sigma-rules

Author	SHA1	Message	Date
Jonhnathan	8f441a7191	[Rule Tuning] Creation or Modification of Root Certificate (#4970 ) * [Rule Tuning] Creation or Modification of Root Certificate * Update defense_evasion_create_mod_root_certificate.toml * Update rules/windows/defense_evasion_create_mod_root_certificate.toml --------- Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>	2025-08-13 09:41:57 -03:00
shashank-elastic	e8c54169a4	Prep main for 9.1 (#4555 ) * Prep for Release 9.1 * Update Patch Version * Update Patch version * Update Patch version	2025-03-26 11:04:14 -04:00
Jonhnathan	2c07e88c07	[Rule Tuning] Fix double bumps caused by Windows Integration Update (#4156 )	2024-10-15 23:57:44 +05:30
Jonhnathan	f021229da4	[Rule Tuning] 3rd Party EDR Compatibility - 4 (#4021 ) * [Rule Tuning] 3rd Party EDR Compatibility - 4 * Update defense_evasion_delete_volume_usn_journal_with_fsutil.toml * bump updated_date to 8.16 release date * min_stack for merge, bump updated_date	2024-10-11 13:33:32 -03:00
Jonhnathan	9b85079da1	[Rule Tuning] Windows Registry Rules Tuning - 1 (#3957 )	2024-08-06 17:05:17 +05:30
shashank-elastic	63e91c2f12	Back-porting Version Trimming (#3704 )	2024-05-23 00:45:10 +05:30
Mika Ayenson	2c3dbfc039	Revert "Back-porting Version Trimming (#3681 )" This reverts commit `71d2c59b5c`.	2024-05-22 13:51:46 -05:00
shashank-elastic	71d2c59b5c	Back-porting Version Trimming (#3681 )	2024-05-23 00:11:50 +05:30
Jonhnathan	b47b91b9ec	[Rule Tuning] Tighten up Indexes of Elastic Defend Windows Rules (#3549 ) * [Rule Tuning] Tighten up Indexes of Elastic Defend Windows Rules * Delete test.pkl --------- Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>	2024-04-01 20:45:12 -03:00
Jonhnathan	f5254f3b5e	[Rule Tuning] Improve Compatibility in WIndows Detection Rules - Part 1 (#3501 ) * Initial commit * Date bump	2024-03-13 10:27:44 -03:00
Jonhnathan	458e67918a	[Security Content] Small tweaks on the setup guides (#3308 ) * [Security Content] Small tweaks on the setup guides * Additional Fixes * Avoid touching deprecated rules	2024-03-11 09:09:40 -03:00
Jonhnathan	e5d676797e	[Rule Tuning] Windows DR Tuning - 5 (#3229 ) * [Rule Tuning] Windows DR Tuning - 5 * . * Revert changes BehaviorOnFailedVerify --------- Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>	2023-12-05 19:20:40 -03:00
shashank-elastic	a568c56bc1	Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157 )	2023-10-30 16:53:04 +05:30
Jonhnathan	4233fef238	[Security Content] Include "Data Source: Elastic Defend" tag (#3002 ) * win folder * Other folders * Update test_all_rules.py * . * updated missing elastic defend tags --------- Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>	2023-09-05 14:22:01 -04:00
Jonhnathan	b4c84e8a40	[Security Content] Tags Reform (#2725 ) * Update Tags * Bump updated date separately to be easy to revert if needed * Update resource_development_ml_linux_anomalous_compiler_activity.toml * Apply changes from the discussion * Update persistence_init_d_file_creation.toml * Update defense_evasion_timestomp_sysmon.toml * Update defense_evasion_application_removed_from_blocklist_in_google_workspace.toml * Update missing Tactic tags * Update unit tests to match new tags * Add missing IG tags * Delete okta_threat_detected_by_okta_threatinsight.toml * Update command_and_control_google_drive_malicious_file_download.toml * Update persistence_rc_script_creation.toml * Mass bump * Update persistence_shell_activity_by_web_server.toml * . --------- Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co> Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>	2023-06-22 18:38:56 -03:00
Justin Ibarra	59da2da474	[Rule Tuning] Ensure host information is in endpoint rule queries (#2593 ) * add unit tests to ensure host type and platform are included * add host.os.name 'linux' to all linux rules * add host.os.name macos to mac rules * add host.os.name to windows rules; fix linux dates * update from host.os.name to host.os.type Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com> Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>	2023-03-05 11:41:19 -07:00
Jonhnathan	9981cca275	[Security Content] Investigation Guides Line breaks refactor (#2454 ) * [Security Content] Investigation Guides Line breaks refactor (#2412) * [Security Content] Investigation Guides Line break refactor * undo updated_date bump on deprecated rules * Remove duplicated key * Remove changes to deprecated rules * Update command_and_control_certutil_network_connection.toml	2023-01-09 13:28:10 -03:00
Terrance DeJesus	b1a689b6fd	Revert "[Security Content] Investigation Guides Line breaks refactor (#2412 )" (#2453 ) This reverts commit `d1481e1a88`.	2023-01-09 10:44:54 -05:00
Jonhnathan	d1481e1a88	[Security Content] Investigation Guides Line breaks refactor (#2412 ) * [Security Content] Investigation Guides Line break refactor * undo updated_date bump on deprecated rules * Remove duplicated key	2023-01-09 11:56:39 -03:00
