sigma-rules

security-tools/sigma-rules

Fork 0

Commit Graph

Author	SHA1	Message	Date
Ruben Groenewoud	1c1632e0b9	[Rule Tuning] Linux DR Tuning - 3 (#5483 ) * [Rule Tuning] Linux DR Tuning - 3 * Update rules/linux/credential_access_aws_creds_search_inside_container.toml * Adjust thresholds and expand event action handling * Update credential_access_potential_linux_ssh_bruteforce_external.toml * Increase threshold for SSH brute force detection * Update credential_access_potential_linux_ssh_bruteforce_internal.toml * Update credential_access_ssh_backdoor_log.toml Removed 'auditbeat-' from the index list. Refactor credential access rule for clarity Removed redundant event.action expansion and filtering logic. * Refactor ESQL query for SSH brute force detection Refactor ESQL query to improve readability and maintainability by moving the event.action expansion and filtering logic. * Update credential_access_potential_linux_ssh_bruteforce_internal.toml * Update credential_access_potential_successful_linux_ftp_bruteforce.toml * Update credential_access_potential_successful_linux_rdp_bruteforce.toml * Update credential_access_potential_linux_ssh_bruteforce_internal.toml * Add time window truncation to bruteforce rule * Add time window truncation to SSH brute force rule * Update credential_access_potential_linux_ssh_bruteforce_internal.toml * Update SSH brute force detection rule to EQL * Update CIDR match conditions for SSH brute force rule * Update EQL query for SSH brute force detection	2026-01-08 13:32:43 +01:00
Ruben Groenewoud	3b1f780435	[D4C Conversion] Converting Compatible D4C Rules to DR (#4532 ) * [D4C Conversion] Converting Compatible D4C Rules to DR * added host.os.type * Rename * Update rules/linux/execution_container_management_binary_launched_inside_container.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * Update rules/linux/privilege_escalation_debugfs_launched_inside_container.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * Update rules/linux/privilege_escalation_debugfs_launched_inside_container.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * Update rules/linux/privilege_escalation_mount_launched_inside_container.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * Update rules/linux/privilege_escalation_mount_launched_inside_container.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> --------- Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com> Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>	2025-04-10 14:26:40 +02:00

Author

SHA1

Message

Date

Ruben Groenewoud

1c1632e0b9

[Rule Tuning] Linux DR Tuning - 3 (#5483 )

* [Rule Tuning] Linux DR Tuning - 3

* Update rules/linux/credential_access_aws_creds_search_inside_container.toml

* Adjust thresholds and expand event action handling

* Update credential_access_potential_linux_ssh_bruteforce_external.toml

* Increase threshold for SSH brute force detection

* Update credential_access_potential_linux_ssh_bruteforce_internal.toml

* Update credential_access_ssh_backdoor_log.toml

Removed 'auditbeat-*' from the index list.

* Refactor credential access rule for clarity

Removed redundant event.action expansion and filtering logic.

* Refactor ESQL query for SSH brute force detection

Refactor ESQL query to improve readability and maintainability by moving the event.action expansion and filtering logic.

* Update credential_access_potential_linux_ssh_bruteforce_internal.toml

* Update credential_access_potential_successful_linux_ftp_bruteforce.toml

* Update credential_access_potential_successful_linux_rdp_bruteforce.toml

* Update credential_access_potential_linux_ssh_bruteforce_internal.toml

* Add time window truncation to bruteforce rule

* Add time window truncation to SSH brute force rule

* Update credential_access_potential_linux_ssh_bruteforce_internal.toml

* Update SSH brute force detection rule to EQL

* Update CIDR match conditions for SSH brute force rule

* Update EQL query for SSH brute force detection

2026-01-08 13:32:43 +01:00

Ruben Groenewoud

3b1f780435

[D4C Conversion] Converting Compatible D4C Rules to DR (#4532 )

* [D4C Conversion] Converting Compatible D4C Rules to DR

* added host.os.type

* Rename

* Update rules/linux/execution_container_management_binary_launched_inside_container.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/linux/privilege_escalation_debugfs_launched_inside_container.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/linux/privilege_escalation_debugfs_launched_inside_container.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/linux/privilege_escalation_mount_launched_inside_container.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/linux/privilege_escalation_mount_launched_inside_container.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

2025-04-10 14:26:40 +02:00

2 Commits