security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
3,314 Commits 1 Branch 0 Tags
1ce072a4e58238d94deae33ff8de25458ac129d5
Commit Graph

37 Commits

Author SHA1 Message Date
Jonhnathan b5d77951b5 [Rule Tuning] Remote Execution via File Shares (#5066) 
* [Rule Tuning] Remote Execution via File Shares

* Apply suggestions from code review

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/windows/lateral_movement_execution_via_file_shares_sequence.toml

* Update rules/windows/lateral_movement_execution_via_file_shares_sequence.toml

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2025-09-11 16:40:59 -07:00
Jonhnathan 3e0ba33749 [Rule Tuning] Remote Execution via File Shares (#4448) 2025-02-05 14:51:47 -03:00
shashank-elastic 818467f132 Replace master doc URLs with current (#4439) 2025-02-03 21:27:50 +05:30
Jonhnathan aca416a779 [Rule Tuning] Windows misc Rule Tuning (#4298) 2025-01-02 07:44:01 -03:00
Mika Ayenson b80d8342d6 [Docs | Rule Tuning] Add blog references to rules (#4097) 
* [Docs | Rule Tuning] Add blog references to rules

* Apply suggestions from code review

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Apply suggestions from code review

* Update google_workspace blog references

* add okta blog references

* Update dates

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2024-09-25 15:19:20 -05:00
Jonhnathan 127a56aede [Rule Tuning] Remote Execution via File Shares (#4067) 
* [Rule Tuning] Remote Execution via File Shares

* Update lateral_movement_execution_via_file_shares_sequence.toml
 2024-09-11 10:49:41 -03:00
Jonhnathan 207dc55ede [Rule Tuning] Windows File-based Rules Tuning (#3963) 
* [Rule Tuning] Windows File-based Rules Tuning

* Update credential_access_lsass_memdump_file_created.toml

* .
 2024-08-09 12:26:58 -03:00
shashank-elastic 63e91c2f12 Back-porting Version Trimming (#3704) 2024-05-23 00:45:10 +05:30
Mika Ayenson 2c3dbfc039 Revert "Back-porting Version Trimming (#3681)" 
This reverts commit 71d2c59b5c.
 2024-05-22 13:51:46 -05:00
shashank-elastic 71d2c59b5c Back-porting Version Trimming (#3681) 2024-05-23 00:11:50 +05:30
Jonhnathan 5004ff115c [Rule Tuning] Further Tight up Elastic Defend Index Patterns (#3584) 
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2024-04-16 13:26:42 -03:00
Jonhnathan f6ba12a700 [Rule Tuning] Windows DR Tuning - 12 (#3364) 2024-01-17 13:19:12 -03:00
Jonhnathan f53f46efd5 [Rule Tuning] Fix Menasec Expired Links (#3271) 2023-11-14 10:18:34 -03:00
Samirbous 24b0aa5c63 [Tuning] Adjusted Rules for Anti-Evasion (#3163) 
* Update lateral_movement_executable_tool_transfer_smb.toml

* Update lateral_movement_incoming_wmi.toml

* Update lateral_movement_execution_via_file_shares_sequence.toml

* Update lateral_movement_executable_tool_transfer_smb.toml

* Update lateral_movement_execution_via_file_shares_sequence.toml

* Update lateral_movement_executable_tool_transfer_smb.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-10-16 17:56:09 +01:00
Jonhnathan 4233fef238 [Security Content] Include "Data Source: Elastic Defend" tag (#3002) 
* win folder

* Other folders

* Update test_all_rules.py

* .

* updated missing elastic defend tags

---------

Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
 2023-09-05 14:22:01 -04:00
Jonhnathan b4c84e8a40 [Security Content] Tags Reform (#2725) 
* Update Tags

* Bump updated date separately to be easy to revert if needed

* Update resource_development_ml_linux_anomalous_compiler_activity.toml

* Apply changes from the discussion

* Update persistence_init_d_file_creation.toml

* Update defense_evasion_timestomp_sysmon.toml

* Update defense_evasion_application_removed_from_blocklist_in_google_workspace.toml

* Update missing Tactic tags

* Update unit tests to match new tags

* Add missing IG tags

* Delete okta_threat_detected_by_okta_threatinsight.toml

* Update command_and_control_google_drive_malicious_file_download.toml

* Update persistence_rc_script_creation.toml

* Mass bump

* Update persistence_shell_activity_by_web_server.toml

* .

