elastic / detection-rules

Intro

File size measurements show the distribution of size of files.
Files are classified in four categories based on their size (lines of code): 1-100 (very small files), 101-200 (small files), 201-500 (medium size files), 501-1000 (long files), 1001+(very long files).
It is a good practice to keep files small. Long files may become "bloaters", code that have increased to such gargantuan proportions that they are hard to work with.

Learn more...

File Size Overall

There are 1,718 files with 169,942 lines of code.

2 very long files (2,277 lines of code)
2 long files (1,234 lines of code)
32 medium size files (8,700 lines of codeclsfd_ftr_w_mp_ins)
666 small files (82,520 lines of code)
1,016 very small files (75,211 lines of code)

Legend:

1001+

501-1000

201-500

101-200

1-100

explore: grouped by folders | grouped by size | sunburst | 3D view

File Size per Extension

1001+

501-1000

201-500

101-200

1-100

File Size per Logical Decomposition

primary

1001+

501-1000

201-500

101-200

1-100

Longest Files (Top 50)

File	# lines	# units
rule.py in detection_rules	1152	114
devtools.py in detection_rules	1125	47
docs.py in detection_rules	699	60
main.py in detection_rules	535	18
rule_loader.py in detection_rules	451	44
rule_validators.py in detection_rules	439	25
kbwrap.py in detection_rules	368	5
packaging.py in detection_rules	367	18
utils.py in detection_rules	339	44
execution_posh_hacktool_functions.toml in rules/windows	324	-
command_and_control_common_webservices.toml in rules/windows	315	-
misc.py in detection_rules	312	17
eswrap.py in detection_rules	306	22
integrations.py in detection_rules	287	17
persistence_run_key_and_startup_broad.toml in rules/windows	284	-
command_and_control_new_terms_commonly_abused_rat_execution.toml in rules/windows	278	-
discovery_posh_generic.toml in rules_building_block	274	-
defense_evasion_communication_apps_suspicious_child_process.toml in rules/windows	271	-
parser.py in lib/kql/kql	265	31
persistence_suspicious_file_modifications.toml in rules/integrations/fim	252	-
ecs.py in detection_rules	245	21
resources.py in lib/kibana/kibana	243	32
ghwrap.py in detection_rules	241	18
execution_from_unusual_path_cmdline.toml in rules/windows	237	-
persistence_cron_job_creation.toml in rules/linux	228	-
persistence_etc_file_creation.toml in rules/linux	226	-
persistence_systemd_service_creation.toml in rules/linux	225	-
definitions.py in detection_rules/schemas	225	3
config.py in detection_rules	223	13
navigator.py in detection_rules	220	19
__init__.py in detection_rules/schemas	216	39
defense_evasion_masquerading_business_apps_installer.toml in rules/windows	212	-
persistence_kde_autostart_modification.toml in rules/linux	212	-
version_lock.py in detection_rules	212	11
persistence_systemd_service_started.toml in rules/linux	202	-
cli_utils.py in detection_rules	201	3
rule_formatter.py in detection_rules	200	10
exception.py in detection_rules	199	10
threat_intel_indicator_match_hash.toml in rules/threat_intel	191	-
defense_evasion_network_connection_from_windows_binary.toml in rules/windows	191	-
persistence_credential_access_modify_ssh_binaries.toml in rules/linux	191	-
command_and_control_suspicious_network_activity_from_unknown_executable.toml in rules/linux	191	-
execution_shell_evasion_linux_binary.toml in rules/linux	190	-
privilege_escalation_persistence_phantom_dll.toml in rules/windows	189	-
persistence_service_dll_unsigned.toml in rules/windows	189	-
credential_access_lsass_openprocess_api.toml in rules/windows	188	-
defense_evasion_masquerading_browsers.toml in rules_building_block	186	-
persistence_message_of_the_day_execution.toml in rules/linux	185	-
privilege_escalation_posh_token_impersonation.toml in rules/windows	184	-
beats.py in detection_rules	184	17

Files With Most Units (Top 50)

File	# lines	# units
rule.py in detection_rules	1152	114
docs.py in detection_rules	699	60
devtools.py in detection_rules	1125	47
rule_loader.py in detection_rules	451	44
utils.py in detection_rules	339	44
__init__.py in detection_rules/schemas	216	39
resources.py in lib/kibana/kibana	243	32
parser.py in lib/kql/kql	265	31
ml.py in detection_rules	183	28
rule_validators.py in detection_rules	439	25
eswrap.py in detection_rules	306	22
ecs.py in detection_rules	245	21
navigator.py in detection_rules	220	19
packaging.py in detection_rules	367	18
generic_loader.py in detection_rules	125	18
mixins.py in detection_rules	158	18
main.py in detection_rules	535	18
ghwrap.py in detection_rules	241	18
evaluator.py in lib/kql/kql	112	18
remote_validation.py in detection_rules	152	17
misc.py in detection_rules	312	17
integrations.py in detection_rules	287	17
beats.py in detection_rules	184	17
eql2kql.py in lib/kql/kql	91	16
dsl.py in lib/kql/kql	82	15
config.py in detection_rules	223	13
kql2eql.py in lib/kql/kql	64	13
optimizer.py in lib/kql/kql	91	13
version_lock.py in detection_rules	212	11
ast.py in lib/kql/kql	91	11
attack.py in detection_rules	164	10
exception.py in detection_rules	199	10
rule_formatter.py in detection_rules	200	10
markdown.py in hunting	102	10
search.py in hunting	124	10
utils.py in hunting	79	8
run.py in hunting	49	7
__main__.py in hunting	161	7
endgame.py in detection_rules	62	6
action_connector.py in detection_rules	124	6
custom_schemas.py in detection_rules	66	6
__init__.py in lib/kql/kql	52	6
kbwrap.py in detection_rules	368	5
custom_rules.py in detection_rules	106	4
cli_utils.py in detection_rules	201	3
stack_compat.py in detection_rules/schemas	32	3
definitions.py in detection_rules/schemas	225	3
action.py in detection_rules	39	2
definitions.py in hunting	39	2
__main__.py in detection_rules	13	1

