security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity
2,678 Commits 1 Branch 0 Tags
2d2c5b4d8859a68265fc34f3b99cf9f8d4a947a6
Commit Graph

87 Commits

Author SHA1 Message Date
Eric Forte 2d2c5b4d88 [Bug] Update Custom Rules Markdown Location (#4565) 
* Update to custom-rules markdown location

* bump version

* Update link reference
 2025-03-26 10:00:52 -04:00
Sergey Polzunov 65170c394b fix: removing outdated code in Kibana client auth (#4495) 
* Simplify kibana session management

* Drop removed options from `kibana_args` set

* Style fix

* Patch version bump

* Bumping kibana lib version

* Relax CLI requirement, making `api_key` optional, to allow `help` to run
 2025-03-24 12:28:36 +01:00
Terrance DeJesus db78756062 [New Rule] Adding Coverage for DynamoDB Exfiltration Behaviors (#4535) 
* new rules for AWS DynamoDB data exfiltration

* bumping patch version

* adjusting investigation guide

* updating patch version

* updating patch version

* updating patch version

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2025-03-21 10:05:24 -04:00
shashank-elastic 059d7efa25 Prep for Release 9.0 (#4550) 2025-03-20 20:32:07 +05:30
Eric Forte 5ccb7ed4af Min stack rules from 4516 (#4549) 2025-03-19 20:27:30 -04:00
Eric Forte 5b3dc4a4a7 Revert "Add new ML detection rules for Privileged Access Detection (#4516)" (#4548) 
This reverts commit 2ff8d1bb56.
 2025-03-19 20:08:08 -04:00
Kirti Sodhi 2ff8d1bb56 Add new ML detection rules for Privileged Access Detection (#4516) 
Add detection-rules for privileged access detection integration
 2025-03-19 11:02:28 -04:00
Eric Forte 40a97f719f Temporaily Disable Changed FIles Workflow (#4538) 
* Temporaily Disable Changed FIles Workflow

* bump version
 2025-03-14 23:42:48 -04:00
github-actions[bot] a64b6a39a7 Lock versions for releases: 8.12,8.13,8.14,8.15,8.16,8.17 (#4531) 2025-03-12 19:02:53 +05:30
github-actions[bot] 02be7cac0a Update ATT&CK coverage URL(s) in docs-dev/ATT&CK-coverage.md (#4530) 2025-03-12 12:49:43 +05:30
Eric Forte 4deb6a73b8 [FR] [DaC] Update Readme with DaC Support References (#4526) 
* Update Readme with DaC Support References

* Patch bump

* Call out DaC Pipeline support
 2025-03-10 21:24:12 -04:00
Eric Forte eadcd9d3e0 [FR] Add Env Var DR_CLI_MAX_WIDTH and DaC Docs Updates (#4518) 
* Add Env Var DR_CLI_MAX_WIDTH

* Version Bump

* Update limit from 120 to 240

* Clean references to reference main

* Update Readme with DaC Info

* Add DaC to Table of Contents

* Bump Patch Version

* Updated naming and add dac md

* Organize Imports

* Deprecate upload-rule

* Update docs/detections-as-code.md

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* move docs to docs-dev

* Sort custom rules imports

* Remove duplicate

* Fix typo

* Bump Patch Version

---------

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
 2025-03-10 12:59:12 -04:00
Sergey Polzunov 3bdda091e1 chore: use docs-dev instead of docs dir for docs (#4522) 
* chore: use `docs-dev` instead of `docs` folder

* patch version bump

* Rollback an incorrect rename

* Use exact docs dir in the helper comment

* Revert some overeager renamings

* Moving `docs` to `docs-dev`

* Update Docs Paths

---------

Co-authored-by: eric-forte-elastic <eric.forte@elastic.co>
 2025-03-07 14:34:51 +01:00
Sergey Polzunov 5f54eb8006 chore: Removing RTAs (#4437) 
* Delete RTAs

* Delete RTA-related orchestration code

* Drop RTAs from tests

* Remove RTAs from README

* Further cleanup

* Readme update

* Version bump and no more RTAs

* Styling fixes

* Drop RTAs from config files

* Drop `rule-mapping.yaml`

* Bring back event collector / normalizer

* Drop rta mention

* Cleanup rta leftovers

* Style fix

---------

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
 2025-03-05 12:35:57 +01:00
Eric Forte 4b8676c586 [Bug] [DaC] Fix Typo in CLI.md (#4491) 
* Fix Typo in CLI.md
 2025-02-24 10:15:19 -05:00
shashank-elastic 66996ac597 Fix typo in error message (#4489) 2025-02-24 20:16:43 +05:30
Terrance DeJesus ec4523a6a9 [Rule Tuning] Expanding coverage for First Occurrence of Entra ID Auth via DeviceCode Protocol (#4466) 
* rule tuning 'First Occurrence of Entra ID Auth via DeviceCode Protocol'

