security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
3,314 Commits 1 Branch 0 Tags
1ce072a4e58238d94deae33ff8de25458ac129d5
Commit Graph

3314 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Ross Wolf 47cb03314a Fix KQL sorting 2020-07-17 15:09:38 -06:00
Justin Ibarra 1bf60551ff Update lateral_movement_dns_server_overflow.toml 2020-07-17 15:52:04 -05:00
Justin Ibarra 1cfb8f92bb Windows DNS server vulnerability (CVE-2020-1350) rules (#69) 2020-07-17 14:32:52 -05:00
Ross Wolf 89d6498c42 Add webinar link 2020-07-17 09:31:57 -06:00
Justin Ibarra 7647699e2b Add support for threshold rules (#65) 2020-07-16 19:06:34 -05:00
Ross Wolf f1b669e59d Loosen yaml requirement (#62) 
* Loosen yaml requirement
* Bump to ~=5.3
 2020-07-15 09:00:32 -06:00
Justin Ibarra 916917a619 Update rule.py 2020-07-15 09:40:07 -05:00
Ross Wolf db4f50d4b8 Improve the validation and testing time (#61) 
* Improve the validation and testing time
* Lint fix
* Cache schema validation
 2020-07-15 08:05:55 -06:00
Garrett Spong 13ceed5410 Add Global Endpoint Exception List to Elastic Endpoint rule (#60) 2020-07-14 21:26:29 -06:00
Devon Kerr f75b126ec4 Update terminology in ML job rules 2020-07-14 21:22:34 -06:00
Craig Chamberlain f24666bf12 [New Rule] Add Cloudtrail ML Rules 
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
Co-authored-by: Devon Kerr <19266650+devonakerr@users.noreply.github.com>
 2020-07-14 15:16:58 -06:00
Ben Skelker 680a04da8f Fix terminology and doc links (#54) 2020-07-13 12:47:42 -06:00
Ross Wolf e96eabaa2e Generate linted .ts in package (#49) 
* Generate linted .ts in package
* (Lin|ni)t changes

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-07-09 17:33:28 -06:00
Garrett Spong c28795c25e [New Rule] Elastic Endpoint and External Alerts (#42) 
* Adds the Elastic Endpoint and External Alerts rules and required schema updates
* Optimizing queries to fix tests
* Apply PEP257 changes
* Apply suggestions from code review
* Update rules/cross-platform/external_alerts.toml
* Last fixes from review
* Fixing test for unrequired default
* Adding increased default max_signals to not interfere with testing
* Make promotions folder
* Refining Elastic Endpoint rule index

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-07-09 15:24:36 -06:00
Ross Wolf a0b50152b3 Fix new rule template 2020-07-09 10:59:52 -06:00
Ross Wolf 8a561b3817 Add kibana-push command (#38) 
* Add kibana-push command
* Add ctx.exit instead of return
* Make the base branch configurable
 2020-07-08 18:02:12 -06:00
Justin Ibarra 119c98f05f Package kibana index file with release rules (#40) 2020-07-08 18:58:00 -05:00
Ross Wolf 4fe3aaff1a Add test for duplicate file names (#34) 2020-07-08 14:00:28 -06:00
Andrew Pease e0f2e8b4a9 Add dataset and index to network rules (#15) 
* Add dataset and index to network rules
* Restore iptables changes
* Fix beats parsing logic
* Updated date and ECS version
* Only update modules if empty

