Commit Graph

417 Commits

Author SHA1 Message Date
Terrance DeJesus 0b808211f6 [New Rule] Entra ID Device Code Auth with Broker Client (#3819)
* new rule 'Entra ID Device Code Auth with Broker Client'

* updated azure integration, non-ecs updated, rule date updated

* updates tags

* updated query to add Azure activity logs

* merging in main

* updated azure manifest and schemas

* updated azure manifest and schemas

* updated index map for summary and changelog

* removed string imports

* reverting packaging.py updates

* adjusted query

* adjusted query to be more optimized

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>

(cherry picked from commit 99a4d629c9)
2024-07-01 14:34:42 +00:00
shashank-elastic 28f67e3ace Generate Better Index Keys (#3826)
* Generate Better Index Keys

* More Robust index mapping

* Remove unused import

* Remove unused import

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

(cherry picked from commit 949ceccc0f)
2024-06-28 17:51:17 +00:00
github-actions[bot] a1b34e0211 Lock versions for releases: 8.9,8.10,8.11,8.12,8.13,8.14 (#3845)
(cherry picked from commit aef9fe8ec4)
2024-06-28 12:22:41 +00:00
Mika Ayenson 2133e1f1a3 [FR] Limit historical rules to the latest 2 (#3842)
(cherry picked from commit 357204e1c5)
2024-06-28 11:45:17 +00:00
Jonhnathan 8bab0df7bf [Rule Tuning] Add Initial Microsoft Defender for Endpoint Compatibility to Windows DRs (#3825)
* [Rule Tuning] Add Initial Microsoft Defender for Endpoint Compatibility to Windows DRs

* .

* Update integration-schemas.json.gz

* Fix integration manifests

Removed changes from:
- rules/windows/collection_email_powershell_exchange_mailbox.toml
- rules/windows/command_and_control_rdp_tunnel_plink.toml
- rules/windows/command_and_control_screenconnect_childproc.toml
- rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
- rules/windows/credential_access_kirbi_file.toml
- rules/windows/defense_evasion_amsi_bypass_dllhijack.toml
- rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml
- rules/windows/defense_evasion_suspicious_zoom_child_process.toml
- rules/windows/execution_command_shell_started_by_unusual_process.toml
- rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
- rules/windows/persistence_adobe_hijack_persistence.toml
- rules/windows/persistence_appcertdlls_registry.toml
- rules/windows/persistence_system_shells_via_services.toml

(selectively cherry picked from commit 54d5b442cf)
2024-06-26 14:09:43 +00:00
github-actions[bot] 30f5784613 Lock versions for releases: 8.9,8.10,8.11,8.12,8.13,8.14 (#3821)
(cherry picked from commit 6f43d1f535)
2024-06-25 12:31:41 +00:00
Mika Ayenson 495539b697 [FR] Loosen Filters Schema Validation (#3753)
(cherry picked from commit 259efaf716)
2024-06-18 21:00:33 +00:00
Terrance DeJesus 37ea64baf4 [New Rule] Rapid7 Threat Command CVEs Correlation (#3718)
* new rule 'Rapid7 Threat Command CVEs Correlation'

* Update rules/threat_intel/threat_intel_rapid7_threat_command.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* updated threat index and tags

* changed 'indicator match' to 'threat match' for tags

* removed timeline

* updating integrations to match main

* re-adding rapid7 threat command integration manifest and schema

* reverting changes; removing timeline

* changed max signals to 10000

---------

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

(cherry picked from commit 020ca4be24)
2024-06-12 22:04:56 +00:00
github-actions[bot] 24d79f230e Lock versions for releases: 8.9,8.10,8.11,8.12,8.13,8.14 (#3778)
(cherry picked from commit e3a72c6c47)
2024-06-11 15:30:13 +00:00
Ruben Groenewoud d26951d94e [New Rule] Suspicious File Modification (#3746)
* [New Rule] Suspicious File Modification

