sigma-rules

security-tools/sigma-rules

Fork 0

Commit Graph

Author	SHA1	Message	Date
Ruben Groenewoud	1c1632e0b9	[Rule Tuning] Linux DR Tuning - 3 (#5483 ) * [Rule Tuning] Linux DR Tuning - 3 * Update rules/linux/credential_access_aws_creds_search_inside_container.toml * Adjust thresholds and expand event action handling * Update credential_access_potential_linux_ssh_bruteforce_external.toml * Increase threshold for SSH brute force detection * Update credential_access_potential_linux_ssh_bruteforce_internal.toml * Update credential_access_ssh_backdoor_log.toml Removed 'auditbeat-' from the index list. Refactor credential access rule for clarity Removed redundant event.action expansion and filtering logic. * Refactor ESQL query for SSH brute force detection Refactor ESQL query to improve readability and maintainability by moving the event.action expansion and filtering logic. * Update credential_access_potential_linux_ssh_bruteforce_internal.toml * Update credential_access_potential_successful_linux_ftp_bruteforce.toml * Update credential_access_potential_successful_linux_rdp_bruteforce.toml * Update credential_access_potential_linux_ssh_bruteforce_internal.toml * Add time window truncation to bruteforce rule * Add time window truncation to SSH brute force rule * Update credential_access_potential_linux_ssh_bruteforce_internal.toml * Update SSH brute force detection rule to EQL * Update CIDR match conditions for SSH brute force rule * Update EQL query for SSH brute force detection	2026-01-08 13:32:43 +01:00
Ruben Groenewoud	37e18af7a5	[Rule Tuning] Adds Crowdstrike Compatibility to Linux Process Rules (#5232 ) * First batch * Second batch * Batch 2	2025-11-10 16:03:39 +01:00
Ruben Groenewoud	9f5793759c	[New Rule] GitHub Authentication Token Access via Node.js (#5130 )	2025-09-24 20:48:19 +02:00

Author

SHA1

Message

Date

Ruben Groenewoud

1c1632e0b9

[Rule Tuning] Linux DR Tuning - 3 (#5483 )

* [Rule Tuning] Linux DR Tuning - 3

* Update rules/linux/credential_access_aws_creds_search_inside_container.toml

* Adjust thresholds and expand event action handling

* Update credential_access_potential_linux_ssh_bruteforce_external.toml

* Increase threshold for SSH brute force detection

* Update credential_access_potential_linux_ssh_bruteforce_internal.toml

* Update credential_access_ssh_backdoor_log.toml

Removed 'auditbeat-*' from the index list.

* Refactor credential access rule for clarity

Removed redundant event.action expansion and filtering logic.

* Refactor ESQL query for SSH brute force detection

Refactor ESQL query to improve readability and maintainability by moving the event.action expansion and filtering logic.

* Update credential_access_potential_linux_ssh_bruteforce_internal.toml

* Update credential_access_potential_successful_linux_ftp_bruteforce.toml

* Update credential_access_potential_successful_linux_rdp_bruteforce.toml

* Update credential_access_potential_linux_ssh_bruteforce_internal.toml

* Add time window truncation to bruteforce rule

* Add time window truncation to SSH brute force rule

* Update credential_access_potential_linux_ssh_bruteforce_internal.toml

* Update SSH brute force detection rule to EQL

* Update CIDR match conditions for SSH brute force rule

* Update EQL query for SSH brute force detection

2026-01-08 13:32:43 +01:00

Ruben Groenewoud

37e18af7a5

[Rule Tuning] Adds Crowdstrike Compatibility to Linux Process Rules (#5232 )

* First batch

* Second batch

* Batch 2

2025-11-10 16:03:39 +01:00

Ruben Groenewoud

9f5793759c

[New Rule] GitHub Authentication Token Access via Node.js (#5130 )

2025-09-24 20:48:19 +02:00

3 Commits