security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
1,512 Commits 1 Branch 0 Tags
71186c8788b3f85dba122647e8992dcafe29c7e3
Commit Graph

35 Commits

Author SHA1 Message Date
Justin Ibarra 411ec36ff0 Validate markdown plugin fields (#2602) 2023-03-28 09:17:50 -04:00
Justin Ibarra 59da2da474 [Rule Tuning] Ensure host information is in endpoint rule queries (#2593) 
* add unit tests to ensure host type and platform are included
* add host.os.name 'linux' to all linux rules
* add host.os.name macos to mac rules
* add host.os.name to windows rules; fix linux dates
* update from host.os.name to host.os.type

Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-03-05 11:41:19 -07:00
Jonhnathan 1a4510c9d4 [Security Content] Add Investigation Guides to Windows Rules - 2 (#2534) 
* [Security Content] Add Investigation Guides to Windows Rules - 2

* tags

* Adjust some phrasing based on the review

* Update credential_access_bruteforce_admin_account.toml

* Missing Osquery Note

* Missing note
 2023-03-01 21:23:09 -03:00
Jonhnathan f17b6f1702 [Security Content] Fix verbiage used on Osquery Note (#2513) 
* [Security Content] Fix verbiage used on Osquery Note

* Adjust verbiage

* date bump

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2023-02-22 12:33:23 -03:00
Jonhnathan 7725e32126 [Security Content] Fix Osquery Markdown Plugin Escaped queries (#2447) 
* [Security Content] Fix Osquery Markdown Plugin Escaped queries

* Re-add line

* Update credential_access_credential_dumping_msbuild.toml

* Update command_and_control_common_webservices.toml
 2023-01-09 14:45:31 -03:00
Jonhnathan 9981cca275 [Security Content] Investigation Guides Line breaks refactor (#2454) 
* [Security Content] Investigation Guides Line breaks refactor (#2412)

* [Security Content] Investigation Guides Line break refactor

* undo updated_date bump on deprecated rules

* Remove duplicated key

* Remove changes to deprecated rules

* Update command_and_control_certutil_network_connection.toml
 2023-01-09 13:28:10 -03:00
Terrance DeJesus b1a689b6fd Revert "[Security Content] Investigation Guides Line breaks refactor (#2412)" (#2453) 
This reverts commit d1481e1a88.
 2023-01-09 10:44:54 -05:00
Jonhnathan d1481e1a88 [Security Content] Investigation Guides Line breaks refactor (#2412) 
* [Security Content] Investigation Guides Line break refactor

* undo updated_date bump on deprecated rules

* Remove duplicated key
 2023-01-09 11:56:39 -03:00
Terrance DeJesus 4312d8c958 [FR] Add Endpoint, APM and Windows Integration Tags to Rules and Supportability (#2429) 
* initial commit

* addressing flake errors

* added apm to _get_packagted_integrations logic

* addressed flake errors

* adjusted integration schema and updated rules to be a list

* updated several rules and removed a unit test

* updated rules with logs-* only index patterns

* Update tests/test_all_rules.py

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* addressed flake errors

* integration is none is windows, endpoint or apm

* adding rules with accepted incoming changes from main

* fixed tag and tactic alignment errors from unit testing

* adjusted unit testing logic for integration tags; added more exclusion rules

* adjusted test_integration logic to be rule resistent and skip if -8.3

* adjusted comments for unit test skip

* fixed merge conflicts from main

* changing test_integration_tag to remove logic for rule version comparisons

* added integration tag to new rule

* adjusted rules updated_date value

* ignore guided onboarding rule in unit tests

* added integration tag to new rule

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2023-01-04 09:30:07 -05:00
Jonhnathan ac01718bb6 [Rule Tuning] Add tags to flag Sysmon-only rules & Modify Investigation Guide-related tag (#2352) 
* [Rule Tuning] Add tags to flag Sysmon-only rules

* Modify tags

* Revert "Modify tags"

This reverts commit 3d9267d171a41f727bb499501d71d5c4db4f0434.

