Eric Forte
aad0e4ed11
Fix percentages (#6002)
2026-05-01 19:13:53 -04:00
Mika Ayenson, PhD
cc66323d1d
[Bug] Omit ES|QL engine columns from required_fields (#6027)
* Omit Esql.* columns from ES|QL rule required_fields
Kibana treats required_fields as index mappings. ES|QL stats and
similar commands expose Esql.* and Esql_priv.* result columns that
are not mapped on source indices, which produced noisy validation
warnings for shipped rules.
Filter those names when building required_fields. Add a check in
test_esql_endpoint_alerts_index when remote ES|QL validation runs.
Fixes #6026.
* Move required_fields check to its own remote test
* Iterate production rules in required_fields test
* Use direct get_required_fields call in remote test
Skip to_api_format() and call data.get_required_fields(index) directly,
gated on ESQLRuleData. Mirrors the ESQLValidator scope of the fix and
avoids the unrelated packaging steps that to_api_format runs per rule.
* Bump version to 1.6.30
* Centralize ES|QL dynamic field prefix tuple
Define ESQL_DYNAMIC_FIELD_PREFIXES = ("Esql.", "Esql_priv.") in
schemas/definitions.py and reuse it in QueryValidator.get_required_fields,
ESQLValidator.validate_columns_index_mapping, and the remote test.
Single source of truth and consistent ordering across the codebase.
2026-05-01 17:37:31 -05:00
Eric Forte
f7387bb10d
[FR] [DAC] Add Exception Duplication Checking (#5689)
* Add Exception Duplication Checking
2026-04-29 08:57:07 -04:00
github-actions[bot]
cb3c342b31
Lock versions for releases: 8.19,9.2,9.3,9.4 (#5998)
2026-04-29 00:52:04 +05:30
wingiti
0f521a0848
Fix value lists within exception lists (#5963)
* Fix value lists within exception lists
2026-04-24 12:23:06 -04:00
Mika Ayenson, PhD
b6886f310c
[FR] Add enforcement for deprecated_reason (#5953)
2026-04-23 17:15:47 +05:30
github-actions[bot]
2dac152094
Lock versions for releases: 8.19,9.2,9.3,9.4 (#5972)
* Locked versions for releases: 8.19,9.2,9.3,9.4
---------
Co-authored-by: shashank-elastic <shashank-elastic@users.noreply.github.com>
2026-04-22 20:15:10 -04:00
Eric Forte
2029654e79
ESQL validation support fix (#5970)
2026-04-22 16:52:37 -04:00
shashank-elastic
7a54f8be99
Prep for Release 9.4 (#5965)
2026-04-23 00:13:05 +05:30
Mika Ayenson, PhD
876e4ed535
[Bug] Fix Kibana version parsing for package version (#5962)
* [Bug] Fix kibana version parsing for package version
---------
Co-authored-by: Shashank K S <Shashank.Suryanarayana@elastic.co>
2026-04-22 11:25:06 -04:00
Susan
d8a39869c5
Add Entity related integrations ML rules with _ea job IDs and min_stack_version 9.4.0 (#5909)
Co-authored-by: Shashank K S <Shashank.Suryanarayana@elastic.co>
2026-04-22 17:36:35 +05:30
Eric Forte
9736407ef3
[FR] [DAC] Initial Yaml Support (#5821)
* Initial Yaml Support
2026-04-10 11:29:15 -04:00
Eric Forte
984be4a1ac
[Bug] Small bugfix to address update navigator edge case (#5942)
* [Bug] Small bugfix to address update navigator edge case
2026-04-10 08:53:56 -04:00
Eric Forte
1503976d10
[FR] Load ECS mapping based on supplied stack version (#5925)
* Load ECS mapping based on supplied stack version
2026-04-09 12:40:10 -04:00
github-actions[bot]
c601edfbb3
Lock versions for releases: 8.19,9.1,9.2,9.3 (#5930)
2026-04-08 19:44:16 +05:30
github-actions[bot]
88bc42265f
Lock versions for releases: 8.19,9.1,9.2,9.3 (#5926)
2026-04-07 17:45:00 +05:30
Terrance DeJesus
48128c1c66
[Rule Tuning] Entra ID Illicit Consent Grant via Registered Application - Fix New Terms Field (#5894)
* [Rule Tuning] Entra ID Illicit Consent Grant via Registered Application - Fix New Terms Field
Fixes #5893
* adding non-admin consented filter
* converting to ESQL
* additional query adjustments
* adjusted query KEEP
* updating non-ecs
* Apply suggestion from @terrancedejesus
2026-04-06 09:40:21 -04:00
shashank-elastic
199a4d6160
Monthly Manifest and Schema Updation (#5920)
2026-04-06 17:35:33 +05:30
github-actions[bot]
d9890db6ff
Lock versions for releases: 8.19,9.1,9.2,9.3 (#5888)
* Locked versions for releases: 8.19,9.1,9.2,9.3
* Update pyproject.toml
---------
Co-authored-by: Mikaayenson <Mikaayenson@users.noreply.github.com>
2026-03-26 12:31:50 -05:00
Terrance DeJesus
cd19b25485
