripts_process_started_via_wmi.toml	125
rules/windows/impact_ransomware_note_file_over_smb.toml	95
rules/windows/collection_posh_webcam_video_capture.toml	111
rules/windows/persistence_system_shells_via_services.toml	133
rules/windows/defense_evasion_amsi_bypass_dllhijack.toml	151
rules/windows/credential_access_ldap_attributes.toml	129
rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml	115
rules/windows/lateral_movement_unusual_dns_service_children.toml	100
rules/windows/persistence_ad_adminsdholder.toml	85
rules/windows/initial_access_suspicious_ms_office_child_process.toml	152
rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml	132
rules/windows/credential_access_saved_creds_vault_winlog.toml	89
rules/windows/credential_access_dollar_account_relay.toml	91
rules/windows/lateral_movement_incoming_wmi.toml	103
rules/windows/lateral_movement_unusual_dns_service_file_writes.toml	60
rules/windows/defense_evasion_posh_obfuscation_string_concat.toml	84
rules/windows/credential_access_suspicious_lsass_access_generic.toml	111
rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml	106
rules/windows/persistence_scheduled_task_creation_winlog.toml	85
rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml	87
rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml	146
rules/windows/persistence_user_account_creation.toml	86
rules/windows/defense_evasion_amsi_bypass_powershell.toml	148
rules/windows/initial_access_execution_from_removable_media.toml	75
rules/windows/discovery_peripheral_device.toml	80
rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml	104
rules/windows/execution_suspicious_pdf_reader.toml	123
rules/windows/privilege_escalation_group_policy_iniscript.toml	121
rules/windows/credential_access_posh_request_ticket.toml	113
rules/windows/defense_evasion_unusual_ads_file_creation.toml	161
rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml	79
rules/windows/defense_evasion_rundll32_no_arguments.toml	118
rules/windows/lateral_movement_execution_from_tsclient_mup.toml	92
rules/windows/defense_evasion_ntlm_downgrade.toml	80
rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml	88
rules/windows/persistence_startup_folder_scripts.toml	138
rules/windows/credential_access_dcsync_replication_rights.toml	128
rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml	103
rules/windows/initial_access_execution_from_inetcache.toml	110
rules/windows/command_and_control_ingress_transfer_bits.toml	144
rules/windows/defense_evasion_proxy_execution_via_msdt.toml	90
rules/windows/privilege_escalation_service_control_spawned_script_int.toml	159
rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml	80
rules/windows/discovery_command_system_account.toml	93
rules/windows/defense_evasion_wsl_registry_modification.toml	87
rules/windows/execution_posh_hacktool_functions.toml	324
rules/windows/persistence_suspicious_service_created_registry.toml	101
rules/windows/persistence_services_registry.toml	121
rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml	87
rules/windows/defense_evasion_wsl_enabled_via_dism.toml	86
rules/windows/defense_evasion_suspicious_zoom_child_process.toml	135
rules/windows/credential_access_adidns_wildcard.toml	97
rules/windows/credential_access_cmdline_dump_tool.toml	138
rules/windows/defense_evasion_sc_sdset.toml	102
rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml	119
rules/windows/defense_evasion_suspicious_wmi_script.toml	90
rules/windows/discovery_whoami_command_activity.toml	111
rules/windows/credential_access_regback_sam_security_hives.toml	81
rules/windows/credential_access_saved_creds_vaultcmd.toml	99
rules/windows/persistence_via_hidden_run_key_valuename.toml	120
rules/windows/defense_evasion_root_dir_ads_creation.toml	89
rules/windows/execution_suspicious_powershell_imgload.toml	103
rules/windows/defense_evasion_posh_encryption.toml	93
rules/windows/credential_access_mimikatz_memssp_default_logs.toml	88
rules/windows/credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml	126
rules/windows/privilege_escalation_make_token_local.toml	90
rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml	104
rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml	120
rules/windows/collection_email_powershell_exchange_mailbox.toml	120
rules/windows/lateral_movement_powershell_remoting_target.toml	105
rules/windows/defense_evasion_masquerading_trusted_directory.toml	114
rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml	107
rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml	141
rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml	148
rules/windows/persistence_webshell_detection.toml	153
rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml	127
rules/windows/defense_evasion_dns_over_https_enabled.toml	92
rules/windows/defense_evasion_dotnet_compiler_parent_process.toml	105
rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml	85
rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml	157
rules/windows/credential_access_dcsync_newterm_subjectuser.toml	121
rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml	271
rules/windows/persistence_service_dll_unsigned.toml	189
rules/windows/persistence_runtime_run_key_startup_susp_procs.toml	90
rules/windows/initial_access_rdp_file_mail_attachment.toml	99
rules/windows/defense_evasion_posh_obfuscation_string_format.toml	86
rules/windows/persistence_user_account_creation_event_logs.toml	77
rules/windows/persistence_local_scheduled_job_creation.toml	97
rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml	123
rules/windows/persistence_local_scheduled_task_creation.toml	92
rules/windows/credential_access_moving_registry_hive_via_smb.toml	96
rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml	98
rules/windows/initial_access_suspicious_ms_exchange_files.toml	97
rules/windows/privilege_escalation_gpo_schtask_service_creation.toml	105
rules/windows/defense_evasion_ms_office_suspicious_regmod.toml	124
rules/windows/execution_mofcomp.toml	102
rules/windows/defense_evasion_unusual_process_network_connection.toml	91
rules/windows/privilege_escalation_lsa_auth_package.toml	94
rules/windows/collection_email_outlook_mailbox_via_com.toml	102
rules/windows/credential_access_credential_dumping_msbuild.toml	141
rules/windows/persistence_netsh_helper_dll.toml	96
rules/windows/credential_access_suspicious_lsass_access_memdump.toml	104
rules/windows/defense_evasion_suspicious_certutil_commands.toml	131
rules/windows/credential_access_rare_webdav_destination.toml	68
rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml	124
rules/windows/privilege_escalation_driver_newterm_imphash.toml	127
rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml	104
rules/windows/command_and_control_encrypted_channel_freesslcert.toml	86
rules/windows/credential_access_dnsnode_creation.toml	97
rules/windows/defense_evasion_installutil_beacon.toml	80
rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml	86
rules/windows/credential_access_mod_wdigest_security_provider.toml	107
rules/windows/persistence_via_lsa_security_support_provider_registry.toml	103
rules/windows/credential_access_persistence_network_logon_provider_modification.toml	151
rules/windows/persistence_msi_installer_task_startup.toml	103
rules/windows/command_and_control_common_webservices.toml	315
rules/windows/initial_access_suspicious_ms_exchange_process.toml	127
rules/windows/command_and_control_iexplore_via_com.toml	100
rules/windows/execution_via_hidden_shell_conhost.toml	122
rules/windows/defense_evasion_wdac_policy_by_unusual_process.toml	79
rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml	85
rules/windows/execution_initial_access_wps_dll_exploit.toml	94
rules/windows/defense_evasion_untrusted_driver_loaded.toml	113
rules/windows/command_and_control_dns_tunneling_nslookup.toml	90
rules/windows/defense_evasion_execution_msbuild_started_by_script.toml	106
rules/windows/defense_evasion_file_creation_mult_extension.toml	100
rules/windows/persistence_suspicious_com_hijack_registry.toml	161
rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml	100
rules/windows/execution_posh_psreflect.toml	160
rules/windows/privilege_escalation_wpad_exploitation.toml	72
rules/windows/lateral_movement_execution_via_file_shares_sequence.toml	162
rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml	91
rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml	101
rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml	92
rules/windows/lateral_movement_dcom_hta.toml	100
rules/windows/persistence_adobe_hijack_persistence.toml	130
rules/windows/discovery_admin_recon.toml	110
rules/windows/privilege_escalation_group_policy_scheduled_task.toml	135
rules/windows/persistence_time_provider_mod.toml	148
rules/windows/defense_evasion_posh_process_injection.toml	126
rules/windows/discovery_active_directory_webservice.toml	80
rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml	144
rules/windows/command_and_control_remote_file_copy_scripts.toml	126
rules/windows/credential_access_wireless_creds_dumping.toml	128
rules/windows/defense_evasion_script_via_html_app.toml	116
rules/windows/collection_posh_audio_capture.toml	109
rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml	69
rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml	87
rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml	110
rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml	109
rules/windows/persistence_powershell_profiles.toml	145
rules/windows/defense_evasion_lolbas_win_cdb_utility.toml	90
rules/windows/persistence_temp_scheduled_task.toml	89
rules/windows/persistence_werfault_reflectdebugger.toml	93
rules/windows/credential_access_mimikatz_powershell_module.toml	107
rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml	115
rules/windows/impact_high_freq_file_renames_by_kernel.toml	100
rules/windows/credential_access_shadow_credentials.toml	100
rules/windows/defense_evasion_right_to_left_override.toml	102
rules/windows/defense_evasion_clearing_windows_console_history.toml	113
rules/windows/credential_access_posh_veeam_sql.toml	110
rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml	128
rules/windows/execution_com_object_xwizard.toml	104
rules/windows/execution_posh_malicious_script_agg.toml	119
rules/windows/lateral_movement_evasion_rdp_shadowing.toml	103
rules/windows/credential_access_veeam_backup_dll_imageload.toml	92
rules/windows/credential_access_lsass_handle_via_malseclogon.toml	85
rules/windows/credential_access_wbadmin_ntds.toml	104
rules/windows/privilege_escalation_exploit_cve_202238028.toml	95
rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml	115
rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml	133
rules/windows/privilege_escalation_unusual_parentchild_relationship.toml	156
rules/windows/privilege_escalation_expired_driver_loaded.toml	87
rules/windows/persistence_evasion_hidden_local_account_creation.toml	85
rules/windows/command_and_control_certreq_postdata.toml	146
rules/windows/execution_posh_portable_executable.toml	144
rules/windows/privilege_escalation_reg_service_imagepath_mod.toml	146
rules/windows/credential_access_dcsync_user_backdoor.toml	104
rules/windows/privilege_escalation_credroaming_ldap.toml	93
rules/windows/defense_evasion_masquerading_werfault.toml	123
rules/apm/apm_sqlmap_user_agent.toml	58
rules/apm/apm_405_response_method_not_allowed.toml	57
rules/apm/apm_403_response_to_a_post.toml	57
rules/_deprecated/initial_access_login_failures.toml	44
rules/_deprecated/defense_evasion_execution_via_trusted_developer_utilities.toml	39
rules/_deprecated/privilege_escalation_printspooler_malicious_registry_modification.toml	43
rules/_deprecated/execution_command_shell_started_by_powershell.toml	37
rules/_deprecated/command_and_control_connection_attempt_by_non_ssh_root_session.toml	75
rules/_deprecated/credential_access_collection_sensitive_files_compression_inside_a_container.toml	121
rules/_deprecated/linux_nmap_activity.toml	34
rules/_deprecated/threat_intel_fleet_integrations.toml	153
rules/_deprecated/defense_evasion_code_injection_conhost.toml	86
rules/_deprecated/execution_crash_binary.toml	42
rules/_deprecated/defense_evasion_ld_preload_env_variable_process_injection.toml	117
rules/_deprecated/privilege_escalation_potential_container_escape_via_modified_release_agent_file.toml	80
rules/_deprecated/command_and_control_linux_iodine_activity.toml	53
rules/_deprecated/discovery_query_registry_via_reg.toml	37
rules/_deprecated/linux_mknod_activity.toml	34
rules/_deprecated/execution_interactive_shell_spawned_from_inside_a_container.toml	89
rules/_deprecated/initial_access_cross_site_scripting.toml	42
rules/_deprecated/command_and_control_linux_port_knocking_reverse_connection.toml	100
rules/_deprecated/command_and_control_ssh_secure_shell_from_the_internet.toml	79
rules/_deprecated/privilege_escalation_setgid_bit_set_via_chmod.toml	48
rules/_deprecated/command_and_control_sql_server_port_activity_to_the_internet.toml	56
rules/_deprecated/execution_linux_process_started_in_temp_directory.toml	42
rules/_deprecated/container_workload_protection.toml	61
rules/_deprecated/execution_busybox_binary.toml	42
rules/_deprecated/execution_find_binary.toml	44
rules/_deprecated/privilege_escalation_linux_strace_activity.toml	43
rules/_deprecated/command_and_control_irc_internet_relay_chat_protocol_activity_to_the_internet.toml	68
rules/_deprecated/lateral_movement_ssh_process_launched_inside_a_container.toml	101
rules/_deprecated/execution_container_management_binary_launched_inside_a_container.toml	82
rules/_deprecated/execution_suspicious_jar_child_process.toml	96
rules/_deprecated/defense_evasion_ld_preload_shared_object_modified_inside_a_container.toml	77
rules/_deprecated/credential_access_tcpdump_activity.toml	52
rules/_deprecated/execution_reverse_shell_via_named_pipe.toml	66
rules/_deprecated/privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.toml	44
rules/_deprecated/initial_access_login_location.toml	44
rules/_deprecated/impact_potential_linux_ransomware_file_encryption.toml	76
rules/_deprecated/lateral_movement_remote_file_creation_in_sensitive_directory.toml	53
rules/_deprecated/persistence_shell_activity_by_web_server.toml	84
rules/_deprecated/exfiltration_rds_snapshot_export.toml	40
rules/_deprecated/execution_expect_binary.toml	44
rules/_deprecated/initial_access_rdp_remote_desktop_protocol_to_the_internet.toml	72
rules/_deprecated/command_and_control_ssh_secure_shell_to_the_internet.toml	58
rules/_deprecated/defense_evasion_whitespace_padding_in_command_line.toml	85
rules/_deprecated/execution_shell_suspicious_parent_child_revshell_linux.toml	97
rules/_deprecated/lateral_movement_malicious_remote_file_creation.toml	39
rules/_deprecated/threat_intel_filebeat8x.toml	153
rules/_deprecated/discovery_whoami_commmand.toml	41
rules/_deprecated/initial_access_ssh_connection_established_inside_a_container.toml	103
rules/_deprecated/execution_env_binary.toml	42
rules/_deprecated/command_and_control_tor_activity_to_the_internet.toml	60
rules/_deprecated/privilege_escalation_debugfs_launched_inside_a_privileged_container.toml	81
rules/_deprecated/defense_evasion_potential_processherpaderping.toml	52
rules/_deprecated/execution_c89_c99_binary.toml	44
rules/_deprecated/execution_via_net_com_assemblies.toml	46
rules/_deprecated/privilege_escalation_krbrelayup_suspicious_logon.toml	62
rules/_deprecated/execution_netcat_listener_established_inside_a_container.toml	95
rules/_deprecated/command_and_control_ftp_file_transfer_protocol_activity_to_the_internet.toml	69
rules/_deprecated/defense_evasion_hex_encoding_or_decoding_activity.toml	42
rules/_deprecated/apm_null_user_agent.toml	43
rules/_deprecated/execution_file_made_executable_via_chmod_inside_a_container.toml	91
rules/_deprecated/initial_access_login_sessions.toml	44
rules/_deprecated/initial_access_login_time.toml	44
rules/_deprecated/persistence_google_workspace_user_group_access_modified_to_allow_external_access.toml	75
rules/_deprecated/persistence_ssh_authorized_keys_modification_inside_a_container.toml	102
