security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
3,388 Commits 1 Branch 0 Tags
694376bd7a8bef1e2d8b8e6df2d23911ae25919d
Commit Graph

3388 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Ruben Groenewoud 694376bd7a [Bug] Fix UTF-8 Encoding for Rule File Operations (#5684) 
* Updated kubernetes.audit.requestObject.spec.containers.image type of text to Keyword

* [Bug] Fix UTF-8 Encoding for Rule File Operations
 2026-02-05 14:21:30 +01:00
Samirbous 00159a3eca [Tuning] M365 Exchange Inbox Phishing Evasion Rule Created (#5648) 
* Update defense_evasion_exchange_new_inbox_rule_delete_or_move.toml

* Update defense_evasion_exchange_new_inbox_rule_delete_or_move.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2026-02-05 10:02:57 -03:00
Ruben Groenewoud 3cba3d7982 [Rule Tuning] Dormant & Deprecated Rule Clean-Up (#5672) 
* Updated kubernetes.audit.requestObject.spec.containers.image type of text to Keyword

* [Rule Tuning] Dormant & Deprecated Rule Clean-Up

* [Rule Tuning] Dormant & Deprecated Rule Clean-Up

* Few more deprecations

* ++

* Update unit test syntax fix

* Update bad bytes

* ++
 2026-02-05 13:24:21 +01:00
Mika Ayenson, PhD aff945cb70 [New Rules] ESQL LLM-Based Alert Triage Rules (#5656) 
---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2026-02-04 14:32:36 -06:00
Mika Ayenson, PhD 94c17dff59 [New Rule] Execution via OpenClaw Agent (#5666) 2026-02-04 14:02:52 -06:00
ailiffa e6fafc914e [Rule Tuning] Unsigned DLL Side-Loading from a Suspicious Folder: Add Downloads path and fix subdirectory evasion (#5592) 
* [Tuning] Unsigned DLL Side-Loading from a Suspicious Folder: Add Downloads path and fix subdirectory evasion

- Add Downloads folder to the suspicious paths list
- Modify directory matching logic from endswith~ to startswith~ to detect DLLs loaded from subdirectories of the executable's location

* Update rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml

Swap back to "endswith" and add chrome_elf.dll coverage.

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2026-02-04 14:16:14 -03:00
Samirbous 2b8fb44cb5 [New] SolarWinds Web Help Desk Java Module Load or Child Process (#5665) 
* [New] Suspicious SolarWinds Web Help Desk Java Module Load or Child Process

Identifies the SolarWinds Web Help Desk Java process loading an untrusted or remote native module (DLL).
This behavior is uncommon for the Web Help Desk server and may indicate successful exploitation of
deserialization vulnerabilities (CVE-2025-40536, CVE-2025-40551), which allow attackers to load malicious
SQLite extensions and achieve remote code execution.

https://horizon3.ai/attack-research/cve-2025-40551-another-solarwinds-web-help-desk-deserialization-issue/

https://github.com/rapid7/metasploit-framework/pull/20917

* Update rules/windows/initial_access_potential_webhelpdesk_exploit.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Update rules/windows/initial_access_potential_webhelpdesk_exploit.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Update rules/windows/initial_access_potential_webhelpdesk_exploit.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

---------

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
 2026-02-04 16:09:55 +00:00
Mika Ayenson, PhD f6454e93e8 Update (#5675) 2026-02-04 09:15:53 -06:00
Samirbous fda9f00c2b [Tuning] M365 Exchange Inbox Forwarding Rule Created (#5647) 
* Update collection_exchange_new_inbox_rule.toml

* Update collection_exchange_new_inbox_rule.toml

* Update rules/integrations/o365/collection_exchange_new_inbox_rule.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Update rules/integrations/o365/collection_exchange_new_inbox_rule.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Update rules/integrations/o365/collection_exchange_new_inbox_rule.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

---------

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
 2026-02-04 13:50:55 +00:00
Samirbous d42ebdc3e6 [Tuning] Component Object Model Hijacking (#5651) 
* Update persistence_suspicious_com_hijack_registry.toml

* Update persistence_suspicious_com_hijack_registry.toml
 2026-02-04 13:23:40 +00:00
Samirbous ed089d5d76 [Tuning] Svchost spawning Cmd (#5649) 
* Update execution_command_shell_started_by_svchost.toml

* Update execution_command_shell_started_by_svchost.toml
 2026-02-04 12:42:50 +00:00
Samirbous 362c459094 [New] Multiple Machine Learning Alerts by Influencer Field (#5660) 
* [New] Multiple Machine Learning Alerts by Influencer Field

This rule uses alerts data to determine when multiple different machine learning alerts involving the same influencer field are triggered. Analysts can use this to prioritize triage and response, as these entities are more likely to be more suspicious.

