security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
3,364 Commits 1 Branch 0 Tags
8b8c0beec7641b48527f711dfbfbded0e880e8f9
Commit Graph

14 Commits

Author SHA1 Message Date
Ruben Groenewoud e1698890a4 [Rule Tuning] Linux DR Tuning - 7 (#5504) 
* [Rule Tuning] Linux DR Tuning - 7

* Update execution_egress_connection_from_entrypoint_in_container.toml

* Update execution_kubernetes_direct_api_request_via_curl_or_wget.toml

* Update rules/linux/execution_perl_tty_shell.toml

* Update execution_perl_tty_shell.toml

* Update rules/linux/execution_unix_socket_communication.toml

* Update execution_file_made_executable_via_chmod_inside_container.toml

* Remove duplicate Crowdstrike data source entry

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2026-01-08 11:10:46 +01:00
Mika Ayenson fe8c81d762 [FR] Generate investigation guides (#4358) 2025-01-22 11:17:38 -06:00
Mika Ayenson b80d8342d6 [Docs | Rule Tuning] Add blog references to rules (#4097) 
* [Docs | Rule Tuning] Add blog references to rules

* Apply suggestions from code review

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Apply suggestions from code review

* Update google_workspace blog references

* add okta blog references

* Update dates

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2024-09-25 15:19:20 -05:00
shashank-elastic 63e91c2f12 Back-porting Version Trimming (#3704) 2024-05-23 00:45:10 +05:30
Mika Ayenson 2c3dbfc039 Revert "Back-porting Version Trimming (#3681)" 
This reverts commit 71d2c59b5c.
 2024-05-22 13:51:46 -05:00
shashank-elastic 71d2c59b5c Back-porting Version Trimming (#3681) 2024-05-23 00:11:50 +05:30
Ruben Groenewoud a6028b43b3 [Rule Tuning] Potential Reverse Shell via UDP (#3508) 2024-03-21 13:48:41 +01:00
Jonhnathan 458e67918a [Security Content] Small tweaks on the setup guides (#3308) 
* [Security Content] Small tweaks on the setup guides

* Additional Fixes

* Avoid touching deprecated rules
 2024-03-11 09:09:40 -03:00
Ruben Groenewoud 3484cac7eb [Tuning] Event.dataset removal & Tag Addition (#3451) 
* [Tuning] Removed event.dataset and added tag

* [Tuning] Removed event.dataset and added tag

* fixed typo

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2024-02-20 15:18:27 +01:00
shashank-elastic d52546eee5 Enhance Setup Guide information (#3256) 2023-11-03 19:05:29 +05:30
Ruben Groenewoud 020fff3aea [Rule Tuning] Linux Rules (#3092) 
* [Rule Tuning] [WIP] Linux DR

* Update defense_evasion_binary_copied_to_suspicious_directory.toml

* Fixed tag

* Added additional tuning

* unit test fix

* Additional tuning

* tuning

* added max signals

* Added max_signals=1 to brute force rules

* Cross-Platform Tuning

* Small fix

* new_terms conversion

* typo

* new_terms conversion

* Ransomware rule tuning

* performance tuning

* new_terms conversion for auditd_manager

* tune

* Need coffee

* kql/eql stuff

* formatting improvement

* new_terms sudo hijacking conversion

* exclusion

* Deprecations that were added last tuning

* Deprecations that were added last tuning

* Increased max timespan for brute force rules

* version bump

* added domain tag

* Two tunings

* More tuning

* Additional tuning

* updated_date bump

* query optimization

* Tuning

* Readded the exclusions for this one

* Changed int comparison

* Some tunings

* Update persistence_systemd_scheduled_timer_created.toml

* Update rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* [New Rule] Potential curl CVE-2023-38545 Exploitation

* Revert "[New Rule] Potential curl CVE-2023-38545 Exploitation"

This reverts commit 9c04d1b53d3d63678289f43ec0c7b617d26f1ce0.

* Update rules/cross-platform/command_and_control_non_standard_ssh_port.toml

* Update rules/linux/command_and_control_cat_network_activity.toml

* Update persistence_message_of_the_day_execution.toml

* Changed max_signals

* Revert "Merge branch 'main' into rule-tuning-ongoing-dr"

This reverts commit 1106b5d2eba1a3529eff325226d6baabfd4b0bf3, reversing
changes made to 5ff510757f25b0cb32e1ef18e9e2c34c8ec325a8.

* Revertable merge

* Update defense_evasion_ld_preload_env_variable_process_injection.toml

* File name change

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-10-23 16:28:58 +02:00
shashank-elastic 7254c582c5 Move Setup information into setup filed (#3206) 2023-10-23 19:28:18 +05:30
shashank-elastic 2a48db0598 Setup information for Linux Rules - Set5 (#3188) 2023-10-17 19:11:20 +05:30
Ruben Groenewoud f8f3576971 [New Rule] Potential UDP Reverse Shell (#2906) 
* [New Rule] Potential UDP Reverse Shell Detected

* Title change

* Update execution_shell_via_udp_cli_utility_linux.toml

* Update execution_shell_via_udp_cli_utility_linux.toml

* Update rules/linux/execution_shell_via_udp_cli_utility_linux.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* updated non-ecs-schema to update unmapped fields

* Update rules/linux/execution_shell_via_udp_cli_utility_linux.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Removed netcat, added destination ip list

* Update execution_shell_via_udp_cli_utility_linux.toml

* Added precautionary exclusions

* Update rules/linux/execution_shell_via_udp_cli_utility_linux.toml

* replaced schema files

* Update execution_shell_via_udp_cli_utility_linux.toml

* Update execution_shell_via_udp_cli_utility_linux.toml

* Update execution_shell_via_udp_cli_utility_linux.toml

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2023-09-07 17:13:22 +02:00