security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
1,011 Commits 1 Branch 0 Tags
8b3d4f66910d9eb4c8209c2da2d10532ea4e3567
Commit Graph

8 Commits

Author SHA1 Message Date
Justin Ibarra 3311168e28 Expand timestamp override tests (#1907) 
* Expand timestamp_override tests
* removed timestamp_override from eql sequence rules
* add config entry for eql rules with beats index and t_o
* add timestamp_override to missing fields

Removed changes from:
- rules/cross-platform/impact_hosts_file_modified.toml
- rules/windows/credential_access_lsass_memdump_file_created.toml
- rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
- rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
- rules/windows/defense_evasion_suspicious_certutil_commands.toml
- rules/windows/execution_command_shell_started_by_svchost.toml

(selectively cherry picked from commit 6bdfddac8e)
 2022-04-01 23:29:22 +00:00
Justin Ibarra 5bc3d1e2d5 [New Rule] Okta User Session Impersonation (#1867) 
* [New Rule] Okta User Session Impersonation
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

(cherry picked from commit 46c2383e5b)
 2022-03-23 00:13:53 +00:00
Jonhnathan 73b3bec457 [Security Content] Update rules based on docs review (#1803) 
* Adds suggestions from security-docs

* Update rules/windows/lateral_movement_powershell_remoting_target.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

(cherry picked from commit 1c50f35aed)
 2022-03-02 00:41:56 +00:00
Justin Ibarra 948e484070 [Rule tuning] Update rules based on docs review (#1663) 
* [Rule tuning] Update rule verbiage based on docs review

* fix typos

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* revert TI rule changes since it was deprecated

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

(cherry picked from commit 72c64de3f5)
 2022-01-28 19:43:39 +00:00
Jonhnathan 15d6244331 Create credential_access_mfa_push_brute_force.toml (#1682) 
(cherry picked from commit 7e4325dd7a)
 2022-01-27 12:40:11 +00:00
Jonhnathan 4524c175c8 Add missing Integration field (#1537) 
* Add missing Integration field

* Bump updated_date

* Add test for integration<->path

* Fix rule folder

* bump updated date in rule

Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
 2021-10-26 12:05:12 -03:00
Austin Songer 3b0d2006b7 Made these pull requests before the directory restructure. (#1517) 
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-10-05 09:29:40 -03:00
Ross Wolf 1882f4456c [Fleet] Track integrations in folder and metadata (#1372) 
* Track integrations in folder and metadata
* Remove duplicate entry
* Update note and tests
 2021-07-21 15:24:56 -06:00