security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
2,600 Commits 1 Branch 0 Tags
2bf4cf0b2a4bbbe17d0b9ccf4c5560a151cd2049
Commit Graph

67 Commits

Author SHA1 Message Date
github-actions[bot] 2bf4cf0b2a Lock versions for releases: 8.12,8.13,8.14,8.15,8.16,8.17 (#4453) 2025-02-07 21:41:29 +05:30
Sergey Polzunov a650b028f3 Bumping number of versions per rule to 4 in total (#4451) 
* Bumping number of versions per rule to 4 in total

* Add explicit caps

* Simpler comment

* Renaming constants

* Drop to 8.17 again

* Clearer constants

* Drop if condition and extend the comment

* Shorten the lines

* Version bump

---------

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2025-02-07 16:28:36 +01:00
github-actions[bot] 1dfb05ec1c Lock versions for releases: 8.12,8.13,8.14,8.15,8.16,8.17 (#4442) 2025-02-04 00:05:59 +05:30
shashank-elastic 818467f132 Replace master doc URLs with current (#4439) 2025-02-03 21:27:50 +05:30
shashank-elastic aba793f3e5 Add prerelease version Integration manifests & schemas for sentinel_one_cloud_funnel (#4438) 2025-02-03 09:15:14 -05:00
shashank-elastic 350474b7b4 Refresh ECS & Beats schemas, Integration manifests & schemas (#4436) 2025-02-03 19:18:49 +05:30
Terrance DeJesus bf1caf8b5f [Rule Tuning] December-January AWS Rule Tuning (#4425) 
* [Rule Tuning] AWS Monthly Rule Tunings

* Adding several more AWS tunings

* updating patch version

* updating non-ecs type to boolean

* fixed cloudtrail index
 2025-01-31 10:35:18 -05:00
Mika Ayenson fe8c81d762 [FR] Generate investigation guides (#4358) 2025-01-22 11:17:38 -06:00
github-actions[bot] 8093655f76 Lock versions for releases: 8.12,8.13,8.14,8.15,8.16,8.17 (#4400) 2025-01-21 19:35:57 +05:30
github-actions[bot] 9b8b917598 Update ATT&CK coverage URL(s) in docs/ATT&CK-coverage.md (#4398) 2025-01-21 17:32:14 +05:30
Eric Forte 2ea674ce84 [Bug] [DaC] Metadata maturity field default mismatch and poor enforcement of rule naming conventions (#4285) 
* Add stub for solution

* Add date and maturity logic

* Add date and maturity logic

* Version Bump

* Remove Date Inheritance

* Remove Datetime import
 2025-01-17 12:16:32 -05:00
Terrance DeJesus 5162067a51 [New Rule] Adding Coverage for Unusual AWS S3 Object Encryption with SSE-C (#4377) 
* new rule 'Unusual AWS S3 Object Encryption with SSE-C'

* updated pyproject patch version

* bump repo version

* Update rules/integrations/aws/impact_s3_unusual_object_encryption_with_sse_c.toml

* updating patch version

* updating patch version

* Adding additional threshold rule
 2025-01-15 14:11:58 -05:00
Terrance DeJesus 97b3f43870 [New Rule] Adding Coverage for AWS EC2 Deprecated AMI Discovery (#4328) 
* new rule 'AWS EC2 Deprecated AMI Discovery'

* updated type

* updated non-ecs; bumped package version

* updated query

* added missing index

* updated patch version
 2025-01-15 11:53:18 -05:00
shashank-elastic 32f596629d Provide Deprecate Warnings for Experimental ML commands (#4365) 2025-01-15 21:53:16 +05:30
Eric Forte cc00963fc3 [Bug] [DaC] Actions Connector Defaults to None (#4376) 
* Add explicit calls to pass directories

* Bump Version
 2025-01-15 09:31:23 -05:00
Ruben Groenewoud e822af47a4 [Hunt Tuning] Persistence via SSH Configurations and/or Keys (#4351) 
* [Hunt Tuning] Persistence via SSH Configurations and/or Keys

* ++

* Revert "Merge branch 'main' into hunt-update-ssh-authorized-keys"

This reverts commit 2b31a3bb49e51a4c9f4752ad6880c3f398032b4e, reversing
changes made to 263ffd5eb98f53282850b4f777df4091f3f03926.

