Commit Graph

3314 Commits

Author SHA1 Message Date
Jonhnathan b8aedcd7aa [Rule Tuning] Update PowerShell ES|QL Rules KEEP Condition (#5391)
* [Rule Tuning] Update PowerShell ES|QL Rules KEEP Condition

* Update defense_evasion_posh_obfuscation_proportion_special_chars.toml

* ++, powershell.file.*

* ++

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2025-12-05 13:17:02 +01:00
Samirbous f427735610 [Tuning] Suspicious React Child Process (#5414)
* Update initial_access_execution_susp_react_serv_child.toml

* Update initial_access_execution_susp_react_serv_child.toml

* Enhance EQL query for process execution detection

* Update initial_access_execution_susp_react_serv_child.toml

* Update initial_access_execution_susp_react_serv_child.toml

* Update rules/cross-platform/initial_access_execution_susp_react_serv_child.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2025-12-05 11:26:48 +00:00
Ruben Groenewoud 612928b34c [Rule Tuning] Potential Persistence via File Modification (#5404) 2025-12-05 10:32:58 +01:00
Ruben Groenewoud e1166652c4 [New Rule] Web Server Potential Remote File Inclusion Activity (#5394)
* [New Rule] Web Server Potential Remote File Inclusion Activity

* Add min_stack_version and comments to TOML file

Added minimum stack version and comments for clarity.

* Update rules/cross-platform/discovery_web_server_remote_file_inclusion_activity.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Add data_stream.namespace to event stats

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
2025-12-05 09:57:56 +01:00
Ruben Groenewoud 4920e9a60f [New Rule] Web Server Local File Inclusion Activity (#5393)
* [New Rule] Web Server Local File Inclusion Activity

* Update discovery_web_server_local_file_inclusion_activity.toml

* Update discovery_web_server_local_file_inclusion_activity.toml

* Update discovery_web_server_local_file_inclusion_activity.toml

* Update rules/cross-platform/discovery_web_server_local_file_inclusion_activity.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Add data_stream.namespace to event statistics

---------

Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
2025-12-05 09:47:29 +01:00
Samirbous 36baf8c898 [New] Suspicious React Server Child Process (#5407)
* [New] Suspicious React Server Child Process

https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182

* Update initial_access_execution_susp_react_serv_child.toml
2025-12-04 21:32:20 +00:00
Samirbous 166da45561 [New] Multiple Cloud Secrets Accessed by Source Address (#5388)
* [New] Multiple Cloud Secrets Accessed by Source Address

This rule detects authenticated sessions accessing secret stores across multiple cloud providers from the same source
address within a short period of time. Adversaries with access to compromised credentials or session tokens may attempt
to retrieve secrets from services such as AWS Secrets Manager, Google Secret Manager, or Azure Key Vault in rapid
succession to expand their access or exfiltrate sensitive information.

* Update credential_access_multi_could_secrets_via_api.toml

* Update credential_access_multi_could_secrets_via_api.toml

* Update credential_access_multi_could_secrets_via_api.toml

* Update credential_access_multi_could_secrets_via_api.toml

* Update credential_access_multi_could_secrets_via_api.toml

* Update rules/cross-platform/credential_access_multi_could_secrets_via_api.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/cross-platform/credential_access_multi_could_secrets_via_api.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/cross-platform/credential_access_multi_could_secrets_via_api.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update credential_access_multi_could_secrets_via_api.toml

* Update credential_access_multi_could_secrets_via_api.toml

* Update credential_access_multi_could_secrets_via_api.toml

* Update credential_access_multi_could_secrets_via_api.toml

* Update credential_access_multi_could_secrets_via_api.toml

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2025-12-04 18:04:25 +00:00
Ruben Groenewoud efef99befd [New Rule] Potential HTTP Downgrade Attack (#5372)
* [New Rule] Potential HTTP Downgrade Attack