rules/_deprecated/credential_access_aws_creds_search_inside_a_container.toml	81
rules/_deprecated/execution_interactive_exec_to_container.toml	104
rules/_deprecated/privilege_escalation_potential_container_escape_via_modified_notify_on_release_file.toml	81
rules/_deprecated/command_and_control_pptp_point_to_point_tunneling_protocol_activity.toml	40
rules/_deprecated/linux_socat_activity.toml	33
rules/_deprecated/command_and_control_port_8000_activity_to_the_internet.toml	57
rules/_deprecated/execution_awk_binary_shell.toml	43
rules/_deprecated/execution_gcc_binary.toml	44
rules/_deprecated/credential_access_potential_linux_ssh_bruteforce_root.toml	83
rules/_deprecated/execution_vi_binary.toml	42
rules/_deprecated/defense_evasion_attempt_to_disable_iptables_or_firewall.toml	44
rules/_deprecated/execution_ssh_binary.toml	45
rules/_deprecated/privilege_escalation_printspooler_malicious_driver_file_changes.toml	43
rules/_deprecated/execution_mysql_binary.toml	44
rules/_deprecated/credential_access_sensitive_keys_or_passwords_search_inside_a_container.toml	90
rules/_deprecated/credential_access_microsoft_365_potential_password_spraying_attack.toml	53
rules/_deprecated/discovery_file_dir_discovery.toml	79
rules/_deprecated/command_and_control_dns_directly_to_the_internet.toml	80
rules/_deprecated/discovery_suspicious_network_tool_launched_inside_a_container.toml	107
rules/_deprecated/privilege_escalation_mount_launched_inside_a_privileged_container.toml	80
rules/_deprecated/defense_evasion_base64_encoding_or_decoding_activity.toml	43
rules/_deprecated/command_and_control_proxy_port_activity_to_the_internet.toml	60
rules/_deprecated/threat_intel_filebeat7x.toml	158
rules/_deprecated/persistence_cron_jobs_creation_and_runtime.toml	50
rules/_deprecated/execution_apt_binary.toml	45
rules/_deprecated/defense_evasion_mshta_making_network_connections.toml	42
rules/_deprecated/execution_flock_binary.toml	42
rules/_deprecated/command_and_control_smtp_to_the_internet.toml	65
rules/_deprecated/persistence_kernel_module_activity.toml	45
rules/_deprecated/discovery_process_discovery_via_tasklist_command.toml	39
rules/_deprecated/execution_cpulimit_binary.toml	45
rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml	135
rules/ml/discovery_ml_linux_system_network_connection_discovery.toml	115
rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml	122
rules/ml/credential_access_ml_auth_spike_in_failed_logon_events.toml	123
rules/ml/persistence_ml_linux_anomalous_process_all_hosts.toml	121
rules/ml/ml_packetbeat_rare_server_domain.toml	100
rules/ml/discovery_ml_linux_system_process_discovery.toml	115
rules/ml/ml_low_count_events_for_a_host_name.toml	77
rules/ml/ml_high_count_events_for_a_host_name.toml	78
rules/ml/credential_access_ml_suspicious_login_activity.toml	122
rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml	169
rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml	113
rules/ml/initial_access_ml_auth_rare_user_logon.toml	125
rules/ml/persistence_ml_windows_anomalous_process_creation.toml	157
rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml	111
rules/ml/credential_access_ml_linux_anomalous_metadata_process.toml	117
rules/ml/ml_high_count_network_denies.toml	94
rules/ml/discovery_ml_linux_system_information_discovery.toml	115
rules/ml/initial_access_ml_windows_anomalous_user_name.toml	104
rules/ml/ml_high_count_network_events.toml	94
rules/ml/initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml	110
rules/ml/command_and_control_ml_packetbeat_rare_user_agent.toml	117
rules/ml/credential_access_ml_auth_spike_in_logon_events.toml	125
rules/ml/ml_linux_anomalous_network_activity.toml	82
rules/ml/command_and_control_ml_packetbeat_rare_dns_question.toml	116
rules/ml/execution_ml_windows_anomalous_script.toml	116
rules/ml/persistence_ml_windows_anomalous_service.toml	114
rules/ml/command_and_control_ml_packetbeat_rare_urls.toml	120
rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml	123
rules/ml/persistence_ml_rare_process_by_host_linux.toml	121
rules/ml/credential_access_ml_linux_anomalous_metadata_user.toml	118
rules/ml/ml_rare_destination_country.toml	98
rules/ml/persistence_ml_windows_anomalous_path_activity.toml	131
rules/ml/initial_access_ml_linux_anomalous_user_name.toml	100
rules/ml/ml_spike_in_traffic_to_a_country.toml	98
rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml	108
rules/ml/persistence_ml_rare_process_by_host_windows.toml	158
rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml	89
rules/ml/discovery_ml_linux_system_user_discovery.toml	114
rules/ml/discovery_ml_linux_system_network_configuration_discovery.toml	115
rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml	106
rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml	118
rules/ml/ml_windows_anomalous_network_activity.toml	80
rules/ml/ml_linux_anomalous_network_port_activity.toml	100
rules/macos/persistence_emond_rules_file_creation.toml	96
rules/macos/persistence_creation_modif_launch_deamon_sequence.toml	94
rules/macos/persistence_via_atom_init_file_modification.toml	95
rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml	101
rules/macos/privilege_escalation_user_added_to_admin_group.toml	100
rules/macos/discovery_users_domain_built_in_commands.toml	110
rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml	158
rules/macos/persistence_finder_sync_plugin_pluginkit.toml	95
rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml	109
rules/macos/credential_access_dumping_keychain_security.toml	95
rules/macos/lateral_movement_remote_ssh_login_enabled.toml	98
rules/macos/defense_evasion_modify_environment_launchctl.toml	99
rules/macos/persistence_creation_change_launch_agents_file.toml	97
rules/macos/persistence_emond_rules_process_execution.toml	122
rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml	108
rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml	94
rules/macos/privilege_escalation_applescript_with_admin_privs.toml	102
rules/macos/persistence_screensaver_engine_unexpected_child_process.toml	79
rules/macos/credential_access_kerberosdump_kcc.toml	102
rules/macos/persistence_account_creation_hide_at_logon.toml	95
rules/macos/privilege_escalation_root_crontab_filemod.toml	98
rules/macos/persistence_loginwindow_plist_modification.toml	78
rules/macos/persistence_periodic_tasks_file_mdofiy.toml	98
rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml	115
rules/macos/credential_access_high_volume_of_pbpaste.toml	99
rules/macos/persistence_login_logout_hooks_defaults.toml	101
rules/macos/execution_initial_access_suspicious_browser_childproc.toml	109
rules/macos/execution_installer_package_spawned_network_event.toml	123
rules/macos/defense_evasion_apple_softupdates_modification.toml	96
rules/macos/persistence_credential_access_authorization_plugin_creation.toml	100
rules/macos/credential_access_mitm_localhost_webproxy.toml	96
rules/macos/lateral_movement_mounting_smb_share.toml	100
rules/macos/persistence_enable_root_account.toml	94
rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml	112
rules/macos/credential_access_credentials_keychains.toml	100
rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml	95
rules/macos/credential_access_potential_macos_ssh_bruteforce.toml	93
rules/macos/privilege_escalation_explicit_creds_via_scripting.toml	115
rules/macos/credential_access_dumping_hashes_bi_cmds.toml	93
rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml	114
rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml	104
rules/macos/defense_evasion_install_root_certificate.toml	97
rules/macos/defense_evasion_safari_config_change.toml	97
rules/macos/persistence_folder_action_scripts_runtime.toml	104
rules/macos/persistence_directory_services_plugins_modification.toml	91
rules/macos/defense_evasion_unload_endpointsecurity_kext.toml	104
rules/macos/execution_shell_execution_via_apple_scripting.toml	94
rules/macos/credential_access_systemkey_dumping.toml	96
rules/macos/persistence_modification_sublime_app_plugin_or_script.toml	103