* Update persistence_suspicious_file_modifications.toml

* Update rules/linux/persistence_suspicious_file_modifications.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/linux/persistence_suspicious_file_modifications.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Updates

* Update rules/integrations/fim/persistence_suspicious_file_modifications.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

(cherry picked from commit ec223a4a05)
2024-06-11 11:06:39 +00:00
shashank-elastic 06660cb2e1 Refresh MITRE Attack v15.1.0 (#3725)
(cherry picked from commit e357a2c050)
2024-06-04 14:48:18 +00:00
github-actions[bot] 5839b408ca Lock versions for releases: 8.9,8.10,8.11,8.12,8.13,8.14 (#3716)
(cherry picked from commit 259bab7a5a)
2024-05-29 14:21:29 +00:00
Terrance DeJesus 2691273c93 [New Rule] AWS EC2 VPC Security Group Rule Added for Any Address or Remote Access Ports (#3599)
* new rule 'AWS EC2 VPC Security Group Rule Added for Any Address or Remote Access Ports'

* updated rule name

* changed file name; added false-positive note

* changed rule UUID

* adjusted file name

* updated tags

* added investigation guide; updated query logic

* Update rules/integrations/aws/defense_evasion_vpc_security_group_ingress_rule_added_for_remote_connections.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* updated query and name

* updated query optimization

---------

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

(cherry picked from commit 527f785a60)
2024-05-28 14:52:40 +00:00
Eric Forte 39782b4295 [FR] Update utility path computation to use pathlib (#3699)
* update

* Updated to pathlib

* Linting

* Add string cast where needed

* Add additional string conversion as needed

* Str conversions to support eql lib

* Attack typo

* Typo in test script

* Updated for more pathlib

* Linting

* Update to convert string to path object

* Fix typo

(cherry picked from commit f43fbfba0d)
2024-05-23 21:39:55 +00:00
shashank-elastic f27479ee12 Package Manifest changes to add capabilities (#3706)
Removed changes from:
- detection_rules/etc/packages.yaml

(selectively cherry picked from commit f73022b900)
2024-05-23 20:49:50 +00:00
shashank-elastic 18fcd83683 Back-porting Version Trimming (#3704)
(cherry picked from commit 63e91c2f12)
2024-05-22 19:18:10 +00:00
Jonhnathan 0ab70f13a4 [Rule Tuning] Add Initial SentinelOne Compatibility to Windows DRs (#3627)
* [Rule Tuning] Add Initial SentinelOne Compatibility

* updated definitions.py; updated tags; fixed unit tests

* added prerelease versions for s1 integration; updated build CLI commands to allow prerelease; bumped min-stacks

* updating manifests and integrations

* fixing flake errors

* min_stack

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

(cherry picked from commit d023ad66b1)
2024-05-20 12:59:37 +00:00
Eric Forte 6e25eabf71 [FR] Add --force flag to update-lock-versions (#3693)
* Add --force flag to update-lock-versions

* Add type hinting

(cherry picked from commit 707ca32ab1)
2024-05-18 00:33:11 +00:00
Mika Ayenson 06ef471c39 [FR] Normalize yml ext to yaml (#3675) 2024-05-15 17:08:01 -05:00
Mika Ayenson 2d96f10725 [FR] Normalize yml ext to yaml (#3675)
Removed changes from:
- detection_rules/etc/packages.yml

(selectively cherry picked from commit 79f575b33c)
2024-05-15 20:27:01 +00:00
github-actions[bot] ed48d9fd57 Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13,8.14 (#3676)
(cherry picked from commit f3585da503)
2024-05-15 11:41:56 +00:00
shashank-elastic 891da3623d Prepare For Next Elastic Stack 8.15 (#3670)
Removed changes from:
- detection_rules/etc/packages.yml

(selectively cherry picked from commit 50a8b52cd5)
2024-05-14 19:10:09 +00:00
Mika Ayenson 33e44b29fc [FR] Bundle KQL & Kibana libs into base dependencies (#3662)
(cherry picked from commit 78837549e8)
2024-05-13 19:36:55 +00:00
Eric Forte e45c7db95e [Bug] Update Rule Formatter (#3668)
* Update Rule Formatter

