Merge branch 'initial-elastic-rules-toml-push' into main

Author: r0ot

rules/cross-platform/credential_access_forced_authentication_pipes.toml

@@ -52,6 +52,7 @@ tags = [
     "Use Case: Active Directory Monitoring",
     "Data Source: System",
     "Resources: Investigation Guide",
+    "vigilant.disabled"
 ]
 timestamp_override = "event.ingested"
 type = "eql"

rules/network/discovery_potential_port_scan_detected.toml

@@ -35,7 +35,7 @@ timestamp_override = "event.ingested"
 type = "threshold"
 
 query = '''
-event.action:network_flow and destination.port:* and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)
+event.action:network and destination.port:* and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)
 '''
 note = """## Triage and analysis
 

rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml

@@ -37,6 +37,7 @@ tags = [
     "Tactic: Credential Access",
     "Data Source: Sysmon",
     "Resources: Investigation Guide",
+    "vigilant.disabled"
 ]
 timestamp_override = "event.ingested"
 type = "threshold"

rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml

@@ -42,6 +42,7 @@ tags = [
     "Data Source: Sysmon",
     "Data Source: System",
     "Resources: Investigation Guide",
+    "vigilant.disabled"
 ]
 timestamp_override = "event.ingested"
 type = "eql"

rules/windows/defense_evasion_timestomp_sysmon.toml

@@ -28,6 +28,7 @@ tags = [
     "Tactic: Defense Evasion",
     "Data Source: Sysmon",
     "Resources: Investigation Guide",
+    "vigilant.disabled"
 ]
 timestamp_override = "event.ingested"
 type = "eql"