security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
3,314 Commits 1 Branch 0 Tags
1ce072a4e58238d94deae33ff8de25458ac129d5
Commit Graph

2412 Commits

Author SHA1 Message Date
Brent Murphy 0fc78b3c3b [New Rule] Azure Key Vault Modified (#230) 
* [New Rule] Azure Update to Key Vault

* Update rules/azure/credential_access_key_vault_update.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update credential_access_key_vault_modified.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-09-04 11:30:01 -04:00
Brent Murphy 70cc7fd112 [Rule Tuning] AWS Root Login Without MFA (#229) 
* Update privilege_escalation_root_login_without_mfa.toml

* Update privilege_escalation_root_login_without_mfa.toml

* update index

* Update privilege_escalation_root_login_without_mfa.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2020-09-04 10:57:51 -04:00
Brent Murphy e49b69af10 [New Rule] Azure Blob Container Access Level Modification (#192) 
* Create discovery_blob_container_access_mod.toml

* Update rules/azure/discovery_blob_container_access_mod.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* lint

* Update rules/azure/discovery_blob_container_access_mod.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2020-09-04 10:48:21 -04:00
David French 6d3955bd8a [New Rule] High Number of Okta User Password Reset or Unlock Attempts (#187) 
* new-rule-high-number-of-okta-password-reset-or-unlock-attempts

* Update rules/okta/credential_access_suspicious_okta_user_password_reset_or_unlock_attempts.toml

Update ecs_version

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/okta/credential_access_suspicious_okta_user_password_reset_or_unlock_attempts.toml

Update schedule

* Update FP information and format query for readability

* Update .gitignore

* Update rules/okta/credential_access_suspicious_okta_user_password_reset_or_unlock_attempts.toml

* Tweak formatting of query

* Update rules/okta/credential_access_suspicious_okta_user_password_reset_or_unlock_attempts.toml

Update description

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-09-04 08:38:06 -06:00
David French 230b59dfc9 rule-tuning-user-added-as-owner-for-azure-service-principal (#258) 2020-09-04 08:36:20 -06:00
Brent Murphy bcd698add2 [New Rule] Azure Event Hub Deletion (#170) 
* Create defense_evasion_event_hub_deletion.toml

* Update rules/azure/defense_evasion_event_hub_deletion.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/azure/defense_evasion_event_hub_deletion.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* lint

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2020-09-04 10:23:43 -04:00
Brent Murphy a49d102de3 [New Rule] Azure Event Hub Authorization Rule Created or Updated (#173) 
* Create collection_update_event_hub_auth_rule.toml

* Update rules/azure/collection_update_event_hub_auth_rule.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/azure/collection_update_event_hub_auth_rule.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-09-04 09:32:30 -04:00
Brent Murphy 0ac7f3d672 [New Rule] Azure Firewall Policy Deletion (#169) 
* Create defense_evasion_firewall_policy_deletion.toml

* Update rules/azure/defense_evasion_firewall_policy_deletion.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2020-09-04 09:28:58 -04:00
Brent Murphy 9025a7d183 [New Rule] Azure Diagnostic Settings Deletion (#157) 
* Create azure_diagnostic_settings_deletion.toml

* Update azure_diagnostic_settings_deletion.toml
 2020-09-04 09:20:13 -04:00
Brent Murphy b4a15960cb [New Rule] Azure Command Execution on Virtual Machine (#155) 
* Create execution_command_virtual_machine.toml

* Update execution_command_virtual_machine.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2020-09-03 17:09:40 -04:00
Brent Murphy 6b04105936 [New Rule] Azure Resource Group Deletion (#158) 
* Create impact_resource_group_deletion.toml

* Update rules/azure/impact_resource_group_deletion.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2020-09-03 17:06:43 -04:00
David French 1f555c289f [New Rule] Azure Privileged Identity Management Role Modified (#238) 
* new-rule-azure-pim-role-modified

* Add ATT&CK metadata to rule

* Update rules/azure/defense_evasion_azure_privileged_identity_management_role_modified.toml
 2020-09-03 15:02:14 -06:00
David French 89db7384a0 [New Rule] Azure Automation Runbook Deleted (#235) 
* new-rule-azure-automation-runbook-deleted

* Update rules/azure/impact_azure_automation_runbook_deleted.toml

Fix typo in rule description

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/azure/impact_azure_automation_runbook_deleted.toml

Remove superfluous parens from query

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-09-03 13:09:40 -06:00
David French 225aba61c9 [New Rule] Multi-Factor Authentication Disabled for an Azure User (#195) 
* new-rule-mfa-disabled-for-an-azure-user

