Release 0.16.0

Merge branch 'socprime-master'
Merge pull request #624 from Antonlovesdnb/master
2020-02-25 22:19:52 +01:00 · 2020-02-25 21:32:59 +01:00 · 2020-02-25 15:44:31 +01:00 · 2020-02-25 09:24:29 -05:00 · 2020-02-25 09:23:52 -05:00 · 2020-02-25 09:23:22 -05:00
623 changed files with 16894 additions and 2100 deletions
@@ -91,3 +91,6 @@ ENV/
 # vi(m)
 *.swp
 settings.json
+
+# VisualStudio
+.vs/
@@ -1,9 +1,9 @@
 language: python
 dist: xenial
 python:
-  # - 3.5  # Deactivated because Travis CI tests failed randomly (Travis's problem)
-  - 3.6
-  - 3.7
+    # - 3.5  # Deactivated because Travis CI tests failed randomly (Travis's problem)
+    - 3.6
+    - 3.7
 sudo: true
 services:
    - elasticsearch
@@ -11,14 +11,15 @@ cache: pip
 before_install:
    - curl -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-6.2.4.deb && sudo dpkg -i --force-confnew elasticsearch-6.2.4.deb && sudo service elasticsearch restart
 install:
-  - pip install -r tools/requirements-devel.txt 
+    - pip install -r tools/requirements-devel.txt
+    - pip install -r tests/requirements-test.txt 
 script:
-  - make test
-  - make test-backend-es-qs
+    - make test
+    - make test-backend-es-qs
 notifications:
-  email:
-    recipients:
-      - venom14@gmail.com
-      - thomas@patzke.org
-    on_success: change
-    on_failure: always
+    email:
+        recipients:
+            - venom14@gmail.com
+            - thomas@patzke.org
+        on_success: change
+        on_failure: always
@@ -0,0 +1,142 @@
+# Release Notes
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html)
+from version 0.14.0.
+
+## 0.16.0 - 2020-02-25
+
+### Added
+
+* Proxy field names to ECS mapping (ecs-proxy) configuration
+* False positives metadata to LimaCharlie backend
+* Additional aggregation capabilitied for es-dsl backend.
+* Azure log analytics rule backend (ala-rule)
+* SQL backend
+* Splunk Zeek sourcetype mapping config
+* sigma2attack script
+* Carbon Black backend and configuration
+* ArcSight ESM backend
+* Elasticsearch detection rule backend
+
+### Changed
+
+* Kibana object id is now Sigma rule id if available. Else
+  the old naming scheme is used.
+* sigma2misp: replacement of deprecated method usage.
+* Various configuration updates
+* Extended ArcSight mapping
+
+### Fixed
+
+* Fixed aggregation queries for Elastalert backend
+* Fixed aggregation queries for es-dsl backend
+* Backend and configuration lists are sorted.
+* Escaping in ala backend
+
+## 0.15.0 - 2019-12-06
+
+### Added
+
+* sigma-uuid tool for addition and check of Sigma rule identifiers
+* Default configurations
+* Restriction of compared rules in sigma-similarity
+* Regular expression support in es-dsl backend
+* LimaCharlie support for proxy rule category
+* Source distribution for PyPI
+
+### Changed
+
+* Type errors are now ignored with -I
+
+### Fixed
+
+* Removed wrong mapping of CommandLine field mapping in THOR config
+
+## 0.14 - 2019-11-10
+
+### Added
+
+* sigma-similarity tool
+* LimaCharlie backend
+* Default configurations for some backends that are used if no configuration is passed.
+* Regular expression support for es-dsl backend (propagates to backends derived from this like elastalert-dsl)
+* Value modifiers:
+    * startswith
+    * endswith
+
+### Changed
+
+* Removal of line breaks in elastalert output
+* Searches not bound to fields are restricted to keyword fields in es-qs backend
+* Graylog backend now based on es-qs backend
+
+### Fixed
+
+* Removed ProcessCommandLine mapping for Windows Security EventID 4688 in generic
+  process creation log source configuration.
+
+## 0.13 - 2019-10-21
+
+### Added
+
+* Index mappings for Sumologic
+* Malicious cmdlets in wdatp
+* QRadar support for keyword searches
+* QRadar mapping improvements
+* QRadar field selection
+* QRadar type regex modifier support
+* Elasticsearch keyword field blacklisting with wildcards
+* Added dateField configuration parameter in xpack-watcher backend
+* Field mappings in configurations
+* Field name mapping for conditional fields
+* Value modifiers:
+    * utf16
+    * utf16le
+    * wide
+    * utf16be
+
+### Changed
+
+* Improved --backend-config help text
+
+### Fixed
+
+* Backend errors in ala
+* Slash escaping within es-dsl wildcard queries
+* QRadar backend config
+* QRadar field name and value escaping and handling
+* Elasticsearch wildcard detection pattern
+* Aggregation on keyword field in es-dsl backend
+
+## 0.12.1 - 2019-08-05
+
+### Fixed
+
+* Missing build dependency
+
+## 0.12 - 2019-08-01
+
+### Added
+
+* Usage of "Channel" field in ELK Windows configuration
+* Fields to mappings
+* xpack-watcher actions index and webhook
+* Config for Winlogbeat 7.x
+* Value modifiers
+* Regular expression support
+
+### Changed
+
+* Warning/error messages
+* Sumologic value cleaning
+* Explicit OR for Elasticsearch query strings
+* Listing of available configurations on missing configuration error
+
+### Fixed
+
+* Conditions in es-dsl backend
+* Sumologic handling of null values
+* Ignore timeframe detection keyword in all/any of conditions
@@ -0,0 +1,38 @@
+## {{ version.minor }}.{{ version.major }}.{{ version.patch }} ({{ date }})
+
+### Added
+
+{% for item in added %}
+* {{ item | indent(2) }}
+{% endfor %}
+
+### Changed
+
+{% for item in changed %}
+* {{ item | indent(2) }}
+{% endfor %}
+
+### Deprecated
+
+{% for item in deprecated %}
+* {{ item | indent(2) }}
+{% endfor %}
+
+### Removed
+
+{% for item in removed %}
+* {{ item | indent(2) }}
+{% endfor %}
+
+### Fixed
+
+{% for item in fixed %}
+* {{ item | indent(2) }}
+{% endfor %}
+
+### Security
+
+{% for item in security %}
+* {{ item | indent(2) }}
+{% endfor %}
+
@@ -1,7 +1,7 @@
-.PHONY: test test-rules test-sigmac
+.PHONY: test test-rules test-sigmac test-sigma2attack
 TMPOUT = $(shell tempfile||mktemp)
-COVSCOPE = tools/sigma/*.py,tools/sigma/backends/*.py,tools/sigmac,tools/merge_sigma
-test: clearcov test-rules test-sigmac test-merge build finish
+COVSCOPE = tools/sigma/*.py,tools/sigma/backends/*.py,tools/sigmac,tools/merge_sigma,tools/sigma2attack
+test: clearcov test-rules test-sigmac test-merge test-sigma2attack build finish

 clearcov:
 	rm -f .coverage
@@ -13,6 +13,7 @@ finish:
 test-rules:
 	yamllint rules
 	tests/test_rules.py
+	tools/sigma-uuid -Ver rules/

 test-sigmac:
 	coverage run -a --include=$(COVSCOPE) tools/sigmac
@@ -34,14 +35,20 @@ test-sigmac:
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t logpoint -c tools/config/logpoint-windows.yml rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t wdatp rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t ala rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t ala-rule rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t ala --backend-config tests/backend_config.yml rules/windows/process_creation/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t es-dsl -c tools/config/winlogbeat.yml rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t es-rule -c tools/config/winlogbeat.yml rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t powershell -c tools/config/powershell.yml -Ocsv rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t arcsight -c tools/config/arcsight.yml rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t arcsight-esm -c tools/config/arcsight.yml rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t qradar -c tools/config/qradar.yml rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t limacharlie -c tools/config/limacharlie.yml rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t carbonblack -c tools/config/carbon-black.yml rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t qualys -c tools/config/qualys.yml rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t netwitness -c tools/config/netwitness.yml rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t sumologic -O rulecomment -c tools/config/sumologic.yml rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t sql -c sysmon rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-index.yml -f 'level>=high,level<=critical,status=stable,logsource=windows,tag=attack.execution' rules/ > /dev/null
 	! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-index.yml -f 'level>=high,level<=critical,status=xstable,logsource=windows' rules/ > /dev/null
 	! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-index.yml -f 'level>=high,level<=xcritical,status=stable,logsource=windows' rules/ > /dev/null
@@ -49,6 +56,7 @@ test-sigmac:
 	! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-index.yml -f 'level=xcritical' rules/ > /dev/null
 	! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-index.yml -f 'foo=bar' rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/logstash-windows.yml -t es-qs rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c ecs-proxy -t es-qs rules/proxy > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c sysmon -c logstash-windows -t es-qs rules/ > /dev/null
 	! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c sysmon -c logstash-windows -t splunk rules/ > /dev/null
 	! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/logstash-windows.yml -c tools/config/generic/sysmon.yml -t es-qs rules/ > /dev/null
@@ -89,8 +97,11 @@ test-merge:
 test-backend-es-qs:
 	tests/test-backend-es-qs.py

+test-sigma2attack:
+	coverage run -a --include=$(COVSCOPE) tools/sigma2attack
+
 build: tools/sigmac tools/merge_sigma tools/sigma/*.py tools/setup.py tools/setup.cfg
-	cd tools && python3 setup.py bdist_wheel
+	cd tools && python3 setup.py bdist_wheel sdist

 upload-test: build
 	twine upload --repository-url https://test.pypi.org/legacy/ tools/dist/*
@@ -12,6 +12,8 @@ elasticsearch = "*"
 elasticsearch-async = "*"
 pymisp = "*"
 PyYAML = ">=3.11"
+progressbar2 = "*"
+colorama = "*"

 [requires]
 python_version = "3.6"
@@ -1,7 +1,7 @@
 {
    "_meta": {
        "hash": {
-            "sha256": "5e571aa1a1b4f78e71563cc30e3f457c8359c36888c76b6ed68376dadce445bb"
+            "sha256": "c553c014d5959f8c30ffdb23d4648ff872dbffd5f6f982d8c029a5b4533a959d"
        },
        "pipfile-spec": 6,
        "requires": {
@@ -18,30 +18,20 @@
    "default": {
        "aiohttp": {
            "hashes": [
-                "sha256:00d198585474299c9c3b4f1d5de1a576cc230d562abc5e4a0e81d71a20a6ca55",
-                "sha256:0155af66de8c21b8dba4992aaeeabf55503caefae00067a3b1139f86d0ec50ed",
-                "sha256:09654a9eca62d1bd6d64aa44db2498f60a5c1e0ac4750953fdd79d5c88955e10",
-                "sha256:199f1d106e2b44b6dacdf6f9245493c7d716b01d0b7fbe1959318ba4dc64d1f5",
-                "sha256:296f30dedc9f4b9e7a301e5cc963012264112d78a1d3094cd83ef148fdf33ca1",
-                "sha256:368ed312550bd663ce84dc4b032a962fcb3c7cae099dbbd48663afc305e3b939",
-                "sha256:40d7ea570b88db017c51392349cf99b7aefaaddd19d2c78368aeb0bddde9d390",
-                "sha256:629102a193162e37102c50713e2e31dc9a2fe7ac5e481da83e5bb3c0cee700aa",
-                "sha256:6d5ec9b8948c3d957e75ea14d41e9330e1ac3fed24ec53766c780f82805140dc",
-                "sha256:87331d1d6810214085a50749160196391a712a13336cd02ce1c3ea3d05bcf8d5",
-                "sha256:9a02a04bbe581c8605ac423ba3a74999ec9d8bce7ae37977a3d38680f5780b6d",
-                "sha256:9c4c83f4fa1938377da32bc2d59379025ceeee8e24b89f72fcbccd8ca22dc9bf",
-                "sha256:9cddaff94c0135ee627213ac6ca6d05724bfe6e7a356e5e09ec57bd3249510f6",
-                "sha256:a25237abf327530d9561ef751eef9511ab56fd9431023ca6f4803f1994104d72",
-                "sha256:a5cbd7157b0e383738b8e29d6e556fde8726823dae0e348952a61742b21aeb12",
-                "sha256:a97a516e02b726e089cffcde2eea0d3258450389bbac48cbe89e0f0b6e7b0366",
-                "sha256:acc89b29b5f4e2332d65cd1b7d10c609a75b88ef8925d487a611ca788432dfa4",
-                "sha256:b05bd85cc99b06740aad3629c2585bda7b83bd86e080b44ba47faf905fdf1300",
-                "sha256:c2bec436a2b5dafe5eaeb297c03711074d46b6eb236d002c13c42f25c4a8ce9d",
-                "sha256:cc619d974c8c11fe84527e4b5e1c07238799a8c29ea1c1285149170524ba9303",
-                "sha256:d4392defd4648badaa42b3e101080ae3313e8f4787cb517efd3f5b8157eaefd6",
-                "sha256:e1c3c582ee11af7f63a34a46f0448fca58e59889396ffdae1f482085061a2889"
+                "sha256:1e984191d1ec186881ffaed4581092ba04f7c61582a177b187d3a2f07ed9719e",
+                "sha256:259ab809ff0727d0e834ac5e8a283dc5e3e0ecc30c4d80b3cd17a4139ce1f326",
+                "sha256:2f4d1a4fdce595c947162333353d4a44952a724fba9ca3205a3df99a33d1307a",
+                "sha256:32e5f3b7e511aa850829fbe5aa32eb455e5534eaa4b1ce93231d00e2f76e5654",
+                "sha256:344c780466b73095a72c616fac5ea9c4665add7fc129f285fbdbca3cccf4612a",
+                "sha256:460bd4237d2dbecc3b5ed57e122992f60188afe46e7319116da5eb8a9dfedba4",
+                "sha256:4c6efd824d44ae697814a2a85604d8e992b875462c6655da161ff18fd4f29f17",
+                "sha256:50aaad128e6ac62e7bf7bd1f0c0a24bc968a0c0590a726d5a955af193544bcec",
+                "sha256:6206a135d072f88da3e71cc501c59d5abffa9d0bb43269a6dcd28d66bfafdbdd",
+                "sha256:65f31b622af739a802ca6fd1a3076fd0ae523f8485c52924a89561ba10c49b48",
+                "sha256:ae55bac364c405caa23a4f2d6cfecc6a0daada500274ffca4a9230e7129eac59",
+                "sha256:b778ce0c909a2653741cb4b1ac7015b5c130ab9c897611df43ae6a58523cb965"
            ],
-            "version": "==3.5.4"
+            "version": "==3.6.2"
        },
        "async-timeout": {
            "hashes": [
@@ -52,17 +42,17 @@
        },
        "attrs": {
            "hashes": [
-                "sha256:69c0dbf2ed392de1cb5ec704444b08a5ef81680a61cb899dc08127123af36a79",
-                "sha256:f0b870f674851ecbfbbbd364d6b5cbdff9dcedbc7f3f5e18a6891057f21fe399"
+                "sha256:08a96c641c3a74e44eb59afb61a24f2cb9f4d7188748e76ba4bb5edfa3cb7d1c",
+                "sha256:f7b7ce16570fe9965acd6d30101a28f62fb4a7f9e926b3bbc9b61f8b04247e72"
            ],
-            "version": "==19.1.0"
+            "version": "==19.3.0"
        },
        "certifi": {
            "hashes": [
-                "sha256:046832c04d4e752f37383b628bc601a7ea7211496b4638f6514d0e5b9acc4939",
-                "sha256:945e3ba63a0b9f577b1395204e13c3a231f9bc0223888be653286534e5873695"
+                "sha256:017c25db2a153ce562900032d5bc68e9f191e44e9a0f762f373977de9df1fbb3",
