Closed Aegrah closed 1 month ago
These guidelines serve as a reminder set of considerations when tuning an existing rule.
updated_date
matches the date of tuning PR merged.min_stack_version
should support the widest stack versions.name
and description
should be descriptive and not include typos.query
should be inclusive, not overly exclusive. Review to ensure the original intent of the rule is maintained.
Summary
The current rule does not have all ways of disabling app armor integrated. While detonating malware samples, I noticed we were lacking coverage. This tuning PR adds this coverage.
Hits in detonate: