Skip to content

[8.3] [8.3] Adding Documents for v8.3.3 Pre-Built Detection Rules Integration Release (backport #2905) #2909

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
terrancedejesus merged 2 commits into from
Jan 23, 2023
Merged

[8.3] [8.3] Adding Documents for v8.3.3 Pre-Built Detection Rules Integration Release (backport #2905) #2909

terrancedejesus merged 2 commits into from
Jan 23, 2023

Conversation

@mergify
Copy link
Contributor

@mergify mergify bot commented Jan 23, 2023

This is an automatic backport of pull request #2905 done by Mergify.
Cherry-pick of 3d0edd6 has failed:

On branch mergify/bp/8.3/pr-2905
Your branch is up to date with 'origin/8.3'.

You are currently cherry-picking commit 3d0edd6.
  (fix conflicts and run "git cherry-pick --continue")
  (use "git cherry-pick --skip" to skip this patch)
  (use "git cherry-pick --abort" to cancel the cherry-pick operation)

Changes to be committed:
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-a-scheduled-task-was-created.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-a-scheduled-task-was-updated.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-abnormal-process-id-or-lock-file-created.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-abnormally-large-dns-response.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-accepted-default-telnet-port-connection.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-access-of-stored-browser-credentials.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-access-to-a-sensitive-ldap-attribute.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-access-to-keychain-credentials-directories.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-account-configured-with-never-expiring-password.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-account-discovery-command-via-system-account.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-account-password-reset-remotely.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-adding-hidden-file-attribute-via-attrib.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-adfind-command-activity.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-administrator-privileges-assigned-to-an-okta-group.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-administrator-role-assigned-to-an-okta-user.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-adminsdholder-backdoor.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-adminsdholder-sdprop-exclusion-added.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-adobe-hijack-persistence.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-adversary-behavior-detected-elastic-endgame.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-apple-script-execution-followed-by-network-connection.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-apple-scripting-execution-with-administrator-privileges.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-attempt-to-create-okta-api-token.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-attempt-to-deactivate-an-okta-application.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-attempt-to-deactivate-an-okta-network-zone.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-attempt-to-deactivate-an-okta-policy-rule.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-attempt-to-deactivate-an-okta-policy.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-attempt-to-deactivate-mfa-for-an-okta-user-account.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-attempt-to-delete-an-okta-application.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-attempt-to-delete-an-okta-network-zone.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-attempt-to-delete-an-okta-policy-rule.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-attempt-to-delete-an-okta-policy.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-attempt-to-disable-gatekeeper.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-attempt-to-disable-syslog-service.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-attempt-to-enable-the-root-account.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-attempt-to-install-root-certificate.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-attempt-to-modify-an-okta-application.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-attempt-to-modify-an-okta-network-zone.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-attempt-to-modify-an-okta-policy-rule.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-attempt-to-modify-an-okta-policy.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-attempt-to-mount-smb-share-via-command-line.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-attempt-to-remove-file-quarantine-attribute.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-attempt-to-reset-mfa-factors-for-an-okta-user-account.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-attempt-to-revoke-okta-api-token.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-attempt-to-unload-elastic-endpoint-security-kernel-extension.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-attempted-bypass-of-okta-mfa.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-attempts-to-brute-force-an-okta-user-account.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-authorization-plugin-modification.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-aws-access-secret-in-secrets-manager.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-aws-cloudtrail-log-created.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-aws-cloudtrail-log-deleted.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-aws-cloudtrail-log-suspended.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-aws-cloudtrail-log-updated.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-aws-cloudwatch-alarm-deletion.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-aws-cloudwatch-log-group-deletion.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-aws-cloudwatch-log-stream-deletion.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-aws-config-resource-deletion.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-aws-ec2-snapshot-activity.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-aws-execution-via-system-manager.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-aws-iam-assume-role-policy-update.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-aws-iam-brute-force-of-assume-role-policy.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-aws-iam-deactivation-of-mfa-device.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-aws-iam-user-addition-to-group.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-aws-kms-customer-managed-key-disabled-or-scheduled-for-deletion.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-aws-management-console-root-login.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-aws-root-login-without-mfa.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-aws-s3-bucket-configuration-deletion.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-aws-vpc-flow-logs-deletion.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-azure-active-directory-high-risk-sign-in.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-azure-active-directory-high-risk-user-sign-in-heuristic.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-azure-active-directory-powershell-sign-in.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-azure-event-hub-authorization-rule-created-or-updated.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-azure-key-vault-modified.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-azure-privilege-identity-management-role-modified.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-azure-service-principal-addition.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-base16-or-base32-encoding-decoding-activity.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-bash-shell-profile-modification.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-binary-executed-from-shared-memory-directory.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-bpf-filter-applied-using-tc.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-bypass-uac-via-event-viewer.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-chkconfig-service-add.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-clearing-windows-console-history.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-clearing-windows-event-logs.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-cobalt-strike-command-and-control-beacon.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-command-execution-via-solarwinds-process.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-command-prompt-network-connection.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-command-shell-activity-started-via-rundll32.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-component-object-model-hijacking.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-conhost-spawned-by-suspicious-parent-process.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-connection-to-commonly-abused-free-ssl-certificate-providers.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-connection-to-commonly-abused-web-services.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-connection-to-external-network-via-telnet.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-connection-to-internal-network-via-telnet.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-control-panel-process-with-unusual-arguments.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-creation-of-a-hidden-local-user-account.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-creation-of-hidden-files-and-directories-via-commandline.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-creation-of-hidden-launch-agent-or-daemon.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-creation-of-hidden-login-item-via-apple-script.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-creation-of-hidden-shared-object-file.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-creation-or-modification-of-a-new-gpo-scheduled-task-or-service.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-creation-or-modification-of-domain-backup-dpapi-private-key.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-creation-or-modification-of-root-certificate.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-credential-acquisition-via-registry-hive-dumping.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-default-cobalt-strike-team-server-certificate.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-delete-volume-usn-journal-with-fsutil.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-deleting-backup-catalogs-with-wbadmin.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-direct-outbound-smb-connection.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-disable-windows-event-and-security-logs-using-built-in-tools.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-disable-windows-firewall-rules-via-netsh.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-disabling-user-account-control-via-registry-modification.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-disabling-windows-defender-security-settings-via-powershell.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-dns-over-https-enabled-via-registry.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-dumping-account-hashes-via-built-in-commands.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-dumping-of-keychain-content-via-security-command.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-dynamic-linker-copy.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-eggshell-backdoor-execution.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-elastic-agent-service-terminated.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-emond-rules-creation-or-modification.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-enable-host-network-discovery-via-netsh.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-encoded-executable-stored-in-the-registry.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-encrypting-files-with-winrar-or-7z.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-endpoint-security.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-enumerating-domain-trusts-via-nltest-exe.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-enumeration-command-spawned-via-wmiprvse.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-enumeration-of-administrator-accounts.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-enumeration-of-kernel-modules.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-enumeration-of-privileged-local-groups-membership.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-enumeration-of-users-or-groups-via-built-in-commands.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-executable-file-creation-with-multiple-extensions.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-execution-from-unusual-directory-command-line.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-execution-of-com-object-via-xwizard.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-execution-of-file-written-or-modified-by-microsoft-office.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-execution-of-file-written-or-modified-by-pdf-reader.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-execution-of-persistent-suspicious-program.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-execution-via-electron-child-process-node-js-module.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-execution-via-local-sxs-shared-module.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-execution-via-mssql-xp-cmdshell-stored-procedure.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-execution-via-tsclient-mountpoint.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-execution-with-explicit-credentials-via-scripting.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-exporting-exchange-mailbox-via-powershell.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-external-ip-lookup-from-non-browser-process.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-file-deletion-via-shred.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-file-made-immutable-by-chattr.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-file-permission-modification-in-writable-directory.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-file-transfer-or-listener-established-via-netcat.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-finder-sync-plugin-registered-and-enabled.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-full-user-mode-dumps-enabled-system-wide.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-gcp-kubernetes-rolebindings-created-or-patched.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-gcp-pub-sub-subscription-creation.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-gcp-pub-sub-topic-creation.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-google-workspace-mfa-enforcement-disabled.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-group-policy-abuse-for-privilege-addition.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-halfbaked-command-and-control-beacon.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-high-number-of-okta-user-password-reset-or-unlock-attempts.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-high-number-of-process-and-or-service-terminations.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-high-number-of-process-terminations.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-hosts-file-modified.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-hping-process-activity.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-iis-http-logging-disabled.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-image-file-execution-options-injection.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-imageload-via-windows-update-auto-update-client.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-inbound-connection-to-an-unsecure-elasticsearch-node.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-incoming-dcom-lateral-movement-via-mshta.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-incoming-dcom-lateral-movement-with-mmc.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-incoming-dcom-lateral-movement-with-shellbrowserwindow-or-shellwindows.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-incoming-execution-via-powershell-remoting.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-incoming-execution-via-winrm-remote-shell.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-installation-of-custom-shim-databases.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-installation-of-security-support-provider.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-installutil-process-making-network-connections.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-interactive-terminal-spawned-via-perl.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-interactive-terminal-spawned-via-python.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-ipsec-nat-traversal-port-activity.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-kerberos-cached-credentials-dumping.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-kerberos-pre-authentication-disabled-for-user.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-kerberos-traffic-from-unusual-process.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-kernel-module-load-via-insmod.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-kernel-module-removal.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-keychain-password-retrieval-via-command-line.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-krbtgt-delegation-backdoor.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-lateral-movement-via-startup-folder.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-launch-agent-creation-or-modification-and-immediate-loading.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-launchdaemon-creation-or-modification-and-immediate-loading.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-linux-restricted-shell-breakout-via-linux-binary-s.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-local-account-tokenfilter-policy-disabled.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-local-scheduled-task-creation.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-lsass-memory-dump-creation.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-lsass-memory-dump-handle-access.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-macos-installer-package-spawns-network-event.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-masquerading-space-after-filename.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-microsoft-build-engine-started-an-unusual-process.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-microsoft-build-engine-started-by-a-script-process.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-microsoft-build-engine-started-by-a-system-process.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-microsoft-build-engine-started-by-an-office-application.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-microsoft-build-engine-using-an-alternate-name.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-microsoft-exchange-server-um-spawning-suspicious-processes.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-microsoft-exchange-server-um-writing-suspicious-files.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-microsoft-exchange-worker-spawning-suspicious-processes.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-microsoft-iis-connection-strings-decryption.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-microsoft-iis-service-account-password-dumped.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-microsoft-windows-defender-tampering.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-mimikatz-memssp-log-file-detected.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-modification-of-amsienable-registry-key.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-modification-of-boot-configuration.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-modification-of-dynamic-linker-preload-shared-object.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-modification-of-environment-variable-via-launchctl.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-modification-of-openssh-binaries.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-modification-of-safari-settings-via-defaults-command.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-modification-of-standard-authentication-module-or-configuration.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-modification-of-the-mspkiaccountcredentials.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-modification-of-wdigest-security-provider.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-modification-or-removal-of-an-okta-application-sign-on-policy.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-mounting-hidden-or-webdav-remote-shares.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-ms-office-macro-security-registry-modifications.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-msbuild-making-network-connections.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-mshta-making-network-connections.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-multi-factor-authentication-disabled-for-an-azure-user.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-multiple-alerts-in-different-att-ck-tactics-on-a-single-host.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-multiple-alerts-involving-a-user.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-multiple-logon-failure-followed-by-logon-success.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-multiple-logon-failure-from-the-same-source-address.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-multiple-vault-web-credentials-read.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-namespace-manipulation-using-unshare.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-network-connection-via-certutil.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-network-connection-via-compiled-html-file.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-network-connection-via-msxsl.asciidoc
