security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
2,115 Commits 1 Branch 0 Tags
7693d785aad70787971432c9d7511e7166312921
Commit Graph

418 Commits

Author SHA1 Message Date
Jonhnathan 54d5b442cf [Rule Tuning] Add Initial Microsoft Defender for Endpoint Compatibility to Windows DRs (#3825) 
* [Rule Tuning] Add Initial Microsoft Defender for Endpoint Compatibility to Windows DRs

* .

* Update integration-schemas.json.gz

* Fix integration manifests
 2024-06-26 11:06:27 -03:00
github-actions[bot] 6f43d1f535 Lock versions for releases: 8.9,8.10,8.11,8.12,8.13,8.14 (#3821) 2024-06-25 17:58:37 +05:30
Mika Ayenson 259efaf716 [FR] Loosen Filters Schema Validation (#3753) 2024-06-18 15:57:14 -05:00
Terrance DeJesus 020ca4be24 [New Rule] Rapid7 Threat Command CVEs Correlation (#3718) 
* new rule 'Rapid7 Threat Command CVEs Correlation'

* Update rules/threat_intel/threat_intel_rapid7_threat_command.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* updated threat index and tags

* changed 'indicator match' to 'threat match' for tags

* removed timeline

* updating integrations to match main

* re-adding rapid7 threat command integration manifest and schema

* reverting changes; removing timeline

* changed max signals to 10000

---------

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
 2024-06-12 18:01:44 -04:00
github-actions[bot] e3a72c6c47 Lock versions for releases: 8.9,8.10,8.11,8.12,8.13,8.14 (#3778) 2024-06-11 20:57:01 +05:30
Ruben Groenewoud ec223a4a05 [New Rule] Suspicious File Modification (#3746) 
* [New Rule] Suspicious File Modification

* Update persistence_suspicious_file_modifications.toml

* Update rules/linux/persistence_suspicious_file_modifications.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/linux/persistence_suspicious_file_modifications.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Updates

* Update rules/integrations/fim/persistence_suspicious_file_modifications.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
 2024-06-11 13:03:20 +02:00
shashank-elastic e357a2c050 Refresh MITRE Attack v15.1.0 (#3725) 2024-06-04 20:14:58 +05:30
github-actions[bot] 259bab7a5a Lock versions for releases: 8.9,8.10,8.11,8.12,8.13,8.14 (#3716) 2024-05-29 19:48:22 +05:30
Terrance DeJesus 527f785a60 [New Rule] AWS EC2 VPC Security Group Rule Added for Any Address or Remote Access Ports (#3599) 
* new rule 'AWS EC2 VPC Security Group Rule Added for Any Address or Remote Access Ports'

* updated rule name

* changed file name; added false-positive note

* changed rule UUID

* adjusted file name

* updated tags

* added investigation guide; updated query logic

* Update rules/integrations/aws/defense_evasion_vpc_security_group_ingress_rule_added_for_remote_connections.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* updated query and name

* updated query optimization

---------

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
 2024-05-28 10:49:20 -04:00
Eric Forte f43fbfba0d [FR] Update utility path computation to use pathlib (#3699) 
* update

* Updated to pathlib

* Linting

* Add string cast where needed

* Add additional string conversion as needed

* Str conversions to support eql lib

* Attack typo

* Typo in test script

* Updated for more pathlib

* Linting

* Update to convert string to path object

* Fix typo
 2024-05-23 17:36:51 -04:00
shashank-elastic f73022b900 Package Manifest changes to add capabilities (#3706) 2024-05-23 15:46:35 -05:00
shashank-elastic 63e91c2f12 Back-porting Version Trimming (#3704) 2024-05-23 00:45:10 +05:30
Mika Ayenson 2c3dbfc039 Revert "Back-porting Version Trimming (#3681)" 
This reverts commit 71d2c59b5c.
 2024-05-22 13:51:46 -05:00
shashank-elastic 71d2c59b5c Back-porting Version Trimming (#3681) 2024-05-23 00:11:50 +05:30
Mika Ayenson 371e24b2ed Revert "[FR] Update Utility Path Computation to use Pathlib (#3659)" 
This reverts commit 23567c1d0c.
 2024-05-21 16:14:45 -05:00
Eric Forte 23567c1d0c [FR] Update Utility Path Computation to use Pathlib (#3659) 
* update