rules/macos/command_and_control_unusual_connection_to_suspicious_top_level_domain.toml	88
rules/macos/persistence_creation_hidden_login_item_osascript.toml	114
rules/macos/command_and_control_unusual_network_connection_to_suspicious_web_service.toml	178
rules/macos/persistence_docker_shortcuts_plist_modification.toml	95
rules/macos/credential_access_promt_for_pwd_via_osascript.toml	107
rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml	112
rules/macos/privilege_escalation_local_user_added_to_admin.toml	98
rules/macos/lateral_movement_vpn_connection_attempt.toml	98
rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml	105
rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml	106
rules/macos/persistence_screensaver_plist_file_modification.toml	100
rules/macos/persistence_suspicious_calendar_modification.toml	97
rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml	91
rules/macos/credential_access_suspicious_web_browser_sensitive_file_access.toml	106
rules/macos/persistence_crontab_creation.toml	97
rules/macos/execution_script_via_automator_workflows.toml	90
rules/linux/privilege_escalation_docker_escape_via_nsenter.toml	73
rules/linux/persistence_user_or_group_creation_or_modification.toml	108
rules/linux/discovery_subnet_scanning_activity_from_compromised_host.toml	100
rules/linux/execution_shell_via_meterpreter_linux.toml	123
rules/linux/discovery_kernel_seeking.toml	107
rules/linux/defense_evasion_symlink_binary_to_writable_dir.toml	70
rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml	104
rules/linux/discovery_kernel_module_enumeration.toml	114
rules/linux/persistence_linux_group_creation.toml	109
rules/linux/persistence_message_of_the_day_creation.toml	158
rules/linux/discovery_suspicious_network_tool_launched_inside_container.toml	123
rules/linux/defense_evasion_ssl_certificate_deletion.toml	111
rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml	136
rules/linux/persistence_shadow_file_modification.toml	106
rules/linux/defense_evasion_chattr_immutable_file.toml	116
rules/linux/command_and_control_tunneling_via_earthworm.toml	156
rules/linux/privilege_escalation_kworker_uid_elevation.toml	109
rules/linux/discovery_manual_mount_discovery_via_exports_or_fstab.toml	72
rules/linux/execution_cupsd_foomatic_rip_file_creation.toml	114
rules/linux/persistence_shell_configuration_modification.toml	136
rules/linux/execution_network_event_post_compilation.toml	111
rules/linux/discovery_pam_version_discovery.toml	128
rules/linux/credential_access_proc_credential_dumping.toml	110
rules/linux/persistence_rc_script_creation.toml	162
rules/linux/command_and_control_frequent_egress_netcon_from_sus_executable.toml	117
rules/linux/execution_egress_connection_from_entrypoint_in_container.toml	95
rules/linux/privilege_escalation_container_util_misconfiguration.toml	107
rules/linux/persistence_rpm_package_installation_from_unusual_parent.toml	122
rules/linux/execution_potential_hack_tool_executed.toml	116
rules/linux/command_and_control_linux_kworker_netcon.toml	129
rules/linux/discovery_port_scanning_activity_from_compromised_host.toml	101
rules/linux/credential_access_potential_linux_local_account_bruteforce.toml	97
rules/linux/persistence_apt_package_manager_file_creation.toml	139
rules/linux/persistence_tainted_kernel_module_out_of_tree_load.toml	102
rules/linux/persistence_pth_file_creation.toml	141
rules/linux/command_and_control_telegram_api_request.toml	79
rules/linux/credential_access_manual_memory_dumping.toml	81
rules/linux/persistence_systemd_service_started.toml	202
rules/linux/discovery_esxi_software_via_find.toml	105
rules/linux/discovery_docker_socket_discovery.toml	108
rules/linux/persistence_unusual_exim4_child_process.toml	59
rules/linux/persistence_dpkg_unusual_execution.toml	122
rules/linux/defense_evasion_mount_execution.toml	107
rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml	141
rules/linux/persistence_pluggable_authentication_module_creation_in_unusual_dir.toml	104
rules/linux/privilege_escalation_sudo_hijacking.toml	126
rules/linux/defense_evasion_hex_payload_execution_via_commandline.toml	92
rules/linux/execution_tc_bpf_filter.toml	103
rules/linux/execution_system_binary_file_permission_change.toml	100
rules/linux/execution_shell_openssl_client_or_server.toml	113
rules/linux/execution_suspicious_executable_running_system_commands.toml	119
rules/linux/defense_evasion_creation_of_hidden_files_directories.toml	82
rules/linux/defense_evasion_interpreter_launched_from_decoded_payload.toml	131
rules/linux/persistence_user_credential_modification_via_echo.toml	96
rules/linux/defense_evasion_file_mod_writable_dir.toml	114
rules/linux/privilege_escalation_dac_permissions.toml	109
rules/linux/credential_access_potential_successful_linux_ftp_bruteforce.toml	112
rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml	115
rules/linux/discovery_unusual_user_enumeration_via_id.toml	94
rules/linux/persistence_systemd_service_creation.toml	225
rules/linux/discovery_suid_sguid_enumeration.toml	118
rules/linux/lateral_movement_telnet_network_activity_external.toml	116
rules/linux/persistence_pluggable_authentication_module_source_download.toml	91
rules/linux/persistence_dracut_module_creation.toml	144
rules/linux/execution_potentially_overly_permissive_container_creation.toml	116
rules/linux/execution_suspicious_mkfifo_execution.toml	87
rules/linux/execution_shell_via_lolbin_interpreter_linux.toml	131
rules/linux/persistence_init_d_file_creation.toml	165
rules/linux/persistence_git_hook_process_execution.toml	145
rules/linux/persistence_systemd_netcon.toml	120
rules/linux/defense_evasion_ld_so_creation.toml	125
rules/linux/lateral_movement_ssh_it_worm_download.toml	118
rules/linux/persistence_pluggable_authentication_module_creation.toml	119
rules/linux/execution_process_started_from_process_id_file.toml	89
rules/linux/execution_cupsd_foomatic_rip_lp_user_execution.toml	120
rules/linux/persistence_setuid_setgid_capability_set.toml	156
rules/linux/privilege_escalation_potential_bufferoverflow_attack.toml	90
rules/linux/credential_access_potential_successful_linux_ssh_bruteforce.toml	93
rules/linux/credential_access_credential_dumping.toml	105
rules/linux/persistence_unusual_sshd_child_process.toml	111
rules/linux/persistence_cron_job_creation.toml	228
rules/linux/impact_potential_bruteforce_malware_infection.toml	134
rules/linux/persistence_etc_file_creation.toml	226
rules/linux/impact_potential_linux_ransomware_note_detected.toml	106
rules/linux/persistence_process_capability_set_via_setcap.toml	100
rules/linux/persistence_extract_initramfs_via_cpio.toml	113
rules/linux/execution_python_tty_shell.toml	100
rules/linux/discovery_private_key_password_searching_activity.toml	95
rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml	92
rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml	119
rules/linux/lateral_movement_telnet_network_activity_internal.toml	117
rules/linux/credential_access_potential_successful_linux_rdp_bruteforce.toml	111
rules/linux/persistence_web_server_sus_command_execution.toml	154
rules/linux/credential_access_unusual_instance_metadata_service_api_request.toml	120
rules/linux/persistence_linux_shell_activity_via_web_server.toml	169
rules/linux/initial_access_successful_ssh_authentication_by_unusual_user.toml	80
rules/linux/defense_evasion_root_certificate_installation.toml	109
rules/linux/persistence_kernel_driver_load_by_non_root.toml	108
rules/linux/exfiltration_potential_data_splitting_for_exfiltration.toml	112
rules/linux/execution_cupsd_foomatic_rip_shell_execution.toml	125
rules/linux/lateral_movement_unusual_remote_file_creation.toml	118
rules/linux/persistence_apt_package_manager_netcon.toml	133
rules/linux/defense_evasion_ld_preload_cmdline.toml	109
rules/linux/persistence_xdg_autostart_netcon.toml	131
rules/linux/execution_unusual_pkexec_execution.toml	126
rules/linux/persistence_tainted_kernel_module_load.toml	101
rules/linux/persistence_bpf_probe_write_user.toml	101