* Modify tags

* Update test_all_rules.py

* Update test_all_rules.py

* Update test_all_rules.py

* Update test_all_rules.py

* Update test_all_rules.py
 2022-11-18 12:32:27 -03:00
Jonhnathan 6055d0db60 [Security Content] Introduce Osquery Markdown Plugin Queries in Investigation Guides (#2387) 
* [Security Content] Introduce Osquery Markdown Plugin Queries in Investigation Guides

* Remove min_stack and add Note

* Fix Typo and preffix

* Update command_and_control_certutil_network_connection.toml

* Add unit test to check Note about Osquery Markdown plugin and Version limitations

* Update test_all_rules.py

* Update test_all_rules.py

* Change Note Verbiage
 2022-11-17 18:38:34 -03:00
Jonhnathan f02ffbbe13 [Security Content] Add Investigation Guides - 8.5 (#2305) 
* [Security Content] Add Investigation Guides - 8.5

* Update persistence_run_key_and_startup_broad.toml

* Apply suggestions from security-docs review review

* Update execution_suspicious_jar_child_process.toml

* Apply suggestions from review
 2022-09-23 18:44:24 -03:00
Jonhnathan ec04a39413 [Security Content] Tag rules with robust Investigation Guides (#2297) 2022-09-23 14:20:32 -03:00
Justin Ibarra 46d5e37b76 min_stack all rules to 8.3 (#2259) 
* min_stack all rules to 8.3

* bump date

Co-authored-by: Mika Ayenson <mika.ayenson@elastic.co>
 2022-08-24 10:38:49 -06:00
Jonhnathan d854b943e5 [Security Content] Add Investigation Guides to Cloud Rules - AWS (#2104) 
* [Security Content] Add Investigation Guides to Cloud Rules - AWS

* Apply suggestion from review

* Update rules/integrations/aws/exfiltration_ec2_snapshot_change_activity.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Apply suggestions from review

* Apply suggestions from code review

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* .

* Applies suggestions from the https://github.com/elastic/detection-rules/pull/2124 PR

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2022-07-20 12:28:58 -03:00
Jonhnathan 817b97f428 [Security Content] Refactor Existing Investigation Guides (#1959) 
* Initial commit

* Update Investigation guides - security-docs review

* Update command_and_control_dns_tunneling_nslookup.toml

* Update defense_evasion_amsienable_key_mod.toml

* Apply security-docs review

* Remove dot

* Update rules/windows/command_and_control_rdp_tunnel_plink.toml

Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Apply changes from review

* Apply the suggestion

Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>
 2022-05-18 12:59:39 -03:00
Jonhnathan a3d7427d29 [Security Content] Add Investigation Guides - 2 (#1822) 
* Add Investigation Guides for Windows Rules - First half

* + 1/2

* Update impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml

* Update credential_access_mod_wdigest_security_provider.toml

* Apply suggestions from code review

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* Update defense_evasion_amsienable_key_mod.toml

* Update defense_evasion_amsienable_key_mod.toml

* Apply suggestions from code review

Co-authored-by: benironside <91905639+benironside@users.noreply.github.com>

* Update command_and_control_certutil_network_connection.toml

* Apply suggestions from code review

Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>
Co-authored-by: Joe Peeples <joe.peeples@elastic.co>
Co-authored-by: benironside <91905639+benironside@users.noreply.github.com>

