security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
186 Commits 1 Branch 0 Tags
323c86d986a77f892f29936d1cf75fc14847f87f
Commit Graph

14 Commits

Author SHA1 Message Date
Mika Ayenson 1dfc8ca817 Release ER Production RTAs to DR (#2270) 
(cherry picked from commit 0358ec9d9a)
 2022-09-08 16:51:32 +00:00
Justin Ibarra fff6b51f6a Add test that newly introduced build-time fields for a min_stack for … (#2262) 
* add test that newly introduced build-time fields for a min_stack for applicable rules.

* account for rules without min_stack_version

* limit test to >= stack ver

(cherry picked from commit d37eac8d9d)
 2022-08-26 03:57:09 +00:00
Jonhnathan fe34eab37d Add TestRiskScoreMismatch (#2254) 
(cherry picked from commit b19a02470b)
 2022-08-25 17:30:46 +00:00
Mika Ayenson 62298d92f4 2058 add setup field to metadata (#2061) 
* Convert config header to setup in note field
* Parse note field into separate setup and note field with marko gfm
* only validate and parse note on elastic authored rules and add CLI description for new DR_BYPASS_NOTE_VALIDATION_AND_PARSE environment variable

Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>

Removed changes from:
- rules/cross-platform/impact_hosts_file_modified.toml
- rules/integrations/google_workspace/application_added_to_google_workspace_domain.toml
- rules/integrations/google_workspace/domain_added_to_google_workspace_trusted_domains.toml
- rules/integrations/google_workspace/google_workspace_admin_role_deletion.toml
- rules/integrations/google_workspace/google_workspace_mfa_enforcement_disabled.toml
- rules/integrations/google_workspace/google_workspace_policy_modified.toml
- rules/integrations/google_workspace/mfa_disabled_for_google_workspace_organization.toml
- rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml
- rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.toml
- rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml
- rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml
- rules/integrations/kubernetes/execution_user_exec_to_pod.toml
- rules/windows/credential_access_lsass_memdump_file_created.toml
- rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
- rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
- rules/windows/defense_evasion_suspicious_certutil_commands.toml
- rules/windows/execution_command_shell_started_by_svchost.toml

(selectively cherry picked from commit a52751494e)
 2022-07-18 21:25:32 +00:00
Justin Ibarra 179a3bd284 Add support for restricted fields (#2053) 
* Add support for restricted fields (fields valid only in min/max stack versions)
* add test to ensure rule backports wont exceed min compat

(cherry picked from commit cc01d3fb1a)
 2022-06-27 15:03:32 +00:00
Justin Ibarra 8564185a7d [Bug] resolves bug in Rule version methods (#2021) 
* [Bug] resolves bug in Rule version methods

* comment out unused code with notes

(cherry picked from commit 744f56d98e)
 2022-06-07 23:41:40 +00:00
Justin Ibarra c16442517e [Bug] Fix test_matrix_to_lock_version_defaults test (#2014) 
(cherry picked from commit e850f39526)
 2022-06-03 00:35:19 +00:00
Justin Ibarra 3a1a5fe12b Collapse unsupported previous version entries (#2013) 
* Collapse unsupported previous version entries
* drop the last entry in the matrix test

(cherry picked from commit f57950a3c9)
 2022-06-02 23:18:45 +00:00
Terrance DeJesus 220996b1b8 Prep for Creation of 8.4 Branch (#2001) 
* prepping for 8.4 branch

* adjusted schemas init file

* adjusted target matrix to only backport to 7.16, updated api schemas

* adjusted the lock-versions workflow to account for 7.16 and up support only

* Add test for version lock to schema map correlation

* decouple from static 7.13 references

* keep patch version for lock

* Update detection_rules/etc/packages.yml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>

Removed changes from:
- detection_rules/etc/packages.yml

(selectively cherry picked from commit 35b1a69ff5)
 2022-06-02 18:59:56 +00:00
Mika Ayenson 3988b2ed5e Skip previous validation on pre/post load/dump (#1942) 
* Build out the dataclasses for a base entry and version lock explicitly
* Ensure previous field does not have a nested previous
* Test validation on version lock for previous fields.

(cherry picked from commit e1266a6fd3)
 2022-05-25 17:36:12 +00:00
Mika Ayenson cc8af968e3 Move etc under detection_rules (#1885) 
* Move etc directory under detection_rules
* Prepend original `etc` path with `detection_rules`
* Update docstrings in util and CODEOWNERS
* Add resiliency to tags to account for the old directory structure
* Bug fix: remove unused param caused by commit 6ed1a39efe

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Removed changes from:
- etc/packages.yml

(selectively cherry picked from commit 6219fc06b9)
 2022-05-02 14:13:36 +00:00
AbdelMoumene-Hadfi 043ff67b42 [eql2kql] fix wildcard bug (#1507) 
* [eql2kql] fix wildcard bug
* add test for wildcards

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

(cherry picked from commit 15faf34a2f)
 2022-04-22 03:46:38 +00:00
Justin Ibarra eeb8ab7744 Expand timestamp override tests (#1907) 
* Expand timestamp_override tests
* removed timestamp_override from eql sequence rules
* add config entry for eql rules with beats index and t_o
* add timestamp_override to missing fields

Removed changes from:
- rules/cross-platform/impact_hosts_file_modified.toml
- rules/windows/credential_access_lsass_memdump_file_created.toml
- rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
- rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
- rules/windows/defense_evasion_suspicious_certutil_commands.toml
- rules/windows/execution_command_shell_started_by_svchost.toml

(selectively cherry picked from commit 6bdfddac8e)
 2022-04-01 23:28:54 +00:00
Colson Wilhoit 150ff0502e Linux Shell Evasion Rule Tuning (#1878) 
* Linux Shell Evasion Rule Tuning

* Update execution_python_tty_shell.toml

* Update rules/linux/execution_apt_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_apt_binary.toml

* Update rules/linux/execution_awk_binary_shell.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_awk_binary_shell.toml

* Update rules/linux/execution_c89_c99_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_c89_c99_binary.toml

* Update rules/linux/execution_cpulimit_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_cpulimit_binary.toml

* Update rules/linux/execution_expect_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_expect_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_expect_binary.toml

* Update rules/linux/execution_find_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_find_binary.toml

* Update rules/linux/execution_gcc_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_gcc_binary.toml

* Update rules/linux/execution_mysql_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_mysql_binary.toml

* Update rules/linux/execution_nice_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_nice_binary.toml

* Update rules/linux/execution_ssh_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_ssh_binary.toml

* Update execution_perl_tty_shell.toml

* Update execution_python_tty_shell.toml

* Update rules/linux/execution_apt_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_awk_binary_shell.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_c89_c99_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_cpulimit_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_expect_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_find_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_gcc_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_mysql_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_nice_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_ssh_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2022-03-29 21:03:35 -04:00