security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
766 Commits 1 Branch 0 Tags
216d06ef3067c5f96bcb76d8ebfe751f70e7a3a8
Commit Graph

11 Commits

Author SHA1 Message Date
Austin Songer 216d06ef30 [New Rule] AWS STS GetSessionToken Abuse (#1213) 
* Update impact_iam_deactivate_mfa_device.toml

https://github.com/elastic/detection-rules/issues/1111

* Update impact_iam_deactivate_mfa_device.toml

* Update discovery_post_exploitation_external_ip_lookup.toml

        "*ipapi.co",
        "*ip-lookup.net",
        "*ipstack.com"

* Update rules/aws/impact_iam_deactivate_mfa_device.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Revert "Update discovery_post_exploitation_external_ip_lookup.toml"

This reverts commit b57fd60c9511e20a336d32a9c9b8d5cf9954c50e.

* Update

* New Rule: Okta User Attempted Unauthorized Access

* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Delete privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Create persistence_new-or-modified-federation-domain.toml

* Delete persistence_new-or-modified-federation-domain.toml

* Create lateral_movement_sts_getsessiontoken_abuse.toml

* Rename lateral_movement_sts_getsessiontoken_abuse.toml to privilege_escalation_sts_getsessiontoken_abuse.toml

* Update privilege_escalation_sts_getsessiontoken_abuse.toml

* Update rules/aws/privilege_escalation_sts_getsessiontoken_abuse.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update .gitignore

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update privilege_escalation_sts_getsessiontoken_abuse.toml

* Update privilege_escalation_sts_getsessiontoken_abuse.toml

* Update

* Update rules/integrations/aws/privilege_escalation_sts_getsessiontoken_abuse.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

(cherry picked from commit 93b8038d7d)
 2021-09-22 19:29:04 +00:00
Justin Ibarra 98735808ab [Rule Tuning] Fix typos in rule metadata (#1494) 
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

(cherry picked from commit 8e3b1d28c4)
 2021-09-21 19:32:05 +00:00
dstepanic17 c864538606 [rule-tuning] Adding more context with triage/investigation (#1481) 
* [rule-tuning] Adding more context with triage/investigation

* Adding mimikatz rule

* Fixed updated date on mimikatz rule

* Adding Defender update

* Adding scheduled task

* Adding AdFind

* Adding rare process

* Adding cloudtrail country

* Adding cloudtrail spike

* Adding threat intel

* Fixed minor spelling/syntax

* Fixed minor spelling/syntax p2

* Update rules/cross-platform/threat_intel_module_match.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/integrations/aws/ml_cloudtrail_error_message_spike.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/ml/ml_rare_process_by_host_windows.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/credential_access_mimikatz_powershell_module.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/credential_access_mimikatz_powershell_module.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_defender_exclusion_via_powershell.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/discovery_adfind_command_activity.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/discovery_adfind_command_activity.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/discovery_adfind_command_activity.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/discovery_adfind_command_activity.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/discovery_adfind_command_activity.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/discovery_adfind_command_activity.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Removed MITRE link, added Microsoft

* Update ml_cloudtrail_error_message_spike.toml

* Update ml_cloudtrail_rare_method_by_country.toml

* Update ml_rare_process_by_host_windows.toml

* Update credential_access_mimikatz_powershell_module.toml

* Update defense_evasion_defender_exclusion_via_powershell.toml

* Update discovery_adfind_command_activity.toml

* Update lateral_movement_dns_server_overflow.toml

* Update lateral_movement_scheduled_task_target.toml

* Update persistence_evasion_registry_startup_shell_folder_modified.toml

* Update defense_evasion_defender_exclusion_via_powershell.toml

* Update lateral_movement_scheduled_task_target.toml

* Update persistence_evasion_registry_startup_shell_folder_modified.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit 9ff3873ee7)
 2021-09-16 01:08:23 +00:00
Ross Wolf 2ef59e918f Revert #1440 new endpoint promotion rule (#1470) 
* Revert #1440 new endpoint promotion rule
* Set the updated_at date

Removed changes from:
- rules/integrations/endpoint/elastic_endpoint_security_behavior_protection.toml

(selectively cherry picked from commit c9d6527280)
 2021-09-03 14:08:22 +00:00
Nic 20a814c47f [Rule tuning] Azure Active Directory High Risk Sign-in (#1463) 
* Add Aggregated Risk Level
* There can be a risk_level_during_signin:low but have a risk_level_aggregated:high which is also just as concerning and must be alerted on.
* An example is a password spray attack and have a successful login. Which makes me consider a new rule for interesting risk event types

(cherry picked from commit 8b2c8c2e03)
 2021-08-30 22:34:47 +00:00
Ross Wolf 1f7c404548 Remove the 7.15+ behavior protection promotion rule 2021-08-26 08:51:38 -06:00
Ross Wolf 34ab6c81d3 [New Rule] Endpoint Security Behavior Protection (#1440) 
* [New Rule] Endpoint Security Behavioral Protection
* Update readme and labeler for endpoint integration
* Fix new rule to use event.code
* Fix old rule to use event.code
* Changed from behavioral to behavior
* Rename elastic_endpoint_security_behavioral.toml to elastic_endpoint_security_behavior_protection.toml
* Back from the future (updated_date)

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

(cherry picked from commit 3b338baab0)
 2021-08-25 15:58:03 +00:00
Austin Songer 94190321c1 [Rule Tuning] AWS Security Group Configuration Change Detection (#1426) 
* move rule "AWS Security Group Configuration Change Detection" to integrations directory and add "aws" integration

(cherry picked from commit 3b29498907)
 2021-08-15 04:35:07 +00:00
Justin Ibarra 742253c61d [Rule tuning] Revise rule description and other text (#1398) 
(cherry picked from commit f8f643041a)
 2021-08-03 21:08:48 +00:00
Justin Ibarra 05d01bbfe0 [Rule Tuning] Rule description tweaks (#1388) 
(cherry picked from commit b736d6e748)
 2021-07-29 18:57:11 +00:00
Ross Wolf 600acca704 [Fleet] Track integrations in folder and metadata (#1372) 
* Track integrations in folder and metadata
* Remove duplicate entry
* Update note and tests

(cherry picked from commit 1882f4456c)
 2021-07-21 21:25:48 +00:00