rules/linux/credential_access_sensitive_keys_or_passwords_search_inside_container.toml	100
rules/linux/discovery_proc_maps_read.toml	99
rules/linux/defense_evasion_base64_decoding_activity.toml	136
rules/linux/persistence_web_server_sus_destination_port.toml	142
rules/linux/privilege_escalation_sudo_cve_2019_14287.toml	106
rules/linux/privilege_escalation_mount_launched_inside_container.toml	96
rules/linux/execution_process_started_in_shared_memory_directory.toml	108
rules/linux/impact_memory_swap_modification.toml	118
rules/linux/persistence_dynamic_linker_backup.toml	164
rules/linux/privilege_escalation_debugfs_launched_inside_container.toml	97
rules/linux/persistence_systemd_scheduled_timer_created.toml	183
rules/linux/persistence_systemd_generator_creation.toml	135
rules/linux/persistence_at_job_creation.toml	144
rules/linux/persistence_potential_persistence_script_executable_bit_set.toml	136
rules/linux/privilege_escalation_docker_mount_chroot_container_escape.toml	107
rules/linux/persistence_web_server_sus_child_spawned.toml	150
rules/linux/persistence_credential_access_modify_ssh_binaries.toml	191
rules/linux/discovery_kernel_unpacking.toml	106
rules/linux/defense_evasion_var_log_file_creation_by_unsual_process.toml	128
rules/linux/defense_evasion_esxi_suspicious_timestomp_touch.toml	112
rules/linux/execution_process_backgrounded_by_unusual_parent.toml	126
rules/linux/execution_unix_socket_communication.toml	93
rules/linux/defense_evasion_unusual_preload_env_vars.toml	127
rules/linux/lateral_movement_remote_file_creation_world_writeable_dir.toml	111
rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml	124
rules/linux/credential_access_collection_sensitive_files.toml	159
rules/linux/discovery_sudo_allowed_command_enumeration.toml	99
rules/linux/discovery_virtual_machine_fingerprinting.toml	113
rules/linux/persistence_rc_local_error_via_syslog.toml	90
rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml	128
rules/linux/execution_shell_via_background_process.toml	114
rules/linux/execution_unusual_path_invocation_from_command_line.toml	114
rules/linux/defense_evasion_acl_modification_via_setfacl.toml	88
rules/linux/persistence_ssh_netcon.toml	115
rules/linux/privilege_escalation_pkexec_envar_hijack.toml	107
rules/linux/persistence_git_hook_execution.toml	126
rules/linux/privilege_escalation_enlightenment_window_manager.toml	94
rules/linux/defense_evasion_authorized_keys_file_deletion.toml	101
rules/linux/privilege_escalation_shadow_file_read.toml	118
rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml	106
rules/linux/persistence_simple_web_server_creation.toml	134
rules/linux/persistence_insmod_kernel_module_load.toml	164
rules/linux/persistence_openssl_passwd_hash_generation.toml	108
rules/linux/persistence_network_manager_dispatcher_persistence.toml	138
rules/linux/persistence_git_hook_netcon.toml	134
rules/linux/execution_cupsd_foomatic_rip_suspicious_child_execution.toml	136
rules/linux/defense_evasion_sysctl_kernel_feature_activity.toml	81
rules/linux/command_and_control_ip_forwarding_activity.toml	82
rules/linux/persistence_polkit_policy_creation.toml	110
rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml	116
rules/linux/persistence_rc_local_service_already_running.toml	103
rules/linux/execution_shell_via_java_revshell_linux.toml	120
rules/linux/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml	81
rules/linux/command_and_control_linux_tunneling_via_ssh_option.toml	80
rules/linux/defense_evasion_log_files_deleted.toml	127
rules/linux/discovery_ping_sweep_detected.toml	100
rules/linux/execution_python_webserver_spawned.toml	119
rules/linux/defense_evasion_dynamic_linker_file_creation.toml	134
rules/linux/persistence_grub_configuration_creation.toml	127
rules/linux/persistence_chkconfig_service_add.toml	171
rules/linux/persistence_boot_file_copy.toml	135
rules/linux/execution_unusual_kthreadd_execution.toml	91
rules/linux/persistence_dpkg_package_installation_from_unusual_parent.toml	124
rules/linux/persistence_message_of_the_day_execution.toml	185
rules/linux/credential_access_aws_creds_search_inside_container.toml	99
rules/linux/privilege_escalation_suspicious_chown_fowner_elevation.toml	101
rules/linux/persistence_kworker_file_creation.toml	173
rules/linux/defense_evasion_directory_creation_in_bin.toml	111
rules/linux/execution_file_made_executable_via_chmod_inside_container.toml	106
rules/linux/privilege_escalation_suspicious_uid_guid_elevation.toml	119
rules/linux/persistence_pluggable_authentication_module_pam_exec_backdoor_exec.toml	70
rules/linux/privilege_escalation_overlayfs_local_privesc.toml	98
rules/linux/defense_evasion_hex_payload_execution_via_utility.toml	133
rules/linux/impact_data_encrypted_via_openssl.toml	98
rules/linux/discovery_linux_hping_activity.toml	119
rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml	115
rules/linux/defense_evasion_rename_esxi_files.toml	99
rules/linux/impact_esxi_process_kill.toml	95
rules/linux/discovery_suspicious_which_command_execution.toml	80
rules/linux/credential_access_collection_sensitive_files_compression_inside_container.toml	112
rules/linux/persistence_suspicious_file_opened_through_editor.toml	125
rules/linux/execution_interpreter_tty_upgrade.toml	106
rules/linux/privilege_escalation_linux_uid_int_max_bug.toml	98
rules/linux/command_and_control_aws_cli_endpoint_url_used.toml	75
rules/linux/persistence_simple_web_server_connection_accepted.toml	124
rules/linux/defense_evasion_hidden_directory_creation.toml	119
rules/linux/defense_evasion_hidden_file_dir_tmp.toml	125
rules/linux/persistence_unpack_initramfs_via_unmkinitramfs.toml	130
rules/linux/privilege_escalation_sda_disk_mount_non_root.toml	100
rules/linux/execution_suspicious_mining_process_creation_events.toml	96
rules/linux/command_and_control_linux_chisel_server_activity.toml	145
rules/linux/persistence_site_and_user_customize_file_creation.toml	136
rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml	191
rules/linux/command_and_control_cat_network_activity.toml	148
rules/linux/collection_linux_clipboard_activity.toml	80
rules/linux/execution_shell_via_udp_cli_utility_linux.toml	132
rules/linux/persistence_ssh_via_backdoored_system_user.toml	113
rules/linux/discovery_dynamic_linker_via_od.toml	105
rules/linux/persistence_grub_makeconfig.toml	112
rules/linux/discovery_esxi_software_via_grep.toml	105
rules/linux/discovery_pspy_process_monitoring_detected.toml	98
rules/linux/defense_evasion_kernel_module_removal.toml	129
rules/linux/discovery_suspicious_memory_grep_activity.toml	80
rules/linux/persistence_manual_dracut_execution.toml	123
rules/linux/execution_abnormal_process_id_file_created.toml	140
rules/linux/privilege_escalation_uid_change_post_compilation.toml	99
rules/linux/persistence_kde_autostart_modification.toml	212
rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml	113
rules/linux/privilege_escalation_writable_docker_socket.toml	99
rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml	123
rules/linux/persistence_udev_rule_creation.toml	124
rules/linux/impact_process_kill_threshold.toml	89
rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml	111
rules/linux/execution_unusual_interactive_process_inside_container.toml	75
rules/linux/lateral_movement_ssh_process_launched_inside_container.toml	116
rules/linux/persistence_kernel_object_file_creation.toml	113
rules/linux/privilege_escalation_netcon_via_sudo_binary.toml	111
rules/linux/execution_remote_code_execution_via_postgresql.toml	107
rules/linux/persistence_dbus_service_creation.toml	137
rules/linux/defense_evasion_rename_esxi_index_file.toml	98
rules/linux/persistence_git_hook_file_creation.toml	139
rules/linux/persistence_dnf_package_manager_plugin_file_creation.toml	139
rules/linux/execution_shell_evasion_linux_binary.toml	190
rules/linux/execution_nc_listener_via_rlwrap.toml	112
rules/linux/defense_evasion_attempt_to_disable_auditd_service.toml	106
rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml	117
rules/linux/initial_access_successful_ssh_authentication_by_unusual_ip.toml	92