+                "sha256:25b64c7da4cd7479594d035c08c2d809eb4aab3a26e5a990ea98cc450c320f1f"
            ],
-            "version": "==2019.6.16"
+            "version": "==2019.11.28"
        },
        "chardet": {
            "hashes": [
@@ -71,58 +61,65 @@
            ],
            "version": "==3.0.4"
        },
-        "coverage": {
+        "colorama": {
            "hashes": [
-                "sha256:08907593569fe59baca0bf152c43f3863201efb6113ecb38ce7e97ce339805a6",
-                "sha256:0be0f1ed45fc0c185cfd4ecc19a1d6532d72f86a2bac9de7e24541febad72650",
-                "sha256:141f08ed3c4b1847015e2cd62ec06d35e67a3ac185c26f7635f4406b90afa9c5",
-                "sha256:19e4df788a0581238e9390c85a7a09af39c7b539b29f25c89209e6c3e371270d",
-                "sha256:23cc09ed395b03424d1ae30dcc292615c1372bfba7141eb85e11e50efaa6b351",
-                "sha256:245388cda02af78276b479f299bbf3783ef0a6a6273037d7c60dc73b8d8d7755",
-                "sha256:331cb5115673a20fb131dadd22f5bcaf7677ef758741312bee4937d71a14b2ef",
-                "sha256:386e2e4090f0bc5df274e720105c342263423e77ee8826002dcffe0c9533dbca",
-                "sha256:3a794ce50daee01c74a494919d5ebdc23d58873747fa0e288318728533a3e1ca",
-                "sha256:60851187677b24c6085248f0a0b9b98d49cba7ecc7ec60ba6b9d2e5574ac1ee9",
-                "sha256:63a9a5fc43b58735f65ed63d2cf43508f462dc49857da70b8980ad78d41d52fc",
-                "sha256:6b62544bb68106e3f00b21c8930e83e584fdca005d4fffd29bb39fb3ffa03cb5",
-                "sha256:6ba744056423ef8d450cf627289166da65903885272055fb4b5e113137cfa14f",
-                "sha256:7494b0b0274c5072bddbfd5b4a6c6f18fbbe1ab1d22a41e99cd2d00c8f96ecfe",
-                "sha256:826f32b9547c8091679ff292a82aca9c7b9650f9fda3e2ca6bf2ac905b7ce888",
-                "sha256:93715dffbcd0678057f947f496484e906bf9509f5c1c38fc9ba3922893cda5f5",
-                "sha256:9a334d6c83dfeadae576b4d633a71620d40d1c379129d587faa42ee3e2a85cce",
-                "sha256:af7ed8a8aa6957aac47b4268631fa1df984643f07ef00acd374e456364b373f5",
-                "sha256:bf0a7aed7f5521c7ca67febd57db473af4762b9622254291fbcbb8cd0ba5e33e",
-                "sha256:bf1ef9eb901113a9805287e090452c05547578eaab1b62e4ad456fcc049a9b7e",
-                "sha256:c0afd27bc0e307a1ffc04ca5ec010a290e49e3afbe841c5cafc5c5a80ecd81c9",
-                "sha256:dd579709a87092c6dbee09d1b7cfa81831040705ffa12a1b248935274aee0437",
-                "sha256:df6712284b2e44a065097846488f66840445eb987eb81b3cc6e4149e7b6982e1",
-                "sha256:e07d9f1a23e9e93ab5c62902833bf3e4b1f65502927379148b6622686223125c",
-                "sha256:e2ede7c1d45e65e209d6093b762e98e8318ddeff95317d07a27a2140b80cfd24",
-                "sha256:e4ef9c164eb55123c62411f5936b5c2e521b12356037b6e1c2617cef45523d47",
-                "sha256:eca2b7343524e7ba246cab8ff00cab47a2d6d54ada3b02772e908a45675722e2",
-                "sha256:eee64c616adeff7db37cc37da4180a3a5b6177f5c46b187894e633f088fb5b28",
-                "sha256:ef824cad1f980d27f26166f86856efe11eff9912c4fed97d3804820d43fa550c",
-                "sha256:efc89291bd5a08855829a3c522df16d856455297cf35ae827a37edac45f466a7",
-                "sha256:fa964bae817babece5aa2e8c1af841bebb6d0b9add8e637548809d040443fee0",
-                "sha256:ff37757e068ae606659c28c3bd0d923f9d29a85de79bf25b2b34b148473b5025"
+                "sha256:7d73d2a99753107a36ac6b455ee49046802e59d9d076ef8e47b61499fa29afff",
+                "sha256:e96da0d330793e2cb9485e9ddfd918d456036c7149416295932478192f4436a1"
            ],
            "index": "pypi",
-            "version": "==4.5.4"
+            "version": "==0.4.3"
+        },
+        "coverage": {
+            "hashes": [
+                "sha256:15cf13a6896048d6d947bf7d222f36e4809ab926894beb748fc9caa14605d9c3",
+                "sha256:1daa3eceed220f9fdb80d5ff950dd95112cd27f70d004c7918ca6dfc6c47054c",
+                "sha256:1e44a022500d944d42f94df76727ba3fc0a5c0b672c358b61067abb88caee7a0",
+                "sha256:25dbf1110d70bab68a74b4b9d74f30e99b177cde3388e07cc7272f2168bd1477",
+                "sha256:3230d1003eec018ad4a472d254991e34241e0bbd513e97a29727c7c2f637bd2a",
+                "sha256:3dbb72eaeea5763676a1a1efd9b427a048c97c39ed92e13336e726117d0b72bf",
+                "sha256:5012d3b8d5a500834783689a5d2292fe06ec75dc86ee1ccdad04b6f5bf231691",
+                "sha256:51bc7710b13a2ae0c726f69756cf7ffd4362f4ac36546e243136187cfcc8aa73",
+                "sha256:527b4f316e6bf7755082a783726da20671a0cc388b786a64417780b90565b987",
+                "sha256:722e4557c8039aad9592c6a4213db75da08c2cd9945320220634f637251c3894",
+                "sha256:76e2057e8ffba5472fd28a3a010431fd9e928885ff480cb278877c6e9943cc2e",
+                "sha256:77afca04240c40450c331fa796b3eab6f1e15c5ecf8bf2b8bee9706cd5452fef",
+                "sha256:7afad9835e7a651d3551eab18cbc0fdb888f0a6136169fbef0662d9cdc9987cf",
+                "sha256:9bea19ac2f08672636350f203db89382121c9c2ade85d945953ef3c8cf9d2a68",
+                "sha256:a8b8ac7876bc3598e43e2603f772d2353d9931709345ad6c1149009fd1bc81b8",
+                "sha256:b0840b45187699affd4c6588286d429cd79a99d509fe3de0f209594669bb0954",
+                "sha256:b26aaf69713e5674efbde4d728fb7124e429c9466aeaf5f4a7e9e699b12c9fe2",
+                "sha256:b63dd43f455ba878e5e9f80ba4f748c0a2156dde6e0e6e690310e24d6e8caf40",
+                "sha256:be18f4ae5a9e46edae3f329de2191747966a34a3d93046dbdf897319923923bc",
+                "sha256:c312e57847db2526bc92b9bfa78266bfbaabac3fdcd751df4d062cd4c23e46dc",
+                "sha256:c60097190fe9dc2b329a0eb03393e2e0829156a589bd732e70794c0dd804258e",
+                "sha256:c62a2143e1313944bf4a5ab34fd3b4be15367a02e9478b0ce800cb510e3bbb9d",
+                "sha256:cc1109f54a14d940b8512ee9f1c3975c181bbb200306c6d8b87d93376538782f",
+                "sha256:cd60f507c125ac0ad83f05803063bed27e50fa903b9c2cfee3f8a6867ca600fc",
+                "sha256:d513cc3db248e566e07a0da99c230aca3556d9b09ed02f420664e2da97eac301",
+                "sha256:d649dc0bcace6fcdb446ae02b98798a856593b19b637c1b9af8edadf2b150bea",
+                "sha256:d7008a6796095a79544f4da1ee49418901961c97ca9e9d44904205ff7d6aa8cb",
+                "sha256:da93027835164b8223e8e5af2cf902a4c80ed93cb0909417234f4a9df3bcd9af",
+                "sha256:e69215621707119c6baf99bda014a45b999d37602cb7043d943c76a59b05bf52",
+                "sha256:ea9525e0fef2de9208250d6c5aeeee0138921057cd67fcef90fbed49c4d62d37",
+                "sha256:fca1669d464f0c9831fd10be2eef6b86f5ebd76c724d1e0706ebdff86bb4adf0"
+            ],
+            "index": "pypi",
+            "version": "==5.0.3"
        },
        "deprecated": {
            "hashes": [
-                "sha256:a515c4cf75061552e0284d123c3066fbbe398952c87333a92b8fc3dd8e4f9cc1",
-                "sha256:b07b414c8aac88f60c1d837d21def7e83ba711052e03b3cbaff27972567a8f8d"
+                "sha256:408038ab5fdeca67554e8f6742d1521cd3cd0ee0ff9d47f29318a4f4da31c308",
+                "sha256:8b6a5aa50e482d8244a62e5582b96c372e87e3a28e8b49c316e46b95c76a611d"
            ],
-            "version": "==1.2.6"
+            "version": "==1.2.7"
        },
        "elasticsearch": {
            "hashes": [
-                "sha256:cbc73831c63fa2824538df76fcb2c4be007b43dbd9e7788ae70ea6d24109925b",
-                "sha256:d1b176b87a7fb75dca82978c82a4023e8b21cbc98f4018cb51190fb0b8b43764"
+                "sha256:1815ee1377e7d3cf32770738a70785fe4ab1f05be28336a330ed71cb295a7c6c",
+                "sha256:2a0ca516378ae9b87ac840e7bb529ec508f3010360dd9feed605dff2a898aff5"
            ],
            "index": "pypi",
-            "version": "==7.0.2"
+            "version": "==7.5.1"
        },
        "elasticsearch-async": {
            "hashes": [
@@ -146,93 +143,102 @@
            "markers": "python_version < '3.7'",
            "version": "==1.1.0"
        },
+        "importlib-metadata": {
+            "hashes": [
+                "sha256:06f5b3a99029c7134207dd882428a66992a9de2bef7c2b699b5641f9886c3302",
+                "sha256:b97607a1a18a5100839aec1dc26a1ea17ee0d93b20b0f008d80a5a050afb200b"
+            ],
+            "markers": "python_version < '3.8'",
+            "version": "==1.5.0"
+        },
        "jsonschema": {
            "hashes": [
-                "sha256:5f9c0a719ca2ce14c5de2fd350a64fd2d13e8539db29836a86adc990bb1a068f",
-                "sha256:8d4a2b7b6c2237e0199c8ea1a6d3e05bf118e289ae2b9d7ba444182a2959560d"
+                "sha256:4e5b3cf8216f577bee9ce139cbe72eca3ea4f292ec60928ff24758ce626cd163",
+                "sha256:c8a85b28d377cc7737e46e2d9f2b4f44ee3c0e1deac6bf46ddefc7187d30797a"
            ],
-            "version": "==3.0.2"
+            "version": "==3.2.0"
        },
        "multidict": {
            "hashes": [
-                "sha256:024b8129695a952ebd93373e45b5d341dbb87c17ce49637b34000093f243dd4f",
-                "sha256:041e9442b11409be5e4fc8b6a97e4bcead758ab1e11768d1e69160bdde18acc3",
-                "sha256:045b4dd0e5f6121e6f314d81759abd2c257db4634260abcfe0d3f7083c4908ef",
-                "sha256:047c0a04e382ef8bd74b0de01407e8d8632d7d1b4db6f2561106af812a68741b",
-                "sha256:068167c2d7bbeebd359665ac4fff756be5ffac9cda02375b5c5a7c4777038e73",
-                "sha256:148ff60e0fffa2f5fad2eb25aae7bef23d8f3b8bdaf947a65cdbe84a978092bc",
-                "sha256:1d1c77013a259971a72ddaa83b9f42c80a93ff12df6a4723be99d858fa30bee3",
-                "sha256:1d48bc124a6b7a55006d97917f695effa9725d05abe8ee78fd60d6588b8344cd",
-                "sha256:31dfa2fc323097f8ad7acd41aa38d7c614dd1960ac6681745b6da124093dc351",
-                "sha256:34f82db7f80c49f38b032c5abb605c458bac997a6c3142e0d6c130be6fb2b941",
-                "sha256:3d5dd8e5998fb4ace04789d1d008e2bb532de501218519d70bb672c4c5a2fc5d",
-                "sha256:4a6ae52bd3ee41ee0f3acf4c60ceb3f44e0e3bc52ab7da1c2b2aa6703363a3d1",
-                "sha256:4b02a3b2a2f01d0490dd39321c74273fed0568568ea0e7ea23e02bd1fb10a10b",
-                "sha256:4b843f8e1dd6a3195679d9838eb4670222e8b8d01bc36c9894d6c3538316fa0a",
-                "sha256:5de53a28f40ef3c4fd57aeab6b590c2c663de87a5af76136ced519923d3efbb3",
-                "sha256:61b2b33ede821b94fa99ce0b09c9ece049c7067a33b279f343adfe35108a4ea7",
-                "sha256:6a3a9b0f45fd75dc05d8e93dc21b18fc1670135ec9544d1ad4acbcf6b86781d0",
-                "sha256:76ad8e4c69dadbb31bad17c16baee61c0d1a4a73bed2590b741b2e1a46d3edd0",
-                "sha256:7ba19b777dc00194d1b473180d4ca89a054dd18de27d0ee2e42a103ec9b7d014",
-                "sha256:7c1b7eab7a49aa96f3db1f716f0113a8a2e93c7375dd3d5d21c4941f1405c9c5",
-                "sha256:7fc0eee3046041387cbace9314926aa48b681202f8897f8bff3809967a049036",
-                "sha256:8ccd1c5fff1aa1427100ce188557fc31f1e0a383ad8ec42c559aabd4ff08802d",
-                "sha256:8e08dd76de80539d613654915a2f5196dbccc67448df291e69a88712ea21e24a",
-                "sha256:c18498c50c59263841862ea0501da9f2b3659c00db54abfbf823a80787fde8ce",
-                "sha256:c49db89d602c24928e68c0d510f4fcf8989d77defd01c973d6cbe27e684833b1",
-                "sha256:ce20044d0317649ddbb4e54dab3c1bcc7483c78c27d3f58ab3d0c7e6bc60d26a",
-                "sha256:d1071414dd06ca2eafa90c85a079169bfeb0e5f57fd0b45d44c092546fcd6fd9",
-                "sha256:d3be11ac43ab1a3e979dac80843b42226d5d3cccd3986f2e03152720a4297cd7",
-                "sha256:db603a1c235d110c860d5f39988ebc8218ee028f07a7cbc056ba6424372ca31b"
+                "sha256:13f3ebdb5693944f52faa7b2065b751cb7e578b8dd0a5bb8e4ab05ad0188b85e",
+                "sha256:26502cefa86d79b86752e96639352c7247846515c864d7c2eb85d036752b643c",
+                "sha256:4fba5204d32d5c52439f88437d33ad14b5f228e25072a192453f658bddfe45a7",
+                "sha256:527124ef435f39a37b279653ad0238ff606b58328ca7989a6df372fd75d7fe26",
+                "sha256:5414f388ffd78c57e77bd253cf829373721f450613de53dc85a08e34d806e8eb",
+                "sha256:5eee66f882ab35674944dfa0d28b57fa51e160b4dce0ce19e47f495fdae70703",
+                "sha256:63810343ea07f5cd86ba66ab66706243a6f5af075eea50c01e39b4ad6bc3c57a",
+                "sha256:6bd10adf9f0d6a98ccc792ab6f83d18674775986ba9bacd376b643fe35633357",
+                "sha256:83c6ddf0add57c6b8a7de0bc7e2d656be3eefeff7c922af9a9aae7e49f225625",
+                "sha256:93166e0f5379cf6cd29746989f8a594fa7204dcae2e9335ddba39c870a287e1c",
+                "sha256:9a7b115ee0b9b92d10ebc246811d8f55d0c57e82dbb6a26b23c9a9a6ad40ce0c",
+                "sha256:a38baa3046cce174a07a59952c9f876ae8875ef3559709639c17fdf21f7b30dd",
+                "sha256:a6d219f49821f4b2c85c6d426346a5d84dab6daa6f85ca3da6c00ed05b54022d",
+                "sha256:a8ed33e8f9b67e3b592c56567135bb42e7e0e97417a4b6a771e60898dfd5182b",
+                "sha256:d7d428488c67b09b26928950a395e41cc72bb9c3d5abfe9f0521940ee4f796d4",
+                "sha256:dcfed56aa085b89d644af17442cdc2debaa73388feba4b8026446d168ca8dad7",
+                "sha256:f29b885e4903bd57a7789f09fe9d60b6475a6c1a4c0eca874d8558f00f9d4b51"
            ],
-            "version": "==4.5.2"
+            "version": "==4.7.4"
        },
        "pathspec": {
            "hashes": [
-                "sha256:54a5eab895d89f342b52ba2bffe70930ef9f8d96e398cccf530d21fa0516a873"
+                "sha256:163b0632d4e31cef212976cf57b43d9fd6b0bac6e67c26015d611a647d5e7424",
+                "sha256:562aa70af2e0d434367d9790ad37aed893de47f1693e4201fd1d3dca15d19b96"
            ],
-            "version": "==0.5.9"
+            "version": "==0.7.0"
+        },
+        "progressbar2": {
+            "hashes": [
+                "sha256:7538d02045a1fd3aa2b2834bfda463da8755bd3ff050edc6c5ddff3bc616215f",
+                "sha256:eb774d1e0d03ea4730f381c13c2c6ae7abb5ddfb14d8321d7a58a61aa708f0d0"
+            ],
+            "index": "pypi",
+            "version": "==3.47.0"
        },
        "pymisp": {
            "hashes": [
-                "sha256:5bff5e7705d2697fd6e7110d1f316688d6106795cba4d453eec8c78c18b0e9f7",
-                "sha256:85d319e0e1d4e53a901501ad74679f3802201b5e12df2da443aaae1d2443e3b1",
-                "sha256:a2fe66bada1186abc6237dc151473e307619685b8168aaeb31b6112528638d9e"
+                "sha256:4359953881c70d8c851ba847ebd41fe636ecc155ee92a6b653dcae2d241a6fef",