* Only apply fix to Note

(cherry picked from commit 094ef22604)
2024-05-13 19:07:19 +00:00
github-actions[bot] 947e8fd965 Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13 (#3650)
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13

* Bumping status checks

* undo bump

---------

Co-authored-by: eric-forte-elastic <eric-forte-elastic@users.noreply.github.com>
Co-authored-by: eric-forte-elastic <eric.forte@elastic.co>

(cherry picked from commit 84437bac03)
2024-05-06 16:52:30 +00:00
Eric Forte 2bd230ff60 [Bug] Query validation failing to capture InSet edge case with ip field types (#3572)
* Move test case to separate file

---------

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>

(cherry picked from commit a4a0bc6a7e)
2024-05-06 12:07:00 +00:00
Mika Ayenson b75a9f902b [New Rule] Potential Abuse of Resources by High Token Count and Large Response Sizes (#3644)
(cherry picked from commit 2ffb0e7fe2)
2024-05-03 23:08:58 +00:00
Justin Ibarra c97395d606 [Bug] Fix missing indexes on navigator build (#3636)
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>

(cherry picked from commit 2668f5f762)
2024-05-01 21:58:13 +00:00
Justin Ibarra b83887e73d [New Rule] AWS S3 Bucket Enumeration or Brute Force (#3635)
* [New Rule] AWS S3 Bucket Enumeration or Brute Force

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

(cherry picked from commit 54ff270c62)
2024-05-01 21:08:19 +00:00
github-actions[bot] 809279b62b Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13 (#3630)
(cherry picked from commit ca78f550fd)
2024-04-30 12:43:58 +00:00
Justin Ibarra 09a7e2e81b Refresh Kibana module with API updates (#3466)
* Refresh Kibana module with API updates
* add import/export commands
* rename repo commands
* add RawRuleCollection and DictRule objects
* save exported rules to files; rule.from_rule_resource
* strip unknown fields in schema
* add remote cli test
* update docs
* bump kibana lib version

---------

Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>

(cherry picked from commit c567d3731a)
2024-04-26 17:20:37 +00:00
github-actions[bot] dfd261590b Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13 (#3615)
(cherry picked from commit 374f21fbc4)
2024-04-23 12:36:46 +00:00
Jonhnathan 608a0ff0c2 [Rule Tuning] Windows BBR Rule Tuning - 1 (#3579)
* [Rule Tuning] Windows BBR Rule Tuning - 1

* Update non-ecs-schema.json

* Update rules_building_block/command_and_control_certutil_network_connection.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules_building_block/collection_common_compressed_archived_file.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update defense_evasion_dll_hijack.toml

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

(cherry picked from commit d0dfa479bb)
2024-04-08 13:46:29 +00:00
Terrance DeJesus a2cb089d12 updated to v14.0 mitre ATT&CK (#3289)
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>

(cherry picked from commit 0cb42983c1)
2024-04-05 18:38:20 +00:00
Eric Forte dee8c947de Update default (#3574)
(cherry picked from commit fbb6df506e)
2024-04-05 00:35:15 +00:00
Eric Forte 72ba0b16a9 [Bug] KQL fails validation on uppercase keywords (#3568)
* add todo

* Add a normalize_kql_keywords function to utils

* update rule loader to normalize and warn

* optimized loading

* fix linting

* Moved conversion to kql module.

* Updated unit test

* Refactor KQL parser to normalize keywords via flag

* Fix logic typo

* Update detection_rules/utils.py

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update lib/kql/kql/__init__.py

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Updated to fix unit tests and remove warnings

* linting typo

* Added comments

* remove unused imports

* Update kql.parse default

---------

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

(cherry picked from commit 1566c29bae)
2024-04-04 22:10:57 +00:00
Eric Forte 645fa593a1 [Bug] New Terms Rule Import Failing (#3569)
* initial patch

* Update definitions to allow for brackets in name

* Update to prompt for required fields.

