sigma-rules

Author	SHA1	Message	Date
Jonhnathan	ba354ceff9	[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 16 (#5038 )	2025-09-01 08:25:52 -07:00
Jonhnathan	00c6e785cb	[Rule Tuning] Windows - Small Adjusts for Compatibility (#5032 )	2025-08-28 10:20:13 -07:00
Jonhnathan	532b68cc93	[Rule Tuning] PowerShell Script Block Logging Disabled (#4980 )	2025-08-14 17:29:45 -03:00
shashank-elastic	e8c54169a4	Prep main for 9.1 (#4555 ) * Prep for Release 9.1 * Update Patch Version * Update Patch version * Update Patch version	2025-03-26 11:04:14 -04:00
Jonhnathan	2c07e88c07	[Rule Tuning] Fix double bumps caused by Windows Integration Update (#4156 )	2024-10-15 23:57:44 +05:30
Jonhnathan	f021229da4	[Rule Tuning] 3rd Party EDR Compatibility - 4 (#4021 ) * [Rule Tuning] 3rd Party EDR Compatibility - 4 * Update defense_evasion_delete_volume_usn_journal_with_fsutil.toml * bump updated_date to 8.16 release date * min_stack for merge, bump updated_date	2024-10-11 13:33:32 -03:00
shashank-elastic	63e91c2f12	Back-porting Version Trimming (#3704 )	2024-05-23 00:45:10 +05:30
Mika Ayenson	2c3dbfc039	Revert "Back-porting Version Trimming (#3681 )" This reverts commit `71d2c59b5c`.	2024-05-22 13:51:46 -05:00
shashank-elastic	71d2c59b5c	Back-porting Version Trimming (#3681 )	2024-05-23 00:11:50 +05:30
Jonhnathan	b47b91b9ec	[Rule Tuning] Tighten up Indexes of Elastic Defend Windows Rules (#3549 ) * [Rule Tuning] Tighten up Indexes of Elastic Defend Windows Rules * Delete test.pkl --------- Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>	2024-04-01 20:45:12 -03:00
Jonhnathan	f5254f3b5e	[Rule Tuning] Improve Compatibility in WIndows Detection Rules - Part 1 (#3501 ) * Initial commit * Date bump	2024-03-13 10:27:44 -03:00
Jonhnathan	f584fb6e31	[Security Content] Adjust Mitre Att&ck Mappings - Windows Rules (#3165 ) * [Security Content] Adjust Mitre Att&ck Mappings - Windows Rules * Fix dates * Fix unit test errors * updated tags and fixed branch conflicts updated tags and fixed branch conflicts * description nit * Reverting unintended changes * Update initial_access_suspicious_ms_office_child_process.toml --------- Co-authored-by: imays11 <59296946+imays11@users.noreply.github.com>	2023-10-15 18:12:20 -03:00
Jonhnathan	4233fef238	[Security Content] Include "Data Source: Elastic Defend" tag (#3002 ) * win folder * Other folders * Update test_all_rules.py * . * updated missing elastic defend tags --------- Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>	2023-09-05 14:22:01 -04:00
Jonhnathan	b4c84e8a40	[Security Content] Tags Reform (#2725 ) * Update Tags * Bump updated date separately to be easy to revert if needed * Update resource_development_ml_linux_anomalous_compiler_activity.toml * Apply changes from the discussion * Update persistence_init_d_file_creation.toml * Update defense_evasion_timestomp_sysmon.toml * Update defense_evasion_application_removed_from_blocklist_in_google_workspace.toml * Update missing Tactic tags * Update unit tests to match new tags * Add missing IG tags * Delete okta_threat_detected_by_okta_threatinsight.toml * Update command_and_control_google_drive_malicious_file_download.toml * Update persistence_rc_script_creation.toml * Mass bump * Update persistence_shell_activity_by_web_server.toml * . --------- Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co> Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>	2023-06-22 18:38:56 -03:00
Justin Ibarra	59da2da474	[Rule Tuning] Ensure host information is in endpoint rule queries (#2593 ) * add unit tests to ensure host type and platform are included * add host.os.name 'linux' to all linux rules * add host.os.name macos to mac rules * add host.os.name to windows rules; fix linux dates * update from host.os.name to host.os.type Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com> Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>	2023-03-05 11:41:19 -07:00
Jonhnathan	c3d8bac402	[Security Content] Add Investigation Guides to Windows rules (#2521 ) * [Security Content] Add Investigation Guides to Windows rules * . * Add IG tag * Apply suggestions from review * Address reviews * address note * Update defense_evasion_amsi_bypass_dllhijack.toml * Update defense_evasion_amsi_bypass_powershell.toml	2023-02-22 18:13:13 -03:00
Jonhnathan	9981cca275	[Security Content] Investigation Guides Line breaks refactor (#2454 ) * [Security Content] Investigation Guides Line breaks refactor (#2412) * [Security Content] Investigation Guides Line break refactor * undo updated_date bump on deprecated rules * Remove duplicated key * Remove changes to deprecated rules * Update command_and_control_certutil_network_connection.toml	2023-01-09 13:28:10 -03:00
