Commit Graph

19 Commits

Author SHA1 Message Date
Craig Chamberlain a7dee682cc Add Tags to Unusual Sudo Activity Rule (#340)
* Update ml_linux_anomalous_sudo_activity.toml

added T1548

* Update ml_linux_anomalous_sudo_activity.toml

* Update ml_linux_anomalous_sudo_activity.toml
2020-09-28 16:07:41 -04:00
Craig Chamberlain 0affb48b07 [New Rule] Unusual User Calling the Metadata Service [Linux] (#327)
* Create ml_linux_anomalous_metadata_user.toml

rule create

* Update rules/ml/ml_linux_anomalous_metadata_user.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update ml_linux_anomalous_metadata_user.toml

* Update ml_linux_anomalous_metadata_user.toml

* Update rules/ml/ml_linux_anomalous_metadata_user.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-28 12:13:06 -04:00
Craig Chamberlain 746c175669 [New Rule] Unusual User Calling the Metadata Service [Windows] (#328)
* Create ml_windows_anomalous_metadata_user.toml

* Update ml_windows_anomalous_metadata_user.toml

* Update rules/ml/ml_windows_anomalous_metadata_user.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update ml_windows_anomalous_metadata_user.toml

* Update rules/ml/ml_windows_anomalous_metadata_user.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-28 12:09:14 -04:00
Craig Chamberlain 4473f6d8f3 [New Rule] Unusual Sudo Activity (#263)
* Create ml_linux_anomalous_sudo_activity.toml

rule to accompany the unusual sudo activity job

* Update ml_linux_anomalous_sudo_activity.toml

added fp field

* Update ml_linux_anomalous_sudo_activity.toml

* Update ml_linux_anomalous_sudo_activity.toml

linting

* Update ml_linux_anomalous_sudo_activity.toml

* Update ml_linux_anomalous_sudo_activity.toml

* Update rules/ml/ml_linux_anomalous_sudo_activity.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update ml_linux_anomalous_sudo_activity.toml

* Update ml_linux_anomalous_sudo_activity.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-24 14:55:33 -04:00
Craig Chamberlain e39d857a11 [New Rule] Unusual Linux System Network Configuration Discovery (#265)
* Create ml_linux_system_network_configuration_discovery.toml

ML rule to accompany the network configuration discovery job

* Update ml_linux_system_network_configuration_discovery.toml

added fp field

* Update ml_linux_system_network_configuration_discovery.toml

* Update ml_linux_system_network_configuration_discovery.toml

linting

* Update ml_linux_system_network_configuration_discovery.toml

* Update ml_linux_system_network_configuration_discovery.toml

* Update rules/ml/ml_linux_system_network_configuration_discovery.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-24 09:07:34 -04:00
Justin Ibarra 065bcd8018 Refresh ATT&CK data to v7.2 and expand threat validation (#330)
* refresh to latest ATT&CK 7.2
* add new unit test to further validate threat mappings
* updated threat mappings in rules to reflect changes
* new func to download and refresh mitre data based on version
2020-09-23 22:03:29 -08:00
Craig Chamberlain 1e43896cf1 [New Rule] Unusual Process Calling the Metadata Service [Windows] (#323)
* Create ml_windows_anomalous_metadata_process.toml

rule create

* Update rules/ml/ml_windows_anomalous_metadata_process.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update ml_windows_anomalous_metadata_process.toml

* Update ml_windows_anomalous_metadata_process.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-23 15:50:43 -04:00
Craig Chamberlain dd65dad9dc [New Rule] Unusual Process Calling the Metadata Service [Linux] (#321)
* Create ml_linux_anomalous_metadata_process.toml

rule creation

* Update rules/ml/ml_linux_anomalous_metadata_process.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update ml_linux_anomalous_metadata_process.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-23 15:29:48 -04:00
Craig Chamberlain baefaeeaff [New Rule] Unusual Linux Network Connection Discovery (#266)
* Create ml_linux_system_network_connection_discovery.toml

