sigma-rules

Author	SHA1	Message	Date
shashank-elastic	a568c56bc1	Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157 )	2023-10-30 16:53:04 +05:30
Jonhnathan	b4c84e8a40	[Security Content] Tags Reform (#2725 ) * Update Tags * Bump updated date separately to be easy to revert if needed * Update resource_development_ml_linux_anomalous_compiler_activity.toml * Apply changes from the discussion * Update persistence_init_d_file_creation.toml * Update defense_evasion_timestomp_sysmon.toml * Update defense_evasion_application_removed_from_blocklist_in_google_workspace.toml * Update missing Tactic tags * Update unit tests to match new tags * Add missing IG tags * Delete okta_threat_detected_by_okta_threatinsight.toml * Update command_and_control_google_drive_malicious_file_download.toml * Update persistence_rc_script_creation.toml * Mass bump * Update persistence_shell_activity_by_web_server.toml * . --------- Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co> Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>	2023-06-22 18:38:56 -03:00
Jonhnathan	d017156454	[Rule Tuning] Make Rules Compatible with Windows Forwarded Logs (#2761 ) * [Proposal] [Rule Tuning] Make Intended rules compatible with Windows Forwarded Logs * Update tests/test_all_rules.py Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * Update test_all_rules.py * Update test_all_rules.py --------- Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>	2023-05-15 20:31:59 -03:00
Justin Ibarra	59da2da474	[Rule Tuning] Ensure host information is in endpoint rule queries (#2593 ) * add unit tests to ensure host type and platform are included * add host.os.name 'linux' to all linux rules * add host.os.name macos to mac rules * add host.os.name to windows rules; fix linux dates * update from host.os.name to host.os.type Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com> Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>	2023-03-05 11:41:19 -07:00
Jonhnathan	c3d8bac402	[Security Content] Add Investigation Guides to Windows rules (#2521 ) * [Security Content] Add Investigation Guides to Windows rules * . * Add IG tag * Apply suggestions from review * Address reviews * address note * Update defense_evasion_amsi_bypass_dllhijack.toml * Update defense_evasion_amsi_bypass_powershell.toml	2023-02-22 18:13:13 -03:00
Mika Ayenson	1784429aa7	[FR] Add Integration Schema Query Validation (#2470 )	2023-02-02 16:22:44 -05:00
Jonhnathan	54f65abdb0	[Rule Tuning] Potential Shadow Credentials added to AD Object (#2498 )	2023-01-30 09:14:23 -03:00
Terrance DeJesus	4312d8c958	[FR] Add Endpoint, APM and Windows Integration Tags to Rules and Supportability (#2429 ) * initial commit * addressing flake errors * added apm to _get_packagted_integrations logic * addressed flake errors * adjusted integration schema and updated rules to be a list * updated several rules and removed a unit test * updated rules with logs-* only index patterns * Update tests/test_all_rules.py Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * addressed flake errors * integration is none is windows, endpoint or apm * adding rules with accepted incoming changes from main * fixed tag and tactic alignment errors from unit testing * adjusted unit testing logic for integration tags; added more exclusion rules * adjusted test_integration logic to be rule resistent and skip if -8.3 * adjusted comments for unit test skip * fixed merge conflicts from main * changing test_integration_tag to remove logic for rule version comparisons * added integration tag to new rule * adjusted rules updated_date value * ignore guided onboarding rule in unit tests * added integration tag to new rule Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>	2023-01-04 09:30:07 -05:00
Jonhnathan	9c1bd50a63	[Rule Tuning] Adjust Index Pattern on Windows rules to support WEF (#2438 ) * [Rule Tuning] Adjust Index Pattern on Windows rules to support WEF * s/host.id/winlog.computer_name	2022-12-21 11:30:04 -03:00
Samirbous	cbbac02b56	[Rule Tuning] Potential Shadow Credentials added to AD Object (#2359 ) limit the query to suspicious KEYCREDENTIALLINK_BLOB value length to 828 `DN-Binary data: B:<char count>:<binary value>:<object DN>` which matches on the add of a keycredential structure using public offensive tooling and avoid FPs (Azure, CredGuard and others). Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>	2022-11-15 20:01:22 +00:00
Justin Ibarra	46d5e37b76	min_stack all rules to 8.3 (#2259 ) * min_stack all rules to 8.3 * bump date Co-authored-by: Mika Ayenson <mika.ayenson@elastic.co>	2022-08-24 10:38:49 -06:00
Mika Ayenson	a52751494e	2058 add setup field to metadata (#2061 ) * Convert config header to setup in note field * Parse note field into separate setup and note field with marko gfm * only validate and parse note on elastic authored rules and add CLI description for new DR_BYPASS_NOTE_VALIDATION_AND_PARSE environment variable Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>	2022-07-18 15:41:32 -04:00
Jonhnathan	0943ffba5f	[Rule Tuning] Remove `logs-windows.` index (#1928 ) Remove `logs-windows.` index Update discovery_privileged_localgroup_membership.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2022-04-14 09:25:44 -03:00
Jonhnathan	85b72256c2	[New Rule] Potential Shadow Credentials added to AD Object (#1729 ) * Potential Shadow Credentials added to AD Object Initial Rule * Apply suggestions from code review Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update credential_access_shadow_credentials.toml * Add AD tag * Update credential_access_shadow_credentials.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2022-02-04 15:49:04 -03:00

14 Commits