security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
749 Commits 1 Branch 0 Tags
21628611a99b24abc00934de6a7e083b85b4e463
Commit Graph

749 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Justin Ibarra 21628611a9 [Bug] Community label: use getMembershipForUser (#1469) 
Use getMembershipForUser to determine the proper org membership status

(cherry picked from commit 2a7d036443)
 2021-09-01 05:33:32 +00:00
Justin Ibarra 7371608d39 [Bug] RuleTOMLContents.to_dict serialize with proper schema (#1460) 
(cherry picked from commit 9d10458be4)
 2021-09-01 05:07:14 +00:00
Justin Ibarra 2a2bcbd870 [Rule tuning] Fix spacing in reference URLs (#1455) 
(cherry picked from commit 655f7d91d0)
 2021-09-01 00:00:06 +00:00
Nic 20a814c47f [Rule tuning] Azure Active Directory High Risk Sign-in (#1463) 
* Add Aggregated Risk Level
* There can be a risk_level_during_signin:low but have a risk_level_aggregated:high which is also just as concerning and must be alerted on.
* An example is a password spray attack and have a successful login. Which makes me consider a new rule for interesting risk event types

(cherry picked from commit 8b2c8c2e03)
 2021-08-30 22:34:47 +00:00
Ross Wolf 3204a5c366 Update main to point to 7.16 (#1457) 
* Update main to point to 7.16
* Add 7.16 -> 7.15 migration
* Update stack-schema-map
* Update conditions.kibana.version

Removed changes from:
- etc/packages.yml

(selectively cherry picked from commit 7b8b18cb20)
 2021-08-26 20:24:53 +00:00
Ross Wolf 79d3b60c9a [CI] Add GitHub actions workflow to lock versions across branches (#1456) 
* Start job to lock versions
* Update lock-versions workflow
* Call lock-multiple script
* Fix script
* Add the lock file to staging
* pass branches to the job
* Fetch all branches and tags
* Push the branch first
* Push with upstream
* Change PR params
* Remove protections machine token
* Add 7.14.0 to the lock for min_stack_version=7.14.0
* Fix branch prefix
* Add trailing newline
* Trailing newline
* Restrict to main branch

(cherry picked from commit 4adad703fc)
 2021-08-26 20:18:34 +00:00
Ross Wolf 1f7c404548 Remove the 7.15+ behavior protection promotion rule 2021-08-26 08:51:38 -06:00
Apoorva Joshi b883415914 Small update to docs (#1442) 
(cherry picked from commit 227b67e636)
 2021-08-26 06:41:40 +00:00
Ross Wolf 34ab6c81d3 [New Rule] Endpoint Security Behavior Protection (#1440) 
* [New Rule] Endpoint Security Behavioral Protection
* Update readme and labeler for endpoint integration
* Fix new rule to use event.code
* Fix old rule to use event.code
* Changed from behavioral to behavior
* Rename elastic_endpoint_security_behavioral.toml to elastic_endpoint_security_behavior_protection.toml
* Back from the future (updated_date)

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

(cherry picked from commit 3b338baab0)
 2021-08-25 15:58:03 +00:00
Ross Wolf 8a3220ef6a Track multiple stacks in lock (#1434) 
* Save the stack versions in the lock file
* Support tracking of multiple stacks in the lock
* Update the version locking logic
* Fix bugs and test lock file
* Restore version lock
* Fix lint errors
* Call both click.echo and verbose echo separately
* Change when the change_rules message is output

(cherry picked from commit 0d47cb324a)
 2021-08-24 22:57:14 +00:00
dstepanic17 689e690f8c [New rule] Webshell Detection (#1448) 
* [new-rule] Webshell Detection

* Update rules/windows/persistence_webshell_detection.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Added FP note section

* Update rules/windows/persistence_webshell_detection.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit 8ddffc298b)
 2021-08-24 20:19:32 +00:00
Justin Ibarra cc75f645b6 [Rule Tuning] Add technique T1005 to 2 rules (#1405) 
(cherry picked from commit 8099e1c733)
 2021-08-20 08:20:32 +00:00
Ross Wolf 632a322431 Fix encoding of 'Any' type in jsonschema (#1438) 
(cherry picked from commit 11c443ba26)
 2021-08-19 16:16:40 +00:00
Justin Ibarra 60caedc026 Bump package versions (#1418) 
* Bump package versions
* Add 7.14 migration; use master schema map if one does not exist
* add test to ensure an entry exists in the stack-schema-map for the current package version

