security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
3,314 Commits 1 Branch 0 Tags
1ce072a4e58238d94deae33ff8de25458ac129d5
Commit Graph

216 Commits

Author SHA1 Message Date
shashank-elastic 1ce072a4e5 Prep for Release 9.3 (#5548) 2026-01-12 21:07:07 +05:30
Eric Forte dd707b384d [Bug] Importing rules from directory uses wrong type (#5428) 
* Type Fix
 2025-12-19 12:41:09 -05:00
Samirbous 30883ab9c0 [New] React2Shell Network Security Alert (#5445) 
* [New] React2Shell Network Security Alert

KQL query that reports network security signatures for React2Shell from 4 integrations (Suricata, Fortigate, Cisco FTD and PANW).

* Update initial_access_react_server_rce_network_alerts.toml

* cisco_ftd schema

 build-schemas -i cisco_ftd

* Update initial_access_react_server_rce_network_alerts.toml

* Update pyproject.toml

* Update rules/network/initial_access_react_server_rce_network_alerts.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Update pyproject.toml

* Revert "cisco_ftd schema"

This reverts commit c97cf58b2180b3c13c29e3901b2a03bfd12463a2.

* cisco_ftd schema and manifest

* Update pyproject.toml

* Revert "cisco_ftd schema and manifest"

This reverts commit ff2200f70f0e0cf94864c49fe8e8a13fda930bc9.

* Revert "Update pyproject.toml"

This reverts commit d382fcdaaa992cac2d4370f5656f81c530b6ec5a.

* Reapply "cisco_ftd schema"

This reverts commit 1494d4aa3e4f07cebd448fcc2597b4c836a989db.

* Revert "Update pyproject.toml"

This reverts commit 39e1f5e9e34cc0500bd82bc4662ece259a5234ba.

* Revert "cisco_ftd schema"

This reverts commit c97cf58b2180b3c13c29e3901b2a03bfd12463a2.

* ++

* Update pyproject.toml

* integration_cisco_ftd

---------

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
 2025-12-19 12:22:44 +00:00
Jonhnathan 1119c3f137 [Docs] Fix Docs Unit Test (#5496) 
* Update docset.yml

* Rename README.md to readme.md

* Update pyproject.toml
 2025-12-18 05:56:09 -08:00
Samirbous 6ac69db7ba [Tuning] Elastic Defend and Email Alerts Correlation (#5459) 
* [Tuning] Elastic Defend and Email Alerts Correlation

this rule uses the logs-* generic index, which causes failures on clusters without an email related integration with `destination.user.name` populated.  for now limiting the rule to checkpoint email security and we can add more or users can customize it by adding more indexes.

* add checkpoint_email manifest and schema

* Update pyproject.toml

* Update multiple_alerts_email_elastic_defend_correlation.toml
 2025-12-15 15:33:10 +00:00
github-actions[bot] 793ecfe34a Lock versions for releases: 8.19,9.0,9.1,9.2 (#5426) 2025-12-09 00:29:19 +05:30
shashank-elastic 58a514340b December Schema Refresh (#5420) 2025-12-08 22:07:46 +05:30
Mika Ayenson, PhD f40a383b7e [New Rules] Add MITRE ATLAS framework support and GenAI threat detection rules (#5352) 
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2025-12-05 12:26:56 -06:00
Eric Forte a8dbf2cf16 [FR] Expand CUSTOM_RULES_DIR to support user relative paths (#5390) 
* Add user relative path support
 2025-12-03 12:19:29 -05:00
Eric Forte 634de61d6d [FR] ES|QL remote validation support newline split indices (#5356) 
* Updated regex pattern for multiline

* Add line split unit test
 2025-12-03 11:50:51 -05:00
github-actions[bot] 18d249aae6 Lock versions for releases: 8.19,9.0,9.1,9.2 (#5360) 2025-11-25 02:26:54 +05:30
Ruben Groenewoud 167def0bc1 [New Rule] Web Server Discovery or Fuzzing Activity (#5337) 
* [New Rule] Web Server Discovery or Fuzzing Activity

