58 Commits

Author SHA1 Message Date
Jan Calanog 7feaf0f1c0 Add security product to docset.yml (#5654)
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
2026-02-03 17:40:05 -06:00
Jonhnathan 1119c3f137 [Docs] Fix Docs Unit Test (#5496)
* Update docset.yml

* Rename README.md to readme.md

* Update pyproject.toml
2025-12-18 05:56:09 -08:00
Jonhnathan a2bf7f088d [Security Content] Windows Setup Guides - WinEventLog & Sysmon (#5162)
* [Security Content] Windows Setup Guides

* Move it to the right folder

* Fix link

* test

* ++

* ++

* ++

* ++

* ++

* ++

* ++

* ++

* Fix links

* ++

* ++

* Update pyproject.toml

* Update docs/audit_policies/windows/sysmon_eventid1_process_creation.md

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Update docs/audit_policies/windows/audit_powershell_scriptblock.md

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Update pyproject.toml

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
2025-11-14 09:22:31 -08:00
Mika Ayenson, PhD 8bb5e2493b Update docset.yml (#4590)
Remove diagnostic hint
2025-04-03 13:46:01 -05:00
Martijn Laarman 3bbe24d154 Create new detection rule set documentation to be included in the new docs. (#4508)
* move docs folder to docs-dev

* Add new docs folder

* update docset.yml to reflect latest usage

* Add rules_building_block folder

* revert changes to docs-dev/experimental-machine-learning/url-spoof.md

* bump patch versions

* revert bump

---------

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2025-03-24 17:23:06 +01:00
Sergey Polzunov 3bdda091e1 chore: use docs-dev instead of docs dir for docs (#4522)
* chore: use `docs-dev` instead of `docs` folder

* patch version bump

* Rollback an incorrect rename

* Use exact docs dir in the helper comment

* Revert some overeager renamings

* Moving `docs` to `docs-dev`

* Update Docs Paths

---------

Co-authored-by: eric-forte-elastic <eric.forte@elastic.co>
2025-03-07 14:34:51 +01:00
traut 6eed757b66 Revert "Moving docs to docs-dev"
This reverts commit 75abb8d0b5.
2025-03-06 16:29:37 +01:00
traut 75abb8d0b5 Moving docs to docs-dev 2025-03-06 16:27:26 +01:00
github-actions[bot] 9b8b917598 Update ATT&CK coverage URL(s) in docs/ATT&CK-coverage.md (#4398) 2025-01-21 17:32:14 +05:30
github-actions[bot] 2edc062b53 Update ATT&CK coverage URL(s) in docs/ATT&CK-coverage.md (#4344) 2025-01-07 22:13:30 +05:30
shashank-elastic 3fa3349216 Update versioning support for 8.17 (#4296) 2024-12-10 23:43:04 +05:30
github-actions[bot] ee10be70b9 Update ATT&CK coverage URL(s) in docs/ATT&CK-coverage.md (#4265) 2024-11-08 20:27:04 +05:30
shashank-elastic d2502c7394 Prep for Release 8.17 (#4256) 2024-11-07 23:53:04 +05:30
Mika Ayenson c615df680f [FR] Update the release versioning process and workflow (#4257) 2024-11-07 11:31:54 -06:00
Mika Ayenson d9154c698a [Testing] Update release-drafter.yml (#4255) 2024-11-06 16:21:05 -06:00
Mika Ayenson 63732436b4 [FR] Update release-drafter.yml (#4252) 2024-11-06 09:02:55 -06:00
Mika Ayenson 77f42f1168 [FR] Add Versioning Processes to DR (#4223) 2024-11-06 08:14:50 -06:00
github-actions[bot] fab842b414 Update ATT&CK coverage URL(s) in docs/ATT&CK-coverage.md (#4091)
* Update ATT&CK coverage URL(s) in docs/ATT&CK-coverage.md

* Update docs/ATT&CK-coverage.md

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2024-09-19 23:25:32 +05:30
Eric Forte 47d7a3acaa [DaC] Beta Release (#3889)
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
Co-authored-by: Mika Ayenson <mika.ayenson@elastic.co>
2024-08-06 18:07:12 -04:00
shashank-elastic f3b0dc1954 Prep for next release 8.16 (#3919) 2024-07-24 11:19:56 -04:00
eric-forte-elastic baee89de9b Revert "Prep for next release 8.16 (#3914)"
This reverts commit 4245a815d2.
2024-07-23 14:06:04 -04:00
shashank-elastic 4245a815d2 Prep for next release 8.16 (#3914)
* Prep for Release 8.16