* bumping patch version

* fixed investigation guide unit test failure

* bump patch
 2025-02-20 10:29:04 -05:00
Jonhnathan c0f12ddecf [Rule Tuning] Tighten Up Windows EventLog Indexes, Improve tags (#4464) 
* [Rule Tuning] Tighten Up Windows EventLog Indexes, Improve tags

* Format & order

* Update pyproject.toml

* Update credential_access_cookies_chromium_browsers_debugging.toml
 2025-02-19 12:54:31 -03:00
github-actions[bot] bd62867465 Lock versions for releases: 8.12,8.13,8.14,8.15,8.16,8.17 (#4463) 2025-02-17 18:27:01 +05:30
shashank-elastic aded9deb79 Modify Unit Test to Support Alert Suppression for EQL Sequences (#4457) 2025-02-14 00:14:28 +05:30
github-actions[bot] 2bf4cf0b2a Lock versions for releases: 8.12,8.13,8.14,8.15,8.16,8.17 (#4453) 2025-02-07 21:41:29 +05:30
Sergey Polzunov a650b028f3 Bumping number of versions per rule to 4 in total (#4451) 
* Bumping number of versions per rule to 4 in total

* Add explicit caps

* Simpler comment

* Renaming constants

* Drop to 8.17 again

* Clearer constants

* Drop if condition and extend the comment

* Shorten the lines

* Version bump

---------

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2025-02-07 16:28:36 +01:00
github-actions[bot] 1dfb05ec1c Lock versions for releases: 8.12,8.13,8.14,8.15,8.16,8.17 (#4442) 2025-02-04 00:05:59 +05:30
shashank-elastic 818467f132 Replace master doc URLs with current (#4439) 2025-02-03 21:27:50 +05:30
shashank-elastic aba793f3e5 Add prerelease version Integration manifests & schemas for sentinel_one_cloud_funnel (#4438) 2025-02-03 09:15:14 -05:00
shashank-elastic 350474b7b4 Refresh ECS & Beats schemas, Integration manifests & schemas (#4436) 2025-02-03 19:18:49 +05:30
Terrance DeJesus bf1caf8b5f [Rule Tuning] December-January AWS Rule Tuning (#4425) 
* [Rule Tuning] AWS Monthly Rule Tunings

* Adding several more AWS tunings

* updating patch version

* updating non-ecs type to boolean

* fixed cloudtrail index
 2025-01-31 10:35:18 -05:00
Mika Ayenson fe8c81d762 [FR] Generate investigation guides (#4358) 2025-01-22 11:17:38 -06:00
github-actions[bot] 8093655f76 Lock versions for releases: 8.12,8.13,8.14,8.15,8.16,8.17 (#4400) 2025-01-21 19:35:57 +05:30
github-actions[bot] 9b8b917598 Update ATT&CK coverage URL(s) in docs/ATT&CK-coverage.md (#4398) 2025-01-21 17:32:14 +05:30
Eric Forte 2ea674ce84 [Bug] [DaC] Metadata maturity field default mismatch and poor enforcement of rule naming conventions (#4285) 
* Add stub for solution

* Add date and maturity logic

* Add date and maturity logic

* Version Bump

* Remove Date Inheritance

* Remove Datetime import
 2025-01-17 12:16:32 -05:00
Terrance DeJesus 5162067a51 [New Rule] Adding Coverage for Unusual AWS S3 Object Encryption with SSE-C (#4377) 
* new rule 'Unusual AWS S3 Object Encryption with SSE-C'

* updated pyproject patch version

* bump repo version

* Update rules/integrations/aws/impact_s3_unusual_object_encryption_with_sse_c.toml

* updating patch version

* updating patch version

* Adding additional threshold rule
 2025-01-15 14:11:58 -05:00
Terrance DeJesus 97b3f43870 [New Rule] Adding Coverage for AWS EC2 Deprecated AMI Discovery (#4328) 
* new rule 'AWS EC2 Deprecated AMI Discovery'

