sigma-rules

security-tools/sigma-rules

Fork 0

Commit Graph

Author	SHA1	Message	Date
Jonhnathan	d017156454	[Rule Tuning] Make Rules Compatible with Windows Forwarded Logs (#2761 ) * [Proposal] [Rule Tuning] Make Intended rules compatible with Windows Forwarded Logs * Update tests/test_all_rules.py Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * Update test_all_rules.py * Update test_all_rules.py --------- Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>	2023-05-15 20:31:59 -03:00
Justin Ibarra	59da2da474	[Rule Tuning] Ensure host information is in endpoint rule queries (#2593 ) * add unit tests to ensure host type and platform are included * add host.os.name 'linux' to all linux rules * add host.os.name macos to mac rules * add host.os.name to windows rules; fix linux dates * update from host.os.name to host.os.type Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com> Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>	2023-03-05 11:41:19 -07:00
Samirbous	cd2307ba7d	[New Rule] FirstTimeSeen User Performing DCSync (#2433 ) * Create credential_access_dcsync_newterm_subjectuser.toml * Update credential_access_dcsync_newterm_subjectuser.toml * Update credential_access_dcsync_newterm_subjectuser.toml * Update credential_access_dcsync_newterm_subjectuser.toml * Update rules/windows/credential_access_dcsync_newterm_subjectuser.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/credential_access_dcsync_newterm_subjectuser.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update credential_access_dcsync_newterm_subjectuser.toml * Update credential_access_dcsync_newterm_subjectuser.toml * Update rules/windows/credential_access_dcsync_newterm_subjectuser.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/credential_access_dcsync_newterm_subjectuser.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> --------- Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>	2023-02-02 15:44:31 +00:00

Author

SHA1

Message

Date

Jonhnathan

d017156454

[Rule Tuning] Make Rules Compatible with Windows Forwarded Logs (#2761 )

* [Proposal] [Rule Tuning] Make Intended rules compatible with Windows Forwarded Logs

* Update tests/test_all_rules.py

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* Update test_all_rules.py

* Update test_all_rules.py

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

2023-05-15 20:31:59 -03:00

Justin Ibarra

59da2da474

[Rule Tuning] Ensure host information is in endpoint rule queries (#2593 )

* add unit tests to ensure host type and platform are included
* add host.os.name 'linux' to all linux rules
* add host.os.name macos to mac rules
* add host.os.name to windows rules; fix linux dates
* update from host.os.name to host.os.type

Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

2023-03-05 11:41:19 -07:00

Samirbous

cd2307ba7d

[New Rule] FirstTimeSeen User Performing DCSync (#2433 )

* Create credential_access_dcsync_newterm_subjectuser.toml

* Update credential_access_dcsync_newterm_subjectuser.toml

* Update credential_access_dcsync_newterm_subjectuser.toml

* Update credential_access_dcsync_newterm_subjectuser.toml

* Update rules/windows/credential_access_dcsync_newterm_subjectuser.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/credential_access_dcsync_newterm_subjectuser.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update credential_access_dcsync_newterm_subjectuser.toml

* Update credential_access_dcsync_newterm_subjectuser.toml

* Update rules/windows/credential_access_dcsync_newterm_subjectuser.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/credential_access_dcsync_newterm_subjectuser.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

2023-02-02 15:44:31 +00:00

3 Commits