sigma-rules

Author	SHA1	Message	Date
Jonhnathan	d95919b7e3	[Rule Tuning] Windows Setup Guides - Low and Medium Severity Rules (#6042 ) * checkpoint * ++ * Update credential_access_dcsync_user_backdoor.toml * Update defense_evasion_posh_high_entropy.toml * Update credential_access_iis_apppoolsa_pwd_appcmd.toml	2026-05-04 11:17:05 -03:00
Mika Ayenson, PhD	8993d1450b	[Rule Tuning] Add Supplemental Mitre Mappings (#5876 ) --------- Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co> Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Co-authored-by: eric-forte-elastic <eric.forte@elastic.co>	2026-04-01 09:12:42 -05:00
shashank-elastic	e8c54169a4	Prep main for 9.1 (#4555 ) * Prep for Release 9.1 * Update Patch Version * Update Patch version * Update Patch version	2025-03-26 11:04:14 -04:00
Mika Ayenson	fe8c81d762	[FR] Generate investigation guides (#4358 )	2025-01-22 11:17:38 -06:00
Jonhnathan	2c07e88c07	[Rule Tuning] Fix double bumps caused by Windows Integration Update (#4156 )	2024-10-15 23:57:44 +05:30
shashank-elastic	63e91c2f12	Back-porting Version Trimming (#3704 )	2024-05-23 00:45:10 +05:30
Mika Ayenson	2c3dbfc039	Revert "Back-porting Version Trimming (#3681 )" This reverts commit `71d2c59b5c`.	2024-05-22 13:51:46 -05:00
shashank-elastic	71d2c59b5c	Back-porting Version Trimming (#3681 )	2024-05-23 00:11:50 +05:30
Jonhnathan	5004ff115c	[Rule Tuning] Further Tight up Elastic Defend Index Patterns (#3584 ) Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>	2024-04-16 13:26:42 -03:00
Jonhnathan	f5254f3b5e	[Rule Tuning] Improve Compatibility in WIndows Detection Rules - Part 1 (#3501 ) * Initial commit * Date bump	2024-03-13 10:27:44 -03:00
Jonhnathan	f584fb6e31	[Security Content] Adjust Mitre Att&ck Mappings - Windows Rules (#3165 ) * [Security Content] Adjust Mitre Att&ck Mappings - Windows Rules * Fix dates * Fix unit test errors * updated tags and fixed branch conflicts updated tags and fixed branch conflicts * description nit * Reverting unintended changes * Update initial_access_suspicious_ms_office_child_process.toml --------- Co-authored-by: imays11 <59296946+imays11@users.noreply.github.com>	2023-10-15 18:12:20 -03:00
Jonhnathan	4233fef238	[Security Content] Include "Data Source: Elastic Defend" tag (#3002 ) * win folder * Other folders * Update test_all_rules.py * . * updated missing elastic defend tags --------- Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>	2023-09-05 14:22:01 -04:00
Jonhnathan	b4c84e8a40	[Security Content] Tags Reform (#2725 ) * Update Tags * Bump updated date separately to be easy to revert if needed * Update resource_development_ml_linux_anomalous_compiler_activity.toml * Apply changes from the discussion * Update persistence_init_d_file_creation.toml * Update defense_evasion_timestomp_sysmon.toml * Update defense_evasion_application_removed_from_blocklist_in_google_workspace.toml * Update missing Tactic tags * Update unit tests to match new tags * Add missing IG tags * Delete okta_threat_detected_by_okta_threatinsight.toml * Update command_and_control_google_drive_malicious_file_download.toml * Update persistence_rc_script_creation.toml * Mass bump * Update persistence_shell_activity_by_web_server.toml * . --------- Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co> Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>	2023-06-22 18:38:56 -03:00
Jonhnathan	0273d118a6	[Rule Tuning] Add endgame support for Windows Rules (#2428 ) * Update impact_deleting_backup_catalogs_with_wbadmin.toml * Update impact_deleting_backup_catalogs_with_wbadmin.toml * 1/2 * bump updated_date * 2/3 * Finale * Update persistence_evasion_registry_ifeo_injection.toml * . * Multiple fixes * Missing index * Missing AND	2023-03-06 12:47:11 -03:00
