security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
409 Commits 1 Branch 0 Tags
6177458bd8ea65e01acecde9842a01ac1a472d08
Commit Graph

60 Commits

Author SHA1 Message Date
Justin Ibarra 6177458bd8 Add empty technique array to rules (#828) 
* [Rule Tuning] Add empty arrays in place of tactic only threat mappings
* dynamically insert empty technique array in payload
* use replace_id as function parameter
 2021-01-11 08:58:18 -09:00
Justin Ibarra 992eabd6dc update incomplete bug fix from 736 for 7.11 -> 7.10 downgrade logic 2020-12-18 22:04:19 -09:00
Justin Ibarra 425e0ddf64 Add flattened subtechniques to rule-search (#739) 2020-12-18 14:21:37 -09:00
Justin Ibarra c1a0438f45 [Rule Tuning] Update ATT&CK threat mappings to reflect changes (#706) 
* replaced/removed all revoked/deprecated techniques
* tests will fail on revoked (changed) techniques
* tests will fail on deprecated techniques
* tests will fail when techniques are mapped to an invalid tactic
 2020-12-18 12:46:16 -09:00
Ross Wolf 7dcb666d81 Fix 7.11 -> 7.10 ATT&CK downgrade logic for optional techiques (#736) 2020-12-18 09:28:05 -07:00
Ross Wolf 331d321648 Make threat.technique optional (#727) 2020-12-17 20:22:59 -09:00
Justin Ibarra b6aa6c6548 Auth to Kibana connector using an existing cookie (#711) 2020-12-15 13:20:46 -07:00
Justin Ibarra 7c2abc68d7 [Docs] Update ML_DGA.md (#707) 2020-12-09 13:06:35 -09:00
Justin Ibarra e272800a5d Add ATT&CK sub-technique support to CLI (#614) 
* Add Mitre sub-technique support to CLI
* Add subtechnique enum to schema
* Add test to prevent duplicative tactics in mapping
 2020-12-08 21:56:55 -09:00
Justin Ibarra 0ed1e1df71 Add support to validate against dev ECS and beats schemas (#691) 2020-12-08 13:29:56 -09:00
Justin Ibarra 200fbe939e [Bug] Allow duplicative queries across different rule types (#704) 2020-12-08 13:16:59 -09:00
Ross Wolf 8c92ae7348 Add ATT&CK subtechniques to the schema (#337) 
* Add ATT&CK subtechniques to the schema
* Switch subtechniques to the 7.11 schema
* Make technique still required
* Lint fixes
* Cleanup EQL constant
* Trim more cruft
* Restore EQL for 710

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-12-08 14:57:30 -07:00
Brent Murphy 6a296c64c5 [New Rule] Microsoft 365 Exchange DKIM Signing Configuration Disabled (#578) 
* [New Rule] O365 Exchange DKIM Signing Configuration Disabled

* rebrand to m365

* still req non ecs schema

* Remove the ECS override

* Update _flatten_schema logic

* Allow fields with * in the path

* Allow explicit fields to overwrite implicit * fields

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
 2020-12-08 16:38:00 -05:00
Justin Ibarra 366e5002e1 [FR] Add experimental ML DGA CLI support (#361) 
* Add DGA model commands
* Add upload/delete ML job command
* Add DGA release management commands
* Add Manifest handling
* Add GithubClient object
 2020-12-01 22:25:33 -09:00
Justin Ibarra 97ee8cc9ac Refresh beats and ecs schemas and default to use latest to validate (#570) 
* Refresh beats and ecs schemas and default to use latest to validate
* remove incorrect ecs_version from zoom rule
* remove stale ecs_version from rules
 2020-12-01 13:24:20 -09:00
Justin Ibarra ad4a2ef0eb Add test commands to search and survey rule hits (#485) 2020-11-17 13:08:00 -09:00
brokensound77 75d37e9271 Merge remote-tracking branch 'upstream/main' into mergeback/7.10-to-main 2020-11-12 00:59:31 -09:00
Ross Wolf 8ca32f1423 Fix ClientError (NoneType) suffix 2020-11-09 11:08:36 -07:00
Justin Ibarra 3b597bdb72 fix auth args in get_es_client 2020-10-30 09:19:50 -08:00
Justin Ibarra 3827d01a65 fix bugs in es client retrieval 2020-10-29 21:20:49 -08:00
Justin Ibarra a575cf9ff3 [Rule Tuning] Use cidrMatch for eql rules checking multiple IPs (#431) 2020-10-29 11:06:24 -08:00
Ross Wolf 7da343e89f Fix kibana upload command (#425) 2020-10-28 10:16:36 -06:00
Ross Wolf a0a8d63baf Merge branch '7.10' into main 2020-10-28 09:40:15 -06:00
Brent Murphy 2e422f7159 [Rule Tuning] Minor Rule Tweaks for 7.10 (#400) 
* Tweak Rules for 7.10

