Justin Ibarra
- ignore ssl warnings - pass count to track per thread (or get from thread object) - capture raw bits to prevent non printable ascii; `content` for raw body; may...
Reverts elastic/detection-rules#4086 This technically introduced a bug and will create opaque issues - most specifically when dumping a rule with empty lists then reparsing them (if required by the schema)...
## Overview The [manual-backflow](https://github.com/elastic/detection-rules/blob/main/.github/workflows/manual-backport.yml) workflow was recently [modified](https://github.com/elastic/detection-rules/commits/main/.github/workflows/manual-backport.yml) in order to be compatible with an internal backport emulation script. It now successfully runs, but results in no changes detected for...
### Description A user has downloaded an excessive amount of files in Slack over a short period, which could indicate attempts to perform recon, discovery, or exfil. This could potentially...
### Description Detects multiple self-adds to a Google Workspace user group in short succession, which could be indicative of attempts to `Discover`, `Collect`, `Exfil` or perform recon. Also, side note...
### Description User groups in Google Workspace are created to help manage users' permissions and access to various resources and applications. The security label is only applied to a group...
### Description Explore all file activity by user and event action ### Target Huntset google_workspace ### Target hunt Type ES|QL ### Query ```sql from logs-google_workspace* | where file.name == "*"...
### Description Explore all sensitive files accessed by users, based on defined parameters ### Target Huntset google_workspace ### Target hunt Type ES|QL ### Query ```sql from logs-google_workspace* | where file.name...
### Description Explore all files accessed via view or download by a user, within google workspace. ### Target Huntset google_workspace ### Target hunt Type ES|QL ### Query ```sql from logs-google_workspace*...
### Link to Rule https://github.com/elastic/detection-rules/blob/51859e57f3e55b0478056c3be6ee27ea9154a70a/rules/integrations/google_workspace/credential_access_google_workspace_drive_encryption_key_accessed_by_anonymous_user.toml#L45 ### Rule Tuning Type False Negatives - Enhancing detection of true threats that were previously missed. ### Description Tune google_workspace.drive.visibility beyond just `people_with_link` to include...