	new file:   docs/detections/prebuilt-rules/downl
(…)
-packages/8-3-3/prebuilt-rule-8-3-3-potential-privilege-escalation-via-installerfiletakeover.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-potential-privilege-escalation-via-pkexec.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-potential-privilege-escalation-via-sudoers-file-modification.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-potential-privileged-escalation-via-samaccountname-spoofing.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-potential-process-herpaderping-attempt.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-potential-process-injection-via-powershell.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-potential-protocol-tunneling-via-earthworm.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-potential-remote-credential-access-via-registry.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-potential-remote-desktop-shadowing-activity.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-potential-remote-desktop-tunneling-detected.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-potential-reverse-shell-activity-via-terminal.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-potential-secure-file-deletion-via-sdelete-utility.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-potential-shadow-credentials-added-to-ad-object.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-potential-shadow-file-read-via-command-line-utilities.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-potential-sharprdp-behavior.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-potential-shell-via-web-server.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-potential-ssh-brute-force-detected-on-privileged-account.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-potential-ssh-password-guessing.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-potential-windows-error-manager-masquerading.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-powershell-kerberos-ticket-request.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-powershell-keylogging-script.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-powershell-minidump-script.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-powershell-psreflect-script.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-powershell-script-block-logging-disabled.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-powershell-script-with-token-impersonation-capabilities.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-powershell-share-enumeration-script.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-powershell-suspicious-discovery-related-windows-api-functions.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-powershell-suspicious-payload-encoded-and-compressed.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-powershell-suspicious-script-with-audio-capture-capabilities.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-powershell-suspicious-script-with-screenshot-capabilities.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-privilege-escalation-via-named-pipe-impersonation.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-privilege-escalation-via-rogue-named-pipe-impersonation.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-privilege-escalation-via-root-crontab-file-modification.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-privilege-escalation-via-windir-environment-variable.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-privileged-account-brute-force.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-privileges-elevation-via-parent-process-pid-spoofing.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-process-activity-via-compiled-html-file.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-process-creation-via-secondary-logon.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-process-execution-from-an-unusual-directory.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-process-injection-by-the-microsoft-build-engine.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-process-started-from-process-id-pid-file.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-process-termination-followed-by-deletion.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-program-files-directory-masquerading.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-prompt-for-credentials-with-osascript.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-psexec-network-connection.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-rare-aws-error-code.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-rdp-enabled-via-registry.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-registry-persistence-via-appcert-dll.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-registry-persistence-via-appinit-dll.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-remote-computer-account-dnshostname-update.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-remote-desktop-enabled-in-windows-firewall-by-netsh.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-remote-execution-via-file-shares.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-remote-file-copy-to-a-hidden-share.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-remote-file-copy-via-teamviewer.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-remote-file-download-via-desktopimgdownldr-utility.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-remote-file-download-via-mpcmdrun.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-remote-file-download-via-powershell.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-remote-file-download-via-script-interpreter.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-remote-logon-followed-by-scheduled-task-creation.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-remote-scheduled-task-creation.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-remote-ssh-login-enabled-via-systemsetup-command.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-remote-system-discovery-commands.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-remote-windows-service-installed.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-remotely-started-services-via-rpc.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-renamed-autoit-scripts-interpreter.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-reverse-shell-created-via-named-pipe.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-roshal-archive-rar-or-powershell-file-downloaded-from-the-internet.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-scheduled-task-created-by-a-windows-script.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-scheduled-task-execution-at-scale-via-gpo.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-scheduled-tasks-at-command-enabled.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-screensaver-plist-file-modified-by-unexpected-process.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-searching-for-saved-credentials-via-vaultcmd.