* Update rules/azure/defense_evasion_mfa_disabled_for_azure_user.toml

Update ECS version

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/azure/defense_evasion_mfa_disabled_for_azure_user.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-09-03 12:42:27 -06:00
David French 43204391b6 [New Rule] User Added as Owner for Azure Service Principal (#194) 
* new-rule-user-added-as-owner-for-azure-service-principal

* Update rules/azure/defense_evasion_user_added_as_owner_for_azure_application.toml

Add parens to query

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/azure/defense_evasion_user_added_as_owner_for_azure_application.toml

Update ECS version

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
 2020-09-03 12:21:44 -06:00
David French 43f657ac4e [New Rule] User Added as Owner for Azure Application (#191) 
* new-rule-user-added-as-owner-for-azure-application

* Update rule name and description

* Update rules/azure/defense_evasion_user_added_as_owner_for_azure_application.toml

Update query to remove superfluous quotes

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/azure/defense_evasion_user_added_as_owner_for_azure_application.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Add ATT&CK metadata to rule

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
 2020-09-03 12:15:33 -06:00
David French 75474387a8 [New Rule] Attempts to Brute Force an Okta User Account (#186) 
* new-rule-attempts-to-brute-force-an-okta-user-account

* Update rules/okta/credential_access_attempts_to_brute_force_okta_user_account.toml

* Update rules/okta/credential_access_attempts_to_brute_force_okta_user_account.toml

Update ecs_version

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
 2020-09-03 11:23:56 -06:00
David French 4c431d2408 [New Rule] Azure Automation Webhook Created (#179) 
* new-rule-azure-automation-webhook-created

* Update rules/azure/persistence_azure_automation_webhook_created.toml

Update description

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/azure/persistence_azure_automation_webhook_created.toml

Update ecs_version

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
 2020-09-03 11:20:50 -06:00
David French 98f216404a [New Rule] Azure Automation Runbook Created or Modified (#178) 
* new-rule-azure-automation-runbook-created-or-modified

* Update rules/azure/persistence_azure_automation_runbook_created_or_modified.toml

Update ecs_version

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-09-03 11:16:42 -06:00
David French 85e799b378 [New Rule] Azure Automation Account Created (#177) 
* new-rule-azure-automation-account-created

* Fix rule name format 😄

* Update rules/azure/persistence_azure_automation_account_created.toml

Update maturity to production

* Update rules/azure/persistence_azure_automation_account_created.toml

Update ecs_version to 1.6.0

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
 2020-09-03 11:08:38 -06:00
brokensound77 aec3ec31b9 Merge branch '7.9' into main 2020-08-27 15:54:44 -08:00
Justin Ibarra 79a0dfefbe Add ECS 1.6.0 schema for validation testing (#220) 
* Add ecs 1.6.0 and refresh master ecs (2.0.0)
* update rule metadata to use ecs_version 1.6.0
 2020-08-27 11:54:49 -05:00
Justin Ibarra be08536880 Increase lookback for endpoint rules (#200) 2020-08-21 12:23:43 -05:00
Ross Wolf cb1c401e27 Merge branch '7.9' into main 2020-08-03 15:20:36 -06:00
Brent Murphy 01b1e8be26 [Rule Tuning] Update Tags for Cloud Rules (#99) 
* [Rule Tuning] Update Tags for Cloud Rules

* commenting out specifying alphabetical tag order in rule formatter

* Update rule_formatter.py

* py lint

* Lint fix comments

* update modified dates

* Update credential_access_secretsmanager_getsecretvalue.toml

* adding Continuous Monitoring tag

* update tags

* fixed and in tags

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
 2020-08-03 17:15:15 -04:00
Ross Wolf a99b7c96fe Merge branch '7.9' into main 2020-08-03 14:03:15 -06:00
Brent Murphy 7efe33e01d [Rule Tuning] Update Index Pattern for Detection Engine Rules (#101) 
* [Rule Tuning] Update Index Pattern for Detection Engine Rules

* update indices
 2020-08-03 15:46:57 -04:00
Yara Tercero 3c4a383947 Add list_id to exceptions_list and remove endgame:* from external alerts (#98) 2020-07-28 07:30:48 -06:00
Ross Wolf 978a8d9df8 [Bug] Set threshold.field to empty string instead of null (#87) 2020-07-22 19:31:09 -04:00
Ross Wolf 4ba23ad6cd Merge branch '7.9' into main 2020-07-22 14:39:18 -06:00
Garrett Spong 4b17cb37f0 Update External Alerts rule index to match default securitySolution:defaultIndex value (#86) 
## Summary
Updates the External Alerts rule index to match default securitySolution:defaultIndex value


``` toml
index = ["apm-*-transaction*", "auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "packetbeat-*", "winlogbeat-*"]
```