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>

Removed changes from:
- etc/packages.yml

(selectively cherry picked from commit 2d517432e3)
 2021-08-19 05:26:47 +00:00
Ross Wolf c1b774cdb6 Skip etc/packages.yml from backport: auto (#1437) 
(cherry picked from commit d647c7b809)
 2021-08-18 22:57:34 +00:00
Austin Songer 94190321c1 [Rule Tuning] AWS Security Group Configuration Change Detection (#1426) 
* move rule "AWS Security Group Configuration Change Detection" to integrations directory and add "aws" integration

(cherry picked from commit 3b29498907)
 2021-08-15 04:35:07 +00:00
Christian Clauss 604fd2a18f Fix typos discovered by codespell (#1430) 
(cherry picked from commit ddec37b731)
 2021-08-15 04:30:11 +00:00
Justin Ibarra 16bc2a24f1 Remove labeling from community workflow (#1432) 
(cherry picked from commit 4a3bacae48)
 2021-08-14 10:44:37 +00:00
Justin Ibarra 52dee0d0c6 Add revised workflow for community label (#1431) 
(cherry picked from commit f63a72f1ac)
 2021-08-14 10:19:55 +00:00
Justin Ibarra 986a515a62 Add label workflow for community issues and pulls (#1406) 
* Add label workflow for community issues and pulls
* run on label changes

(cherry picked from commit 006cb0e702)
 2021-08-14 06:37:59 +00:00
Justin Ibarra 4bd62ef5c9 Add botelastic workflow for stale issues and PRs (#1414) 
(cherry picked from commit 5c8029ad55)
 2021-08-14 06:25:51 +00:00
Justin Ibarra 764cb5d0b4 Add paths-labeller workflow (#1407) 
* add botelastic workflow

(cherry picked from commit 75d6d76926)
 2021-08-14 06:14:32 +00:00
Justin Ibarra c2b7b22496 Pull latest ECS+beats schemas and update schema-map (#1417) 
(cherry picked from commit b27a20fc3a)
 2021-08-12 21:10:22 +00:00
Austin Songer e170935f1f [New Rule] AWS EC2 Security Group Configuration Change Detection (#1144) 
(cherry picked from commit 67ba66c8e7)
 2021-08-12 19:38:05 +00:00
David French 9e6c107de5 [New Rule] Whitespace Padding in Process Command Line (#1392) 
* Create defense_evasion_whitespace_padding_in_command_line.toml

* add newline

* update description

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit 14493689b9)
 2021-08-11 16:16:05 +00:00
Justin Ibarra dca8f2b712 [Bug] Flatten method improperly added subtechniques (#1404) 
(cherry picked from commit 95486ecfdf)
 2021-08-05 19:17:17 +00:00
Ross Wolf 5a33f634a7 Add RuleCollection.load_git_branch (#1403) 
(cherry picked from commit 17bf3c1e16)
 2021-08-05 07:16:38 +00:00
dishadasgupta 91e1d1abfc Adding docs for URL Spoofing (#1400) 
* Adding docs for urlspoof

* Fixing typo in readme

* Editing documentation to reflect rule upload process

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit 7be58b7b09)
 2021-08-05 00:14:12 +00:00
Justin Ibarra 121431b40b Refresh ATT&CK mappings to v9.0 (#1401) 
* Refresh ATT&CK mappings to v9.0
* Update rules to reflect ATT&CK changes

(cherry picked from commit d31ea6253e)
 2021-08-04 22:17:11 +00:00
Justin Ibarra 742253c61d [Rule tuning] Revise rule description and other text (#1398) 
(cherry picked from commit f8f643041a)
 2021-08-03 21:08:48 +00:00
Austin Songer fcd2071ca9 [Rule Tuning] NTDS or SAM Database File Copied (#1378) 
* Update credential_access_copy_ntds_sam_volshadowcp_cmdline.toml to include esentutl.exe

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

(cherry picked from commit d2365783fa)
 2021-08-03 20:29:19 +00:00
Apoorva Joshi 99c9995967 Update Host Risk Score docs (#1397) 
(cherry picked from commit 06a9ba6463)
 2021-08-03 04:53:06 +00:00
Apoorva Joshi 197bb86459 Adding host risk score docs (#1390) 
* Adding host risk score docs
* Highlighting caveats around hostname
* Update host-risk-score.md
* Adding host risk score to the experimental detections readme

