Eric Forte
5adc118f92
[Bug] ES|QL Validation Add Reverse Lookup Check Against Kibana Value (#5747)
* Add reverse lookup check against Kibana value
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
2026-02-20 15:29:51 -05:00
Mika Ayenson, PhD
a1c3267529
[FR] Add deprecated file to release for upstream testing (#5749)
2026-02-20 14:16:27 -06:00
Mika Ayenson, PhD
25f3d6a879
[FR] Add copilot instructions to catch the gotchas (#5733)
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2026-02-18 10:37:00 -06:00
Eric Forte
f306404fe5
[Bug] CLI adds frequency field to system actions (.cases), causing import failure (#5690)
* No frequency field to cases
2026-02-11 15:18:20 -05:00
Eric Forte
f74c04d11a
[Bug] ESQL validation keep Clause Reported Missing Metadata Fields (#5717)
* Update Keep Field to Handle Comments
* Update for handling inline comments
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2026-02-11 15:02:23 -05:00
github-actions[bot]
df9c27d82e
Lock versions for releases: 8.19,9.1,9.2,9.3 (#5708)
2026-02-10 11:14:23 +05:30
shashank-elastic
70d7f2b6b1
Monthly Manifest and Schema Updation (#5697)
2026-02-10 09:17:04 +05:30
Ruben Groenewoud
694376bd7a
[Bug] Fix UTF-8 Encoding for Rule File Operations (#5684)
* Updated kubernetes.audit.requestObject.spec.containers.image type of text to Keyword
* [Bug] Fix UTF-8 Encoding for Rule File Operations
2026-02-05 14:21:30 +01:00
Sergey Polzunov
59e394f36b
[doc fix] Adjust wording in the docs for Kibana import/export commands (#5600)
* Wording fix
* Version bump
* Style fixes
* Style fix for tests
2026-02-04 11:17:58 +01:00
Sergey Polzunov
3ce5379ef5
README fixes (#5616)
* Small fixes
* Version bump
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
2026-02-03 16:22:17 -06:00
github-actions[bot]
8b8c0beec7
Lock versions for releases: 8.19,9.1,9.2,9.3 (#5639)
2026-01-28 18:37:52 +05:30
Eric Forte
d252cae4ee
Ignore Keep * for ES|QL hash calc (#5638)
* Ignore Keep * for ES|QL hash calc
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
2026-01-27 23:01:27 -05:00
Eric Forte
070b457659
Test remote_cli update test indices
2026-01-27 20:08:19 +05:30
Eric Forte
7ff19b3497
[Rule Tuning] Accepted Default Telnet Port Connection (#5629)
* Add Additional Data Sources
2026-01-26 20:43:23 -05:00
Samirbous
6d9eef48b0
[New] Multiple Vulnerabilities by Asset via Wiz (#5598)
* [New] Wiz - Multiple Vulnerabilities by Container
* Update multiple_vulnerabilities_wiz_by_container.toml
* Update multiple_vulnerabilities_wiz_by_container.toml
* add wiz manif and schema
* Update multiple_vulnerabilities_wiz_by_container.toml
* Update multiple_vulnerabilities_wiz_by_container.toml
* Update pyproject.toml
* Update multiple_vulnerabilities_wiz_by_container.toml
* ++
* Update external_alerts.toml
* Update multiple_vulnerabilities_wiz_by_container.toml
* Delete detection_rules/etc/integration-manifests.json.gz
* Revert "add wiz manif and schema"
This reverts commit a1e9e7440dcb46ea2abebec834cfc0291e3b60ae.
* Revert "Update pyproject.toml"
This reverts commit 47ab9d2dc8239207126b8512006f353a3fd4affc.
* update manifest and schema for wiz
2026-01-26 17:26:17 +00:00
Ruben Groenewoud
fe4418d7f5
[New Rules] Reintroduction of Defend for Containers (D4C) Ruleset (#5561)
* [New Rules] Reintroduction of Defend for Containers (D4C) Ruleset
* ++
* Removed Reintroduced Rules from Deprecated Folder
* Updated Rule Names
* Added maturity field
* [Update] Large D4C Compatibility Overhaul
* Added busybox
* Remove file that was accidentally added in this PR
* Creation date revert
* ++
* Update pyproject.toml
* ++
* ++
* Update
* Update schemas/manifests
* ++
2026-01-26 16:37:34 +01:00
Mika Ayenson, PhD
bbe83452b4
Revert "[Rule Tuning] Adding D4C Compatibility to Compatible K8s-related Rules (#5578)" (#5620)
This reverts commit c608b673bf.
