security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
252 Commits 1 Branch 0 Tags
9d3395f9e3e9fa4840e87dfd43ed7691e1d97427
Commit Graph

252 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
David French 9d3395f9e3 Create okta_attempt_to_delete_okta_application.toml (#497) 2020-11-17 08:53:59 -07:00
David French 58e54f40e3 Create okta_attempt_to_deactivate_okta_application.toml (#496) 2020-11-17 08:51:51 -07:00
David French 768069a8bc [New Rule] Attempt to Modify an Okta Application (#495) 
* Create okta_attempt_to_modify_okta_application.toml

* add reference
 2020-11-17 08:49:02 -07:00
David French 88b8bca929 Create persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.toml (#530) 2020-11-17 08:44:37 -07:00
Justin Ibarra 0573def41c Merge pull request #528 from brokensound77/mergeback/7.10-to-main 
Mergeback 7.10 changes to main
 2020-11-12 20:49:04 +01:00
Justin Ibarra 00f8f83a25 Merge branch 'main' into mergeback/7.10-to-main 2020-11-12 20:28:42 +01:00
Ross Wolf b91203233d Link to the Elastic contributor program (#520) 2020-11-12 07:02:18 -07:00
brokensound77 75d37e9271 Merge remote-tracking branch 'upstream/main' into mergeback/7.10-to-main 2020-11-12 00:59:31 -09:00
brokensound77 123d523cf0 lock version changes for 7.10 2020-11-12 00:52:44 -09:00
Ross Wolf 8ca32f1423 Fix ClientError (NoneType) suffix 2020-11-09 11:08:36 -07:00
Justin Ibarra f87f2a46f4 [Rule Tuning] Remove all rule timelines (#466) 2020-11-03 09:51:53 -09:00
Justin Ibarra da64bacac1 [Rule Tuning] Add timeline_title to rules with timeline IDs defined (#452) 2020-11-02 14:12:20 -09:00
Brent Murphy 9838d3d2f7 [Rule Tuning] Remove duplicate rules after EQL conversion (#436) 
* [Rule Tuning] Remove duplicate rules after EQL conversion

* Update defense_evasion_rundll32_sequence.toml

* swap msxsl rules
 2020-10-30 15:49:28 -04:00
Justin Ibarra 3b597bdb72 fix auth args in get_es_client 2020-10-30 09:19:50 -08:00
Justin Ibarra 3827d01a65 fix bugs in es client retrieval 2020-10-29 21:20:49 -08:00
Justin Ibarra a575cf9ff3 [Rule Tuning] Use cidrMatch for eql rules checking multiple IPs (#431) 2020-10-29 11:06:24 -08:00
Justin Ibarra fda1e7ef94 Bump zoom rule to production (#427) 2020-10-29 11:02:29 -08:00
Justin Ibarra 0d3c35886c Remove connection type from endpoint network rules (#426) 2020-10-28 12:35:34 -08:00
Ross Wolf 7da343e89f Fix kibana upload command (#425) 2020-10-28 10:16:36 -06:00
Ross Wolf a0a8d63baf Merge branch '7.10' into main 2020-10-28 09:40:15 -06:00
Derek Ditch 580db2c13e Add timeline_id to detection rules (#95) 
* Adds timeline_id to all network rules
- Uses the ID for the 'Generic Network Timeline' from Elastic
* Adds timeline_id to all endpoint rules
- Uses the ID for the 'Generic Endpoint Timeline' from Elastic
* Adds timeline_id to all process-oriented rules
    - Uses the ID for the 'Generic Process Timeline' from Elastic
* Ran tests and toml-lint
* Bumped 'updated_date'
 2020-10-27 13:34:16 -05:00
Justin Ibarra e71398e2ad [Bug] Fix Kibana client login to work with 7.10 (#404) 2020-10-26 22:25:48 -08:00
Justin Ibarra 442b31bd2f Update packages.yml 2020-10-26 12:07:34 -08:00
seth-goodwin 2065af89b1 [Rule Tuning] Tag Categorization Updates (#380) 
* Add new categorization tags

* Change updated_date to 2020/10/26

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>, @bm11100
 2020-10-26 13:50:45 -05:00
Brent Murphy 2e422f7159 [Rule Tuning] Minor Rule Tweaks for 7.10 (#400) 
* Tweak Rules for 7.10

