security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix Minstack version for windows integration - Pahse 2 (#4216)

Browse Source
This commit is contained in:
shashank-elastic
2024-10-28 20:25:02 +05:30
committed by GitHub
parent 92fe46b8ff
commit 123e090e7d
52 changed files with 156 additions and 58 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml
+3 -1
View File
@@ -2,7 +2,9 @@
creation_date = "2020/11/03"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/10/28"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
[rule]
author = ["Elastic"]
rules/cross-platform/impact_hosts_file_modified.toml
+3 -1
View File
@@ -2,7 +2,9 @@
creation_date = "2020/07/07"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/10/28"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
[rule]
author = ["Elastic"]
rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml
+3 -1
View File
@@ -2,7 +2,9 @@
creation_date = "2023/09/19"
integration = ["problemchild", "endpoint", "windows"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/10/28"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
[rule]
anomaly_threshold = 75
rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml
+3 -1
View File
@@ -2,7 +2,9 @@
creation_date = "2023/10/16"
integration = ["problemchild", "endpoint", "windows"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/10/28"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
[rule]
anomaly_threshold = 75
rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml
+3 -1
View File
@@ -2,7 +2,9 @@
creation_date = "2023/10/16"
integration = ["problemchild", "endpoint", "windows"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/10/28"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
[rule]
anomaly_threshold = 75
rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml
+3 -1
View File
@@ -2,7 +2,9 @@
creation_date = "2023/10/16"
integration = ["problemchild", "endpoint", "windows"]
maturity = "production"
updated_date = "2024/08/21"
updated_date = "2024/10/28"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
[rule]
author = ["Elastic"]
rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml
+3 -1
View File
@@ -2,7 +2,9 @@
creation_date = "2023/10/16"
integration = ["problemchild", "endpoint", "windows"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/10/28"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
[rule]
anomaly_threshold = 75
rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml
+3 -1
View File
@@ -2,7 +2,9 @@
creation_date = "2023/10/16"
integration = ["problemchild", "endpoint", "windows"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/10/28"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
[rule]
anomaly_threshold = 75
rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml
+3 -1
View File
@@ -2,7 +2,9 @@
creation_date = "2023/10/16"
integration = ["problemchild", "endpoint", "windows"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/10/28"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
[rule]
anomaly_threshold = 75
rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml
+3 -1
View File
@@ -2,7 +2,9 @@
creation_date = "2020/09/22"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2024/06/18"
updated_date = "2024/10/28"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
[rule]
anomaly_threshold = 50
rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml
+3 -1
View File
@@ -2,7 +2,9 @@
creation_date = "2020/09/22"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2024/06/18"
updated_date = "2024/10/28"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
[rule]
anomaly_threshold = 75
rules/ml/execution_ml_windows_anomalous_script.toml
+3 -1
View File
@@ -2,7 +2,9 @@
creation_date = "2020/03/25"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2024/06/18"
updated_date = "2024/10/28"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
[rule]
anomaly_threshold = 50
rules/ml/initial_access_ml_windows_anomalous_user_name.toml
+3 -1
View File
@@ -2,7 +2,9 @@
creation_date = "2020/03/25"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2024/06/18"
updated_date = "2024/10/28"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
[rule]
anomaly_threshold = 50
rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml
+3 -1
View File
@@ -2,7 +2,9 @@
creation_date = "2020/03/25"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2024/06/18"
updated_date = "2024/10/28"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
[rule]
anomaly_threshold = 50
rules/ml/ml_windows_anomalous_network_activity.toml
+3 -1
View File
@@ -2,7 +2,9 @@
creation_date = "2020/03/25"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2024/06/18"