* Update reconnaissance_web_server_discovery_or_fuzzing_activity.toml

* Update reconnaissance_web_server_discovery_or_fuzzing_activity.toml

* Update reconnaissance_web_server_discovery_or_fuzzing_activity.toml

* Add case handling for URL normalization in rule

* Replace url.path with Esql_url_lower in TOML file

* Update reconnaissance_web_server_discovery_or_fuzzing_activity.toml

* ++

* Update reconnaissance_web_server_discovery_or_fuzzing_activity.toml

* Add manifest and schema updates

* Update reconnaissance_web_server_discovery_or_fuzzing_activity.toml

* ++

* Update fortigate schemas

* Revert "Update fortigate schemas"

This reverts commit b7c87b0ff50c6d36ba7e6c223de2813d7edceb03.

* Revert "++"

This reverts commit 7f5d860da6012218c586f90e98cb5eb0c9c0ede5.

* [New Rule] Web Server Discovery or Fuzzing Activity

* Update reconnaissance_web_server_discovery_or_fuzzing_activity.toml

* Update reconnaissance_web_server_discovery_or_fuzzing_activity.toml

* Update reconnaissance_web_server_discovery_or_fuzzing_activity.toml

* Add case handling for URL normalization in rule

* Replace url.path with Esql_url_lower in TOML file

* Update reconnaissance_web_server_discovery_or_fuzzing_activity.toml

* ++

* Update reconnaissance_web_server_discovery_or_fuzzing_activity.toml

* Add manifest and schema updates

* Update reconnaissance_web_server_discovery_or_fuzzing_activity.toml

* Added schema/manifest updates

* ++

* Update reconnaissance_web_server_discovery_or_fuzzing_activity.toml

* revert manifests / schemas to main

* adds nginx, iis, apache_tomcat, apache to integration manifests and schemas

* bumping patch version

---------

Co-authored-by: Shashank K S <Shashank.Suryanarayana@elastic.co>
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
 2025-11-24 12:40:12 -05:00
Samirbous d946bb36b7 [New] Elastic Defend and Network Security Alerts Correlation (#5332) 
* [New] Elastic Defend and NG-Firewall Alerts Correlation

This rule correlate any Elastic Defend alert with a set of suspicious events from Next-Gen Firewall like PAN and Fortigate by host.ip. This may indicate that this host is compromised and triggering multi-datasource alerts.

* Update multiple_alerts_elastic_defend_panw_fortigate_by_host.toml

* Update multiple_alerts_elastic_defend_panw_fortigate_by_host.toml

* Update multiple_alerts_elastic_defend_panw_fortigate_by_host.toml

* Update multiple_alerts_elastic_defend_panw_fortigate_by_host.toml

* Update multiple_alerts_elastic_defend_panw_fortigate_by_host.toml

* Update multiple_alerts_elastic_defend_panw_fortigate_by_host.toml

* Update multiple_alerts_elastic_defend_panw_fortigate_by_host.toml

* Update multiple_alerts_elastic_defend_panw_fortigate_by_host.toml

* Update multiple_alerts_elastic_defend_netsecurity_by_host.toml

* Update multiple_alerts_elastic_defend_netsecurity_by_host.toml

* Update multiple_alerts_elastic_defend_netsecurity_by_host.toml

* Add suricata and fortinet_fortigate

* ++

* Update multiple_alerts_elastic_defend_netsecurity_by_host.toml

* Update pyproject.toml

* Update multiple_alerts_elastic_defend_netsecurity_by_host.toml

---------

Co-authored-by: eric-forte-elastic <eric.forte@elastic.co>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2025-11-24 22:15:15 +05:30
Samirbous 7fe3831078 [New] SOCKS Traffic from an Unusual Process (#5324) 
* [New] SOCKS Traffic from an Unusual Process

This detection correlates FortiGate's application control SOCKS events with Elastic Defend network event to identify the
source process performing SOCKS traffic. Adversaries may use a connection proxy to direct network traffic between systems
or act as an intermediary for network communications to a command and control server to avoid direct connections to their
infrastructure.

