security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
1,938 Commits 1 Branch 0 Tags
a3ba0fcda35d31defe2ecba97fa00c33c9bfe791
Commit Graph

4 Commits

Author SHA1 Message Date
Susan 390cb8e2d1 Update setup guide for ML integration packages (#3475) 
* Add more detail to ingest pipeline install

* Add more info to anomaly detection setup

* Update draft

* Fix typo

* Bulk add doc updates

* Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml

Co-authored-by: Kirti Sodhi <109447885+sodhikirti07@users.noreply.github.com>

* Address Kseniia feedback

* Update updated_date per review feedback

---------

Co-authored-by: Kirti Sodhi <109447885+sodhikirti07@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

(cherry picked from commit 400a84628e)
 2024-04-01 19:09:37 +00:00
Jonhnathan b1989a921b [Security Content] Small tweaks on the setup guides (#3308) 
* [Security Content] Small tweaks on the setup guides

* Additional Fixes

* Avoid touching deprecated rules

Removed changes from:
- rules/integrations/beaconing/command_and_control_beaconing.toml
- rules/integrations/beaconing/command_and_control_beaconing_high_confidence.toml
- rules/linux/discovery_process_capabilities.toml
- rules/linux/privilege_escalation_dac_permissions.toml
- rules/linux/privilege_escalation_enlightenment_window_manager.toml
- rules/linux/privilege_escalation_gdb_sys_ptrace_elevation.toml
- rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml
- rules/linux/privilege_escalation_suspicious_chown_fowner_elevation.toml
- rules/linux/privilege_escalation_suspicious_uid_guid_elevation.toml
- rules_building_block/discovery_capnetraw_capability.toml
- rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

(selectively cherry picked from commit 458e67918a)
 2024-03-11 12:14:53 +00:00
Apoorva Joshi c5606e7f3f Update Advanced Analytics config guides (#3302) 
* Updating config guides for Advanced Analytics rules

* More updates

* Update setup instructions for LMD

* Adding more guides

* update TestRuleTiming unit test to ignore advanced analytic rules

* fixed flake error

* Moving config guides under setup instead of note

* Removing leading and trailing whitespace

* Updates as requested by PM

* Updating related integrations, minor updates to setup guides

* fixing unit tests to ignore analytic packages with multiple integration tags

* Update tests/test_all_rules.py

* fixing linting errors

---------

Co-authored-by: Kirti Kirti <kirti.kirti@elastic.co>
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

Removed changes from:
- rules/integrations/beaconing/command_and_control_beaconing.toml
- rules/integrations/beaconing/command_and_control_beaconing_high_confidence.toml

(selectively cherry picked from commit 9a9f5437f2)
 2023-12-13 15:58:18 +00:00
Terrance DeJesus 4ed6c7d594 [New Rule] Add Living-off-the-Land (LotL) ProblemChild Rules (#3193) 
* adding new LotL rules

* added endpoint tags; updated technique mapping

* added missing data source tag

* Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* updated note, references and date

* changed ATT&CK technique to binary proxy execution

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

(cherry picked from commit 835be9b245)
 2023-10-23 16:29:59 +00:00