* Update defense_evasion_potential_http_downgrade_attack.toml
2025-12-04 16:23:38 +01:00
Ruben Groenewoud f42b5143a6 [New Rule] Initial Access via File Upload Followed by GET Request (#5371)
* [New Rule] Initial Access via File Upload Followed by GET Request

* Slightly increase timespan

* ++

* Update rules/cross-platform/initial_access_file_upload_followed_by_get_request.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2025-12-04 16:10:13 +01:00
Terrance DeJesus 7a884ebe2b [Rule Tuning] Node.js Pre or Post-Install Script Execution to Cross-Platform (#5403)
* [Rule Tuning] Node.js Pre or Post-Install Script Execution to Cross-Platform
Fixes #5402

* removed rule from Linux directory

* adjusted mitre for unit tests

* Update rules/cross-platform/execution_nodejs_pre_or_post_install_script_execution.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* expanding to S1

* adding integration metadata

* Add 'start' action to Node.js install script detection

* Update rules/cross-platform/execution_nodejs_pre_or_post_install_script_execution.toml

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2025-12-04 09:07:12 -05:00
Samirbous f32db7b3ad [New] Suspicious Microsoft Entra ID Concurrent Sign-Ins via DeviceCode (#5396)
* [New] Suspicious Microsoft Entra ID Concurrent Sign-Ins via DeviceCode

* Update credential_access_azure_entra_susp_device_code_signin.toml

* Update rules/integrations/azure/credential_access_azure_entra_susp_device_code_signin.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/azure/credential_access_azure_entra_susp_device_code_signin.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/azure/credential_access_azure_entra_susp_device_code_signin.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/azure/credential_access_azure_entra_susp_device_code_signin.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/azure/credential_access_azure_entra_susp_device_code_signin.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update credential_access_azure_entra_susp_device_code_signin.toml

* Update rules/integrations/azure/credential_access_azure_entra_susp_device_code_signin.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update credential_access_azure_entra_susp_device_code_signin.toml

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2025-12-03 14:33:05 -05:00
Terrance DeJesus 61c9344677 [Rule Tuning] M365 OneDrive Excessive File Downloads with OAuth Token (#5365)
* [Rule Tuning] M365 OneDrive Excessive File Downloads with OAuth Token
Fixes #5361

* adding keep operation

* updating non-ecs
2025-12-03 14:13:35 -05:00
Isai 9b26cd21b7 [Deprecation] AWS Redshift Cluster Creation (#5367)
`CreateCluster` is a common Redshift lifecycle operation that occurs frequently in normal workflows. Creating a new Redshift cluster offers no real advantage to an attacker and outside of cost, does not produce material impact for a target environment. This behavior aligns more with cloud infrastructure monitoring or posture management, which is important but not the focus of our detection ruleset.

Real world Redshift abuse centers on misuse of existing resources, such as snapshot sharing or copying or exposing the cluster through permissive VPC security group changes. These threat paths should be covered by other rules. Deprecating this creation-focused rule reduces noise and keeps the AWS ruleset aligned with real threat surfaces rather than infrastructure management.
2025-12-03 13:02:19 -05:00
Eric Forte a8dbf2cf16 [FR] Expand CUSTOM_RULES_DIR to support user relative paths (#5390)
* Add user relative path support
2025-12-03 12:19:29 -05:00
Eric Forte 634de61d6d [FR] ES|QL remote validation support newline split indices (#5356)
* Updated regex pattern for multiline

* Add line split unit test
2025-12-03 11:50:51 -05:00
Isai 0e67a02594 [Rule Tuning] AWS IAM Brute Force of Assume Role Policy (#5282)
* [Rule Tuning] AWS IAM Brute Force of Assume Role Policy

The description and primary tactic for this rule are misleading. The rule captures an IAM principal enumeration technique used by tools like PACU; it does not capture AssumeRole brute-force attempts. I've changed the primary tactic to Discover, changed the rule name and updated the rule description and Investigation Guide to more clearly reflect what behavior is being captured.