* Update multiple_machine_learning_jobs_by_entity.toml

* Update multiple_machine_learning_jobs_by_entity.toml

* Update non-ecs-schema.json

* Update multiple_machine_learning_jobs_by_entity.toml

* Update non-ecs-schema.json
 2026-02-04 12:25:59 +00:00
Sergey Polzunov 59e394f36b [doc fix] Adjust wording in the docs for Kibana import/export commands (#5600) 
* Wording fix

* Version bump

* Style fixes

* Style fix for tests
 2026-02-04 11:17:58 +01:00
Ruben Groenewoud c455d3d98a [Rule Tuning] Full Kubernetes Ruleset (#5659) 
* [Rule Tuning] Full Kubernetes Ruleset

* ++

* Update manifests & schemas

* Update pyproject.toml

* Added "kubernetes.audit.userAgent" to non_ecs

* Updated kubernetes.audit.requestObject.spec.containers.image of type text to Keyword

* Apply suggestion from @Aegrah

* Apply suggestion from @Aegrah

* Update privilege_escalation_pod_created_with_hostnetwork.toml

* Apply suggestion from @Aegrah

* Update privilege_escalation_pod_created_with_hostipc.toml

* Apply suggestion from @Mikaayenson

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* ++

---------

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
 2026-02-04 10:42:41 +01:00
Ruben Groenewoud 7c03840737 [New Rules] Misc. D4C Rules re: (un)Authenticated API Access (#5661) 
* Updated kubernetes.audit.requestObject.spec.containers.image type of text to Keyword

* [New Rules] Misc. D4C Rules related to (un)authenticated API Access

* Apply suggestion from @Aegrah

* [New Rule] Kubelet Certificate File Access Detected via Defend for Containers

* [New Rule] Kubeletctl Execution Detected via Defend for Containers

* [New Rule] Potential Kubeletctl Execution Detected via Defend for Containers

* [New Rule] Kubernetes Potential Endpoint Permission Enumeration Attempt Detected

* [New Rule] Kubernetes Potential Endpoint Permission Enumeration Attempt by Anonymous User Detected

* [New Rule] Kubernetes Anonymous User Create/Update/Patch Pods Request

* [New Rule] Potential Cluster Enumeration via jq Detected via Defend for Containers

* Apply suggestion from @Aegrah

* Update execution_kubeletctl_execution.toml
 2026-02-04 09:58:42 +01:00
Jan Calanog 7feaf0f1c0 Add security product to docset.yml (#5654) 
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
 2026-02-03 17:40:05 -06:00
Sergey Polzunov 3ce5379ef5 README fixes (#5616) 
* Small fixes

* Version bump

---------

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
 2026-02-03 16:22:17 -06:00
Terrance DeJesus c75fc7e487 [Rule Tuning] Mythic C2 AzureBlob Profile Endpoints (#5663) 
Fixes #5662
 2026-02-03 09:38:14 -05:00
Terrance DeJesus ae88c095e9 [New Rule] Fortigate (FG-IR-26-060) Detections (#5641) 
* initial FG-IR-26-060 rules

* adjusted investigation guides to proper formatting

* Update initial_access_fortigate_sso_login_from_unusual_source.toml

* Update and rename exfiltration_fortigate_config_download.toml to collection_fortigate_config_download.toml

* Update collection_fortigate_config_download.toml

* Apply suggestion from @Samirbous

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Apply suggestion from @Samirbous

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Apply suggestion from @Samirbous

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Apply suggestion from @Samirbous

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* adjusting rules

* revert super admin

* adjusted source.ip to 'fortinet.firewall.ui'

