security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
3,633 Commits 1 Branch 0 Tags
main
Commit Graph

18 Commits

Author SHA1 Message Date
shashank-elastic 9b292b97ea Prep 8.19/9.1 (#4869) 
* Prep 8.19/9.1 Release

* Download Beats Schema

* Download API Schema

* Download 8.18.3 Beats Schema

* Download Latest Integrations manifest and schema

* Comment old schemas

* Update Patch version
 2025-07-07 11:27:48 -04:00
shashank-elastic 2b3095a13c Update Max signals value to supported limits (#4556) 2025-03-27 09:02:25 +05:30
shashank-elastic 059d7efa25 Prep for Release 9.0 (#4550) 2025-03-20 20:32:07 +05:30
Mika Ayenson c7f5385711 [Rule Tuning] Decrease Interval to 1m for Endpoint Promotions (#4450) 2025-02-07 08:30:35 -06:00
Mika Ayenson fe8c81d762 [FR] Generate investigation guides (#4358) 2025-01-22 11:17:38 -06:00
Terrance DeJesus 9fb2dea7aa [New Rule] Endpoint Security Promotion Rules for Specific Events (#3533) 
* new endpoint security rules for specific alerts

* updated risk scores

* fixed rule names and UUIDs

* changed logic to use message field for detection vs prevention

* reverting changes

* reverting changes

* reverting to old commit

* reverting to old commit

* reverting to old commit

* reverting to old commit

* changed naming to Elastic Defend

* updated rule dates and min-stacks

* linted; adjusted queries

* updated ransomware, memory sig or shellcode risk

* Update rules/integrations/endpoint/elastic_endpoint_security.toml

* updated promotion rule

* fixed typos in naming

* updated setup guides

* added intervals

* added MITRE

* added investigation guide for Memory Threat

* ++

* ++

* Update rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.toml

Co-authored-by: natasha-moore-elastic <137783811+natasha-moore-elastic@users.noreply.github.com>

* Update rules/integrations/endpoint/elastic_endpoint_security_memory_signature_prevented.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/integrations/endpoint/elastic_endpoint_security_memory_signature_detected.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/integrations/endpoint/elastic_endpoint_security_malicious_file_prevented.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/integrations/endpoint/elastic_endpoint_security_memory_signature_detected.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/integrations/endpoint/elastic_endpoint_security_memory_signature_prevented.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/integrations/endpoint/elastic_endpoint_security_ransomware_detected.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/integrations/endpoint/elastic_endpoint_security_ransomware_prevented.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* ++

* ++

* ++

* ++

* Update rules/integrations/endpoint/elastic_endpoint_security.toml

* Update rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.toml

* Update rules/integrations/endpoint/elastic_endpoint_security_behavior_prevented.toml

* Update rules/integrations/endpoint/elastic_endpoint_security_malicious_file_detected.toml

* Update rules/integrations/endpoint/elastic_endpoint_security_memory_signature_prevented.toml

* ++

* ++

* ++

* Update rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/execution_elastic_malicious_file_detected.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/impact_elastic_ransomware_detected.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/elastic_endpoint_security_behavior_prevented.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/execution_elastic_malicious_file_prevented.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/impact_elastic_ransomware_prevented.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/defense_evasion_elastic_memory_threat_prevented.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/defense_evasion_elastic_memory_threat_prevented.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/elastic_endpoint_security_behavior_prevented.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/elastic_endpoint_security_behavior_prevented.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/execution_elastic_malicious_file_detected.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/execution_elastic_malicious_file_detected.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/execution_elastic_malicious_file_prevented.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/execution_elastic_malicious_file_prevented.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/execution_elastic_malicious_file_prevented.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/impact_elastic_ransomware_detected.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/impact_elastic_ransomware_detected.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/impact_elastic_ransomware_detected.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/impact_elastic_ransomware_prevented.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/impact_elastic_ransomware_prevented.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/defense_evasion_elastic_memory_threat_detected.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/impact_elastic_ransomware_prevented.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/defense_evasion_elastic_memory_threat_detected.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/defense_evasion_elastic_memory_threat_detected.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/defense_evasion_elastic_memory_threat_prevented.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update defense_evasion_elastic_memory_threat_prevented.toml

* toml-lint

* Update rules/integrations/endpoint/execution_elastic_malicious_file_detected.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* ++