The query itself and the threshold values remain the same. I changed the execution window to the standard 5 min + 1 min lookback and was still able to capture the behavior.

* Apply suggestions from code review

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* adding rule.threshold values

adding ["cloud.account.id", "user.name", "source.ip"] as group by fields

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2025-12-03 11:31:06 -05:00
Ruben Groenewoud 4fc6aa9a35 [New Rule] Unusual Web Server Command Execution (#5392)
* [New Rule] Unusual Web Server Command Execution

* ++

* Add node and java to unusual command execution rule
2025-12-03 16:29:08 +01:00
Ruben Groenewoud f098336ff9 [New Rule] Pod or Container Creation with Suspicious Command-Line (#5379)
* [New Rule] Pod or Container Creation with Suspicious Command-Line

* Added container domain tag

* Update execution_suspicious_pod_or_container_creation_command_execution.toml

* Refine EQL query for suspicious pod/container creation

* Update rules/linux/execution_suspicious_pod_or_container_creation_command_execution.toml

* Update execution_suspicious_pod_or_container_creation_command_execution.toml

* Update process name conditions for suspicious execution
2025-12-03 16:14:33 +01:00
Ruben Groenewoud d3745c21a7 [Rule Tuning] Python Startup Hook Rules (#5400) 2025-12-03 15:13:26 +01:00
Isai f8f4c0476b [Rule Tuning] AWS EFS File System Deleted (#5369)
`DeleteFileSystem` permanently removes an Amazon EFS file system and all stored data. This operation has no recovery path and represents a clear Impact-level destructive action when performed unintentionally or by an unauthorized actor. It is rare in most environments and typically limited to infrastructure teardown or automated provisioning workflows.

Currently this rule also matches `DeleteMountTarget` events. This action appears frequently in normal EFS lifecycle workflows and is not, by itself, a strong indicator of malicious intent. Since only `DeleteFileSystem` represents irreversible destructive impact, the rule has been narrowed to focus exclusively on the meaningful threat behavior.

- removed `DeleteMountTarget` scope from query
- rule name change and toml file name change to match new scope
- reduced execution window
- updated tags
- updated description, FP and IG
- added highlighted fields
2025-12-02 18:45:02 -05:00
Isai 3ff5f6ba72 [Rule Tunings] AWS RDS Rules (#5366)
* [Rule Tunings] AWS RDS Rules

#### AWS RDS DB Instance Made Public
- updated description and investigation guide
- added highlighted fields

#### AWS RDS DB Instance or Cluster Deletion Protection Disabled
- updated description and investigation guide
- added highlighted fields

#### AWS RDS Snapshot Deleted
- excluded `backup.amazonaws.com` as this is expected behavior. This exclusion reduces noise in telemetry by ~77%
- updated description and investigation guide
- added highlighted fields

#### AWS Deletion of RDS Instance or Cluster > AWS RDS DB Instance or Cluster Deleted
- reduced execution window
- slight name change to align with other rules
- updated description and investigation guide
- added highlighted fields

#### AWS RDS DB Instance Restored
- `event.type` used for `event_category_override` because event.category is not mapped for these API calls
- updated description and investigation guide
- added highlighted fields

#### AWS RDS DB Instance or Cluster Password Modified
- `event.type` used for `event_category_override` because event.category is not mapped for these API calls
- updated description and investigation guide
- added highlighted fields

#### AWS RDS Snapshot Export
- reduced execution window
- updated mitre mapping
- updated description and investigation guide
- added highlighted fields

* rule type change from eql to kql

changing rule type to kql since there are no eql-specific functions needed for the query
2025-12-02 17:35:36 -05:00
Jonhnathan bc6f9b55f4 [Rule Tuning] Potential PowerShell Obfuscated Script (#5389)
* [Rule Tuning] Potential PowerShell Obfuscated Script

