sigma-rules

Author	SHA1	Message	Date
Ruben Groenewoud	578e86eeae	[Tuning] event.action and event.type change (#3495 ) Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> Removed changes from: - rules/linux/discovery_process_capabilities.toml - rules/linux/privilege_escalation_enlightenment_window_manager.toml - rules/linux/privilege_escalation_gdb_sys_ptrace_elevation.toml - rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml - rules/linux/privilege_escalation_suspicious_chown_fowner_elevation.toml - rules/linux/privilege_escalation_suspicious_uid_guid_elevation.toml - rules_building_block/discovery_capnetraw_capability.toml - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (selectively cherry picked from commit `9f8638a004`)	2024-03-13 09:16:15 +00:00
Jonhnathan	b1989a921b	[Security Content] Small tweaks on the setup guides (#3308 ) * [Security Content] Small tweaks on the setup guides * Additional Fixes * Avoid touching deprecated rules Removed changes from: - rules/integrations/beaconing/command_and_control_beaconing.toml - rules/integrations/beaconing/command_and_control_beaconing_high_confidence.toml - rules/linux/discovery_process_capabilities.toml - rules/linux/privilege_escalation_dac_permissions.toml - rules/linux/privilege_escalation_enlightenment_window_manager.toml - rules/linux/privilege_escalation_gdb_sys_ptrace_elevation.toml - rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml - rules/linux/privilege_escalation_suspicious_chown_fowner_elevation.toml - rules/linux/privilege_escalation_suspicious_uid_guid_elevation.toml - rules_building_block/discovery_capnetraw_capability.toml - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (selectively cherry picked from commit `458e67918a`)	2024-03-11 12:14:53 +00:00
shashank-elastic	9c271c6591	Enhance Setup Guide information (#3256 ) (cherry picked from commit `d52546eee5`)	2023-11-03 13:41:40 +00:00
Ruben Groenewoud	9b2e74b220	[Rule Tuning] Linux Rules (#3092 ) * [Rule Tuning] [WIP] Linux DR * Update defense_evasion_binary_copied_to_suspicious_directory.toml * Fixed tag * Added additional tuning * unit test fix * Additional tuning * tuning * added max signals * Added max_signals=1 to brute force rules * Cross-Platform Tuning * Small fix * new_terms conversion * typo * new_terms conversion * Ransomware rule tuning * performance tuning * new_terms conversion for auditd_manager * tune * Need coffee * kql/eql stuff * formatting improvement * new_terms sudo hijacking conversion * exclusion * Deprecations that were added last tuning * Deprecations that were added last tuning * Increased max timespan for brute force rules * version bump * added domain tag * Two tunings * More tuning * Additional tuning * updated_date bump * query optimization * Tuning * Readded the exclusions for this one * Changed int comparison * Some tunings * Update persistence_systemd_scheduled_timer_created.toml * Update rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * [New Rule] Potential curl CVE-2023-38545 Exploitation * Revert "[New Rule] Potential curl CVE-2023-38545 Exploitation" This reverts commit 9c04d1b53d3d63678289f43ec0c7b617d26f1ce0. * Update rules/cross-platform/command_and_control_non_standard_ssh_port.toml * Update rules/linux/command_and_control_cat_network_activity.toml * Update persistence_message_of_the_day_execution.toml * Changed max_signals * Revert "Merge branch 'main' into rule-tuning-ongoing-dr" This reverts commit 1106b5d2eba1a3529eff325226d6baabfd4b0bf3, reversing changes made to 5ff510757f25b0cb32e1ef18e9e2c34c8ec325a8. * Revertable merge * Update defense_evasion_ld_preload_env_variable_process_injection.toml * File name change --------- Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> (cherry picked from commit `020fff3aea`)	2023-10-23 14:34:55 +00:00
shashank-elastic	60475f6aa0	Move Setup information into setup filed (#3206 ) (cherry picked from commit `7254c582c5`)	2023-10-23 14:04:26 +00:00
shashank-elastic	a7e83681e3	Setup information for Linux Rules - Set5 (#3188 ) (cherry picked from commit `2a48db0598`)	2023-10-17 13:46:52 +00:00
Jonhnathan	063386829c	[Security Content] Include "Data Source: Elastic Defend" tag (#3002 ) * win folder * Other folders * Update test_all_rules.py * . * updated missing elastic defend tags --------- Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co> (cherry picked from commit `4233fef238`)	2023-09-05 18:28:40 +00:00
Ruben Groenewoud	a7ff449fbc	[Rule Tuning] Some Tunings of several 8.9 rules (#2985 ) * [Rule Tuning] Doing some quick tunings * updated_date bump * Update rules/linux/discovery_linux_modprobe_enumeration.toml * Update rules/linux/discovery_linux_modprobe_enumeration.toml * Update rules/linux/discovery_linux_sysctl_enumeration.toml * Update rules/linux/persistence_init_d_file_creation.toml * Update rules/linux/persistence_rc_script_creation.toml * Update rules/linux/persistence_shared_object_creation.toml * deprecate rule * deprecate rule * Update execution_abnormal_process_id_file_created.toml * Update discovery_kernel_module_enumeration_via_proc.toml * Update discovery_linux_modprobe_enumeration.toml * Update execution_remote_code_execution_via_postgresql.toml * Update discovery_potential_syn_port_scan_detected.toml * Added 2 tunings, sorry I missed those.. * One more tune * Update discovery_suspicious_proc_enumeration.toml	2023-08-03 15:25:33 +02:00
Ruben Groenewoud	9794f8f0af	[New Rule] Postgresql Code Execution (#2863 ) * [New Rule] Postgresql Code Execution * Update rules/linux/execution_remote_code_execution_via_postgresql.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update execution_remote_code_execution_via_postgresql.toml --------- Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>	2023-06-30 13:17:24 +02:00

9 Commits