* changing ESQL to EQL for non-aggregate queries

* added CISA reference

* adjusted interval and maxspan

* updating dates

* changed download rule to EQL

* added additional sso checks; linted previous rules

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2026-01-30 10:16:34 -05:00
Terrance DeJesus 6502ba61d7 [Rule Tuning] M365 Security Compliance Potential Ransomware Activity (#5653) 
Fixes #5652
 2026-01-30 09:57:56 -05:00
Samirbous efd1756d49 Update impact_hosts_file_modified.toml (#5655) 2026-01-29 17:02:14 +00:00
Terrance DeJesus fa56ae556e [New Rule] Okta AiTM Session Cookie Replay Detection (#5627) 
* New Rule: Okta AiTM Session Cookie Replay Detection
Fixes #5626

* added keep; linted

* adjusted logic to include UA 2+, fixed MITRE Mappings

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2026-01-29 08:58:59 -05:00
Samirbous a2c1dd8575 [New] Suspicious FortiGate and Fortinet Logon rules (#5640) 
* [New] Suspicious FortiGate Admin Logon rules

- First-Time FortiGate Administrator Login
- FortiGate Administrator Login from Multiple IP Addresses

* Update initial_access_fortigate_admin_login_multi_srcip.toml

* ++

* ++

* Create initial_access_newly_observed_frotinet_logon.toml

* Update initial_access_newly_observed_frotinet_logon.toml

* build schema and manifest for fortinet

* Update pyproject.toml

* Update initial_access_newly_observed_frotinet_logon.toml

* Revert "Update initial_access_newly_observed_frotinet_logon.toml"

This reverts commit 7b99828b9a28a8ad9cd156fbe33c92ea436041e0.

* Revert "Update pyproject.toml"

This reverts commit 025daf566fa1f2d7dffd83717f5a70a8285d62ca.

* Revert "build schema and manifest for fortinet"

This reverts commit a6234164f827b65a3d4b7580ef647bfefc34b658.

* ++
 2026-01-28 17:56:56 +00:00
Samirbous cee9f51b6d [New] Newly Observed Process Exhibiting CPU Spike (#5635) 
* [New] Newly Observed Process Exhibiting CPU Spike

This rule alerts on processes exhibiting CPU spike and that are observed for the first time in the previous 5 days. This behavior may indicate performance issues as well as potential suspicious software like cryptomining or exploit abusing system resources following compromise.

* Update impact_newly_observed_process_with_high_cpu.toml

* Update impact_newly_observed_process_with_high_cpu.toml

* Update impact_newly_observed_process_with_high_cpu.toml

* Update impact_newly_observed_process_with_high_cpu.toml

* Update rules/cross-platform/impact_newly_observed_process_with_high_cpu.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update impact_newly_observed_process_with_high_cpu.toml

* Update impact_newly_observed_process_with_high_cpu.toml

* Update impact_newly_observed_process_with_high_cpu.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2026-01-28 17:38:22 +00:00
github-actions[bot] 8b8c0beec7 Lock versions for releases: 8.19,9.1,9.2,9.3 (#5639) 2026-01-28 18:37:52 +05:30
Eric Forte d252cae4ee Ignore Keep * for ES|QL hash calc (#5638) 
* Ignore Keep * for ES|QL hash calc

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>


---------

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
 2026-01-27 23:01:27 -05:00
Eric Forte 2265717c41 chore: Fix lock version for 9.3.2 Release (#5634) 
* Min stack mv_contains
 2026-01-27 22:38:39 -05:00
Eric Forte 070b457659 Test remote_cli update test indices 2026-01-27 20:08:19 +05:30
shashank-elastic 3ee0a72a65 Add investigation guides (#5630) 2026-01-27 14:28:06 +05:30
Eric Forte 7ff19b3497 [Rule Tuning] Accepted Default Telnet Port Connection (#5629) 
* Add Additional Data Sources
 2026-01-26 20:43:23 -05:00
Jonhnathan 2f9dc7af53 [Rule Tuning] PowerShell Rules Revamp - 2 (#5623) 
* [Rule Tuning] PowerShell Rules Revamp - 2