* Updated to pathlib

* Linting

* Add string cast where needed

* Add additional string conversion as needed

* Str conversions to support eql lib

* Attack typo

* Typo in test script

* Updated for more pathlib

* Linting

* Update to convert string to path object
 2024-05-21 14:19:20 -04:00
Jonhnathan d023ad66b1 [Rule Tuning] Add Initial SentinelOne Compatibility to Windows DRs (#3627) 
* [Rule Tuning] Add Initial SentinelOne Compatibility

* updated definitions.py; updated tags; fixed unit tests

* added prerelease versions for s1 integration; updated build CLI commands to allow prerelease; bumped min-stacks

* updating manifests and integrations

* fixing flake errors

* min_stack

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2024-05-20 09:50:57 -03:00
Eric Forte 707ca32ab1 [FR] Add --force flag to update-lock-versions (#3693) 
* Add --force flag to update-lock-versions

* Add type hinting
 2024-05-17 20:25:08 -04:00
Mika Ayenson 79f575b33c [FR] Normalize yml ext to yaml (#3675) 2024-05-15 15:18:39 -05:00
github-actions[bot] f3585da503 Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13,8.14 (#3676) 2024-05-15 17:04:22 +05:30
shashank-elastic 50a8b52cd5 Prepare For Next Elastic Stack 8.15 (#3670) 2024-05-15 00:31:02 +05:30
Mika Ayenson 78837549e8 [FR] Bundle KQL & Kibana libs into base dependencies (#3662) 2024-05-13 14:29:03 -05:00
Eric Forte 094ef22604 [Bug] Update Rule Formatter (#3668) 
* Update Rule Formatter

* Only apply fix to Note
 2024-05-13 15:00:01 -04:00
github-actions[bot] 84437bac03 Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13 (#3650) 
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13

* Bumping status checks

* undo bump

---------

Co-authored-by: eric-forte-elastic <eric-forte-elastic@users.noreply.github.com>
Co-authored-by: eric-forte-elastic <eric.forte@elastic.co>
 2024-05-06 12:44:32 -04:00
Eric Forte a4a0bc6a7e [Bug] Query validation failing to capture InSet edge case with ip field types (#3572) 
* Move test case to separate file

---------

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-05-06 07:58:42 -04:00
Mika Ayenson 2ffb0e7fe2 [New Rule] Potential Abuse of Resources by High Token Count and Large Response Sizes (#3644) 2024-05-03 18:01:53 -05:00
Justin Ibarra 2668f5f762 [Bug] Fix missing indexes on navigator build (#3636) 
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
 2024-05-01 15:50:54 -06:00
Justin Ibarra 54ff270c62 [New Rule] AWS S3 Bucket Enumeration or Brute Force (#3635) 
* [New Rule] AWS S3 Bucket Enumeration or Brute Force
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
---------

Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2024-05-01 15:00:33 -06:00
github-actions[bot] ca78f550fd Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13 (#3630) 2024-04-30 18:06:01 +05:30
Justin Ibarra c567d3731a Refresh Kibana module with API updates (#3466) 
* Refresh Kibana module with API updates
* add import/export commands
* rename repo commands
* add RawRuleCollection and DictRule objects
* save exported rules to files; rule.from_rule_resource
* strip unknown fields in schema
* add remote cli test
* update docs
* bump kibana lib version

---------

Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
 2024-04-26 11:12:50 -06:00
github-actions[bot] 374f21fbc4 Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13 (#3615) 2024-04-23 17:59:01 +05:30
Jonhnathan d0dfa479bb [Rule Tuning] Windows BBR Rule Tuning - 1 (#3579) 
* [Rule Tuning] Windows BBR Rule Tuning - 1