* ++

* Update pyproject.toml
 2025-01-13 16:53:09 +01:00
Terrance DeJesus 46637f38a4 maintenance repository config update pt 4 (#4364) 2025-01-09 18:05:55 -05:00
Terrance DeJesus ad180777cf [Maintenance] Repository Config Update (#4359) 
* updating tokens

* bumped patch

* updated navigator gist ID

* updated naming

* Update .github/workflows/manual-backport.yml

* updated navigator url

* updated noreply email

* updated naming

* Update .github/workflows/manual-backport.yml

Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>

* updating README

* updated gist token

* replaced guidelines token with GITHUB_TOKEN

---------

Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
 2025-01-09 16:35:18 -05:00
github-actions[bot] 47571956a7 Lock versions for releases: 8.12,8.13,8.14,8.15,8.16,8.17 (#4347) 2025-01-07 22:54:34 +05:30
github-actions[bot] 2edc062b53 Update ATT&CK coverage URL(s) in docs/ATT&CK-coverage.md (#4344) 2025-01-07 22:13:30 +05:30
Ruben Groenewoud a2b280a6fd [New Hunts] Adding Several Hunting PRs into this Main PR (#4342) 
* [New Hunt] Linux PAM Persistence

* Fixed notes

* [New Hunt] Persistence via Dynamic Linker Hijacking

* [New Hunt & Tuning] Persistence via LKMs

* [New Hunt] Persistence via Web Shells

* Update query

* [New Rule] Persistence via DPKG/RPM Package

* [New Hunt] Persistence via Container

* Update hunting/linux/queries/persistence_via_pluggable_authentication_module.toml

* [Hunt Addition] System User Interactive Session

* Merge branch 'main' into new-hunts-PAM

* Updates

* ++

* Match RTA bin executor

---------

Co-authored-by: Shashank K S <Shashank.Suryanarayana@elastic.co>
 2025-01-07 14:29:17 +01:00
shashank-elastic 318ab3ffa0 Enhance Readability of KQL validation check failures (#4329) 2025-01-06 22:18:05 +05:30
shashank-elastic 52db5e0361 Monthly Refresh ECS & Beats schemas, Integration manifests & schemas. (#4332) 2025-01-06 21:48:11 +05:30
Samirbous 419e5c1ad3 [Tuning] Suspicious WMI Event Subscription Created (#4327) 
* Update persistence_sysmon_wmi_event_subscription.toml

* Update non-ecs-schema.json

* Update persistence_sysmon_wmi_event_subscription.toml

* Update detection_rules/etc/non-ecs-schema.json

* Update pyproject.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2025-01-06 09:40:26 -03:00
shashank-elastic 2ff2965cb9 Enhance Readability of validation check failures (#4299) 2024-12-13 19:03:47 +05:30
Terrance DeJesus 28ffebbf5c [New Hunt] Adding Hunting Query for AWS IAM Unusual AWS Access Key Usage for User (#4280) 
* new hunt 'AWS IAM Unusual AWS Access Key Usage for User'

* updated version

* updating markdown

* bumping version

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-12-12 14:56:20 -05:00
shashank-elastic 3fa3349216 Update versioning support for 8.17 (#4296) 2024-12-10 23:43:04 +05:30
github-actions[bot] 691126cd3d Lock versions for releases: 8.12,8.13,8.14,8.15,8.16,8.17 (#4295) 2024-12-10 21:43:29 +05:30
github-actions[bot] febdafa1f4 Lock versions for releases: 8.12,8.13,8.14,8.15,8.16,8.17 (#4291) 2024-12-09 21:38:33 +05:30
shashank-elastic 2c848c5111 Prep for Release 8.18 (#4288) 2024-12-09 18:25:13 +05:30
shashank-elastic d3c05a08cc Add all historical versions for v8.17.0 and above packages (#4279) 2024-12-03 23:36:32 +05:30
github-actions[bot] 86cc61c233 Lock versions for releases: 8.11,8.12,8.13,8.14,8.15,8.16 (#4274) 
* Locked versions for releases: 8.11,8.12,8.13,8.14,8.15,8.16