(cherry picked from commit c283d2a2f3)
 2021-08-02 21:44:26 +00:00
Justin Ibarra 05d01bbfe0 [Rule Tuning] Rule description tweaks (#1388) 
(cherry picked from commit b736d6e748)
 2021-07-29 18:57:11 +00:00
Ross Wolf 06849a82d8 [CI] Add missing clone for Fleet on-demand job (#1387) 
(cherry picked from commit 2e8f7cd13f)
 2021-07-27 22:56:37 +00:00
Ross Wolf f6d9295ead [CI] Fix kibana PR command again (#1386) 
(cherry picked from commit 92937a1ad1)
 2021-07-27 22:30:54 +00:00
Ross Wolf 51f8ea7526 Fix kibana_pr for click.Context (#1385) 
(cherry picked from commit 64977b01bd)
 2021-07-27 22:04:31 +00:00
Ross Wolf 32c0e9fff5 Disable missing rule check for the version lock (#1384) 
(cherry picked from commit c31a344593)
 2021-07-27 19:49:31 +00:00
Ross Wolf a534cd4e85 Update the version lock for 7.14.0 and 0.13.3 (#1383) 
(cherry picked from commit 5eccaf0cd5)
 2021-07-27 18:26:14 +00:00
Justin Ibarra 3c9079faf3 Ensure EQL rules with maxspan have a long enough lookback window (#1361) 
* Add the following properties to EQLRuleData:
   - max_span
   - look_back
   - interval_ratio

* Add the following tests:
   - test_eql_lookback
   - test_eql_interval_to_maxspan

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>

(cherry picked from commit 7759fa2500)
 2021-07-22 21:54:04 +00:00
Ross Wolf 0ae93632fc [Rule Tuning] Remove \Program Files*\ style wildcards (#1369) 
* Remove \Program Files*\ style wildcards
* Convert string and remote trailing .exe check
* Fix syntax
* Escape dot
* Add missing `and`
* Fix syntax for regex string
* Convert * to .* for regex

(cherry picked from commit 7b62fe296d)
 2021-07-22 17:56:25 +00:00
Justin Ibarra 8deeab2c4d [Rule Tuning] Update EQL rules with lookback < maxspan (#1362) 
* [Rule Tuning] Update EQL rules with lookback < maxspan
* update intervals to be at least interval >= 1/2 maxspan

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>

(cherry picked from commit 4aab1278bf)
 2021-07-22 17:10:08 +00:00
Ross Wolf cae7fac266 Fix metadata.extended (#1377) 
(cherry picked from commit 5ba1c26cf1)
 2021-07-22 16:30:41 +00:00
Ross Wolf 600acca704 [Fleet] Track integrations in folder and metadata (#1372) 
* Track integrations in folder and metadata
* Remove duplicate entry
* Update note and tests

(cherry picked from commit 1882f4456c)
 2021-07-21 21:25:48 +00:00
Ross Wolf 6d9997435f [Rule Tuning] Convert unusual extension rule to regex (#1368) 
* Convert unusual extension rule to regex
* Update defense_evasion_file_creation_mult_extension.toml
* Fix date
* Fix extension

(cherry picked from commit 9f3d5328f4)
 2021-07-21 17:50:36 +00:00
Ross Wolf fc2f5866a2 [Rule Tuning] Creation of Hidden Files and Directories (#1357) 
* [Rule Tuning] Creation of Hidden Files and Directories
* Remove redundant `A` from the regex

(cherry picked from commit 9b559d0cd9)
 2021-07-21 17:48:37 +00:00
David French f0270973bb [Rule Tuning] Update Google Workspace rules to use google_workspace event schema (#1374) 
* use google_workspace event schema

* update to use google_workspace schema

(cherry picked from commit 23626b814c)
 2021-07-21 17:39:45 +00:00
dstepanic17 cb3ceb93da [New Rule] Windows Defender Exclusions Added via PowerShell (#1370) 
* Added new rule

* Update rules/windows/defense_evasion_defender_exclusion_via_powershell.toml

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>

* Update rules/windows/defense_evasion_defender_exclusion_via_powershell.toml

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>

* Added pwsh.exe to original name

* Added PowerShell MITRE reference

* Update rules/windows/defense_evasion_defender_exclusion_via_powershell.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_defender_exclusion_via_powershell.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit fbd4cf2117)
 2021-07-21 16:55:08 +00:00
Justin Ibarra 07a7784659 Update cardinality field in schema for threshold rules (#1349) 
* Make cardinality array in schema for threshold rules
* update master, 7.12, 7.13, and 7.14 schemas with cardinality fix
* fix 7.12 downgrade to handle cardinality as an array

* Add two new rules to detect agent spoofing

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>

(cherry picked from commit 163d9e3864)
 2021-07-21 16:33:59 +00:00
Austin Songer bc82e214c7 [Rule Tuning] Mimikatz powershell module activity detected (#1297) 
* update query
* add indexes

(cherry picked from commit 95e6458c6e)
 2021-07-21 07:09:02 +00:00