* Update non-ecs-schema.json

* Update rules_building_block/command_and_control_certutil_network_connection.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules_building_block/collection_common_compressed_archived_file.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update defense_evasion_dll_hijack.toml

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2024-04-08 10:38:41 -03:00
Terrance DeJesus 0cb42983c1 updated to v14.0 mitre ATT&CK (#3289) 
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
 2024-04-05 14:30:23 -04:00
Eric Forte fbb6df506e Update default (#3574) 2024-04-04 20:27:14 -04:00
Eric Forte 1566c29bae [Bug] KQL fails validation on uppercase keywords (#3568) 
* add todo

* Add a normalize_kql_keywords function to utils

* update rule loader to normalize and warn

* optimized loading

* fix linting

* Moved conversion to kql module.

* Updated unit test

* Refactor KQL parser to normalize keywords via flag

* Fix logic typo

* Update detection_rules/utils.py

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update lib/kql/kql/__init__.py

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Updated to fix unit tests and remove warnings

* linting typo

* Added comments

* remove unused imports

* Update kql.parse default

---------

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2024-04-04 18:03:30 -04:00
Eric Forte fa75876322 [Bug] New Terms Rule Import Failing (#3569) 
* initial patch

* Update definitions to allow for brackets in name

* Update to prompt for required fields.

* Update detection_rules/cli_utils.py

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

---------

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2024-04-04 17:37:13 -04:00
Mika Ayenson c35652c8c8 [Bug] Add explicit format preserver (#3566) 2024-04-04 15:50:48 -05:00
Eric Forte a9cc323d09 [Bug] Threshold Rule Importing Failures (#3560) 
* remove threshold specific req

* fix test event override

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-04-03 14:15:09 -04:00
shashank-elastic 3fbffa24ed Deprecate Releasing to a patch kibana version workflow (#3552) 2024-04-03 08:34:45 +05:30
github-actions[bot] 8d5bd3b0f6 Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13 (#3567) 
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13

* Update detection_rules/etc/deprecated_rules.json

---------

Co-authored-by: shashank-elastic <shashank-elastic@users.noreply.github.com>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-04-02 23:59:42 +05:30
Jonhnathan 67ca13c1ce [Rule Tuning] Replace KQL exceptions for Query DSL Exceptions (#3505) 
* [Rule Tuning] Replace KQL exceptions for Query DSL Exceptions

* update min_stack

* build out schema in more detail for Filters

* Update detection_rules/rule.py

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* Remove enum for definition

* remove unused import

* remove $state store

* transform state

* add call to super

* add return type hint

* use dataclass metadata

* use Literal type

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2024-04-01 17:44:50 -03:00
Mika Ayenson bb907a4d76 [FR] Add support for investigation_fields (#3550) 2024-04-01 11:52:46 -05:00
shashank-elastic 8b215eac41 Fix create PR in release workflow (#3528) 2024-04-01 21:17:10 +05:30
Mika Ayenson b6a7e7ebda [FR] Add required-fields option to import-rules (#3546) 2024-03-28 18:29:47 -05:00
Eric Forte 3503786154 Update sort parameter (#3531) 2024-03-25 11:46:30 -04:00
github-actions[bot] eaf4658620 Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13 (#3526) 
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13

* Update detection_rules/etc/deprecated_rules.json

---------

Co-authored-by: shashank-elastic <shashank-elastic@users.noreply.github.com>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-03-21 20:30:46 +05:30
Mika Ayenson 5c3523954e [FR] Update Python Dependency Versions (#3515) 2024-03-19 14:07:16 -05:00
Mika Ayenson d26981f712 [FR] Independently package kql / kibana and bump to py3.12 (#3514) 2024-03-14 20:18:32 -05:00
Mika Ayenson 3d2a36be32 Revert "[FR] Independently package kql / kibana and bump to py3.12 (#3492)" 
This reverts commit fc139fc3c2.
 2024-03-14 19:48:50 -05:00
Mika Ayenson fc139fc3c2 [FR] Independently package kql / kibana and bump to py3.12 (#3492) 2024-03-14 19:14:25 -05:00