* Add subscription

* Remove double subscription

* Formatting

* Formatting

* Revert Beaconing rules minstack and lock version
2024-07-23 13:04:03 -04:00
Mika Ayenson 03c99d22d3 Revert "Prep for Release 8.16 (#3913)"
This reverts commit 01135085f6.
2024-07-23 09:50:04 -05:00
shashank-elastic 01135085f6 Prep for Release 8.16 (#3913) 2024-07-23 09:42:26 -05:00
shashank-elastic 63e91c2f12 Back-porting Version Trimming (#3704) 2024-05-23 00:45:10 +05:30
Mika Ayenson 2c3dbfc039 Revert "Back-porting Version Trimming (#3681)"
This reverts commit 71d2c59b5c.
2024-05-22 13:51:46 -05:00
shashank-elastic 71d2c59b5c Back-porting Version Trimming (#3681) 2024-05-23 00:11:50 +05:30
Mika Ayenson 79f575b33c [FR] Normalize yml ext to yaml (#3675) 2024-05-15 15:18:39 -05:00
Justin Ibarra c567d3731a Refresh Kibana module with API updates (#3466)
* Refresh Kibana module with API updates
* add import/export commands
* rename repo commands
* add RawRuleCollection and DictRule objects
* save exported rules to files; rule.from_rule_resource
* strip unknown fields in schema
* add remote cli test
* update docs
* bump kibana lib version

---------

Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
2024-04-26 11:12:50 -06:00
Jonhnathan aeb1f91320 [Security Content] Introduce Investigate Plugin in Investigation Guides (#3080)
* [Security Content] Introduce Investigate Plugin in Investigation Guides
* Add compatibility note
* Update Transform format
* update transform unit tests for investigate
* updated docs with transform

---------

Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
2023-12-08 11:54:40 -07:00
Apoorva Joshi 29cf37eeec Adding deprecation notes to experimental ML docs (#2393)
* Adding deprecation notes to host and user risk score documentation

* Adding deprecation notes to experimental ML packages
2022-11-09 09:42:34 -08:00
Janeen Mikell-Straughn 13c63ceaef Fixing doc bugs reported by QA. (#2065)
Co-authored-by: Craig Chamberlain <randomuserid@users.noreply.github.com>
2022-06-30 15:59:48 -04:00
Craig Chamberlain 1bb2273c0c user risk score docs (#2055)
* user risk score

initial create of user risk score docs

* add paragraph

adding another paragraph for explainability as suggested by pm

* Update docs/experimental-machine-learning/readme.md

Co-authored-by: Apoorva Joshi <30438249+ajosh0504@users.noreply.github.com>

* Update user-risk-score.md

fixes and suggestions

* Update user-risk-score.md

rm int script reference

* Update docs/experimental-machine-learning/user-risk-score.md

Co-authored-by: Apoorva Joshi <30438249+ajosh0504@users.noreply.github.com>

* Update user-risk-score.md

* Update user-risk-score.md

* Update user-risk-score.md

Co-authored-by: Apoorva Joshi <30438249+ajosh0504@users.noreply.github.com>
2022-06-28 11:52:38 -04:00
Mika Ayenson 6219fc06b9 Move etc under detection_rules (#1885)
* Move etc directory under detection_rules
* Prepend original `etc` path with `detection_rules`
* Update docstrings in util and CODEOWNERS
* Add resiliency to tags to account for the old directory structure
* Bug fix: remove unused param caused by commit 6ed1a39efe

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2022-05-02 10:11:21 -04:00
Apoorva Joshi b6737aa2c3 Updating beaconing docs (#1815)
* Updating beaconing docs

* Update beaconing.md

* Update beaconing.md
2022-03-04 11:34:40 -08:00
Justin Ibarra bb105a3c43 Replace * in navigator filenames (#1813) 2022-03-04 08:45:55 -09:00
Justin Ibarra 254b4eb23f Generate ATT&CK navigator layer files and links (#1787)
* Generate attack layer files and build with package
* add update-navigator-gists command
* add workflow to update navigator gists on pushes to main
* Add coverage readme
* fix keys for links
* update navigator layer names
* purge gist files prior to update; add badge
* Update how the navigator links are displayed
* moved navigator code to dedicated and refactored to dataclasses
* convert gist links to permalink versions
* alphabetize; catch 404 for gist update
2022-03-04 08:20:44 -09:00
Apoorva Joshi 0122e1e65f Updating Host Risk Score docs (#1716)
* Updating host risk score docs