+                "sha256:be4c2a2d311ba1aaeb73e1124e8a97ac4eec52a871e02d373c455936095aac72"
            ],
            "index": "pypi",
-            "version": "==2.4.112"
+            "version": "==2.4.120"
        },
        "pyrsistent": {
            "hashes": [
-                "sha256:34b47fa169d6006b32e99d4b3c4031f155e6e68ebcc107d6454852e8e0ee6533"
+                "sha256:cdc7b5e3ed77bed61270a47d35434a30617b9becdf2478af76ad2c6ade307280"
            ],
-            "version": "==0.15.4"
+            "version": "==0.15.7"
        },
        "python-dateutil": {
            "hashes": [
-                "sha256:7e6584c74aeed623791615e26efd690f29817a27c73085b78e4bad02493df2fb",
-                "sha256:c89805f6f4d64db21ed966fda138f8a5ed7a4fdbc1a8ee329ce1b74e3c74da9e"
+                "sha256:73ebfe9dbf22e832286dafa60473e4cd239f8592f699aa5adaf10050e6e1823c",
+                "sha256:75bb3f31ea686f1197762692a9ee6a7550b59fc6ca3a1f4b5d7e32fb98e2da2a"
            ],
-            "version": "==2.8.0"
+            "version": "==2.8.1"
+        },
+        "python-utils": {
+            "hashes": [
+                "sha256:34aaf26b39b0b86628008f2ae0ac001b30e7986a8d303b61e1357dfcdad4f6d3",
+                "sha256:e25f840564554eaded56eaa395bca507b0b9e9f0ae5ecb13a8cb785305c56d25"
+            ],
+            "version": "==2.3.0"
        },
        "pyyaml": {
            "hashes": [
-                "sha256:0113bc0ec2ad727182326b61326afa3d1d8280ae1122493553fd6f4397f33df9",
-                "sha256:01adf0b6c6f61bd11af6e10ca52b7d4057dd0be0343eb9283c878cf3af56aee4",
-                "sha256:5124373960b0b3f4aa7df1707e63e9f109b5263eca5976c66e08b1c552d4eaf8",
-                "sha256:5ca4f10adbddae56d824b2c09668e91219bb178a1eee1faa56af6f99f11bf696",
-                "sha256:7907be34ffa3c5a32b60b95f4d95ea25361c951383a894fec31be7252b2b6f34",
-                "sha256:7ec9b2a4ed5cad025c2278a1e6a19c011c80a3caaac804fd2d329e9cc2c287c9",
-                "sha256:87ae4c829bb25b9fe99cf71fbb2140c448f534e24c998cc60f39ae4f94396a73",
-                "sha256:9de9919becc9cc2ff03637872a440195ac4241c80536632fffeb6a1e25a74299",
-                "sha256:a5a85b10e450c66b49f98846937e8cfca1db3127a9d5d1e31ca45c3d0bef4c5b",
-                "sha256:b0997827b4f6a7c286c01c5f60384d218dca4ed7d9efa945c3e1aa623d5709ae",
-                "sha256:b631ef96d3222e62861443cc89d6563ba3eeb816eeb96b2629345ab795e53681",
-                "sha256:bf47c0607522fdbca6c9e817a6e81b08491de50f3766a7a0e6a5be7905961b41",
-                "sha256:f81025eddd0327c7d4cfe9b62cf33190e1e736cc6e97502b3ec425f574b3e7a8"
+                "sha256:059b2ee3194d718896c0ad077dd8c043e5e909d9180f387ce42012662a4946d6",
+                "sha256:1cf708e2ac57f3aabc87405f04b86354f66799c8e62c28c5fc5f88b5521b2dbf",
+                "sha256:24521fa2890642614558b492b473bee0ac1f8057a7263156b02e8b14c88ce6f5",
+                "sha256:4fee71aa5bc6ed9d5f116327c04273e25ae31a3020386916905767ec4fc5317e",
+                "sha256:70024e02197337533eef7b85b068212420f950319cc8c580261963aefc75f811",
+                "sha256:74782fbd4d4f87ff04159e986886931456a1894c61229be9eaf4de6f6e44b99e",
+                "sha256:940532b111b1952befd7db542c370887a8611660d2b9becff75d39355303d82d",
+                "sha256:cb1f2f5e426dc9f07a7681419fe39cee823bb74f723f36f70399123f439e9b20",
+                "sha256:dbbb2379c19ed6042e8f11f2a2c66d39cceb8aeace421bfc29d085d93eda3689",
+                "sha256:e3a057b7a64f1222b56e47bcff5e4b94c4f61faac04c7c4ecb1985e18caa3994",
+                "sha256:e9f45bd5b92c7974e59bcd2dcc8631a6b6cc380a904725fce7bc08872e691615"
            ],
            "index": "pypi",
-            "version": "==5.1.2"
+            "version": "==5.3"
        },
        "requests": {
            "hashes": [
@@ -243,26 +249,26 @@
        },
        "six": {
            "hashes": [
-                "sha256:3350809f0555b11f552448330d0b52d5f24c91a322ea4a15ef22629740f3761c",
-                "sha256:d16a0141ec1a18405cd4ce8b4613101da75da0e9a7aec5bdd4fa804d0e0eba73"
+                "sha256:236bdbdce46e6e6a3d61a337c0f8b763ca1e8717c03b369e87a7ec7ce1319c0a",
+                "sha256:8f3cd2e254d8f793e7f3d6d9df77b92252b52637291d0f0da013c76ea2724b6c"
            ],
-            "version": "==1.12.0"
+            "version": "==1.14.0"
        },
        "typing-extensions": {
            "hashes": [
-                "sha256:2ed632b30bb54fc3941c382decfd0ee4148f5c591651c9272473fea2c6397d95",
-                "sha256:b1edbbf0652660e32ae780ac9433f4231e7339c7f9a8057d0f042fcbcea49b87",
-                "sha256:d8179012ec2c620d3791ca6fe2bf7979d979acdbef1fca0bc56b37411db682ed"
+                "sha256:091ecc894d5e908ac75209f10d5b4f118fbdb2eb1ede6a63544054bb1edb41f2",
+                "sha256:910f4656f54de5993ad9304959ce9bb903f90aadc7c67a0bef07e678014e892d",
+                "sha256:cf8b63fedea4d89bab840ecbb93e75578af28f76f66c35889bd7065f5af88575"
            ],
            "markers": "python_version < '3.7'",
-            "version": "==3.7.4"
+            "version": "==3.7.4.1"
        },
        "urllib3": {
            "hashes": [
-                "sha256:b246607a25ac80bedac05c6f282e3cdaf3afb65420fd024ac94435cabe6e18d1",
-                "sha256:dbe59173209418ae49d485b87d1681aefa36252ee85884c31346debd19463232"
+                "sha256:2f3db8b19923a873b3e5256dc9c2dedfa883e33d87c690d9c7913e1f40673cdc",
+                "sha256:87716c2d2a7121198ebcb7ce7cccf6ce5e9ba539041cfbaeecfb641dc0bf6acc"
            ],
-            "version": "==1.25.3"
+            "version": "==1.25.8"
        },
        "wrapt": {
            "hashes": [
@@ -272,27 +278,40 @@
        },
        "yamllint": {
            "hashes": [
-                "sha256:9a4fec2d40804979de5f54453fd1551bc1f8b59a7ad4a26fd7f26aeca34a83af",
-                "sha256:f97cd763fe7b588444a94cc44fd3764b832a613b5250baa2bfe8b84c91e4c330"
+                "sha256:7318e189027951983c3cb4d6bcaa1e75deef7c752320ca3ce84e407f2551e8ce",
+                "sha256:76912b6262fd7e0815d7b14c4c2bb2642c754d0aa38f2d3e4b4e21c77872a3bf"
            ],
            "index": "pypi",
-            "version": "==1.16.0"
+            "version": "==1.20.0"
        },
        "yarl": {
            "hashes": [
-                "sha256:024ecdc12bc02b321bc66b41327f930d1c2c543fa9a561b39861da9388ba7aa9",
-                "sha256:2f3010703295fbe1aec51023740871e64bb9664c789cba5a6bdf404e93f7568f",
-                "sha256:3890ab952d508523ef4881457c4099056546593fa05e93da84c7250516e632eb",
-                "sha256:3e2724eb9af5dc41648e5bb304fcf4891adc33258c6e14e2a7414ea32541e320",
-                "sha256:5badb97dd0abf26623a9982cd448ff12cb39b8e4c94032ccdedf22ce01a64842",
-                "sha256:73f447d11b530d860ca1e6b582f947688286ad16ca42256413083d13f260b7a0",
-                "sha256:7ab825726f2940c16d92aaec7d204cfc34ac26c0040da727cf8ba87255a33829",
-                "sha256:b25de84a8c20540531526dfbb0e2d2b648c13fd5dd126728c496d7c3fea33310",
-                "sha256:c6e341f5a6562af74ba55205dbd56d248daf1b5748ec48a0200ba227bb9e33f4",
-                "sha256:c9bb7c249c4432cd47e75af3864bc02d26c9594f49c82e2a28624417f0ae63b8",
-                "sha256:e060906c0c585565c718d1c3841747b61c5439af2211e185f6739a9412dfbde1"
+                "sha256:0c2ab325d33f1b824734b3ef51d4d54a54e0e7a23d13b86974507602334c2cce",
+                "sha256:0ca2f395591bbd85ddd50a82eb1fde9c1066fafe888c5c7cc1d810cf03fd3cc6",
+                "sha256:2098a4b4b9d75ee352807a95cdf5f10180db903bc5b7270715c6bbe2551f64ce",
+                "sha256:25e66e5e2007c7a39541ca13b559cd8ebc2ad8fe00ea94a2aad28a9b1e44e5ae",
+                "sha256:26d7c90cb04dee1665282a5d1a998defc1a9e012fdca0f33396f81508f49696d",
+                "sha256:308b98b0c8cd1dfef1a0311dc5e38ae8f9b58349226aa0533f15a16717ad702f",
+                "sha256:3ce3d4f7c6b69c4e4f0704b32eca8123b9c58ae91af740481aa57d7857b5e41b",
+                "sha256:58cd9c469eced558cd81aa3f484b2924e8897049e06889e8ff2510435b7ef74b",
+                "sha256:5b10eb0e7f044cf0b035112446b26a3a2946bca9d7d7edb5e54a2ad2f6652abb",
+                "sha256:6faa19d3824c21bcbfdfce5171e193c8b4ddafdf0ac3f129ccf0cdfcb083e462",
+                "sha256:944494be42fa630134bf907714d40207e646fd5a94423c90d5b514f7b0713fea",
+                "sha256:a161de7e50224e8e3de6e184707476b5a989037dcb24292b391a3d66ff158e70",
+                "sha256:a4844ebb2be14768f7994f2017f70aca39d658a96c786211be5ddbe1c68794c1",
+                "sha256:c2b509ac3d4b988ae8769901c66345425e361d518aecbe4acbfc2567e416626a",
+                "sha256:c9959d49a77b0e07559e579f38b2f3711c2b8716b8410b320bf9713013215a1b",
+                "sha256:d8cdee92bc930d8b09d8bd2043cedd544d9c8bd7436a77678dd602467a993080",
+                "sha256:e15199cdb423316e15f108f51249e44eb156ae5dba232cb73be555324a1d49c2"
            ],
-            "version": "==1.3.0"
+            "version": "==1.4.2"
+        },
+        "zipp": {
+            "hashes": [
+                "sha256:ccc94ed0909b58ffe34430ea5451f07bc0c76467d7081619a454bf5c98b89e28",
+                "sha256:feae2f18633c32fc71f2de629bfb3bd3c9325cd4419642b1f1da42ee488d9b98"
+            ],
+            "version": "==2.1.0"
        }
    },
    "develop": {}
@@ -14,9 +14,9 @@ Sigma is for log files what [Snort](https://www.snort.org/) is for network traff

 This repository contains:

-* Sigma rule specification in the [Wiki](https://github.com/Neo23x0/sigma/wiki/Specification)
-* Open repository for sigma signatures in the `./rules`subfolder
-* A converter that generate searches/queries for different SIEM systems [work in progress]
+1. Sigma rule specification in the [Wiki](https://github.com/Neo23x0/sigma/wiki/Specification)
+2. Open repository for sigma signatures in the `./rules` subfolder
+3. A converter named `sigmac` located in the `./tools/` sub folder that generates search queries for different SIEM systems from Sigma rules

 ![sigma_description](./images/Sigma-description.png)

@@ -33,7 +33,7 @@ The SANS webcast on Sigma contains a very good 20 min introduction to the projec
 # Use Cases

 * Describe your detection method in Sigma to make it sharable
-* Write and your SIEM searches in Sigma to avoid a vendor lock-in
+* Write your SIEM searches in Sigma to avoid a vendor lock-in
 * Share the signature in the appendix of your analysis along with IOCs and YARA rules
 * Share the signature in threat intel communities - e.g. via MISP
 * Provide Sigma signatures for malicious behaviour in your own application
@@ -100,7 +100,7 @@ merges multiple YAML documents of a Sigma rule collection into simple Sigma rule

 ```
 usage: sigmac [-h] [--recurse] [--filter FILTER]
-              [--target {arcsight,es-qs,es-dsl,kibana,xpack-watcher,elastalert,graylog,logpoint,grep,netwitness,powershell,qradar,qualys,splunk,splunkxml,sumologic,fieldlist,wdatp}]
+              [--target {arcsight,es-qs,es-dsl,kibana,xpack-watcher,elastalert,graylog,limacharlie,logpoint,grep,netwitness,powershell,qradar,qualys,splunk,splunkxml,sumologic,fieldlist,wdatp}]
              [--target-list] [--config CONFIG] [--output OUTPUT]
              [--backend-option BACKEND_OPTION] [--defer-abort]
              [--ignore-backend-errors] [--verbose] [--debug]
@@ -125,7 +125,7 @@ optional arguments:
                        tag that must appear in the rules tag list, case-
                        insensitive matching. Multiple log source
                        specifications are AND linked.
-  --target {arcsight,es-qs,es-dsl,kibana,xpack-watcher,elastalert,graylog,logpoint,grep,netwitness,powershell,qradar,qualys,splunk,splunkxml,sumologic,fieldlist,wdatp}, -t {arcsight,es-qs,es-dsl,kibana,xpack-watcher,elastalert,graylog,logpoint,grep,netwitness,powershell,qradar,qualys,splunk,splunkxml,sumologic,fieldlist,wdatp}
+  --target {arcsight,es-qs,es-dsl,kibana,xpack-watcher,elastalert,graylog,limacharlie,logpoint,grep,netwitness,powershell,qradar,qualys,splunk,splunkxml,sumologic,fieldlist,wdatp}, -t {arcsight,es-qs,es-dsl,kibana,xpack-watcher,elastalert,graylog,limacharlie,logpoint,grep,netwitness,powershell,qradar,qualys,splunk,splunkxml,sumologic,fieldlist,wdatp}
                        Output target format
  --target-list, -l     List available output target formats
  --config CONFIG, -c CONFIG
@@ -154,12 +154,17 @@ optional arguments:
 #### Single Rule Translation
 Translate a single rule
 ```
-tools/sigmac -t splunk rules/windows/sysmon/sysmon_susp_image_load.yml
+tools/sigmac -t splunk -c splunk-windows rules/windows/sysmon/sysmon_susp_image_load.yml
 ```
 #### Rule Set Translation
 Translate a whole rule directory and ignore backend errors (`-I`) in rule conversion for the selected backend (`-t splunk`)
 ```
-tools/sigmac -I -t splunk -r rules/windows/sysmon/
+tools/sigmac -I -t splunk -c splunk-windows -r rules/windows/sysmon/
+```
+#### Translate Only Rules of Level High or Critical
+Translate a whole rule directory and ignore backend errors (`-I`) in rule conversion for the selected backend (`-t splunk`) and select only rules of level `high` and `critical`
+```
+tools/sigmac -I -t splunk -c splunk-windows -f 'level>=high' -r rules/windows/sysmon/
 ```
 #### Rule Set Translation with Custom Config 
 Apply your own config file (`-c ~/my-elk-winlogbeat.yml`) during conversion, which can contain you custom field and source mappings
@@ -195,6 +200,7 @@ tools/sigmac -t splunk -c ~/my-splunk-mapping.yml -c tools/config/generic/window
 * [RSA NetWitness](https://www.rsa.com/en-us/products/threat-detection-response)
 * [PowerShell](https://docs.microsoft.com/en-us/powershell/scripting/getting-started/getting-started-with-windows-powershell?view=powershell-6)
 * [Grep](https://www.gnu.org/software/grep/manual/grep.html) with Perl-compatible regular expression support
+* [LimaCharlie](https://limacharlie.io)

 Current work-in-progress
 * [Splunk Data Models](https://docs.splunk.com/Documentation/Splunk/7.1.0/Knowledge/Aboutdatamodels)
@@ -253,6 +259,27 @@ sigma2misp @misp.conf --same-event --info "Test Event" -r sigma_rules/

 [Evt2Sigma](https://github.com/Neo23x0/evt2sigma) helps you with the rule creation. It generates a Sigma rule from a log entry. 

+## Sigma2attack
+
+Generates a [MITRE ATT&CK Navigator](https://github.com/mitre/attack-navigator/) heatmap from a directory containing sigma rules.