[New Rule] M365 Azure Monitor Alert Email with Financial or Billing Theme (#5878)
* [New Rule] M365 Azure Monitor Alert Email with Financial or Billing Theme
Fixes #5877
* adding microsoft_exchange_online_message_trace to manifests/schemas; bumping patch
* updated mitre
* Update rules/integrations/microsoft_exchange_online_message_trace/initial_access_azure_monitor_callback_phishing_email.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
* bumping patch
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
2026-03-26 10:50:15 -05:00
Eric Forte
75ffa5ec4e
[FR] [DaC] Add fine-grained bypass env var for ES|QL keep and metadata validation (#5869)
* Add fine grain 'keep' req bypass
* Add metadata bypass
2026-03-24 14:36:45 -04:00
github-actions[bot]
b14dec9efa
Lock versions for releases: 8.19,9.1,9.2,9.3 (#5875)
2026-03-23 23:45:25 +05:30
Mika Ayenson, PhD
ade7de7be4
[New Rules] External Promotion Alert for IBM QRadar (#5843)
2026-03-20 14:42:43 -05:00
Davis Plumlee
cb5b89f83e
[FR] Includes deprecated rule stubs to the package for upstream testing (#5813)
* adds scripting to include deprecated rule stubs in package
* remove deprecated manifest from package
* adds 9.4 gate
* bump version
* fix merge conflict
* test
* revert commit hash
* adds deprecated_reason logic from comment
* fix lint error
* fix lint error
* fix formatting
* test
* revert commit hash
* Update detection_rules/packaging.py
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
2026-03-18 14:34:25 -05:00
Ruben Groenewoud
8b140d5811
[Rule Tuning] Added Traefik Compatibility to Web Server Access Rules (#5837)
* [Rule Tuning] Added Traefik Compatibility to Web Server Access Rules
* ++
* Bump pyproject.toml
* Bump pyproject.toml
2026-03-17 17:28:47 +01:00
Terrance DeJesus
937a7a35e6
[New Rule] Azure Arc Kubernetes Cluster Connect Abuse (#5824)
* [New Rule] Azure Arc Kubernetes Cluster Connect Abuse
Fixes #5823
* rename, adjusted query
* adding KEEP *
* adjusting maturity
* added to non-ecs schema
* updating rule
* addressing unit test failures
* adjustments to logic, mitre mappings, unit test failures, etc.
* Update rules/integrations/azure/initial_access_azure_arc_cluster_credential_access_unusual_source.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
2026-03-17 11:06:47 -04:00
Mika Ayenson, PhD
49c9c283e6
[FR] Reset deprecated lock to the latest state during lock (#5827)
2026-03-16 17:04:56 -05:00
Eric Forte
57bf1546dd
[Bug] [DAC] Add filtering to export-rules-from-repo (#5769)
* Add filtering to export-rules-from-repo
2026-03-10 13:03:52 -04:00
github-actions[bot]
61211a2670
Lock versions for releases: 8.19,9.1,9.2,9.3 (#5820)
2026-03-10 18:49:55 +05:30
github-actions[bot]
87badac5a0
Lock versions for releases: 8.19,9.1,9.2,9.3 (#5818)
2026-03-10 15:33:16 +05:30
Eric Forte
26d37dd62e
[Bug] Ignore Other Keep Wildcards (#5792)
* Ignore other Keep Wildcards
* Added a unit test for multiple keeps
* Add keep star unit tests
2026-03-09 19:33:27 -04:00
shashank-elastic
e08f234b1c
Monthly Manifest and Schema Updation (#5816)
* Monthly Manifest and Schema Updation
* Update Patch Version
2026-03-09 08:15:06 -05:00
Terrance DeJesus
5ecbc0f0b9
[New Rule] Microsoft 365 SharePoint/OneDrive Sensitive Search and File Access (#5777)
* [New Rule] Microsoft 365 SharePoint/OneDrive Sensitive Search and File Access
Fixes #5776
* adjusting UUIDs
* added additional strings
* adjusted investigation guide
* fixed mitre mappings
* fixed mitre mappings
* Apply suggestion from @terrancedejesus
2026-02-26 14:29:14 -05:00
Terrance DeJesus
71c461d867
[New Rule] M365 MFA Notification Email Deleted or Moved (#5779)
* [New Rule] M365 MFA Notification Email Deleted or Moved
Fixes #5778
* updated non-ecs
* adjusted rule name
* Apply suggestion from @terrancedejesus
2026-02-26 13:21:08 -05:00
Terrance DeJesus
8593116f58
[New Rule] Okta User Authentication via Proxy Followed by Security Alert (#5752)
* [New Rule] Okta User Authentication via Proxy Followed by Security Alert
Fixes #5751
* adjusted to EQL
* fixed syntax
* Update rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
* removed defense evasion; adjusted maxspan to 30m
* removed Okta tag
* adding Okta back as integration tag