* Update credential_access_mimikatz_powershell_module.toml

* Apply suggestions from code review
 2026-01-26 19:35:05 -03:00
Jonhnathan 6843d11b09 [Rule Tuning] PowerShell Rules Revamp - 3 (#5625) 
* [Rule Tuning] PowerShell Rules Revamp - 3

* Apply suggestion from @w0rk3r
 2026-01-26 19:11:29 -03:00
Jonhnathan fc55e8b308 [Rule Tuning] PowerShell Rules Revamp - 1 (#5619) 
* [Rule Tuning] PowerShell Rules Revamp - 1

* bump
 2026-01-26 19:01:48 -03:00
Samirbous 42e7f3b4ce [New] Multiple Alerts on a Host Exhibiting CPU Spike (#5621) 
* [New] Multiple Alerts on a Host Exhibiting CPU Spike

This rule correlates multiple security alerts from a host exhibiting unusually high CPU utilization within a short time window. This behavior may indicate malicious activity such as malware execution, cryptomining, exploit payload execution, or abuse of system resources following initial compromise.

* Update multiple_alerts_on_host_with_cpu_spike.toml

* Rename multiple_alerts_on_host_with_cpu_spike.toml to impact_alerts_on_host_with_cpu_spike.toml

* Update impact_alerts_on_host_with_cpu_spike.toml

* Update rules/cross-platform/impact_alerts_on_host_with_cpu_spike.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Update non-ecs-schema.json

---------

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
 2026-01-26 20:42:20 +00:00
Terrance DeJesus b311044624 [Rule Tuning] Entra ID OAuth Phishing via First-Party Microsoft Application (#5610) 
Fixes #5609
 2026-01-26 14:55:18 -05:00
Samirbous 094f907144 [New] Detection Alert on a Process Exhibiting CPU Spike (#5617) 
* [New] Detection Alert on a Process Exhibiting CPU Spike

This rule correlates security alerts with processes exhibiting unusually high CPU utilization on the same host and process ID within a short time window. This behavior may indicate malicious activity such as malware execution, cryptomining, exploit payload execution, or abuse of system resources following initial compromise.

* Update securityt_alert_from_a_process_with_cpu_spike.toml

* Update securityt_alert_from_a_process_with_cpu_spike.toml

* Update rules/cross-platform/securityt_alert_from_a_process_with_cpu_spike.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Rename securityt_alert_from_a_process_with_cpu_spike.toml to security_alert_from_a_process_with_cpu_spike.toml

* Update security_alert_from_a_process_with_cpu_spike.toml

* Rename security_alert_from_a_process_with_cpu_spike.toml to impact_alert_from_a_process_with_cpu_spike.toml

* Update impact_alert_from_a_process_with_cpu_spike.toml

* Update non-ecs-schema.json

* Update rules/cross-platform/impact_alert_from_a_process_with_cpu_spike.toml

Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>

---------

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
 2026-01-26 17:42:31 +00:00
Samirbous 6d9eef48b0 [New] Multiple Vulnerabilities by Asset via Wiz (#5598) 
* [New] Wiz - Multiple Vulnerabilities by Container

* Update multiple_vulnerabilities_wiz_by_container.toml

* Update multiple_vulnerabilities_wiz_by_container.toml

* add wiz manif and schema

* Update multiple_vulnerabilities_wiz_by_container.toml

* Update multiple_vulnerabilities_wiz_by_container.toml

* Update pyproject.toml

* Update multiple_vulnerabilities_wiz_by_container.toml

* ++

* Update external_alerts.toml

* Update multiple_vulnerabilities_wiz_by_container.toml

* Delete detection_rules/etc/integration-manifests.json.gz

* Revert "add wiz manif and schema"

This reverts commit a1e9e7440dcb46ea2abebec834cfc0291e3b60ae.

* Revert "Update pyproject.toml"

This reverts commit 47ab9d2dc8239207126b8512006f353a3fd4affc.