+
+Requirements:
+- Sigma rules tagged with a `attack.tXXXX` tag (e.g.: `attack.t1086`)
+
+Usage samples:
+
+```
+# Use the default "rules" folder
+./tools/sigma2attack
+
+# ... or specify your own
+./tools/sigma2attack --rules-directory ~/hunting/rules
+```
+
+Result once imported in the MITRE ATT&CK Navigator ([online version](https://mitre-attack.github.io/attack-navigator/enterprise/)):
+
+![Sigma2attack result](./images/sigma2attack.png)
+
 ## Contributed Scripts

 The directory `contrib` contains scripts that were contributed by the community:
@@ -271,12 +298,14 @@ These tools are not part of the main toolchain and maintained separately by thei
 # Projects or Products that use Sigma

 * [MISP](http://www.misp-project.org/2017/03/26/MISP.2.4.70.released.html) (since version 2.4.70, March 2017)
-* [TA-Sigma-Searches](https://github.com/dstaulcu/TA-Sigma-Searches) (Splunk App)
 * [SOC Prime - Sigma Rule Editor](https://tdm.socprime.com/sigma/)
-* [ypsilon](https://github.com/P4T12ICK/ypsilon) - Automated Use Case Testing 
 * [uncoder.io](https://uncoder.io/) - Online Translator for SIEM Searches
-* [SPARK](https://www.nextron-systems.com/2018/06/28/spark-applies-sigma-rules-in-eventlog-scan/) - Scan with Sigma rules on endpoints
+* [THOR](https://www.nextron-systems.com/2018/06/28/spark-applies-sigma-rules-in-eventlog-scan/) - Scan with Sigma rules on endpoints
+* [Joe Sandbox](https://www.joesecurity.org/)
+* [ypsilon](https://github.com/P4T12ICK/ypsilon) - Automated Use Case Testing 
 * [RANK VASA](https://globenewswire.com/news-release/2019/03/04/1745907/0/en/RANK-Software-to-Help-MSSPs-Scale-Cybersecurity-Offerings.html)
+* [TA-Sigma-Searches](https://github.com/dstaulcu/TA-Sigma-Searches) (Splunk App)
+* [TimeSketch](https://github.com/google/timesketch/commit/0c6c4b65a6c0f2051d074e87bbb2da2424fa6c35)

 # Contribution

@@ -0,0 +1,32 @@
+#!/usr/bin/env python3
+# Remove all hunks from a patch that don't add the id attribute to minimize the impact (removed
+# comments etc.) of sigma-uuid script.
+#
+# Usually used as follows:
+# 1. Add UUIDs to rules:
+# tools/sigma-uuid -er rules
+# 2. Generate and filter patch
+# git diff | contrib/filter-uuid-patch > rule-uuid.diff
+# 3. Reset to previous state
+# git reset --hard
+# 4. Apply filtered patch
+# patch -p1 < rule-uuid.diff
+#
+# This tool requires an installed unidiff package.
+
+from unidiff import PatchSet
+from sys import argv, stdin
+
+try:
+    with open(argv[1], "r") as f:
+        patch = PatchSet(f.readlines())
+except IndexError:
+    patch = PatchSet(stdin.readlines())
+
+for patched_file in patch:
+    for h in reversed(range(len(patched_file))):
+        hunk = patched_file[h]
+        if not any([ line.is_added and line.value.startswith("id: ") for line in hunk ]):
+            del patched_file[h]
+
+print(str(patch))
@@ -0,0 +1,42 @@
+title: High DNS subdomain requests rate per domain
+id: 8198e9a8-e38f-4ba5-8f16-882b1c0f880e
+description: High rate of unique Fully Qualified Domain Names (FQDN) requests per root domain (eTLD+1) in short period of time
+author: Daniil Yugoslavskiy, oscd.community
+date: 2019/10/21
+modified: 2019/11/04
+tags:
+    - attack.exfiltration
+    - attack.t1048
+logsource:
+    category: dns
+detection:
+    dns_question_name:
+        query: "*"
+    default_list_of_well_known_domains:
+        query_etld_plus_one: 
+            - "akadns.net"
+            - "akamaiedge.net"
+            - "amazonaws.com"
+            - "apple.com"
+            - "apple-dns.net"
+            - "cloudfront.net"
+            - "icloud.com"
+            - "in-addr.arpa"
+            - "google.com"
+            - "yahoo.com"
+            - "dropbox.com"
+            - "windowsupdate.com"
+            - "microsoftonline.com"
+            - "s-microsoft.com"
+            - "office365.com"
+            - "linkedin.com"
+    timeframe: 15m
+    condition: count(subdomain) per query_etld_plus_one per computer_name > 200 and not default_list_of_well_known_domains
+    #    for each host in timeframe
+    #                for each dns_question_etld_plus_one
+    #                    if number of dns_question_name > 200
+    #                        dns_question_etld_plus_one is not in default_list_of_well_known_domains
+falsepositives:
+    - Legitimate domain name requested, which should be added to whitelist
+level: high
+status: experimental
@@ -0,0 +1,37 @@
+title: Large domain name request
+id: 14aa0d9e-c70a-4a49-bdc1-e5cbc4fc6af7
+description: Detects large DNS domain names
+author: Daniil Yugoslavskiy, oscd.community
+date: 2019/10/21
+modified: 2019/11/04
+tags:
+    - attack.exfiltration
+    - attack.t1048
+logsource:
+    category: dns
+detection:
+    selection:
+        query_length: "> 70"              # IS MORE THAN 70 bytes
+    default_list_of_well_known_domains:
+        query_etld_plus_one:
+            - "akadns.net"
+            - "akamaiedge.net"
+            - "amazonaws.com"
+            - "apple.com"
+            - "apple-dns.net"
+            - "cloudfront.net"
+            - "icloud.com"
+            - "in-addr.arpa"
+            - "google.com"
+            - "yahoo.com"
+            - "dropbox.com"
+            - "windowsupdate.com"
+            - "microsoftonline.com"
+            - "s-microsoft.com"
+            - "office365.com"
+            - "linkedin.com"
+    condition: selection and not default_list_of_well_known_domains
+falsepositives:
+    - Legitimate domain name requested, which should be added to whitelist
+level: high
+status: experimental
@@ -0,0 +1,23 @@
+title: Possible DNS Rebinding
+id: ec5b8711-b550-4879-9660-568aaae2c3ea
+status: experimental
+description: 'Detects DNS-answer with TTL <10.'
+date: 2019/10/25
+author: Ilyas Ochkov, oscd.community
+references:
+    - https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325
+tags:
+    - attack.command_and_control
+    - attack.t1043
+logsource:
+    product: dns
+detection:
+    selection:
+        answer: '*'
+    filter1:
+        ttl: '>0'
+    filter2:
+        ttl: '<10'
+    timeframe: 30s
+    condition: selection and filter1 and filter2 | count(answer) by src_ip > 3
+level: medium
@@ -0,0 +1,48 @@
+action: global
+title: Defense evasion via process reimaging
+id: 7fa4f550-850e-4117-b543-428c86ebb849
+description: Detects process reimaging defense evasion technique
+# where
+#             selection1: ImageFileName != selection1: OriginalFileName
+#             selection1: ParentProcessGuid = selection2: ProcessGuid
+#             selection1: Image = selection2: TargetFileName
+# and new field ImageFileName is coming from enrichment
+#             selection1: Image = ^.+\\<ImageFileName>$
+# Rule must trigger if selection1 and selection2 both occurs in timeframe of 120 sec.
+# Rule logic is currently not supported by SIGMA.
+# Sysmon v.10.0 or newer is required for proper detection.
+status: experimental
+author: Alexey Balandin, oscd.community
+references:
+    - https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/in-ntdll-i-trust-process-reimaging-and-endpoint-security-solution-bypass/
+tags:
+    - attack.defense_evasion
+date: 2019/10/25
+detection:
+    condition: all of them
+falsepositives:
+    - unknown
+level: high
+---
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection1:
+        category: process_creation
+fields:
+    - Image
+    - OriginalFileName
+    - ParentProcessGuid
+new_fields:
+    - ImageFileName
+---
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection2:
+        EventID: 11
+fields:
+    - ProcessGuid
+    - TargetFileName
@@ -0,0 +1,34 @@
+title: Dumping ntds.dit remotely via DCSync
+id: 51238c62-2b29-4539-ad75-e94575368a12
+description: ntds.dit retrieving using synchronisation with legitimate domain controller using Directory Replication Service Remote Protocol
+author: Teymur Kheirkhabarov, oscd.community
+date: 2019/10/24
+modified: 2019/11/13
+references:
+    - https://twitter.com/gentilkiwi/status/1003236624925413376
+    - https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2
+    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
+tags:
+    - attack.credential_access
+    - attack.t1003
+logsource:
+    product: windows
+    service: security
+detection:
+    selection1:
+        EventID: 4624
+        ComputerName: '%DomainControllersNamesList%'
+    selection2:
+        IpAddress: '%DomainControllersIpsList%'
+    selection3:
+        EventID: 4662
+        ComputerName: '%DomainControllersNamesList%'
+        SubjectLogonId: '%SuspiciousTargetLogonIdList%'
+        Properties|contains: 
+            - '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
+            - '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
+    condition: write TargetLogonId from selection1 (if not selection2) to list %SuspiciousTargetLogonIdList%; then if selection3 -> alert
+falsepositives:
+    - Legitimate administrator adding new domain controller to already existing domain
+level: medium
+status: experimental
@@ -0,0 +1,30 @@
+title: Dumping ntds.dit remotely via NetSync
+id: 757b2a11-73e7-411a-bd46-141d906e0167
+description: ntds.dit retrieving (only computer accounts) using synchronisation with legit domain controller using Netlogon Remote Protocol
+author: Teymur Kheirkhabarov, oscd.community
+date: 2019/11/01
+references:
+    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
+tags:
+    - attack.credential_access
+    - attack.t1003
+logsource:
+    product: windows
+    service: security
+detection:
+    selection1:
+        EventID: 4624
+        ComputerName: '%DomainControllersNamesList%'
+    selection2:
+        IpAddress: '%DomainControllersIpsList%'
+    selection3:
+        EventID: 5145
+        ComputerName: '%DomainControllersNamesList%'
+        ShareName|contains: '\IPC$'
+        SubjectLogonId: '%SuspiciousTargetLogonIdList%'
+        RelativeTargetName: 'netlogon'
+    condition: write TargetLogonId from selection1 (if not selection2) to list %SuspiciousTargetLogonIdList%; then if selection3 -> alert
+falsepositives:
+    - Legitimate administrator adding new domain controller to already existing domain
+level: medium
+status: experimental
@@ -1,6 +1,8 @@
 title: Python SQL Exceptions
+id: 19aefed0-ffd4-47dc-a7fc-f8b1425e84f9
 description: Generic rule for SQL exceptions in Python according to PEP 249
 author: Thomas Patzke
+date: 2017/08/12
 references:
    - https://www.python.org/dev/peps/pep-0249/#exceptions
 logsource:
@@ -17,4 +19,3 @@ falsepositives:
    - Application bugs
    - Penetration testing
 level: medium
-
@@ -1,7 +1,9 @@
 title: Suspicious SQL Error Messages
+id: 8a670c6d-7189-4b1c-8017-a417ca84a086
 status: experimental
 description: Detects SQL error messages that indicate probing for an injection attack
 author: Bjoern Kimminich
+date: 2017/11/27
 references:
    - http://www.sqlinjection.net/errors
 logsource:
@@ -1,6 +1,8 @@
-title: Django framework exceptions
+title: Django Framework Exceptions
+id: fd435618-981e-4a7c-81f8-f78ce480d616
 description: Detects suspicious Django web application framework exceptions that could indicate exploitation attempts
 author: Thomas Patzke
+date: 2017/08/05
 references:
    - https://docs.djangoproject.com/en/1.11/ref/exceptions/
    - https://docs.djangoproject.com/en/1.11/topics/logging/#django-security
@@ -28,4 +30,3 @@ falsepositives:
    - Application bugs
    - Penetration testing
 level: medium
-
@@ -1,6 +1,8 @@
-title: Ruby on Rails framework exceptions
+title: Ruby on Rails Framework Exceptions
+id: 0d2c3d4c-4b48-4ac3-8f23-ea845746bb1a
 description: Detects suspicious Ruby on Rails exceptions that could indicate exploitation attempts
 author: Thomas Patzke
+date: 2017/08/06
 references:
    - http://edgeguides.rubyonrails.org/security.html
    - http://guides.rubyonrails.org/action_controller_overview.html
@@ -21,4 +23,3 @@ falsepositives:
    - Application bugs
    - Penetration testing
 level: medium
-
@@ -1,6 +1,8 @@
-title: Spring framework exceptions
+title: Spring Framework Exceptions
+id: ae48ab93-45f7-4051-9dfe-5d30a3f78e33
 description: Detects suspicious Spring framework exceptions that could indicate exploitation attempts
 author: Thomas Patzke
+date: 2017/08/06
 references:
    - https://docs.spring.io/spring-security/site/docs/current/apidocs/overview-tree.html
 logsource:
@@ -20,4 +22,3 @@ falsepositives:
    - Application bugs
    - Penetration testing
 level: medium
-
@@ -0,0 +1,33 @@
+title: Silence.Downloader V3
+id: 170901d1-de11-4de7-bccb-8fa13678d857
+status: experimental
+description: Detects Silence downloader. These commands are hardcoded into the binary.
+author: Alina Stepchenkova, Roman Rezvukhin, Group-IB, oscd.community
+date: 2019/11/01
+modified: 2019/11/22
+tags:
+    - attack.persistence
+    - attack.g0091
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_recon:
+        Image|endswith:
+            - '\tasklist.exe'
+            - '\qwinsta.exe'
+            - '\ipconfig.exe'
+            - '\hostname.exe'
+        CommandLine|contains: '>>'
+        CommandLine|endswith: 'temps.dat'
+    selection_persistence:
+        CommandLine|contains: '/C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WinNetworkSecurity" /t REG_SZ /d'
+    condition: selection_recon | near selection_persistence # requires both
+fields:
+    - ComputerName
+    - User
+    - Image
+    - CommandLine
+falsepositives:
+    - Unknown
+level: high
@@ -0,0 +1,34 @@
+title: Silence.EDA Detection
+id: 3ceb2083-a27f-449a-be33-14ec1b7cc973
+status: experimental
+description: Detects Silence empireDNSagent
+author: Alina Stepchenkova, Group-IB, oscd.community
+date: 2019/11/01
+modified: 2019/11/20
+tags:
+    - attack.g0091
+    - attack.s0363
+logsource:
+    product: windows
+    service: powershell
+detection:
+    empire:
+        ScriptBlockText|contains|all:           # better to randomise the order
+            - 'System.Diagnostics.Process'
+            - 'Stop-Computer'
+            - 'Restart-Computer'
+            - 'Exception in execution'
+            - '$cmdargs'
+            - 'Close-Dnscat2Tunnel'
+    dnscat:
+         ScriptBlockText|contains|all:          # better to randomise the order
+            - 'set type=$LookupType`nserver'
+            - '$Command | nslookup 2>&1 | Out-String'
+            - 'New-RandomDNSField'
+            - '[Convert]::ToString($SYNOptions, 16)'
+            - '$Session.Dead = $True'
+            - '$Session["Driver"] -eq'
+    condition: empire and dnscat
+falsepositives:
+    - Unknown
+level: critical
@@ -1,19 +0,0 @@
-title: Sofacy Zebrocy
-author: Florian Roth
-description: Detects Sofacy's Zebrocy malware execution
-references:
-    - https://app.any.run/tasks/54acca9a-394e-4384-a0c8-91a96d36c81d
-tags:
-    - attack.execution
-    - attack.g0020
-    - attack.t1059
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        CommandLine: '*cmd.exe /c SYSTEMINFO & TASKLIST'
-    condition: selection
-falsepositives:
-    - Unknown
-level: critical
@@ -0,0 +1,24 @@
+title: AWS CloudTrail Important Change
+id: 4db60cc0-36fb-42b7-9b58-a5b53019fb74
+status: experimental
+author: vitaliy0x1
+date: 2020/01/21
+description: Detects disabling, deleting and updating of a Trail
+references:
+  - https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.html
+logsource:
+  service: cloudtrail
+detection:
+  selection_source:
+    - eventSource: cloudtrail.amazonaws.com
+  events:
+    - eventName:
+        - StopLogging
+        - UpdateTrail
+        - DeleteTrail
+  condition: selection_source AND events
+level: medium
+falsepositives:
+    - Valid change in a Trail
+tags:
+  - attack.t1089
@@ -0,0 +1,21 @@
+title: AWS Config Disabling Channel/Recorder
+id: 07330162-dba1-4746-8121-a9647d49d297
+status: experimental
+author: vitaliy0x1
+date: 2020/01/21
+description: Detects AWS Config Service disabling
+logsource:
+  service: cloudtrail
+detection:
+  selection_source:
+    - eventSource: config.amazonaws.com
+  events:
+    - eventName:
+        - DeleteDeliveryChannel
+        - StopConfigurationRecorder
+  condition: selection_source AND events
+level: high
+falsepositives:
+    - Valid change in AWS Config Service
+tags:
+  - attack.t1089
@@ -0,0 +1,24 @@
+title: AWS EC2 Download Userdata
+id: 26ff4080-194e-47e7-9889-ef7602efed0c
+status: experimental
+author: faloker
+date: 2020/02/11
+description: Detects bulk downloading of User Data associated with AWS EC2 instances. Instance User Data may include installation scripts and hard-coded secrets for deployment.
+references:
+    - https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/ec2__download_userdata/main.py#L24
+logsource:
+    service: cloudtrail
+detection:
+    selection_source:
+        - eventSource: ec2.amazonaws.com
+    selection_requesttype:
+        - requestParameters.attribute: userData
+    selection_eventname:
+        - eventName: DescribeInstanceAttribute
+    timeframe: 30m
+    condition: all of them | count() > 10
+level: medium
+falsepositives:
+    - Assets management software like device42
+tags:
+    - attack.t1020
@@ -0,0 +1,23 @@
+title: AWS EC2 Startup Shell Script Change
+id: 1ab3c5ed-5baf-417b-bb6b-78ca33f6c3df
+status: experimental
+author: faloker
+date: 2020/02/12
+description: Detects changes to the EC2 instance startup script. The shell script will be executed as root/SYSTEM everytime the specific instances are booted up.