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
2026-02-26 11:32:25 -05:00
Terrance DeJesus
04ad018f27
[Rule Tuning] M365 OneDrive/SharePoint Excessive File Downloads (#5767)
* [Rule Tuning] M365 OneDrive/SharePoint Excessive File Downloads
Fixes #5766
* updated non-ecs
* fixing keep command
2026-02-26 10:38:59 -05:00
Terrance DeJesus
201660af36
[Bug] Adding Deprecated Rules to Rules Package Breaks Current Package Build (#5773)
* applying patch fix for historical rules and deprecated JSON object
---------
Co-authored-by: eric-forte-elastic <eric.forte@elastic.co>
2026-02-24 13:54:46 -05:00
github-actions[bot]
92a379e034
Lock versions for releases: 8.19,9.1,9.2,9.3 (#5765)
2026-02-24 18:49:27 +05:30
Eric Forte
5adc118f92
[Bug] ES|QL Validation Add Reverse Lookup Check Against Kibana Value (#5747)
* Add reverse lookup check against Kibana value
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
2026-02-20 15:29:51 -05:00
Mika Ayenson, PhD
a1c3267529
[FR] Add deprecated file to release for upstream testing (#5749)
2026-02-20 14:16:27 -06:00
Terrance DeJesus
f773103519
[Rule Tuning] Entra ID Federated Identity Credential Persistence Detection (#5702)
* [Rule Tuning] Entra ID Federated Identity Credential Persistence Detection
Fixes #5701
* updated mitre mapping ID
* adjusted mitre mappings; non-ecs schema file
* fixed trailing comma in non-ecs; adjusted file name
* adjusted file name; fixed non-ecs schema for upstream ESQL validation
* Apply suggestion from @terrancedejesus
* Apply suggestion from @terrancedejesus
* changed lookback to 9 minutes; adjusted keep values
* added setup; added tag
2026-02-19 15:58:12 -05:00
Terrance DeJesus
63f76cf004
[Rule Tuning] Entra ID SharePoint Accessed by Unusual User and Microsoft Authentication Broker Client (#5681)
* [Rule Tuning] Transform Dormant SharePoint Rule to Detect OAuth Phishing
Fixes #5680
* adjusted query format for unit test; added additional domain tag for storage
* Apply suggestion from @terrancedejesus
* Fix formatting in non-ecs-schema.json
* adjusted description
* re-order mappings
2026-02-19 10:09:15 -05:00
Terrance DeJesus
62cc9f105d
[Rule Tuning] Okta User Assigned Administrator Role (#5671)
Fixes #5670
2026-02-12 09:33:25 -05:00
Eric Forte
f306404fe5
[Bug] CLI adds frequency field to system actions (.cases), causing import failure (#5690)
* No frequency field to cases
2026-02-11 15:18:20 -05:00
Eric Forte
f74c04d11a
[Bug] ESQL validation keep Clause Reported Missing Metadata Fields (#5717)
* Update Keep Field to Handle Comments
* Update for handling inline comments
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2026-02-11 15:02:23 -05:00
github-actions[bot]
df9c27d82e
Lock versions for releases: 8.19,9.1,9.2,9.3 (#5708)
2026-02-10 11:14:23 +05:30
shashank-elastic
70d7f2b6b1
Monthly Manifest and Schema Updation (#5697)
2026-02-10 09:17:04 +05:30
Ruben Groenewoud
64a08cd6af
[New Rules] Misc. K8s RBAC Abuse Rules (#5673)
* Updated kubernetes.audit.requestObject.spec.containers.image type of text to Keyword
* [New Rules] Misc. K8s RBAC Abuse Rules
* --
* Update non-ecs-schema
* Update to make unit tests happy
* Mitre mapping updates
* Fix query logic for service account role bindings
* Fix formatting in persistence_service_account_bound_to_clusterrole rule
2026-02-05 17:42:03 +01:00
Ruben Groenewoud
694376bd7a
[Bug] Fix UTF-8 Encoding for Rule File Operations (#5684)
* Updated kubernetes.audit.requestObject.spec.containers.image type of text to Keyword
* [Bug] Fix UTF-8 Encoding for Rule File Operations
2026-02-05 14:21:30 +01:00
Samirbous
362c459094
[New] Multiple Machine Learning Alerts by Influencer Field (#5660)
* [New] Multiple Machine Learning Alerts by Influencer Field
This rule uses alerts data to determine when multiple different machine learning alerts involving the same influencer field are triggered. Analysts can use this to prioritize triage and response, as these entities are more likely to be more suspicious.
* Update multiple_machine_learning_jobs_by_entity.toml
* Update multiple_machine_learning_jobs_by_entity.toml
* Update non-ecs-schema.json
* Update multiple_machine_learning_jobs_by_entity.toml
* Update non-ecs-schema.json
2026-02-04 12:25:59 +00:00