updated_date = "2024/10/28"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
[rule]
anomaly_threshold = 50
rules/ml/persistence_ml_rare_process_by_host_windows.toml
+3 -1
View File
@@ -2,7 +2,9 @@
creation_date = "2020/03/25"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2024/06/18"
updated_date = "2024/10/28"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
[transform]
[[transform.osquery]]
rules/ml/persistence_ml_windows_anomalous_path_activity.toml
+3 -1
View File
@@ -2,7 +2,9 @@
creation_date = "2020/03/25"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2024/06/18"
updated_date = "2024/10/28"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
[rule]
anomaly_threshold = 50
rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml
+3 -1
View File
@@ -2,7 +2,9 @@
creation_date = "2020/03/25"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2024/06/18"
updated_date = "2024/10/28"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
[transform]
[[transform.osquery]]
rules/ml/persistence_ml_windows_anomalous_service.toml
+3 -1
View File
@@ -2,7 +2,9 @@
creation_date = "2020/03/25"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2024/06/18"
updated_date = "2024/10/28"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
[rule]
anomaly_threshold = 50
rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml
+3 -1
View File
@@ -2,7 +2,9 @@
creation_date = "2020/03/25"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2024/06/18"
updated_date = "2024/10/28"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
[rule]
anomaly_threshold = 50
rules_building_block/collection_files_staged_in_recycle_bin_root.toml
+3 -1
View File
@@ -2,7 +2,9 @@
creation_date = "2023/08/24"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2024/09/23"
updated_date = "2024/10/28"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
[rule]
author = ["Elastic"]
rules_building_block/collection_outlook_email_archive.toml
+3 -1
View File
@@ -2,7 +2,9 @@
creation_date = "2023/08/21"
integration = ["endpoint", "windows", "system"]
maturity = "production"
updated_date = "2024/09/23"
updated_date = "2024/10/28"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
[rule]
author = ["Elastic"]
rules_building_block/collection_posh_compression.toml
+3 -3
View File
@@ -3,9 +3,9 @@ bypass_bbr_timing = true
creation_date = "2023/07/06"
integration = ["windows"]
maturity = "production"
min_stack_comments = "KQL handles backslash and ? characters differently in 8.12+."
min_stack_version = "8.12.0"
updated_date = "2024/07/17"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
min_stack_version = "8.14.0"
updated_date = "2024/10/28"
[rule]
rules_building_block/command_and_control_bitsadmin_activity.toml
+3 -1
View File
@@ -2,7 +2,9 @@
creation_date = "2023/08/21"
integration = ["endpoint", "windows", "system"]
maturity = "production"
updated_date = "2024/09/23"
updated_date = "2024/10/28"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
[rule]
author = ["Elastic"]
rules_building_block/command_and_control_certutil_network_connection.toml
+3 -1
View File
@@ -2,8 +2,10 @@
creation_date = "2020/03/19"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2024/09/01"
updated_date = "2024/10/28"
bypass_bbr_timing = true
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
[transform]
[[transform.osquery]]
rules_building_block/credential_access_win_private_key_access.toml
+3 -1
View File
@@ -2,7 +2,9 @@
creation_date = "2023/08/21"
integration = ["endpoint", "windows", "system"]
maturity = "production"
updated_date = "2024/09/23"
updated_date = "2024/10/28"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
[rule]
author = ["Elastic"]
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml
+3 -1
View File
@@ -2,7 +2,9 @@
creation_date = "2023/08/23"
integration = ["endpoint", "windows", "system"]
maturity = "production"
updated_date = "2024/09/23"
updated_date = "2024/10/28"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
[rule]
author = ["Elastic"]
rules_building_block/defense_evasion_cmstp_execution.toml
+3 -1
View File
@@ -2,7 +2,9 @@
creation_date = "2023/08/24"
integration = ["endpoint", "windows", "system"]
maturity = "production"
updated_date = "2024/09/23"
updated_date = "2024/10/28"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
[rule]
author = ["Elastic"]
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml
+3 -1
View File
@@ -2,7 +2,9 @@
creation_date = "2023/08/24"
integration = ["endpoint", "windows", "system"]
maturity = "production"
updated_date = "2024/09/23"
updated_date = "2024/10/28"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