* Update detection_rules/etc/version.lock.json

* Update Patch version for version lock changes

---------

Co-authored-by: shashank-elastic <shashank-elastic@users.noreply.github.com>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Co-authored-by: Shashank K S <Shashank.Suryanarayana@elastic.co>
 2024-11-27 09:34:54 -05:00
shashank-elastic 04e1fc1436 Account for CCS '::' index pattern (#4258) 2024-11-13 11:17:08 +05:30
github-actions[bot] ebb3675ea0 Lock versions for releases: 8.11,8.12,8.13,8.14,8.15,8.16 (#4267) 2024-11-11 22:29:22 +05:30
Terrance DeJesus ef453d8f4d [Rule Tuning] Add Investigation Fields to Specific AWS Rules (#4261) 
* adding investigation fields to specific aws rules

* updated patch

* removing min-stack requirements

* removed user.name redundancy

* adjusted order of investigation fields

* adding source address
 2024-11-08 23:11:18 -05:00
github-actions[bot] ee10be70b9 Update ATT&CK coverage URL(s) in docs/ATT&CK-coverage.md (#4265) 2024-11-08 20:27:04 +05:30
shashank-elastic c2e0a9315c Fix extra new line in ATT&CK-coverage.md (#4263) 2024-11-08 20:13:21 +05:30
shashank-elastic d2502c7394 Prep for Release 8.17 (#4256) 2024-11-07 23:53:04 +05:30
Mika Ayenson 2ca746c4b4 [FR] Reset package version and push tag via ci (#4260) 2024-11-07 12:11:00 -06:00
Mika Ayenson 48a051e3f1 [FR] Fetch history for versioning workflow (#4259) 2024-11-07 11:57:33 -06:00
Mika Ayenson c615df680f [FR] Update the release versioning process and workflow (#4257) 2024-11-07 11:31:54 -06:00
Mika Ayenson d9154c698a [Testing] Update release-drafter.yml (#4255) 2024-11-06 16:21:05 -06:00
Mika Ayenson b2b92b0edc [Testing] Update release-drafter.yml (#4254) 2024-11-06 16:00:18 -06:00
Mika Ayenson c1ac8f0fae [FR] DRAFT Release Workflow on PR Merge (#4253) 2024-11-06 15:36:09 -06:00
Terrance DeJesus a92fdc18a1 [New Rule] Adding Coverage for AWS IAM Customer-Managed Policy Attached to Role by Rare User (#4245) 
* adding new rule 'AWS IAM Customer-Managed Policy Attached to Role by Rare User'

* adding investigation guide tag

* adds new hunting query

* updated notes

* changed name

* adjusting pyproject.toml version
 2024-11-06 13:36:13 -05:00
Mika Ayenson 77f42f1168 [FR] Add Versioning Processes to DR (#4223) 2024-11-06 08:14:50 -06:00
shashank-elastic b1e91ddb14 Add setuptools as project dependency (#4160) 2024-10-16 20:09:23 +05:30
Terrance DeJesus 50e23ba242 [Hunting] Re-factor Hunting Library Code (#4085) 
* updating python code for hunting library

* fixed okta queries; added MITRE search capability

* fixed hunting unit test imports

* fixed duplicate UUID; fixed duplicate index entry bug

* fixed technique finding sub-technique in search

* added more unit tests

* linted

* flake errors addressed; fixed unit test import; fixed markdown generate bug

* added description for generate-markdown command

* updated README

* adjusted YAML index, adjusted code for index changes

* adjusted relative imports; updated CODEOWNERS

* adding updates; moving to different branch for main dependencies

* finished run-query command; made some code adjustments

* removed some comments

* revised makefile; fixed unit tests; adjusted detection rules pyproject

* updated README

* updated README

* adjusted unit tests; adjusted hunt guidelines; updated makefile; adjusted several commands

* adjusted package to be more object-oriented

* removed unused variable

* Add simple breakdown stats

* addressed feedback; added keyword option for search

* Update hunting/README.md

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* Update detection_rules/etc/test_hunting_cli.bash

Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>

* addressing feedback

* addressed feedback

* added message for unknown index; fixed function call

* fixed search command

* fixed flake error

---------

Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
 2024-10-03 12:47:40 -04:00
shashank-elastic 9d019dcf26 Fix nodeenv version dependancy (#3715) 2024-05-29 18:52:34 +05:30
Mika Ayenson 78837549e8 [FR] Bundle KQL & Kibana libs into base dependencies (#3662) 2024-05-13 14:29:03 -05:00