security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
3,314 Commits 1 Branch 0 Tags
1ce072a4e58238d94deae33ff8de25458ac129d5
Commit Graph

10 Commits

Author SHA1 Message Date
Terrance DeJesus dad008ea34 [Rule Tuning] Lookback Times for Okta Multiple Session and AWS KMS Retrieval Rules (#4324) 
* rule tuning Okta and AWS lookback times

* adjusted Query Registry using Built-in Tools

* adjusted My First Rule

* Update rules/cross-platform/guided_onboarding_sample_rule.toml

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* Update rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

---------

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2024-12-19 13:03:50 -05:00
shashank-elastic 63e91c2f12 Back-porting Version Trimming (#3704) 2024-05-23 00:45:10 +05:30
Mika Ayenson 2c3dbfc039 Revert "Back-porting Version Trimming (#3681)" 
This reverts commit 71d2c59b5c.
 2024-05-22 13:51:46 -05:00
shashank-elastic 71d2c59b5c Back-porting Version Trimming (#3681) 2024-05-23 00:11:50 +05:30
Jonhnathan 1bc59bdc04 [Rule Tuning] Windows BBR Rule Tuning - 2 (#3580) 
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2024-04-08 09:34:26 -03:00
Jonhnathan b47b91b9ec [Rule Tuning] Tighten up Indexes of Elastic Defend Windows Rules (#3549) 
* [Rule Tuning] Tighten up Indexes of Elastic Defend Windows Rules

* Delete test.pkl

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2024-04-01 20:45:12 -03:00
Justin Ibarra a6c5cfc418 [Rule Tuning] Optimize query for Query Registry using Built-in Tools (#3330) 
* [Rule Tuning] Optimize query for Query Registry using Built-in Tools

* reduce history window to 7d

* use args vs command_line wildcards

---------

Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
 2023-12-14 19:55:36 -07:00
Ruben Groenewoud 4cdf52129a [Tuning] Windows Discovery Rule Tuning for UEBA (#3097) 
* [Tuning] Win DR Tuning for UEBA

* Need to get used to Windows formatting

* Added additional content

* Updated min stack

* Added additional tuning

* Fixed unit testing for KQL optimization

* Update rules_building_block/discovery_internet_capabilities.toml

* Additional tuning

* Kuery optimization

* Additional tuning

* Additional tuning

* Additional tuning

* Additional tuning

* Unit testing optimization fix

* optimization

* tuning

* Optimization

* Update rules/windows/discovery_privileged_localgroup_membership.toml

* Added feedback

* Update rules/windows/discovery_privileged_localgroup_membership.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules/windows/discovery_remote_system_discovery_commands_windows.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules/windows/discovery_system_service_discovery.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* added host.id as additional new_terms field

* Reworked a lot.

* kibana.alert.rule.rule_id to non-ecs-schema.json

* Fixed index by adding a dot

* fixed typo

* Added host.os.type:windows for signals

* Added additional tag

* Added Higher-Order Rule tag

* Stripped down signal rules down to two

* revert

* Update rules/windows/discovery_admin_recon.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules_building_block/discovery_generic_registry_query.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules_building_block/discovery_system_time_discovery.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/windows/discovery_privileged_localgroup_membership.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update discovery_generic_registry_query.toml

* Readded exclusions

* Added trailing wildcards for KQL

* Update discovery_privileged_localgroup_membership.toml

* Update rules_building_block/discovery_signal_unusual_user_host.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Formatting fix

---------

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-10-11 09:43:26 +02:00
Jonhnathan 4233fef238 [Security Content] Include "Data Source: Elastic Defend" tag (#3002) 
* win folder

* Other folders

* Update test_all_rules.py

* .

* updated missing elastic defend tags

---------

Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
 2023-09-05 14:22:01 -04:00
Jonhnathan 6966a6df09 [New Rule] Building Block Rules - Part 3 (#2924) 
* [New Rule] Building Block Rules - Part 3

* Update defense_evasion_generic_deletion.toml

* Update defense_evasion_generic_deletion.toml

* Update defense_evasion_generic_deletion.toml

* Apply suggestions from code review

* Update rules_building_block/discovery_generic_account_groups.toml

* Apply suggestions from code review

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2023-07-31 10:28:25 -03:00