Terrance DeJesus	4312d8c958	[FR] Add Endpoint, APM and Windows Integration Tags to Rules and Supportability (#2429 ) * initial commit * addressing flake errors * added apm to _get_packagted_integrations logic * addressed flake errors * adjusted integration schema and updated rules to be a list * updated several rules and removed a unit test * updated rules with logs-* only index patterns * Update tests/test_all_rules.py Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * addressed flake errors * integration is none is windows, endpoint or apm * adding rules with accepted incoming changes from main * fixed tag and tactic alignment errors from unit testing * adjusted unit testing logic for integration tags; added more exclusion rules * adjusted test_integration logic to be rule resistent and skip if -8.3 * adjusted comments for unit test skip * fixed merge conflicts from main * changing test_integration_tag to remove logic for rule version comparisons * added integration tag to new rule * adjusted rules updated_date value * ignore guided onboarding rule in unit tests * added integration tag to new rule Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>	2023-01-04 09:30:07 -05:00
Jonhnathan	ac01718bb6	[Rule Tuning] Add tags to flag Sysmon-only rules & Modify Investigation Guide-related tag (#2352 ) * [Rule Tuning] Add tags to flag Sysmon-only rules * Modify tags * Revert "Modify tags" This reverts commit 3d9267d171a41f727bb499501d71d5c4db4f0434. * Modify tags * Update test_all_rules.py * Update test_all_rules.py * Update test_all_rules.py * Update test_all_rules.py * Update test_all_rules.py	2022-11-18 12:32:27 -03:00
Jonhnathan	183b1ffdd3	[Rule Tuning] Add endgame support for Windows Rules (#2285 ) * [Rule Tuning] Add endgame support for Windows Rules * Update collection_email_powershell_exchange_mailbox.toml * Supported Rules - First Half * bum updated_date * Add tag * Revert compat * missing tags	2022-10-19 08:27:44 -07:00
Jonhnathan	f02ffbbe13	[Security Content] Add Investigation Guides - 8.5 (#2305 ) * [Security Content] Add Investigation Guides - 8.5 * Update persistence_run_key_and_startup_broad.toml * Apply suggestions from security-docs review review * Update execution_suspicious_jar_child_process.toml * Apply suggestions from review	2022-09-23 18:44:24 -03:00
Jonhnathan	ec04a39413	[Security Content] Tag rules with robust Investigation Guides (#2297 )	2022-09-23 14:20:32 -03:00
Justin Ibarra	46d5e37b76	min_stack all rules to 8.3 (#2259 ) * min_stack all rules to 8.3 * bump date Co-authored-by: Mika Ayenson <mika.ayenson@elastic.co>	2022-08-24 10:38:49 -06:00
Samirbous	b89d6185b2	[Rule Tuning] Reduce FPs (#2223 ) 9 rules tuned to exclude common noisy FP patterns. Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>	2022-08-15 09:15:48 -05:00
Jonhnathan	fc7a384d19	[Security Content] 8.4 - Add Investigation Guides - Windows - 2 (#2144 ) * [Security Content] 8.4 - Add Investigation Guides - Windows - 2 * update date * Apply suggestions from review * Apply suggestions from code review Co-authored-by: Joe Peeples <joe.peeples@elastic.co> Co-authored-by: Joe Peeples <joe.peeples@elastic.co> Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>	2022-08-08 21:34:05 -03:00
Mika Ayenson	a52751494e	2058 add setup field to metadata (#2061 ) * Convert config header to setup in note field * Parse note field into separate setup and note field with marko gfm * only validate and parse note on elastic authored rules and add CLI description for new DR_BYPASS_NOTE_VALIDATION_AND_PARSE environment variable Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>	2022-07-18 15:41:32 -04:00
Justin Ibarra	6bdfddac8e	Expand timestamp override tests (#1907 ) * Expand timestamp_override tests * removed timestamp_override from eql sequence rules * add config entry for eql rules with beats index and t_o * add timestamp_override to missing fields	2022-04-01 15:27:08 -08:00
Justin Ibarra	3fc34b86f2	Update License to Elastic v2 (#944 )	2021-03-03 22:12:11 -09:00
Justin Ibarra	645a0cd67b	[Rule Tuning] Add timestamp_override to all query and non-sequence EQL rules (#945 ) * [Rule Tuning] Add timestamp_override field to rules * add tests for lookback and timestamp_override * fix dates and add test to ensure updated > creation	2021-02-17 19:49:58 -09:00
Brent Murphy	02ee8195ab	[New Rule] Creation or Modification of Root Certificate (#927 ) * Create defense_evasion_create_mod_root_certificate.toml * update description * Update defense_evasion_create_mod_root_certificate.toml * spacing * Update rules/windows/defense_evasion_create_mod_root_certificate.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * removing process names that could lead to fn Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2021-02-08 10:01:59 -05:00

32 Commits