* Add endpoint index for packetbeat rules

* update unit test to account for Network tag as well

* update modified date, add endpoint tag

* use Host instead of Endpoint

* Update packaging.py

* add v back to changelog url

* Add "tag" comment to get_markdown_rule_info

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
 2020-10-22 09:07:04 -04:00
Justin Ibarra 0a992d716a [Rule Tuning] Update EQL rules for 7.10 (#399) 
* update syntax to reflect eql changes
* use more case-insensitivity
* comment out missing fields for winlogbeat compatibility
 2020-10-21 12:35:18 -08:00
Justin Ibarra fd2d36573d Update logic in rules using fields: process.code_signature.* or process.pe.original_file_name (#364) 2020-10-20 15:22:02 -08:00
Justin Ibarra d3226c72c9 Add test for tactic in rule filename (#398) 2020-10-20 14:48:33 -08:00
Stijn Holzhauer 60b3d47efd Add kibana-upload --space option (#251) 
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-10-08 12:21:54 -06:00
Justin Ibarra 758e4a2c5b Add unit tests for rule tags (#359) 2020-10-07 19:29:19 -08:00
Justin Ibarra bd680a2bd4 Re-organize commands under more specific click groups (#356) 
* Restructure commands under more specific click groups
* standardize CLI error handling
* add global debug options
* move es and kibana clients into their click groups
* move commands and groups to dedicated files 
* distinguish variable names for better env/config parsing
 2020-10-07 12:15:33 -08:00
Kevin Logan f34c96f4dc [Rule Tuning][SECURITY_SOLUTION] rename Endpoint security (#355) 2020-10-05 09:55:15 -08:00
Andrew Pease 0b745c5492 [New Rule] Zoom Meeting with no Passcode (#292) 2020-09-30 21:44:45 -08:00
Justin Ibarra bf202b6b6c [New Rule] Initial converted EQL rules (#304) 
* 18 converted eql rules (not all prod)
 2020-09-30 21:40:55 -08:00
Justin Ibarra 2460333595 [Rule Tuning] Add extended lookback for all endpoint rules to account for ingest delays (#351) 2020-09-30 16:16:04 -08:00
Samirbous d094c76534 [New Rule] Suspicious Zoom ChildProcess (#245) 2020-09-30 15:46:33 -08:00
Andrew Pease 5ba848552a [New Rule] Post Exploitation Public IP Reconnaissance (#270) 2020-09-30 15:36:22 -08:00
Andrew Pease e753162fe2 [New Rule] Detecting Unsecure Elasticsearch Nodes (#109) 2020-09-30 15:34:38 -08:00
Andrew Pease 1a260536d4 [New Rule] RAR and PowerShell Downloaded from the Internet (#30) 2020-09-30 15:32:44 -08:00
Andrew Pease faeac00465 [New Rule] Possible FIN7 Command and Control Behavior (#28) 2020-09-30 15:26:13 -08:00
Andrew Pease d68e4ac7f0 [New Rule] Hosts File Modified (#25) 2020-09-30 15:24:07 -08:00
Andrew Pease 1620559f1f [New Rule] Halfbaked C2 Beacon (#23) 2020-09-30 15:21:33 -08:00
Andrew Pease 8caf897a73 [New Rule] Cobalt Strike Beacon (#21) 2020-09-30 14:58:24 -08:00
Justin Ibarra 7c1e9c1ed5 Update package summary extras produced during package generation (#341) 
* update summary.txt
* add summary.xlsx
* add changelog entry autogeneration
 2020-09-30 14:43:45 -08:00
Brent Murphy 83fb9bdf93 [Rule Tuning] Update event.code to category (#349) 2020-09-30 14:34:58 -08:00
Samirbous cbf465ba01 [New Rule] Kerberos dump using kcc command (#139) 
* [New Rule] Kerberos dump using kcc command

* Delete .gitignore

* Delete vcs.xml

* Delete profiles_settings.xml

* Delete misc.xml

* Delete rules.iml

* Delete modules.xml

* Update credential_access_kerberosdump_kcc.toml

* Update rules/macos/credential_access_kerberosdump_kcc.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/macos/credential_access_kerberosdump_kcc.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update credential_access_kerberosdump_kcc.toml

* Update rules/macos/credential_access_kerberosdump_kcc.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/macos/credential_access_kerberosdump_kcc.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/macos/credential_access_kerberosdump_kcc.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/macos/credential_access_kerberosdump_kcc.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/credential_access_kerberosdump_kcc.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/credential_access_kerberosdump_kcc.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update credential_access_kerberosdump_kcc.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-09-30 23:03:44 +02:00
Justin Ibarra a212008f8c [Rule Tuning] Remove event.module from rules for compatibility with agent integrations (#342) 2020-09-30 09:41:33 -08:00
Justin Ibarra aecf355582 Refresh beats schema for validation to 7.9.2 (#347) 2020-09-30 09:35:13 -08:00
shravaka fa12340ff0 [Bug fix] Add missing parenthesis for -kibana-url 2020-09-30 09:32:43 -06:00
Samirbous f15d179a50 [New Rule]- Credential Access - Domain DPAPI Backup key (#125) 
* new rule - credential access

Domain Backup DPAPI Private Keys Access

* Update credential_access_domain_backup_dpapi_private_keys.toml

* Update rules/windows/credential_access_domain_backup_dpapi_private_keys.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/credential_access_domain_backup_dpapi_private_keys.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/credential_access_domain_backup_dpapi_private_keys.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/credential_access_domain_backup_dpapi_private_keys.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Linted

* added an extra reference

* Update rules/windows/credential_access_domain_backup_dpapi_private_keys.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-09-29 21:14:07 +02:00