sigma-rules

security-tools/sigma-rules

Fork 0

Commit Graph

Author	SHA1	Message	Date
Ruben Groenewoud	229f3adf75	[New/Tuning] Misc. New D4C Rules and Tunings (#5692 ) * Updated kubernetes.audit.requestObject.spec.containers.image type of text to Keyword * [New/Tuning] Misc. New D4C Rules and Tunings * Added IGs for High Severity Rules * Apply suggestion from @Aegrah * ++ * Update discovery_privilege_boundary_enumeration_from_interactive_process.toml * ++ * Update rules/integrations/cloud_defend/credential_access_service_account_token_or_cert_read.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/integrations/cloud_defend/discovery_service_account_namespace_read.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update execution_interactive_file_creation_followed_by_execution.toml * Some updates based on feedback * Rule name changes * ++ --------- Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>	2026-02-09 16:58:27 +01:00
shashank-elastic	3ee0a72a65	Add investigation guides (#5630 )	2026-01-27 14:28:06 +05:30
Ruben Groenewoud	c5b64c9fbf	[New/Tuning] General API Abuse D4C/K8s Rules (#5591 ) * [New/Tuning] General API Abuse D4C/K8s Rules * [New Rule] DNS Enumeration Detected via Defend for Containers * [New Rule] Tool Enumeration Detected via Defend for Containers * [New Rule] Tool Installation Detected via Defend for Containers * Service Account File Reads * [New Rule] Direct Interactive Kubernetes API Request Detected via Defend for Containers * Rule name update * [New Rules] D4C K8S MDA API Request Rules * Add 'tor' to the list of allowed process args * ++ * ++ * Update rules/integrations/kubernetes/execution_user_exec_to_pod.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * Update description * Update rules/integrations/cloud_defend/execution_tool_installation.toml Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com> * Update rules/integrations/cloud_defend/execution_tool_installation.toml Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com> * Update rules/integrations/cloud_defend/execution_tool_installation.toml * Update non-ecs-schema.json --------- Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>	2026-01-26 16:59:14 +01:00

Author

SHA1

Message

Date

Ruben Groenewoud

229f3adf75

[New/Tuning] Misc. New D4C Rules and Tunings (#5692 )

* Updated kubernetes.audit.requestObject.spec.containers.image type of text to Keyword

* [New/Tuning] Misc. New D4C Rules and Tunings

* Added IGs for High Severity Rules

* Apply suggestion from @Aegrah

* ++

* Update discovery_privilege_boundary_enumeration_from_interactive_process.toml

* ++

* Update rules/integrations/cloud_defend/credential_access_service_account_token_or_cert_read.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/integrations/cloud_defend/discovery_service_account_namespace_read.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update execution_interactive_file_creation_followed_by_execution.toml

* Some updates based on feedback

* Rule name changes

* ++

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

2026-02-09 16:58:27 +01:00

shashank-elastic

3ee0a72a65

Add investigation guides (#5630 )

2026-01-27 14:28:06 +05:30

Ruben Groenewoud

c5b64c9fbf

[New/Tuning] General API Abuse D4C/K8s Rules (#5591 )

* [New/Tuning] General API Abuse D4C/K8s Rules

* [New Rule] DNS Enumeration Detected via Defend for Containers

* [New Rule] Tool Enumeration Detected via Defend for Containers

* [New Rule] Tool Installation Detected via Defend for Containers

* Service Account File Reads

* [New Rule] Direct Interactive Kubernetes API Request Detected via Defend for Containers

* Rule name update

* [New Rules] D4C K8S MDA API Request Rules

* Add 'tor' to the list of allowed process args

* ++

* ++

* Update rules/integrations/kubernetes/execution_user_exec_to_pod.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update description

* Update rules/integrations/cloud_defend/execution_tool_installation.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Update rules/integrations/cloud_defend/execution_tool_installation.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Update rules/integrations/cloud_defend/execution_tool_installation.toml

* Update non-ecs-schema.json

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

2026-01-26 16:59:14 +01:00

3 Commits