security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
3,551 Commits 1 Branch 0 Tags
9999336f5ecc16472ea4c45271b1574a5b77d430
Commit Graph

15 Commits

Author SHA1 Message Date
Mika Ayenson, PhD 8993d1450b [Rule Tuning] Add Supplemental Mitre Mappings (#5876) 
---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: eric-forte-elastic <eric.forte@elastic.co>
 2026-04-01 09:12:42 -05:00
Eric Forte b2f76bd2c9 Tuning to allow for greater flexibility in integration policy (#5774) 2026-02-25 13:56:02 -05:00
Jonhnathan 5653190d08 [Rule Tuning] Remove hardcoded logic from description (#4503) 2025-02-28 14:38:18 -03:00
Ruben Groenewoud 32975e5155 [Rule Tuning] Port Scan Rules (#4443) 2025-02-05 15:40:27 +01:00
Mika Ayenson fe8c81d762 [FR] Generate investigation guides (#4358) 2025-01-22 11:17:38 -06:00
Samirbous 5e0fb4a63e [Tuning] Add logs-panw.panos index to Network rules (#4089) 
* [Tuning] Add logs-panw.panos index to Network rules

https://github.com/elastic/detection-rules/issues/3998

This PR adds to the PANOS traffic index `.ds-logs-panw.panos-default-*` to the network rules using fields that are compatible.

* add tag and integration

* Update command_and_control_fin7_c2_behavior.toml

* Build Manifest and Schema for panw integration

* Update definitions.py

* Update definitions.py

* Fix definitions declaration

---------

Co-authored-by: Shashank K S <Shashank.Suryanarayana@elastic.co>
 2024-09-19 08:01:44 +01:00
Jonhnathan f5069763b6 [Rule Tuning] Add System tag to DRs (#3968) 
* [Rule Tuning] Add System tag to DRs

* bump
 2024-08-09 11:14:33 -03:00
shashank-elastic 63e91c2f12 Back-porting Version Trimming (#3704) 2024-05-23 00:45:10 +05:30
Mika Ayenson 2c3dbfc039 Revert "Back-porting Version Trimming (#3681)" 
This reverts commit 71d2c59b5c.
 2024-05-22 13:51:46 -05:00
shashank-elastic 71d2c59b5c Back-porting Version Trimming (#3681) 2024-05-23 00:11:50 +05:30
Terrance DeJesus 1c10c37468 [Rule Tuning] Update timestamp_override Unit Tests and Fix Rules Missing Field (#3368) 
* updated timestamp override unit test; fixed rules missing this field

* fixed flake error

* simplified and consolidated logic

* Update tests/test_all_rules.py

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* Update tests/test_all_rules.py

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* added comments

* updated logic; added comments; removed unused variables

* removed custom python script

* updated dates

* removed deprecated rule change

* updated dates

---------

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2024-01-17 14:14:38 -05:00
Ruben Groenewoud 020fff3aea [Rule Tuning] Linux Rules (#3092) 
* [Rule Tuning] [WIP] Linux DR

* Update defense_evasion_binary_copied_to_suspicious_directory.toml

* Fixed tag

* Added additional tuning

* unit test fix

* Additional tuning

* tuning

* added max signals

* Added max_signals=1 to brute force rules

* Cross-Platform Tuning

* Small fix

* new_terms conversion

* typo

* new_terms conversion

* Ransomware rule tuning

* performance tuning

* new_terms conversion for auditd_manager

* tune

* Need coffee

* kql/eql stuff

* formatting improvement

* new_terms sudo hijacking conversion

* exclusion

* Deprecations that were added last tuning

* Deprecations that were added last tuning

* Increased max timespan for brute force rules

* version bump

* added domain tag

* Two tunings

* More tuning

* Additional tuning

* updated_date bump

* query optimization

* Tuning

* Readded the exclusions for this one

* Changed int comparison

* Some tunings

* Update persistence_systemd_scheduled_timer_created.toml

* Update rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* [New Rule] Potential curl CVE-2023-38545 Exploitation

* Revert "[New Rule] Potential curl CVE-2023-38545 Exploitation"

This reverts commit 9c04d1b53d3d63678289f43ec0c7b617d26f1ce0.