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
 2020-07-08 13:19:35 -06:00
Samirbous 676be30199 [New rule] AWS Secrets Manager and System Manager 
Co-authored-by: Seth Goodwin <58222969+seth-goodwin@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Co-authored-by: Craig Chamberlain <randomuserid@users.noreply.github.com>
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
 2020-07-08 12:48:04 -06:00
Justin Ibarra 29a92f8976 Package notice file with release (#32) 2020-07-08 13:17:42 -05:00
Seth Goodwin c577426510 Update Lookback Interval for AWS Rules 2020-07-08 08:50:01 -06:00
Ross Wolf 316be47e27 Rename AWS to aws 2020-07-08 08:43:30 -06:00
Derek Ditch 3ee7aa3822 Add vscode directory to gitignore (#26) 2020-07-07 15:56:50 -06:00
Craig Chamberlain 94974c3895 Detect DeleteRule events with AWS WAF Deletion 
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: Seth Goodwin <58222969+seth-goodwin@users.noreply.github.com>
 2020-07-07 15:44:11 -06:00
Craig Chamberlain ee82874c24 [New Rule] AWS Config Service Tampering 
Co-authored-by: Derek Ditch <dcode@users.noreply.github.com>
Co-authored-by: Seth Goodwin <58222969+seth-goodwin@users.noreply.github.com>
 2020-07-07 15:43:22 -06:00
Justin Ibarra 95908c22a4 Improve ECS compatibility for endpoint rules 2020-07-07 15:41:23 -06:00
seth-goodwin cae5fee025 [New Rule] Add AWS Password Recovery Requested 2020-07-07 15:38:52 -06:00
Seth Goodwin 8052a1ea1f [New Rule] Add rule for AWS UpdateAssumeRolePolicy 
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2020-07-07 15:38:18 -06:00
Craig Chamberlain a2a0b2bf0c [New Rule] AWS EC2 Snapshot Activity 
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2020-07-07 15:10:06 -06:00
Seth Goodwin c1a1cf6854 [New Rule] AWS Root Login Without MFA 
Co-authored-by: Derek Ditch <dcode@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2020-07-07 15:07:17 -06:00
David French a98eca06d0 Add event.module value to Okta rules (#19) 2020-07-06 14:26:18 -06:00
Ross Wolf 0ba6d187ba Add note on preferred logic order when writing queries (#13) 
* Add note on logic order when writing queries
* Change wording for categorization values
 2020-07-02 14:15:48 -06:00
David French 51fed4f537 Update defense_evasion_attempt_to_disable_iptables_or_firewall.toml (#11) 2020-07-02 11:31:19 -06:00
David French f438a222d5 [New Rule] Attempt to Modify or Delete Okta Application Sign On Policy (#10) 
* Add okta rule for policy modification/delete

* Update rule name

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>

* Update rules/okta/okta_attempt_to_modify_or_delete_application_sign_on_policy.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Add event.module value to query

* Update okta_attempt_to_modify_or_delete_application_sign_on_policy.toml

Add event.category and event.type values to query

* Update rules/okta/okta_attempt_to_modify_or_delete_application_sign_on_policy.toml

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-07-02 08:52:55 -06:00
Ross Wolf a3b9be60d7 Fix issue templates 2020-07-01 12:37:08 -06:00
Ross Wolf 80c584f0dd Fix issue templates 2020-07-01 12:36:26 -06:00
Ross Wolf f8c3e3c33d Fix yaml in issue templates 2020-07-01 12:35:08 -06:00
Francesco Soncina 46a4008570 [Rule tuning] Fix evasion for disable iptables rule (#5) 2020-07-01 12:08:32 -06:00
Ross Wolf f800050e6b Update default labels for issues 2020-07-01 11:08:20 -06:00
Erkin Djindjiev 1fac018f10 Update MySQL port to 3306 not 3336 (#2) 2020-07-01 09:52:04 -06:00
Ross Wolf e48a987ce4 Cleanup issue/PR templates 2020-06-30 14:58:46 -06:00
Ross Wolf 4fd66d690d Fix blog post link 2020-06-30 11:20:42 -06:00
Ross Wolf d8675b0599 Add links to blog post and rule reference 2020-06-30 10:57:45 -06:00
Ross Wolf 975aa61bc0 Remove links to empty rules subfolders 2020-06-30 10:32:03 -06:00
Ross Wolf e2d97b0a74 Remove unreachable and legacy code 
Co-Authored-By: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-06-30 10:12:23 -06:00
Ross Wolf fac5473aca Rename PsRunner_License to PsRunner_LICENSE 2020-06-30 10:04:11 -06:00
Ross Wolf ba50b6dd20 Create PsRunner_License 2020-06-30 10:03:41 -06:00
Ross Wolf 5e7ea22eef Fix directory order 2020-06-30 09:57:02 -06:00
Ross Wolf e1317386ca Edits to documentation 2020-06-30 08:08:30 -06:00