elastic / detection-rules

https://www.elastic.co/guide/en/security/current/detection-engine-overview.html

[Rule Tuning] CWP Rule Review and Tuning (O365) #1876

Closed terrancedejesus closed 3 weeks ago

terrancedejesus commented 2 years ago

Link to rule

O365 Integration Rules ATT&CK Coverage

Description

The following rules are older than 90 days and are missing investigation notes. Investigation notes will be added, and each rule will be examined via telemetry and through simulation to determine whether tuning is necessary. We should also look to start documentation on how to set up a rule development environment for this, as it does not currently exist - Example

Documentation

E2E Testing and Tuning Review

Potential Rule Development

If we notice a new potential rule from review or a 3rd party, let's list it here with a reference of some sort. New rules are in the stretch goals of this issue, so if we have available time we can start these new rule issues/PRs.

Schema Issues

For any schema issues or corrections we come across, let's get issues/PRs started to fix them and track them in a list below.

Rule Tuning

Let's keep track of all tuning issues/PRs from this review here by listing each.

Alert Documents

Let's keep track of every rule and alert we test by including a single JSON.TXT file of the alert document from our Kibana instance.

Stretch

Our stretch goals should consist of new rule development. If we review rules, test and confirm they are fine, and notice a new rule opportunity, we can at least start the issue and have the query available while we are already in the environment.

botelastic[bot] commented 2 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

terrancedejesus commented 2 years ago

This was scoped for 8.3 but unfortunately did not make it. Re-scoping this for 8.4 release.

terrancedejesus commented 1 year ago

This was re-scoped for 8.4 but unfortunately did not make it as GCP and Google Workspace were completed. Potentially re-scoping this for a later release.

w0rk3r commented 3 weeks ago

Closing this in favor of https://github.com/elastic/ia-trade-team/issues/375