* Add endpoint index for packetbeat rules

* update unit test to account for Network tag as well

* update modified date, add endpoint tag

* use Host instead of Endpoint

* Update packaging.py

* add v back to changelog url

* Add "tag" comment to get_markdown_rule_info

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
 2020-10-22 09:07:04 -04:00
Justin Ibarra 0a992d716a [Rule Tuning] Update EQL rules for 7.10 (#399) 
* update syntax to reflect eql changes
* use more case-insensitivity
* comment out missing fields for winlogbeat compatibility
 2020-10-21 12:35:18 -08:00
Stijn Holzhauer 60b3d47efd Add kibana-upload --space option (#251) 
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-10-08 12:21:54 -06:00
Justin Ibarra bd680a2bd4 Re-organize commands under more specific click groups (#356) 
* Restructure commands under more specific click groups
* standardize CLI error handling
* add global debug options
* move es and kibana clients into their click groups
* move commands and groups to dedicated files 
* distinguish variable names for better env/config parsing
 2020-10-07 12:15:33 -08:00
Justin Ibarra bf202b6b6c [New Rule] Initial converted EQL rules (#304) 
* 18 converted eql rules (not all prod)
 2020-09-30 21:40:55 -08:00
Justin Ibarra 7c1e9c1ed5 Update package summary extras produced during package generation (#341) 
* update summary.txt
* add summary.xlsx
* add changelog entry autogeneration
 2020-09-30 14:43:45 -08:00
Justin Ibarra a212008f8c [Rule Tuning] Remove event.module from rules for compatibility with agent integrations (#342) 2020-09-30 09:41:33 -08:00
shravaka fa12340ff0 [Bug fix] Add missing parenthesis for -kibana-url 2020-09-30 09:32:43 -06:00
Justin Ibarra 065bcd8018 Refresh ATT&CK data to v7.2 and expand threat validation (#330) 
* refresh to latest ATT&CK 7.2
* add new unit test to further validate threat mappings
* updated threat mappings in rules to reflect changes
* new func to download and refresh mitre data based on version
 2020-09-23 22:03:29 -08:00
Justin Ibarra 6ad3344af3 Collect unique query fields per rule (#296) 2020-09-23 14:36:34 -08:00
Ross Wolf 453553f685 Change the way we get environment variables (#280) 
* Change the way we get environment variables
* Change environ to getenv
* Read from envvar, then config file
* Switch to get_path
* Lint: Remove unused import
* Add --cloud-id/--elasticsearch-url
* Fix comment copy-pasta
 2020-09-16 10:23:22 -06:00
Ross Wolf 9d22970e21 Add EQL rules and schema validation (#297) 
* Add EQL rules and schema validation
* Lint nitpick
* Rename get_schema_from_eql
* Add EQL default language
* Rename parsed_kql to parsed_query
* Fix parsed_kql method call in loader
* Autopopulate dependent values
 2020-09-16 08:36:48 -06:00
Justin Ibarra 6b7ea7e66c Fix kibana-diff command (#198) 2020-09-02 12:19:17 -05:00
Ross Wolf 464d5e645a Fix kibana-upload and remove cumbersome dataclasses (#216) 
* Fix kibana-upload and remove cumbersom dataclasses

* Linting fixes
 2020-09-01 05:47:27 -06:00
Justin Ibarra 79a0dfefbe Add ECS 1.6.0 schema for validation testing (#220) 
* Add ecs 1.6.0 and refresh master ecs (2.0.0)
* update rule metadata to use ecs_version 1.6.0
 2020-08-27 11:54:49 -05:00
Justin Ibarra 28c869fb5f Expand documentation on CLI and workflows (#130) 2020-08-18 14:27:51 -05:00
Ross Wolf cb1c401e27 Merge branch '7.9' into main 2020-08-03 15:20:36 -06:00
Brent Murphy 01b1e8be26 [Rule Tuning] Update Tags for Cloud Rules (#99) 
* [Rule Tuning] Update Tags for Cloud Rules

* commenting out specifying alphabetical tag order in rule formatter

* Update rule_formatter.py

* py lint

* Lint fix comments

* update modified dates

* Update credential_access_secretsmanager_getsecretvalue.toml

* adding Continuous Monitoring tag

* update tags

* fixed and in tags

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
 2020-08-03 17:15:15 -04:00
Ross Wolf a99b7c96fe Merge branch '7.9' into main 2020-08-03 14:03:15 -06:00
Ross Wolf 0455307577 Downgrade rule version before uploading to Kibana (#97) 
* Downgrade version before uploading to Kibana
* Update downgrade exception format
* Update s/siem/detection

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-07-28 11:03:47 -06:00
Justin Ibarra 8f5ddbb121 Add better CLI support for handling Kibana exported rules (#83) 2020-07-27 23:31:19 -05:00
Ross Wolf d15da0ada1 Add versioned schemas with a downgrade path (#84) 
* Add versioned schemas with a downgrade path
* Remove and move unused variables
* Add missing license
* Skip NotField for output_index
* Add strip_additional_properties for kibana import
* Remove stray comment
* Apply suggestions from code review

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-07-23 11:39:35 -06:00
Ross Wolf 978a8d9df8 [Bug] Set threshold.field to empty string instead of null (#87) 2020-07-22 19:31:09 -04:00
Ross Wolf 16fb306254 Add command to upload to kibana (#58) 
* Add upload command to kibana
* Restore skipped fields
* Change prefix to DR_
* Add note to manage_versions call
* Reorder requirements.txt to trigger build
 2020-07-20 15:58:28 -06:00
Justin Ibarra 1cfb8f92bb Windows DNS server vulnerability (CVE-2020-1350) rules (#69) 2020-07-17 14:32:52 -05:00
Justin Ibarra 7647699e2b Add support for threshold rules (#65) 2020-07-16 19:06:34 -05:00
Justin Ibarra 916917a619 Update rule.py 2020-07-15 09:40:07 -05:00