security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[Rule Tuning] Add Supplemental Mitre Mappings (#5876)

Browse Source 
---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: eric-forte-elastic <eric.forte@elastic.co>
This commit is contained in:
Mika Ayenson, PhD
2026-04-01 09:12:42 -05:00
committed by GitHub
parent 116f48ccda
commit 8993d1450b
1131 changed files with 20130 additions and 4101 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/integrations/github/execution_github_app_deleted.toml
+19 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2023/10/11"
integration = ["github"]
maturity = "production"
updated_date = "2025/03/20"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -67,14 +67,31 @@ configuration where event.dataset == "github.audit" and github.category == "inte
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1648"
name = "Serverless Execution"
reference = "https://attack.mitre.org/techniques/T1648/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"
[[rule.threat.technique.subtechnique]]
id = "T1562.001"
name = "Disable or Modify Tools"
reference = "https://attack.mitre.org/techniques/T1562/001/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml
+19 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2023/10/11"
integration = ["github"]
maturity = "production"
updated_date = "2025/03/20"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -72,17 +72,34 @@ github.repository_public:false
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1648"
name = "Serverless Execution"
reference = "https://attack.mitre.org/techniques/T1648/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1213"
name = "Data from Information Repositories"
reference = "https://attack.mitre.org/techniques/T1213/"
[[rule.threat.technique.subtechnique]]
id = "T1213.003"
name = "Code Repositories"
reference = "https://attack.mitre.org/techniques/T1213/003/"
[rule.threat.tactic]
id = "TA0009"
name = "Collection"
reference = "https://attack.mitre.org/tactics/TA0009/"
[rule.threshold]
field = ["github.hashed_token"]
value = 1
rules/integrations/github/execution_new_github_app_installed.toml
+27 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2023/08/29"
integration = ["github"]
maturity = "production"
updated_date = "2025/03/20"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -72,14 +72,39 @@ configuration where event.dataset == "github.audit" and event.action == "integra
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1072"
name = "Software Deployment Tools"
reference = "https://attack.mitre.org/techniques/T1072/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1199"
name = "Trusted Relationship"
reference = "https://attack.mitre.org/techniques/T1199/"
[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
rules/integrations/github/exfiltration_high_number_of_cloning_by_user.toml
+19 -1
View File
@@ -2,7 +2,7 @@
creation_date = "2025/12/16"
integration = ["github"]
maturity = "production"
updated_date = "2026/01/12"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -109,3 +109,21 @@ reference = "https://attack.mitre.org/techniques/T1567/001/"
id = "TA0010"
name = "Exfiltration"
reference = "https://attack.mitre.org/tactics/TA0010/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1213"
name = "Data from Information Repositories"
reference = "https://attack.mitre.org/techniques/T1213/"
[[rule.threat.technique.subtechnique]]
id = "T1213.003"
name = "Code Repositories"
reference = "https://attack.mitre.org/techniques/T1213/003/"
[rule.threat.tactic]
id = "TA0009"
name = "Collection"
reference = "https://attack.mitre.org/tactics/TA0009/"
rules/integrations/github/impact_github_repository_activity_from_unusual_ip.toml
+28 -1
View File
@@ -2,7 +2,7 @@
creation_date = "2025/12/16"
integration = ["github"]
maturity = "production"
updated_date = "2025/12/16"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -50,6 +50,16 @@ reference = "https://attack.mitre.org/tactics/TA0040/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"
[[rule.threat.technique.subtechnique]]
id = "T1078.004"
name = "Cloud Accounts"
reference = "https://attack.mitre.org/techniques/T1078/004/"
[[rule.threat.technique]]
id = "T1195"
name = "Supply Chain Compromise"