+references:
+    - https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/ec2__startup_shell_script/main.py#L9
+logsource:
+    service: cloudtrail
+detection:
+    selection_source:
+        - eventSource: ec2.amazonaws.com
+    selection_userdata:
+        - requestParameters.userData: "*"
+    selection_eventname:
+        - eventName: ModifyInstanceAttribute
+    condition: all of them
+level: high
+falsepositives:
+    - Valid changes to the startup script
+tags:
+    - attack.t1064
@@ -0,0 +1,21 @@
+title: AWS GuardDuty Important Change
+id: 6e61ee20-ce00-4f8d-8aee-bedd8216f7e3
+status: experimental
+author: faloker
+date: 2020/02/11
+description: Detects updates of the GuardDuty list of trusted IPs, perhaps to disable security alerts against malicious IPs.
+references:
+    - https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/guardduty__whitelist_ip/main.py#L9
+logsource:
+    service: cloudtrail
+detection:
+    selection_source:
+        - eventSource: guardduty.amazonaws.com
+    selection_eventName:
+        - eventName: CreateIPSet
+    condition: all of them
+level: high
+falsepositives:
+    - Valid change in the GuardDuty (e.g. to ignore internal scanners)
+tags:
+    - attack.t1089
@@ -0,0 +1,29 @@
+title: AWS IAM Backdoor Users Keys
+id: 0a5177f4-6ca9-44c2-aacf-d3f3d8b6e4d2
+status: experimental
+author: faloker
+date: 2020/02/12
+description: Detects AWS API key creation for a user by another user. Backdoored users can be used to obtain persistence in the AWS environment. Also with this alert, you can detect a flow of AWS keys in your org.
+references:
+    - https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/iam__backdoor_users_keys/main.py#L6
+logsource:
+    service: cloudtrail
+detection:
+    selection_source:
+        - eventSource: iam.amazonaws.com
+    selection_eventname:
+        - eventName: CreateAccessKey
+    filter:
+        userIdentity.arn|contains: responseElements.accessKey.userName
+    condition: all of selection* and not filter
+fields:
+    - userIdentity.arn
+    - responseElements.accessKey.userName
+    - errorCode
+    - errorMessage
+level: medium
+falsepositives:
+    - Adding user keys to their own accounts (the filter cannot cover all possible variants of user naming)
+    - AWS API keys legitimate exchange workflows
+tags:
+    - attack.t1098
@@ -0,0 +1,23 @@
+title: AWS RDS Master Password Change
+id: 8a63cdd4-6207-414a-85bc-7e032bd3c1a2
+status: experimental
+author: faloker
+date: 2020/02/12
+description: Detects the change of database master password. It may be a part of data exfiltration.
+references:
+    - https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/rds__explore_snapshots/main.py#L10
+logsource:
+    service: cloudtrail
+detection:
+    selection_source:
+        - eventSource: rds.amazonaws.com
+    selection_modified_values:
+        - responseElements.pendingModifiedValues.masterUserPassword: "*"
+    selection_eventname:
+        - eventName: ModifyDBInstance
+    condition: all of them
+level: medium
+falsepositives:
+    - Benign changes to a db instance
+tags:
+    - attack.t1020
@@ -0,0 +1,23 @@
+title: Restore Public AWS RDS Instance
+id: c3f265c7-ff03-4056-8ab2-d486227b4599
+status: experimental
+author: faloker
+date: 2020/02/12
+description: Detects the recovery of a new public database instance from a snapshot. It may be a part of data exfiltration.
+references:
+    - https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/rds__explore_snapshots/main.py#L10
+logsource:
+    service: cloudtrail
+detection:
+    selection_source:
+        - eventSource: rds.amazonaws.com
+    selection_ispublic:
+        - responseElements.publiclyAccessible: "true"
+    selection_eventname:
+        - eventName: RestoreDBInstanceFromDBSnapshot
+    condition: all of them
+level: high
+falsepositives:
+    - unknown
+tags:
+    - attack.t1020
@@ -0,0 +1,21 @@
+title: AWS Root Credentials
+id: 8ad1600d-e9dc-4251-b0ee-a65268f29add
+status: experimental
+author: vitaliy0x1
+date: 2020/01/21
+description: Detects AWS root account usage
+references:
+  - https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html
+logsource:
+  service: cloudtrail
+detection:
+  selection_usertype:
+    - userIdentity.type: Root
+  selection_eventtype:
+    - eventType: AwsServiceEvent
+  condition: selection_usertype AND NOT selection_eventtype
+level: medium
+falsepositives:
+    - AWS Tasks That Require AWS Account Root User Credentials https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html
+tags:
+  - attack.t1078
@@ -1,109 +1,111 @@
 action: global
 title: Cleartext Protocol Usage
-description: Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels. Ensure that an encryption is used for all sensitive information in transit. Ensure that an encrypted channels is used  for all administrative account access.
+id: 7e4bfe58-4a47-4709-828d-d86c78b7cc1f
+description: Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels. Ensure that an encryption
+    is used for all sensitive information in transit. Ensure that an encrypted channels is used  for all administrative account access.
 references:
- https://www.cisecurity.org/controls/cis-controls-list/
- https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
- https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
+    - https://www.cisecurity.org/controls/cis-controls-list/
+    - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
+    - https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
 author: Alexandr Yampolskyi, SOC Prime
 status: stable
 date: 2019/03/26
 falsepositives:
- unknown
+    - unknown
 level: low
 tags:
- CSC4
- CSC4.5
- CSC14
- CSC14.4
- CSC16
- CSC16.5
- NIST CSF 1.1 PR.AT-2
- NIST CSF 1.1 PR.MA-2
- NIST CSF 1.1 PR.PT-3
- NIST CSF 1.1 PR.AC-1
- NIST CSF 1.1 PR.AC-4
- NIST CSF 1.1 PR.AC-5
- NIST CSF 1.1 PR.AC-6
- NIST CSF 1.1 PR.AC-7
- NIST CSF 1.1 PR.DS-1
- NIST CSF 1.1 PR.DS-2
- NIST CSF 1.1 PR.PT-3
- NIST CSF 1.1 PR.PT-3
- ISO 27002-2013 A.9.2.1
- ISO 27002-2013 A.9.2.2
- ISO 27002-2013 A.9.2.3
- ISO 27002-2013 A.9.2.4
- ISO 27002-2013 A.9.2.5
- ISO 27002-2013 A.9.2.6
- ISO 27002-2013 A.9.3.1
- ISO 27002-2013 A.9.4.1
- ISO 27002-2013 A.9.4.2
- ISO 27002-2013 A.9.4.3
- ISO 27002-2013 A.9.4.4
- ISO 27002-2013 A.8.3.1
- ISO 27002-2013 A.9.1.1
- ISO 27002-2013 A.10.1.1
- PCI DSS 3.2 2.1
- PCI DSS 3.2 8.1
- PCI DSS 3.2 8.2
- PCI DSS 3.2 8.3
- PCI DSS 3.2 8.7
- PCI DSS 3.2 8.8
- PCI DSS 3.2 1.3
- PCI DSS 3.2 1.4
- PCI DSS 3.2 4.3
- PCI DSS 3.2 7.1
- PCI DSS 3.2 7.2
- PCI DSS 3.2 7.3
+    - CSC4
+    - CSC4.5
+    - CSC14
+    - CSC14.4
+    - CSC16
+    - CSC16.5
+    - NIST CSF 1.1 PR.AT-2
+    - NIST CSF 1.1 PR.MA-2
+    - NIST CSF 1.1 PR.PT-3
+    - NIST CSF 1.1 PR.AC-1
+    - NIST CSF 1.1 PR.AC-4
+    - NIST CSF 1.1 PR.AC-5
+    - NIST CSF 1.1 PR.AC-6
+    - NIST CSF 1.1 PR.AC-7
+    - NIST CSF 1.1 PR.DS-1
+    - NIST CSF 1.1 PR.DS-2
+    - NIST CSF 1.1 PR.PT-3
+    - NIST CSF 1.1 PR.PT-3
+    - ISO 27002-2013 A.9.2.1
+    - ISO 27002-2013 A.9.2.2
+    - ISO 27002-2013 A.9.2.3
+    - ISO 27002-2013 A.9.2.4
+    - ISO 27002-2013 A.9.2.5
+    - ISO 27002-2013 A.9.2.6
+    - ISO 27002-2013 A.9.3.1
+    - ISO 27002-2013 A.9.4.1
+    - ISO 27002-2013 A.9.4.2
+    - ISO 27002-2013 A.9.4.3
+    - ISO 27002-2013 A.9.4.4
+    - ISO 27002-2013 A.8.3.1
+    - ISO 27002-2013 A.9.1.1
+    - ISO 27002-2013 A.10.1.1
+    - PCI DSS 3.2 2.1
+    - PCI DSS 3.2 8.1
+    - PCI DSS 3.2 8.2
+    - PCI DSS 3.2 8.3
+    - PCI DSS 3.2 8.7
+    - PCI DSS 3.2 8.8
+    - PCI DSS 3.2 1.3
+    - PCI DSS 3.2 1.4
+    - PCI DSS 3.2 4.3
+    - PCI DSS 3.2 7.1
+    - PCI DSS 3.2 7.2
+    - PCI DSS 3.2 7.3
 ---
 logsource:
-  product: netflow
+    product: netflow
 detection:
-  selection:
-    destination.port:
-    - 8080
-    - 21
-    - 80
-    - 23
-    - 50000
-    - 1521
-    - 27017
-    - 1433
-    - 11211
-    - 3306
-    - 15672
-    - 5900
-    - 5901
-    - 5902
-    - 5903
-    - 5904
-  condition: selection
+    selection:
+        destination.port:
+            - 8080
+            - 21
+            - 80
+            - 23
+            - 50000
+            - 1521
+            - 27017
+            - 1433
+            - 11211
+            - 3306
+            - 15672
+            - 5900
+            - 5901
+            - 5902
+            - 5903
+            - 5904
+    condition: selection
 ---
 logsource:
-  product: firewall
+    product: firewall
 detection:
-  selection1:
-    destination.port:
-    - 8080
-    - 21
-    - 80
-    - 23
-    - 50000
-    - 1521
-    - 27017
-    - 3306
-    - 1433
-    - 11211
-    - 15672
-    - 5900
-    - 5901
-    - 5902
-    - 5903
-    - 5904
-  selection2:
-    action:
-    - forward
-    - accept
-    - 2
-  condition: selection1 AND selection2
+    selection1:
+        destination.port:
+            - 8080
+            - 21
+            - 80
+            - 23
+            - 50000
+            - 1521
+            - 27017
+            - 3306
+            - 1433
+            - 11211
+            - 15672
+            - 5900
+            - 5901
+            - 5902
+            - 5903
+            - 5904
+    selection2:
+        action:
+            - forward
+            - accept
+            - 2
+    condition: selection1 AND selection2
@@ -1,107 +1,109 @@
 title: Default Credentials Usage
-description: Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts. Sigma detects default credentials usage. Sigma for Qualys vulnerability scanner. Scan type - Vulnerability Management.
+id: 1a395cbc-a84a-463a-9086-ed8a70e573c7
+description: Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts. Sigma detects default credentials
+    usage. Sigma for Qualys vulnerability scanner. Scan type - Vulnerability Management.
 author: Alexandr Yampolskyi, SOC Prime
 status: stable
 references:
- https://www.cisecurity.org/controls/cis-controls-list/
- https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
- https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
- https://community.qualys.com/docs/DOC-6406-reporting-toolbox-focused-search-lists
+    - https://www.cisecurity.org/controls/cis-controls-list/
+    - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
+    - https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
+    - https://community.qualys.com/docs/DOC-6406-reporting-toolbox-focused-search-lists
 date: 2019/03/26
 logsource:
-  product: qualys
+    product: qualys
 detection:
-  selection:
-    host.scan.vuln:
-    - 10693
-    - 11507
-    - 11633
-    - 11804
-    - 11821
-    - 11847
-    - 11867
-    - 11931
-    - 11935
-    - 11950
-    - 12541
-    - 12558
-    - 12559
-    - 12560
-    - 12562
-    - 12563
-    - 12565
-    - 12587
-    - 12590
-    - 12599
-    - 12702
-    - 12705
-    - 12706
-    - 12907
-    - 12928
-    - 12929
-    - 13053
-    - 13178
-    - 13200
-    - 13218
-    - 13241
-    - 13253
-    - 13274
-    - 13296
-    - 13301
-    - 13327
-    - 13373
-    - 13374
-    - 13409
-    - 13530
-    - 13532
-    - 20065
-    - 20073
-    - 20081
-    - 27202
-    - 27358
-    - 38702
-    - 38719
-    - 42045
-    - 42417
-    - 43029
-    - 43220
-    - 43221
-    - 43222
-    - 43223
-    - 43225
-    - 43246
-    - 43431
-    - 43484
-    - 86857
-    - 87098
-    - 87106
-  condition: selection
+    selection:
+        host.scan.vuln:
+            - 10693
+            - 11507
+            - 11633
+            - 11804
+            - 11821
+            - 11847
+            - 11867
+            - 11931
+            - 11935
+            - 11950
+            - 12541
+            - 12558
+            - 12559
+            - 12560
+            - 12562
+            - 12563
+            - 12565
+            - 12587
+            - 12590
+            - 12599
+            - 12702
+            - 12705
+            - 12706
+            - 12907
+            - 12928
+            - 12929
+            - 13053
+            - 13178
+            - 13200
+            - 13218
+            - 13241
+            - 13253
+            - 13274
+            - 13296
+            - 13301
+            - 13327
+            - 13373
+            - 13374
+            - 13409
+            - 13530
+            - 13532
+            - 20065
+            - 20073
+            - 20081
+            - 27202
+            - 27358
+            - 38702
+            - 38719
+            - 42045
+            - 42417
+            - 43029
+            - 43220
+            - 43221
+            - 43222
+            - 43223
+            - 43225
+            - 43246
+            - 43431
+            - 43484
+            - 86857
+            - 87098
+            - 87106
+    condition: selection
 falsepositives:
- unknown
+    - unknown
 level: medium
 tags:
- CSC4
- CSC4.2
- NIST CSF 1.1 PR.AC-4
- NIST CSF 1.1 PR.AT-2
- NIST CSF 1.1 PR.MA-2
- NIST CSF 1.1 PR.PT-3
- ISO 27002-2013 A.9.1.1
- ISO 27002-2013 A.9.2.2
- ISO 27002-2013 A.9.2.3
- ISO 27002-2013 A.9.2.4
- ISO 27002-2013 A.9.2.5
- ISO 27002-2013 A.9.2.6
- ISO 27002-2013 A.9.3.1
- ISO 27002-2013 A.9.4.1
- ISO 27002-2013 A.9.4.2
- ISO 27002-2013 A.9.4.3
- ISO 27002-2013 A.9.4.4
- PCI DSS 3.2 2.1
- PCI DSS 3.2 7.1
- PCI DSS 3.2 7.2
- PCI DSS 3.2 7.3
- PCI DSS 3.2 8.1
- PCI DSS 3.2 8.2
- PCI DSS 3.2 8.3
- PCI DSS 3.2 8.7
+    - CSC4
+    - CSC4.2
+    - NIST CSF 1.1 PR.AC-4
+    - NIST CSF 1.1 PR.AT-2
+    - NIST CSF 1.1 PR.MA-2
+    - NIST CSF 1.1 PR.PT-3
+    - ISO 27002-2013 A.9.1.1
+    - ISO 27002-2013 A.9.2.2
+    - ISO 27002-2013 A.9.2.3
+    - ISO 27002-2013 A.9.2.4
+    - ISO 27002-2013 A.9.2.5
+    - ISO 27002-2013 A.9.2.6
+    - ISO 27002-2013 A.9.3.1
+    - ISO 27002-2013 A.9.4.1
+    - ISO 27002-2013 A.9.4.2
+    - ISO 27002-2013 A.9.4.3
+    - ISO 27002-2013 A.9.4.4
+    - PCI DSS 3.2 2.1
+    - PCI DSS 3.2 7.1
+    - PCI DSS 3.2 7.2
+    - PCI DSS 3.2 7.3
+    - PCI DSS 3.2 8.1
+    - PCI DSS 3.2 8.2
+    - PCI DSS 3.2 8.3
+    - PCI DSS 3.2 8.7
@@ -1,57 +1,61 @@
 title: Group Modification Logging
-description: Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges. Sigma detects Event ID 4728 indicates a ‘Member is added to a Security Group’. Event ID 4729 indicates a ‘Member is removed from a Security enabled-group’. Event ID 4730 indicates a‘Security Group is deleted’. The case is not applicable for Unix OS. Supported OS - Windows 2008 R2 and 7, Windows 2012 R2 and 8.1, Windows 2016 and 10 Windows Server 2019, Windows Server 2000, Windows 2003 and XP.