* Update defense_evasion_posh_obfuscation.toml
2025-12-02 08:30:54 -08:00
Samirbous 02979fec68 [New/Tuning] NPM Shai-Hulud coverage (#5368)
* [New/Tuning] NPM Shai-Hulud coverage

https://socket.dev/blog/shai-hulud-strikes-again-v2

* Update command_and_control_curl_wget_spawn_via_nodejs_parent.toml

* Update command_and_control_curl_wget_spawn_via_nodejs_parent.toml

* Update command_and_control_curl_wget_spawn_via_nodejs_parent.toml

* Update credential_access_trufflehog_execution.toml

* Update credential_access_trufflehog_execution.toml

* Update credential_access_trufflehog_execution.toml

* Update rules/cross-platform/command_and_control_curl_wget_spawn_via_nodejs_parent.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules/cross-platform/command_and_control_curl_wget_spawn_via_nodejs_parent.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules/cross-platform/command_and_control_curl_wget_spawn_via_nodejs_parent.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules/cross-platform/execution_register_github_actions_runner.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules/cross-platform/execution_via_github_actions_runner.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Create initial_access_github_register_self_hosted_runner.toml

* Update initial_access_github_register_self_hosted_runner.toml

* Update initial_access_github_register_self_hosted_runner.toml

* Update initial_access_github_register_self_hosted_runner.toml

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2025-12-02 10:57:12 +00:00
Ruben Groenewoud f14a527055 [New Rule] Web Server Potential SQL Injection Request (#5342)
* [New Rule] Web Server Potential SQL Injection Request

* ++

* Update persistence_web_server_potential_sql_injection.toml

* Convert to BBR

* Update persistence_web_server_potential_sql_injection.toml

* Update persistence_web_server_potential_sql_injection.toml

* adding missing tags

* Add right tag

* Add network_traffic manifest and schema

* Refine SQL injection rule and log sources

Removed network traffic log sources and adjusted query conditions for SQL injection detection.

* Get latest schemas/mappings

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
Co-authored-by: Shashank K S <Shashank.Suryanarayana@elastic.co>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2025-12-02 10:46:48 +01:00
Ruben Groenewoud 046d52c902 [New Rule] Tampering with RUNNER_TRACKING_ID in GitHub Actions Runners (#5370)
* [New Rule] Execution via GitHub Runner with Audit Disabled via Environment Variables

* [New Rule] Tampering with RUNNER_TRACKING_ID in GitHub Actions Runners

* ++

* ++

* Update execution_via_github_runner_with_runner_tracking_id_tampering_via_env_vars.toml

* Remove 'Use Case: Vulnerability' entry

Removed 'Use Case: Vulnerability' from the list.

* Add timestamp override to GitHub runner execution rules

* Update rules/cross-platform/execution_via_github_runner_with_runner_tracking_id_tampering_via_env_vars.toml

* Enhance guide for RUNNER_TRACKING_ID tampering

Added detailed investigation guide for tampering with RUNNER_TRACKING_ID in GitHub Actions runners, including triage steps, false positive analysis, and remediation actions.
2025-12-02 10:22:24 +01:00
Ruben Groenewoud 4a042d1a22 [Rule Tuning] File Deletion via Shred (#5381)
* [Rule Tuning] File Deletion via Shred

* ++

* Update integrations and query for file deletion rule
2025-12-02 10:13:29 +01:00
Ruben Groenewoud a6569a824f [Rule Tuning] At Job Created or Modified (#5378) 2025-12-02 09:55:41 +01:00
Ruben Groenewoud e8ecba7d00 [New Rule] Potential Secret Scanning via Gitleaks (#5377)
* [New Rule] Potential Secret Scanning via Gitleaks

* Enhance investigation guide for Gitleaks credential access

Updated the note section with detailed investigation steps, false positive analysis, and response/remediation guidelines for Gitleaks usage.

