[Rule Tuning] Rule description tweaks (#1388)

(cherry picked from commit b736d6e748)
Justin Ibarra
2021-07-29 10:56:13 -08:00
committed by github-actions[bot]
parent 06849a82d8
commit 05d01bbfe0
16 changed files with 18 additions and 18 deletions
@@ -10,7 +10,7 @@ description = """
This rule detects network events that may indicate the use of SSH traffic from the Internet. SSH is commonly used by
system administrators to remotely control a system using the command line shell. If it is exposed to the Internet, it
should be done with strong security controls as it is frequently targeted and exploited by threat actors as an initial
access or back-door vector.
access or backdoor vector.
"""
false_positives = [
"""
@@ -10,7 +10,7 @@ description = """
This rule detects network events that may indicate the use of SSH traffic from the Internet. SSH is commonly used by
system administrators to remotely control a system using the command line shell. If it is exposed to the Internet, it
should be done with strong security controls as it is frequently targeted and exploited by threat actors as an initial
access or back-door vector.
access or backdoor vector.
"""
false_positives = [
"""
@@ -10,7 +10,7 @@ description = """
This rule detects network events that may indicate the use of RDP traffic to the Internet. RDP is commonly used by
system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be
directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or
back-door vector.
backdoor vector.
"""
false_positives = [
"""
@@ -7,7 +7,7 @@ updated_date = "2021/07/13"
author = ["Elastic"]
description = """
A POST request to web application returned a 403 response, which indicates the web application declined to process the
request because the action requested was not allowed
request because the action requested was not allowed.
"""
false_positives = [
"""
@@ -7,7 +7,7 @@ updated_date = "2021/07/13"
author = ["Elastic"]
description = """
A request to web application returned a 405 response which indicates the web application declined to process the request
because the HTTP method is not allowed for the resource
because the HTTP method is not allowed for the resource.
"""
false_positives = [
"""
@@ -7,7 +7,7 @@ updated_date = "2021/05/17"
author = ["Elastic", "Austin Songer"]
description = """
Identifies accounts with a high number of single sign-on (SSO) logon errors. Excessive logon errors may indicate an
attempt to brute force a password or single sign-on token.
attempt to brute force a password or SSO token.
"""
false_positives = [
"""
@@ -9,7 +9,7 @@ description = """
This rule detects the use of the default Cobalt Strike Team Server TLS certificate. Cobalt Strike is software for
Adversary Simulations and Red Team Operations which are security assessments that replicate the tactics and techniques
of an advanced adversary in a network. Modifications to the Packetbeat configuration can be made to include MD5 and
SHA256 hashing algorithms (the default is SHA1) - see the Reference section for additional information on module
SHA256 hashing algorithms (the default is SHA1) - see the References section for additional information on module
configuration.
"""
from = "now-9m"
@@ -7,9 +7,9 @@ updated_date = "2021/05/26"
author = ["Elastic"]
description = """
This rule detects when an internal network client sends DNS traffic directly to the Internet. This is atypical behavior
for a managed network, and can be indicative of malware, exfiltration, command and control, or, simply,
for a managed network, and can be indicative of malware, exfiltration, command and control, or simply,
misconfiguration. This DNS activity also impacts your organization's ability to provide enterprise monitoring and
logging of DNS, and opens your network to a variety of abuses and malicious communications.
logging of DNS and opens your network to a variety of abuses and malicious communications.
"""
false_positives = [
"""
@@ -9,7 +9,7 @@ description = """
This rule detects network events that may indicate the use of RDP traffic from the Internet. RDP is commonly used by
system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be
directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or
back-door vector.
backdoor vector.
"""
false_positives = [
"""
@@ -7,9 +7,9 @@ updated_date = "2021/03/03"
author = ["Elastic"]
description = """
This rule detects network events that may indicate the use of Telnet traffic. Telnet is commonly used by system
administrators to remotely control older or embed ed systems using the command line shell. It should almost never be
administrators to remotely control older or embedded systems using the command line shell. It should almost never be
directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or
back-door vector. As a plain-text protocol, it may also expose usernames and passwords to anyone capable of observing
backdoor vector. As a plain-text protocol, it may also expose usernames and passwords to anyone capable of observing
the traffic.
"""
false_positives = [
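Review bot: The "embedded" typo fix is correct. Unlike the SSH, RDP and VNC descriptions in this commit, the first line here says only "the use of Telnet traffic" with no direction; if the rule's query is scoped to traffic from the Internet like its siblings, say so in the first sentence so that the description matches what the rule actually alerts on. Also, "command line shell" on the second line reads better as "command-line shell".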
@@ -9,7 +9,7 @@ description = """
This rule detects network events that may indicate the use of VNC traffic from the Internet. VNC is commonly used by
system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be
directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or
back-door vector.
backdoor vector.
"""
false_positives = [
"""
@@ -9,7 +9,7 @@ description = """
This rule detects network events that may indicate the use of VNC traffic to the Internet. VNC is commonly used by
system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be
directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or
back-door vector.
backdoor vector.
"""
false_positives = [
"""
@@ -9,7 +9,7 @@ description = """
This rule detects network events that may indicate the use of RPC traffic from the Internet. RPC is commonly used by
system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be
directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or
back-door vector.
backdoor vector.
"""
from = "now-9m"
index = ["auditbeat-*", "filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
@@ -9,7 +9,7 @@ description = """
This rule detects network events that may indicate the use of RPC traffic to the Internet. RPC is commonly used by
system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be
directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or
back-door vector.
backdoor vector.
"""
from = "now-9m"
index = ["auditbeat-*", "filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
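Review bot: The second sentence of this hunk, and of the preceding RPC-from-the-Internet hunk, is the same boilerplate used for the RDP and VNC rules: "commonly used by system administrators to remotely control a system for maintenance or to use shared resources". That sentence describes a remote-desktop protocol; for RPC a protocol-specific sentence (that RPC carries procedure calls between hosts and underpins many Windows management and service interfaces) would give analysts a better basis for triaging the alert.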
@@ -9,7 +9,7 @@ description = """
This rule detects network events that may indicate the use of Windows file sharing (also called SMB or CIFS) traffic to
the Internet. SMB is commonly used within networks to share files, printers, and other system resources amongst trusted
systems. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by
threat actors as an initial access or back-door vector or for data exfiltration.
threat actors as an initial access or backdoor vector or for data exfiltration.
"""
from = "now-9m"
index = ["auditbeat-*", "filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
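Review bot: Awkward double "or" on the hunk's fourth line: "as an initial access or backdoor vector or for data exfiltration" needs a comma to separate the two alternatives, i.e. "as an initial access or backdoor vector, or for data exfiltration". Minor: "amongst" on the second line is acceptable, but "among" is the plainer form.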
@@ -7,7 +7,7 @@ updated_date = "2021/07/19"
author = ["Elastic"]
description = """
Identifies an executable created by a Microsoft Office application and subsequently executed. These processes are often
launched via scripts inside documents or during exploitation of MS Office applications.
launched via scripts inside documents or during exploitation of Microsoft Office applications.
"""
from = "now-120m"
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]