* Update command_and_control_socks_fortigate_endpoint.toml

* Update command_and_control_socks_fortigate_endpoint.toml

* Update rules/cross-platform/command_and_control_socks_fortigate_endpoint.toml

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Update command_and_control_socks_fortigate_endpoint.toml

* add fortinet schema and manif

* Update rules/cross-platform/command_and_control_socks_fortigate_endpoint.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Update rules/cross-platform/command_and_control_socks_fortigate_endpoint.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Update pyproject.toml

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
 2025-11-24 13:18:30 +00:00
shashank-elastic 5db396f084 Skip unit test for protected prebuilt-rules on DAC env (#5323) 2025-11-17 21:41:46 +05:30
shashank-elastic 79607723df Renovate Updates (#5258) 2025-11-17 20:22:11 +05:30
Jonhnathan a2bf7f088d [Security Content] Windows Setup Guides - WinEventLog & Sysmon (#5162) 
* [Security Content] Windows Setup Guides

* Move it to the right folder

* Fix link

* test

* ++

* ++

* ++

* ++

* ++

* ++

* ++

* ++

* Fix links

* ++

* ++

* Update pyproject.toml

* Update docs/audit_policies/windows/sysmon_eventid1_process_creation.md

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Update docs/audit_policies/windows/audit_powershell_scriptblock.md

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Update pyproject.toml

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
 2025-11-14 09:22:31 -08:00
Jonhnathan 8b74ba7136 [Rule Tuning] Remove host.os.type Unit Test Exception (#5317) 2025-11-14 08:46:24 -08:00
Eric Forte 033145adf4 [Bug] Add synthetic properties check to remote ESQL validation (#5308) 
* Add synthetic properties check

* Add additional unit test for schema conflicts
 2025-11-13 15:25:42 -05:00
Eric Forte 29d4aeb37a [Bug] [DAC] Auto Gen Schema Fails on Certain Subqueries (#5256) 
* Add alignment checking for sub-queries

* Allow field to be over written with original field

* Update rule prompt to allow for int 0 values

* Support custom schema index overwrite

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
 2025-11-12 11:21:53 -05:00
github-actions[bot] 32fb003781 Lock versions for releases: 8.19,9.0,9.1,9.2 (#5300) 2025-11-11 18:58:05 +05:30
shashank-elastic e938ecf41a Refresh Manifest and Schemas November Update (#5298) 2025-11-11 18:04:20 +05:30
Eric Forte 7604c20d9e [FR] Add ESQL rules to dataset exception (#5249) 
* Add ESQL rules to dataset exception

* Add unit test
 2025-10-27 11:03:48 -04:00
shashank-elastic 9345e0ec27 Add unit test for protected prebuilt-rules (#5242) 2025-10-24 19:15:52 +05:30
Eric Forte 566242772f Remove toml filtering for branches (#5243) 2025-10-23 12:53:15 -04:00
github-actions[bot] b9b8e24514 Lock versions for releases: 8.19,9.0,9.1,9.2 (#5234) 2025-10-17 22:10:05 +05:30
shashank-elastic 818978975d Prep 9.2 (#5231) 2025-10-17 21:01:13 +05:30
Sergey Polzunov c7246313f7 feat: ESQL query validation against Elastic cluster (#4955) 
* Add remote ESQL validation
---------

Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
Co-authored-by: eric-forte-elastic <eric.forte@elastic.co>
Co-authored-by: Mika Ayenson <mika.ayenson@elastic.co>
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
 2025-10-15 15:17:07 -04:00
Eric Forte a5c100a65b [Bug] Add unit tests and fix Alert Suppression schema validation for ThresholdQueryRuleData (#5196) 
* Add schema validation for AlertSuppressionMapping

* Add support for indicator match alert suppression

* Add unit tests

* Update order and remove validates_schema method

* Add comments

* Add test for query rule duration only
 2025-10-09 16:21:21 -04:00
shashank-elastic ebb7bb5bce Update Package Category (#5192) 2025-10-08 19:26:11 +05:30
github-actions[bot] 49637fbfc7 Lock versions for releases: 8.18,8.19,9.0,9.1 (#5188) 2025-10-06 22:14:15 +05:30
shashank-elastic 3397b7e707 Monthly Schema Updates (#5187) 2025-10-06 21:39:14 +05:30
Eric Forte 7410ec7db9 [Rule Tuning] Updated ESQL Rules Based on Validation Results (#5151) 
* Updated ESQL rules based on validation results