* Update rules/cross-platform/credential_access_gitleaks_execution.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2025-12-02 09:42:19 +01:00
Ruben Groenewoud 2abd3de795 [New Rule] Privileged Container Creation with Host Directory Mount (#5373)
* [New Rule] Privileged Container Creation with Host Directory Mount

* ++

* ++

* Update execution_privileged_container_creation_with_host_reference.toml

* Update risk score and severity in TOML file

* Update execution_privileged_container_creation_with_host_reference.toml

* Update rules/cross-platform/execution_privileged_container_creation_with_host_reference.toml

* Add reference link for container escape techniques
2025-12-02 09:33:16 +01:00
Ruben Groenewoud e19ce18a40 [Rule Tunings] Misc. Web Server Rules (#5384) 2025-12-02 09:21:16 +01:00
Gus Carlock 7595709a25 add mitre attack rules for ML job rules, bump dates (#5333)
Co-authored-by: Susan <23287722+susan-shu-c@users.noreply.github.com>
2025-12-01 15:48:59 -06:00
Jonhnathan 6915e3956f [Rule Tuning] Persistence via a Windows Installer (#5386) 2025-12-01 07:54:23 -08:00
Jonhnathan aaf3c93377 [Rule Tuning] Potential System Tampering via File Modification (#5385) 2025-12-01 07:45:03 -08:00
Jonhnathan 85a9c7180d [Rule Tuning] Windows Misc Tuning (#5382)
* [Rule Tuning] Windows Misc Tuning

* Update execution_suspicious_powershell_imgload.toml

* I need some coffee
2025-12-01 07:28:25 -08:00
Samirbous bcd1b5049a Update multiple_alerts_elastic_defend_netsecurity_by_host.toml (#5375) 2025-12-01 07:18:19 -08:00
Samirbous 5e1ac4f450 [Tuning] Powershell Atomics test gaps for T1059.001 (#5380)
https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md
2025-12-01 15:06:48 +00:00
Jonhnathan 20d86c8b47 [Rule Tuning] Host File System Changes via Windows Subsystem for Linux (#5383) 2025-12-01 05:06:38 -08:00
Samirbous c3d09165c4 [Tuning] Suspicious Kerberos Authentication Ticket Request (#5364)
* Update lateral_movement_credential_access_kerberos_correlation.toml

* Update lateral_movement_credential_access_kerberos_correlation.toml
2025-11-26 18:45:30 +00:00
Gus Carlock 03ce151b82 Add rules for Azure Activity Logs/GCP Audit ML jobs (#5191)
* rules for Azure/GCP jobs

* Add GCP Audit Logs tag

* add `min_stack_version`

* add `min_stack_comments`

* Add mitre tactics

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Co-authored-by: susan <shuhsuan.chang@elastic.co>
Co-authored-by: Susan <23287722+susan-shu-c@users.noreply.github.com>
2025-11-26 13:15:23 -05:00
Ruben Groenewoud d10dc0809f [Rule Tuning] Credential Access via TruffleHog Execution (#5362) 2025-11-25 12:18:42 +01:00
github-actions[bot] 18d249aae6 Lock versions for releases: 8.19,9.0,9.1,9.2 (#5360) 2025-11-25 02:26:54 +05:30
Terrance DeJesus d510d32730 [New Rule] Webshell Deployed via Apache Struts CVE-2023-50164 Exploitation (#5345)
* [New Rule] Webshell Deployed via Apache Struts CVE-2023-50164 Exploitation
Fixes #5344

* Update rules/linux/initial_access_apache_struts_cve_2023_50164_exploitation_to_webshell.toml

* added investigation guide

* removed vulnerability tag

* Update rules/linux/initial_access_apache_struts_cve_2023_50164_exploitation_to_webshell.toml

* Update rules/linux/initial_access_apache_struts_cve_2023_50164_exploitation_to_webshell.toml

* Update rules/linux/initial_access_apache_struts_cve_2023_50164_exploitation_to_webshell.toml

