Open

brokensound77 pushed a commit that referenced this pull request on Sep 8, 2023:
* tuned web shell logic, and converted to EQL
* Removed old, created new rule to bypass "type" bug
* Revert "Removed old, created new rule to bypass "type" bug" (this reverts commit e994b62.)
* Revert "tuned web shell logic, and converted to EQL" (this reverts commit 28bda94.)
* Deprecated old rule, added new
* formatting fix
* removed endgame index
* Fixed changes captured as edited, not created
* Update rules/linux/persistence_shell_activity_through_web_server.toml (Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>)
* fix conflict
* added host.os.type==linux for unit testing
* removed wildcards in process.args
* Update rules/linux/persistence_shell_activity_via_web_server.toml (Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>)
* fixed conflict by changing file name and changes
* Trying to resolve the GH conflict
* attempt to fix GH conflict #2
* Update persistence_shell_activity_by_web_server.toml
* Added endgame support
* Added OSQuery to investigation guide
* Update rules/linux/persistence_linux_shell_activity_via_web_server.toml (Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>)
* Update rules/linux/persistence_linux_shell_activity_via_web_server.toml (Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>)
* removed investigation guide to add in future PR

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Samirbous added a commit to Samirbous/detection-rules that referenced this pull request on Dec 17, 2025:
* [Tuning] Windows BruteForce Rules Tuning

  brokensound77#1 Multiple Logon Failure from the same Source Address: converted to ES|QL and raised the threshold to 100 failed auths, alert quality should be better since it aggregates all failed auths info into one alert vs multiple EQL matches. (expected reduction more than 50%)

  brokensound77#2 Privileged Account Brute Force - converted to ESQL and set the threshold to 50 in a minute. this should drop noise volume by more than 50%.

* ++
* Update execution_shell_evasion_linux_binary.toml
* Update execution_shell_evasion_linux_binary.toml
* Update defense_evasion_indirect_exec_forfiles.toml
* Update lateral_movement_remote_file_copy_hidden_share.toml
* Update lateral_movement_remote_file_copy_hidden_share.toml
* Update persistence_service_windows_service_winlog.toml
* Update credential_access_lsass_openprocess_api.toml
* Update persistence_suspicious_scheduled_task_runtime.toml
* Update impact_hosts_file_modified.toml
* Update defense_evasion_process_termination_followed_by_deletion.toml
* Update rules/windows/credential_access_lsass_openprocess_api.toml
* Update rules/windows/credential_access_bruteforce_admin_account.toml (Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>)
* Update rules/windows/credential_access_lsass_openprocess_api.toml (Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>)
* Update rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml (Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>)
* Update credential_access_lsass_openprocess_api.toml
* Update impact_hosts_file_modified.toml
* Update credential_access_dollar_account_relay.toml
* Update credential_access_new_terms_secretsmanager_getsecretvalue.toml

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
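The commit message above contrasts a per-event EQL match with an aggregated ES|QL query that counts failed logons per source address in a time bucket and fires once when the count crosses a threshold. The following is an added illustration of that aggregation pattern in Python, not the repository's rule and not ES|QL: it assumes Windows logon-failure events carry `event.code` 4625, `source.ip` and `user.name` (assumed field names), runs over constructed sample events, and takes the threshold, bucket width and optional privileged-user filter as parameters so the 100-per-window and 50-per-minute settings named in the message can both be expressed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)


def _mk(ts, ip, user, code="4625"):
    # Assumed field names; a real rule would key on the ECS fields of its data source.
    return {"@timestamp": ts, "event.code": code, "source.ip": ip, "user.name": user}


# Constructed sample events (not from any real dataset or from the repository).
SAMPLE_EVENTS = (
    [_mk(f"2025-12-17T10:00:{s:02d}Z", "10.0.0.5", "alice") for s in range(0, 6)]
    + [_mk(f"2025-12-17T10:00:{s:02d}Z", "10.0.0.5", "administrator") for s in range(6, 12)]
    + [_mk(f"2025-12-17T10:00:{s:02d}Z", "10.0.0.6", "bob") for s in range(0, 3)]
    + [_mk("2025-12-17T10:00:30Z", "10.0.0.5", "alice", code="4624")]  # success: must be ignored
    + [_mk("2025-12-17T10:03:00Z", "10.0.0.5", "alice")]  # lands in a later bucket
)


def per_event_matches(events):
    """What a per-event rule would fire on: one match per failed logon."""
    return sum(1 for ev in events if ev.get("event.code") == "4625")


def aggregate_logon_failures(events, threshold, window=timedelta(minutes=1), only_users=None):
    """Count 4625 events per (time bucket, source.ip) and return one alert per
    bucket/IP pair that reaches `threshold`.  `only_users` (optional set) restricts
    the count to specific accounts, which is how a privileged-account variant of
    the same query differs from the generic one."""
    stats = defaultdict(lambda: {"count": 0, "users": set()})
    for ev in events:
        if ev.get("event.code") != "4625":
            continue
        if only_users is not None and ev["user.name"] not in only_users:
            continue
        ts = datetime.strptime(ev["@timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        # Fixed-width bucket measured from the epoch, like a BUCKET()/date-histogram.
        bucket_start = EPOCH + (ts - EPOCH) // window * window
        entry = stats[(bucket_start, ev["source.ip"])]
        entry["count"] += 1
        entry["users"].add(ev["user.name"])

    alerts = []
    for (bucket_start, ip), entry in sorted(stats.items()):
        if entry["count"] >= threshold:
            alerts.append({
                "window_start": bucket_start.strftime("%Y-%m-%dT%H:%M:%SZ"),
                "source.ip": ip,
                "count": entry["count"],
                "distinct_users": sorted(entry["users"]),
            })
    return alerts


if __name__ == "__main__":
    print("per-event matches:", per_event_matches(SAMPLE_EVENTS))
    print("generic, threshold 10:", aggregate_logon_failures(SAMPLE_EVENTS, threshold=10))
    print("privileged, threshold 5:",
          aggregate_logon_failures(SAMPLE_EVENTS, threshold=5, only_users={"administrator"}))
```

With the constructed input, the per-event approach yields sixteen matches while the aggregated query yields a single alert for 10.0.0.5 carrying the count and the distinct target accounts; raising the threshold from 10 to 100 would suppress it entirely, which is the trade the commit message accepts in exchange for fewer alerts. Note that fixed buckets can split a burst across two windows, so a threshold chosen for a sliding window may need to be lower when expressed this way.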