Commit Graph

20 Commits

Author SHA1 Message Date
Jonhnathan 8b74ba7136 [Rule Tuning] Remove host.os.type Unit Test Exception (#5317) 2025-11-14 08:46:24 -08:00
shashank-elastic 7175b3ab06 Add investigation guides for detection rules (#4886) 2025-07-08 00:25:42 +05:30
Jonhnathan 9af2bf4a66 [Rule Tuning] Unusual Scheduled Task Update (#4714) 2025-05-19 21:51:14 +05:30
shashank-elastic e8c54169a4 Prep main for 9.1 (#4555)
* Prep for Release 9.1

* Update Patch Version

* Update Patch version

* Update Patch version
2025-03-26 11:04:14 -04:00
Jonhnathan c0f12ddecf [Rule Tuning] Tighten Up Windows EventLog Indexes, Improve tags (#4464)
* [Rule Tuning] Tighten Up Windows EventLog Indexes, Improve tags

* Format & order

* Update pyproject.toml

* Update credential_access_cookies_chromium_browsers_debugging.toml
2025-02-19 12:54:31 -03:00
Mika Ayenson fe8c81d762 [FR] Generate investigation guides (#4358) 2025-01-22 11:17:38 -06:00
Jonhnathan 2c07e88c07 [Rule Tuning] Fix double bumps caused by Windows Integration Update (#4156) 2024-10-15 23:57:44 +05:30
Jonhnathan f5069763b6 [Rule Tuning] Add System tag to DRs (#3968)
* [Rule Tuning] Add System tag to DRs

* bump
2024-08-09 11:14:33 -03:00
shashank-elastic 63e91c2f12 Back-porting Version Trimming (#3704) 2024-05-23 00:45:10 +05:30
Mika Ayenson 2c3dbfc039 Revert "Back-porting Version Trimming (#3681)"
This reverts commit 71d2c59b5c.
2024-05-22 13:51:46 -05:00
shashank-elastic 71d2c59b5c Back-porting Version Trimming (#3681) 2024-05-23 00:11:50 +05:30
Samirbous 7aa8a7b5fb [Rules Tuning] diverse tuning (#2506)
* Update credential_access_saved_creds_vault_winlog.toml

* Update lateral_movement_powershell_remoting_target.toml

* Update credential_access_saved_creds_vault_winlog.toml

* Update lateral_movement_remote_services.toml

* Update lateral_movement_incoming_winrm_shell_execution.toml

* Update lateral_movement_rdp_enabled_registry.toml

* Update persistence_scheduled_task_updated.toml

* Update persistence_scheduled_task_updated.toml

* Update privilege_escalation_persistence_phantom_dll.toml

* Update privilege_escalation_persistence_phantom_dll.toml

* Update rules/windows/persistence_scheduled_task_updated.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2023-06-30 18:57:00 +01:00
Jonhnathan b4c84e8a40 [Security Content] Tags Reform (#2725)
* Update Tags

* Bump updated date separately to be easy to revert if needed

* Update resource_development_ml_linux_anomalous_compiler_activity.toml

* Apply changes from the discussion

* Update persistence_init_d_file_creation.toml

* Update defense_evasion_timestomp_sysmon.toml

* Update defense_evasion_application_removed_from_blocklist_in_google_workspace.toml

* Update missing Tactic tags

* Update unit tests to match new tags

* Add missing IG tags

* Delete okta_threat_detected_by_okta_threatinsight.toml

* Update command_and_control_google_drive_malicious_file_download.toml

* Update persistence_rc_script_creation.toml

* Mass bump

* Update persistence_shell_activity_by_web_server.toml

* .

---------

Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
2023-06-22 18:38:56 -03:00
Jonhnathan d017156454 [Rule Tuning] Make Rules Compatible with Windows Forwarded Logs (#2761)
* [Proposal] [Rule Tuning] Make Intended rules compatible with Windows Forwarded Logs

* Update tests/test_all_rules.py

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* Update test_all_rules.py

* Update test_all_rules.py

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
2023-05-15 20:31:59 -03:00
Justin Ibarra 59da2da474 [Rule Tuning] Ensure host information is in endpoint rule queries (#2593)
* add unit tests to ensure host type and platform are included
* add host.os.name 'linux' to all linux rules
* add host.os.name macos to mac rules
* add host.os.name to windows rules; fix linux dates
* update from host.os.name to host.os.type

Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2023-03-05 11:41:19 -07:00
Mika Ayenson 1784429aa7 [FR] Add Integration Schema Query Validation (#2470) 2023-02-02 16:22:44 -05:00
Terrance DeJesus 4312d8c958 [FR] Add Endpoint, APM and Windows Integration Tags to Rules and Supportability (#2429)
* initial commit

* addressing flake errors

* added apm to _get_packagted_integrations logic

* addressed flake errors

* adjusted integration schema and updated rules to be a list

* updated several rules and removed a unit test

* updated rules with logs-* only index patterns

* Update tests/test_all_rules.py

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* addressed flake errors

* integration is none is windows, endpoint or apm

* adding rules with accepted incoming changes from main

* fixed tag and tactic alignment errors from unit testing

* adjusted unit testing logic for integration tags; added more exclusion rules

* adjusted test_integration logic to be rule resistant and skip if -8.3

* adjusted comments for unit test skip

* fixed merge conflicts from main

* changing test_integration_tag to remove logic for rule version comparisons

* added integration tag to new rule

* adjusted rules updated_date value

* ignore guided onboarding rule in unit tests

* added integration tag to new rule

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
2023-01-04 09:30:07 -05:00
Jonhnathan 9c1bd50a63 [Rule Tuning] Adjust Index Pattern on Windows rules to support WEF (#2438)
* [Rule Tuning] Adjust Index Pattern on Windows rules to support WEF

* s/host.id/winlog.computer_name
2022-12-21 11:30:04 -03:00
Samirbous 85e8c0abad [Rule Tuning] Update User.ID or Registry.Path to include Azure Users SID (#2378)
Azure AD SIDs start with S-1-12-1-* and we have 8 rules that use user.id or registry.path to limit activity to AD/local users, which start with S-1-5-21-*.

![image](https://user-images.githubusercontent.com/64742097/198011301-638e95a6-2a3f-452b-a9d3-b45d4a01dfb4.png)

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2022-11-01 17:45:39 +00:00
Samirbous 4609a5e8fe [New Rule] Scheduled Task Creation using winlog (#2277)
* [New Rule] Scheduled Task Creation using winlog

https://github.com/elastic/detection-rules/issues/2164 (T1053.005 - Scheduled Task)

- A scheduled task was created
- A scheduled task was updated
- Temp scheduled task (creation followed by deletion, rare and can be a sign of proxy execution via the schedule service)

* Update defense_evasion_persistence_temp_scheduled_task.toml

* Update defense_evasion_persistence_temp_scheduled_task.toml

* Update defense_evasion_persistence_temp_scheduled_task.toml

* toml-lint

* remote task

* Update non-ecs-schema.json

* waaaaaaaaaaaaaa

* Update persistence_scheduled_task_updated.toml

* Update persistence_scheduled_task_creation_winlog.toml

* Update defense_evasion_persistence_temp_scheduled_task.toml

* Update lateral_movement_remote_task_creation_winlog.toml

* event.ingested

* Update lateral_movement_remote_task_creation_winlog.toml

* Update defense_evasion_persistence_temp_scheduled_task.toml

* Update defense_evasion_persistence_temp_scheduled_task.toml

* Update defense_evasion_persistence_temp_scheduled_task.toml

* Update defense_evasion_persistence_temp_scheduled_task.toml

* Update rules/windows/lateral_movement_remote_task_creation_winlog.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2022-09-19 18:50:45 +02:00