---------

Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2023-06-22 18:38:56 -03:00
Justin Ibarra 411ec36ff0 Validate markdown plugin fields (#2602) 2023-03-28 09:17:50 -04:00
Jonhnathan 0273d118a6 [Rule Tuning] Add endgame support for Windows Rules (#2428) 
* Update impact_deleting_backup_catalogs_with_wbadmin.toml

* Update impact_deleting_backup_catalogs_with_wbadmin.toml

* 1/2

* bump updated_date

* 2/3

* Finale

* Update persistence_evasion_registry_ifeo_injection.toml

* .

* Multiple fixes

* Missing index

* Missing AND
 2023-03-06 12:47:11 -03:00
Justin Ibarra 59da2da474 [Rule Tuning] Ensure host information is in endpoint rule queries (#2593) 
* add unit tests to ensure host type and platform are included
* add host.os.name 'linux' to all linux rules
* add host.os.name macos to mac rules
* add host.os.name to windows rules; fix linux dates
* update from host.os.name to host.os.type

Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-03-05 11:41:19 -07:00
Jonhnathan 1a4510c9d4 [Security Content] Add Investigation Guides to Windows Rules - 2 (#2534) 
* [Security Content] Add Investigation Guides to Windows Rules - 2

* tags

* Adjust some phrasing based on the review

* Update credential_access_bruteforce_admin_account.toml

* Missing Osquery Note

* Missing note
 2023-03-01 21:23:09 -03:00
Jonhnathan f17b6f1702 [Security Content] Fix verbiage used on Osquery Note (#2513) 
* [Security Content] Fix verbiage used on Osquery Note

* Adjust verbiage

* date bump

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2023-02-22 12:33:23 -03:00
Jonhnathan 7725e32126 [Security Content] Fix Osquery Markdown Plugin Escaped queries (#2447) 
* [Security Content] Fix Osquery Markdown Plugin Escaped queries

* Re-add line

* Update credential_access_credential_dumping_msbuild.toml

* Update command_and_control_common_webservices.toml
 2023-01-09 14:45:31 -03:00
Jonhnathan 9981cca275 [Security Content] Investigation Guides Line breaks refactor (#2454) 
* [Security Content] Investigation Guides Line breaks refactor (#2412)

* [Security Content] Investigation Guides Line break refactor

* undo updated_date bump on deprecated rules

* Remove duplicated key

* Remove changes to deprecated rules

* Update command_and_control_certutil_network_connection.toml
 2023-01-09 13:28:10 -03:00
Terrance DeJesus b1a689b6fd Revert "[Security Content] Investigation Guides Line breaks refactor (#2412)" (#2453) 
This reverts commit d1481e1a88.
 2023-01-09 10:44:54 -05:00
Jonhnathan d1481e1a88 [Security Content] Investigation Guides Line breaks refactor (#2412) 
* [Security Content] Investigation Guides Line break refactor

* undo updated_date bump on deprecated rules

* Remove duplicated key
 2023-01-09 11:56:39 -03:00
Terrance DeJesus 4312d8c958 [FR] Add Endpoint, APM and Windows Integration Tags to Rules and Supportability (#2429) 
* initial commit

* addressing flake errors

* added apm to _get_packagted_integrations logic

* addressed flake errors

* adjusted integration schema and updated rules to be a list

* updated several rules and removed a unit test

* updated rules with logs-* only index patterns

* Update tests/test_all_rules.py

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* addressed flake errors

* integration is none is windows, endpoint or apm

* adding rules with accepted incoming changes from main

* fixed tag and tactic alignment errors from unit testing

* adjusted unit testing logic for integration tags; added more exclusion rules

* adjusted test_integration logic to be rule resistent and skip if -8.3

* adjusted comments for unit test skip

* fixed merge conflicts from main

* changing test_integration_tag to remove logic for rule version comparisons

* added integration tag to new rule

* adjusted rules updated_date value

* ignore guided onboarding rule in unit tests

* added integration tag to new rule

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2023-01-04 09:30:07 -05:00
Jonhnathan ac01718bb6 [Rule Tuning] Add tags to flag Sysmon-only rules & Modify Investigation Guide-related tag (#2352) 
* [Rule Tuning] Add tags to flag Sysmon-only rules

* Modify tags

* Revert "Modify tags"

This reverts commit 3d9267d171a41f727bb499501d71d5c4db4f0434.