rules/linux/exfiltration_unusual_file_transfer_utility_launched.toml	102
rules/linux/defense_evasion_interactive_shell_from_system_user.toml	114
rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml	90
rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml	120
rules/linux/persistence_yum_package_manager_plugin_file_creation.toml	137
rules/linux/privilege_escalation_sudo_token_via_process_injection.toml	110
rules/linux/defense_evasion_doas_configuration_creation_or_rename.toml	96
rules/linux/command_and_control_linux_chisel_client_activity.toml	146
rules/linux/privilege_escalation_unshare_namespace_manipulation.toml	107
rules/linux/discovery_security_file_access_via_common_utility.toml	103
rules/linux/command_and_control_linux_proxychains_activity.toml	127
rules/linux/persistence_apt_package_manager_execution.toml	137
rules/linux/execution_executable_stack_execution.toml	89
rules/linux/discovery_polkit_version_discovery.toml	101
rules/linux/execution_shell_via_tcp_cli_utility_linux.toml	114
rules/linux/privilege_escalation_gdb_sys_ptrace_elevation.toml	104
rules/linux/defense_evasion_hidden_shared_object.toml	109
rules/linux/credential_access_gdb_process_hooking.toml	88
rules/linux/persistence_shared_object_creation.toml	174
rules/linux/defense_evasion_suspicious_path_mounted.toml	68
rules/linux/execution_netcon_from_rwx_mem_region_binary.toml	112
rules/linux/privilege_escalation_docker_release_file_creation.toml	46
rules/linux/discovery_yum_dnf_plugin_detection.toml	106
rules/linux/persistence_ssh_key_generation.toml	102
rules/linux/execution_perl_tty_shell.toml	100
rules/linux/defense_evasion_kthreadd_masquerading.toml	107
rules/linux/credential_access_gdb_init_process_hooking.toml	103
rules/linux/discovery_process_capabilities.toml	93
rules/linux/execution_shell_via_child_tcp_utility_linux.toml	115
rules/linux/exfiltration_potential_curl_data_exfiltration.toml	80
rules/linux/defense_evasion_disable_selinux_attempt.toml	116
rules/linux/execution_shell_via_suspicious_binary.toml	124
rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml	130
rules/linux/privilege_escalation_suspicious_passwd_file_write.toml	113
rules/linux/persistence_linux_backdoor_user_creation.toml	137
rules/linux/initial_access_first_time_public_key_authentication.toml	99
rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml	141
rules/linux/persistence_systemd_shell_execution.toml	110
rules/linux/persistence_kernel_driver_load.toml	103
rules/linux/privilege_escalation_potential_suid_sgid_exploitation.toml	143
rules/linux/defense_evasion_prctl_process_name_tampering.toml	103
rules/linux/persistence_unusual_pam_grantor.toml	98
rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml	117
rules/linux/execution_file_execution_followed_by_deletion.toml	107
rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml	131
rules/linux/command_and_control_git_repo_or_file_download_to_sus_dir.toml	79
rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml	153
rules/linux/defense_evasion_kill_command_executed.toml	123
rules/linux/command_and_control_curl_socks_proxy_detected.toml	112
rules/linux/discovery_linux_nping_activity.toml	119
rules/linux/persistence_lkm_configuration_file_creation.toml	114
rules/linux/defense_evasion_potential_proot_exploits.toml	104
rules/linux/command_and_control_linux_ssh_x11_forwarding.toml	121
rules/linux/credential_access_ssh_backdoor_log.toml	149
rules/linux/privilege_escalation_looney_tunables_cve_2023_4911.toml	106
rules/linux/persistence_linux_user_account_creation.toml	108
rules/linux/defense_evasion_file_deletion_via_shred.toml	103
rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml	163
rules/linux/defense_evasion_selinux_configuration_creation_or_renaming.toml	101
rules/linux/persistence_linux_user_added_to_privileged_group.toml	135
rules/linux/defense_evasion_clear_kernel_ring_buffer.toml	111
rules/linux/execution_container_management_binary_launched_inside_container.toml	99
rules/linux/defense_evasion_disable_apparmor_attempt.toml	112
detection_rules/packaging.py	367
detection_rules/ml.py	183
detection_rules/docs.py	699
detection_rules/config.py	223
detection_rules/attack.py	164
detection_rules/generic_loader.py	125
detection_rules/exception.py	199
detection_rules/remote_validation.py	152
detection_rules/cli_utils.py	201
detection_rules/mixins.py	158
detection_rules/ecs.py	245
detection_rules/__main__.py	13
detection_rules/endgame.py	62
detection_rules/rule_validators.py	439
detection_rules/rule_loader.py	451
detection_rules/devtools.py	1125
detection_rules/schemas/registry_package.py	40
detection_rules/schemas/stack_compat.py	32
detection_rules/schemas/__init__.py	216
detection_rules/schemas/definitions.py	225
detection_rules/__init__.py	36
detection_rules/utils.py	339
detection_rules/navigator.py	220
detection_rules/action_connector.py	124
detection_rules/rule.py	1152
detection_rules/misc.py	312
detection_rules/version_lock.py	212
detection_rules/rule_formatter.py	200
detection_rules/integrations.py	287
detection_rules/kbwrap.py	368
detection_rules/main.py	535
detection_rules/ghwrap.py	241
detection_rules/custom_rules.py	106
detection_rules/beats.py	184
detection_rules/eswrap.py	306
detection_rules/custom_schemas.py	66
detection_rules/etc/example_test_config.yaml	6
detection_rules/etc/packages.yaml	31
detection_rules/etc/_config.yaml	10
detection_rules/etc/__init__.py	1
detection_rules/etc/stack-schema-map.yaml	28
detection_rules/action.py	39
pyproject.toml	62
rules_building_block/defense_evasion_file_permission_modification.toml	57
rules_building_block/discovery_linux_modprobe_enumeration.toml	72
rules_building_block/discovery_hosts_file_access.toml	48
rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml	60
rules_building_block/discovery_system_service_discovery.toml	60
rules_building_block/defense_evasion_powershell_clear_logs_script.toml	102
rules_building_block/discovery_kernel_module_enumeration_via_proc.toml	74
rules_building_block/execution_settingcontent_ms_file_creation.toml	70
rules_building_block/impact_github_user_blocked_from_organization.toml	41
rules_building_block/defense_evasion_posh_defender_tampering.toml	93
rules_building_block/discovery_net_share_discovery_winlog.toml	60
rules_building_block/persistence_iam_instance_request_to_iam_service.toml	112
rules_building_block/execution_aws_lambda_function_updated.toml	64
rules_building_block/discovery_of_accounts_or_groups_via_builtin_tools.toml	70
rules_building_block/discovery_signal_unusual_user_host.toml	51
rules_building_block/defense_evasion_service_disabled_registry.toml	64
rules_building_block/defense_evasion_installutil_command_activity.toml	58
rules_building_block/persistence_web_server_sus_file_creation.toml	119
rules_building_block/defense_evasion_unsigned_bits_client.toml	58
rules_building_block/discovery_getconf_execution.toml	49
rules_building_block/command_and_control_certutil_network_connection.toml	151
rules_building_block/discovery_generic_account_groups.toml	94
rules_building_block/defense_evasion_injection_from_msoffice.toml	82
rules_building_block/defense_evasion_unusual_process_path_wbem.toml	61
rules_building_block/discovery_win_network_connections.toml	62
rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml	54
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml	102
rules_building_block/defense_evasion_unusual_process_extension.toml	73
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml	94
rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml	60
rules_building_block/discovery_linux_sysctl_enumeration.toml	70
rules_building_block/defense_evasion_masquerading_browsers.toml	186
rules_building_block/lateral_movement_unusual_process_sql_accounts.toml	98
rules_building_block/discovery_security_software_wmic.toml	88
rules_building_block/collection_common_compressed_archived_file.toml	117
rules_building_block/command_and_control_bitsadmin_activity.toml	83
rules_building_block/lateral_movement_at.toml	70
