security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
2,475 Commits 1 Branch 0 Tags
28ffebbf5c66f42494b0fb7dade15fe79aed773d
Commit Graph

2475 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Terrance DeJesus 28ffebbf5c [New Hunt] Adding Hunting Query for AWS IAM Unusual AWS Access Key Usage for User (#4280) 
* new hunt 'AWS IAM Unusual AWS Access Key Usage for User'

* updated version

* updating markdown

* bumping version

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-12-12 14:56:20 -05:00
Terrance DeJesus 0a740074c9 new rule 'Azure Entra MFA TOTP Brute Force Attempts' (#4297) 2024-12-12 11:00:02 -05:00
shashank-elastic 3fa3349216 Update versioning support for 8.17 (#4296) 2024-12-10 23:43:04 +05:30
github-actions[bot] 691126cd3d Lock versions for releases: 8.12,8.13,8.14,8.15,8.16,8.17 (#4295) 2024-12-10 21:43:29 +05:30
shashank-elastic f0291b440a Minstack endpoint rules with process.group.id fields (#4294) 2024-12-10 21:03:32 +05:30
Terrance DeJesus e6012b1db6 Removing ESQL query format error (#4292) 2024-12-10 09:27:37 -05:00
github-actions[bot] febdafa1f4 Lock versions for releases: 8.12,8.13,8.14,8.15,8.16,8.17 (#4291) 2024-12-09 21:38:33 +05:30
Terrance DeJesus 052672b09f [Rule Tuning] Update Okta and Github Min-Stack Versions for Release (#4290) 2024-12-09 20:58:33 +05:30
Terrance DeJesus e7b88ae3fc [New Rule] Adding Coverage for Self-Created Login Profile for Root Accounts in AWS (#4277) 
* new rule 'AWS IAM Login Profile Added for Root'

* added min-stack

* linted; fixed rule schema errors

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-12-09 08:55:20 -05:00
shashank-elastic 2c848c5111 Prep for Release 8.18 (#4288) 2024-12-09 18:25:13 +05:30
Isai 511c108ba1 [Tuning] SDH - Possible Consent Grant Attack via Azure-Registered Application (#4283) 
* [Tuning] Possible Consent Grant Attack via Azure-Registered Application

SDH related rule tuning for o365.audit dataset

* removing renamed field from query
 2024-12-06 17:27:38 -05:00
shashank-elastic d3c05a08cc Add all historical versions for v8.17.0 and above packages (#4279) 2024-12-03 23:36:32 +05:30
shashank-elastic 801efb3d93 Protections for AWS Bedrock (#4270) 2024-12-03 21:56:39 +05:30
shashank-elastic 53cfeb76e3 Add event dataset for missing rule in Github integration (#4278) 2024-12-03 20:32:55 +05:30
github-actions[bot] 86cc61c233 Lock versions for releases: 8.11,8.12,8.13,8.14,8.15,8.16 (#4274) 
* Locked versions for releases: 8.11,8.12,8.13,8.14,8.15,8.16

* Update detection_rules/etc/version.lock.json

* Update Patch version for version lock changes

---------

Co-authored-by: shashank-elastic <shashank-elastic@users.noreply.github.com>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Co-authored-by: Shashank K S <Shashank.Suryanarayana@elastic.co>
 2024-11-27 09:34:54 -05:00
shashank-elastic 5ab7565923 Minstack versions for Okta and Github Integration (#4273) 2024-11-27 18:39:41 +05:30
Ruben Groenewoud 4e28895e66 [Rule Tuning] Kernel Module Removal (#4269) 
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2024-11-25 21:13:44 +01:00
Terrance DeJesus 2d79494068 new rule 'AWS STS AssumeRoot by Rare User and Member Account' (#4271) 2024-11-25 10:28:43 -05:00
shashank-elastic 04e1fc1436 Account for CCS '::' index pattern (#4258) 2024-11-13 11:17:08 +05:30
github-actions[bot] ebb3675ea0 Lock versions for releases: 8.11,8.12,8.13,8.14,8.15,8.16 (#4267) 2024-11-11 22:29:22 +05:30
terrancedejesus 4a7f83e432 Version Lock File Reconcile Ref: #4266 2024-11-11 10:48:43 -05:00
Samirbous f36845318e [New] First Time Seen User Auth via DeviceCode Protocol (#4153) 
* Create credential_access_first_time_seen_device_code_auth.toml

* Update credential_access_first_time_seen_device_code_auth.toml

* Update credential_access_first_time_seen_device_code_auth.toml

* Update rules/integrations/azure/credential_access_first_time_seen_device_code_auth.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/azure/credential_access_first_time_seen_device_code_auth.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update credential_access_first_time_seen_device_code_auth.toml

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2024-11-11 13:04:18 +00:00
Samirbous b66d0e0a0d [New] Remote Desktop File Opened from Suspicious Path (#4251) 2024-11-11 18:08:48 +05:30
Terrance DeJesus ef453d8f4d [Rule Tuning] Add Investigation Fields to Specific AWS Rules (#4261) 
* adding investigation fields to specific aws rules

* updated patch

* removing min-stack requirements

* removed user.name redundancy

* adjusted order of investigation fields

* adding source address
 2024-11-08 23:11:18 -05:00
Terrance DeJesus 33d832d4e4 [Rule Tuning] Tuning Process Termination followed by Deletion (#4173) 
* adding rule tuning

* adjusted operators; fixed missing quotes

* Update rules/windows/defense_evasion_process_termination_followed_by_deletion.toml