* Modify tags

* Update test_all_rules.py

* Update test_all_rules.py

* Update test_all_rules.py

* Update test_all_rules.py

* Update test_all_rules.py
 2022-11-18 12:32:27 -03:00
Jonhnathan 6055d0db60 [Security Content] Introduce Osquery Markdown Plugin Queries in Investigation Guides (#2387) 
* [Security Content] Introduce Osquery Markdown Plugin Queries in Investigation Guides

* Remove min_stack and add Note

* Fix Typo and preffix

* Update command_and_control_certutil_network_connection.toml

* Add unit test to check Note about Osquery Markdown plugin and Version limitations

* Update test_all_rules.py

* Update test_all_rules.py

* Change Note Verbiage
 2022-11-17 18:38:34 -03:00
Jonhnathan 9861958833 [Security Content] Add missing "has_guide" tag (#2349) 
* Add missing "has_guide" tag

* bump updated_date
 2022-10-11 06:30:19 -07:00
Jonhnathan f5c992b6de [Security Content] Add Investigation Guides - 2 - 8.5 (#2314) 
* [Security Content] Add Investigation Guides - 2 - 8.5

* Update rules/windows/lateral_movement_execution_via_file_shares_sequence.toml

* Merge branch 'main' into investigation_guides_8.5_2

* Revert "Merge branch 'main' into investigation_guides_8.5_2"

This reverts commit fb3c3f0245301d49229534d8776478c32f6c190e.

* Apply suggested changes from review

* Update discovery_security_software_grep.toml

* Apply suggestions from review

* Apply suggestions from review
 2022-09-26 12:59:39 -03:00
Jonhnathan d52c0d2257 [Rule Tuning] Remove "process_started" from Windows Rules (#2238) 
* [Rule Tuning] Remove "process_started" from Windows Rules

* Additional, pending ones

* Update defense_evasion_code_injection_conhost.toml

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2022-09-19 13:06:30 -05:00
Justin Ibarra 46d5e37b76 min_stack all rules to 8.3 (#2259) 
* min_stack all rules to 8.3

* bump date

Co-authored-by: Mika Ayenson <mika.ayenson@elastic.co>
 2022-08-24 10:38:49 -06:00
Justin Ibarra 3fc34b86f2 Update License to Elastic v2 (#944) 2021-03-03 22:12:11 -09:00
Justin Ibarra 645a0cd67b [Rule Tuning] Add timestamp_override to all query and non-sequence EQL rules (#945) 
* [Rule Tuning] Add timestamp_override field to rules
* add tests for lookback and timestamp_override
* fix dates and add test to ensure updated > creation
 2021-02-17 19:49:58 -09:00
Justin Ibarra a0e86e20d6 [Rule Tuning] Add windows integration index to rules (#923) 2021-01-28 20:53:57 -09:00
Justin Ibarra c1a0438f45 [Rule Tuning] Update ATT&CK threat mappings to reflect changes (#706) 
* replaced/removed all revoked/deprecated techniques
* tests will fail on revoked (changed) techniques
* tests will fail on deprecated techniques
* tests will fail when techniques are mapped to an invalid tactic
 2020-12-18 12:46:16 -09:00
Samirbous 3deff0eeb8 [New Rule] Remote Execution via File Shares (#455) 
* [New Rule] Remote Execution via File Shares

* removed timeline_id

* fixed tags

* added extension to reduce response time

* Update rules/windows/lateral_movement_execution_via_file_shares_sequence.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* ecs_version

* Update rules/windows/lateral_movement_execution_via_file_shares_sequence.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-02 21:20:13 +01:00