security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
1,718 Commits 1 Branch 0 Tags
60475f6aa05be1984b986b122a13238eeeaac437
Commit Graph

5 Commits

Author SHA1 Message Date
shashank-elastic 60475f6aa0 Move Setup information into setup filed (#3206) 
(cherry picked from commit 7254c582c5)
 2023-10-23 14:04:26 +00:00
shashank-elastic a7e83681e3 Setup information for Linux Rules - Set5 (#3188) 
(cherry picked from commit 2a48db0598)
 2023-10-17 13:46:52 +00:00
Jonhnathan 063386829c [Security Content] Include "Data Source: Elastic Defend" tag (#3002) 
* win folder

* Other folders

* Update test_all_rules.py

* .

* updated missing elastic defend tags

---------

Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>

(cherry picked from commit 4233fef238)
 2023-09-05 18:28:40 +00:00
Ruben Groenewoud ed2daecb25 [Rule Tuning] Several rule tunings (#3024) 
* [Rule Tuning] Several rule tunings

* Added 1 more

* optimized ransomware encryption rules

* Update rules/linux/impact_potential_linux_ransomware_file_encryption.toml

* Update rules/linux/impact_potential_linux_ransomware_note_detected.toml

* Added 2 more tunings based on todays telemetry

* Some tunings

* Tuning

* Tuning

* fixed user.id comparison

* Something went wrong with deprecation

* Something went wrong with deprecation

* Update rules/linux/impact_potential_linux_ransomware_file_encryption.toml

* Update rules/linux/discovery_linux_nping_activity.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/linux/discovery_linux_hping_activity.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Dedeprecated the rule to deprecate later

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

(cherry picked from commit a1716bd673)
 2023-08-25 12:09:16 +00:00
Ruben Groenewoud e5d6d6e4a7 [New Rule] sus cmds executed by unknown executable (#2858) 
* [New Rule] sus cmds executed by unknown executable

* added an event.action filter

* Added endgame support, fixed stack version comment

* Update execution_suspicious_executable_running_system_commands.toml

* Update rules/linux/execution_suspicious_executable_running_system_commands.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update execution_suspicious_executable_running_system_commands.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-07-06 17:32:56 +02:00