* Update defense_evasion_process_termination_followed_by_deletion.toml

* Update defense_evasion_process_termination_followed_by_deletion.toml

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2024-11-08 16:38:17 -03:00
Ruben Groenewoud 56e61a6321 [New Rule] Potential Hex Payload Execution (#4241) 
* [New Rule] Potential Hex Payload Execution

* Update rules/linux/defense_evasion_hex_payload_execution.toml

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-11-08 19:15:17 +01:00
Ruben Groenewoud 54bb319f7b [New Rule] Memory Swap Modification (#4239) 
* [New Rule] Memory Swap Modification

* Update rules/linux/impact_memory_swap_modification.toml

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-11-08 19:06:55 +01:00
Ruben Groenewoud 3207ca37e4 [New Rule] Unusual Interactive Shell Launched from System User (#4238) 
* [New Rule] Unusual Interactive Shell Launched from System User

* Update defense_evasion_interactive_shell_from_system_user.toml

* Update defense_evasion_interactive_shell_from_system_user.toml

* Update rules/linux/defense_evasion_interactive_shell_from_system_user.toml

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-11-08 18:24:30 +01:00
Ruben Groenewoud 267a6b6fa6 [New Rule] Web Server Spawned via Python (#4236) 
* [New Rule] Web Server Spawned via Python

* Update execution_python_webserver_spawned.toml

* Update rules/linux/execution_python_webserver_spawned.toml

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>

* Update execution_python_webserver_spawned.toml

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-11-08 18:16:19 +01:00
Ruben Groenewoud 83f31e1640 [New Rule] Directory Creation in /bin directory (#4227) 
* [New Rule] Directory Creation in /bin directory

* Description fix

* Update rules/linux/defense_evasion_directory_creation_in_bin.toml

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-11-08 18:07:06 +01:00
Ruben Groenewoud 6040b6aee4 [New Rule] Hidden Directory Creation via Unusual Parent (#4226) 
* [New Rule] Hidden Directory Creation via Unusual Parent

* Update rules/linux/defense_evasion_hidden_directory_creation.toml

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-11-08 17:58:13 +01:00
Ruben Groenewoud 43148a72f4 [New Rule] Security File Access via Common Utilities (#4243) 
* [New Rule] Security File Access via Common Utilities

* [New Rule] Security File Access via Common Utilities

* Update discovery_security_file_access_via_common_utility.toml
 2024-11-08 17:41:33 +01:00
Ruben Groenewoud f89e245e29 [New Rule] Potential Data Splitting Detected (#4235) 
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-11-08 17:32:59 +01:00
Ruben Groenewoud 3e268282d1 [New Rule] Private Key Searching Activity (#4242) 
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-11-08 17:13:55 +01:00
Ruben Groenewoud 40118186fb [New Rule] IPv4/IPv6 Forwarding Activity (#4240) 
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-11-08 17:06:07 +01:00
Ruben Groenewoud 993c60decb [New Rule] Curl SOCKS Proxy Activity from Unusual Parent (#4237) 
* [New Rule] Curl SOCKS Proxy Activity from Unusual Parent

* OS Type update

* Update rules/linux/command_and_control_curl_socks_proxy_detected.toml

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-11-08 16:51:18 +01:00
github-actions[bot] ee10be70b9 Update ATT&CK coverage URL(s) in docs/ATT&CK-coverage.md (#4265) 2024-11-08 20:27:04 +05:30
shashank-elastic c2e0a9315c Fix extra new line in ATT&CK-coverage.md (#4263) 2024-11-08 20:13:21 +05:30
shashank-elastic d2502c7394 Prep for Release 8.17 (#4256) 2024-11-07 23:53:04 +05:30
Mika Ayenson 2ca746c4b4 [FR] Reset package version and push tag via ci (#4260) 2024-11-07 12:11:00 -06:00
Mika Ayenson 48a051e3f1 [FR] Fetch history for versioning workflow (#4259) 2024-11-07 11:57:33 -06:00
Mika Ayenson c615df680f [FR] Update the release versioning process and workflow (#4257) 2024-11-07 11:31:54 -06:00
Jonhnathan d1b102730c [Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 8 (#4233) 
* [Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 8

* Update defense_evasion_powershell_windows_firewall_disabled.toml

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-11-07 12:38:27 -03:00
Jonhnathan ef0f96c874 [Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 7 (#4232) 
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-11-07 12:27:47 -03:00
Samirbous d2dfd46b3e Update credential_access_suspicious_lsass_access_generic.toml (#4188) 2024-11-07 13:56:53 +00:00
Mika Ayenson d9154c698a [Testing] Update release-drafter.yml (#4255) 2024-11-06 16:21:05 -06:00
Mika Ayenson b2b92b0edc [Testing] Update release-drafter.yml (#4254) 2024-11-06 16:00:18 -06:00
Mika Ayenson c1ac8f0fae [FR] DRAFT Release Workflow on PR Merge (#4253) 2024-11-06 15:36:09 -06:00
Terrance DeJesus a92fdc18a1 [New Rule] Adding Coverage for AWS IAM Customer-Managed Policy Attached to Role by Rare User (#4245) 
* adding new rule 'AWS IAM Customer-Managed Policy Attached to Role by Rare User'

* adding investigation guide tag

* adds new hunting query

* updated notes

* changed name

* adjusting pyproject.toml version
 2024-11-06 13:36:13 -05:00
shashank-elastic 6a39009402 Add investigation guide for Amazon Bedrock Rules (#4247) 
* Add investigation guide for Amazon Bedrock Rules

* updated date

* review comments

* review comments

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2024-11-06 12:58:02 -05:00