2026-01-26 08:31:53 -06:00
Ruben Groenewoud
c608b673bf
[Rule Tuning] Adding D4C Compatibility to Compatible K8s-related Rules (#5578)
* [Rule Tuning] Adding D4C Compatibility to Compatible K8s-related Rules
* Update manifests & schemas
* [New/Updated] Migrated `process.command_line` --> `process.args` for Compatibility
* Pyproject.toml Patch
* ++
2026-01-26 13:28:08 +01:00
Sergey Polzunov
5b092d7831
[fix] Preserve actions[].params.message field formatting during rule export from the repo (#5597)
* Preserve `message` field formatting
* Note the JSON path explicitly in the comment
* version bump fix
2026-01-26 13:04:36 +01:00
Aaron Jewitt
5fff45ec93
Added logic to main.py to use the created_at and updated_at values if they exist (#5444)
* Added logic to main.py to use the created_at and updated_at values from the ndjson file if they exist.
* Add comment for parsing created_at and updated_at fields to metadata
* updated the date metadata code based on PR feedback
* Add --dates-import option to rule import command
Introduce a new option `--dates-import` to parse `created_at` and `updated_at` fields from rule content. This allows users to import date metadata while preventing conflicts with existing date options.
* Update version to 1.5.23 for release preparation
This update increments the version number in the project metadata to reflect the upcoming release. No other changes were made.
* Update date metadata logic to include timezone information
Modified the handling of creation and updated dates to ensure that the datetime objects are timezone-aware by replacing the timezone info with UTC. This change improves the accuracy of date metadata in the rules.
* Updated format of main.py using ruff
* Update project version to 1.5.29
* updating pyproject version
---------
Co-authored-by: Sergey Polzunov <traut@users.noreply.github.com>
2026-01-26 11:00:45 +01:00
Eric Forte
891aa8b6d5
[FR] Add keep metadata check to esql schema test (#5441)
* Add keep metadata check to esql schema test
* Update unit tests
* Allow for keep *
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
2026-01-14 16:03:24 -05:00
github-actions[bot]
e5291f455c
Lock versions for releases: 8.19,9.1,9.2,9.3 (#5553)
2026-01-12 23:52:08 +05:30
shashank-elastic
1ce072a4e5
Prep for Release 9.3 (#5548)
2026-01-12 21:07:07 +05:30
Eric Forte
dd707b384d
[Bug] Importing rules from directory uses wrong type (#5428)
* Type Fix
2025-12-19 12:41:09 -05:00
Samirbous
30883ab9c0
[New] React2Shell Network Security Alert (#5445)
* [New] React2Shell Network Security Alert
KQL query that reports network security signatures for React2Shell from 4 integrations (Suricata, Fortigate, Cisco FTD and PANW).
* Update initial_access_react_server_rce_network_alerts.toml
* cisco_ftd schema
build-schemas -i cisco_ftd
* Update initial_access_react_server_rce_network_alerts.toml
* Update pyproject.toml
* Update rules/network/initial_access_react_server_rce_network_alerts.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* Update pyproject.toml
* Revert "cisco_ftd schema"
This reverts commit c97cf58b2180b3c13c29e3901b2a03bfd12463a2.
* cisco_ftd schema and manifest
* Update pyproject.toml
* Revert "cisco_ftd schema and manifest"
This reverts commit ff2200f70f0e0cf94864c49fe8e8a13fda930bc9.
* Revert "Update pyproject.toml"
This reverts commit d382fcdaaa992cac2d4370f5656f81c530b6ec5a.
* Reapply "cisco_ftd schema"
This reverts commit 1494d4aa3e4f07cebd448fcc2597b4c836a989db.
* Revert "Update pyproject.toml"
This reverts commit 39e1f5e9e34cc0500bd82bc4662ece259a5234ba.
* Revert "cisco_ftd schema"
This reverts commit c97cf58b2180b3c13c29e3901b2a03bfd12463a2.
* ++
* Update pyproject.toml
* integration_cisco_ftd
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
2025-12-19 12:22:44 +00:00
Jonhnathan
1119c3f137
[Docs] Fix Docs Unit Test (#5496)
* Update docset.yml
* Rename README.md to readme.md
* Update pyproject.toml
2025-12-18 05:56:09 -08:00
Samirbous
6ac69db7ba
[Tuning] Elastic Defend and Email Alerts Correlation (#5459)
* [Tuning] Elastic Defend and Email Alerts Correlation
This rule uses the logs-* generic index, which causes failures on clusters without an email-related integration with `destination.user.name` populated. For now, limiting the rule to checkpoint email security; we can add more, or users can customize it by adding more indexes.
