sigma-rules

security-tools/sigma-rules

Fork 0

Commit Graph

Author	SHA1	Message	Date
Mika Ayenson, PhD	8993d1450b	[Rule Tuning] Add Supplemental Mitre Mappings (#5876 ) --------- Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co> Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Co-authored-by: eric-forte-elastic <eric.forte@elastic.co>	2026-04-01 09:12:42 -05:00
Colson Wilhoit	49b660a135	[New Rules] New Terms rules for malicious Python/Pickle model activity on macOS (#5780 ) * [New Rules] New Terms rules for malicious Python/Pickle model activity on macOS Adds three new_terms SIEM detection rules to close the detection gap identified in ia-trade-team#666 where malicious pickle/PyTorch model files execute arbitrary commands via Python deserialization without triggering existing GenAI-parent-gated endpoint rules. Co-authored-by: Cursor <cursoragent@cursor.com> * Address PR feedback: broaden descriptions and simplify process.name - Update descriptions across all three rules to not over-attribute to pickle/PyTorch — these rules detect any malicious Python activity (scripts, compromised dependencies, model deserialization, etc.) - Simplify process.name from explicit enumeration to python* wildcard since KQL matching is case-insensitive - Update investigation guides to reflect broader scope of potential attack vectors Made-with: Cursor * Apply suggestion from @DefSecSentinel * Apply suggestion from @DefSecSentinel * Apply suggestion from @DefSecSentinel --------- Co-authored-by: Cursor <cursoragent@cursor.com>	2026-03-17 10:59:08 -05:00

Author

SHA1

Message

Date

Mika Ayenson, PhD

8993d1450b

[Rule Tuning] Add Supplemental Mitre Mappings (#5876 )

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: eric-forte-elastic <eric.forte@elastic.co>

2026-04-01 09:12:42 -05:00

Colson Wilhoit

49b660a135

[New Rules] New Terms rules for malicious Python/Pickle model activity on macOS (#5780 )

* [New Rules] New Terms rules for malicious Python/Pickle model activity on macOS

Adds three new_terms SIEM detection rules to close the detection gap identified in ia-trade-team#666 where malicious pickle/PyTorch model files execute arbitrary commands via Python deserialization without triggering existing GenAI-parent-gated endpoint rules.

Co-authored-by: Cursor <cursoragent@cursor.com>

* Address PR feedback: broaden descriptions and simplify process.name

- Update descriptions across all three rules to not over-attribute to
  pickle/PyTorch — these rules detect any malicious Python activity
  (scripts, compromised dependencies, model deserialization, etc.)
- Simplify process.name from explicit enumeration to python* wildcard
  since KQL matching is case-insensitive
- Update investigation guides to reflect broader scope of potential
  attack vectors

Made-with: Cursor

* Apply suggestion from @DefSecSentinel

* Apply suggestion from @DefSecSentinel

* Apply suggestion from @DefSecSentinel

---------

Co-authored-by: Cursor <cursoragent@cursor.com>

2026-03-17 10:59:08 -05:00

2 Commits