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-security-software-discovery-using-wmic.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-security-software-discovery-via-grep.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-sedebugprivilege-enabled-by-a-suspicious-process.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-sensitive-files-compression.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-sensitive-privilege-seenabledelegationprivilege-assigned-to-a-user.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-service-command-lateral-movement.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-service-control-spawned-via-script-interpreter.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-service-creation-via-local-kerberos-authentication.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-setuid-setgid-bit-set-via-chmod.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-shell-execution-via-apple-scripting.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-signed-proxy-execution-via-ms-work-folders.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-sip-provider-modification.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-softwareupdate-preferences-modification.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-solarwinds-process-disabling-services-via-registry.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-spike-in-aws-error-messages.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-ssh-authorized-keys-file-modification.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-startup-folder-persistence-via-unsigned-process.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-startup-logon-script-added-to-group-policy-object.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-startup-or-run-key-registry-modification.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-startup-persistence-by-a-suspicious-process.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-sublime-plugin-or-application-script-modification.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-sudo-heap-based-buffer-overflow-attempt.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-sudoers-file-modification.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-sunburst-command-and-control-activity.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-suspicious-activity-reported-by-okta-user.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-suspicious-automator-workflows-execution.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-suspicious-browser-child-process.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-suspicious-calendar-file-modification.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-suspicious-certutil-commands.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-suspicious-child-process-of-adobe-acrobat-reader-update-service.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-suspicious-cmd-execution-via-wmi.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-suspicious-crontab-creation-or-modification.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-suspicious-dll-loaded-for-persistence-or-privilege-escalation.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-suspicious-emond-child-process.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-suspicious-endpoint-security-parent-process.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-suspicious-execution-from-a-mounted-device.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-suspicious-execution-short-program-name.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-suspicious-execution-via-scheduled-task.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-suspicious-explorer-child-process.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-suspicious-file-creation-in-etc-for-persistence.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-suspicious-hidden-child-process-of-launchd.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-suspicious-html-file-creation.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-suspicious-image-load-taskschd-dll-from-ms-office.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-suspicious-imagepath-service-creation.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-suspicious-java-child-process.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-suspicious-lsass-access-via-malseclogon.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-suspicious-macos-ms-office-child-process.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-suspicious-managed-code-hosting-process.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-suspicious-microsoft-diagnostics-wizard-execution.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-suspicious-module-loaded-by-lsass.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-suspicious-ms-office-child-process.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-suspicious-ms-outlook-child-process.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-suspicious-net-code-compilation.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-suspicious-net-reflection-via-powershell.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-suspicious-network-connection-attempt-by-root.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-suspicious-pdf-reader-child-process.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-suspicious-portable-executable-encoded-in-powershell-script.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-suspicious-powershell-engine-imageload.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-suspicious-powershell-script.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-suspicious-print-spooler-file-deletion.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-suspicious-print-spooler-point-and-print-dll.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-suspicious-print-spooler-spl-file-created.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-suspicious-printspooler-service-executable-file-creation.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-suspicious-process-access-via-direct-system-call.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-suspicious-process-creation-calltrace.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-suspicious-process-execution-via-renamed-psexec-executable.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-suspicious-rdp-activex-client-loaded.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-suspicious-remote-registry-access-via-sebackupprivilege.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-suspicious-script-object-execution.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-suspicious-service-was-installed-in-the-system.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-suspicious-solarwinds-child-process.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-suspicious-startup-shell-folder-modification.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-suspicious-werfault-child-process.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-suspicious-wmi-image-load-from-ms-office.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-suspicious-wmic-xsl-script-execution.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-suspicious-zoom-child-process.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-svchost-spawning-cmd.