* add checkpoint_email manifest and schema
* Update pyproject.toml
* Update multiple_alerts_email_elastic_defend_correlation.toml
2025-12-15 15:33:10 +00:00
github-actions[bot]
793ecfe34a
Lock versions for releases: 8.19,9.0,9.1,9.2 (#5426)
2025-12-09 00:29:19 +05:30
shashank-elastic
58a514340b
December Schema Refresh (#5420)
2025-12-08 22:07:46 +05:30
Mika Ayenson, PhD
f40a383b7e
[New Rules] Add MITRE ATLAS framework support and GenAI threat detection rules (#5352)
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2025-12-05 12:26:56 -06:00
Eric Forte
a8dbf2cf16
[FR] Expand CUSTOM_RULES_DIR to support user relative paths (#5390)
* Add user relative path support
2025-12-03 12:19:29 -05:00
Eric Forte
634de61d6d
[FR] ES|QL remote validation support newline split indices (#5356)
* Updated regex pattern for multiline
* Add line split unit test
2025-12-03 11:50:51 -05:00
github-actions[bot]
18d249aae6
Lock versions for releases: 8.19,9.0,9.1,9.2 (#5360)
2025-11-25 02:26:54 +05:30
Ruben Groenewoud
167def0bc1
[New Rule] Web Server Discovery or Fuzzing Activity (#5337)
* [New Rule] Web Server Discovery or Fuzzing Activity
* Update reconnaissance_web_server_discovery_or_fuzzing_activity.toml
* Update reconnaissance_web_server_discovery_or_fuzzing_activity.toml
* Update reconnaissance_web_server_discovery_or_fuzzing_activity.toml
* Add case handling for URL normalization in rule
* Replace url.path with Esql_url_lower in TOML file
* Update reconnaissance_web_server_discovery_or_fuzzing_activity.toml
* ++
* Update reconnaissance_web_server_discovery_or_fuzzing_activity.toml
* Add manifest and schema updates
* Update reconnaissance_web_server_discovery_or_fuzzing_activity.toml
* ++
* Update fortigate schemas
* Revert "Update fortigate schemas"
This reverts commit b7c87b0ff50c6d36ba7e6c223de2813d7edceb03.
* Revert "++"
This reverts commit 7f5d860da6012218c586f90e98cb5eb0c9c0ede5.
* [New Rule] Web Server Discovery or Fuzzing Activity
* Update reconnaissance_web_server_discovery_or_fuzzing_activity.toml
* Update reconnaissance_web_server_discovery_or_fuzzing_activity.toml
* Update reconnaissance_web_server_discovery_or_fuzzing_activity.toml
* Add case handling for URL normalization in rule
* Replace url.path with Esql_url_lower in TOML file
* Update reconnaissance_web_server_discovery_or_fuzzing_activity.toml
* ++
* Update reconnaissance_web_server_discovery_or_fuzzing_activity.toml
* Add manifest and schema updates
* Update reconnaissance_web_server_discovery_or_fuzzing_activity.toml
* Added schema/manifest updates
* ++
* Update reconnaissance_web_server_discovery_or_fuzzing_activity.toml
* revert manifests / schemas to main
* adds nginx, iis, apache_tomcat, apache to integration manifests and schemas
* bumping patch version
---------
Co-authored-by: Shashank K S <Shashank.Suryanarayana@elastic.co>
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
2025-11-24 12:40:12 -05:00
Samirbous
d946bb36b7
[New] Elastic Defend and Network Security Alerts Correlation (#5332)
* [New] Elastic Defend and NG-Firewall Alerts Correlation
This rule correlates any Elastic Defend alert with a set of suspicious events from Next-Gen Firewalls like PAN and Fortigate by host.ip. This may indicate that this host is compromised and triggering multi-datasource alerts.