* Update detection_rules/cli_utils.py

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

---------

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

(cherry picked from commit fa75876322)
2024-04-04 21:45:02 +00:00
Mika Ayenson 5a28e1ecac [Bug] Add explicit format preserver (#3566)
(cherry picked from commit c35652c8c8)
2024-04-04 20:58:27 +00:00
Eric Forte ec275e8d99 [Bug] Threshold Rule Importing Failures (#3560)
* remove threshold specific req

* fix test event override

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>

(cherry picked from commit a9cc323d09)
2024-04-03 18:23:39 +00:00
shashank-elastic fe9217892f Deprecate Releasing to a patch kibana version workflow (#3552)
(cherry picked from commit 3fbffa24ed)
2024-04-03 03:12:07 +00:00
github-actions[bot] 112ae41cd3 Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13 (#3567)
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13

* Update detection_rules/etc/deprecated_rules.json

---------

Co-authored-by: shashank-elastic <shashank-elastic@users.noreply.github.com>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>

(cherry picked from commit 8d5bd3b0f6)
2024-04-02 18:37:42 +00:00
Jonhnathan 7838042839 [Rule Tuning] Replace KQL exceptions for Query DSL Exceptions (#3505)
* [Rule Tuning] Replace KQL exceptions for Query DSL Exceptions

* update min_stack

* build out schema in more detail for Filters

* Update detection_rules/rule.py

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* Remove enum for definition

* remove unused import

* remove $state store

* transform state

* add call to super

* add return type hint

* use dataclass metadata

* use Literal type

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

Removed changes from:
- rules/windows/collection_mailbox_export_winlog.toml
- rules/windows/collection_posh_clipboard_capture.toml
- rules/windows/defense_evasion_posh_assembly_load.toml
- rules/windows/defense_evasion_posh_compressed.toml
- rules/windows/discovery_posh_suspicious_api_functions.toml
- rules/windows/discovery_privileged_localgroup_membership.toml
- rules/windows/execution_posh_hacktool_functions.toml
- rules/windows/execution_posh_psreflect.toml
- rules_building_block/collection_posh_compression.toml
- rules_building_block/defense_evasion_powershell_clear_logs_script.toml
- rules_building_block/discovery_posh_generic.toml
- rules_building_block/lateral_movement_posh_winrm_activity.toml

(selectively cherry picked from commit 67ca13c1ce)
2024-04-01 20:53:09 +00:00
Mika Ayenson e74f7a4d6b [FR] Add support for investigation_fields (#3550)
(cherry picked from commit bb907a4d76)
2024-04-01 16:59:59 +00:00
shashank-elastic 69d2f4b607 Fix create PR in release workflow (#3528)
(cherry picked from commit 8b215eac41)
2024-04-01 15:54:59 +00:00
Mika Ayenson e7416a6a68 [FR] Add required-fields option to import-rules (#3546)
(cherry picked from commit b6a7e7ebda)
2024-03-28 23:37:15 +00:00
Eric Forte 6bf3a82f51 Update sort parameter (#3531)
(cherry picked from commit 3503786154)
2024-03-25 15:54:13 +00:00
github-actions[bot] dda6a33f70 Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13 (#3526)
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13

* Update detection_rules/etc/deprecated_rules.json

---------

Co-authored-by: shashank-elastic <shashank-elastic@users.noreply.github.com>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>

(cherry picked from commit eaf4658620)
2024-03-21 15:09:40 +00:00
Mika Ayenson edf52a578c [FR] Update Python Dependency Versions (#3515)
(cherry picked from commit 5c3523954e)
2024-03-19 19:15:12 +00:00
Mika Ayenson 434b3ffcc0 [FR] Independently package kql / kibana and bump to py3.12 (#3514)
(cherry picked from commit d26981f712)
2024-03-15 01:26:12 +00:00
Mika Ayenson 2af0c64945 [FR] Add support for dataviews in the rule schema (#3510)
(cherry picked from commit 8724077a0e)
2024-03-14 22:48:44 +00:00