Ruben Groenewoud | a2b280a6fd
[New Hunts] Adding Several Hunting PRs into this Main PR (#4342)
* [New Hunt] Linux PAM Persistence
* Fixed notes
* [New Hunt] Persistence via Dynamic Linker Hijacking
* [New Hunt & Tuning] Persistence via LKMs
* [New Hunt] Persistence via Web Shells
* Update query
* [New Rule] Persistence via DPKG/RPM Package
* [New Hunt] Persistence via Container
* Update hunting/linux/queries/persistence_via_pluggable_authentication_module.toml
* [Hunt Addition] System User Interactive Session
* Merge branch 'main' into new-hunts-PAM
* Updates
* ++
* Match RTA bin executor
---------
Co-authored-by: Shashank K S <Shashank.Suryanarayana@elastic.co>
2025-01-07 14:29:17 +01:00

Terrance DeJesus | 4b4b2cc9c8
[Hunt Tuning] Enforce STATS or KEEP functions in ES|QL hunting queries (#4157)
* enforcing aggregate or keep in ES|QL queries
* Update hunting/definitions.py
* Update hunting/definitions.py
* Update hunting/definitions.py
* updated capitalization of linting
* updated raise value error
* Update hunting/definitions.py
* added note about stats in best practices
2024-10-16 09:16:28 -04:00

Terrance DeJesus | 50e23ba242
[Hunting] Re-factor Hunting Library Code (#4085)
* updating python code for hunting library
* fixed Okta queries; added MITRE search capability
* fixed hunting unit test imports
* fixed duplicate UUID; fixed duplicate index entry bug
* fixed technique finding sub-technique in search
* added more unit tests
* linted
* flake errors addressed; fixed unit test import; fixed markdown generate bug
* added description for generate-markdown command
* updated README
* adjusted YAML index, adjusted code for index changes
* adjusted relative imports; updated CODEOWNERS
* adding updates; moving to different branch for main dependencies
* finished run-query command; made some code adjustments
* removed some comments
* revised makefile; fixed unit tests; adjusted detection rules pyproject
* updated README
* updated README
* adjusted unit tests; adjusted hunt guidelines; updated makefile; adjusted several commands
* adjusted package to be more object-oriented
* removed unused variable
* Add simple breakdown stats
* addressed feedback; added keyword option for search
* Update hunting/README.md
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
* Update detection_rules/etc/test_hunting_cli.bash
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
* addressing feedback
* addressed feedback
* added message for unknown index; fixed function call
* fixed search command
* fixed flake error
---------
Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
2024-10-03 12:47:40 -04:00

Terrance DeJesus | 9181c00586
[New Hunt] Add Initial Okta Hunting Queries (#4064)
* adding new Okta hunting queries
* query format changes
* adding docs
* added query for mfa bombing
* adding remaining hunting queries
* adjusted incorrect hunt
* updated queries
* updated queries based on Samir's feedback
* removed failed login eval
* updated docs
2024-09-16 14:36:44 -04:00