+id: 9cf01b6c-e723-4841-a868-6d7f8245ca6e
+description: "Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges. Sigma detects\
+    \ Event ID 4728 indicates a \u2018Member is added to a Security Group\u2019. Event ID 4729 indicates a \u2018Member is removed from a Security enabled-group\u2019\
+    . Event ID 4730 indicates a\u2018Security Group is deleted\u2019. The case is not applicable for Unix OS. Supported OS - Windows 2008 R2 and 7, Windows 2012 R2\
+    \ and 8.1, Windows 2016 and 10 Windows Server 2019, Windows Server 2000, Windows 2003 and XP."
 author: Alexandr Yampolskyi, SOC Prime
 status: stable
 references:
- https://www.cisecurity.org/controls/cis-controls-list/
- https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
- https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4729
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4730
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=633
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=632
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=634
+    - https://www.cisecurity.org/controls/cis-controls-list/
+    - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
+    - https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
+    - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728
+    - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4729
+    - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4730
+    - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=633
+    - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=632
+    - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=634
 date: 2019/03/26
 logsource:
-  product: windows
-  service: security
+    product: windows
+    service: security
 detection:
-  selection:
-    EventID:
-    - 4728
-    - 4729
-    - 4730
-    - 633
-    - 632
-    - 634
-  condition: selection
+    selection:
+        EventID:
+            - 4728
+            - 4729
+            - 4730
+            - 633
+            - 632
+            - 634
+    condition: selection
 falsepositives:
- unknown
+    - unknown
 level: low
 tags:
- CSC4
- CSC4.8
- NIST CSF 1.1 PR.AC-4
- NIST CSF 1.1 PR.AT-2
- NIST CSF 1.1 PR.MA-2
- NIST CSF 1.1 PR.PT-3
- ISO 27002-2013 A.9.1.1
- ISO 27002-2013 A.9.2.2
- ISO 27002-2013 A.9.2.3
- ISO 27002-2013 A.9.2.4
- ISO 27002-2013 A.9.2.5
- ISO 27002-2013 A.9.2.6
- ISO 27002-2013 A.9.3.1
- ISO 27002-2013 A.9.4.1
- ISO 27002-2013 A.9.4.2
- ISO 27002-2013 A.9.4.3
- ISO 27002-2013 A.9.4.4
- PCI DSS 3.2 2.1
- PCI DSS 3.2 7.1
- PCI DSS 3.2 7.2
- PCI DSS 3.2 7.3
- PCI DSS 3.2 8.1
- PCI DSS 3.2 8.2
- PCI DSS 3.2 8.3
- PCI DSS 3.2 8.7
+    - CSC4
+    - CSC4.8
+    - NIST CSF 1.1 PR.AC-4
+    - NIST CSF 1.1 PR.AT-2
+    - NIST CSF 1.1 PR.MA-2
+    - NIST CSF 1.1 PR.PT-3
+    - ISO 27002-2013 A.9.1.1
+    - ISO 27002-2013 A.9.2.2
+    - ISO 27002-2013 A.9.2.3
+    - ISO 27002-2013 A.9.2.4
+    - ISO 27002-2013 A.9.2.5
+    - ISO 27002-2013 A.9.2.6
+    - ISO 27002-2013 A.9.3.1
+    - ISO 27002-2013 A.9.4.1
+    - ISO 27002-2013 A.9.4.2
+    - ISO 27002-2013 A.9.4.3
+    - ISO 27002-2013 A.9.4.4
+    - PCI DSS 3.2 2.1
+    - PCI DSS 3.2 7.1
+    - PCI DSS 3.2 7.2
+    - PCI DSS 3.2 7.3
+    - PCI DSS 3.2 8.1
+    - PCI DSS 3.2 8.2
+    - PCI DSS 3.2 8.3
+    - PCI DSS 3.2 8.7
@@ -1,29 +1,30 @@
 title: Host Without Firewall
+id: 6b2066c8-3dc7-4db7-9db0-6cc1d7b0dde9
 description: Host Without Firewall. Alert means not complied. Sigma for Qualys vulnerability scanner. Scan type - Vulnerability Management.
 author: Alexandr Yampolskyi, SOC Prime
 references:
- https://www.cisecurity.org/controls/cis-controls-list/
- https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
- https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
+    - https://www.cisecurity.org/controls/cis-controls-list/
+    - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
+    - https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
 date: 2019/03/19
 status: stable
 level: low
 logsource:
-  product: Qualys
+    product: Qualys
 detection:
-  selection:
-    event.category: Security Policy
-    host.scan.vuln_name: Firewall Product Not Detected*
-  condition: selection
+    selection:
+        event.category: Security Policy
+        host.scan.vuln_name: Firewall Product Not Detected*
+    condition: selection
 tags:
- CSC9
- CSC9.4
- NIST CSF 1.1 PR.AC-5
- NIST CSF 1.1 PR.AC-6
- NIST CSF 1.1 PR.AC-7
- NIST CSF 1.1 DE.AE-1
- ISO 27002-2013 A.9.1.2
- ISO 27002-2013 A.13.2.1
- ISO 27002-2013 A.13.2.2
- ISO 27002-2013 A.14.1.2
- PCI DSS 3.2 1.4
+    - CSC9
+    - CSC9.4
+    - NIST CSF 1.1 PR.AC-5
+    - NIST CSF 1.1 PR.AC-6
+    - NIST CSF 1.1 PR.AC-7
+    - NIST CSF 1.1 DE.AE-1
+    - ISO 27002-2013 A.9.1.2
+    - ISO 27002-2013 A.13.2.1
+    - ISO 27002-2013 A.13.2.2
+    - ISO 27002-2013 A.14.1.2
+    - PCI DSS 3.2 1.4
@@ -1,45 +1,47 @@
 title: Locked Workstation
-description: Automatically lock workstation sessions after a standard period of inactivity. The case is not applicable for Unix OS. Supported OS - Windows 2008 R2 and 7, Windows 2012 R2 and 8.1, Windows 2016 and 10 Windows Server 2019.
+id: 411742ad-89b0-49cb-a7b0-3971b5c1e0a4
+description: Automatically lock workstation sessions after a standard period of inactivity. The case is not applicable for Unix OS. Supported OS - Windows 2008 R2
+    and 7, Windows 2012 R2 and 8.1, Windows 2016 and 10 Windows Server 2019.
 author: Alexandr Yampolskyi, SOC Prime
 status: stable
 references:
- https://www.cisecurity.org/controls/cis-controls-list/
- https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
- https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4800
+    - https://www.cisecurity.org/controls/cis-controls-list/
+    - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
+    - https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
+    - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4800
 date: 2019/03/26
 logsource:
-  product: windows
-  service: security
+    product: windows
+    service: security
 detection:
-  selection:
-    EventID:
-    - 4800
-  condition: selection
+    selection:
+        EventID:
+            - 4800
+    condition: selection
 falsepositives:
- unknown
+    - unknown
 level: low
 tags:
- CSC16
- CSC16.11
- ISO27002-2013 A.9.1.1
- ISO27002-2013 A.9.2.1
- ISO27002-2013 A.9.2.2
- ISO27002-2013 A.9.2.3
- ISO27002-2013 A.9.2.4
- ISO27002-2013 A.9.2.5
- ISO27002-2013 A.9.2.6
- ISO27002-2013 A.9.3.1
- ISO27002-2013 A.9.4.1
- ISO27002-2013 A.9.4.3
- ISO27002-2013 A.11.2.8
- PCI DSS 3.1 7.1
- PCI DSS 3.1 7.2
- PCI DSS 3.1 7.3
- PCI DSS 3.1 8.7
- PCI DSS 3.1 8.8
- NIST CSF 1.1 PR.AC-1
- NIST CSF 1.1 PR.AC-4
- NIST CSF 1.1 PR.AC-6
- NIST CSF 1.1 PR.AC-7
- NIST CSF 1.1 PR.PT-3
+    - CSC16
+    - CSC16.11
+    - ISO27002-2013 A.9.1.1
+    - ISO27002-2013 A.9.2.1
+    - ISO27002-2013 A.9.2.2
+    - ISO27002-2013 A.9.2.3
+    - ISO27002-2013 A.9.2.4
+    - ISO27002-2013 A.9.2.5
+    - ISO27002-2013 A.9.2.6
+    - ISO27002-2013 A.9.3.1
+    - ISO27002-2013 A.9.4.1
+    - ISO27002-2013 A.9.4.3
+    - ISO27002-2013 A.11.2.8
+    - PCI DSS 3.1 7.1
+    - PCI DSS 3.1 7.2
+    - PCI DSS 3.1 7.3
+    - PCI DSS 3.1 8.7
+    - PCI DSS 3.1 8.8
+    - NIST CSF 1.1 PR.AC-1
+    - NIST CSF 1.1 PR.AC-4
+    - NIST CSF 1.1 PR.AC-6
+    - NIST CSF 1.1 PR.AC-7
+    - NIST CSF 1.1 PR.PT-3
@@ -0,0 +1,25 @@
+title: Brute Force
+id: 53c7cca0-2901-493a-95db-d00d6fcf0a37
+description: Detects many authentication failures from one source to one destination which is may indicate Brute Force activity
+tags:
+    - attack.t1110
+author: Aleksandr Akhremchik, oscd.community
+date: 2019/10/25
+status: experimental
+logsource:
+    category: authentication
+detection:
+    selection:
+         action: failure
+    timeframe: 600s
+    condition: selection | count(category) by dst_ip > 30
+fields:
+    - src_ip
+    - dst_ip
+    - user
+falsepositives:
+    - Inventarization
+    - Penetration testing
+    - Vulnerability scanner
+    - Legitimate application
+level: medium
@@ -1,4 +1,5 @@
-title: Detects Suspicious edit of .bash_profile and .bashrc on Linux systems
+title: Edit of .bash_profile and .bashrc
+id: e74e15cc-c4b6-4c80-b7eb-dfe49feb7fe9
 status: experimental
 description: Detects change of user environment. Adversaries can insert code into these files to gain persistence each time a user logs in or opens a new shell.
 references:
@@ -17,7 +18,7 @@ detection:
        type: 'PATH'
        name:
            - '/home/*/.bashrc'
-            - '/home/*/.bash_profile' 
+            - '/home/*/.bash_profile'
            - '/home/*/.profile'
            - '/etc/profile'
            - '/etc/shells'
@@ -0,0 +1,34 @@
+title: Auditing Configuration Changes on Linux Host
+id: 977ef627-4539-4875-adf4-ed8f780c4922
+description: Detect changes in auditd configuration files
+    # Example config for this one (place it at the top of audit.rules)
+    # -w /etc/audit/ -p wa -k etc_modify_auditconfig
+    # -w /etc/libaudit.conf -p wa -k etc_modify_libauditconfig
+    # -w /etc/audisp/ -p wa -k etc_modify_audispconfig
+references:
+    - https://github.com/Neo23x0/auditd/blob/master/audit.rules
+    - self experience
+tags:
+    - attack.defense_evasion
+    - attack.t1054
+author: Mikhail Larin, oscd.community
+status: experimental
+date: 2019/10/25
+logsource:
+    product: linux
+    service: auditd
+detection:
+    selection:
+        type: PATH
+        name:
+            - /etc/audit/*
+            - /etc/libaudit.conf
+            - /etc/audisp/*
+    condition: selection
+fields:
+    - exe
+    - comm
+    - key
+falsepositives:
+    - Legitimate administrative activity
+level: high
@@ -0,0 +1,24 @@
+title: Modification of ld.so.preload
+id: 4b3cb710-5e83-4715-8c45-8b2b5b3e5751
+description: Identifies modification of ld.so.preload for shared object injection. This technique is used by attackers to load arbitrary code into processes.
+status: experimental
+author: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community
+date: 2019/10/24
+modified: 2019/11/11
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055/T1055.yaml
+    - https://eqllib.readthedocs.io/en/latest/analytics/fd9b987a-1101-4ed3-bda6-a70300eaf57e.html
+tags:
+    - attack.defense_evasion
+    - attack.t1055
+logsource:
+    product: linux
+    service: auditd
+detection:
+    selection:
+        type: 'PATH'
+        name: '/etc/ld.so.preload'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
@@ -0,0 +1,33 @@
+title: Logging Configuration Changes on Linux Host
+id: c830f15d-6f6e-430f-8074-6f73d6807841
+description: Detect changes of syslog daemons configuration files
+    # Example config for this one (place it at the top of audit.rules)
+    # -w /etc/syslog.conf -p wa -k etc_modify_syslogconfig
+    # -w /etc/rsyslog.conf -p wa -k etc_modify_rsyslogconfig
+    # -w /etc/syslog-ng/syslog-ng.conf -p wa -k etc_modify_syslogngconfig
+references:
+    - self experience
+tags:
+    - attack.defense_evasion
+    - attack.t1054
+author: Mikhail Larin, oscd.community
+status: experimental
+date: 2019/10/25
+logsource:
+    product: linux
+    service: auditd
+detection:
+    selection:
+        type: 'PATH'
+        name:
+            - /etc/syslog.conf
+            - /etc/rsyslog.conf
+            - /etc/syslog-ng/syslog-ng.conf
+    condition: selection
+fields:
+    - exe
+    - comm
+    - key
+falsepositives:
+    - Legitimate administrative activity
+level: high
@@ -0,0 +1,24 @@
+title: Masquerading as Linux Crond Process
+id: 9d4548fa-bba0-4e88-bd66-5d5bf516cda0
+status: experimental
+description: Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and
+    observation. Several different variations of this technique have been observed.
+author: Timur Zinniatullin, oscd.community
+date: 2019/10/21
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.yaml
+logsource:
+    product: linux
+    service: auditd
+detection:
+    selection:
+        type: 'execve'
+        a0: 'cp'
+        a1: '-i'
+        a2: '/bin/sh'
+        a3: '*/crond'
+    condition: selection
+level: medium
+tags:
+    - attack.defense_evasion
+    - attack.t1036
@@ -1,8 +1,9 @@
-title: Detects Suspicious Commands on Linux systems
+title: Suspicious Commands Linux
+id: 1543ae20-cbdf-4ec1-8d12-7664d667a825
 status: experimental
 description: Detects relevant commands often related to malware or hacking activity
 references:
-    - 'Internal Research - mostly derived from exploit code including code in MSF'
+    - Internal Research - mostly derived from exploit code including code in MSF
 date: 2017/12/12
 author: Florian Roth
 logsource:
@@ -17,7 +18,7 @@ detection:
        type: 'EXECVE'
        a0: 'chmod'
        a1: 'u+s'
-    cmd3: 
+    cmd3:
        type: 'EXECVE'
        a0: 'cp'
        a1: '/bin/ksh'
@@ -28,4 +29,4 @@ detection:
    condition: 1 of them
 falsepositives:
    - Admin activity
-level: medium
+level: medium
@@ -1,8 +1,9 @@
 title: Program Executions in Suspicious Folders
+id: a39d7fa7-3fbd-4dc2-97e1-d87f546b1bbc
 status: experimental
 description: Detects program executions in suspicious non-program folders related to malware or hacking activity
 references:
-    - 'Internal Research'
+    - Internal Research
 date: 2018/01/23
 author: Florian Roth
 logsource:
@@ -0,0 +1,26 @@
+title: System Owner or User Discovery
+id: 9a0d8ca0-2385-4020-b6c6-cb6153ca56f3
+status: experimental
+description: Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not
+    the adversary fully infects the target and/or attempts specific actions.
