security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

2058 add setup field to metadata (#2061)

Browse Source 
* Convert config header to setup in note field
* Parse note field into separate setup and note field with marko gfm
* only validate and parse note on elastic authored rules and add CLI description for new DR_BYPASS_NOTE_VALIDATION_AND_PARSE environment variable

Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>

Removed changes from:
- rules/cross-platform/impact_hosts_file_modified.toml
- rules/integrations/google_workspace/application_added_to_google_workspace_domain.toml
- rules/integrations/google_workspace/domain_added_to_google_workspace_trusted_domains.toml
- rules/integrations/google_workspace/google_workspace_admin_role_deletion.toml
- rules/integrations/google_workspace/google_workspace_mfa_enforcement_disabled.toml
- rules/integrations/google_workspace/google_workspace_policy_modified.toml
- rules/integrations/google_workspace/mfa_disabled_for_google_workspace_organization.toml
- rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml
- rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.toml
- rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml
- rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml
- rules/integrations/kubernetes/execution_user_exec_to_pod.toml
- rules/windows/credential_access_lsass_memdump_file_created.toml
- rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
- rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
- rules/windows/defense_evasion_suspicious_certutil_commands.toml
- rules/windows/execution_command_shell_started_by_svchost.toml

(selectively cherry picked from commit a52751494e)
This commit is contained in:
Mika Ayenson
2022-07-18 15:41:32 -04:00
committed by github-actions[bot]
parent c2bcfc575f
commit 62298d92f4
416 changed files with 944 additions and 804 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/linux/execution_shell_evasion_linux_binary.toml
+1 -1
View File
@@ -62,7 +62,7 @@ Initiate the incident response process based on the outcome of the triage.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
mean time to respond (MTTR).
## Config
## Setup
The session view analysis for the command alerted is avalible in versions 8.2 and above.
"""