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-symbolic-link-to-shadow-copy-created.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-system-information-discovery-via-windows-command-shell.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-system-log-file-deletion.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-system-shells-via-services.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-systemkey-access-via-command-line.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-tampering-of-bash-command-line-history.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-tcc-bypass-via-mounted-apfs-snapshot-access.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-temporarily-scheduled-task-creation.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-third-party-backup-files-deleted-via-unexpected-process.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-threat-detected-by-okta-threatinsight.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-threat-intel-filebeat-module-v8-x-indicator-match.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-threat-intel-indicator-match.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-timestomping-using-touch-command.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-uac-bypass-attempt-via-elevated-com-internet-explorer-add-on-installer.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-uac-bypass-attempt-via-privileged-ifileoperation-com-interface.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-uac-bypass-attempt-via-windows-directory-masquerading.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-uac-bypass-attempt-with-ieditionupgrademanager-elevated-com-interface.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-uac-bypass-via-diskcleanup-scheduled-task-hijack.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-uac-bypass-via-icmluautil-elevated-com-interface.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-uac-bypass-via-windows-firewall-snap-in-hijack.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-unauthorized-access-to-an-okta-application.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-uncommon-registry-persistence-change.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-unexpected-child-process-of-macos-screensaver-engine.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-unusual-aws-command-for-a-user.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-unusual-child-process-from-a-system-virtual-process.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-unusual-child-process-of-dns-exe.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-unusual-child-processes-of-rundll32.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-unusual-city-for-an-aws-command.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-unusual-country-for-an-aws-command.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-unusual-executable-file-creation-by-a-system-critical-process.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-unusual-file-creation-alternate-data-stream.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-unusual-file-modification-by-dns-exe.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-unusual-network-activity-from-a-windows-system-binary.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-unusual-network-connection-via-dllhost.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-unusual-network-connection-via-rundll32.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-unusual-parent-child-relationship.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-unusual-parent-process-for-cmd-exe.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-unusual-persistence-via-services-registry.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-unusual-print-spooler-child-process.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-unusual-process-execution-path-alternate-data-stream.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-unusual-process-for-a-windows-host.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-unusual-process-network-connection.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-unusual-service-host-child-process-childless-service.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-user-account-creation.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-user-account-exposed-to-kerberoasting.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-user-added-to-privileged-group.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-virtual-machine-fingerprinting-via-grep.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-virtual-machine-fingerprinting.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-virtual-private-network-connection-attempt.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-vnc-virtual-network-computing-from-the-internet.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-vnc-virtual-network-computing-to-the-internet.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-volume-shadow-copy-deleted-or-resized-via-vssadmin.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-volume-shadow-copy-deletion-via-powershell.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-volume-shadow-copy-deletion-via-wmic.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-web-application-suspicious-activity-post-request-declined.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-web-application-suspicious-activity-sqlmap-user-agent.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-web-application-suspicious-activity-unauthorized-method.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-web-shell-detection-script-process-child-of-common-web-processes.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-webproxy-settings-modification.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-webserver-access-logs-deleted.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-whoami-process-activity.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-windows-cryptoapi-spoofing-vulnerability-cve-2020-0601-curveball.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-windows-defender-disabled-via-registry-modification.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-windows-defender-exclusions-added-via-powershell.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-windows-event-logs-cleared.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-windows-firewall-disabled-via-powershell.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-windows-network-enumeration.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-windows-registry-file-creation-in-smb-share.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-windows-script-executing-powershell.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-windows-script-interpreter-executing-process-via-wmi.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-windows-service-installed-via-an-unusual-client.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-wireless-credential-dumping-using-netsh-command.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rule-8-3-3-wmi-incoming-lateral-movement.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rules-8-3-3-appendix.asciidoc
	new file:   docs/detections/prebuilt-rules/downloadable-packages/8-3-3/prebuilt-rules-8-3-3-summary.asciidoc