+author: Timur Zinniatullin, oscd.community
+date: 2019/10/21
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.yaml
+logsource:
+    product: linux
+    service: auditd
+detection:
+    selection:
+        type: 'EXECVE'
+        a0:
+            - 'users'
+            - 'w'
+            - 'who'
+    condition: selection
+falsepositives:
+    - Admin activity
+level: low
+tags:
+    - attack.discovery
+    - attack.t1033
@@ -0,0 +1,25 @@
+title: Webshell Remote Command Execution
+id: c0d3734d-330f-4a03-aae2-65dacc6a8222
+status: experimental
+description: Detects posible command execution by web application/web shell
+tags:
+    - attack.persistence
+    - attack.t1100
+references:
+    - personal experience
+author: Ilyas Ochkov, Beyu Denis, oscd.community
+date: 2019/10/12
+modified: 2019/11/04
+logsource:
+    product: linux
+    service: auditd
+detection:
+    selection:
+        type: 'SYSCALL'
+        SYSCALL: 'execve'
+        key: 'detect_execve_www'
+    condition: selection
+falsepositives:
+    - Admin activity
+    - Crazy web applications
+level: critical
@@ -0,0 +1,32 @@
+title: Data Compressed
+id: a3b5e3e9-1b49-4119-8b8e-0344a01f21ee
+status: experimental
+description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount
+    of data sent over the network
+author: Timur Zinniatullin, oscd.community
+date: 2019/10/21
+modified: 2019/11/04
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1002/T1002.yaml
+logsource:
+    product: linux
+    service: auditd
+detection:
+    selection1:
+        type: 'execve'
+        a0: 'zip'
+    selection2:
+        type: 'execve'
+        a0: 'gzip'
+        a1: '-f'
+    selection3:
+        type: 'execve'
+        a0: 'tar'
+        a1|contains: '-c'
+    condition: 1 of them
+falsepositives:
+    - Legitimate use of archiving tools by legitimate user
+level: low
+tags:
+    - attack.exfiltration
+    - attack.t1002
@@ -0,0 +1,32 @@
+title: Network Sniffing
+id: f4d3748a-65d1-4806-bd23-e25728081d01
+status: experimental
+description: Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary
+    may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
+author: Timur Zinniatullin, oscd.community
+date: 2019/10/21
+modified: 2019/11/04
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.yaml
+logsource:
+    product: linux
+    service: auditd
+detection:
+    selection1:
+        type: 'execve'
+        a0: 'tcpdump'
+        a1: '-c'
+        a3|contains: '-i'
+    selection2:
+        type: 'execve'
+        a0: 'tshark'
+        a1: '-c'
+        a3: '-i'
+    condition: selection1 or selection2
+falsepositives:
+    - Legitimate administrator or user uses network sniffing tool for legitimate reason
+level: low
+tags:
+    - attack.credential_access
+    - attack.discovery
+    - attack.t1040
@@ -1,4 +1,5 @@
 title: Equation Group Indicators
+id: 41e5c73d-9983-4b69-bd03-e13b67e9623c
 description: Detects suspicious shell commands used in various Equation Group scripts and tools
 references:
    - https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1
@@ -7,6 +8,7 @@ tags:
    - attack.g0020
    - attack.t1059
 author: Florian Roth
+date: 2017/04/09
 logsource:
    product: linux
 detection:
@@ -1,5 +1,8 @@
 title: Buffer Overflow Attempts
+id: 18b042f0-2ecd-4b6e-9f8d-aa7a7e7de781
 description: Detects buffer overflow attempts in Unix system log files
+author: Florian Roth
+date: 2017/03/01
 references:
    - https://github.com/ossec/ossec-hids/blob/master/etc/rules/attack_rules.xml
 logsource:
@@ -0,0 +1,23 @@
+title: Remove Immutable File Attribute
+id: a5b977d6-8a81-4475-91b9-49dbfcd941f7
+description: Detects removing immutable file attribute
+status: experimental
+tags:
+    - attack.defense_evasion
+    - attack.t1222
+author: Jakob Weinzettl, oscd.community
+date: 2019/09/23
+logsource:
+    product: linux
+    service: auditd
+detection:
+    selection:
+        type: 'EXECVE'
+        a0|contains: 'chattr'
+        a1|contains: '-i'
+    condition: selection
+falsepositives:
+    - Administrator interacting with immutable files (for instance backups)
+level: medium
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222/T1222.yaml
@@ -1,5 +1,8 @@
 title: Relevant ClamAV Message
+id: 36aa86ca-fd9d-4456-814e-d3b1b8e1e0bb
 description: Detects relevant ClamAV messages
+author: Florian Roth
+date: 2017/03/01
 references:
    - https://github.com/ossec/ossec-hids/blob/master/etc/rules/clam_av_rules.xml
 logsource:
@@ -0,0 +1,25 @@
+title: Overwriting the File with Dev Zero or Null
+id: 37222991-11e9-4b6d-8bdf-60fbe48f753e
+date: 2019/10/23
+description: Detects overwriting (effectively wiping/deleting) the file
+author: Jakob Weinzettl, oscd.community
+tags:
+    - attack.impact
+    - attack.t1485
+logsource:
+    product: linux
+    service: auditd
+detection:
+    selection:
+        type: 'EXECVE'
+        a0|contains: 'dd'   
+        a1|contains:
+            - 'if=/dev/null'    
+            - 'if=/dev/zero'    
+    condition: selection
+falsepositives:
+    - Appending null bytes to files
+    - Legitimate overwrite of files
+level: low
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.yaml
@@ -0,0 +1,24 @@
+title: File or Folder Permissions Change
+description: Detects 
+id: 74c01ace-0152-4094-8ae2-6fd776dd43e5
+status: experimental
+tags:
+    - attack.defense_evasion
+    - attack.t1222
+author: Jakob Weinzettl, oscd.community
+date: 2019/09/23
+logsource:
+    product: linux
+    service: auditd
+detection:
+    selection:
+        type: 'EXECVE'
+        a0|contains:
+            - 'chmod'
+            - 'chown'
+    condition: selection
+falsepositives:
+    - User interracting with files permissions (normal/daily behaviour)
+level: low
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222/T1222.yaml
@@ -0,0 +1,27 @@
+title: Systemd Service Reload or Start
+id: 2625cc59-0634-40d0-821e-cb67382a3dd7
+description: Detects a reload or a start of a service
+status: experimental
+tags:
+    - attack.persistence
+    - attack.t1501
+author: Jakob Weinzettl, oscd.community
+date: 2019/09/23
+logsource:
+    product: linux
+    service: auditd
+detection:
+    selection:
+        type: 'EXECVE'
+        a0|contains: 'systemctl'
+        a1|contains:
+            - 'daemon-reload'
+            - 'start'
+    condition: selection
+falsepositives:
+    - Installation of legitimate service
+    - Legitimate reconfiguration of service
+level: low
+references:
+    - https://attack.mitre.org/techniques/T1501/
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1501/T1501.yaml
@@ -1,6 +1,7 @@
 title: Clear Command History
+id: fdc88d25-96fb-4b7c-9633-c0e417fdbd4e
 status: experimental
-description: Clear command history in linux which is used for defense evasion. 
+description: Clear command history in linux which is used for defense evasion.
 references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1146/T1146.yaml
    - https://attack.mitre.org/techniques/T1146/
@@ -1,4 +1,5 @@
-title: Privilege Escalation Preparation 
+title: Privilege Escalation Preparation
+id: 444ade84-c362-4260-b1f3-e45e20e1a905
 status: experimental
 description: Detects suspicious shell commands indicating the information gathering phase as preparation for the Privilege Escalation.
 references:
@@ -1,4 +1,5 @@
 title: Suspicious Activity in Shell Commands
+id: 2aa1440c-9ae9-4d92-84a7-a9e5f5e31695
 description: Detects suspicious shell commands used in various exploit codes (see references)
 references:
    - http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html
@@ -1,16 +1,16 @@
 title: Suspicious Log Entries
+id: f64b6e9a-5d9d-48a5-8289-e1dd2b3876e1
 description: Detects suspicious log entries in Linux log files
 author: Florian Roth
+date: 2017/03/25
 logsource:
    product: linux
 detection:
    keywords:
-        # Generic suspicious log lines
-        - 'entered promiscuous mode'
-        # OSSEC https://github.com/ossec/ossec-hids/blob/master/etc/rules/syslog_rules.xml
-        - 'Deactivating service'
-        - 'Oversized packet received from'  
-        - 'imuxsock begins to drop messages'      
+        - entered promiscuous mode
+        - Deactivating service
+        - Oversized packet received from
+        - imuxsock begins to drop messages
    condition: keywords
 falsepositives:
    - Unknown
@@ -1,4 +1,5 @@
 title: Suspicious Reverse Shell Command Line
+id: 738d9bcf-6999-4fdb-b4ac-3033037db8ab
 status: experimental
 description: Detects suspicious shell commands or program code that may be exected or used in command line to establish a reverse shell
 references:
@@ -1,5 +1,8 @@
 title: Shellshock Expression
+id: c67e0c98-4d39-46ee-8f6b-437ebf6b950e
 description: Detects shellshock expressions in log files
+date: 2017/03/14
+author: Florian Roth
 references:
    - http://rubular.com/r/zxBfjWfFYs
 logsource:
@@ -1,4 +1,5 @@
 title: SSHD Error Message CVE-2018-15473
+id: 4c9d903d-4939-4094-ade0-3cb748f4d7da
 description: Detects exploitation attempt using public exploit code for CVE-2018-15473
 references:
    - https://github.com/Rhynorater/CVE-2018-15473-Exploit
@@ -1,6 +1,6 @@
---
 action: global
 title: Sudo Privilege Escalation CVE-2019-14287
+id: f74107df-b6c6-4e80-bf00-4170b658162b
 status: experimental
 description: Detects users trying to exploit sudo vulnerability reported in CVE-2019-14287
 references:
@@ -1,18 +1,20 @@
-title: Multiple Failed Logins with Different Accounts from Single Source System
+title: Failed Logins with Different Accounts from Single Source System
+id: fc947f8e-ea81-4b14-9a7b-13f888f94e18
+author: Florian Roth
+date: 2017/02/16
 description: Detects suspicious failed logins with different user accounts from a single source system
 logsource:
    product: linux
    service: auth
 detection:
    selection:
-        pam_message: "authentication failure"
+        pam_message: authentication failure
        pam_user: '*'
        pam_rhost: '*'
-    timeframe: 24h 
+    timeframe: 24h
    condition: selection | count(pam_user) by pam_rhost > 3
 falsepositives:
    - Terminal servers
    - Jump servers
-    - Workstations with frequently changing users 
+    - Workstations with frequently changing users
 level: medium
-
@@ -1,4 +1,5 @@
 title: JexBoss Command Sequence
+id: 8ec2c8b4-557a-4121-b87c-5dfb3a602fae
 description: Detects suspicious command sequence that JexBoss
 references:
    - https://www.us-cert.gov/ncas/analysis-reports/AR18-312A
@@ -1,6 +1,7 @@
 title: Suspicious Named Error
+id: c8e35e96-19ce-4f16-aeb6-fd5588dc5365
 status: experimental
-description: Detects suspicious DNS error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts 
+description: Detects suspicious DNS error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
 references:
    - https://github.com/ossec/ossec-hids/blob/master/etc/rules/named_rules.xml
 author: Florian Roth
@@ -1,5 +1,6 @@
 title: Suspicious SSHD Error
-description: Detects suspicious SSH / SSHD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts 
+id: e76b413a-83d0-4b94-8e4c-85db4a5b8bdc
+description: Detects suspicious SSH / SSHD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
 references:
    - https://github.com/openssh/openssh-portable/blob/master/ssherr.c
    - https://github.com/ossec/ossec-hids/blob/master/etc/rules/sshd_rules.xml
@@ -1,5 +1,6 @@
 title: Suspicious VSFTPD Error Messages
-description: Detects suspicious VSFTPD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts 
+id: 377f33a1-4b36-4ee1-acee-1dbe4b43cfbe
+description: Detects suspicious VSFTPD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
 references:
    - https://github.com/dagwieers/vsftpd/
 author: Florian Roth
@@ -30,4 +31,3 @@ detection:
 falsepositives:
    - Unknown
 level: medium
-
@@ -1,5 +1,8 @@
 title: Multiple Modsecurity Blocks
-description: Detects multiple blocks by the mod_security module (Web Application Firewall) 
+id: a06eea10-d932-4aa6-8ba9-186df72c8d23
+description: Detects multiple blocks by the mod_security module (Web Application Firewall)
+date: 2017/02/28
+author: Florian Roth
 logsource:
    product: linux
    service: modsecurity
@@ -8,10 +11,9 @@ detection:
        - 'mod_security: Access denied'
        - 'ModSecurity: Access denied'
        - 'mod_security-message: Access denied'
-    timeframe: 120m 
+    timeframe: 120m
    condition: selection | count() > 6
 falsepositives:
    - Vulnerability scanners
    - Frequent attacks if system faces Internet
 level: medium
-
@@ -0,0 +1,31 @@
+title: Cisco Clear Logs
+id: ceb407f6-8277-439b-951f-e4210e3ed956
+status: experimental
+description: Clear command history in network OS which is used for defense evasion.
+references:
+    - https://attack.mitre.org/techniques/T1146/
+    - https://attack.mitre.org/techniques/T1070/
+author: Austin Clark
+date: 2019/08/12
+tags:
+    - attack.defense_evasion
+    - attack.t1146
+    - attack.t1070
+logsource:
+    product: cisco
+    service: aaa
+    category: accounting
+fields:
+    - src
+    - CmdSet
+    - User
+    - Privilege_Level
+    - Remote_Address
+detection:
+    keywords:
+        - 'clear logging'
+        - 'clear archive'
+    condition: keywords
+falsepositives:
+    - Legitimate administrators may run these commands.
+level: high
@@ -0,0 +1,39 @@
+title: Cisco Collect Data
+id: cd072b25-a418-4f98-8ebc-5093fb38fe1a
+status: experimental
+description: Collect pertinent data from the configuration files
+references:
+    - https://attack.mitre.org/techniques/T1087/
+    - https://attack.mitre.org/techniques/T1003/
+    - https://attack.mitre.org/techniques/T1081/
+    - https://attack.mitre.org/techniques/T1005/
+author: Austin Clark
+date: 2019/08/11
+tags:
+    - attack.discovery
+    - attack.credential_access
+    - attack.collection
+    - attack.t1087
+    - attack.t1003
+    - attack.t1081
+    - attack.t1005
+logsource:
+    product: cisco
+    service: aaa
+    category: accounting
+fields:
+    - src
+    - CmdSet
+    - User
+    - Privilege_Level
+    - Remote_Address
+detection:
+    keywords:
+        - 'show running-config'
+        - 'show startup-config'
+        - 'show archive config'
+        - 'more'
+    condition: keywords
+falsepositives:
+    - Commonly run by administrators.
+level: low
@@ -0,0 +1,33 @@
+title: Cisco Crypto Commands
+id: 1f978c6a-4415-47fb-aca5-736a44d7ca3d
+status: experimental
+description: Show when private keys are being exported from the device, or when new certificates are installed.
+references:
+    - https://attack.mitre.org/techniques/T1145/
+    - https://attack.mitre.org/techniques/T1130/
+author: Austin Clark
+date: 2019/08/12
+tags:
+    - attack.credential_access
+    - attack.defense_evasion
+    - attack.t1130
+    - attack.t1145
+logsource:
+    product: cisco
+    service: aaa
+    category: accounting
+fields:
+    - src
+    - CmdSet
+    - User
+    - Privilege_Level
+    - Remote_Address
+detection:
+    keywords:
+        - 'crypto pki export'
+        - 'crypto pki import'
+        - 'crypto pki trustpoint'
+    condition: keywords
+falsepositives:
+    - Not commonly run by administrators.  Also whitelist your known good certificates.
+level: high
@@ -0,0 +1,29 @@
+title: Cisco Disabling Logging
+id: 9e8f6035-88bf-4a63-96b6-b17c0508257e
+status: experimental
+description: Turn off logging locally or remote
+references:
+    - https://attack.mitre.org/techniques/T1089
+author: Austin Clark
+date: 2019/08/11
+tags:
+    - attack.defense_evasion
+    - attack.t1089
+logsource:
+    product: cisco
+    service: aaa
+    category: accounting
+fields:
+    - src
+    - CmdSet
+    - User
+    - Privilege_Level
+    - Remote_Address
+detection:
+    keywords:
+        - 'no logging'
+        - 'no aaa new-model'
+    condition: keywords
+falsepositives:
+    - Unknown
+level: high
@@ -0,0 +1,46 @@
+title: Cisco Discovery
+id: 9705a6a1-6db6-4a16-a987-15b7151e299b
+status: experimental
+description: Find information about network devices that are not stored in config files.
+references:
+    - https://attack.mitre.org/tactics/TA0007/
+author: Austin Clark
+date: 2019/08/12
+tags:
+    - attack.discovery
+    - attack.t1083
+    - attack.t1201
+    - attack.t1057
+    - attack.t1018
+    - attack.t1082
+    - attack.t1016
+    - attack.t1049
+    - attack.t1033
+    - attack.t1124
+logsource:
+    product: cisco
+    service: aaa
+    category: accounting
+fields:
+    - src
+    - CmdSet
+    - User
+    - Privilege_Level
+    - Remote_Address
+detection:
+    keywords:
+        - 'dir'
+        - 'show processes'
+        - 'show arp'
+        - 'show cdp'
+        - 'show version'
+        - 'show ip route'
+        - 'show ip interface'
+        - 'show ip sockets'
+        - 'show users'
+        - 'show ssh'
+        - 'show clock'
+    condition: keywords
+falsepositives:
+    - Commonly used by administrators for troubleshooting
+level: low
@@ -0,0 +1,28 @@
+title: Cisco Denial of Service
+id: d94a35f0-7a29-45f6-90a0-80df6159967c
+status: experimental
+description: Detect a system being shutdown or put into different boot mode
+references:
+    - https://attack.mitre.org/techniques/T1499/
+    - https://attack.mitre.org/techniques/T1495/
+author: Austin Clark
+date: 2019/08/15
+tags:
+    - attack.impact
+    - attack.t1499
+    - attack.t1495
+logsource:
+    product: cisco
+    service: aaa
+    category: accounting
+fields:
+    - CmdSet
+detection:
+    keywords:
+        - 'shutdown'
+        - 'config-register 0x2100'
+        - 'config-register 0x2142'
+    condition: keywords
+falsepositives:
+    - Legitimate administrators may run these commands, though rarely.
+level: medium
@@ -0,0 +1,31 @@
+title: Cisco Show Commands Input
+id: 71d65515-c436-43c0-841b-236b1f32c21e
+status: experimental
+description: See what files are being deleted from flash file systems
+references:
+    - https://attack.mitre.org/techniques/T1107/
+    - https://attack.mitre.org/techniques/T1488/
+    - https://attack.mitre.org/techniques/T1487/
+author: Austin Clark
+date: 2019/08/12
+tags:
+    - attack.defense_evasion
+    - attack.impact
+    - attack.t1107
+    - attack.t1488
+    - attack.t1487
+logsource:
+    product: cisco
+    service: aaa
+    category: accounting
+fields:
+    - CmdSet
+detection:
+    keywords:
+        - 'erase'
+        - 'delete'
+        - 'format'
+    condition: keywords
+falsepositives:
+    - Will be used sometimes by admins to clean up local flash space.
+level: medium
@@ -0,0 +1,29 @@
+title: Cisco Show Commands Input
+id: b094d9fb-b1ad-4650-9f1a-fb7be9f1d34b
+status: experimental
+description: See what commands are being input into the device by other people, full credentials can be in the history
+references:
+    - https://attack.mitre.org/techniques/T1056/
+    - https://attack.mitre.org/techniques/T1139/
+author: Austin Clark
+date: 2019/08/11
+tags:
+    - attack.collection
+    - attack.credential_access
+    - attack.t1139
+    - attack.t1056
+logsource:
+    product: cisco
+    service: aaa
+    category: accounting
+fields:
+    - CmdSet
+detection:
+    keywords:
+        - 'show history'
+        - 'show history all'
+        - 'show logging'
+    condition: keywords
+falsepositives:
+    - Not commonly run by administrators, especially if remote logging is configured.