@@ -78,6 +88,23 @@ id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1213"
name = "Data from Information Repositories"
reference = "https://attack.mitre.org/techniques/T1213/"
[[rule.threat.technique.subtechnique]]
id = "T1213.003"
name = "Code Repositories"
reference = "https://attack.mitre.org/techniques/T1213/003/"
[rule.threat.tactic]
id = "TA0009"
name = "Collection"
reference = "https://attack.mitre.org/tactics/TA0009/"
[rule.new_terms]
field = "new_terms_fields"
value = ["source.ip", "github.repo"]
rules/integrations/github/impact_high_number_of_closed_pull_requests_by_user.toml
+11 -1
View File
@@ -2,7 +2,7 @@
creation_date = "2025/12/16"
integration = ["github"]
maturity = "production"
updated_date = "2026/01/12"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -98,6 +98,16 @@ id = "T1485"
name = "Data Destruction"
reference = "https://attack.mitre.org/techniques/T1485/"
[[rule.threat.technique]]
id = "T1565"
name = "Data Manipulation"
reference = "https://attack.mitre.org/techniques/T1565/"
[[rule.threat.technique.subtechnique]]
id = "T1565.001"
name = "Stored Data Manipulation"
reference = "https://attack.mitre.org/techniques/T1565/001/"
[rule.threat.tactic]
id = "TA0040"
name = "Impact"
rules/integrations/github/impact_high_number_of_failed_protected_branch_force_pushes_by_user.toml
+11 -1
View File
@@ -2,7 +2,7 @@
creation_date = "2025/12/16"
integration = ["github"]
maturity = "production"
updated_date = "2026/01/12"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -99,6 +99,16 @@ id = "T1485"
name = "Data Destruction"
reference = "https://attack.mitre.org/techniques/T1485/"
[[rule.threat.technique]]
id = "T1565"
name = "Data Manipulation"
reference = "https://attack.mitre.org/techniques/T1565/"
[[rule.threat.technique.subtechnique]]
id = "T1565.001"
name = "Stored Data Manipulation"
reference = "https://attack.mitre.org/techniques/T1565/001/"
[rule.threat.tactic]
id = "TA0040"
name = "Impact"
rules/integrations/github/impact_high_number_of_protected_branch_force_pushes_by_user.toml
+11 -1
View File
@@ -4,7 +4,7 @@ integration = ["github"]
maturity = "production"
min_stack_comments = "mv_contains ES|QL function only available post 9.2 in tech preview"
min_stack_version = "9.2.0"
updated_date = "2026/01/27"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -103,6 +103,16 @@ id = "T1485"
name = "Data Destruction"
reference = "https://attack.mitre.org/techniques/T1485/"
[[rule.threat.technique]]
id = "T1565"
name = "Data Manipulation"
reference = "https://attack.mitre.org/techniques/T1565/"
[[rule.threat.technique.subtechnique]]
id = "T1565.001"
name = "Stored Data Manipulation"
reference = "https://attack.mitre.org/techniques/T1565/001/"
[rule.threat.tactic]
id = "TA0040"
name = "Impact"
rules/integrations/github/initial_access_github_actions_bot_first_push_to_repo.toml
+21 -1
View File
@@ -2,7 +2,7 @@
creation_date = "2025/12/09"
integration = ["github"]
maturity = "production"
updated_date = "2025/12/09"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -84,10 +84,12 @@ event.dataset: "github.audit" and
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1195"
name = "Supply Chain Compromise"
reference = "https://attack.mitre.org/techniques/T1195/"
[[rule.threat.technique.subtechnique]]
id = "T1195.002"
name = "Compromise Software Supply Chain"
@@ -100,6 +102,7 @@ reference = "https://attack.mitre.org/tactics/TA0001/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
@@ -110,6 +113,23 @@ id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1565"
name = "Data Manipulation"
reference = "https://attack.mitre.org/techniques/T1565/"
[[rule.threat.technique.subtechnique]]
id = "T1565.001"
name = "Stored Data Manipulation"
reference = "https://attack.mitre.org/techniques/T1565/001/"
[rule.threat.tactic]
id = "TA0040"
name = "Impact"
reference = "https://attack.mitre.org/tactics/TA0040/"
[rule.new_terms]
field = "new_terms_fields"
value = ["github.org_id", "github.repo"]
rules/integrations/github/initial_access_github_actions_workflow_injection_blocked.toml
+11 -4
View File
@@ -2,7 +2,7 @@
creation_date = "2025/12/05"
integration = ["github"]
maturity = "production"
updated_date = "2025/12/05"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -84,23 +84,30 @@ from logs-github.audit-* metadata _id, _index, _version