* Update collection_winrar_encryption.toml

* Apply suggestions from code review

Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
Co-authored-by: benironside <91905639+benironside@users.noreply.github.com>
Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>
Co-authored-by: Joe Peeples <joe.peeples@elastic.co>
 2022-03-30 14:43:55 -03:00
Brent Murphy 12577f7380 [Rule Tuning] Update network rule address blocks (#1227) 
* Update network rule address blocks
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2021-06-15 09:22:59 -04:00
Justin Ibarra 3fc34b86f2 Update License to Elastic v2 (#944) 2021-03-03 22:12:11 -09:00
Justin Ibarra 645a0cd67b [Rule Tuning] Add timestamp_override to all query and non-sequence EQL rules (#945) 
* [Rule Tuning] Add timestamp_override field to rules
* add tests for lookback and timestamp_override
* fix dates and add test to ensure updated > creation
 2021-02-17 19:49:58 -09:00
Justin Ibarra a0e86e20d6 [Rule Tuning] Add windows integration index to rules (#923) 2021-01-28 20:53:57 -09:00
Justin Ibarra 97ee8cc9ac Refresh beats and ecs schemas and default to use latest to validate (#570) 
* Refresh beats and ecs schemas and default to use latest to validate
* remove incorrect ecs_version from zoom rule
* remove stale ecs_version from rules
 2020-12-01 13:24:20 -09:00
Justin Ibarra f87f2a46f4 [Rule Tuning] Remove all rule timelines (#466) 2020-11-03 09:51:53 -09:00
Justin Ibarra da64bacac1 [Rule Tuning] Add timeline_title to rules with timeline IDs defined (#452) 2020-11-02 14:12:20 -09:00
Justin Ibarra a575cf9ff3 [Rule Tuning] Use cidrMatch for eql rules checking multiple IPs (#431) 2020-10-29 11:06:24 -08:00
Justin Ibarra 0d3c35886c Remove connection type from endpoint network rules (#426) 2020-10-28 12:35:34 -08:00
Derek Ditch 580db2c13e Add timeline_id to detection rules (#95) 
* Adds timeline_id to all network rules
- Uses the ID for the 'Generic Network Timeline' from Elastic
* Adds timeline_id to all endpoint rules
- Uses the ID for the 'Generic Endpoint Timeline' from Elastic
* Adds timeline_id to all process-oriented rules
    - Uses the ID for the 'Generic Process Timeline' from Elastic
* Ran tests and toml-lint
* Bumped 'updated_date'
 2020-10-27 13:34:16 -05:00
seth-goodwin 2065af89b1 [Rule Tuning] Tag Categorization Updates (#380) 
* Add new categorization tags

* Change updated_date to 2020/10/26

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>, @bm11100
 2020-10-26 13:50:45 -05:00
Justin Ibarra 065bcd8018 Refresh ATT&CK data to v7.2 and expand threat validation (#330) 
* refresh to latest ATT&CK 7.2
* add new unit test to further validate threat mappings
* updated threat mappings in rules to reflect changes
* new func to download and refresh mitre data based on version
 2020-09-23 22:03:29 -08:00
brokensound77 aec3ec31b9 Merge branch '7.9' into main 2020-08-27 15:54:44 -08:00
Justin Ibarra 79a0dfefbe Add ECS 1.6.0 schema for validation testing (#220) 
* Add ecs 1.6.0 and refresh master ecs (2.0.0)
* update rule metadata to use ecs_version 1.6.0
 2020-08-27 11:54:49 -05:00
Justin Ibarra be08536880 Increase lookback for endpoint rules (#200) 2020-08-21 12:23:43 -05:00
Brent Murphy 7efe33e01d [Rule Tuning] Update Index Pattern for Detection Engine Rules (#101) 
* [Rule Tuning] Update Index Pattern for Detection Engine Rules

* update indices
 2020-08-03 15:46:57 -04:00
Justin Ibarra 95908c22a4 Improve ECS compatibility for endpoint rules 2020-07-07 15:41:23 -06:00
Ross Wolf 5fcece8416 Populate rules/ directory. 
Co-Authored-By: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-Authored-By: Craig Chamberlain <randomuserid@users.noreply.github.com>
Co-Authored-By: David French <56409778+threat-punter@users.noreply.github.com>
Co-Authored-By: Derek Ditch <dcode@users.noreply.github.com>
Co-Authored-By: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-06-29 22:57:03 -06:00