[rule]
author = ["Elastic"]
rules_building_block/defense_evasion_installutil_command_activity.toml
+3 -1
View File
@@ -2,7 +2,9 @@
creation_date = "2023/08/24"
integration = ["endpoint", "windows", "system"]
maturity = "production"
updated_date = "2024/09/23"
updated_date = "2024/10/28"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
[rule]
author = ["Elastic"]
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml
+3 -1
View File
@@ -2,7 +2,9 @@
creation_date = "2023/09/26"
integration = ["endpoint", "windows", "system"]
maturity = "production"
updated_date = "2024/09/23"
updated_date = "2024/10/28"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
[rule]
author = ["Elastic"]
rules_building_block/defense_evasion_posh_defender_tampering.toml
+3 -1
View File
@@ -3,7 +3,9 @@ bypass_bbr_timing = true
creation_date = "2024/09/11"
integration = ["windows"]
maturity = "production"
updated_date = "2024/09/11"
updated_date = "2024/10/28"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
[rule]
rules_building_block/defense_evasion_powershell_clear_logs_script.toml
+3 -3
View File
@@ -2,9 +2,9 @@
creation_date = "2023/07/06"
integration = ["windows"]
maturity = "production"
min_stack_comments = "KQL handles backslash and ? characters differently in 8.12+."
min_stack_version = "8.12.0"
updated_date = "2024/07/17"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
min_stack_version = "8.14.0"
updated_date = "2024/10/28"
[rule]
author = ["Elastic"]
rules_building_block/defense_evasion_service_path_registry.toml
+3 -1
View File
@@ -2,7 +2,9 @@
creation_date = "2023/08/29"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2024/09/23"
updated_date = "2024/10/28"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
[rule]
author = ["Elastic"]
rules_building_block/defense_evasion_services_exe_path.toml
+3 -1
View File
@@ -2,7 +2,9 @@
creation_date = "2023/08/29"
integration = ["endpoint", "windows", "system"]
maturity = "production"
updated_date = "2024/09/23"
updated_date = "2024/10/28"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
[rule]
author = ["Elastic"]
rules_building_block/defense_evasion_suspicious_msiexec_execution.toml
+3 -1
View File
@@ -2,7 +2,9 @@
creation_date = "2023/09/26"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2024/09/23"
updated_date = "2024/10/28"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
[rule]
author = ["Elastic"]
rules_building_block/defense_evasion_unusual_process_path_wbem.toml
+3 -1
View File
@@ -2,7 +2,9 @@
creation_date = "2023/08/23"
integration = ["endpoint", "windows", "system"]
maturity = "production"
updated_date = "2024/09/23"
updated_date = "2024/10/28"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
[rule]
author = ["Elastic"]
rules_building_block/defense_evasion_write_dac_access.toml
+3 -1
View File
@@ -2,7 +2,9 @@
creation_date = "2023/08/15"
integration = ["system", "windows"]
maturity = "production"
updated_date = "2024/08/07"
updated_date = "2024/10/28"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
[rule]
author = ["Elastic"]
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml
+3 -1
View File
@@ -3,7 +3,9 @@ bypass_bbr_timing = true
creation_date = "2022/11/01"
integration = ["endpoint", "windows", "system"]
maturity = "production"
updated_date = "2024/09/23"
updated_date = "2024/10/28"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
[rule]
author = ["Elastic"]
rules_building_block/discovery_generic_process_discovery.toml
+3 -1
View File
@@ -3,7 +3,9 @@ bypass_bbr_timing = true
creation_date = "2023/07/13"
integration = ["endpoint", "windows", "system"]
maturity = "production"
updated_date = "2024/09/23"
updated_date = "2024/10/28"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
[rule]
author = ["Elastic"]
rules_building_block/discovery_net_share_discovery_winlog.toml
+3 -1
View File
@@ -2,7 +2,9 @@
creation_date = "2023/07/14"
integration = ["windows", "system"]
maturity = "production"
updated_date = "2024/08/07"
updated_date = "2024/10/28"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
[rule]
author = ["Elastic"]
rules_building_block/discovery_net_view.toml
+3 -1
View File
@@ -3,7 +3,9 @@ bypass_bbr_timing = true
creation_date = "2020/12/04"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2024/09/23"
updated_date = "2024/10/28"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
[rule]
author = ["Elastic"]
rules_building_block/discovery_posh_generic.toml
+3 -3
View File
@@ -2,9 +2,9 @@
creation_date = "2023/07/06"
integration = ["windows"]
maturity = "production"
min_stack_comments = "KQL handles backslash and ? characters differently in 8.12+."