Files With Long Lines (Top 50)

There are 1567 files with lines longer than 120 characters. In total, there are 26834 long lines.

File	# lines	# units	# long lines
initial_access_microsoft_365_abnormal_clientappid.toml in rules/integrations/o365	109	-	43
command_and_control_suspicious_network_activity_from_unknown_executable.toml in rules/linux	191	-	41
persistence_ec2_security_group_configuration_change_detection.toml in rules/integrations/aws	145	-	40
defense_evasion_sqs_purge_queue.toml in rules/integrations/aws	137	-	38
credential_access_ssh_backdoor_log.toml in rules/linux	149	-	35
initial_access_ml_auth_rare_source_ip_for_a_user.toml in rules/ml	122	-	34
credential_access_ml_suspicious_login_activity.toml in rules/ml	122	-	34
credential_access_ml_linux_anomalous_metadata_process.toml in rules/ml	117	-	34
credential_access_ml_auth_spike_in_logon_events.toml in rules/ml	125	-	34
credential_access_ml_linux_anomalous_metadata_user.toml in rules/ml	118	-	34
discovery_ml_linux_system_network_configuration_discovery.toml in rules/ml	115	-	34
execution_shell_via_meterpreter_linux.toml in rules/linux	123	-	34
defense_evasion_chattr_immutable_file.toml in rules/linux	116	-	34
persistence_xdg_autostart_netcon.toml in rules/linux	131	-	34
discovery_virtual_machine_fingerprinting.toml in rules/linux	113	-	34
defense_evasion_log_files_deleted.toml in rules/linux	127	-	34
discovery_linux_hping_activity.toml in rules/linux	119	-	34
privilege_escalation_linux_suspicious_symbolic_link.toml in rules/linux	123	-	34
defense_evasion_hidden_shared_object.toml in rules/linux	109	-	34
ml_packetbeat_rare_server_domain.toml in rules/ml	100	-	33
command_and_control_ml_packetbeat_rare_dns_question.toml in rules/ml	116	-	33
command_and_control_ml_packetbeat_rare_urls.toml in rules/ml	120	-	33
ml_linux_anomalous_network_port_activity.toml in rules/ml	100	-	33
privilege_escalation_ld_preload_shared_object_modif.toml in rules/linux	115	-	33
execution_unusual_pkexec_execution.toml in rules/linux	126	-	33
defense_evasion_hidden_file_dir_tmp.toml in rules/linux	125	-	33
persistence_kde_autostart_modification.toml in rules/linux	212	-	33
defense_evasion_disable_selinux_attempt.toml in rules/linux	116	-	33
defense_evasion_attempt_to_disable_syslog_service.toml in rules/linux	117	-	33
discovery_linux_nping_activity.toml in rules/linux	119	-	33
command_and_control_beaconing.toml in rules/integrations/beaconing	92	-	32
discovery_ml_linux_system_network_connection_discovery.toml in rules/ml	115	-	32
discovery_ml_linux_system_process_discovery.toml in rules/ml	115	-	32
persistence_ml_windows_anomalous_process_all_hosts.toml in rules/ml	169	-	32
persistence_ml_windows_anomalous_process_creation.toml in rules/ml	157	-	32
ml_high_count_network_denies.toml in rules/ml	94	-	32
command_and_control_ml_packetbeat_rare_user_agent.toml in rules/ml	117	-	32
execution_ml_windows_anomalous_script.toml in rules/ml	116	-	32
privilege_escalation_ml_linux_anomalous_sudo_activity.toml in rules/ml	123	-	32
ml_rare_destination_country.toml in rules/ml	98	-	32
command_and_control_ml_packetbeat_dns_tunneling.toml in rules/ml	108	-	32
persistence_ml_rare_process_by_host_windows.toml in rules/ml	158	-	32
discovery_ml_linux_system_user_discovery.toml in rules/ml	114	-	32
resource_development_ml_linux_anomalous_compiler_activity.toml in rules/ml	118	-	32
credential_access_promt_for_pwd_via_osascript.toml in rules/macos	107	-	32
command_and_control_frequent_egress_netcon_from_sus_executable.toml in rules/linux	117	-	32
impact_potential_bruteforce_malware_infection.toml in rules/linux	134	-	32
lateral_movement_telnet_network_activity_internal.toml in rules/linux	117	-	32
lateral_movement_unusual_remote_file_creation.toml in rules/linux	118	-	32
lateral_movement_remote_file_creation_world_writeable_dir.toml in rules/linux	111	-	32