* update manifest and schema for wiz
 2026-01-26 17:26:17 +00:00
Samirbous 88e0b14709 [Tuning] ESQL Dynamic unique value fields (#5569) 
* [Tuning] Extract dynamic field with 1 value to ECS fields for alerts exclusion

Extract dynamic field with 1 value to ECS fields for alerts exclusion:

Esql.host_id_values -> host.is
Esql.agent_id_values -> agent.id
Esql.host_name_values -> host.name

* Update multiple_alerts_by_host_ip_and_source_ip.toml

* Update newly_observed_elastic_defend_alert.toml

* Update defense_evasion_base64_decoding_activity.toml

* Update discovery_subnet_scanning_activity_from_compromised_host.toml

* Update persistence_web_server_sus_command_execution.toml

* Update persistence_web_server_sus_child_spawned.toml

* Update rules/cross-platform/multiple_alerts_elastic_defend_netsecurity_by_host.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Update rules/linux/impact_potential_bruteforce_malware_infection.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Update rules/linux/command_and_control_frequent_egress_netcon_from_sus_executable.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Update rules/cross-platform/multiple_alerts_elastic_defend_netsecurity_by_host.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Update rules/cross-platform/newly_observed_elastic_defend_alert.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Update rules/cross-platform/newly_observed_elastic_detection_rule.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Update rules/windows/credential_access_rare_webdav_destination.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Update credential_access_rare_webdav_destination.toml

---------

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
 2026-01-26 16:34:16 +00:00
Samirbous edf28367e4 [New] Lateral Movement Alerts from a Newly Observed Entity (#5557) 
* [New] Lateral Movement Alerts from a Newly Observed Entity

High-order rules to prioritize lateral movement alerts triage (detects multiple lateral movement alerts from a source.ip or user.id that was observed for the first time in the previous 5 days).

* Update lateral_movement_multi_alerts_new_userid.toml

* Update lateral_movement_multi_alerts_new_srcip.toml

* Update lateral_movement_multi_alerts_new_userid.toml

* Update lateral_movement_multi_alerts_new_userid.toml

* Update lateral_movement_multi_alerts_new_userid.toml

* Update rules/cross-platform/lateral_movement_multi_alerts_new_srcip.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Update rules/cross-platform/lateral_movement_multi_alerts_new_userid.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Update rules/cross-platform/lateral_movement_multi_alerts_new_srcip.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Update rules/cross-platform/lateral_movement_multi_alerts_new_userid.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Update rules/cross-platform/lateral_movement_multi_alerts_new_srcip.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Update rules/cross-platform/lateral_movement_multi_alerts_new_userid.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Apply suggestion from @Mikaayenson

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Update lateral_movement_multi_alerts_new_userid.toml

* Update lateral_movement_multi_alerts_new_srcip.toml

* Update lateral_movement_multi_alerts_new_userid.toml

* Update lateral_movement_multi_alerts_new_userid.toml

---------

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
 2026-01-26 16:21:27 +00:00
Ruben Groenewoud 6626475119 [Rule Tuning] Several Community DR Issues (#5615) 
* [Rule Tuning] Suspicious Network Connection via systemd

* [Rule Tuning] Systemd-udevd Rule File Creation

* ++
 2026-01-26 17:08:49 +01:00
Ruben Groenewoud c5b64c9fbf [New/Tuning] General API Abuse D4C/K8s Rules (#5591) 
* [New/Tuning] General API Abuse D4C/K8s Rules

* [New Rule] DNS Enumeration Detected via Defend for Containers

* [New Rule] Tool Enumeration Detected via Defend for Containers

* [New Rule] Tool Installation Detected via Defend for Containers

* Service Account File Reads

* [New Rule] Direct Interactive Kubernetes API Request Detected via Defend for Containers

* Rule name update

* [New Rules] D4C K8S MDA API Request Rules

* Add 'tor' to the list of allowed process args

* ++

* ++

* Update rules/integrations/kubernetes/execution_user_exec_to_pod.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update description

* Update rules/integrations/cloud_defend/execution_tool_installation.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Update rules/integrations/cloud_defend/execution_tool_installation.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Update rules/integrations/cloud_defend/execution_tool_installation.toml

* Update non-ecs-schema.json

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
 2026-01-26 16:59:14 +01:00
Ruben Groenewoud 57599e3796 [New Rule] Curl SOCKS Proxy Detected via Defend for Containers (#5596) 
* [New Rule] Curl SOCKS Proxy Detected via Defend for Containers

