Closed terrancedejesus closed 1 month ago
Welcome to the hunting folder within the detection-rules repository! This directory houses a curated collection of threat hunting queries designed to enhance security monitoring and threat detection capabilities using the Elastic Stack.
- `author`: The name of the individual or organization authoring the rule.
- `creation_date` matches the date the creation PR was initially merged.
- `min_stack_version` supports the widest range of stack versions.
- `name` and `description` are descriptive and typo-free.
- `language`: The query language(s) used in the rule, such as `KQL`, `EQL`, `ES|QL`, `OsQuery`, or `YARA`.
- `query` is inclusive, not overly exclusive, considering performance for diverse environments.
- `integration` aligns with the `index`. Ensure updates if the integration is newly introduced.
- `setup` includes the necessary steps to configure the integration.
- `note` includes additional information (e.g., Triage and analysis investigation guides, timeline templates).
- `tags` are relevant to the threat and align with `EXPECTED_HUNT_TAGS` in `definitions.py`.
- `threat`, `techniques`, and `subtechniques` map to ATT&CK whenever possible.
- Run `python generate_markdown.py` to update the documentation.
Pull Request
Issue link(s): https://github.com/elastic/ia-trade-team/issues/361
Summary - What I changed
This pull request adds initial AWS hunting queries to the shared hunting library. Along with these queries are the generated docs in markdown format and an updated index.
How To Test
There is no testing required for this pull request aside from the unit tests already established.
Checklist
- Add the `bug`, `enhancement`, `schema`, `Rule: New`, `Rule: Deprecation`, `Rule: Tuning`, `Hunt: New`, or `Hunt: Tuning` label so guidelines can be generated
- Add the `meta:rapid-merge` label if planning to merge within 24 hours
Contributor checklist