Note: extra spaces are from running `toml-lint`

## Contributor checklist

- Have you signed the [contributor license agreement](https://www.elastic.co/contributor-agreement)? Yes!
- Have you followed the [contributor guidelines](https://github.com/elastic/detection-rules/blob/main/CONTRIBUTING.md)? Yes!
 2020-07-22 14:37:19 -06:00
Brent Murphy b5213e66b2 [Rule Tuning} Correct Promotion Rule Descriptions (#85) 2020-07-22 12:36:18 -04:00
Brent Murphy b4d8985105 [Rule Tuning] Update terms in promotion rules (#72) 
* [Rule Tuning] Update terms in promotion rules

* Update Endpoint terms and lint
 2020-07-21 14:28:30 -04:00
Brent Murphy e08ff6c55d [Rule Tuning] Update Cloud rules with note field (#79) 
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
 2020-07-21 12:27:42 -04:00
David French aaef4b99f4 [New Rule] Okta Brute Force or Password Spraying Attack (#66) 
* Create credential_access_okta_brute_force_or_password_spraying.toml

* Update maturity to production

* Update severity and risk score

* Aggregate by source.ip field

To ensure that investigate in timeline displays expected events

* Update false positive information

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Tweak false positive info

* Update rules/okta/credential_access_okta_brute_force_or_password_spraying.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/okta/credential_access_okta_brute_force_or_password_spraying.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
 2020-07-20 12:44:59 -06:00
David French 4784342723 [New Rule] AWS IAM Brute Force of Assume Role Policy (#67) 
* Create credential_access_aws_iam_assume_role_brute_force.toml

* Update maturity to production

* Update formatting for query

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rule name

* Update rules/aws/credential_access_aws_iam_assume_role_brute_force.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rule description

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update note field in rule

... to inform users that AWS Filebeat module must be enabled to use this rule.

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* lint rule

* Update rules/aws/credential_access_aws_iam_assume_role_brute_force.toml

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
 2020-07-20 12:43:26 -06:00
Justin Ibarra 1bf60551ff Update lateral_movement_dns_server_overflow.toml 2020-07-17 15:52:04 -05:00
Justin Ibarra 1cfb8f92bb Windows DNS server vulnerability (CVE-2020-1350) rules (#69) 2020-07-17 14:32:52 -05:00
Garrett Spong 13ceed5410 Add Global Endpoint Exception List to Elastic Endpoint rule (#60) 2020-07-14 21:26:29 -06:00
Devon Kerr f75b126ec4 Update terminology in ML job rules 2020-07-14 21:22:34 -06:00
Craig Chamberlain f24666bf12 [New Rule] Add Cloudtrail ML Rules 
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
Co-authored-by: Devon Kerr <19266650+devonakerr@users.noreply.github.com>
 2020-07-14 15:16:58 -06:00
Ben Skelker 680a04da8f Fix terminology and doc links (#54) 2020-07-13 12:47:42 -06:00
Garrett Spong c28795c25e [New Rule] Elastic Endpoint and External Alerts (#42) 
* Adds the Elastic Endpoint and External Alerts rules and required schema updates
* Optimizing queries to fix tests
* Apply PEP257 changes
* Apply suggestions from code review
* Update rules/cross-platform/external_alerts.toml
* Last fixes from review
* Fixing test for unrequired default
* Adding increased default max_signals to not interfere with testing
* Make promotions folder
* Refining Elastic Endpoint rule index

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-07-09 15:24:36 -06:00
Andrew Pease e0f2e8b4a9 Add dataset and index to network rules (#15) 
* Add dataset and index to network rules
* Restore iptables changes
* Fix beats parsing logic
* Updated date and ECS version
* Only update modules if empty

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
 2020-07-08 13:19:35 -06:00
Samirbous 676be30199 [New rule] AWS Secrets Manager and System Manager 
Co-authored-by: Seth Goodwin <58222969+seth-goodwin@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Co-authored-by: Craig Chamberlain <randomuserid@users.noreply.github.com>
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
 2020-07-08 12:48:04 -06:00
Seth Goodwin c577426510 Update Lookback Interval for AWS Rules 2020-07-08 08:50:01 -06:00
Ross Wolf 316be47e27 Rename AWS to aws 2020-07-08 08:43:30 -06:00
Craig Chamberlain 94974c3895 Detect DeleteRule events with AWS WAF Deletion 
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: Seth Goodwin <58222969+seth-goodwin@users.noreply.github.com>
 2020-07-07 15:44:11 -06:00
Craig Chamberlain ee82874c24 [New Rule] AWS Config Service Tampering 
Co-authored-by: Derek Ditch <dcode@users.noreply.github.com>
Co-authored-by: Seth Goodwin <58222969+seth-goodwin@users.noreply.github.com>
 2020-07-07 15:43:22 -06:00
Justin Ibarra 95908c22a4 Improve ECS compatibility for endpoint rules 2020-07-07 15:41:23 -06:00