* Added reference

* Update rules/integrations/cloud_defend/command_and_control_curl_socks_proxy_detected_inside_container.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update time range for cloud defend rule

* Update rules/integrations/cloud_defend/command_and_control_curl_socks_proxy_detected_inside_container.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2026-01-26 16:46:59 +01:00
Ruben Groenewoud fe4418d7f5 [New Rules] Reintroduction of Defend for Containers (D4C) Ruleset (#5561) 
* [New Rules] Reintroduction of Defend for Containers (D4C) Ruleset

* ++

* Removed Reintroduced Rules from Deprecated Folder

* Updated Rule Names

* Added maturity field

* [Update] Large D4C Compatibility Overhaul

* Added busybox

* Remove file that was accidently added in this PR

* Creation date revert

* ++

* Update pyproject.toml

* ++

* ++

* Update

* Update schemas/manifests

* ++
 2026-01-26 16:37:34 +01:00
Samirbous 3b6302a0c5 Update credential_access_multi_could_secrets_via_api.toml (#5618) 2026-01-26 15:21:18 +00:00
Mika Ayenson, PhD bbe83452b4 Revert "[Rule Tuning] Adding D4C Compatibility to Compatible K8s-related Rules (#5578)" (#5620) 
This reverts commit c608b673bf.
 2026-01-26 08:31:53 -06:00
Samirbous 7221db6b36 [Tuning] Potential Ransomware Behavior - Note Files by System (#5595) 
* [Tuning] Potential Ransomware Behavior - Note Files by System

added host.id and removed noisy patterns (writes to non C drive)

* Update impact_high_freq_file_renames_by_kernel.toml

* Apply suggestion from @Mikaayenson

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Update impact_high_freq_file_renames_by_kernel.toml

---------

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
 2026-01-26 13:15:54 +00:00
Samirbous 30c7833f08 [Tuning] Rare Connection to WebDAV Target (#5604) 
* Update credential_access_rare_webdav_destination.toml

* Update credential_access_rare_webdav_destination.toml

* Update credential_access_rare_webdav_destination.toml

* Update credential_access_rare_webdav_destination.toml

* Update credential_access_rare_webdav_destination.toml

* Update credential_access_rare_webdav_destination.toml
 2026-01-26 12:51:09 +00:00
Ruben Groenewoud c608b673bf [Rule Tuning] Adding D4C Compatibility to Compatible K8s-related Rules (#5578) 
* [Rule Tuning] Adding D4C Compatibility to Compatible K8s-related Rules

* Update manifests & schemas

* [New/Updated] Migrated `process.command_line` --> `process.args` for Compatibility

* Pyproject.toml Patch

* ++
 2026-01-26 13:28:08 +01:00
Sergey Polzunov 5b092d7831 [fix] Preserve actions[].params.message field formatting during rule export from the repo (#5597) 
* Preserve `message` field formatting

* Note the JSON path explicitely in the comment

* version bump fix
 2026-01-26 13:04:36 +01:00
Samirbous 3497c7b0b5 [New] Potential Telnet Authentication Bypass (CVE-2026-24061) (#5612) 
* [New] Potential Telnet Authentication Bypass (CVE-2026-24061)

https://www.safebreach.com/blog/safebreach-labs-root-cause-analysis-and-poc-exploit-for-cve-2026-24061/"

https://security-tracker.debian.org/tracker/CVE-2026-24061

* Update lateral_movement_telnet_auth_bypass_via_envar.toml

* Update lateral_movement_telnet_auth_bypass_via_envar.toml

* Update lateral_movement_telnet_auth_bypass_via_envar.toml

* Apply suggestion from @Aegrah

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update initial_access_telnet_auth_bypass_via_user_envar.toml

* Update rules/linux/initial_access_telnet_auth_bypass_via_user_envar.toml

* added rule for auditd

* Update rules/linux/initial_access_telnet_auth_bypass_envar_auditd.toml

* Update rules/linux/initial_access_telnet_auth_bypass_envar_auditd.toml

* Update initial_access_telnet_auth_bypass_envar_auditd.toml

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2026-01-26 10:18:23 +00:00