* Update rules/cross-platform/command_and_control_non_standard_ssh_port.toml

* Update rules/linux/command_and_control_cat_network_activity.toml

* Update persistence_message_of_the_day_execution.toml

* Changed max_signals

* Revert "Merge branch 'main' into rule-tuning-ongoing-dr"

This reverts commit 1106b5d2eba1a3529eff325226d6baabfd4b0bf3, reversing
changes made to 5ff510757f25b0cb32e1ef18e9e2c34c8ec325a8.

* Revertable merge

* Update defense_evasion_ld_preload_env_variable_process_injection.toml

* File name change

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-10-23 16:28:58 +02:00
Terrance DeJesus b8ae2218f8 [Rule Tuning] Add filebeat Compatibility to Network Rules (#2925) 
* add beats compatability to NPC rules

* added filebeat compatibility to 'Accepted Default Telnet Port Connection'

* added filebeat compatibility to 'Cobalt Strike Command and Control Beacon'

* added filebeat compatibility to 'Default Cobalt Strike Team Server Certificate'

* added filebeat compatibility to 'Roshal Archive (RAR) or PowerShell File Downloaded from the Internet'

* added filebeat compatibility to 'Possible FIN7 DGA Command and Control Behavior'

* added filebeat compatibility to 'Halfbaked Command and Control Beacon'

* added filebeat compatibility to 'IPSEC NAT Traversal Port Activity'

* added filebeat compatibility to 'SMTP on Port 26/TCP'

* added filebeat compatibility to 'RDP (Remote Desktop Protocol) from the Internet'

* added filebeat compatibility to 'VNC (Virtual Network Computing) from the Internet'

* added filebeat compatibility to 'VNC (Virtual Network Computing) to the Internet'

* added filebeat compatibility to 'RPC (Remote Procedure Call) from the Internet'

* added filebeat compatibility to 'RPC (Remote Procedure Call) to the Internet'

* added filebeat compatibility to 'SMB (Windows File Sharing) Activity to the Internet'

* removed extra space in query

* added filebeat compatibility to 'Inbound Connection to an Unsecure Elasticsearch Node'

* added filebeat compatibility to 'Abnormally Large DNS Response'

* fixed missing ending parenthesis

* added auditbeat to compatible rules

* addressed feedback

* removed filebeat and auditbeat due to incompatibility

* Update rules/network/command_and_control_cobalt_strike_beacon.toml

* Update rules/network/command_and_control_accepted_default_telnet_port_connection.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
 2023-10-03 15:05:41 -04:00
Ruben Groenewoud a7ff449fbc [Rule Tuning] Some Tunings of several 8.9 rules (#2985) 
* [Rule Tuning] Doing some quick tunings

* updated_date bump

* Update rules/linux/discovery_linux_modprobe_enumeration.toml

* Update rules/linux/discovery_linux_modprobe_enumeration.toml

* Update rules/linux/discovery_linux_sysctl_enumeration.toml

* Update rules/linux/persistence_init_d_file_creation.toml

* Update rules/linux/persistence_rc_script_creation.toml

* Update rules/linux/persistence_shared_object_creation.toml

* deprecate rule

* deprecate rule

* Update execution_abnormal_process_id_file_created.toml

* Update discovery_kernel_module_enumeration_via_proc.toml

* Update discovery_linux_modprobe_enumeration.toml

* Update execution_remote_code_execution_via_postgresql.toml

* Update discovery_potential_syn_port_scan_detected.toml

* Added 2 tunings, sorry I missed those..

* One more tune

* Update discovery_suspicious_proc_enumeration.toml
 2023-08-03 15:25:33 +02:00
Remco Sprooten 1283a21fb7 [New Rules] Potential portscan detected (#2817) 
* [New Rules] Potential portscan detected

* Updated descriptions

* Update rules/network/discovery_potential_syn_port_scan_detected.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/network/discovery_potential_network_sweep_detected.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/network/discovery_potential_port_scan_detected.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* updating integration manifests and schemas

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2023-07-09 09:49:32 +02:00