security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[Rule Tuning] Ensure host information is in endpoint rule queries (#2593)

Browse Source 
* add unit tests to ensure host type and platform are included
* add host.os.name 'linux' to all linux rules
* add host.os.name macos to mac rules
* add host.os.name to windows rules; fix linux dates
* update from host.os.name to host.os.type

Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
This commit is contained in:
Justin Ibarra
2023-03-05 09:41:19 -09:00
committed by GitHub
parent a71620a99b
commit 59da2da474
450 changed files with 1038 additions and 998 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/linux/credential_access_potential_linux_ssh_bruteforce.toml
+2 -2
View File
@@ -4,7 +4,7 @@ integration = ["system"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/02/01"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -54,7 +54,7 @@ tags = ["Elastic", "Host", "Linux", "Threat Detection", "Credential Access"]
type = "eql"
query = '''
sequence by host.id, source.ip, user.name with maxspan=10s
[authentication where event.action in ("ssh_login", "user_login") and
[authentication where host.os.type == "linux" and event.action in ("ssh_login", "user_login") and
event.outcome == "failure" and source.ip != null and source.ip != "0.0.0.0" and source.ip != "::" ] with runs=10
'''