rules_building_block/initial_access_github_new_ip_address_for_user.toml	52
rules_building_block/persistence_startup_folder_lnk.toml	62
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml	72
rules_building_block/credential_access_win_private_key_access.toml	84
rules_building_block/initial_access_github_new_user_agent_for_pat.toml	53
rules_building_block/defense_evasion_aws_rds_snapshot_created.toml	59
rules_building_block/execution_wmi_wbemtest.toml	52
rules_building_block/execution_unsigned_service_executable.toml	72
rules_building_block/defense_evasion_generic_deletion.toml	62
rules_building_block/collection_outlook_email_archive.toml	62
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml	65
rules_building_block/execution_linux_segfault.toml	52
rules_building_block/execution_github_repo_interaction_from_new_ip.toml	49
rules_building_block/defense_evasion_outlook_suspicious_child.toml	100
rules_building_block/discovery_remote_system_discovery_commands_windows.toml	93
rules_building_block/defense_evasion_masquerading_vlc_dll.toml	69
rules_building_block/impact_github_member_removed_from_organization.toml	41
rules_building_block/command_and_control_non_standard_http_port.toml	135
rules_building_block/persistence_transport_agent_exchange.toml	113
rules_building_block/collection_files_staged_in_recycle_bin_root.toml	53
rules_building_block/lateral_movement_wmic_remote.toml	71
rules_building_block/execution_github_new_repo_interaction_for_pat.toml	50
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml	50
rules_building_block/defense_evasion_processes_with_trailing_spaces.toml	52
rules_building_block/defense_evasion_invalid_codesign_imageload.toml	54
rules_building_block/credential_access_mdmp_file_unusual_extension.toml	75
rules_building_block/defense_evasion_dll_hijack.toml	97
rules_building_block/defense_evasion_service_path_registry.toml	85
rules_building_block/execution_github_new_event_action_for_pat.toml	49
rules_building_block/defense_evasion_services_exe_path.toml	82
rules_building_block/lateral_movement_rdp_conn_unusual_process.toml	63
rules_building_block/defense_evasion_suspicious_msiexec_execution.toml	75
rules_building_block/discovery_generic_registry_query.toml	68
rules_building_block/initial_access_github_new_user_agent_for_user.toml	52
rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml	61
rules_building_block/defense_evasion_write_dac_access.toml	71
rules_building_block/discovery_net_view.toml	99
rules_building_block/discovery_posh_password_policy.toml	109
rules_building_block/impact_github_pat_access_revoked.toml	41
rules_building_block/discovery_generic_process_discovery.toml	59
rules_building_block/discovery_potential_memory_seeking_activity.toml	60
rules_building_block/collection_posh_compression.toml	128
rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml	55
rules_building_block/discovery_suspicious_proc_enumeration.toml	73
rules_building_block/discovery_windows_system_information_discovery.toml	68
rules_building_block/discovery_process_discovery_via_builtin_tools.toml	54
rules_building_block/collection_archive_data_zip_imageload.toml	62
rules_building_block/discovery_posh_generic.toml	274
rules_building_block/persistence_github_new_user_added_to_organization.toml	45
rules_building_block/discovery_of_domain_groups.toml	49
rules_building_block/credential_access_mdmp_file_creation.toml	91
rules_building_block/defense_evasion_download_susp_extension.toml	85
rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml	90
rules_building_block/lateral_movement_posh_winrm_activity.toml	113
rules_building_block/discovery_linux_system_information_discovery.toml	47
rules_building_block/discovery_linux_system_owner_user_discovery.toml	51
rules_building_block/discovery_capnetraw_capability.toml	77
rules_building_block/privilege_escalation_trap_execution.toml	52
rules_building_block/discovery_system_time_discovery.toml	60
rules_building_block/discovery_post_exploitation_external_ip_lookup.toml	138
rules_building_block/execution_github_new_repo_interaction_for_user.toml	49
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml	68
rules_building_block/initial_access_github_new_ip_address_for_pat.toml	53
rules_building_block/defense_evasion_cmstp_execution.toml	60
rules_building_block/persistence_creation_of_kernel_module.toml	49
rules_building_block/execution_github_repo_created.toml	41
rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml	61
rules_building_block/discovery_internet_capabilities.toml	57
rules_building_block/persistence_github_new_pat_for_user.toml	53
rules_building_block/discovery_system_network_connections.toml	45
hunting/run.py	49
hunting/azure/queries/entra_authentication_attempts_behind_rare_user_agents.toml	75
hunting/azure/queries/entra_suspicious_odata_client_requests.toml	59
hunting/azure/queries/entra_authentication_attempts_from_abused_hosting_service_providers.toml	85
hunting/azure/queries/entra_service_principal_credentials_added_to_rare_app.toml	48
hunting/azure/queries/entra_device_code_authentication_from_unusual_principal.toml	50
hunting/azure/queries/entra_unusual_client_app_auth_request_on_behalf_of_user.toml	55
hunting/azure/queries/entra_excessive_non_interactive_sfa_sign_ins_across_users.toml	55
hunting/markdown.py	102
hunting/search.py	124
hunting/windows/queries/execution_via_windows_services_with_low_occurrence_frequency.toml	39
hunting/windows/queries/high_count_of_network_connection_over_extended_period_by_process.toml	65
hunting/windows/queries/execution_via_windows_management_instrumentation_by_occurrence_frequency_by_unique_agent.toml	45
hunting/windows/queries/execution_via_windows_scheduled_task_with_low_occurrence_frequency.toml	28
hunting/windows/queries/persistence_via_startup_with_low_occurrence_frequency.toml	28
hunting/windows/queries/execution_via_network_logon_by_occurrence_frequency_by_top_source_ip.toml	39
hunting/windows/queries/execution_via_startup_with_low_occurrence_frequency.toml	31
hunting/windows/queries/execution_via_remote_services_by_client_address.toml	27
hunting/windows/queries/windows_command_and_scripting_interpreter_from_unusual_parent.toml	27
hunting/windows/queries/executable_file_creation_by_an_unusual_microsoft_binary.toml	39
hunting/windows/queries/microsoft_office_child_processes_with_low_occurrence_frequency.toml	27
hunting/windows/queries/unique_windows_services_creation_by_servicefilename.toml	63
hunting/windows/queries/potential_exfiltration_by_process_total_egress_bytes.toml	30
hunting/windows/queries/excessive_smb_network_activity_by_process_id.toml	26
hunting/windows/queries/suspicious_base64_encoded_powershell_commands.toml	30
hunting/windows/queries/detect_rare_dll_sideload_by_occurrence.toml	45
hunting/windows/queries/excessive_rdp_network_activity_by_source_host_and_user.toml	36
hunting/windows/queries/pe_file_transfer_via_smb_admin_shares_by_agent.toml	33
hunting/windows/queries/createremotethread_by_source_process_with_low_occurrence.toml	23
hunting/windows/queries/detect_masquerading_attempts_as_native_windows_binaries.toml	27
hunting/windows/queries/libraries_loaded_by_svchost_with_low_occurrence_frequency.toml	48
hunting/windows/queries/windows_logon_activity_by_source_ip.toml	29
hunting/windows/queries/network_discovery_via_sensitive_ports_by_unusual_process.toml	31
hunting/windows/queries/detect_dll_hijack_via_masquerading_as_microsoft_native_libraries.toml	49
hunting/windows/queries/detect_rare_lsass_process_access_attempts.toml	40
hunting/windows/queries/scheduled_tasks_creation_for_unique_hosts_by_task_command.toml	34
hunting/windows/queries/rundll32_execution_aggregated_by_cmdline.toml	29
hunting/windows/queries/domain_names_queried_via_lolbins_and_with_low_occurence_frequency.toml	26
hunting/windows/queries/drivers_load_with_low_occurrence_frequency.toml	45
hunting/windows/queries/scheduled_task_creation_by_action_via_registry.toml	30
hunting/windows/queries/persistence_via_run_key_with_low_occurrence_frequency.toml	45