+level: medium
@@ -0,0 +1,27 @@
+title: Cisco Local Accounts
+id: 6d844f0f-1c18-41af-8f19-33e7654edfc3
+status: experimental
+description: Find local accounts being created or modified as well as remote authentication configurations
+references:
+    - https://attack.mitre.org/techniques/T1098/
+    - https://attack.mitre.org/techniques/T1136/
+author: Austin Clark
+date: 2019/08/12
+tags:
+    - attack.persistence
+    - attack.t1136
+    - attack.t1098
+logsource:
+    product: cisco
+    service: aaa
+    category: accounting
+fields:
+    - CmdSet
+detection:
+    keywords:
+        - 'username'
+        - 'aaa'
+    condition: keywords
+falsepositives:
+    - When remote authentication is in place, this should not change often.
+level: high
@@ -0,0 +1,38 @@
+title: Cisco Modify Configuration
+id: 671ffc77-50a7-464f-9e3d-9ea2b493b26b
+status: experimental
+description: Modifications to a config that will serve an adversary's impacts or persistence
+references:
+    - https://attack.mitre.org/techniques/T1100/
+    - https://attack.mitre.org/techniques/T1168/
+    - https://attack.mitre.org/techniques/T1493/
+author: Austin Clark
+date: 2019/08/12
+tags:
+    - attack.persistence
+    - attack.privilege_escalation
+    - attack.impact
+    - attack.t1493
+    - attack.t1100
+    - attack.t1168
+    - attack.t1490
+logsource:
+    product: cisco
+    service: aaa
+    category: accounting
+fields:
+    - CmdSet
+detection:
+    keywords:
+        - 'ip http server'
+        - 'ip https server'
+        - 'kron policy-list'
+        - 'kron occurrence'
+        - 'policy-list'
+        - 'access-list'
+        - 'ip access-group'
+        - 'archive maximum'
+    condition: keywords
+falsepositives:
+    - Legitimate administrators may run these commands.
+level: medium
@@ -0,0 +1,39 @@
+title: Cisco Stage Data
+id: 5e51acb2-bcbe-435b-99c6-0e3cd5e2aa59
+status: experimental
+description: Various protocols maybe used to put data on the device for exfil or infil
+references:
+    - https://attack.mitre.org/techniques/T1074/
+    - https://attack.mitre.org/techniques/T1105/
+    - https://attack.mitre.org/techniques/T1498/
+    - https://attack.mitre.org/techniques/T1002/
+author: Austin Clark
+date: 2019/08/12
+tags:
+    - attack.collection
+    - attack.lateral_movement
+    - attack.command_and_control
+    - attack.exfiltration
+    - attack.impact
+    - attack.t1074
+    - attack.t1105
+    - attack.t1492
+    - attack.t1002
+logsource:
+    product: cisco
+    service: aaa
+    category: accounting
+fields:
+    - CmdSet
+detection:
+    keywords:
+        - 'tftp'
+        - 'rcp'
+        - 'puts'
+        - 'copy'
+        - 'configure replace'
+        - 'archive tar'
+    condition: keywords
+falsepositives:
+    - Generally used to copy configs or IOS images.
+level: low
@@ -0,0 +1,27 @@
+title: Cisco Sniffing
+id: b9e1f193-d236-4451-aaae-2f3d2102120d
+status: experimental
+description: Show when a monitor or a span/rspan is setup or modified
+references:
+    - https://attack.mitre.org/techniques/T1040
+author: Austin Clark
+date: 2019/08/11
+tags:
+    - attack.credential_access
+    - attack.discovery
+    - attack.t1040
+logsource:
+    product: cisco
+    service: aaa
+    category: accounting
+fields:
+    - CmdSet
+detection:
+    keywords:
+        - 'monitor capture point'
+        - 'set span'
+        - 'set rspan'
+    condition: keywords
+falsepositives:
+    - Admins may setup new or modify old spans, or use a monitor for troubleshooting.
+level: medium
@@ -1,12 +1,14 @@
 title: Equation Group C2 Communication
+id: 881834a4-6659-4773-821e-1c151789d873
 description: Detects communication to C2 servers mentioned in the operational notes of the ShadowBroker leak of EquationGroup C2 tools
 references:
-    - 'https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation'
-    - 'https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195'
+    - https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation
+    - https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195
 tags:
    - attack.command_and_control
    - attack.g0020
 author: Florian Roth
+date: 2017/04/15
 logsource:
    category: firewall
 detection:
@@ -1,13 +1,15 @@
 title: Possible DNS Tunneling
+id: 1ec4b281-aa65-46a2-bdae-5fd830ed914e
 status: experimental
-description: Normally, DNS logs contain a limited amount of different dns queries for a single domain. This rule detects a high amount of queries for a single domain, which can be an indicator that DNS is used to transfer data. 
+description: Normally, DNS logs contain a limited amount of different dns queries for a single domain. This rule detects a high amount of queries for a single domain,
+    which can be an indicator that DNS is used to transfer data.
 references:
    - https://zeltser.com/c2-dns-tunneling/
    - https://patrick-bareiss.com/detect-c2-traffic-over-dns-using-sigma/
 author: Patrick Bareiss
 date: 2019/04/07
 logsource:
-    product: dns
+    category: dns
 detection:
    selection:
        parent_domain: '*'
@@ -16,4 +18,5 @@ falsepositives:
    - Valid software, which uses dns for transferring data
 level: high
 tags:
-    - attack.t1043
+    - attack.t1048
+    - attack.exfiltration
@@ -0,0 +1,29 @@
+action: global
+title: High DNS Bytes Out
+id: 0f6c1bf5-70a5-4963-aef9-aab1eefb50bd
+description: High DNS queries bytes amount from host per short period of time
+status: experimental
+author: Daniil Yugoslavskiy, oscd.community
+date: 2019/10/24
+tags:
+    - attack.exfiltration
+    - attack.t1048
+falsepositives:
+    - Legitimate high DNS bytes out rate to domain name which should be added to whitelist
+level: medium
+---
+logsource:
+    category: dns
+detection:
+    selection:
+        query: '*'
+    timeframe: 1m
+    condition: selection | sum(question_length) by src_ip > 300000
+---
+logsource:
+    category: firewall
+detection:
+    selection:
+        dst_port: 53
+    timeframe: 1m
+    condition: selection | sum(message_size) by src_ip > 300000
@@ -0,0 +1,29 @@
+action: global
+title: High DNS Requests Rate
+id: b4163085-4001-46a3-a79a-55d8bbbc7a3a
+description: High DNS requests amount from host per short period of time
+status: experimental
+author: Daniil Yugoslavskiy, oscd.community
+date: 2019/10/24
+tags:
+    - attack.exfiltration
+    - attack.t1048
+falsepositives:
+    - Legitimate high DNS requests rate to domain name which should be added to whitelist
+level: medium
+---
+logsource:
+    category: dns
+detection:
+    selection:
+        query: '*'
+    timeframe: 1m
+    condition: selection | count() by src_ip > 1000
+---
+logsource:
+    category: firewall
+detection:
+    selection:    
+        dst_port: 53
+    timeframe: 1m
+    condition: selection | count() by src_ip > 1000
@@ -0,0 +1,19 @@
+title: High NULL Records Requests Rate
+id: 44ae5117-9c44-40cf-9c7c-7edad385ca70
+description: Extremely high rate of NULL record type DNS requests from host per short period of time. Possible result of iodine tool execution
+status: experimental
+author: Daniil Yugoslavskiy, oscd.community
+date: 2019/10/24
+tags:
+    - attack.exfiltration
+    - attack.t1048
+logsource:
+    category: dns
+detection:
+    selection:    
+        record_type: "NULL"
+    timeframe: 1m
+    condition: selection | count() by src_ip > 50
+falsepositives:
+    - Legitimate high DNS NULL requests rate to domain name which should be added to whitelist
+level: medium
@@ -0,0 +1,19 @@
+title: High TXT Records Requests Rate
+id: f0a8cedc-1d22-4453-9c44-8d9f4ebd5d35
+description: Extremely high rate of TXT record type DNS requests from host per short period of time. Possible result of Do-exfiltration tool execution
+status: experimental
+author: Daniil Yugoslavskiy, oscd.community
+date: 2019/10/24
+tags:
+    - attack.exfiltration
+    - attack.t1048
+logsource:
+    category: dns
+detection:
+    selection:
+        record_type: "TXT"
+    timeframe: 1m
+    condition: selection | count() by src_ip > 50
+falsepositives:
+    - Legitimate high DNS TXT requests rate to domain name which should be added to whitelist
+level: medium
@@ -1,4 +1,5 @@
 title: Cobalt Strike DNS Beaconing
+id: 2975af79-28c4-4d2f-a951-9095f229df29
 status: experimental
 description: Detects suspicious DNS queries known from Cobalt Strike beacons
 references:
@@ -1,4 +1,5 @@
-title: Suspicious DNS Query with B64 Encoded String   
+title: Suspicious DNS Query with B64 Encoded String
+id: 4153a907-2451-4e4f-a578-c52bb6881432
 status: experimental
 description: Detects suspicious DNS queries using base64 encoding
 references:
@@ -1,6 +1,7 @@
-title: DNS TXT Answer with possible execution strings    
+title: DNS TXT Answer with Possible Execution Strings
+id: 8ae51330-899c-4641-8125-e39f2e07da72
 status: experimental
-description: Detects strings used in command execution in DNS TXT Answer 
+description: Detects strings used in command execution in DNS TXT Answer
 references:
    - https://twitter.com/stvemillertime/status/1024707932447854592
    - https://github.com/samratashok/nishang/blob/master/Backdoors/DNS_TXT_Pwnage.ps1
@@ -1,6 +1,8 @@
 title: Network Scans
+id: fab0ddf0-b8a9-4d70-91ce-a20547209afb
 description: Detects many failed connection attempts to different ports or hosts
 author: Thomas Patzke
+date: 2017/02/19
 logsource:
    category: firewall
 detection:
@@ -1,4 +1,5 @@
 title: Telegram Bot API Request
+id: c64c5175-5189-431b-a55e-6d9882158251
 status: experimental
 description: Detects suspicious DNS queries to api.telegram.org used by Telegram Bots of any kind
 references:
@@ -0,0 +1,23 @@
+title: Kerberos Network Traffic RC4 Ticket Encryption
+id: 503fe26e-b5f2-4944-a126-eab405cc06e5
+status: experimental
+date: 2020/02/12
+description: Detects kerberos TGS request using RC4 encryption which may be indicative of kerberoasting
+references:
+    - https://adsecurity.org/?p=3458
+tags:
+    - attack.credential_access
+    - attack.t1208
+logsource:
+    product: zeek
+    service: kerberos
+detection:
+    selection:
+        request_type: 'TGS'
+        cipher: 'rc4-hmac'
+    computer_acct:
+        service: '$*'
+    condition: selection and not computer_acct
+falsepositives:
+    - normal enterprise SPN requests activity
+level: medium
@@ -1,20 +1,21 @@
-title: APT40 Dropbox Tool User Agent
-status: experimental
-description: Detects suspicious user agent string of APT40 Dropbox tool
-references:
-    - Internal research from Florian Roth
-author: Thomas Patzke
-logsource:
-    category: proxy
-detection:
-    selection:
-      UserAgent: 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36'
-      r-dns: 'api.dropbox.com'
-    condition: selection
-fields:
-    - c-ip
-    - cs-uri
-falsepositives:
-    - Old browsers
-level: high
-
+title: APT40 Dropbox Tool User Agent
+id: 5ba715b6-71b7-44fd-8245-f66893e81b3d
+status: experimental
+description: Detects suspicious user agent string of APT40 Dropbox tool
+references:
+    - Internal research from Florian Roth
+author: Thomas Patzke
+date: 2019/11/12
+logsource:
+    category: proxy
+detection:
+    selection:
+      c-useragent: 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36'
+      r-dns: 'api.dropbox.com'
+    condition: selection
+fields:
+    - c-ip
+    - c-uri
+falsepositives:
+    - Old browsers
+level: high
@@ -1,4 +1,5 @@
 title: Chafer Malware URL Pattern
+id: fb502828-2db0-438e-93e6-801c7548686d
 status: experimental
 description: Detects HTTP requests used by Chafer malware
 references:
@@ -9,12 +10,12 @@ logsource:
    category: proxy
 detection:
    selection:
-        c-uri-query: '*/asp.asp?ui=*'
+        c-uri: '*/asp.asp?ui=*'
    condition: selection
 fields:
    - ClientIP
-    - URL
-    - UserAgent
+    - c-uri
+    - c-useragent
 falsepositives:
    - Unknown
 level: critical
@@ -1,27 +1,29 @@
-title: CobaltStrike Malleable Amazon browsing traffic profile
-status: experimental
-description: Detects Malleable Amazon Profile 
-references:
-    - https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/amazon.profile
-    - https://www.hybrid-analysis.com/sample/ee5eca8648e45e2fea9dac0d920ef1a1792d8690c41ee7f20343de1927cc88b9?environmentId=100
-author: Markus Neis
-tags:
-    - attack.t1102
-logsource:
-    category: proxy
-detection:
-    selection1:
-      UserAgent: "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
-      HttpMethod: 'GET'
-      URL: '/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books'
-      Host: 'www.amazon.com'
-      Cookie: '*=csm-hit=s-24KU11BB82RZSYGJ3BDK|1419899012996'
-    selection2:
-      UserAgent: "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
-      HttpMethod: 'POST'
-      URL: '/N4215/adj/amzn.us.sr.aps'
-      Host: 'www.amazon.com'
-    condition: selection1 or selection2
-falsepositives:
-    - Unknown
-level: high
+title: CobaltStrike Malleable Amazon Browsing Traffic Profile
+id: 953b895e-5cc9-454b-b183-7f3db555452e
+status: experimental
+description: Detects Malleable Amazon Profile
+references:
+  - https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/amazon.profile
+  - https://www.hybrid-analysis.com/sample/ee5eca8648e45e2fea9dac0d920ef1a1792d8690c41ee7f20343de1927cc88b9?environmentId=100
+author: Markus Neis
+date: 2019/11/12
+tags:
+  - attack.t1102
+logsource:
+  category: proxy
+detection:
+  selection1:
+    c-useragent: "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
+    cs-method: 'GET'
+    c-uri: '/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books'
+    cs-host: 'www.amazon.com'
+    cs-cookie: '*=csm-hit=s-24KU11BB82RZSYGJ3BDK|1419899012996'
+  selection2:
+    c-useragent: "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
+    cs-method: 'POST'
+    c-uri: '/N4215/adj/amzn.us.sr.aps'
+    cs-host: 'www.amazon.com'
+  condition: selection1 or selection2
+falsepositives:
+  - Unknown
+level: high
@@ -1,19 +1,21 @@
-title: CobaltStrike Malleable (OCSP) Profile
-status: experimental
-description: Detects Malleable (OCSP) Profile with Typo (OSCP) in URL
-references:
-    - https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/ocsp.profile
-author: Markus Neis
-tags:
-    - attack.t1102
-logsource:
-    category: proxy
-detection:
-    selection:
-      URL: '*/oscp/*'
-      Host: 'ocsp.verisign.com'
-     
-    condition: selection 
-falsepositives:
-    - Unknown
-level: high
+title: CobaltStrike Malleable (OCSP) Profile
+id: 37325383-740a-403d-b1a2-b2b4ab7992e7
+status: experimental
+description: Detects Malleable (OCSP) Profile with Typo (OSCP) in URL
+references:
+    - https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/ocsp.profile
+author: Markus Neis
+date: 2019/11/12
+tags:
+    - attack.t1102
+logsource:
+    category: proxy
+detection:
+    selection:
+      c-uri: '*/oscp/*'
+      cs-host: 'ocsp.verisign.com'
+
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
@@ -1,21 +1,23 @@
-title: CobaltStrike Malleable OneDrive browsing traffic profile
-status: experimental
-description: Detects Malleable OneDrive Profile 
-references:
-    - https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/onedrive_getonly.profile    
-author: Markus Neis
-tags:
-    - attack.t1102
-logsource:
-    category: proxy
-detection:
-    selection:
-      HttpMethod: 'GET'
-      URL: '*?manifest=wac'
-      Host: 'onedrive.live.com'
-    filter:
-      URL: 'http*://onedrive.live.com/*'     
-    condition: selection and not filter
-falsepositives:
-    - Unknown
-level: high
+title: CobaltStrike Malleable OneDrive Browsing Traffic Profile
+id: c9b33401-cc6a-4cf6-83bb-57ddcb2407fc
+status: experimental
+description: Detects Malleable OneDrive Profile
+references:
+    - https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/onedrive_getonly.profile
+author: Markus Neis
+date: 2019/11/12
+tags:
+    - attack.t1102
+logsource:
+    category: proxy
+detection:
+    selection:
+      cs-method: 'GET'
+      c-uri: '*?manifest=wac'
+      cs-host: 'onedrive.live.com'
+    filter:
+      c-uri: 'http*://onedrive.live.com/*'
+    condition: selection and not filter
+falsepositives:
+    - Unknown
+level: high
--- a/Show More
+++ b/Show More