security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity

[FR] Generate investigation guides (#4358)

Browse Source
This commit is contained in:
Mika Ayenson
2025-01-22 11:17:38 -06:00
committed by GitHub
parent d55d5d9695
commit fe8c81d762
941 changed files with 29301 additions and 1912 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/threat_intel/threat_intel_indicator_match_address.toml
+3 -3
View File
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2023/05/22"
maturity = "production"
updated_date = "2024/06/10"
updated_date = "2025/01/15"
[transform]
[[transform.osquery]]
@@ -41,7 +41,7 @@ interval = "1h"
language = "kuery"
license = "Elastic License v2"
name = "Threat Intel IP Address Indicator Match"
note = """## Triage and Analysis
note = """## Triage and analysis
### Investigating Threat Intel IP Address Indicator Match
@@ -113,7 +113,7 @@ or a [custom integration](https://www.elastic.co/guide/en/security/current/es-th
More information can be found [here](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html).
"""
severity = "critical"
tags = ["OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Threat Match"]
tags = ["OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Threat Match", "Resources: Investigation Guide"]
threat_index = ["filebeat-*", "logs-ti_*"]
threat_indicator_path = "threat.indicator"
threat_language = "kuery"
rules/threat_intel/threat_intel_indicator_match_hash.toml
+3 -3
View File
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2023/05/22"
maturity = "production"
updated_date = "2024/06/10"
updated_date = "2025/01/15"
[transform]
[[transform.osquery]]
@@ -41,7 +41,7 @@ interval = "1h"
language = "kuery"
license = "Elastic License v2"
name = "Threat Intel Hash Indicator Match"
note = """## Triage and Analysis
note = """## Triage and analysis
### Investigating Threat Intel Hash Indicator Match
@@ -112,7 +112,7 @@ or a [custom integration](https://www.elastic.co/guide/en/security/current/es-th
More information can be found [here](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html).
"""
severity = "critical"
tags = ["OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Threat Match"]
tags = ["OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Threat Match", "Resources: Investigation Guide"]
threat_index = ["filebeat-*", "logs-ti_*"]
threat_indicator_path = "threat.indicator"
threat_language = "kuery"
rules/threat_intel/threat_intel_indicator_match_registry.toml
+3 -3
View File
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2023/05/22"
maturity = "production"
updated_date = "2024/06/10"
updated_date = "2025/01/15"
[transform]
[[transform.osquery]]
@@ -41,7 +41,7 @@ interval = "1h"
language = "kuery"
license = "Elastic License v2"
name = "Threat Intel Windows Registry Indicator Match"
note = """## Triage and Analysis
note = """## Triage and analysis
### Investigating Threat Intel Windows Registry Indicator Match
@@ -107,7 +107,7 @@ or a [custom integration](https://www.elastic.co/guide/en/security/current/es-th
More information can be found [here](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html).
"""
severity = "critical"
tags = ["OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Threat Match"]
tags = ["OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Threat Match", "Resources: Investigation Guide"]
threat_index = ["filebeat-*", "logs-ti_*"]
threat_indicator_path = "threat.indicator"
threat_language = "kuery"
rules/threat_intel/threat_intel_indicator_match_url.toml
+3 -3
View File
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2023/05/22"
maturity = "production"
updated_date = "2024/06/10"
updated_date = "2025/01/15"
[transform]
[[transform.osquery]]
@@ -41,7 +41,7 @@ interval = "1h"
language = "kuery"
license = "Elastic License v2"
name = "Threat Intel URL Indicator Match"
note = """## Triage and Analysis
note = """## Triage and analysis
### Investigating Threat Intel URL Indicator Match
@@ -116,7 +116,7 @@ or a [custom integration](https://www.elastic.co/guide/en/security/current/es-th
More information can be found [here](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html).
"""
severity = "critical"
tags = ["OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Threat Match"]
tags = ["OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Threat Match", "Resources: Investigation Guide"]
threat_index = ["filebeat-*", "logs-ti_*"]
threat_indicator_path = "threat.indicator"
threat_language = "kuery"
rules/threat_intel/threat_intel_rapid7_threat_command.toml
+2 -2
View File
@@ -4,7 +4,7 @@ integration = ["ti_rapid7_threat_command"]
maturity = "production"
min_stack_comments = "Breaking change at 8.13.0 for Rapid7 Threat Command Integration"
min_stack_version = "8.13.0"
updated_date = "2024/08/06"
updated_date = "2025/01/10"
[rule]
author = ["Elastic"]
@@ -19,7 +19,7 @@ language = "kuery"
license = "Elastic License v2"
max_signals = 10000
name = "Rapid7 Threat Command CVEs Correlation"
note = """## Triage and Analysis
note = """## Triage and analysis
### Investigating Rapid7 Threat Command CVEs Correlation