* updated type

* updated non-ecs; bumped package version

* updated query

* added missing index

* updated patch version
 2025-01-15 11:53:18 -05:00
shashank-elastic 32f596629d Provide Deprecate Warnings for Experimental ML commands (#4365) 2025-01-15 21:53:16 +05:30
Eric Forte cc00963fc3 [Bug] [DaC] Actions Connector Defaults to None (#4376) 
* Add explicit calls to pass directories

* Bump Version
 2025-01-15 09:31:23 -05:00
Ruben Groenewoud e822af47a4 [Hunt Tuning] Persistence via SSH Configurations and/or Keys (#4351) 
* [Hunt Tuning] Persistence via SSH Configurations and/or Keys

* ++

* Revert "Merge branch 'main' into hunt-update-ssh-authorized-keys"

This reverts commit 2b31a3bb49e51a4c9f4752ad6880c3f398032b4e, reversing
changes made to 263ffd5eb98f53282850b4f777df4091f3f03926.

* ++

* Update pyproject.toml
 2025-01-13 16:53:09 +01:00
Terrance DeJesus 46637f38a4 maintenance repository config update pt 4 (#4364) 2025-01-09 18:05:55 -05:00
Terrance DeJesus ad180777cf [Maintenance] Repository Config Update (#4359) 
* updating tokens

* bumped patch

* updated navigator gist ID

* updated naming

* Update .github/workflows/manual-backport.yml

* updated navigator url

* updated noreply email

* updated naming

* Update .github/workflows/manual-backport.yml

Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>

* updating README

* updated gist token

* replaced guidelines token with GITHUB_TOKEN

---------

Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
 2025-01-09 16:35:18 -05:00
github-actions[bot] 47571956a7 Lock versions for releases: 8.12,8.13,8.14,8.15,8.16,8.17 (#4347) 2025-01-07 22:54:34 +05:30
github-actions[bot] 2edc062b53 Update ATT&CK coverage URL(s) in docs/ATT&CK-coverage.md (#4344) 2025-01-07 22:13:30 +05:30
Ruben Groenewoud a2b280a6fd [New Hunts] Adding Several Hunting PRs into this Main PR (#4342) 
* [New Hunt] Linux PAM Persistence

* Fixed notes

* [New Hunt] Persistence via Dynamic Linker Hijacking

* [New Hunt & Tuning] Persistence via LKMs

* [New Hunt] Persistence via Web Shells

* Update query

* [New Rule] Persistence via DPKG/RPM Package

* [New Hunt] Persistence via Container

* Update hunting/linux/queries/persistence_via_pluggable_authentication_module.toml

* [Hunt Addition] System User Interactive Session

* Merge branch 'main' into new-hunts-PAM

* Updates

* ++

* Match RTA bin executor

---------

Co-authored-by: Shashank K S <Shashank.Suryanarayana@elastic.co>
 2025-01-07 14:29:17 +01:00
shashank-elastic 318ab3ffa0 Enhance Readability of KQL validation check failures (#4329) 2025-01-06 22:18:05 +05:30
shashank-elastic 52db5e0361 Monthly Refresh ECS & Beats schemas, Integration manifests & schemas. (#4332) 2025-01-06 21:48:11 +05:30
Samirbous 419e5c1ad3 [Tuning] Suspicious WMI Event Subscription Created (#4327) 
* Update persistence_sysmon_wmi_event_subscription.toml

* Update non-ecs-schema.json

* Update persistence_sysmon_wmi_event_subscription.toml

* Update detection_rules/etc/non-ecs-schema.json

* Update pyproject.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2025-01-06 09:40:26 -03:00
shashank-elastic 2ff2965cb9 Enhance Readability of validation check failures (#4299) 2024-12-13 19:03:47 +05:30
Terrance DeJesus 28ffebbf5c [New Hunt] Adding Hunting Query for AWS IAM Unusual AWS Access Key Usage for User (#4280) 
* new hunt 'AWS IAM Unusual AWS Access Key Usage for User'

* updated version

* updating markdown

* bumping version

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-12-12 14:56:20 -05:00
shashank-elastic 3fa3349216 Update versioning support for 8.17 (#4296) 2024-12-10 23:43:04 +05:30
github-actions[bot] 691126cd3d Lock versions for releases: 8.12,8.13,8.14,8.15,8.16,8.17 (#4295) 2024-12-10 21:43:29 +05:30
github-actions[bot] febdafa1f4 Lock versions for releases: 8.12,8.13,8.14,8.15,8.16,8.17 (#4291) 2024-12-09 21:38:33 +05:30
shashank-elastic 2c848c5111 Prep for Release 8.18 (#4288) 2024-12-09 18:25:13 +05:30