hunting/windows/queries/suspicious_dns_txt_record_lookups_by_process.toml	26
hunting/aws/queries/iam_unusual_access_key_usage_for_user.toml	46
hunting/aws/queries/s3_public_bucket_rapid_object_access_attempts.toml	30
hunting/aws/queries/sns_topic_message_published_by_rare_user.toml	32
hunting/aws/queries/ssm_rare_sendcommand_code_execution.toml	27
hunting/aws/queries/ec2_discovery_multi_region_describe_instance_calls.toml	31
hunting/aws/queries/lambda_add_permissions_for_write_actions_to_function.toml	30
hunting/aws/queries/ec2_modify_instance_attribute_user_data.toml	27
hunting/aws/queries/iam_assume_role_creation_with_attached_policy.toml	32
hunting/aws/queries/iam_unusual_default_aviatrix_role_activity.toml	29
hunting/aws/queries/iam_user_creation_with_administrator_policy_assigned.toml	31
hunting/aws/queries/sns_topic_created_by_rare_user.toml	32
hunting/aws/queries/sns_email_subscription_by_rare_user.toml	31
hunting/aws/queries/iam_user_activity_with_no_mfa_session.toml	25
hunting/aws/queries/multiple_service_logging_deleted_or_stopped.toml	29
hunting/aws/queries/ssm_sendcommand_api_used_by_ec2_instance.toml	27
hunting/aws/queries/servicequotas_discovery_multi_region_get_service_quota_calls.toml	37
hunting/aws/queries/ec2_high_instance_deployment_count_attempts.toml	37
hunting/aws/queries/signin_single_factor_console_login_via_federated_session.toml	27
hunting/aws/queries/ssm_start_remote_session_to_ec2_instance.toml	25
hunting/aws/queries/secretsmanager_high_frequency_get_secret_value.toml	30
hunting/aws/queries/sns_direct_to_phone_messaging_spike.toml	35
hunting/aws/queries/ec2_suspicious_get_user_password_request.toml	28
hunting/aws/queries/iam_customer_managed_policies_attached_to_existing_roles.toml	32
hunting/aws/queries/sts_suspicious_federated_temporary_credential_request.toml	31
hunting/__main__.py	161
hunting/llm/queries/aws_bedrock_ignore_previous_prompt_detection.toml	35
hunting/llm/queries/aws_bedrock_dos_resource_exhaustion_detection.toml	35
hunting/llm/queries/aws_bedrock_sensitive_content_refusal_detection.toml	28
hunting/llm/queries/aws_bedrock_latency_anomalies_detection.toml	30
hunting/__init__.py	1
hunting/utils.py	79
hunting/okta/queries/defense_evasion_multiple_application_sso_authentication_repeat_source.toml	35
hunting/okta/queries/persistence_rare_domain_with_user_authentication.toml	30
hunting/okta/queries/credential_access_rapid_reset_password_requests_for_different_users.toml	30
hunting/okta/queries/initial_access_impossible_travel_sign_on.toml	30
hunting/okta/queries/initial_access_higher_than_average_failed_authentication.toml	37
hunting/okta/queries/defense_evasion_failed_oauth_access_token_retrieval_via_public_client_app.toml	35
hunting/okta/queries/defense_evasion_rare_oauth_access_token_granted_by_application.toml	36
hunting/okta/queries/persistence_multi_factor_push_notification_bombing.toml	28
hunting/okta/queries/credential_access_mfa_bombing_push_notications.toml	30
hunting/okta/queries/defense_evasion_multiple_client_sources_reported_for_oauth_access_tokens_granted.toml	36
hunting/okta/queries/initial_access_password_spraying_from_repeat_source.toml	35
hunting/macos/queries/persistence_via_suspicious_launch_agent_or_launch_daemon_with_low_occurrence.toml	27
hunting/macos/queries/execution_unsigned_or_untrusted_binary_fork_via_python.toml	31
hunting/macos/queries/execution_suspicious_file_access_via_docker.toml	30
hunting/macos/queries/defense_evasion_self_deleted_python_script_outbound_network_connection.toml	36
hunting/macos/queries/credential_access_potential_python_stealer.toml	34
hunting/macos/queries/execution_unusual_library_load_via_python.toml	31
hunting/macos/queries/defense_evasion_self_deleted_python_script_accessing_sensitive_files.toml	30
hunting/macos/queries/defense_evasion_python_library_load_and_delete.toml	30
hunting/macos/queries/execution_suspicious_executable_file_modification_via_docker.toml	31
hunting/macos/queries/execution_suspicious_python_app_execution_via_streamlit.toml	40
hunting/macos/queries/command_and_control_suspicious_executable_file_creation_via_python.toml	34
hunting/macos/queries/execution_unsigned_or_untrusted_binary_execution_via_python.toml	37
hunting/macos/queries/execution_python_script_drop_and_execute.toml	32
hunting/macos/queries/defense_evasion_self_deleting_python_script.toml	34
hunting/macos/queries/suspicious_network_connections_by_unsigned_macho.toml	32
hunting/definitions.py	39
hunting/linux/queries/persistence_general_kernel_manipulation.toml	73
hunting/linux/queries/persistence_via_rpm_dpkg_installer_packages.toml	76
hunting/linux/queries/persistence_via_systemd_timers.toml	180
hunting/linux/queries/persistence_via_ssh_configurations_and_keys.toml	85
hunting/linux/queries/persistence_via_xdg_autostart_modifications.toml	115
hunting/linux/queries/persistence_via_package_manager.toml	85
hunting/linux/queries/persistence_via_sysv_init.toml	71
hunting/linux/queries/low_volume_external_network_connections_from_process.toml	38
hunting/linux/queries/persistence_via_loadable_kernel_modules.toml	74
hunting/linux/queries/privilege_escalation_via_suid_binaries.toml	54
hunting/linux/queries/persistence_via_udev.toml	90
hunting/linux/queries/privilege_escalation_via_segmentation_fault_and_buffer_overflow.toml	39
hunting/linux/queries/login_activity_by_source_address.toml	30
hunting/linux/queries/persistence_via_driver_load_with_low_occurrence_frequency.toml	30
hunting/linux/queries/defense_evasion_via_hidden_process_execution.toml	28
hunting/linux/queries/command_and_control_via_unusual_file_downloads_from_source_addresses.toml	28
hunting/linux/queries/defense_evasion_via_capitalized_process_execution.toml	30
hunting/linux/queries/low_volume_modifications_to_critical_system_binaries.toml	36
hunting/linux/queries/persistence_via_grub_bootloader.toml	101
hunting/linux/queries/command_and_control_via_network_connections_with_low_occurrence_frequency_for_unique_agents.toml	65
hunting/linux/queries/privilege_escalation_via_existing_sudoers.toml	21
hunting/linux/queries/persistence_via_rc_local.toml	66
hunting/linux/queries/persistence_via_message_of_the_day.toml	67
hunting/linux/queries/persistence_via_web_shell.toml	48
hunting/linux/queries/persistence_via_network_manager_dispatcher_script.toml	65
hunting/linux/queries/persistence_via_policykit.toml	64
hunting/linux/queries/excessive_ssh_network_activity_unique_destinations.toml	29
hunting/linux/queries/persistence_via_cron.toml	97
hunting/linux/queries/persistence_via_dynamic_linker_hijacking.toml	89
hunting/linux/queries/persistence_via_shell_modification_persistence.toml	99
hunting/linux/queries/persistence_via_unusual_system_binary_parent.toml	28
hunting/linux/queries/persistence_via_desktop_bus.toml	78
hunting/linux/queries/persistence_via_initramfs.toml	66
hunting/linux/queries/persistence_via_user_group_creation_modification.toml	38
hunting/linux/queries/persistence_reverse_bind_shells.toml	46
hunting/linux/queries/persistence_via_malicious_docker_container.toml	68
hunting/linux/queries/defense_evasion_via_multi_dot_process_execution.toml	27
hunting/linux/queries/persistence_via_git_hook_pager.toml	77
hunting/linux/queries/execution_uncommon_process_execution_from_suspicious_directory.toml	46
hunting/linux/queries/privilege_escalation_via_process_capabilities.toml	47
hunting/linux/queries/low_volume_gtfobins_external_network_connections.toml	35
hunting/linux/queries/persistence_via_pluggable_authentication_module.toml	78
hunting/linux/queries/low_volume_process_injection_syscalls_by_executable.toml	27
lib/kibana/pyproject.toml	26
lib/kibana/kibana/connector.py	28
lib/kibana/kibana/resources.py	243
lib/kibana/kibana/__init__.py	8
lib/kibana/kibana/definitions.py	53
lib/kql/pyproject.toml	28
lib/kql/kql/kql2eql.py	64
lib/kql/kql/dsl.py	82
lib/kql/kql/evaluator.py	112
lib/kql/kql/parser.py	265
lib/kql/kql/eql2kql.py	91
lib/kql/kql/kql.g	40
lib/kql/kql/errors.py	4
lib/kql/kql/__init__.py	52
lib/kql/kql/optimizer.py	91
lib/kql/kql/ast.py	91