* Update multiple_alerts_elastic_defend_panw_fortigate_by_host.toml
* Update multiple_alerts_elastic_defend_panw_fortigate_by_host.toml
* Update multiple_alerts_elastic_defend_panw_fortigate_by_host.toml
* Update multiple_alerts_elastic_defend_panw_fortigate_by_host.toml
* Update multiple_alerts_elastic_defend_panw_fortigate_by_host.toml
* Update multiple_alerts_elastic_defend_panw_fortigate_by_host.toml
* Update multiple_alerts_elastic_defend_panw_fortigate_by_host.toml
* Update multiple_alerts_elastic_defend_panw_fortigate_by_host.toml
* Update multiple_alerts_elastic_defend_netsecurity_by_host.toml
* Update multiple_alerts_elastic_defend_netsecurity_by_host.toml
* Update multiple_alerts_elastic_defend_netsecurity_by_host.toml
* Add suricata and fortinet_fortigate
* ++
* Update multiple_alerts_elastic_defend_netsecurity_by_host.toml
* Update pyproject.toml
* Update multiple_alerts_elastic_defend_netsecurity_by_host.toml
---------
Co-authored-by: eric-forte-elastic <eric.forte@elastic.co>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2025-11-24 22:15:15 +05:30
Samirbous
7fe3831078
[New] SOCKS Traffic from an Unusual Process (#5324)
* [New] SOCKS Traffic from an Unusual Process
This detection correlates FortiGate's application control SOCKS events with Elastic Defend network events to identify the source process performing SOCKS traffic. Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure.
* Update command_and_control_socks_fortigate_endpoint.toml
* Update command_and_control_socks_fortigate_endpoint.toml
* Update rules/cross-platform/command_and_control_socks_fortigate_endpoint.toml
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* Update command_and_control_socks_fortigate_endpoint.toml
* add fortinet schema and manif
* Update rules/cross-platform/command_and_control_socks_fortigate_endpoint.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* Update rules/cross-platform/command_and_control_socks_fortigate_endpoint.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* Update pyproject.toml
---------
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
2025-11-24 13:18:30 +00:00
shashank-elastic
5db396f084
Skip unit test for protected prebuilt-rules on DAC env (#5323)
2025-11-17 21:41:46 +05:30
shashank-elastic
79607723df
Renovate Updates (#5258)
2025-11-17 20:22:11 +05:30
Jonhnathan
a2bf7f088d
[Security Content] Windows Setup Guides - WinEventLog & Sysmon (#5162)
* [Security Content] Windows Setup Guides
* Move it to the right folder
* Fix link
* test
* ++
* ++
* ++
* ++
* ++
* ++
* ++
* ++
* Fix links
* ++
* ++
* Update pyproject.toml
* Update docs/audit_policies/windows/sysmon_eventid1_process_creation.md
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* Update docs/audit_policies/windows/audit_powershell_scriptblock.md
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* Update pyproject.toml
---------
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
2025-11-14 09:22:31 -08:00
Jonhnathan
8b74ba7136
[Rule Tuning] Remove host.os.type Unit Test Exception (#5317)
2025-11-14 08:46:24 -08:00
Eric Forte
033145adf4
[Bug] Add synthetic properties check to remote ESQL validation (#5308)
* Add synthetic properties check
* Add additional unit test for schema conflicts
2025-11-13 15:25:42 -05:00
Eric Forte
29d4aeb37a
[Bug] [DAC] Auto Gen Schema Fails on Certain Subqueries (#5256)
* Add alignment checking for sub-queries
* Allow field to be over written with original field
* Update rule prompt to allow for int 0 values
* Support custom schema index overwrite
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
2025-11-12 11:21:53 -05:00
github-actions[bot]
32fb003781
Lock versions for releases: 8.19,9.0,9.1,9.2 (#5300)
2025-11-11 18:58:05 +05:30
shashank-elastic
e938ecf41a
Refresh Manifest and Schemas November Update (#5298)
2025-11-11 18:04:20 +05:30
Eric Forte
7604c20d9e
[FR] Add ESQL rules to dataset exception (#5249)
* Add ESQL rules to dataset exception
* Add unit test
2025-10-27 11:03:48 -04:00
shashank-elastic
9345e0ec27
Add unit test for protected prebuilt-rules (#5242)
2025-10-24 19:15:52 +05:30
Eric Forte
566242772f
Remove toml filtering for branches (#5243)
2025-10-23 12:53:15 -04:00
github-actions[bot]
b9b8e24514
Lock versions for releases: 8.19,9.0,9.1,9.2 (#5234)
2025-10-17 22:10:05 +05:30
shashank-elastic
818978975d
Prep 9.2 (#5231)
2025-10-17 21:01:13 +05:30
Sergey Polzunov
c7246313f7
feat: ESQL query validation against Elastic cluster (#4955)
* Add remote ESQL validation
---------
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
Co-authored-by: eric-forte-elastic <eric.forte@elastic.co>
Co-authored-by: Mika Ayenson <mika.ayenson@elastic.co>
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
2025-10-15 15:17:07 -04:00