ML rule to accompany the unusual network connection discovery job

* Update ml_linux_system_network_connection_discovery.toml

set author

* Update ml_linux_system_network_connection_discovery.toml

added false positive field

* Update ml_linux_system_network_connection_discovery.toml

* Update ml_linux_system_network_connection_discovery.toml

linting

* Update rules/ml/ml_linux_system_network_connection_discovery.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update ml_linux_system_network_connection_discovery.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-09-22 16:27:17 -04:00
Craig Chamberlain f1f88e3b3a [New Rule] Unusual Linux System Information Discovery Activity (#264)
* Create ml_linux_system_information_discovery.toml

rule to accompany the system information discovery job

* Update ml_linux_system_information_discovery.toml

* Update ml_linux_system_information_discovery.toml

added fp field

* Update ml_linux_system_information_discovery.toml

* Update ml_linux_system_information_discovery.toml

linting

* Update ml_linux_system_information_discovery.toml

* Update rules/ml/ml_linux_system_information_discovery.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-22 16:25:59 -04:00
Craig Chamberlain 92633ed51a [New Rule] Anomalous Linux Compiler Activity (#262)
* Create ml_linux_anomalous_compiler_activity.toml

rule to accompany the rare compiler activity job

* Update ml_linux_anomalous_compiler_activity.toml

added fp field

* Update ml_linux_anomalous_compiler_activity.toml

* Update ml_linux_anomalous_compiler_activity.toml

* Update ml_linux_anomalous_compiler_activity.toml
2020-09-22 16:24:32 -04:00
Craig Chamberlain 8e2d4cbfc8 [New Rule] Unusual Linux System Owner or User Discovery Activity (#267)
* Create ml_linux_system_user_discovery.toml

ML rule to accompany the unusual system owner / user discovery job

* Update rules/ml/ml_linux_system_user_discovery.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update ml_linux_system_user_discovery.toml

added fp field

* Update ml_linux_system_user_discovery.toml

* Update ml_linux_system_user_discovery.toml

* Update ml_linux_system_user_discovery.toml

* Update ml_linux_system_user_discovery.toml

lint

* Update ml_linux_system_user_discovery.toml

* Update rules/ml/ml_linux_system_user_discovery.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-22 16:22:41 -04:00
Craig Chamberlain 0a0c5986c5 [New Rule] Anomalous Kernel Module Activity (#257)
* Create ml_linux_rare_kernel_module_arguments.toml

* rare module rule

* Update ml_linux_anomalous_kernel_module_arguments.toml

* Update ml_linux_anomalous_kernel_module_arguments.toml

* Update ml_linux_anomalous_kernel_module_arguments.toml

* Update rules/ml/ml_linux_anomalous_kernel_module_arguments.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-22 16:18:51 -04:00
Craig Chamberlain 14a62ae93f [New Rule] Unusual Linux Process Discovery Activity (#261)
* Create ml_linux_system_process_discovery.toml

* Update ml_linux_system_process_discovery.toml

* Update ml_linux_system_process_discovery.toml

added fp field

* Update ml_linux_system_process_discovery.toml

* Update ml_linux_system_process_discovery.toml

* Update rules/ml/ml_linux_system_process_discovery.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* linting

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Brent Murphy <bmurphy@endgame.com>
2020-09-22 16:15:36 -04:00
Justin Ibarra 79a0dfefbe Add ECS 1.6.0 schema for validation testing (#220)
* Add ecs 1.6.0 and refresh master ecs (2.0.0)
* update rule metadata to use ecs_version 1.6.0
2020-08-27 11:54:49 -05:00
Devon Kerr f75b126ec4 Update terminology in ML job rules 2020-07-14 21:22:34 -06:00
Craig Chamberlain f24666bf12 [New Rule] Add Cloudtrail ML Rules
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
Co-authored-by: Devon Kerr <19266650+devonakerr@users.noreply.github.com>
2020-07-14 15:16:58 -06:00
Ben Skelker 680a04da8f Fix terminology and doc links (#54) 2020-07-13 12:47:42 -06:00
Ross Wolf 5fcece8416 Populate rules/ directory.
Co-Authored-By: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-Authored-By: Craig Chamberlain <randomuserid@users.noreply.github.com>
Co-Authored-By: David French <56409778+threat-punter@users.noreply.github.com>
Co-Authored-By: Derek Ditch <dcode@users.noreply.github.com>
Co-Authored-By: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-06-29 22:57:03 -06:00