Justin Ibarra	59da2da474	[Rule Tuning] Ensure host information is in endpoint rule queries (#2593 ) * add unit tests to ensure host type and platform are included * add host.os.name 'linux' to all linux rules * add host.os.name macos to mac rules * add host.os.name to windows rules; fix linux dates * update from host.os.name to host.os.type Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com> Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>	2023-03-05 11:41:19 -07:00
shashank-elastic	f8e97da549	Rule Tuning Update MITRE Details (#2526 ) Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>	2023-02-10 23:05:28 +05:30
Terrance DeJesus	4312d8c958	[FR] Add Endpoint, APM and Windows Integration Tags to Rules and Supportability (#2429 ) * initial commit * addressing flake errors * added apm to _get_packagted_integrations logic * addressed flake errors * adjusted integration schema and updated rules to be a list * updated several rules and removed a unit test * updated rules with logs-* only index patterns * Update tests/test_all_rules.py Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * addressed flake errors * integration is none is windows, endpoint or apm * adding rules with accepted incoming changes from main * fixed tag and tactic alignment errors from unit testing * adjusted unit testing logic for integration tags; added more exclusion rules * adjusted test_integration logic to be rule resistent and skip if -8.3 * adjusted comments for unit test skip * fixed merge conflicts from main * changing test_integration_tag to remove logic for rule version comparisons * added integration tag to new rule * adjusted rules updated_date value * ignore guided onboarding rule in unit tests * added integration tag to new rule Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>	2023-01-04 09:30:07 -05:00
Jonhnathan	d52c0d2257	[Rule Tuning] Remove "process_started" from Windows Rules (#2238 ) * [Rule Tuning] Remove "process_started" from Windows Rules * Additional, pending ones * Update defense_evasion_code_injection_conhost.toml Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>	2022-09-19 13:06:30 -05:00
Justin Ibarra	46d5e37b76	min_stack all rules to 8.3 (#2259 ) * min_stack all rules to 8.3 * bump date Co-authored-by: Mika Ayenson <mika.ayenson@elastic.co>	2022-08-24 10:38:49 -06:00
Samirbous	50bb821708	[Rules Tuning] Add support for Sysmon ImageLoad Events (#2215 ) * [Rules Tuning] Add support for Sysmon ImageLoad Events added correct event.category and event.action to rules using library events to support sysmon eventid 7. `event.category == "library"` --> `(event.category == "process" and event.action : "Image loaded")` `dll.name` --> `file.name` added Suspicious RDP ActiveX Client Loaded * Delete workspace.xml	2022-08-02 18:40:26 +02:00
Justin Ibarra	0b65678d8c	[Rule tuning] Correct tags with associated threat mappings (#1003 )	2021-03-08 14:12:29 -09:00
Justin Ibarra	3fc34b86f2	Update License to Elastic v2 (#944 )	2021-03-03 22:12:11 -09:00
Justin Ibarra	645a0cd67b	[Rule Tuning] Add timestamp_override to all query and non-sequence EQL rules (#945 ) * [Rule Tuning] Add timestamp_override field to rules * add tests for lookback and timestamp_override * fix dates and add test to ensure updated > creation	2021-02-17 19:49:58 -09:00
Brent Murphy	ffe8e5bfc5	[Rule Tuning] Update file.name to dll.name for Library events (#893 ) * [Rule Tuning] Update file.name to dll.name for Library events * replace == with : * updated_date * removed spacing inconsistencies * jibs likes spaces * NOT again jibs	2021-02-03 11:09:29 -05:00
Justin Ibarra	a0e86e20d6	[Rule Tuning] Add windows integration index to rules (#923 )	2021-01-28 20:53:57 -09:00
Justin Ibarra	c1a0438f45	[Rule Tuning] Update ATT&CK threat mappings to reflect changes (#706 ) * replaced/removed all revoked/deprecated techniques * tests will fail on revoked (changed) techniques * tests will fail on deprecated techniques * tests will fail when techniques are mapped to an invalid tactic	2020-12-18 12:46:16 -09:00

26 Commits