Unmerged paths:
  (use "git add <file>..." to mark resolution)
	both modified:   docs/detections/prebuilt-rules/prebuilt-rules-downloadable-updates.asciidoc
	both modified:   docs/index.asciidoc

To fix up this pull request, you can check it out locally. See documentation: https://docs.github.com/en/github/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/checking-out-pull-requests-locally

Mergify commands and options

More conditions and actions can be found in the documentation.

You can also trigger Mergify actions by commenting on this pull request:

  • @Mergifyio refresh will re-evaluate the rules
  • @Mergifyio rebase will rebase this PR on its base branch
  • @Mergifyio update will merge the base branch into this PR
  • @Mergifyio backport <destination> will backport this PR on <destination> branch

Additionally, on Mergify dashboard you can:

  • look at your merge queues
  • generate the Mergify configuration with the config editor.

Finally, you can contact us on https://mergify.com

@terrancedejesus @mergify
[8.3] Adding Documents for v8.3.3 Pre-Built Detection Rules Integrati…
c0f34b1 
…on Release (#2905)

* [8.3] Adding Documents for 8.3.3 Pre-Built Detection Rules Integration Release

* updated OSQuery links

(cherry picked from commit 3d0edd6)

# Conflicts:
#	docs/detections/prebuilt-rules/prebuilt-rules-downloadable-updates.asciidoc
#	docs/index.asciidoc
@github-actions
Copy link

github-actions bot commented Jan 23, 2023

Documentation previews:

@terrancedejesus
Copy link
Contributor

terrancedejesus commented Jan 23, 2023
edited
Loading

Failing because backporting is going to 8.3 and 8.4 references exist. Ultimately, we may need have to specify to only backport to the latest branch the documents reference.

10:03:25 INFO:build_docs:asciidoctor: ERROR: detections/prebuilt-rules/prebuilt-rules-downloadable-updates.asciidoc: line 94: include file not found: /tmp/docsbuild/MM7_7ZsqRT/security-docs/docs/detections/prebuilt-rules/downloadable-packages/8-4-1/prebuilt-rules-8-4-1-summary.asciidoc
10:03:25 INFO:build_docs:asciidoctor: WARNING: detections/prebuilt-rules/downloadable-packages/8-3-2/prebuilt-rules-8-3-2-summary.asciidoc: line 3: id assigned to block already in use: prebuilt-rule-8-3-2-prebuilt-rules-8-3-2-summary
10:03:25 INFO:build_docs:asciidoctor: ERROR: index.asciidoc: line 76: include file not found: /tmp/docsbuild/MM7_7ZsqRT/security-docs/docs/detections/prebuilt-rules/downloadable-packages/8-4-1/prebuilt-rules-8-4-1-appendix.asciidoc
10:03:25 INFO:build_docs:asciidoctor: WARNING: invalid reference: prebuilt-rule-8-4-1-prebuilt-rules-8-4-1-summary
10:03:25 INFO:build_docs:

Since we are releasing a package for each version -3 from main, we may need to rethink how we approach updates to this repository as a result. Merging into main all of the packages is fine. When backporting, we can only backport to +1 of the earliest package version. Example below.

OOB Packages (Packages - v8.6.1, v8.5.1, v8.4.2, v8.3.3):
Main -> Packages - v8.6.1, v8.5.1, v8.4.2, v8.3.3
8.6 -> Packages - v8.6.1
8.5 -> Packages - v8.5.1, v8.4.2, v8.3.3
8.4 -> Packages - v8.4.2, v8.3.3
8.3 -> Packages - v8.3.3

This adds complexity to the doc updates. We may also want to limit the documentation scope to only matching minor stacks. For the 8.5 branch, we should only display v8.5.x packages as customers will not receive 8.6 packages and Fleet automatically installs the latest package, therefore previous is obsolete.

As a stop-gap prior to https://github.com/elastic/ia-trade-team/issues/17 (re-factor), we may need to only apply package documents to the compatible branch as so...