Terrance DeJesus	b1a689b6fd	Revert "[Security Content] Investigation Guides Line breaks refactor (#2412 )" (#2453 ) This reverts commit `d1481e1a88`.	2023-01-09 10:44:54 -05:00
Jonhnathan	d1481e1a88	[Security Content] Investigation Guides Line breaks refactor (#2412 ) * [Security Content] Investigation Guides Line break refactor * undo updated_date bump on deprecated rules * Remove duplicated key	2023-01-09 11:56:39 -03:00
Terrance DeJesus	4312d8c958	[FR] Add Endpoint, APM and Windows Integration Tags to Rules and Supportability (#2429 ) * initial commit * addressing flake errors * added apm to _get_packagted_integrations logic * addressed flake errors * adjusted integration schema and updated rules to be a list * updated several rules and removed a unit test * updated rules with logs-* only index patterns * Update tests/test_all_rules.py Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * addressed flake errors * integration is none is windows, endpoint or apm * adding rules with accepted incoming changes from main * fixed tag and tactic alignment errors from unit testing * adjusted unit testing logic for integration tags; added more exclusion rules * adjusted test_integration logic to be rule resistent and skip if -8.3 * adjusted comments for unit test skip * fixed merge conflicts from main * changing test_integration_tag to remove logic for rule version comparisons * added integration tag to new rule * adjusted rules updated_date value * ignore guided onboarding rule in unit tests * added integration tag to new rule Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>	2023-01-04 09:30:07 -05:00
Jonhnathan	ac01718bb6	[Rule Tuning] Add tags to flag Sysmon-only rules & Modify Investigation Guide-related tag (#2352 ) * [Rule Tuning] Add tags to flag Sysmon-only rules * Modify tags * Revert "Modify tags" This reverts commit 3d9267d171a41f727bb499501d71d5c4db4f0434. * Modify tags * Update test_all_rules.py * Update test_all_rules.py * Update test_all_rules.py * Update test_all_rules.py * Update test_all_rules.py	2022-11-18 12:32:27 -03:00
Jonhnathan	183b1ffdd3	[Rule Tuning] Add endgame support for Windows Rules (#2285 ) * [Rule Tuning] Add endgame support for Windows Rules * Update collection_email_powershell_exchange_mailbox.toml * Supported Rules - First Half * bum updated_date * Add tag * Revert compat * missing tags	2022-10-19 08:27:44 -07:00
Jonhnathan	ec04a39413	[Security Content] Tag rules with robust Investigation Guides (#2297 )	2022-09-23 14:20:32 -03:00
Justin Ibarra	46d5e37b76	min_stack all rules to 8.3 (#2259 ) * min_stack all rules to 8.3 * bump date Co-authored-by: Mika Ayenson <mika.ayenson@elastic.co>	2022-08-24 10:38:49 -06:00
Mika Ayenson	a52751494e	2058 add setup field to metadata (#2061 ) * Convert config header to setup in note field * Parse note field into separate setup and note field with marko gfm * only validate and parse note on elastic authored rules and add CLI description for new DR_BYPASS_NOTE_VALIDATION_AND_PARSE environment variable Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>	2022-07-18 15:41:32 -04:00
Jonhnathan	817b97f428	[Security Content] Refactor Existing Investigation Guides (#1959 ) * Initial commit * Update Investigation guides - security-docs review * Update command_and_control_dns_tunneling_nslookup.toml * Update defense_evasion_amsienable_key_mod.toml * Apply security-docs review * Remove dot * Update rules/windows/command_and_control_rdp_tunnel_plink.toml Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com> * Apply changes from review * Apply the suggestion Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>	2022-05-18 12:59:39 -03:00
Jonhnathan	3a5fceac3b	[Security Content] Add Investigation Guides - 3 (#1836 ) * [Security Content] Add Investigation Guides - 3 * Adjust Investigation Guides and Config * Adjust Config Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> Co-authored-by: benironside <91905639+benironside@users.noreply.github.com>	2022-04-12 15:58:50 -08:00
Justin Ibarra	6bdfddac8e	Expand timestamp override tests (#1907 ) * Expand timestamp_override tests * removed timestamp_override from eql sequence rules * add config entry for eql rules with beats index and t_o * add timestamp_override to missing fields	2022-04-01 15:27:08 -08:00
Jonhnathan	7dac52f1cf	[New Rule] PowerShell Script Block Logging Disabled (#1749 ) * PowerShell Script Block Logging Disabled * Update rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update defense_evasion_disable_posh_scriptblocklogging.toml * Apply suggestions from code review Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2022-02-04 15:44:27 -03:00

29 Commits