sigma-rules

Author	SHA1	Message	Date
Jonhnathan	567b82cb2f	[Rule Tuning] Windows High Severity - 2 (#5093 ) * [Rule Tuning] Windows High Severity - 2 * [Rule Tuning] Windows High Severity - 3 * Revert "[Rule Tuning] Windows High Severity - 3" This reverts commit 32c8348072ab1629e2a164a3579d866b2682f234.	2025-09-15 07:53:31 -07:00
shashank-elastic	93ac471574	Monthly Schema Updates (#5046 )	2025-09-01 20:42:42 +05:30
Jonhnathan	0fbf57c1d9	[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 3 (#5018 ) * [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 3 * Apply suggestions from code review Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/windows/defense_evasion_file_creation_mult_extension.toml * Update rules/windows/defense_evasion_file_creation_mult_extension.toml --------- Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>	2025-08-28 10:55:21 -07:00
shashank-elastic	e8c54169a4	Prep main for 9.1 (#4555 ) * Prep for Release 9.1 * Update Patch Version * Update Patch version * Update Patch version	2025-03-26 11:04:14 -04:00
Mika Ayenson	fe8c81d762	[FR] Generate investigation guides (#4358 )	2025-01-22 11:17:38 -06:00
Jonhnathan	2c07e88c07	[Rule Tuning] Fix double bumps caused by Windows Integration Update (#4156 )	2024-10-15 23:57:44 +05:30
Jonhnathan	f91a6fa8d6	[Rule Tuning] 3rd Party EDR Compatibility - 5 (#4022 ) * [Rule Tuning] 3rd Party EDR Compatibility - 5 * bump updated_date to 8.16 release date * min_stack for merge, bump updated_date	2024-10-11 14:21:17 -03:00
shashank-elastic	63e91c2f12	Back-porting Version Trimming (#3704 )	2024-05-23 00:45:10 +05:30
Mika Ayenson	2c3dbfc039	Revert "Back-porting Version Trimming (#3681 )" This reverts commit `71d2c59b5c`.	2024-05-22 13:51:46 -05:00
shashank-elastic	71d2c59b5c	Back-porting Version Trimming (#3681 )	2024-05-23 00:11:50 +05:30
Jonhnathan	b47b91b9ec	[Rule Tuning] Tighten up Indexes of Elastic Defend Windows Rules (#3549 ) * [Rule Tuning] Tighten up Indexes of Elastic Defend Windows Rules * Delete test.pkl --------- Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>	2024-04-01 20:45:12 -03:00
Jonhnathan	f5254f3b5e	[Rule Tuning] Improve Compatibility in WIndows Detection Rules - Part 1 (#3501 ) * Initial commit * Date bump	2024-03-13 10:27:44 -03:00
Jonhnathan	458e67918a	[Security Content] Small tweaks on the setup guides (#3308 ) * [Security Content] Small tweaks on the setup guides * Additional Fixes * Avoid touching deprecated rules	2024-03-11 09:09:40 -03:00
shashank-elastic	a568c56bc1	Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157 )	2023-10-30 16:53:04 +05:30
Ruben Groenewoud	c2822e175c	[Tuning] Windows Execution Rule Tuning for UEBA (#3107 ) * Update defense_evasion_execution_msbuild_started_by_script.toml * Mostly updated Execution tags, also new_terms conv * removed index * Removed index * WMIPrvSE tuning * Additional tuning * Tuning & changes * Additional tuning * Applied unit test optimization * Addressed feedback * Update rules/windows/execution_command_shell_started_by_svchost.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * caseless unit testing fix * fixed caseless executable unit test * unit testing fix * Update rules/windows/execution_suspicious_powershell_imgload.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update execution_ms_office_written_file.toml * Update rules/windows/defense_evasion_execution_msbuild_started_by_script.toml * Update rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml * Added user ids to new terms * Update rules/windows/execution_suspicious_powershell_imgload.toml Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> * Update rules_building_block/execution_unsigned_service_executable.toml Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> * Update execution_unsigned_service_executable.toml --------- Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>	2023-10-11 10:15:29 +02:00
Jonhnathan	4233fef238	[Security Content] Include "Data Source: Elastic Defend" tag (#3002 ) * win folder * Other folders * Update test_all_rules.py * . * updated missing elastic defend tags --------- Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>	2023-09-05 14:22:01 -04:00