min_stack_version = "8.12.0"
updated_date = "2024/04/05"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
min_stack_version = "8.14.0"
updated_date = "2024/10/28"
[rule]
rules_building_block/discovery_posh_password_policy.toml
+3 -1
View File
@@ -2,7 +2,9 @@
creation_date = "2023/07/12"
integration = ["windows"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/10/28"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
[rule]
author = ["Elastic"]
rules_building_block/discovery_security_software_wmic.toml
+3 -1
View File
@@ -3,7 +3,9 @@ bypass_bbr_timing = true
creation_date = "2020/10/19"
integration = ["endpoint", "windows", "system"]
maturity = "production"
updated_date = "2024/09/23"
updated_date = "2024/10/28"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
[rule]
author = ["Elastic"]
rules_building_block/discovery_system_service_discovery.toml
+3 -1
View File
@@ -3,7 +3,9 @@ bypass_bbr_timing = true
creation_date = "2023/01/24"
integration = ["windows", "endpoint", "system"]
maturity = "production"
updated_date = "2024/09/23"
updated_date = "2024/10/28"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
[rule]
author = ["Elastic"]
rules_building_block/discovery_windows_system_information_discovery.toml
+3 -1
View File
@@ -3,7 +3,9 @@ bypass_bbr_timing = true
creation_date = "2023/07/06"
integration = ["windows", "endpoint", "system"]
maturity = "production"
updated_date = "2024/09/23"
updated_date = "2024/10/28"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
[rule]
author = ["Elastic"]
rules_building_block/execution_settingcontent_ms_file_creation.toml
+3 -1
View File
@@ -3,7 +3,9 @@ bypass_bbr_timing = true
creation_date = "2023/08/24"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2024/09/23"
updated_date = "2024/10/28"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
[rule]
author = ["Elastic"]
rules_building_block/execution_wmi_wbemtest.toml
+3 -1
View File
@@ -2,7 +2,9 @@
creation_date = "2023/08/24"
integration = ["endpoint", "windows", "system"]
maturity = "production"
updated_date = "2024/09/23"
updated_date = "2024/10/28"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
[rule]
author = ["Elastic"]
rules_building_block/lateral_movement_at.toml
+3 -1
View File
@@ -2,7 +2,9 @@
creation_date = "2023/08/21"
integration = ["endpoint", "windows", "system"]
maturity = "production"
updated_date = "2024/09/23"
updated_date = "2024/10/28"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
[rule]
author = ["Elastic"]
rules_building_block/lateral_movement_wmic_remote.toml
+3 -1
View File
@@ -2,7 +2,9 @@
creation_date = "2023/08/24"
integration = ["endpoint", "windows", "system"]
maturity = "production"
updated_date = "2024/09/23"
updated_date = "2024/10/28"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
[rule]
author = ["Elastic"]
rules_building_block/persistence_transport_agent_exchange.toml
+3 -1
View File
@@ -2,7 +2,9 @@
creation_date = "2023/07/14"
integration = ["windows"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/10/28"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
[rule]
author = ["Elastic"]