security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
409 Commits 1 Branch 0 Tags
6177458bd8ea65e01acecde9842a01ac1a472d08
Commit Graph

8 Commits

Author SHA1 Message Date
Justin Ibarra 97ee8cc9ac Refresh beats and ecs schemas and default to use latest to validate (#570) 
* Refresh beats and ecs schemas and default to use latest to validate
* remove incorrect ecs_version from zoom rule
* remove stale ecs_version from rules
 2020-12-01 13:24:20 -09:00
Justin Ibarra f87f2a46f4 [Rule Tuning] Remove all rule timelines (#466) 2020-11-03 09:51:53 -09:00
Justin Ibarra da64bacac1 [Rule Tuning] Add timeline_title to rules with timeline IDs defined (#452) 2020-11-02 14:12:20 -09:00
Derek Ditch 580db2c13e Add timeline_id to detection rules (#95) 
* Adds timeline_id to all network rules
- Uses the ID for the 'Generic Network Timeline' from Elastic
* Adds timeline_id to all endpoint rules
- Uses the ID for the 'Generic Endpoint Timeline' from Elastic
* Adds timeline_id to all process-oriented rules
    - Uses the ID for the 'Generic Process Timeline' from Elastic
* Ran tests and toml-lint
* Bumped 'updated_date'
 2020-10-27 13:34:16 -05:00
seth-goodwin 2065af89b1 [Rule Tuning] Tag Categorization Updates (#380) 
* Add new categorization tags

* Change updated_date to 2020/10/26

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>, @bm11100
 2020-10-26 13:50:45 -05:00
Justin Ibarra 2460333595 [Rule Tuning] Add extended lookback for all endpoint rules to account for ingest delays (#351) 2020-09-30 16:16:04 -08:00
Justin Ibarra 065bcd8018 Refresh ATT&CK data to v7.2 and expand threat validation (#330) 
* refresh to latest ATT&CK 7.2
* add new unit test to further validate threat mappings
* updated threat mappings in rules to reflect changes
* new func to download and refresh mitre data based on version
 2020-09-23 22:03:29 -08:00
Samirbous 9926071b0d [New Rule] - Execution via Hidden Shell (#154) 
* [New Rule] - Execution via Hidden Shell

* Update execution_via_hidden_shell_conhost.toml

* Update execution_via_hidden_shell_conhost.toml

* Update execution_via_hidden_shell_conhost.toml

* Update rules/windows/execution_via_hidden_shell_conhost.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/execution_via_hidden_shell_conhost.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/execution_via_hidden_shell_conhost.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/execution_via_hidden_shell_conhost.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/windows/execution_via_hidden_shell_conhost.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/windows/execution_via_hidden_shell_conhost.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-09-22 13:56:19 +02:00