Jonhnathan	b4c84e8a40	[Security Content] Tags Reform (#2725 ) * Update Tags * Bump updated date separately to be easy to revert if needed * Update resource_development_ml_linux_anomalous_compiler_activity.toml * Apply changes from the discussion * Update persistence_init_d_file_creation.toml * Update defense_evasion_timestomp_sysmon.toml * Update defense_evasion_application_removed_from_blocklist_in_google_workspace.toml * Update missing Tactic tags * Update unit tests to match new tags * Add missing IG tags * Delete okta_threat_detected_by_okta_threatinsight.toml * Update command_and_control_google_drive_malicious_file_download.toml * Update persistence_rc_script_creation.toml * Mass bump * Update persistence_shell_activity_by_web_server.toml * . --------- Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co> Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>	2023-06-22 18:38:56 -03:00
Justin Ibarra	59da2da474	[Rule Tuning] Ensure host information is in endpoint rule queries (#2593 ) * add unit tests to ensure host type and platform are included * add host.os.name 'linux' to all linux rules * add host.os.name macos to mac rules * add host.os.name to windows rules; fix linux dates * update from host.os.name to host.os.type Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com> Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>	2023-03-05 11:41:19 -07:00
Jonhnathan	8e02c60ef6	[Rule Tuning] Enclose Rule Conditions within Parenthesis (#2486 )	2023-01-31 16:56:19 -03:00
Terrance DeJesus	4312d8c958	[FR] Add Endpoint, APM and Windows Integration Tags to Rules and Supportability (#2429 ) * initial commit * addressing flake errors * added apm to _get_packagted_integrations logic * addressed flake errors * adjusted integration schema and updated rules to be a list * updated several rules and removed a unit test * updated rules with logs-* only index patterns * Update tests/test_all_rules.py Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * addressed flake errors * integration is none is windows, endpoint or apm * adding rules with accepted incoming changes from main * fixed tag and tactic alignment errors from unit testing * adjusted unit testing logic for integration tags; added more exclusion rules * adjusted test_integration logic to be rule resistent and skip if -8.3 * adjusted comments for unit test skip * fixed merge conflicts from main * changing test_integration_tag to remove logic for rule version comparisons * added integration tag to new rule * adjusted rules updated_date value * ignore guided onboarding rule in unit tests * added integration tag to new rule Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>	2023-01-04 09:30:07 -05:00
Jonhnathan	183b1ffdd3	[Rule Tuning] Add endgame support for Windows Rules (#2285 ) * [Rule Tuning] Add endgame support for Windows Rules * Update collection_email_powershell_exchange_mailbox.toml * Supported Rules - First Half * bum updated_date * Add tag * Revert compat * missing tags	2022-10-19 08:27:44 -07:00
Justin Ibarra	46d5e37b76	min_stack all rules to 8.3 (#2259 ) * min_stack all rules to 8.3 * bump date Co-authored-by: Mika Ayenson <mika.ayenson@elastic.co>	2022-08-24 10:38:49 -06:00
Mika Ayenson	a52751494e	2058 add setup field to metadata (#2061 ) * Convert config header to setup in note field * Parse note field into separate setup and note field with marko gfm * only validate and parse note on elastic authored rules and add CLI description for new DR_BYPASS_NOTE_VALIDATION_AND_PARSE environment variable Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>	2022-07-18 15:41:32 -04:00
Justin Ibarra	6bdfddac8e	Expand timestamp override tests (#1907 ) * Expand timestamp_override tests * removed timestamp_override from eql sequence rules * add config entry for eql rules with beats index and t_o * add timestamp_override to missing fields	2022-04-01 15:27:08 -08:00
LaZyDK	43f0d77033	Update defense_evasion_execution_windefend_unusual_path.toml (#1492 ) * Update defense_evasion_execution_windefend_unusual_path.toml Add Microsoft Security Client to exclusions. * Update defense_evasion_execution_windefend_unusual_path.toml Update updated_date * Updated author Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>	2021-10-05 16:38:01 -03:00
Samirbous	9fadc4c1dc	[New Rule] Complementary Rules for Recent REvil TTPs (#1329 ) * [New Rule] Complementary Rules for Recent REvil TTPs * added OFN * relinted and added T1574.002 * removed new line * Update defense_evasion_disabling_windows_defender_powershell.toml * corrected rule name * added a reference url * Update rules/windows/defense_evasion_disabling_windows_defender_powershell.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> * Update rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> * Update rules/windows/defense_evasion_execution_windefend_unusual_path.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> * Update rules/windows/defense_evasion_execution_windefend_unusual_path.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>	2021-07-07 17:02:40 +02:00

26 Commits