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1195"
name = "Supply Chain Compromise"
reference = "https://attack.mitre.org/techniques/T1195/"
[[rule.threat.technique.subtechnique]]
id = "T1195.001"
name = "Compromise Software Dependencies and Development Tools"
reference = "https://attack.mitre.org/techniques/T1195/001/"
[[rule.threat.technique.subtechnique]]
id = "T1195.002"
name = "Compromise Software Supply Chain"
reference = "https://attack.mitre.org/techniques/T1195/002/"
[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
@@ -113,12 +120,12 @@ reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1546"
name = "Event Triggered Execution"
reference = "https://attack.mitre.org/techniques/T1546/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
rules/integrations/github/initial_access_github_register_self_hosted_runner.toml
+8 -5
View File
@@ -2,7 +2,7 @@
creation_date = "2025/11/28"
integration = ["github"]
maturity = "production"
updated_date = "2025/12/09"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -73,23 +73,26 @@ event.dataset:"github.audit" and
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1195"
name = "Supply Chain Compromise"
reference = "https://attack.mitre.org/techniques/T1195/"
[[rule.threat.technique.subtechnique]]
id = "T1195.001"
name = "Compromise Software Dependencies and Development Tools"
reference = "https://attack.mitre.org/techniques/T1195/001/"
[[rule.threat.technique.subtechnique]]
id = "T1195.002"
name = "Compromise Software Supply Chain"
reference = "https://attack.mitre.org/techniques/T1195/002/"
[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
[rule.new_terms]
field = "new_terms_fields"
value = ["user.name", "github.actor_ip"]
rules/integrations/github/persistence_github_org_owner_added.toml
+30 -3
View File
@@ -2,7 +2,7 @@
creation_date = "2023/09/11"
integration = ["github"]
maturity = "production"
updated_date = "2025/03/20"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -72,19 +72,46 @@ iam where event.dataset == "github.audit" and event.action == "org.add_member" a
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"
[[rule.threat.technique.subtechnique]]
id = "T1098.003"
name = "Additional Cloud Roles"
reference = "https://attack.mitre.org/techniques/T1098/003/"
[[rule.threat.technique]]
id = "T1136"
name = "Create Account"
reference = "https://attack.mitre.org/techniques/T1136/"
[[rule.threat.technique.subtechnique]]
id = "T1136.003"
name = "Cloud Account"
reference = "https://attack.mitre.org/techniques/T1136/003/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"
[[rule.threat.technique.subtechnique]]
id = "T1098.003"
name = "Additional Cloud Roles"
reference = "https://attack.mitre.org/techniques/T1098/003/"
[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
rules/integrations/github/persistence_new_pat_created.toml
+11 -1
View File
@@ -2,7 +2,7 @@
creation_date = "2023/12/16"
integration = ["github"]
maturity = "production"
updated_date = "2026/01/12"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -72,6 +72,16 @@ github.category == "personal_access_token" and event.action == "personal_access_
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"
[[rule.threat.technique.subtechnique]]
id = "T1098.001"
name = "Additional Cloud Credentials"
reference = "https://attack.mitre.org/techniques/T1098/001/"
[[rule.threat.technique]]
id = "T1136"
name = "Create Account"
rules/integrations/github/persistence_organization_owner_role_granted.toml
+20 -3
View File
@@ -2,7 +2,7 @@
creation_date = "2023/09/11"
integration = ["github"]
maturity = "production"
updated_date = "2025/03/20"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -70,19 +70,36 @@ iam where event.dataset == "github.audit" and event.action == "org.update_member
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"
[[rule.threat.technique.subtechnique]]
id = "T1098.003"
name = "Additional Cloud Roles"
reference = "https://attack.mitre.org/techniques/T1098/003/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"
[[rule.threat.technique.subtechnique]]
id = "T1098.003"
name = "Additional Cloud Roles"
reference = "https://attack.mitre.org/techniques/T1098/003/"
[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"