* Patch bump

* Updated regex patterns

* added missing azure fields to non-ecs-schema.json; adjusted okta query logic to use LIKE instead of RLIKE

* fixed incorrect field in non-ecs-schema.json; changed logs-azure.signinlogs* sightings to logs-azure.signinlogs-*

* Add and

* Additional non-ecs fields

* Add EOF

* Add kibana.alert.rule.name

* removed azure.platforlogs.identity.claim.objectid; updated query for 'c07f7898-5dc3-11f0-9f27-f661ea17fbcd'

* Field removed from query removing from keep

* Patch Bump

---------

Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
 2025-09-30 00:36:29 -04:00
Eric Forte 42be8bc8ba [Bug] Add Required to the Annotation (#5159) 
* Add Required to the Annotation

* Additional required fields

* remove nonempty sting validation

* Required Types via Annotated and Dataclass

* remove space

* Remove inline comment

* Switch to getting a list

* Fix typo and sort

---------

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
 2025-09-29 18:30:50 -04:00
shashank-elastic e147188939 Add SIEM package category (#5128) 2025-09-18 19:15:53 +05:30
Eric Forte 80c01cf665 [Bug] Annotated Fields Ignored (#5125) 
* Add Note for stop gap
 2025-09-17 17:34:42 -04:00
github-actions[bot] 8f79d58f3f Lock versions for releases: 8.18,8.19,9.0,9.1 (#5123) 2025-09-16 19:56:59 +05:30
Eric Forte 99ebad576b Added handling for unauth error (#5115) 2025-09-16 18:25:10 +05:30
Eric Forte b2b9d677c7 [Bug] Github Gist API Now Requires Auth (#5119) 
* Add headers to public call
 2025-09-16 08:18:48 -04:00
elastic-renovate-prod[bot] 39b6f19eb9 Pin dependencies (#5086) 
Co-authored-by: Shashank K S <Shashank.Suryanarayana@elastic.co>
 2025-09-12 22:46:24 +05:30
Mika Ayenson, PhD f0f7d217c0 [FR] Refactor Schema Validation & Support Multi-Dataset Sequence Validation (#5059) 2025-09-10 13:11:04 -05:00
shashank-elastic 6adee51410 Fix Ruff failures (#5083) 2025-09-10 22:24:07 +05:30
shashank-elastic a6dfd2c0e1 Add test_min_stack_version_supported testcase (#5077) 2025-09-10 20:12:36 +05:30
Mika Ayenson, PhD 35b000b7ab [FR] Add negate DOES NOT MATCH capability to IM rule type (>=9.2) (#5041) 2025-09-09 10:58:53 -05:00
Eric Forte cbb892b4bc [Bug] Incorrect Integrations Schema Parsing for Nested Fields (#5058) 
* Add proper handling for nested fields

* Updated schemas

* bump patch

---------

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
 2025-09-04 14:12:33 -04:00
Mika Ayenson, PhD 3c1de72f6b [FR] Add support for 5 group_by fields in threshold rules (>=9.2) (#5040) 2025-09-04 09:24:36 -05:00
github-actions[bot] f2291e0261 Lock versions for releases: 8.18,8.19,9.0,9.1 (#5049) 2025-09-01 23:19:12 +05:30
shashank-elastic 93ac471574 Monthly Schema Updates (#5046) 2025-09-01 20:42:42 +05:30
shashank-elastic ee70674e2c Add all rule types DaC testing (#4969) 2025-08-20 19:04:57 +05:30
Eric Forte dde448ee6b [Bug] Rule Toml Write Formatting Wrongly Formats \\\\x (#4978) 
* Fix rule and mitigate py toml

* Bump patch version

* Add reference to issue

* Add unit test for path issues

* Update comment

* Certain strings were not properly escaped

* Updated to use json instead of repr

* replace _old_dump_str with json.dumps

* Bump Version
 2025-08-18 17:03:51 -04:00