Commit Graph

9 Commits

Author SHA1 Message Date
Justin Ibarra 90a9320f93 [Rule Tuning] Remove timestamp_override for endgame-* promotion rules (#951)
* remove timestamp_override from endgame promotion rules
* updated version.lock to previous state for endgame promotion rule changes
* fix incorrect year in updated_date
2021-02-17 13:48:57 -09:00
Justin Ibarra 61deed3fd2 [Rule Tuning] 7.11.2: Add timestamp_override to all query and non-sequence EQL rules (#948)
* [Rule Tuning] Add timestamp_override field to 7.11.0 rules
* Lock versions for 7.11.2 rules
2021-02-16 10:52:48 -09:00
Brent Murphy 627610401c [Rule Tuning] Update rules for new Fleet integrations (#729)
* update azure indices

* remove . in index to match prior cloud rules

* update o365 indices

* add event.dataset:google_workspace.admin to existing google workspace rules

* gcp syntax

* add gcp index

* update gcp index

* update index patterns for google workspace rules

* update gcp index2

* update updated_date

* update event outcome for azure

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-12-18 12:23:12 -05:00
Justin Ibarra 97ee8cc9ac Refresh beats and ecs schemas and default to use latest to validate (#570)
* Refresh beats and ecs schemas and default to use latest to validate
* remove incorrect ecs_version from zoom rule
* remove stale ecs_version from rules
2020-12-01 13:24:20 -09:00
seth-goodwin 2065af89b1 [Rule Tuning] Tag Categorization Updates (#380)
* Add new categorization tags

* Change updated_date to 2020/10/26

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>, @bm11100
2020-10-26 13:50:45 -05:00
Justin Ibarra a212008f8c [Rule Tuning] Remove event.module from rules for compatibility with agent integrations (#342) 2020-09-30 09:41:33 -08:00
Brent Murphy 95877f7879 [Rule Tuning] Update event.category for Azure rules (#335)
* update event.category for azure rules

* update updated_date field

* update name to include Azure

* Update persistence_user_added_as_owner_for_azure_service_principal.toml
2020-09-24 12:45:25 -04:00
Justin Ibarra 065bcd8018 Refresh ATT&CK data to v7.2 and expand threat validation (#330)
* refresh to latest ATT&CK 7.2
* add new unit test to further validate threat mappings
* updated threat mappings in rules to reflect changes
* new func to download and refresh mitre data based on version
2020-09-23 22:03:29 -08:00
Brent Murphy b4a15960cb [New Rule] Azure Command Execution on Virtual Machine (#155)
* Create execution_command_virtual_machine.toml

* Update execution_command_virtual_machine.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-09-03 17:09:40 -04:00