* Update rules/linux/initial_access_apache_struts_cve_2023_50164_exploitation_to_webshell.toml

Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>

---------

Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
2025-11-24 15:08:39 -05:00
shashank-elastic 5386345ca7 Add Investigation Guides for Rules (#5357) 2025-11-25 01:08:15 +05:30
Terrance DeJesus 22a94c6e0b [New Rule] Okta Multiple OS Names Detected for a Single DT Hash (#5241)
* [New Rule] Okta Multiple OS Names Detected for a Single DT Hash
Fixes #5240

* updated query logic

* Update rules/integrations/okta/credential_access_multiple_user_agent_os_authentication.toml

* fixed verbiage

* updated query logic

* Update rules/integrations/okta/credential_access_multiple_user_agent_os_authentication.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/integrations/okta/credential_access_multiple_user_agent_os_authentication.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/integrations/okta/credential_access_multiple_user_agent_os_authentication.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* added investigation guide tag

* Update rules/integrations/okta/credential_access_multiple_user_agent_os_authentication.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/integrations/okta/credential_access_multiple_user_agent_os_authentication.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* added license field

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
2025-11-25 00:57:08 +05:30
Terrance DeJesus e8d74260f2 [Rule Tuning] Microsoft Entra ID Excessive Account Lockouts (#5315)
* [Rule Tuning] Microsoft Entra ID Excessive Account Lockouts
Fixes #5314

* added min stack

* added index

* fixed query optimization

* fixed investigation guide

* added min-stack comments
2025-11-24 14:16:08 -05:00
Eric Forte 13738b5d17 Tune rule indices (#5359) 2025-11-24 14:03:50 -05:00
Ruben Groenewoud 94ff4b0e3e [New Rule] Web Server Potential Command Injection Request (#5341)
* [New Rule] Web Server Potential Command Injection Request

* Update variable names to use consistent casing

* Add 'Domain: Network' tag to command injection rule

* Update persistence_web_server_potential_command_injection.toml

* adding missing tags

* Update rules/cross-platform/persistence_web_server_potential_command_injection.toml

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>

* Update rules/cross-platform/persistence_web_server_potential_command_injection.toml

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2025-11-25 00:11:28 +05:30
Ruben Groenewoud b0cc0cbe13 [New Rule] Web Server Suspicious User Agent Request Spike (#5340)
* [New Rule] Web Server Unusual User Agent Request

* [New Rule] Web Server Suspicious User Agent Request Spike

* Update reconnaissance_web_server_unusual_user_agents.toml

* Update reconnaissance_web_server_unusual_user_agents.toml

* ++

* ++

* Rename rule for suspicious user agent requests

* fixing from indices formatting

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
2025-11-25 00:00:22 +05:30
Ruben Groenewoud 4f8c967185 [New Rule] Web Server Unusual Spike in Error Logs (#5339)
* [New Rule] Web Server Unusual Spike in Error Logs

* Update reconnaissance_web_server_unusual_spike_in_error_logs.toml

* Update rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml

* ++

* Remove event limit from error log rule

Removed limit on the number of events in the rule.

* Rename rule to 'Web Server Potential Spike in Error Logs'

* Update rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>

* Update rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml

* Update rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2025-11-24 13:18:23 -05:00
Ruben Groenewoud 296049e1ff [New Rule] Web Server Unusual Spike in Error Response Codes (#5338)
* [New Rule] Web Server Unusual Spike in Error Response Codes

* Update reconnaissance_web_server_unusual_spike_in_error_response_codes.toml

* Update tags in reconnaissance web server rule

* Add network domain tag and modify ESQL queries

* Remove url.path from error response rules

* ++

* Update reconnaissance_web_server_unusual_spike_in_error_response_codes.toml

* Update reconnaissance_web_server_unusual_spike_in_error_response_codes.toml

* fixing from indices formatting

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
2025-11-24 13:08:25 -05:00