OOB Packages (Packages - v8.6.1, v8.5.1, v8.4.2, v8.3.3):
Main -> Packages - v8.6.1, v8.5.1, v8.4.2, v8.3.3
8.6 -> Packages - v8.6.1, v8.6.2
8.5 -> Packages - v8.5.1, v8.5.2
8.4 -> Packages - v8.4.2, v8.4.3
8.3 -> Packages - v8.3.3, v8.3.4

As shown, we can still merge everything into master but the specific branch versions would only reflect the latest compatible package just as Fleet would install. The potential issue is the target branch would no longer receive previous branch packages but I think these can still be added, it just adds complexity to the PRs.

At the moment, it appears there are no rule version history links for OOB packages, this only exists for filesystem rules in Kibana, which is no longer available as of 8.6. This would be nice detail, but we may save this for the pre-built detection rules security docs refactor.

Screen Shot 2023-01-23 at 2 47 09 PM

Screen Shot 2023-01-23 at 2 47 46 PM

Regarding Detection Rules code for the CLI command that generates these documents, it appears the "new" vs "update" is dependent on logic in detection rules and is not dependent on the security docs repository. As a result, if we only pushed package docs to a specific branch, it will still determine if these are new or not.

TRaDE will need to be careful when running our integration docs generation CLI command as we compare diffs from the specified tags. This should work well when targeting specific branches (i.e. comparing 8.3.3 to 8.3.4) to tell what rules have been updated and which are new.

@dev_group.command('build-integration-docs')
@click.argument('registry-version')
@click.option('--pre', required=True, help='Tag for pre-existing rules')
@click.option('--post', required=True, help='Tag for rules post updates')
@click.option('--directory', '-d', type=Path, required=True, help='Output directory to save docs to')
@click.option('--force', '-f', is_flag=True, help='Bypass the confirmation prompt')
@click.option('--remote', '-r', default='origin', help='Override the remote from "origin"')
@click.pass_context
def build_integration_docs(ctx: click.Context, registry_version: str, pre: str, post: str, directory: Path, force: bool,
                           remote: Optional[str] = 'origin') -> IntegrationSecurityDocs:
    """Build documents from two git tags for an integration package."""
    if not force:
        if not click.confirm(f'This will refresh tags and may overwrite local tags for: {pre} and {post}. Continue?'):
            ctx.exit(1)

    rules_changes = get_release_diff(pre, post, remote)
    docs = IntegrationSecurityDocs(registry_version, directory, True, *rules_changes)
    package_dir = docs.generate()

    click.echo(f'Generated documents saved to: {package_dir}')
    updated, new, deprecated = rules_changes
    click.echo(f'- {len(updated)} updated rules')
    click.echo(f'- {len(new)} new rules')
    click.echo(f'- {len(deprecated)} deprecated rules')

    return docs

Short-Term Solution

To not become potentially blocker in this repository.

  1. Merge in existing backport PRs that are passing
  2. Checkout this PR locally, remove 8.4 references, pass the testing and merge.
  3. For further package releases and doc updates
    1. In detection rules, checkout appropriate branch and then checkout locked version PR commit
    2. Run integration security docs CLI command comparing only the latest package version compatible with this stack and the new package compatible with this stack
    3. Stage changes, commit and push to target branch (i.e. v8.3.4 -> 8.3 branch and compare v8.3.3 to v8.3.4)
    4. Review changes and approvals
    5. Merge but DO NOT backport

I am concerned about that branches will diverge from main, since it relies on backporting and therefore I am unaware if this temporary solution is feasible at the moment.

@terrancedejesus terrancedejesus merged commit 9dfe102 into 8.3 Jan 23, 2023
@mergify mergify bot deleted the mergify/bp/8.3/pr-2905 branch January 23, 2023 22:28
This was referenced Jan 24, 2023
Closed
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@terrancedejesus terrancedejesus

Labels

backport conflicts

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@terrancedejesus