---------

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
Co-authored-by: Samirbous <Samir.Bousseaden@elastic.co>
Co-authored-by: natasha-moore-elastic <137783811+natasha-moore-elastic@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2024-12-19 13:24:23 -05:00
shashank-elastic 63e91c2f12 Back-porting Version Trimming (#3704) 2024-05-23 00:45:10 +05:30
Mika Ayenson 2c3dbfc039 Revert "Back-porting Version Trimming (#3681)" 
This reverts commit 71d2c59b5c.
 2024-05-22 13:51:46 -05:00
shashank-elastic 71d2c59b5c Back-porting Version Trimming (#3681) 2024-05-23 00:11:50 +05:30
Mika Ayenson f07a9e6fbc [FR] Add max_signal note, unit test, and rule tuning (#3669) 2024-05-14 11:15:12 -05:00
Jonhnathan b4c84e8a40 [Security Content] Tags Reform (#2725) 
* Update Tags

* Bump updated date separately to be easy to revert if needed

* Update resource_development_ml_linux_anomalous_compiler_activity.toml

* Apply changes from the discussion

* Update persistence_init_d_file_creation.toml

* Update defense_evasion_timestomp_sysmon.toml

* Update defense_evasion_application_removed_from_blocklist_in_google_workspace.toml

* Update missing Tactic tags

* Update unit tests to match new tags

* Add missing IG tags

* Delete okta_threat_detected_by_okta_threatinsight.toml

* Update command_and_control_google_drive_malicious_file_download.toml

* Update persistence_rc_script_creation.toml

* Mass bump

* Update persistence_shell_activity_by_web_server.toml

* .

---------

Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2023-06-22 18:38:56 -03:00
Terrance DeJesus 71d12bdda4 [Bug] Unit Tests Passing for Rules with Integrations Not Reflected in Manifests (#2682) 
* add promotion to rulemeta schema class and updated promotion rules

* add promotion to rulemeta schema class and updated promotion rules

* adjusted test_integration_tag and okta rule missing dataset

* fixed flake errors

* updated manifests and schemas to include cloud defend
 2023-04-03 09:42:40 -04:00
Terrance DeJesus 4312d8c958 [FR] Add Endpoint, APM and Windows Integration Tags to Rules and Supportability (#2429) 
* initial commit

* addressing flake errors

* added apm to _get_packagted_integrations logic

* addressed flake errors

* adjusted integration schema and updated rules to be a list

* updated several rules and removed a unit test

* updated rules with logs-* only index patterns

* Update tests/test_all_rules.py

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* addressed flake errors

* integration is none is windows, endpoint or apm

* adding rules with accepted incoming changes from main

* fixed tag and tactic alignment errors from unit testing

* adjusted unit testing logic for integration tags; added more exclusion rules

* adjusted test_integration logic to be rule resistent and skip if -8.3

* adjusted comments for unit test skip

* fixed merge conflicts from main

* changing test_integration_tag to remove logic for rule version comparisons

* added integration tag to new rule

* adjusted rules updated_date value

* ignore guided onboarding rule in unit tests

* added integration tag to new rule

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2023-01-04 09:30:07 -05:00
Justin Ibarra 46d5e37b76 min_stack all rules to 8.3 (#2259) 
* min_stack all rules to 8.3

* bump date

Co-authored-by: Mika Ayenson <mika.ayenson@elastic.co>
 2022-08-24 10:38:49 -06:00
Jonhnathan 4524c175c8 Add missing Integration field (#1537) 
* Add missing Integration field

* Bump updated_date

* Add test for integration<->path

* Fix rule folder

* bump updated date in rule

Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
 2021-10-26 12:05:12 -03:00
Ross Wolf c9d6527280 Revert #1440 new endpoint promotion rule (#1470) 
* Revert #1440 new endpoint promotion rule
* Set the updated_at date
 2021-09-03 08:07:20 -06:00
Ross Wolf 675e870a30 Set min stack to 7.15 for Behavior Protection promotion 2021-08-26 08:53:02 -06:00
Ross Wolf 3b338baab0 [New Rule] Endpoint Security Behavior Protection (#1440) 
* [New Rule] Endpoint Security Behavioral Protection
* Update readme and labeler for endpoint integration
* Fix new rule to use event.code
* Fix old rule to use event.code
* Changed from behavioral to behavior
* Rename elastic_endpoint_security_behavioral.toml to elastic_endpoint_security_behavior_protection.toml
* Back from the future (updated_date)

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2021-08-25 09:56:59 -06:00