* Small update

* Add host risk documentation for Kibana 8.1 features

* Update host-risk-score.md

* Rearranging some stuff

* Improve host risk SS

* Adding stack version info where applicable

* Update host-risk-score.md

* Update host-risk-score.md

* Update host-risk-score.md

* Update host-risk-score.md

* Update host-risk-score.md

Add host by risk table note

* Update host-risk-score.md

Co-authored-by: Pablo Neves Machado <pablo.nevesmachado@elastic.co>
2022-02-28 15:19:31 -08:00
Apoorva Joshi 0bdb6dec2f Changing naming terminology (#1671) 2021-12-16 16:19:38 -03:00
Ece Özalp 0935a853fb Updates Host Risk Score documentation (#1643)
* update host-risk-score.md
* Update docs/experimental-machine-learning/host-risk-score.md

Co-authored-by: Janeen Mikell-Straughn <57149392+jmikell821@users.noreply.github.com>
Co-authored-by: Ryland Herrick <ryalnd@gmail.com>
Co-authored-by: Ece Ozalp <ece.ozalp@elastic.co>
2021-12-07 15:05:11 -09:00
Apoorva Joshi 237dcd2e19 Adding Beaconing docs (#1621)
* Adding beaconing docs

* Adding a call out about import options

* Adding a note about the AD job

* Adding more clarity on the release bundle

* Update beaconing.md

* Update docs/experimental-machine-learning/beaconing.md

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
2021-12-01 13:44:42 -03:00
Apoorva Joshi d061bf8e7c Updating host risk score and experimental detections docs (#1639)
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
2021-11-30 16:24:37 -03:00
Ece Özalp e29a1ca25c Create host-risk-score.md (#1599)
update the script name to match shipped artifact
2021-11-03 11:05:59 +03:00
Apoorva Joshi 0b57778be6 Updating docs to highlight explainability (#1542)
* Updating docs to highlight explainability

* Update typosquatting_rule.md

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2021-10-26 13:34:19 -07:00
Apoorva Joshi 74fa8ebe48 Updating host risk score docs (#1518)
* Updating host risk score docs

* Update docs/experimental-machine-learning/host-risk-score.md

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Making some changes

* Adding space to :all the things:

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2021-10-07 20:38:24 -07:00
David French 90aa65aed3 Generate detection rule to alert on traffic to typosquatting/homonym domains (#1199)
* create new cli commands

* add kibana object to create_dnstwist_rule

* Adding code for index-dnstwist-results

* Changed es to es_client

* Tested. It works!

* flake8-ed

* Adding timestamps

* use eql.utils.load_dump to load json file

* rename data to dnstwist_data

* start working on create-dnstwist-rule command

* add print statements for user

* tweak formatting for line length

* add template threat match rule file

* continue working on threat match rule creation

* create rule using TomlRuleContents

* save rule to toml file

* Moving rule creation to eswrap.py

* Moving create dnstwist rule stuff to eswrap

* Fixed imports

* flake8 fixes

* More flake8 fixes

* fix usage of @add_client('kibana')

* use ctx.invoke to upload rule

* cleanup record assembly and use bulk api

* swap order of notes in `note` for sample rule

* small modifications

* move command to root click group

* remove unused click group

* Update detection_rules/main.py

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* remove rule upload and convert template to ndjson

* Adding docs for typosquatting rule

* renaming the file

* Adding a note

* separate index and rule prep commands

* Final changes

Co-authored-by: Apoorva <appujo@gmail.com>
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
Co-authored-by: Apoorva Joshi <30438249+ajosh0504@users.noreply.github.com>
2021-09-03 13:35:59 -07:00
Apoorva Joshi 227b67e636 Small update to docs (#1442) 2021-08-25 22:40:39 -08:00
dishadasgupta 7be58b7b09 Adding docs for URL Spoofing (#1400)
* Adding docs for urlspoof

* Fixing typo in readme

* Editing documentation to reflect rule upload process

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2021-08-04 17:13:10 -07:00
Apoorva Joshi 06a9ba6463 Update Host Risk Score docs (#1397) 2021-08-02 20:52:12 -08:00
Apoorva Joshi c283d2a2f3 Adding host risk score docs (#1390)
* Adding host risk score docs
* Highlighting caveats around hostname
* Update host-risk-score.md
* Adding host risk score to the experimental detections readme
2021-08-02 13:43:27 -08:00